Figure 6-23 The relationship of objc_msgSend’s arguments
Figure 6-24 The relationship of objc_msgSend’s arguments
So, seems the core of [UIBarButtonItem _sendAction:withEvent:] is [[UIApplication
sharedApplication] sendAction:[self action] to:[self target] from:self forEvent:event]. Since we
have already known that [UIBarButtonItem _sendAction:withEvent:] will perform “compose
mail” operation, [[UIApplication sharedApplication] sendAction:[self action] to:[self target]
from:self forEvent:event] is sure to get called. Although with IDA, we’ve sorted out where
every argument comes from, IDA can’t tell us what their values are during execution. So, it’s
time to bring LLDB on stage to do some dynamic debugging.
Attach debugserver to MobileMail, and connect with LLDB, then print out the ASLR offset
of UIKit:
(lldb) image list -o -f