
Figure 6-27 [UIApplication sendAction:to:from:forEvent:]


In any case, “performSelector:withObject:withObject:” in loc_24ebbc10 gets executed, so naturally we can guess that this is where the actual operations are performed. Just like before, let’s figure out what this method does with LLDB. The ASLR offset of UIKit is 0x6db3000, and the address of the last objc_msgSend is 0x24EBBC26, so we set a breakpoint at 0x6db3000 + 0x24EBBC26 = 0x2BC6EC26, then tap the “compose” button to trigger the breakpoint and inspect the arguments:


(lldb) br s -a 0x2BC6EC26
Breakpoint 1: where = UIKit`-[UIApplication sendAction:to:from:forEvent:] + 66, address = 0x2bc6ec26
Process 226191 stopped
* thread #1: tid = 0x3738f, 0x2bc6ec26 UIKit`-[UIApplication sendAction:to:from:forEvent:] + 66, queue = 'com.apple.main-thread, stop reason = breakpoint 1.1
    frame #0: 0x2bc6ec26 UIKit`-[UIApplication sendAction:to:from:forEvent:] + 66
UIKit`-[UIApplication sendAction:to:from:forEvent:] + 66:
-> 0x2bc6ec26: blx 0x2c3539f8 ; symbol stub for: roundf$shim
   0x2bc6ec2a: cmp r6, #0
   0x2bc6ec2c: it ne
   0x2bc6ec2e: movne r6, #1
(lldb) p (char *)$r1
(char *) $0 = 0x2c3dac95 "performSelector:withObject:withObject:"
(lldb) po $r0
<ComposeButtonItem: 0x14ddf5f0>
(lldb) p (char *)$r2
(char *) $2 = 0x2c4140f2 "_sendAction:withEvent:"
(lldb) po $r3
<UIToolbarButton: 0x14d73c90; frame = (285 0; 23 44); opaque = NO; gestureRecognizers = <NSArray: 0x14d22ec0>; layer = <CALayer: 0x14d73ea0>>
(lldb) x/10 $sp
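The address arithmetic used for the breakpoint above can be scripted so that static addresses from the disassembler and runtime addresses from LLDB convert both ways. This is an added example, not code from the book. It assumes the ASLR offsets come from LLDB's `image list -o -f`; the sample output and its paths are constructed, and only the UIKit offset and the two addresses are taken from the text.

```python
import re

# Constructed sample of `image list -o -f` output. Paths are placeholders;
# only the UIKit slide (0x06db3000) is taken from the text above.
SAMPLE_IMAGE_LIST = """\
[  0] 0x000b5000 /private/var/placeholder/Example.app/Example(0x00000000000b9000)
[  1] 0x06db3000 /placeholder/DeviceSupport/X.Y (BUILD)/Symbols/System/Library/Frameworks/UIKit.framework/UIKit
"""

# "[ idx] <slide> <path>" with an optional trailing "(0x<load address>)".
# The path itself may contain spaces and parentheses.
LINE_RE = re.compile(
    r"^\[\s*\d+\]\s+(0x[0-9a-fA-F]+)\s+(.+?)(?:\(0x[0-9a-fA-F]+\))?\s*$"
)


def parse_slides(image_list_output):
    """Return {image basename: ASLR slide} parsed from `image list -o -f` text."""
    slides = {}
    for line in image_list_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip prompts, blank lines and anything unexpected
        name = m.group(2).rsplit("/", 1)[-1]
        slides.setdefault(name, int(m.group(1), 16))
    return slides


def to_runtime(slides, image, static_addr):
    """Static (disassembler) address -> address in the running process."""
    if image not in slides:
        raise KeyError("image not loaded: %s" % image)
    return slides[image] + static_addr


def to_static(slides, image, runtime_addr):
    """Runtime address (e.g. from a backtrace) -> address to look up statically."""
    static = runtime_addr - slides[image]
    if static < 0:
        raise ValueError("address lies below the slide of %s" % image)
    return static


def breakpoint_command(slides, image, static_addr):
    """Build the LLDB command used in the session above."""
    return "br s -a 0x%X" % to_runtime(slides, image, static_addr)


if __name__ == "__main__":
    print(breakpoint_command(parse_slides(SAMPLE_IMAGE_LIST), "UIKit", 0x24EBBC26))
```

The slide changes on every launch, so the offsets have to be re-read from a fresh `image list -o -f` after each restart of the process.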



