Figure 6-32 [PSListController tableView:cellForRowAtIndexPath:]


Its execution logic is complicated. To play it safe, let’s set a breakpoint at the end of this method and check whether “my number” is contained in the return value, so that we can make sure objc_msgSendSuper2 calls [PSListController tableView:cellForRowAtIndexPath:]. First, let’s check the ASLR offset of Preferences.framework:


(lldb) image list -o -f
[ 0] 0x00079000 /private/var/db/stash/_.29LMeZ/Applications/Preferences.app/Preferences(0x000000000007d000)
[ 1] 0x00232000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000000232000)
[ 2] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PrivateFrameworks/BulletinBoard.framework/BulletinBoard
[ 3] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
......
[ 42] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PrivateFrameworks/Preferences.framework/Preferences
......

Its ASLR offset is 0x6db3000. Then find the address of the last instruction of [PSListController tableView:cellForRowAtIndexPath:], as shown in Figure 6-33.
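
The lookup above can be scripted. The following is an added example, not code from the book: it parses `image list -o -f` output, picks the ASLR offset of Preferences.framework rather than that of the Preferences app binary (both paths end in "Preferences"), and adds it to a static address. The function names are hypothetical, the sample is constructed from the listing above, and the static address is a placeholder, not the value in Figure 6-33.

```python
import re

# Constructed sample: the `image list -o -f` entries shown above, one per line.
SAMPLE = """\
[ 0] 0x00079000 /private/var/db/stash/_.29LMeZ/Applications/Preferences.app/Preferences(0x000000000007d000)
[ 1] 0x00232000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000000232000)
......
[ 42] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PrivateFrameworks/Preferences.framework/Preferences
"""

# [index] slide path, with an optional "(load address)" glued to the end of the path.
ENTRY = re.compile(r"^\[\s*(\d+)\]\s+(0x[0-9a-fA-F]+)\s+(.+?)(?:\((0x[0-9a-fA-F]+)\))?$")

def parse_image_list(text):
    """Return a list of (index, slide, path) tuples; non-entry lines are skipped."""
    images = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            images.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return images

def slide_for(images, path_suffix):
    """Return the ASLR offset of the single image whose path ends with path_suffix."""
    hits = [(slide, path) for _, slide, path in images if path.endswith(path_suffix)]
    if len(hits) != 1:
        # "Preferences" alone matches both the app binary and the framework.
        raise ValueError(f"{len(hits)} images match {path_suffix!r}; use a longer suffix")
    return hits[0][0]

def runtime_address(slide, static_address):
    """Address to break on = address in the disassembler + ASLR offset."""
    return slide + static_address

if __name__ == "__main__":
    images = parse_image_list(SAMPLE)
    slide = slide_for(images, "Preferences.framework/Preferences")
    static = 0x1000  # placeholder, NOT the address from Figure 6-33
    print(f"(lldb) br s -a {runtime_address(slide, static):#x}")
```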
