
Figure 6-40 Check out address of objc_msgSend


The ASLR offset of Preferences is 0x6db3000, as we have just seen, so the breakpoint should be set at 0x6db3000 + 0x2A9F797E = 0x317AA97E. Trigger it and see whether the PSTableCell already contains my number:


(lldb) br s -a 0x317AA97E
Breakpoint 10: where = Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 922, address = 0x317aa97e
Process 268587 stopped
* thread #1: tid = 0x4192b, 0x317aa97e Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 922, queue = 'com.apple.main-thread', stop reason = breakpoint 10.1
    frame #0: 0x317aa97e Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 922
Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 922:
-> 0x317aa97e:  blx    0x31825f04                ; symbol stub for: ____NETRBClientResponseHandler_block_invoke
   0x317aa982:  mov    r2, r0
   0x317aa984:  movw   r0, #59804
   0x317aa988:  movt   r0, #1736
(lldb) po [$r6 detailTextLabel]
<UITableViewLabel: 0x15f7e490; frame = (0 0; 0 0); userInteractionEnabled = NO; layer = <_UILabelLayer: 0x15fd1c90>>

The cell doesn’t hold my number yet, which indicates that my number is generated after the red block, i.e. somewhere in the last 3 blocks of code in figure 6-38. Based on this conclusion, let’s keep executing the “ni” command, then “po [$r6 detailTextLabel]” before and after each objc_msgSend:


(lldb) ni
Process 268587 stopped
* thread #1: tid = 0x4192b, 0x317aa982 Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 926, queue = 'com.apple.main-thread', stop reason = instruction step over
    frame #0: 0x317aa982 Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 926
Preferences`-[PSListController tableView:cellForRowAtIndexPath:] + 926:
-> 0x317aa982:  mov    r2, r0
   0x317aa984:  movw   r0, #59804
   0x317aa988:  movt   r0, #1736
   0x317aa98c:  add    r0, pc
(lldb) po [$r6 detailTextLabel]
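The slide arithmetic used above (static address + ASLR offset = runtime address, and the reverse when a runtime address from lldb has to be looked up in IDA) is tedious to redo by hand for every address in a session. The following Python helper is an added example, not code from the book: it converts in both directions for a 32-bit image, emits the same `br s -a` command used here, and annotates lldb output with static addresses; the Preferences image range it uses is a constructed placeholder, which in practice comes from lldb's `image list` output.

```python
import re

HEX_RE = re.compile(r"0x[0-9a-fA-F]+")


class AslrMap:
    """Convert between static (on-disk / IDA) and runtime (lldb) addresses of
    one image, given the ASLR slide lldb reported for that image."""

    def __init__(self, slide, bits=32):
        self.slide = slide
        self.mask = (1 << bits) - 1   # 32-bit ARM process on this page

    def to_runtime(self, static_addr):
        return (static_addr + self.slide) & self.mask

    def to_static(self, runtime_addr):
        return (runtime_addr - self.slide) & self.mask

    def breakpoint_cmd(self, static_addr):
        # Same form as the command used on this page: break on the slid address.
        return "br s -a 0x%X" % self.to_runtime(static_addr)

    def annotate(self, lldb_text, image_lo, image_hi):
        """Append '<static 0x...>' after every runtime address that lies inside
        the image's mapped range [image_lo, image_hi); heap/object pointers
        outside that range are left untouched."""
        def sub(m):
            addr = int(m.group(0), 16)
            if image_lo <= addr < image_hi:
                return "%s<static 0x%x>" % (m.group(0), self.to_static(addr))
            return m.group(0)
        return HEX_RE.sub(sub, lldb_text)


# Constructed sample: two lines taken from the lldb session on this page.
SAMPLE = (
    "frame #0: 0x317aa97e Preferences`-[PSListController "
    "tableView:cellForRowAtIndexPath:] + 922\n"
    "<UITableViewLabel: 0x15f7e490; frame = (0 0; 0 0)>"
)
# Placeholder range for the Preferences image (assumption); take the real
# bounds from lldb's `image list` output.
PREFS_LO, PREFS_HI = 0x317A0000, 0x31830000


def annotate_sample():
    return AslrMap(0x6DB3000).annotate(SAMPLE, PREFS_LO, PREFS_HI)


if __name__ == "__main__":
    m = AslrMap(0x6DB3000)
    print(m.breakpoint_cmd(0x2A9F797E))   # br s -a 0x317AA97E
    print(annotate_sample())
```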