Microsoft Word - iOSAppReverseEngineering.docx


Figure 10-13 [CKMessageEntryTextView setPlaceholderText:]


Attach LLDB to MobileSMS and continue the process as follows:

(lldb) process connect connect://iOSIP:1234
Process 200596 stopped
* thread #1: tid = 0x30f94, 0x316554f0 libsystem_kernel.dylib`mach_msg_trap + 20, queue = 'com.apple.main-thread', stop reason = signal SIGSTOP
    frame #0: 0x316554f0 libsystem_kernel.dylib`mach_msg_trap + 20
libsystem_kernel.dylib`mach_msg_trap + 20:
-> 0x316554f0:  pop    {r4, r5, r6, r8}
   0x316554f4:  bx     lr

libsystem_kernel.dylib`mach_msg_overwrite_trap:
   0x316554f8:  mov    r12, sp
   0x316554fc:  push   {r4, r5, r6, r8}
(lldb) c
Process 200596 resuming

Then check the ASLR offset of ChatKit as follows:

(lldb) image list -o -f
[ 0] 0x00079000 /private/var/db/stash/_.29LMeZ/Applications/MobileSMS.app/MobileSMS(0x000000000007d000)
[ 1] 0x0019c000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x000000000019c000)
[ 2] 0x01eac000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/Frameworks/Foundation.framework/Foundation
......
[ 9] 0x01eac000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PrivateFrameworks/ChatKit.framework/ChatKit

The ASLR offset is 0x1eac000. With this offset, we can set a breakpoint on [CKMessageEntryTextView setPlaceholderText:] to check whether it is called or not, and if it is called, who the caller is. The base address of this method is shown in figure 10-14; as we can see, it is 0x2693BCE0.
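As an added example (not code from the book), the following Python snippet parses the `image list -o -f` output above, picks out the ASLR slide of ChatKit, and adds it to the unslid address that IDA shows in figure 10-14 to obtain the runtime address for the breakpoint; the regex and the function names are my own.

```python
import re

# Output of `image list -o -f` from the LLDB session above (the two wrapped
# paths are joined back onto one line; "......" marks entries the book elides).
IMAGE_LIST = """\
[ 0] 0x00079000 /private/var/db/stash/_.29LMeZ/Applications/MobileSMS.app/MobileSMS(0x000000000007d000)
[ 1] 0x0019c000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x000000000019c000)
[ 2] 0x01eac000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/Frameworks/Foundation.framework/Foundation
......
[ 9] 0x01eac000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PrivateFrameworks/ChatKit.framework/ChatKit
"""

# One entry: "[ idx] <slide> <path>(<load address>)", the load address being optional.
ENTRY_RE = re.compile(r"^\[\s*(\d+)\]\s+(0x[0-9a-fA-F]+)\s+(.+?)(?:\((0x[0-9a-fA-F]+)\))?\s*$")


def parse_image_list(text):
    """Return {module name: ASLR slide} for every image line; '......' and blanks are skipped.
    Every library in the dyld shared cache carries the same slide, which is why
    Foundation and ChatKit both report 0x01eac000."""
    slides = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        path = m.group(3)
        name = path.rsplit("/", 1)[-1]      # module name is the last path component
        slides[name] = int(m.group(2), 16)
    return slides


def slid_address(slides, module, unslid_addr):
    """Runtime address = ASLR slide of the module + the address IDA shows (unslid)."""
    return slides[module] + unslid_addr


def breakpoint_command(addr):
    """LLDB command that sets a breakpoint at the computed runtime address."""
    return "br s -a 0x%x" % addr


if __name__ == "__main__":
    slides = parse_image_list(IMAGE_LIST)
    target = slid_address(slides, "ChatKit", 0x2693BCE0)   # method base from figure 10-14
    print(breakpoint_command(target))
```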
