
ChatKit`-[CKMessageEntryView updateEntryView] + 54:
-> 0x2b528962: mov r8, r0
   0x2b528964: movw r0, #52792
   0x2b528968: movt r0, #2547
   0x2b52896c: add r0, pc
(lldb) po $r0
IMService[SMS]
(lldb) po [$r0 class]
IMServiceImpl





Obviously, the return value of [CKPendingConversation sendingService] is IMService[SMS] (the value becomes IMService[iMessage] when this breakpoint is hit the 2nd time), whose class is IMServiceImpl. Therefore, the 4th data source is [CKPendingConversation sendingService]. Can you still follow?
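The movw/movt/add Rd, pc sequence in the listing above is how clang materialises a PC-relative address on 32-bit ARM, and the absolute value it produces depends on the execution state: a read of PC returns the address of the current instruction plus 4 in Thumb state and plus 8 in ARM state, so the immediates only make sense relative to the add instruction. The following Python helper is an added example, not code from the book; it parses LLDB-style disassembly such as the ChatKit listing (copied from the page) and resolves the target register value for both states. The resolved addresses are what those immediates evaluate to and are not printed anywhere on the page.

```python
"""Resolve the ARM 'movw/movt/add Rd, pc' PC-relative address idiom from
LLDB-style disassembly.  Added example, not code from the book."""
import re

# How a read of PC relates to the address of the reading instruction.
THUMB_PC_OFFSET = 4   # Thumb state: current instruction address + 4
ARM_PC_OFFSET = 8     # ARM state:   current instruction address + 8

# The ChatKit listing from the page (LLDB's "->" marker is optional).
DISASM = """\
-> 0x2b528962: mov r8, r0
   0x2b528964: movw r0, #52792
   0x2b528968: movt r0, #2547
   0x2b52896c: add r0, pc
"""

LINE_RE = re.compile(r"^\s*(?:->\s*)?(0x[0-9a-fA-F]+):\s+([a-z.]+)\s*(.*)$")


def parse(disasm):
    """Return [(address, mnemonic, [operands])] for each recognised line."""
    insns = []
    for line in disasm.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = m.groups()
        operands = [o.strip() for o in ops.split(",")] if ops else []
        insns.append((int(addr, 16), mnem, operands))
    return insns


def imm(tok):
    """'#52792' -> 52792, '#0x9f3' -> 0x9f3."""
    return int(tok.lstrip("#"), 0)


def resolve_pc_relative(disasm, thumb=True):
    """Return {register: absolute target} for every movw/movt/add Rd, pc
    sequence in the listing.  Only the add instruction's own address enters
    the PC term, so the three instructions need not be adjacent."""
    pc_off = THUMB_PC_OFFSET if thumb else ARM_PC_OFFSET
    regs = {}      # register -> 32-bit immediate assembled so far
    targets = {}   # register -> resolved absolute address
    for addr, mnem, ops in parse(disasm):
        if mnem == "movw" and len(ops) == 2:
            regs[ops[0]] = imm(ops[1]) & 0xFFFF
        elif mnem == "movt" and len(ops) == 2:
            lo = regs.get(ops[0], 0) & 0xFFFF
            regs[ops[0]] = lo | ((imm(ops[1]) & 0xFFFF) << 16)
        elif mnem == "add" and ops and ops[-1] == "pc" and ops[0] in regs:
            # 'add r0, pc' or 'add r0, r0, pc': Rd = Rd + (addr + pc_off)
            targets[ops[0]] = (regs[ops[0]] + addr + pc_off) & 0xFFFFFFFF
        elif ops and ops[0] in regs:
            # Conservative: any other instruction naming the register first
            # is treated as a write and discards the partial immediate.
            del regs[ops[0]]
    return targets


if __name__ == "__main__":
    for state, thumb in (("Thumb", True), ("ARM", False)):
        for reg, target in resolve_pc_relative(DISASM, thumb).items():
            print(f"{state}: {reg} -> 0x{target:08x}")
```

ChatKit's methods here run in Thumb state, so the Thumb result is the one to compare against IDA's annotation of the same sequence, or to dump directly in LLDB with `memory read` once the add has executed; if the two disagree, the most common cause is applying the ARM-state +8 rule to Thumb code.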


Till now, we have already got a lot of useful information. So let's turn back to IDA, locate [CKPendingConversation sendingService] and find out how it works internally, as shown in figure 10-20.


Figure 10-20 [CKPendingConversation sendingService]


The implementation logic is not too complicated, but there are several branches, so we can't tell statically which one MobileSMS actually takes. Debug again with LLDB and pay attention to every branch condition as well as the address of the next instruction that gets executed.


Process 14235 stopped
* thread #1: tid = 0x379b, 0x2b5f0264 ChatKit`-[CKPendingConversation sendingService], queue = 'com.apple.main-thread', stop reason = breakpoint 3.1
    frame #0: 0x2b5f0264 ChatKit`-[CKPendingConversation sendingService]
ChatKit`-[CKPendingConversation sendingService]:
-> 0x2b5f0264: push {r4, r5, r7, lr}



