Figure 10- 29 Caller of sub_26984530
As we can see, sub_26984530 isn’t called explicitly. Instead, its address is stored in R6 to
where the execution flow jumps, and then sub_26984530 is called implicitly. As a result, the 9th
data source comes from sub_26984444. Well done! We have achieved a lot so far. Let’s keep
searching for the occurrences of the 9th data source, as shown in figure 10-30.
Figure 10- 30 Look for the 9th data source
There are several branches inside this subroutine to determine whether it should assign
[IMServiceImpl smsService] or [IMServiceImpl iMessageService] to R1. Let’s figure out the
branch conditions, starting from figure 10-31.