Microsoft Word - iOSAppReverseEngineering.docx


press “return” to trigger the breakpoint:


Process 30928 stopped
* thread #1: tid = 0x78d0, 0x30b36444 ChatKit`__71-[CKPendingConversation refreshStatusForAddresses:withCompletionBlock:]_block_invoke, queue = 'com.apple.main-thread, stop reason = breakpoint 7.1
    frame #0: 0x30b36444 ChatKit`__71-[CKPendingConversation refreshStatusForAddresses:withCompletionBlock:]_block_invoke
ChatKit`__71-[CKPendingConversation refreshStatusForAddresses:withCompletionBlock:]_block_invoke:
-> 0x30b36444: push {r4, r5, r6, r7, lr}
   0x30b36446: add r7, sp, #12
   0x30b36448: str r8, [sp, #-4]!
   0x30b3644c: sub sp, #4
(lldb) p/x $lr
(unsigned int) $39 = 0x331f0d75





LR without the ASLR offset is 0x331f0d75 - 0xa1b2000 = 0x2903ED75, which is outside ChatKit.


Under such circumstances, how can we locate the image that 0x2903ED75 belongs to? We've already covered the solution in chapter 6: set a breakpoint at the end of sub_26984444, then keep executing "ni" to step back into the caller and identify its image. The commands are as follows:


Process 30928 stopped
* thread #1: tid = 0x78d0, 0x30b364c0 ChatKit`__71-[CKPendingConversation refreshStatusForAddresses:withCompletionBlock:]_block_invoke + 124, queue = 'com.apple.main-thread, stop reason = breakpoint 8.1
    frame #0: 0x30b364c0 ChatKit`__71-[CKPendingConversation refreshStatusForAddresses:withCompletionBlock:]_block_invoke + 124
ChatKit`__71-[CKPendingConversation refreshStatusForAddresses:withCompletionBlock:]_block_invoke + 124:
-> 0x30b364c0: pop {r4, r5, r6, r7, pc}
   0x30b364c2: nop

ChatKit`__copy_helper_block_:
   0x30b364c4: ldr r1, [r1, #20]
   0x30b364c6: adds r0, #20
(lldb) ni
Process 30928 stopped
* thread #1: tid = 0x78d0, 0x331f0d74 IMCore`___lldb_unnamed_function425$$IMCore + 1360, queue = 'com.apple.main-thread, stop reason = instruction step over
    frame #0: 0x331f0d74 IMCore`___lldb_unnamed_function425$$IMCore + 1360
IMCore`___lldb_unnamed_function425$$IMCore + 1360:
-> 0x331f0d74: movw r0, #26972
   0x331f0d78: movt r0, #2081
   0x331f0d7c: add r0, pc
   0x331f0d7e: ldr r1, [r0]





We're inside IMCore now. Since we have just calculated the LR without the ASLR offset to be 0x2903ED75, and IMCore shares the same ASLR offset as ChatKit, just drag and drop IMCore into IDA and jump to 0x2903ED75 once the initial analysis has finished, as shown in figure 10-34.
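The address arithmetic above, as an added example that is not from the book: given the ASLR slide shared by every image in the dyld shared cache, it maps a runtime address such as $lr to its image and to the unslid address IDA expects. The image table and sizes are constructed for illustration (real ones come from "image list -o -f" in lldb); only the slide 0xa1b2000 and the addresses are from the text.

```python
from typing import NamedTuple, Optional

class Image(NamedTuple):
    name: str
    unslid_base: int   # base address as IDA shows it, before ASLR
    size: int          # constructed mapping size, not a real value

# From the text: 0x331f0d75 - 0xa1b2000 = 0x2903ED75
ASLR_SLIDE = 0x0A1B2000

# Constructed table: bases chosen so that sub_26984444 falls in ChatKit and
# 0x2903ED75 falls in IMCore, matching the session in the text.
IMAGES = [
    Image("ChatKit", 0x26980000, 0x00040000),
    Image("IMCore", 0x28FC0000, 0x000A0000),
]

def slide_from(runtime_addr: int, unslid_addr: int) -> int:
    """Derive the slide from one address seen in lldb and its IDA counterpart."""
    return runtime_addr - unslid_addr

def unslide(runtime_addr: int, slide: int = ASLR_SLIDE) -> int:
    """Runtime address -> address as IDA shows it."""
    return runtime_addr - slide

def resolve(runtime_addr: int, slide: int = ASLR_SLIDE) -> Optional[dict]:
    """Find the image containing a runtime address and return its unslid address.

    On ARM, a Thumb caller leaves bit 0 of LR set, so the return address seen
    after `ni` is one lower (0x331f0d74 vs $lr = 0x331f0d75); clear it before
    the range lookup so the lookup uses the real instruction address.
    """
    pc = runtime_addr & ~1
    unslid = unslide(pc, slide)
    for img in IMAGES:
        if img.unslid_base <= unslid < img.unslid_base + img.size:
            return {"image": img.name, "unslid": unslid,
                    "thumb": bool(runtime_addr & 1)}
    return None  # not in any image we know about

if __name__ == "__main__":
    print(hex(slide_from(0x30B36444, 0x26984444)))   # the ChatKit breakpoint
    print(resolve(0x331F0D75))                        # $lr from the session
```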
