Because SP2 = SP1 - 0x14 and *SP1 = R1,
Therefore, “STR R1, [SP,#0xA8+var_A8]” is the place where *(SP2 + 0x14) is written, and
R1 in this instruction is the 14th data source A! Also, we can easily find that R5 in “MOV R1, R5”
is the 12th data source B. The logics of tracing from 13th data source A to 14th data source A
and from 11th data source B to 12th data source B go across images, bringing high complexity.
With the illustration of figure 10-39, I hope everything is more intuitive. We strongly suggest
you comb through everything by referring to this figure before moving on to the next
paragraph.
Figure 10- 39 How data sources evolve
Before we continue our analysis, let’s verify our deduction so far with LLDB: reinput the
address and set the breakpoint on “STR R1, [SP,#0xA8+var_A8]” to print R1, i.e. the 14th data
source A. Next, execute “ni” until we reach “MOV R1, R5”, print R5 i.e. the 12th data source B.
Then we’ll experience an image switch from IMCore to ChatKit, so execute “si” to reach “CMP
R0, #2” and print R0, i.e. the 13th data source A. Finally, we execute “ni” until “TST.W R1,
#0xFF” to print R1, i.e. the 11th data source B. Press “return” to trigger the breakpoint and
follow the above steps to check whether their values equal to each other like figure 10-39 shows.
(lldb) br s -a 0x30230D6E
Process 37477 stopped
* thread #1: tid = 0x9265, 0x30230d6e IMCore`___lldb_unnamed_function425$$IMCore + 1354,
queue = 'com.apple.main-thread, stop reason = breakpoint 11.1
frame #0: 0x30230d6e IMCore`___lldb_unnamed_function425$$IMCore + 1354
IMCore`___lldb_unnamed_function425$$IMCore + 1354:
0x30230d6e: str r1, [sp]