Microsoft Word - iOSAppReverseEngineering.docx


return value of objc_msgSend, let’s set a breakpoint here and see what method it is:


Process 132234 stopped
* thread #1: tid = 0x2048a, 0x331f092e IMCore`___lldb_unnamed_function425$$IMCore + 266, queue = 'com.apple.main-thread', stop reason = breakpoint 5.1
    frame #0: 0x331f092e IMCore`___lldb_unnamed_function425$$IMCore + 266
IMCore`___lldb_unnamed_function425$$IMCore + 266:
-> 0x331f092e:  blx    0x332603b0    ; symbol stub for: objc_msgSend
   0x331f0932:  mov    r8, r0
   0x331f0934:  cmp.w  r8, #0
   0x331f0938:  bne    0x331f08e2    ; ___lldb_unnamed_function425$$IMCore + 190
(lldb) p (char *)$r1
(char *) $6 = 0x2f7d81d9 "countByEnumeratingWithState:objects:count:"
(lldb) po $r0
<__NSArrayI 0x16706930>(
[email protected]
)
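Typing the two inspection commands by hand at every hit gets tedious when the same objc_msgSend stub is reached in a loop. The following is an added example, not part of the book's session: it attaches the commands to the breakpoint so LLDB prints the selector and receiver on each stop and resumes by itself. It assumes the breakpoint on the call site above is still breakpoint 5, as in the session shown. On 32-bit ARM the receiver (self) is passed in R0 and the selector (_cmd) in R1, because they are objc_msgSend's first two arguments; any further method arguments follow in R2 and R3.

```lldb
(lldb) breakpoint command add 5
Enter your debugger command(s).  Type 'DONE' to end.
> p (char *)$r1
> po $r0
> continue
> DONE
(lldb) continue
```

To stop only on a suspicious case rather than on every call, a condition can be added with `breakpoint modify -c '$r0 == 0' 5`, which makes LLDB stop only when the receiver is nil, a common source of silently ignored messages.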





As the LLDB output shows, the selector is countByEnumeratingWithState:objects:count:, the fast-enumeration method, and its return value is the number of objects fetched from the recipient array, which is 0 only when the array is empty. The result is moved from R0 into R8 and compared with 0; if the array is not empty, R8 is nonzero, the BNE is taken and MobileSMS branches right. Here the recipient array contains one recipient, so the branch condition is met and MobileSMS branches right, which doesn't change R5. OK, search upward for the next branch, as shown in figure 10-46.


Figure 10-46 Branch


In figure 10-46, what are R11 and R8 respectively? R8 we already know: it holds the number of recipients. For R11, IDA gives a straightforward answer in the block shown in figure 10-47.


Figure 10-47 loc_2903e8e2


The initial value of R11 is 0. Each time before "CMP R11, R8" executes, R11 is increased by 1, so R11 plays the role of a loop counter that runs over the recipients. "CMP" performs a subtraction (R11 - R8), discards the result and only updates the flags; on ARM the carry flag is cleared if the subtraction borrows (R11 is lower than R8 as an unsigned value) and set otherwise. The branch instruction here is "BCC", in which "CC" means "Carry Clear", i.e. "branch if the carry flag is 0". BCC is the same condition as BLO (unsigned lower), so the loop is taken again as long as R11 < R8, and it falls through once the counter reaches the recipient count.
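To make the flag rules concrete, here is an added example (not code from the book) that simulates how "CMP Rn, Op2" sets N, Z, C and V, evaluates every ARM condition code against those flags, and replays the counter loop above for a given recipient count in R8. It goes beyond the text by covering all condition codes, including the signed ones, so the difference between BCC/BLO (unsigned lower) and BLT (signed less than) is visible. The loop shape (body, R11 += 1, CMP, BCC back) is an assumption drawn from the description in the text, not a transcript of IMCore's code.

```python
"""ARM CMP flag semantics and the BCC loop test, as a small simulator.

Added example, not code from the book: models how "CMP Rn, Op2" updates the
N, Z, C and V flags and how the condition codes read them, then replays the
counter loop described in the text ("CMP R11, R8; BCC ...") for a given
recipient count in R8.  The loop shape is assumed from that description.
"""

MASK32 = 0xFFFFFFFF


def cmp_flags(rn, op2):
    """Flags after "CMP Rn, Op2", i.e. Rn - Op2 with the result discarded.

    ARM defines C as NOT borrow for subtraction: C is 1 when Rn >= Op2 as
    unsigned 32-bit values and 0 when the subtraction borrows.  V is set on
    signed overflow, N on a negative result and Z on a zero result.
    """
    rn &= MASK32
    op2 &= MASK32
    result = (rn - op2) & MASK32
    n = (result >> 31) & 1
    z = 1 if result == 0 else 0
    c = 1 if rn >= op2 else 0                        # no borrow -> carry set
    # Signed overflow: operand signs differ and the result sign differs from Rn.
    v = (((rn ^ op2) & (rn ^ result)) >> 31) & 1
    return {"N": n, "Z": z, "C": c, "V": v}


def condition_passed(cond, flags):
    """Evaluate an ARM condition code against a flag set from cmp_flags()."""
    n, z, c, v = flags["N"], flags["Z"], flags["C"], flags["V"]
    table = {
        "EQ": z == 1,            "NE": z == 0,
        "CS": c == 1,            "HS": c == 1,        # unsigned higher or same
        "CC": c == 0,            "LO": c == 0,        # carry clear == unsigned lower
        "MI": n == 1,            "PL": n == 0,
        "VS": v == 1,            "VC": v == 0,
        "HI": c == 1 and z == 0, "LS": c == 0 or z == 1,
        "GE": n == v,            "LT": n != v,
        "GT": z == 0 and n == v, "LE": z == 1 or n != v,
        "AL": True,
    }
    return table[cond]


def counter_loop(r8):
    """Replay the loop from the text for a recipient count held in R8.

    R11 starts at 0; each iteration runs the body, increments R11, then
    executes "CMP R11, R8" and "BCC loop", so the loop repeats while
    R11 < R8 (unsigned).  Returns the R11 values the body ran with.
    """
    r11 = 0
    iterations = []
    while True:
        iterations.append(r11)
        r11 = (r11 + 1) & MASK32
        if not condition_passed("CC", cmp_flags(r11, r8)):
            break
    return iterations


if __name__ == "__main__":
    for rn, op2 in ((1, 1), (0, 1), (0x80000000, 1)):
        f = cmp_flags(rn, op2)
        print(f"CMP {rn:#x}, {op2:#x} -> {f}  BCC taken: {condition_passed('CC', f)}")
    print("loop body ran with R11 =", counter_loop(3))
```

Note the third sample, CMP 0x80000000, 1: the carry flag is set (0x80000000 is unsigned-higher than 1, so BCC is not taken), yet V is set and N is clear, so BLT would be taken (as a signed value 0x80000000 is INT_MIN, which is less than 1). Reading a loop bound with the wrong signedness is exactly how off-by-one and integer-overflow bugs hide in counter loops like this one, so checking which condition code the compiler chose is worth the extra minute.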
