Microsoft Word - iOSAppReverseEngineering.docx


Figure 10-54 Caller of sub_2903E824


To rule out the possibility that sub_2903E824 is reached through some other, indirect path, let's first make sure its caller really is IMChatCalculateServiceForSendingNewCompose. Re-enter the address in Messages, set a breakpoint at the first instruction of sub_2903E824, and then press "return" to trigger the breakpoint:


Process 154446 stopped
* thread #1: tid = 0x25b4e, 0x331f0824 IMCore`___lldb_unnamed_function425$$IMCore, queue = 'com.apple.main-thread, stop reason = breakpoint 2.1
    frame #0: 0x331f0824 IMCore`___lldb_unnamed_function425$$IMCore
IMCore`___lldb_unnamed_function425$$IMCore:
->  0x331f0824: push   {r4, r5, r6, r7, lr}
    0x331f0826: add    r7, sp, #12
    0x331f0828: push.w {r8, r10, r11}
    0x331f082c: sub    sp, #144
(lldb) p/x $lr
(unsigned int) $17 = 0x331f067b
(lldb)





The ASLR offset is 0xa1b2000, so LR without the offset is 0x2903E67B, which is exactly inside IMChatCalculateServiceForSendingNewCompose. (Bit 0 of LR is the Thumb state bit, so the real return address is 0x2903E67A; it falls inside the same function either way.) OK, since the 18th data source comes from R5, R5 is the 19th data source. Further, the 19th data source comes from the return value of objc_msgSend, so this return value is the 20th data source. With everything ready, let's reveal this mysterious objc_msgSend:


Process 154446 stopped
* thread #1: tid = 0x25b4e, 0x331f0668 IMCore`IMChatCalculateServiceForSendingNewCompose + 688, queue = 'com.apple.main-thread, stop reason = breakpoint 3.1
    frame #0: 0x331f0668 IMCore`IMChatCalculateServiceForSendingNewCompose + 688
IMCore`IMChatCalculateServiceForSendingNewCompose + 688:
->  0x331f0668: blx    0x332603b0                ; symbol stub for: objc_msgSend
    0x331f066c: mov    r5, r0
    0x331f066e: add    r0, sp, #44
    0x331f0670: mov    r1, r5
(lldb) p (char *)$r1
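The address bookkeeping behind "LR without the offset is 0x2903E67B" is easy to get wrong by hand (slide subtracted in the wrong direction, Thumb bit left in LR), so here it is redone as an added Python example. This is not code from the book; it only uses the addresses LLDB and IDA printed on this page. Two things are assumptions: the caller's start address is derived from the "+ 688" frame LLDB showed, and each function is taken to run up to the start of the next one when deciding which function a return address falls in.

```python
# Added example (not the book's code): map LLDB runtime addresses back to
# IDA's unslid addresses and check which function a return address lands in.

THUMB_BIT = 0x1  # ARMv7: bit 0 of LR records the Thumb state of the return site

# Two views of the same instruction, both from the page: LLDB's runtime
# address of the breakpoint and IDA's unslid address of sub_2903E824.
RUNTIME_SUB_START = 0x331F0824
STATIC_SUB_START = 0x2903E824

# LLDB stopped at "IMChatCalculateServiceForSendingNewCompose + 688" at
# 0x331f0668, so the caller's runtime start is 0x331f0668 - 688 (assumption:
# the "+ 688" offset is relative to the function's first instruction).
RUNTIME_CALLER_PLUS_688 = 0x331F0668

# LR printed by LLDB at the breakpoint inside sub_2903E824.
LR_AT_BREAKPOINT = 0x331F067B


def slide_from_pair(runtime_addr, static_addr):
    """ASLR slide = runtime address - IDA's address of the same instruction."""
    return runtime_addr - static_addr


def unslide(addr, slide):
    """Runtime address -> IDA (unslid) address."""
    return addr - slide


def strip_thumb_bit(addr):
    """Clear bit 0 so a Thumb-state LR becomes the real return address."""
    return addr & ~THUMB_BIT


def function_table(slide):
    """(name, unslid start) pairs sorted by start address."""
    caller_start = unslide(RUNTIME_CALLER_PLUS_688 - 688, slide)
    return sorted(
        [
            ("IMChatCalculateServiceForSendingNewCompose", caller_start),
            ("sub_2903E824", STATIC_SUB_START),
        ],
        key=lambda f: f[1],
    )


def containing_function(addr, functions):
    """Return (name, offset) for the function addr falls in, or None.

    Assumption: each function extends to the start of the next one in the
    table, so the last function whose start is <= addr owns it.
    """
    hit = None
    for name, start in functions:
        if addr >= start:
            hit = (name, addr - start)
        else:
            break
    return hit


def locate_return_site(lr, slide, functions):
    """Given LR at a breakpoint, answer "who called us?" as
    (function name, offset in that function, unslid return address)."""
    ret = strip_thumb_bit(unslide(lr, slide))
    hit = containing_function(ret, functions)
    if hit is None:
        return None
    return hit[0], hit[1], ret


if __name__ == "__main__":
    slide = slide_from_pair(RUNTIME_SUB_START, STATIC_SUB_START)
    funcs = function_table(slide)
    print("ASLR slide:        0x%x" % slide)
    print("LR unslid:         0x%X" % unslide(LR_AT_BREAKPOINT, slide))
    print("return site:       %s" % (locate_return_site(LR_AT_BREAKPOINT, slide, funcs),))
```

The same three helpers (slide, unslide, strip the Thumb bit) apply to any ARMv7 address you copy out of LLDB; only the function table changes from target to target, and it can be filled from IDA's function list instead of the two entries derived here.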



