there’re any clues in class-dump headers.
To compose objects of IMChat and IMMessage from scratch, we need to see if there’re any
constructors or initializers in their headers. Let’s start from IMChat.h and search for methods
with the name “init”:
- (id)_initWithDictionaryRepresentation:(id)arg1 items:(id)arg2 participantsHint:(id)arg3 accountHint:(id)arg4;
- (id)init;
- (id)_initWithGUID:(id)arg1 account:(id)arg2 style:(unsigned char)arg3 roomName:(id)arg4 displayName:(id)arg5 items:(id)arg6 participants:(id)arg7;
Although these look like initializers, they take various arguments that we don’t yet know
how to construct. The trail of clues breaks here; what’s next?
Do you still remember how we managed to find the receiver of “sendMessage:”? Yes, it’s
[self chat]; self is a CKConversation object. Since [CKConversation chat] returns an IMChat
object, let’s analyze this method in IDA to see if there’s any clue, as shown in figure 10-81.
Figure 10-81 [CKConversation chat]
[CKConversation chat] simply returns the instance variable _chat. This scenario is quite
familiar, isn’t it? We’ve met a similar situation analyzing _composeSendingService in figure 10-.
Once again, we have to let LLDB take the job for now. Delete this iMessage conversation (to
delete this CKConversation object) and create a new iMessage (to create a new CKConversation
object), then set a breakpoint on [CKConversation setChat:]. Press “Send” to trigger the
breakpoint:
Process 248623 stopped
* thread #1: tid = 0x3cb2f, 0x30ad277c ChatKit`-[CKConversation setChat:], queue = 'com.apple.main-thread', stop reason = breakpoint 13.1
frame #0: 0x30ad277c ChatKit`-[CKConversation setChat:]
ChatKit`-[CKConversation setChat:]:
0x30ad277c: movw r3, #55168
0x30ad2780: movt r3, #2541
0x30ad2784: add r3, pc
0x30ad2786: ldr r3, [r3]
(lldb) po $r2
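The two manual steps on this page, scanning a class-dump header for “init” methods and then reading the first argument out of r2 at the breakpoint, can be scripted. The Python below is an added example, not code from the book; it parses class-dump style declarations (the IMChat.h lines above, retyped as a constructed sample with one setter and one class method added for variety) into selectors and argument types, lists the initializers with their argument counts, and maps each argument of a selector to the register or stack slot it occupies when a breakpoint on the method’s first instruction is hit on 32-bit ARM (AAPCS: r0 = self, r1 = _cmd, r2 and r3 for the first two arguments, the rest on the stack). The helper names are assumptions, and the register mapping assumes every argument is word-sized, which holds for the id and unsigned char arguments above but not for 64-bit integers or doubles.

```python
import re

# Constructed sample in class-dump style: the three IMChat.h "init" declarations
# quoted above, plus a setter and a class method added to exercise the parser.
SAMPLE_HEADER = """
@interface IMChat : NSObject
- (id)_initWithDictionaryRepresentation:(id)arg1 items:(id)arg2 participantsHint:(id)arg3 accountHint:(id)arg4;
- (id)init;
- (id)_initWithGUID:(id)arg1 account:(id)arg2 style:(unsigned char)arg3 roomName:(id)arg4 displayName:(id)arg5 items:(id)arg6 participants:(id)arg7;
- (void)setChat:(id)arg1;
+ (id)chatWithGUID:(id)arg1;
@end
"""

# "- (ret)rest;" or "+ (ret)rest;" -- instance or class method declaration.
METHOD_RE = re.compile(r'^\s*([-+])\s*\(([^)]*)\)\s*(.*?);\s*$')
# One "name:(type)argN" piece of a multi-part selector.
PART_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*):\s*\(([^)]*)\)\s*\w+')


def parse_methods(header_text):
    """Return one dict per method declaration found in class-dump header text."""
    methods = []
    for line in header_text.splitlines():
        m = METHOD_RE.match(line)
        if not m:
            continue  # @interface, @property, ivars, blank lines etc.
        kind, ret_type, rest = m.groups()
        parts = PART_RE.findall(rest)
        if parts:
            # Multi-part selector: join keyword pieces, keep the argument types.
            selector = ''.join(name + ':' for name, _ in parts)
            arg_types = [t.strip() for _, t in parts]
        else:
            # Unary selector such as "init": no arguments at all.
            selector = rest.strip()
            arg_types = []
        methods.append({
            'kind': kind,
            'returns': ret_type.strip(),
            'selector': selector,
            'arg_types': arg_types,
        })
    return methods


def find_initializers(header_text):
    """List (selector, argument count) for every method whose selector mentions 'init'."""
    return [(m['selector'], len(m['arg_types']))
            for m in parse_methods(header_text)
            if 'init' in m['selector'].lower()]


def arg_locations_arm32(selector):
    """Map self, _cmd and each argument of an Objective-C selector to where it lives
    at the first instruction of the method on 32-bit ARM (AAPCS via objc_msgSend).

    Assumption (hypothetical helper): every argument is a single machine word, so
    arguments 1-2 sit in r2/r3 and arguments 3+ sit at [sp, #0], [sp, #4], ... before
    the prologue pushes anything. 64-bit or floating-point arguments change this.
    """
    locations = {'self': 'r0', '_cmd': 'r1'}
    for i in range(selector.count(':')):
        if i < 2:
            locations['arg%d' % (i + 1)] = 'r%d' % (i + 2)
        else:
            locations['arg%d' % (i + 1)] = '[sp, #%d]' % ((i - 2) * 4)
    return locations


if __name__ == '__main__':
    for sel, n in find_initializers(SAMPLE_HEADER):
        print('%-75s %d args' % (sel, n))
    # At a breakpoint on -[CKConversation setChat:], the IMChat argument is in r2,
    # which is why "po $r2" is the right command on the page.
    print(arg_locations_arm32('setChat:'))
```

With the header parsed this way it is immediate which initializers exist and how many values each needs, and the register map tells you which `po $rN` (or stack load) to use when a breakpoint on the first instruction of a method fires.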