[CKConversationList _handleRegistryDidRegisterChatNotification:]; you'll see in IDA that
this time the IMChat comes from [notification object] rather than from the argument itself,
which is a notification. Since this IMChat object is passed through a notification, tracing
its source means finding the poster of this notification, not the caller of
[CKConversationList _handleRegistryDidRegisterChatNotification:]. Let's set a breakpoint on
the base address of this method and take a look at the structure of the notification:
Process 248623 stopped
* thread #1: tid = 0x3cb2f, 0x30a8d4ac ChatKit`-[CKConversationList _handleRegistryDidRegisterChatNotification:], queue = 'com.apple.main-thread', stop reason = breakpoint 16.1
frame #0: 0x30a8d4ac ChatKit`-[CKConversationList _handleRegistryDidRegisterChatNotification:]
ChatKit`-[CKConversationList _handleRegistryDidRegisterChatNotification:]:
0x30a8d4ac: push {r4, r5, r6, r7, lr}
0x30a8d4ae: add r7, sp, #12
0x30a8d4b0: push.w {r8, r10, r11}
0x30a8d4b4: sub.w r4, sp, #64
(lldb) po $r2
NSConcreteNotification 0x15934340 {name = __kIMChatRegistryDidRegisterChatNotification; object = <IMChat 0x147c39f0> [Identifier: [email protected] GUID: iMessage;-;[email protected] Persistent ID: [email protected] Account: 26B3EC90-783B-4DEC-82CF-F58FBBB22363 Style: - State: 0 Participants: 1 Room Name: (null) Display Name: (null) Last Addressed: (null) Group ID: (null) Unread Count: 0 Failure Count: 0]}
The name of the notification is “__kIMChatRegistryDidRegisterChatNotification”. To find
its poster, a good approach is to grep the whole filesystem and see which binaries contain the
notification name, as shown below:
FunMaker-5:~ root# grep -r _handleRegistryDidRegisterChatNotification: /System/
Binary file /System/Library/Caches/com.apple.dyld/dyld_shared_cache_armv7s matches
grep: /System/Library/Caches/com.apple.dyld/enable-dylibs-to-override-cache: No such file or directory
grep: /System/Library/Frameworks/CoreGraphics.framework/Resources/libCGCorePDF.dylib: No such file or directory
grep: /System/Library/Frameworks/CoreGraphics.framework/Resources/libCMSBuiltin.dylib: No such file or directory
grep: /System/Library/Frameworks/CoreGraphics.framework/Resources/libCMaps.dylib: No such file or directory
grep: /System/Library/Frameworks/System.framework/System: No such file or directory
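The same kind of search without the "No such file or directory" and "Too many levels of symbolic links" noise, as an added example that is not from the book: the function name find_string_holders is hypothetical, and a grep that supports -a, -b and -o (GNU grep) is assumed. It visits regular files only and prints each matching file with its hit count and the byte offset of the first hit.

```sh
#!/bin/sh
# Added example, not the book's code. find_string_holders is a hypothetical name.
# Usage: find_string_holders ROOT NEEDLE
# Prints one line per matching file: path<TAB>hit count<TAB>offset of first hit.
find_string_holders() {
    root=$1
    needle=$2
    # -type f (without -L) visits regular files only, so dangling links and
    # symlink loops never reach grep and produce no error lines.
    # Note: file names containing newlines are not handled.
    find "$root" -type f -print | while IFS= read -r file; do
        # -a: treat binary data as text; -b -o: print "offset:match" per hit;
        # -F: literal string; -e: safe for needles starting with '-' or '_'.
        hits=$(grep -a -b -o -F -e "$needle" "$file" 2>/dev/null) || continue
        count=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
        first=$(printf '%s\n' "$hits" | head -n 1 | cut -d: -f1)
        printf '%s\t%s\t%s\n' "$file" "$count" "$first"
    done
}
```

The offset column helps when the only match is a large container such as a shared cache, since it shows where in the file the string sits.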
The keyword appears in the cache. Naturally, let’s grep those decached files:
snakeninnys-MacBook:~ snakeninny$ grep -r __kIMChatRegistryDidRegisterChatNotification /Users/snakeninny/Code/iOSSystemBinaries/8.1_iPhone5/
Binary file /Users/snakeninny/Code/iOSSystemBinaries/8.1_iPhone5//dyld_shared_cache_armv7s matches
grep: /Users/snakeninny/Code/iOSSystemBinaries/8.1_iPhone5//System/Library/Caches/com.apple.xpc/sdk.dylib: Too many levels of symbolic links
grep: /Users/snakeninny/Code/iOSSystemBinaries/8.1_iPhone5//System/Library/Frameworks/OpenGLES.framework/libLLVMContainer.dylib: Too many levels of symbolic links