frame #0: 0x33235944 IMCore`___lldb_unnamed_function2048$$IMCore
IMCore`___lldb_unnamed_function2048$$IMCore:
-> 0x33235944: push {r4, r5, r6, r7, lr}
   0x33235946: add r7, sp, #12
   0x33235948: push.w {r8, r10, r11}
   0x3323594c: sub.w r4, sp, #64
(lldb) po $r3
<IMChat 0x147c7f30> [Identifier: [email protected] GUID: iMessage;-;[email protected] Persistent ID: [email protected] Account: 26B3EC90-783B-4DEC-82CF-F58FBBB22363 Style: - State: 0 Participants: 1 Room Name: (null) Display Name: (null) Last Addressed: (null) Group ID: (null) Unread Count: 0 Failure Count: 0]
(lldb) p/x $lr
(unsigned int) $27 = 0x3323646f





LR with the ASLR offset removed is 0x3323646f - 0xa1b2000 = 0x2908446F, which is located inside [IMChatRegistry _registerChat:isIncoming:guid:]. Keep tracing the caller:


Process 248623 stopped
* thread #1: tid = 0x3cb2f, 0x3323644c IMCore`___lldb_unnamed_function2049$$IMCore, queue = 'com.apple.main-thread', stop reason = breakpoint 20.1
frame #0: 0x3323644c IMCore`___lldb_unnamed_function2049$$IMCore
IMCore`___lldb_unnamed_function2049$$IMCore:
-> 0x3323644c: push {r4, r5, r7, lr}
   0x3323644e: add r7, sp, #8
   0x33236450: sub sp, #8
   0x33236452: movw r1, #9840
(lldb) po $r2
<IMChat 0x15972f20> [Identifier: [email protected] GUID: iMessage;-;[email protected] Persistent ID: [email protected] Account: 26B3EC90-783B-4DEC-82CF-F58FBBB22363 Style: - State: 0 Participants: 1 Room Name: (null) Display Name: (null) Last Addressed: (null) Group ID: (null) Unread Count: 0 Failure Count: 0]
(lldb) p/x $lr
(unsigned int) $30 = 0x33237173





LR with the ASLR offset removed is 0x33237173 - 0xa1b2000 = 0x29085173, which is located inside [IMChatRegistry chatForIMHandle:]. Meanwhile, the 1st argument of [IMChatRegistry _registerChat:isIncoming:guid:], i.e. the IMChat, comes from R5, and at the end of [IMChatRegistry chatForIMHandle:], R5 is what gets returned. In other words, [IMChatRegistry chatForIMHandle:] returns an IMChat object! Furthermore, as the name suggests, IMChatRegistry is a class for registering chats, so getting an IMChat object from this class is quite reasonable. Old questions go, new questions come: how do we get an IMChatRegistry object and the argument of chatForIMHandle:? Let's get to them one by one, starting from IMChatRegistry.
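The LR-to-caller step used twice above, as an added Python helper that is not from the book: it reads the value out of an lldb "p/x $lr" line, removes the ASLR slide, strips the Thumb mode bit, and looks the address up in a symbol table. The symbol table's start addresses are constructed placeholders, not the real addresses of those methods.

```python
import bisect
import re

# ASLR slide of IMCore in the traced session (the 0xa1b2000 the text subtracts).
SLIDE = 0x0A1B2000

# Constructed symbol table: (unslid start address, name), sorted by address.
# The start addresses are placeholders chosen so that the two LR values from
# the session fall inside the methods the text names; a real table would come
# from the binary's symbols or a disassembler. A function is taken to extend
# up to the next entry's start.
SYMBOLS = [
    (0x29084000, "[IMChatRegistry _registerChat:isIncoming:guid:]"),  # placeholder
    (0x29085000, "[IMChatRegistry chatForIMHandle:]"),               # placeholder
]

LLDB_HEX = re.compile(r"\$\d+\s*=\s*(0x[0-9a-fA-F]+)")

def parse_lldb_value(line):
    """Pull the value out of an lldb 'p/x' result such as
    '(unsigned int) $27 = 0x3323646f'."""
    m = LLDB_HEX.search(line)
    if not m:
        raise ValueError("not an lldb p/x result: %r" % line)
    return int(m.group(1), 16)

def caller_from_lr(lr, slide=SLIDE, symbols=SYMBOLS):
    """Map a slid LR back to the function that made the call.

    On ARM, LR holds the return address; an odd value means the caller runs in
    Thumb mode (bit 0 is the mode flag, not part of the address). 'unslid' is
    the plain subtraction the text prints; the lookup strips bit 0 first."""
    unslid = lr - slide
    thumb = bool(lr & 1)
    ret_addr = unslid & ~1
    starts = [start for start, _ in symbols]
    idx = bisect.bisect_right(starts, ret_addr) - 1
    if idx < 0:
        raise ValueError("0x%x is below the symbol table" % ret_addr)
    return {
        "unslid": unslid,
        "thumb": thumb,
        "return_address": ret_addr,
        # BL/BLX immediate is 4 bytes in ARM and Thumb-2, a Thumb 'blx <reg>'
        # is 2 bytes, so the call site is one of these two addresses.
        "call_site_candidates": (ret_addr - 4, ret_addr - 2),
        "function": symbols[idx][1],
    }

if __name__ == "__main__":
    for line in ("(unsigned int) $27 = 0x3323646f", "(unsigned int) $30 = 0x33237173"):
        info = caller_from_lr(parse_lldb_value(line))
        print("LR %s -> 0x%x in %s" % (line.split("= ")[1], info["unslid"], info["function"]))
```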
