Microsoft Word - iOSAppReverseEngineering.docx

IMCore anymore. Like we’ve just said, we’re jumping between IMCore and ChatKit, and ChatKit’s ASLR offset happens to be 0xa1b2000 too, so let’s head to ChatKit to see if 0x268dbca5 is there:

Figure 10-87 [CKConversationList conversationForHandles:displayName:joinedChatsOnly:create:]

0x268dbca5 is inside [CKConversationList conversationForHandles:displayName:joinedChatsOnly:create:], whose 1st argument is the source of the argument of chatForIMHandle:. Keep tracing the caller:


Process 292950 stopped
* thread #1: tid = 0x47856, 0x30a8dc60 ChatKit`-[CKConversationList conversationForHandles:displayName:joinedChatsOnly:create:], queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x30a8dc60 ChatKit`-[CKConversationList conversationForHandles:displayName:joinedChatsOnly:create:]
ChatKit`-[CKConversationList conversationForHandles:displayName:joinedChatsOnly:create:]:
->  0x30a8dc60: push {r4, r5, r6, r7, lr}
    0x30a8dc62: add r7, sp, #12
    0x30a8dc64: sub sp, #8
    0x30a8dc66: mov r6, r0
(lldb) po $r2
<__NSArrayM 0x178d2290>(
[IMHandle: <[email protected]::cn> (Person: ) (Account: P:+86PhoneNumber]
)
(lldb) p/x $lr
(unsigned int) $1 = 0x30a84efd

LR without the ASLR offset is 0x30a84efd – 0xa1b2000 = 0x268d2efd, which is located inside [CKTranscriptController sendMessage:]. Can you believe it? We’ve walked a big circle and returned to our starting point, which leaves us with mixed feelings. Keep calm and carry on; let’s see how this NSArray is composed, as shown in figure 10-88.
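The address arithmetic above (subtract the module's ASLR slide from a runtime value such as $lr, then find the method whose start address lies at or just below it) is done by hand several times in this walkthrough. The script below, an added example that is not part of the book, automates that step. It assumes the slide 0xa1b2000 from the page and a constructed symbol table: the start of -[CKConversationList conversationForHandles:...] (0x268dbc60) follows from the breakpoint hit at 0x30a8dc60 minus the slide, while the other entries and their addresses are hypothetical placeholders so the lookup has neighbours.

```python
import bisect
import re

# ChatKit's ASLR slide as observed on the page.
ASLR_SLIDE = 0x0A1B2000

# Constructed symbol table of unslid method start addresses, sorted ascending.
# The start of -[CKConversationList conversationForHandles:...] (0x268dbc60) is
# derived from the page: the breakpoint hit at 0x30a8dc60 minus the slide. Every
# other entry is a hypothetical placeholder so the lookup has neighbours to test.
SYMBOLS = [
    (0x268D2E00, "-[CKTranscriptController sendMessage:]"),             # hypothetical start
    (0x268D3400, "-[CKTranscriptController hypotheticalNextMethod]"),   # hypothetical
    (0x268DBC60, "-[CKConversationList conversationForHandles:displayName:joinedChatsOnly:create:]"),
    (0x268DBE00, "-[CKConversationList hypotheticalNextMethod]"),       # hypothetical
]


def unslide(runtime_addr, slide=ASLR_SLIDE):
    """Strip the ASLR slide so the address matches what the static binary shows."""
    return runtime_addr - slide


def reslide(static_addr, slide=ASLR_SLIDE):
    """Inverse: turn a static address into the one to pass to 'br s -a' in lldb."""
    return static_addr + slide


def resolve(runtime_addr, symbols=SYMBOLS, slide=ASLR_SLIDE):
    """Map a runtime address to (method name, offset into that method).

    Uses the last symbol whose start is <= the unslid address, i.e. the same
    'which method contains this address' question the walkthrough answers by hand.
    Returns None if the address precedes every known symbol.
    """
    static = unslide(runtime_addr, slide)
    starts = [start for start, _ in symbols]
    idx = bisect.bisect_right(starts, static) - 1
    if idx < 0:
        return None
    start, name = symbols[idx]
    return name, static - start


# Matches the trailing hex value of an lldb line such as '(unsigned int) $1 = 0x30a84efd'.
_LLDB_VALUE = re.compile(r"=\s*(0x[0-9a-fA-F]+)\s*$")


def resolve_lldb_line(line, **kwargs):
    """Take the output line of 'p/x $lr' and resolve the value it prints."""
    m = _LLDB_VALUE.search(line)
    if m is None:
        raise ValueError("no hex value in lldb output: %r" % line)
    return resolve(int(m.group(1), 16), **kwargs)


if __name__ == "__main__":
    # Transcript line taken from the page's 'p/x $lr' output.
    name, off = resolve_lldb_line("(unsigned int) $1 = 0x30a84efd")
    print("LR 0x30a84efd -> static 0x%x, %s+0x%x" % (unslide(0x30a84efd), name, off))
```

With a real symbol table (for example one exported from the disassembler's function list), the same lookup replaces the manual subtraction for every $lr or $pc value captured while stepping between IMCore and ChatKit; reslide() gives the address to break on after the slide changes between launches.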
