Binary file /System/Library/PreferenceBundles/MobilePhoneSettings.bundle/Info.plist matches
It seems that this class comes from MobilePhoneSettings.bundle. Next, class-dump its binary
and open PhoneSettingsController.h:
@interface PhoneSettingsController : PhoneSettingsListController <TPSetPINViewControllerDelegate>
......
- (id)myNumber:(id)arg1;
- (void)setMyNumber:(id)arg1 specifier:(id)arg2;
......
- (id)tableView:(id)arg1 cellForRowAtIndexPath:(id)arg2;
@end
From the snippet above, the first 2 methods are obviously related to my number. The 3rd
method is more general: it is used for initializing all cells, so it can be regarded as the UI
function of cells. Therefore, the data source of the top cell certainly lies in these 3 methods,
and we'll take the 3rd method as an example. Let's set a breakpoint at the end of
[PhoneSettingsController tableView:cellForRowAtIndexPath:] with LLDB and see whether the
return value contains my number. Attach debugserver to Preferences, then connect LLDB to
debugserver, and check the ASLR offset of MobilePhoneSettings:
(lldb) image list -o -f
[ 0] 0x00078000 /private/var/db/stash/_.29LMeZ/Applications/Preferences.app/Preferences(0x000000000007c000)
[ 1] 0x00231000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000000231000)
[ 2] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PrivateFrameworks/BulletinBoard.framework/BulletinBoard
[ 3] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
......
[322] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PreferenceBundles/MobilePhoneSettings.bundle/MobilePhoneSettings
......
As we can see, the ASLR offset of MobilePhoneSettings is 0x6db3000. Then check the
address of the last instruction in [PhoneSettingsController tableView:cellForRowAtIndexPath:],
as shown in figure 6-17:
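The lookup above, and the addition it leads to (ASLR offset plus the address the disassembler shows), can be scripted. The Python below is an added example, not code from the book: it parses image list -o -f output such as the listing above. The function names are hypothetical, and the file address 0x1234 is a constructed placeholder, because the real instruction address appears only in the figure.

```python
import re

# One entry of `image list -o -f`: "[idx] 0xSLIDE /path", with an optional
# trailing "(0xLOADADDR)" that LLDB prints for some images.
ENTRY = re.compile(
    r"^\[\s*(\d+)\]\s+(0x[0-9a-fA-F]+)\s+(.*?)(?:\(0x[0-9a-fA-F]+\))?\s*$"
)

def parse_image_list(text):
    """Return {image basename: ASLR offset} from `image list -o -f` output."""
    slides = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # skips the "(lldb)" prompt line and elided "......" rows
        path = m.group(3)
        slides[path.rsplit("/", 1)[-1]] = int(m.group(2), 16)
    return slides

def slide_for(text, image):
    """ASLR offset of one image; raises KeyError if it is not in the listing."""
    slides = parse_image_list(text)
    if image not in slides:
        raise KeyError(f"{image} is not loaded in the target process")
    return slides[image]

def runtime_address(slide, file_address):
    """Address in the live process = ASLR offset + address in the disassembler."""
    return slide + file_address

def breakpoint_command(text, image, file_address):
    """LLDB command that breaks at file_address inside the given image."""
    addr = runtime_address(slide_for(text, image), file_address)
    return f"breakpoint set --address {addr:#x}"

# Sample input: two entries taken from the listing above, one per line.
SAMPLE = """(lldb) image list -o -f
[ 0] 0x00078000 /private/var/db/stash/_.29LMeZ/Applications/Preferences.app/Preferences(0x000000000007c000)
......
[322] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PreferenceBundles/MobilePhoneSettings.bundle/MobilePhoneSettings
"""

# Constructed placeholder, NOT the real address from the figure.
PLACEHOLDER_FILE_ADDRESS = 0x1234

if __name__ == "__main__":
    print(breakpoint_command(SAMPLE, "MobilePhoneSettings", PLACEHOLDER_FILE_ADDRESS))
```

Matching on the image basename matters here because many system images in the listing share the same offset, while the main executable (Preferences) has its own.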