
Figure 6-28 Source of R4


Figure 6-29 Source of objc_msgSendSuper2


Judging by their names, objc_msgSendSuper2 and objc_msgSendSuper are supposed to work similarly, namely to send messages to the callers’ superclasses. Rather than guess, let’s set a breakpoint on objc_msgSendSuper2 and check its arguments as well as its return value. Attach debugserver to Preferences and connect with LLDB, then print out the ASLR offset of MobilePhoneSettings:


(lldb) image list -o -f
[ 0] 0x00079000 /private/var/db/stash/_.29LMeZ/Applications/Preferences.app/Preferences(0x000000000007d000)
[ 1] 0x00232000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000000232000)
[ 2] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PrivateFrameworks/BulletinBoard.framework/BulletinBoard
[ 3] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
......
[330] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PreferenceBundles/MobilePhoneSettings.bundle/MobilePhoneSettings
......
......
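The lookup done by eye in the listing above can be scripted. The following is an added example, not code from the book: it parses `image list -o -f` output, finds a module's ASLR offset, and adds it to an address taken from static analysis. The sample text is constructed by rejoining wrapped lines of the listing, and the static address 0x1000 is a placeholder, not a value from this page.

```python
import re

# Constructed sample: entries from the listing above, wrapped lines rejoined.
SAMPLE = """\
[ 0] 0x00079000 /private/var/db/stash/_.29LMeZ/Applications/Preferences.app/Preferences(0x000000000007d000)
[ 1] 0x00232000 /Library/MobileSubstrate/MobileSubstrate.dylib(0x0000000000232000)
[ 2] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PrivateFrameworks/BulletinBoard.framework/BulletinBoard
......
[330] 0x06db3000 /Users/snakeninny/Library/Developer/Xcode/iOS DeviceSupport/8.1 (12B411)/Symbols/System/Library/PreferenceBundles/MobilePhoneSettings.bundle/MobilePhoneSettings
"""

# [index] slide path[(load address)]
# The path may contain spaces and parentheses, e.g. "8.1 (12B411)", so the
# optional load address is only recognised as "(0x...)" at the end of the line.
LINE_RE = re.compile(
    r"^\[\s*(\d+)\]\s+(0x[0-9a-fA-F]+)\s+(.+?)(?:\((0x[0-9a-fA-F]+)\))?$"
)

def parse_image_list(text):
    """Map module basename -> index, ASLR offset (slide), path, load address."""
    images = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips blank lines and "......" elisions
        idx, slide, path, load = m.groups()
        name = path.rsplit("/", 1)[-1]
        # Keep the first entry if two images share a basename.
        images.setdefault(name, {
            "index": int(idx),
            "slide": int(slide, 16),
            "path": path,
            "load": int(load, 16) if load else None,
        })
    return images

def runtime_address(images, module, static_addr):
    """Address to break on in LLDB: static (disassembler) address + slide."""
    if module not in images:
        raise KeyError(f"{module} not found in image list")
    return images[module]["slide"] + static_addr

if __name__ == "__main__":
    imgs = parse_image_list(SAMPLE)
    addr = runtime_address(imgs, "MobilePhoneSettings", 0x1000)  # placeholder
    print(f"br s -a {addr:#x}")
```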