ASLR offset of MobilePhoneSettings is 0x6db3000. Then take a look at
objc_msgSendSuper2’s address, as shown in figure 6-30.
Figure 6-30 Check out address of objc_msgSendSuper2
The breakpoint should be set at 0x6db3000 + 0x25BB2B68 = 0x2C965B68. Re-enter
MobilePhoneSettings to trigger the breakpoint:
(lldb) br s -a 0x2C965B68
Breakpoint 1: where = MobilePhoneSettings`-[PhoneSettingsController
tableView:cellForRowAtIndexPath:] + 40, address = 0x2c965b68
Process 268587 stopped
* thread #1: tid = 0x4192b, 0x2c965b68 MobilePhoneSettings`-[PhoneSettingsController
tableView:cellForRowAtIndexPath:] + 40, queue = ‘com.apple.main-thread, stop reason =
breakpoint 1.1
frame #0: 0x2c965b68 MobilePhoneSettings`-[PhoneSettingsController
tableView:cellForRowAtIndexPath:] + 40
MobilePhoneSettings`-[PhoneSettingsController tableView:cellForRowAtIndexPath:] + 40:
0x2c965b68: blx 0x2c975fb8 ; symbol stub for:
CTSettingRequest$shim
0x2c965b6c: mov r4, r0
0x2c965b6e: movw r0, #54708
0x2c965b72: movt r0, #2697
(lldb) p (char )$r1
(char ) $0 = 0x2c3daf33 "tableView:cellForRowAtIndexPath:"
(lldb) po $r0
[no Objective-C description available]
(lldb) ni
Process 268587 stopped
- thread #1: tid = 0x4192b, 0x2c965b6c MobilePhoneSettings
-[PhoneSettingsController tableView:cellForRowAtIndexPath:] + 44, queue = ‘com.apple.main-thread, stop reason = instruction step over frame #0: 0x2c965b6c MobilePhoneSettings
-[PhoneSettingsController
tableView:cellForRowAtIndexPath:] + 44
MobilePhoneSettings`-[PhoneSettingsController tableView:cellForRowAtIndexPath:] + 44:
0x2c965b6c: mov r4, r0
0x2c965b6e: movw r0, #54 708
0x2c965b72: movt r0, #2697
0x2c965b76: mov r2, r5
(lldb) po $r0
<PSTableCell: 0x15fc6b00; baseClass = UITableViewCell; frame = (0 0; 320 44); text = ‘My
Number’; tag = 2; layer = <CALayer: 0x15fbbe40>>