6.3 Advanced LLDB usage
I bet the last section has opened a new chapter of iOS reverse engineering for you. The combination of IDA and LLDB can easily beat them all, and with the help of the ARM Architecture Reference Manual, you can conquer almost all Apps. I know you’re already desperate to practice what you have just learned.

Hold your horses for now. Although the examples in section 6.2 have combined IDA and LLDB, they haven’t covered LLDB’s common usage yet. In this section, we’ll go over some short LLDB examples for a better comprehension, which can greatly reduce our workload in practice.
6.3.1 Look for a function’s caller
In the examples of the previous section, when we were restoring call chains, we primarily focused on the callees of a function, i.e. we restored the bottom half of a call chain. To restore the top half, we need to find out the caller of a function. Look at this snippet:
// clang -arch armv7 -isysroot `xcrun --sdk iphoneos --show-sdk-path` -framework Foundation -o MainBinary main.m
#include <stdio.h>
#include <dlfcn.h>
#import <Foundation/Foundation.h>

extern void TestFunction0(void)
{
    NSLog(@"iOSRE: %u", arc4random_uniform(0));
}

extern void TestFunction1(void)
{
    NSLog(@"iOSRE: %u", arc4random_uniform(1));
}

extern void TestFunction2(void)
{
    NSLog(@"iOSRE: %u", arc4random_uniform(2));
}

extern void TestFunction3(void)
{
    NSLog(@"iOSRE: %u", arc4random_uniform(3));
}

int main(int argc, char **argv)
{
    TestFunction3();
    return 0;
}
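As an added illustration (not the book's own debugging session), the following LLDB commands find the caller of TestFunction3 in the snippet above. They assume MainBinary was built with the clang command in the comment (armv7, symbols not stripped) and is already being debugged in an LLDB session; on ARM the return address sits in lr when a function is entered, so a breakpoint on the callee's entry point exposes its caller directly.

```lldb
# Stop at the entry of the callee whose caller we want to know
(lldb) breakpoint set -n TestFunction3
(lldb) run
# With symbols present, frame #0 is TestFunction3 and frame #1 is its caller (main)
(lldb) bt
# At function entry lr holds the return address, i.e. the instruction
# in the caller right after the "bl TestFunction3"
(lldb) p/x $lr
# Resolve that address to module + symbol (works even for a stripped binary:
# the module and offset are still shown)
(lldb) image lookup -a $lr
# Print the ASLR slide of MainBinary; lr minus this slide is the address
# to look up in IDA when the symbol name is missing
(lldb) image list -o -f MainBinary
```

The same three steps (break on the callee, read lr or `bt`, subtract the slide) restore each link of the top half of a call chain one caller at a time.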