Microsoft Word - iOSAppReverseEngineering.docx


Save this snippet as a file named main.m, and compile it with the command given in its comments.


Drag and drop MainBinary into IDA, and then check the cross references of NSLog, as shown in figure 6-48.

Figure 6-48 Check the cross references of NSLog


As we can see, NSLog appears in 4 functions. If we see "iOSRE: 0" in syslog while we are reversing, how can we know which NSLog call it comes from? When there are only tens of lines of code, we can figure out by hand that only TestFunction3 is called, and that it in turn calls NSLog. But what if there are 20 TestFunctions that are called by 8 separate functions? As the amount of code increases, manual analysis becomes too complicated. If we want to find the caller of NSLog under such circumstances, LLDB will be very helpful. Generally, there are 2 main methods.



  • Inspect LR


Still remember the LR register introduced in section 6.1? Its job is to hold the return address of a function call. So what is a return address? Take an example:


#include <stdio.h>

void FunctionB(void) { printf("in FunctionB\n"); }

void FunctionA(void)
{
    /* ... */
    FunctionB();   /* B returns to the instruction right after this call */
    /* ... */
}

In the above code, FunctionA calls FunctionB, while A and B are located in 2 different memory areas, and their addresses have no direct connection. After the execution of B, the process needs to go back to A to continue execution, as shown in figure 6-49.
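The same idea carried into an added C example, which is not code from the book: a stand-in for NSLog records the return address its caller left in LR, and a lookup over a constructed function list (like the one IDA shows) maps that address back to the caller, which is exactly what you do by hand after reading LR in LLDB. The names log_stub, resolve_caller and caller_of_last_log are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Plays the role of NSLog: remember the address this call returns to,
 * which is the value the caller placed in LR before branching here. */
static uintptr_t last_lr;

__attribute__((noinline)) static int log_stub(const char *tag, int n) {
    last_lr = (uintptr_t)__builtin_return_address(0);  /* LR on entry */
    printf("%s: %d\n", tag, n);
    return n;
}

/* Three callers of the same log function. The arithmetic after each call
 * prevents a tail call, so the return address stays inside the caller. */
__attribute__((noinline)) int TestFunction1(void) { return log_stub("iOSRE", 1) + 1; }
__attribute__((noinline)) int TestFunction2(void) { return log_stub("iOSRE", 2) + 2; }
__attribute__((noinline)) int TestFunction3(void) { return log_stub("iOSRE", 0) + 3; }

/* A constructed function list: symbol name plus start address. */
struct symbol { const char *name; uintptr_t start; };

/* Map an LR value to its caller: the function whose start is the greatest
 * address not above lr. Functions are contiguous, so no other function can
 * begin between the caller's first instruction and the return address. */
const char *resolve_caller(uintptr_t lr, const struct symbol *syms, size_t n) {
    const struct symbol *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (syms[i].start <= lr && (!best || syms[i].start > best->start))
            best = &syms[i];
    /* These functions are tiny; a larger gap means the real caller is not
     * in the table, so report that instead of guessing. */
    if (!best || lr - best->start > 4096) return "<unknown>";
    return best->name;
}

const char *caller_of_last_log(void) {
    const struct symbol table[] = {
        { "TestFunction1", (uintptr_t)TestFunction1 },
        { "TestFunction2", (uintptr_t)TestFunction2 },
        { "TestFunction3", (uintptr_t)TestFunction3 },
    };
    return resolve_caller(last_lr, table, sizeof table / sizeof table[0]);
}

int main(void) {
    TestFunction3();
    printf("\"iOSRE: 0\" was logged from %s\n", caller_of_last_log());
    return 0;
}
```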
