Figure 6-49 An illustration of return address
The address that the process returns to after FunctionB finishes executing is the return
address, i.e. LR. Because that address lies inside FunctionB's caller, knowing the value of LR lets us
trace back to the caller. Let's illustrate this theory with an example. Drag and drop Foundation.framework's
binary into IDA; after the initial analysis finishes, locate NSLog and check its base address, as
shown in figure 6-50.
Figure 6-50 Check out NSLog’s base address
Its base address is 0x2261ab94; we will set a breakpoint on it shortly and print out the value
of LR. Next, launch MainBinary with debugserver:
FunMaker-5:~ root# debugserver -x backboard *:1234 /var/tmp/MainBinary
debugserver-@(#)PROGRAM:debugserver PROJECT:debugserver-320.2.89
for armv7.
Listening to port 1234 for a connection from *...
Then connect with LLDB:
(lldb) process connect connect://localhost:1234
Process 450336 stopped
* thread #1: tid = 0x6df20, 0x1fec7000 dyld`_dyld_start, stop reason = signal SIGSTOP
frame #0: 0x1fec7000 dyld`_dyld_start
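The idea above, that the return address captured inside a callee always lies in the caller's body and can therefore be mapped back to the caller, is shown here as an added example in C; it is not code from the book or from MainBinary. `function_b` stands in for NSLog (the callee we break on), `function_a` and `function_c` are two hypothetical callers, and the "symbol table" is just the example's own functions' start addresses, constructed at runtime. `__builtin_return_address(0)` yields what LR holds at function entry on ARM (the pushed return slot on x86), and `resolve` does what IDA or `image lookup -a` does for a real binary: find the function whose start is the highest one at or below the address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed mini symbol table: names and start addresses of this
 * program's own functions, filled in at runtime from their addresses. */
struct sym {
    const char *name;
    uintptr_t   start;
};

/* Return address captured inside function_b (the value LR holds at entry on ARM). */
static uintptr_t g_last_return_address;

/* Plays the role of FunctionB / NSLog: the function we "break" on. */
__attribute__((noinline)) static void function_b(void)
{
    /* __builtin_extract_return_addr strips any pointer signature (arm64e/PAC)
     * so that a raw code address is stored; it is a no-op elsewhere. */
    g_last_return_address =
        (uintptr_t)__builtin_extract_return_addr(__builtin_return_address(0));
}

/* Two different callers of function_b. The arithmetic after the call keeps
 * the compiler from turning it into a tail call, which would change LR. */
__attribute__((noinline)) static int function_a(int x)
{
    function_b();
    return x + 1;
}

__attribute__((noinline)) static int function_c(int x)
{
    function_b();
    return x * 2;
}

/* Map an address to the function containing it: functions do not overlap,
 * so the table entry with the highest start not above addr is the one
 * whose body addr lies in. Returns "<unknown>" if nothing starts below it. */
static const char *resolve(uintptr_t addr, const struct sym *tab, size_t n)
{
    const struct sym *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (tab[i].start <= addr && (best == NULL || tab[i].start > best->start))
            best = &tab[i];
    }
    return best ? best->name : "<unknown>";
}

/* Build the table from the functions' own addresses (hypothetical names). */
static size_t symbol_table(struct sym *tab, size_t cap)
{
    const struct sym all[] = {
        { "function_a", (uintptr_t)function_a },
        { "function_b", (uintptr_t)function_b },
        { "function_c", (uintptr_t)function_c },
    };
    size_t n = sizeof all / sizeof all[0];
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) tab[i] = all[i];
    return n;
}

/* Call function_b through one of the callers, then name that caller using
 * nothing but the captured return address. This is what the LLDB session
 * in the text does by hand: break on the callee, read LR, look it up. */
const char *caller_seen_by_function_b(int via_c)
{
    struct sym tab[8];
    size_t n = symbol_table(tab, sizeof tab / sizeof tab[0]);
    if (via_c) function_c(1); else function_a(1);
    /* On 32-bit ARM, bit 0 of LR is set when the caller runs in Thumb state;
     * clear it before looking the address up there. Not needed on x86. */
    return resolve(g_last_return_address, tab, n);
}

int main(void)
{
    const char *who = caller_seen_by_function_b(0);
    printf("return address 0x%lx lies in %s\n",
           (unsigned long)g_last_return_address, who);
    who = caller_seen_by_function_b(1);
    printf("return address 0x%lx lies in %s\n",
           (unsigned long)g_last_return_address, who);
    return strcmp(who, "function_c") == 0 ? 0 : 1;
}
```

In the LLDB session this corresponds to reading LR at the breakpoint (`register read lr`, or `p/x $lr`) and then resolving it with `image lookup -a <address>`, which names the image and function containing the address just as `resolve` does against the constructed table.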