re-enter the address, set a breakpoint at the beginning of [CKPendingConversation
setComposeSendingService:], and then press "return" to trigger the breakpoint:
Process 30928 stopped
* thread #1: tid = 0x78d0, 0x30b3665c ChatKit`-[CKPendingConversation setComposeSendingService:], queue = 'com.apple.main-thread', stop reason = breakpoint 1.1
    frame #0: 0x30b3665c ChatKit`-[CKPendingConversation setComposeSendingService:]
ChatKit`-[CKPendingConversation setComposeSendingService:]:
0x30b3665c:  movw   r1, #41004
0x30b36660:  movt   r1, #2535
0x30b36664:  add    r1, pc
0x30b36666:  ldr    r1, [r1]
(lldb) p/x $lr
(unsigned int) $0 = 0x30b3656d
Subtracting ChatKit's ASLR offset from this LR gives 0x2698456D, which is the same address without the offset, i.e. as IDA shows it (the offset in this session is 0x30b3656d - 0x2698456D = 0x0A1B2000). LR is the return address, so it points just after the instruction that called [CKPendingConversation setComposeSendingService:], which puts us inside the caller. The address is odd because the caller runs in Thumb mode and LR carries the Thumb bit; the instruction itself sits at 0x2698456C. Jump to this address in IDA, as shown in figure 10-25.
Figure 10-25 Jump to 0x2698456D
The argument of [CKPendingConversation setComposeSendingService:] is R2 (R0 holds self and R1 the selector, so the first real argument of an Objective-C method travels in R2), and it is the 7th data source. R2 comes from R6, so R6 is the 8th data source. Search upward for where R6 gets its value, as shown in figure 10-26.
Figure 10-26 Look for the 9th data source
R6 comes from R1, so R1 is the 9th data source. And where does R1 come from? We are inside sub_26984530, and R1 is read here without being written anywhere above it in the function. R1 is an argument register (the first four arguments are passed in R0 through R3), so its value must have been supplied by the caller of sub_26984530, right? Let's take a look at the cross references to sub_26984530 to find its possible callers, as shown in figure 10-27.