know a certain private class better. In this chapter, when we came across some suspicious
variables, we didn't strictly analyze them with IDA and LLDB; instead we only browsed the
corresponding headers, guessed their prototypes and usages, then tested those guesses with
Cycript until we achieved our goals. Deng Xiaoping, a famous leader of my country, once said:
"It doesn't matter whether a cat is white or black, as long as it catches mice", which applies to
iOS reverse engineering too.
- Analyze functions in IDA to connect the dots and form a plane
When it comes to inspecting the implementation of a function, IDA is one of the handiest
tools. Cross references, address jumping, global search and the like help us quickly locate what
we're interested in, as well as browse the surrounding context to form an overall understanding.
In detecting iMessages, we've straightened out the relationships among [CKMessageEntryView
updateEntryView], [CKPendingConversation sendingService], [CKPendingConversation
composeSendingService], IMChatCalculateServiceForSendingNewCompose and so on; among
them IMChatCalculateServiceForSendingNewCompose is a C function, hence invisible to
class-dump, which only lists Objective-C classes and methods. In sending iMessages, we've
traced from the high level method [CKTranscriptController sendComposition:] (whose argument
is a CKComposition), through [CKTranscriptController _startCreatingNewMessageForSending:],
[CKConversation sendMessage:newComposition:] and [CKConversation
sendMessage:onService:newComposition:], down to the low level method [IMChat
sendMessage:] (whose argument is an IMMessage). All these operations pick call chains out of
the plane according to the keywords and clues provided by IDA. That's a lot of handwork, but
with the assistance of IDA the workload is totally acceptable.
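The call chain above is a static picture drawn from IDA; it can be confirmed at runtime by breaking on the lowest method and reading the backtrace upwards. The following LLDB session is an added example, not a transcript from the chapter. It assumes MobileSMS has already been attached through debugserver on a 32-bit device (so self, _cmd and the first argument live in r0, r1 and r2, and a return value comes back in r0), and that the method and function names above are available to the debugger as symbols.

```lldb
# Stop at the low-level method so every sent message halts here.
(lldb) br s -n "-[IMChat sendMessage:]"
# Now send a message from MobileSMS. When the breakpoint hits, print the
# backtrace and read it bottom-up: if the static analysis is right, it runs
# from -[CKTranscriptController sendComposition:] through
# -[CKConversation sendMessage:onService:newComposition:] down to this frame.
(lldb) bt
# Inspect the receiver and the argument: r0 is the IMChat, r2 the IMMessage.
(lldb) po $r0
(lldb) po [$r2 class]
(lldb) po $r2
# The service decision lives in the C function that class-dump cannot see.
# Break on it, step out to its caller, and print whatever it returned (r0).
(lldb) br s -n IMChatCalculateServiceForSendingNewCompose
(lldb) c
(lldb) finish
(lldb) po $r0
# Let MobileSMS carry on sending.
(lldb) c
```

If IMChatCalculateServiceForSendingNewCompose is not an exported symbol on the device, `br s -n` will not resolve it; in that case take the function's address from IDA, add the ASLR offset reported by `image list -o -f` for the framework, and set the breakpoint with `br s -a` instead. On an arm64 device read x0 and x2 rather than r0 and r2.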
- Pick out the exact line, i.e. the call chain, from the plane with LLDB
LLDB plays a significant role throughout the whole chapter. Although we've tried to limit
its usage in section 10.3, we have to bring it out when tracing function callers and dynamically
analyzing arguments. Compared with GDB, LLDB supports iOS better: crashes and bugs are rare,
and it works great on Objective-C objects, making our debugging much smoother. When
we were working on the detection and sending of iMessages, LLDB helped us clarify a great
many details; based on careful analysis of the closely related data sources, we've abstracted
a short summary of the working principles and design ideas of iMessage: MobileSMS plays the