[iOS reverse engineering] Getting the current instance handle while debugging in assembly language

Source: Internet
Author: User
When analyzing Safari behavior, you can use the Objective-C runtime to inspect the state of a UIView semantically at any time. For example, you can set a breakpoint in a UIView method and look at the current view hierarchy. All you need is the handle of the current instance. I looked up some information on this and am recording it here.

Function parameter passing

Applications in the iOS simulator run in 32-bit mode (as can be seen in Activity Monitor). According to the description of Intel 32-bit parameter passing in <Mac OS X Debugging Magic>:
Table 2: Accessing parameters on Intel 32-bit

What                GDB syntax
Return address      *(int *)$esp
First parameter     *(int *)($esp + 4)
Second parameter    *(int *)($esp + 8)
... and so on

If you have already entered the function body, that is, you are past the part that sets up the stack frame (the prologue), the parameters must instead be read relative to the frame pointer register EBP.

Table 3: Accessing parameters after the prologue

What                GDB syntax
Previous frame      *(int *)$ebp
Return address      *(int *)($ebp + 4)
First parameter     *(int *)($ebp + 8)
Second parameter    *(int *)($ebp + 12)
... and so on

Return values are stored in the EAX register.

Now that we know how parameters are laid out, how do C++ and Objective-C pass the handle of the current instance?
The answer is in the same document:

When debugging Cocoa code at the assembly language level, remember the following runtime features:

  • The Objective-C compiler adds two implicit parameters to every method, the first of which is a pointer to the object being called (self).

  • The second implicit parameter is the method selector (_cmd). In Objective-C this is of type SEL;
    in GDB you can print this as a C string.

  • The Objective-C runtime dispatches methods via a family of C functions. The most commonly seen is objc_msgSend, but some architectures use objc_msgSend_stret for
    methods that return structures, and some architectures use objc_msgSend_fpret for methods that return floating point values. There are also equivalent functions for calling super (objc_msgSendSuper and
    so on).

  • The first word of any Objective-C object (the isa field) is a pointer to the object's class.

That is, when a method is called, the first parameter is the object the method is invoked on (self), and the second parameter is the method selector (_cmd).

Practice: analyze the execution state in -[CALayer addSublayer:].


Here the lldb memory command is used to dump the four words at the top of the stack:

(lldb) memory read -s4 -fx -c4 `$esp`
0xb01dd28c: 0x0000a07c 0x0929e170 0x04e7aad3 0x1386d750

Then check the handle passed as the first parameter:

(lldb) po [0x0929e170 description]
or
(lldb) po [`*(int *)($esp + 4)` description]
(id) $102 = 0x0929e210 <CALayer: 0x929e170>

(Note: ` is a backtick, not a single quotation mark! If this object is a UIView, you will appreciate its power once you use recursiveDescription.)

(lldb) po [0x0929e170 isHidden]
(id) $105 = 0x00000001 [no Objective-C description available]

Other methods can be called on the object in the same way. Now verify the second parameter:

(lldb) memory read -s4 -fs 0x4e7aad3
or
(lldb) memory read -s4 -fs `*(int *)($esp + 8)`

0x04e7aad3: "addSublayer:"

0x04e7aae0: NULL

Using an instance to inspect the UIView hierarchy shows the real power of this approach:

(lldb) po [[`*(int *)($esp + 4)` superview] recursiveDescription]

(id) $7 = 0x0719f940 <UIWebSelectionView: 0x0000d74e0; frame = (0 0; 0 0); layer = <CALayer: 0x0000d7620>>
   | <UIView: 0x0000d7770; frame = (0 0; 0 0); userInteractionEnabled = NO; layer = <CALayer: 0x0000d77d0>>
   | <UIWebSelectionOutline: 0x759b340; frame = (-2 -2; 4 4); userInteractionEnabled = NO; layer = <CALayer: 0x75963e0>>
   | <UIView: 0x759b3f0; frame = (0 0; 0 0); layer = <CALayer: 0x759d580>>
   | <UIView: 0x759da60; frame = (0 0; 0 0); layer = <CALayer: 0x759bfb0>>
   | <UIView: 0x759be40; frame = (0 0; 0 0); layer = <CALayer: 0x759db30>>
   | <UIView: 0x718d150; frame = (0 0; 0 0); layer = <CALayer: 0x719f650>>

Notes:

  • If the code is C++, the first parameter is this, which can be queried in the same way.

  • The function's return value is placed in EAX; set a breakpoint at the RET instruction and it can be read easily.

  • lldb is recommended for this kind of debugging, as it has much better Objective-C support.

References: iOS Debugging Magic, Mac OS X Debugging Magic
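To make Tables 2 and 3 and the session above concrete, here is a small Python helper (an added example, not code from the original post) that maps one line of lldb `memory read -s4 -fx` output onto the 32-bit calling-convention slots, labelling the two implicit Objective-C parameters, and that produces the debugger expression for each slot in both the at-entry ($esp) and post-prologue ($ebp) layouts. The names ENTRY_LAYOUT, slot_names and decode_frame are my own; it is meant for reading captured dumps outside the debugger.

```python
import re

# Slot layouts from the page's tables: Table 2 (at entry, relative to $esp)
# and Table 3 (after the prologue, relative to $ebp). 32-bit Intel, 4-byte slots.
# Objective-C prepends two implicit arguments to every method: self and _cmd.
WORD = 4
ENTRY_LAYOUT = {
    "esp": {"return address": 0},
    "ebp": {"previous frame": 0, "return address": 4},
}
FIRST_ARG_OFFSET = {"esp": 4, "ebp": 8}


def lldb_expr(base, slot_offset):
    """GDB/lldb expression that reads the 4-byte slot at base + slot_offset."""
    if slot_offset == 0:
        return f"*(int *)${base}"
    return f"*(int *)(${base} + {slot_offset})"


def slot_names(base, nargs):
    """Ordered (name, offset, expression) triples for an Objective-C method frame
    with `nargs` explicit arguments following self and _cmd."""
    slots = list(ENTRY_LAYOUT[base].items())
    first = FIRST_ARG_OFFSET[base]
    slots += [("self", first), ("_cmd", first + WORD)]
    slots += [(f"arg{i}", first + (2 + i) * WORD) for i in range(nargs)]
    return [(name, off, lldb_expr(base, off)) for name, off in slots]


def decode_frame(dump_line, base="esp"):
    """Parse one 'memory read -s4 -fx' line, e.g.
    '0xb01dd28c: 0x0000a07c 0x0929e170 0x04e7aad3 0x1386d750',
    into {slot name: {address, value, expr}} using the chosen layout."""
    addr_str, _, words_str = dump_line.partition(":")
    start = int(addr_str, 16)
    # lldb prints -s4 -fx words zero-padded to 8 hex digits.
    words = [int(w, 16) for w in re.findall(r"0x[0-9a-fA-F]{8}", words_str)]
    nargs = max(len(words) - len(ENTRY_LAYOUT[base]) - 2, 0)
    frame = {}
    for name, off, expr in slot_names(base, nargs):
        idx = off // WORD
        if idx < len(words):
            frame[name] = {"address": start + off, "value": words[idx], "expr": expr}
    return frame


if __name__ == "__main__":
    # The dump line captured in the session above (-[CALayer addSublayer:]).
    for name, slot in decode_frame("0xb01dd28c: 0x0000a07c 0x0929e170 0x04e7aad3 0x1386d750").items():
        print(f"{name:16} {slot['expr']:24} @0x{slot['address']:08x} = 0x{slot['value']:08x}")
```

Run it on the page's dump line and the "self" slot resolves to 0x0929e170 (the CALayer) and "_cmd" to 0x04e7aad3 (the "addSublayer:" selector), matching the session.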

When reprinting, please indicate the source: http://blog.csdn.net/horkychen
