因为这个arrayWithObjects_count_函数的参数分别是C风格的对象数组和整数,但是你传给它的是单个对象本身。
看ida反编译的写法,是在v5存储了a1[6]对象的指针,然后把v5传给函数。
[Apple iPhone::设置]-> var nss = ObjC.classes.NSString
[Apple iPhone::设置]-> var s = nss.stringWithString_(‘12345678901234567890’)
[Apple iPhone::设置]-> var nsa = ObjC.classes.NSArray
[Apple iPhone::设置]-> var w = Memory.alloc(8)
[Apple iPhone::设置]-> w.writePointer(s.handle)
“0x1077db1d0”
[Apple iPhone::设置]-> nsa.arrayWithObjects_count_(w,1)
{
“handle”: “0x2828e0420”
}
[Apple iPhone::设置]-> var i = nsa.arrayWithObjects_count_(w,1)
[Apple iPhone::设置]-> i.toString()
“(\n 12345678901234567890\n)”
[Apple iPhone::设置]->