Debugging problem

The app calls GADBannerView - (void)setDelegate:(id), which disassembles as:

__text:000F0AF0     ; GADBannerView - (void)setDelegate:(id)
__text:000F0AF0     ; Attributes: bp-based frame
__text:000F0AF0
__text:000F0AF0     ; void __cdecl -[GADBannerView setDelegate:](struct GADBannerView *self, SEL, id)
__text:000F0AF0     __GADBannerView_setDelegate__           ; DATA XREF: __objc_const:017A0048o
__text:000F0AF0
__text:000F0AF0     var_10          = -0x10
__text:000F0AF0
__text:000F0AF0 000                 STMFD           SP!, {R4-R7,LR}
__text:000F0AF4 014                 ADD             R7, SP, #0xC
__text:000F0AF8 014                 STR             R8, [SP,#0xC+var_10]!
__text:000F0AFC 018                 MOV             R5, #(:lower16:(selRef_slot - 0xF0B14))
__text:000F0B00 018                 MOV             R8, R0
__text:000F0B04 018                 MOVT            R5, #(:upper16:(selRef_slot - 0xF0B14))
__text:000F0B08 018                 MOV             R0, R2
__text:000F0B0C 018                 LDR             R5, [PC,R5] ; selRef_slot ; "slot"
__text:000F0B10 018                 BL              _objc_retain
__text:000F0B10
__text:000F0B14 018                 MOV             R6, R0
__text:000F0B18 018                 MOV             R0, R8
__text:000F0B1C 018                 MOV             R1, R5
__text:000F0B20 018                 BL              _objc_msgSend
__text:000F0B20
__text:000F0B24 018                 MOV             R7, R7
__text:000F0B28 018                 BL              _objc_retainAutoreleasedReturnValue
__text:000F0B28
__text:000F0B2C 018                 MOV             R1, #(:lower16:(selRef_delegateManager - 0xF0B40))
__text:000F0B30 018                 MOV             R5, R0
__text:000F0B34 018                 MOVT            R1, #(:upper16:(selRef_delegateManager - 0xF0B40))
__text:000F0B38 018                 LDR             R1, [PC,R1] ; selRef_delegateManager ; "delegateManager"
__text:000F0B3C 018                 BL              _objc_msgSend
__text:000F0B3C
__text:000F0B40 018                 MOV             R7, R7
__text:000F0B44 018                 BL              _objc_retainAutoreleasedReturnValue
__text:000F0B44
__text:000F0B48 018                 MOV             R1, #(:lower16:(selRef_setBannerDelegate_ - 0xF0B60))
__text:000F0B4C 018                 MOV             R2, R6
__text:000F0B50 018                 MOVT            R1, #(:upper16:(selRef_setBannerDelegate_ - 0xF0B60))
__text:000F0B54 018                 MOV             R4, R0
__text:000F0B58 018                 LDR             R1, [PC,R1] ; selRef_setBannerDelegate_ ; "setBannerDelegate:"
__text:000F0B5C 018                 BL              _objc_msgSend
__text:000F0B5C
__text:000F0B60 018                 MOV             R0, R6
__text:000F0B64 018                 BL              _objc_release
__text:000F0B64
__text:000F0B68 018                 MOV             R0, R4
__text:000F0B6C 018                 BL              _objc_release
__text:000F0B6C
__text:000F0B70 018                 MOV             R0, R5
__text:000F0B74 018                 BL              _objc_release
__text:000F0B74
__text:000F0B78 018                 MOV             R1, #(:lower16:(selRef_slot - 0xF0B8C))
__text:000F0B7C 018                 MOV             R0, R8
__text:000F0B80 018                 MOVT            R1, #(:upper16:(selRef_slot - 0xF0B8C))
__text:000F0B84 018                 LDR             R1, [PC,R1] ; selRef_slot ; "slot"
__text:000F0B88 018                 BL              _objc_msgSend
__text:000F0B88
__text:000F0B8C 018                 MOV             R7, R7
__text:000F0B90 018                 BL              _objc_retainAutoreleasedReturnValue
__text:000F0B90
__text:000F0B94 018                 MOV             R1, #(:lower16:(selRef_delegateManager - 0xF0BA8))
__text:000F0B98 018                 MOV             R4, R0
__text:000F0B9C 018                 MOVT            R1, #(:upper16:(selRef_delegateManager - 0xF0BA8))
__text:000F0BA0 018                 LDR             R1, [PC,R1] ; selRef_delegateManager ; "delegateManager"
__text:000F0BA4 018                 BL              _objc_msgSend
__text:000F0BA4
__text:000F0BA8 018                 MOV             R7, R7
__text:000F0BAC 018                 BL              _objc_retainAutoreleasedReturnValue
__text:000F0BAC
__text:000F0BB0 018                 MOV             R1, #(:lower16:(selRef_setAdView_ - 0xF0BC8))
__text:000F0BB4 018                 MOV             R2, R8
__text:000F0BB8 018                 MOVT            R1, #(:upper16:(selRef_setAdView_ - 0xF0BC8))
__text:000F0BBC 018                 MOV             R5, R0
__text:000F0BC0 018                 LDR             R1, [PC,R1] ; selRef_setAdView_ ; "setAdView:"
__text:000F0BC4 018                 BL              _objc_msgSend
__text:000F0BC4
__text:000F0BC8 018                 MOV             R0, R5
__text:000F0BCC 018                 BL              _objc_release
__text:000F0BCC
__text:000F0BD0 018                 MOV             R0, R4
__text:000F0BD4 018                 LDR             R8, [SP+0x10+var_10],#4
__text:000F0BD8 014                 LDMFD           SP!, {R4-R7,LR}
__text:000F0BDC 000                 B               _objc_release
  1. Find a way to get past the function and reach the caller: with a breakpoint at 000F0BDC (frame offset 000), `ni` ends up inside _objc_release!
     First problem solved. `B _objc_release` is a tail call: the prologue has already been popped (LDMFD restored R4-R7 and LR), so `ni` simply follows the branch. A plain `finish` returns to the caller, which turns out to be planAds:
__text:002A7E3E 098                 MOV             R0, #(selRef_planAds - 0x2A7E4A)
__text:002A7E46 098                 ADD             R0, PC ; selRef_planAds
__text:002A7E48 098                 LDR             R1, [R0] ; "planAds"
__text:002A7E4A 098                 MOV             R0, R4
__text:002A7E4C 098                 BLX.W           _objc_msgSend.island
__text:002A7E4C
__text:002A7E50 098                 MOV             R0, #(_OBJC_IVAR_$_PlayViewController.isBackFromAd - 0x2A7E5E) ; char isBackFromAd;

2) Set a breakpoint at the function entry, 000F0AF0, and look at the stack: before entering the function the caller must have saved the address of its next instruction.
In theory the stack should contain the return address for the call at 002A7E4C, that is, the address of the instruction after
__text:002A7E4C 098 BLX.W _objc_msgSend.island, which is 002A7E50.
The book says LR is pushed first. Is LR really the address of the next instruction??? I'm not sure whether I have misunderstood this.
LR, the link register
The link register is a special register that can hold return link information. Some cases described in this manual require this use of the LR. When software does not require the LR for linking, it can use it for other purposes. It can refer to LR as R14.
(lldb) register read
General Purpose Registers:
r0 = 0x081bff60
r1 = 0x2fd16976 "setDelegate:"
r2 = 0x0287f000
r3 = 0x00000001
r4 = 0x00000204
r5 = 0x081bff60
r6 = 0x2fd166e3 "statusBarOrientation"
r7 = 0x0253ea10
r8 = 0x0287f000
r9 = 0x028da3b8
r10 = 0x0180b540 (void *)0x3a83b358: UIApplication
r11 = 0x0180bfb4 (void *)0x01819848: + 18446744073709019696
r12 = 0x000f0af0 OPlayer Lite + 2559
sp = 0x0253e974
lr = 0x002bcde1 OPlayer Lite + 246185
pc = 0x000f0af0 OPlayer Lite + 2559
cpsr = 0x600f0010

(lldb) x/1x -c 90 0x0253e974
0x0253e974: 0x43a00000 0x42480000 0x0dc4edb0 0x00000000
0x0253e984: 0x0dc465a0 0x0253e994 0x398a7621 0x3a1e7e60
0x0253e994: 0x0253e9bc 0x2bfd51c5 0x0dc4edb0 0x3a1e8900
0x0253e9a4: 0x00000288 0x3c2cf600 0x3c2cf880 0x0dc4edb0
0x0253e9b4: 0x00000001 0xf23b1250 0x0253e9f0 0x398b8d5f
0x0253e9c4: 0x00000001 0xf23b1250 0xf23b1250 0x028ec400
0x0253e9d4: 0x028ec400 0x0dc4edb0 0x0dc51250 0x00000004
0x0253e9e4: 0x08233f60 0x0825ce80 0x00000004 0x00000000
0x0253e9f4: 0x00000000 0x01810258 0x00000000 0x0180bfb4
0x0253ea04: 0x03010a00 0x2fd185ee 0x000001fc 0x0253eaa8
0x0253ea14: 0x002a7e51 0x43a00000 0x42480000 0x0253ea28
0x0253ea24: 0x2f575193 0x0253ea38 0x000002e4 0x0253eabc
0x0253ea34: 0x2fd2622b 0x0253ea4c 0x4cc6d004 0x00000000
0x0253ea44: 0x00000000 0x00000001 0x00000000 0x3a836a94
0x0253ea54: 0x3a83b3bc 0x2fd4513e 0x2f862a5d 0x0253ea74
0x0253ea64: 0x398a4f1b 0x00000001 0x00000001 0x0000009c
0x0253ea74: 0x0253ea84 0x3989dab3 0x00000001 0x00000001
0x0253ea84: 0x0253ea98 0x00000000 0x00000000 0x0000009c
0x0253ea94: 0x00000001 0x3a836a94 0x03010a00 0x00000001
0x0253eaa4: 0x00000400 0x0253eaf8 0x2f58f51b 0x0dc51250
0x0253eab4: 0x00000000 0x00000001 0x3c30905c 0xc2000000
0x0253eac4: 0x00000000 0x2f61f909 0x4cc6d004 0x08097c60
0x0253ead4: 0x0253ebbc 0x0828a2e0

Far down the stack, at 0x0253ea14, the return address does turn up: 0x002a7e51, which is 0x002A7E50 (the instruction after the BLX.W at 002A7E4C) with bit 0 set because that code runs in Thumb state. It sits at r7 + 4 (r7 = 0x0253ea10 in the register dump), exactly where a prologue of the form STMFD SP!, {R4-R7,LR} / ADD R7, SP, #0xC leaves the saved LR, so it is the return address that the caller's own prologue saved, one frame above the one we are stopped in.

LR is the return address. BL/BLX writes the address of the instruction after the call into LR, and objc_msgSend branches to the method implementation without touching it, so when we stop on the first instruction of setDelegate: (before STMFD SP!, {R4-R7,LR} has saved it) lr = 0x002bcde1 is the return address into the code that sent the message. Bit 0 is set because that caller is Thumb code; the actual return target is 0x002bcde0. The 0x002a7e51 found on the stack is one frame further out: it is where planAds itself returns to, which is consistent with `finish` landing in planAds.
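Instead of eyeballing the dump for a plausible return address (step 2 above), the r7 frame-pointer chain can be walked mechanically. The following is an added example, not code from the original note: it parses the `x` dump shown above, starts from the r7 and lr values in the register dump, and follows [r7] = saved r7, [r7+4] = saved LR, the layout the page's own prologue (STMFD SP!, {R4-R7,LR} / ADD R7, SP, #0xC) produces and the armv7 iOS ABI mandates. A linear scan for words inside the app's __TEXT range is kept as a fallback for when r7 has been clobbered; the range used here (0x4000 to 0x400000) is an assumption that merely covers the two __text addresses visible on the page, and the real bounds should be taken from `image dump sections` in lldb.

```python
"""Walk the r7 frame-pointer chain in a raw lldb memory dump (added example).

On 32-bit iOS (armv7) r7 is the frame pointer, and a prologue such as
    STMFD SP!, {R4-R7,LR}
    ADD   R7, SP, #0xC
leaves [r7] = caller's saved r7 and [r7+4] = saved LR (the return address).
A Thumb return address has bit 0 set; the branch target is value & ~1.
"""
import re

# Constructed sample: the `x` dump and register values from the note above.
DUMP = """
0x0253e974: 0x43a00000 0x42480000 0x0dc4edb0 0x00000000
0x0253e984: 0x0dc465a0 0x0253e994 0x398a7621 0x3a1e7e60
0x0253e994: 0x0253e9bc 0x2bfd51c5 0x0dc4edb0 0x3a1e8900
0x0253e9a4: 0x00000288 0x3c2cf600 0x3c2cf880 0x0dc4edb0
0x0253e9b4: 0x00000001 0xf23b1250 0x0253e9f0 0x398b8d5f
0x0253e9c4: 0x00000001 0xf23b1250 0xf23b1250 0x028ec400
0x0253e9d4: 0x028ec400 0x0dc4edb0 0x0dc51250 0x00000004
0x0253e9e4: 0x08233f60 0x0825ce80 0x00000004 0x00000000
0x0253e9f4: 0x00000000 0x01810258 0x00000000 0x0180bfb4
0x0253ea04: 0x03010a00 0x2fd185ee 0x000001fc 0x0253eaa8
0x0253ea14: 0x002a7e51 0x43a00000 0x42480000 0x0253ea28
0x0253ea24: 0x2f575193 0x0253ea38 0x000002e4 0x0253eabc
0x0253ea34: 0x2fd2622b 0x0253ea4c 0x4cc6d004 0x00000000
0x0253ea44: 0x00000000 0x00000001 0x00000000 0x3a836a94
0x0253ea54: 0x3a83b3bc 0x2fd4513e 0x2f862a5d 0x0253ea74
0x0253ea64: 0x398a4f1b 0x00000001 0x00000001 0x0000009c
0x0253ea74: 0x0253ea84 0x3989dab3 0x00000001 0x00000001
0x0253ea84: 0x0253ea98 0x00000000 0x00000000 0x0000009c
0x0253ea94: 0x00000001 0x3a836a94 0x03010a00 0x00000001
0x0253eaa4: 0x00000400 0x0253eaf8 0x2f58f51b 0x0dc51250
0x0253eab4: 0x00000000 0x00000001 0x3c30905c 0xc2000000
0x0253eac4: 0x00000000 0x2f61f909 0x4cc6d004 0x08097c60
0x0253ead4: 0x0253ebbc 0x0828a2e0
"""
R7 = 0x0253EA10          # from `register read` at the 000F0AF0 breakpoint
LR = 0x002BCDE1
# Assumed __TEXT range of the main image (covers 0xF0AF0 and 0x2A7E4C seen
# in the disassembly); take the real bounds from `image dump sections`.
APP_TEXT_LO, APP_TEXT_HI = 0x4000, 0x400000

LINE_RE = re.compile(r"^(0x[0-9a-f]+):((?:\s+0x[0-9a-f]{8})+)\s*$")


def parse_dump(text):
    """Map word address -> 32-bit value for an `x` / `memory read -s4` dump."""
    words = {}
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable dump line: {line!r}")
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(tok, 16)
    return words


def decode_return(value):
    """Split a saved LR into (instruction address, 'thumb' | 'arm')."""
    if value & 1:
        return value & ~1, "thumb"
    return value, "arm"


def walk_frames(words, r7, lr, max_frames=16):
    """Return [(frame_fp, return_addr, mode), ...], innermost first.

    Frame 0 has not run its prologue yet (we stopped on the first instruction),
    so its return address is the LR register, not a stack slot (fp is None).
    """
    chain = [(None,) + decode_return(lr)]
    fp = r7
    for _ in range(max_frames):
        if fp not in words or fp + 4 not in words:
            break                       # chain runs past the dumped region
        saved_fp, saved_lr = words[fp], words[fp + 4]
        chain.append((fp,) + decode_return(saved_lr))
        if saved_fp <= fp:              # frames must grow toward higher addresses
            break
        fp = saved_fp
    return chain


def scan_for_text_pointers(words, text_lo, text_hi):
    """Fallback when r7 is unreliable: every stack word inside the app's __TEXT
    range, as (stack_addr, value). Filtering is by range only, so confirm each
    hit in the disassembler."""
    return sorted((a, v) for a, v in words.items() if text_lo <= v < text_hi)


if __name__ == "__main__":
    words = parse_dump(DUMP)
    for fp, addr, mode in walk_frames(words, R7, LR):
        where = "lr register" if fp is None else f"[0x{fp + 4:08x}]"
        print(f"return to 0x{addr:08x} ({mode}) via {where}")
    for a, v in scan_for_text_pointers(words, APP_TEXT_LO, APP_TEXT_HI):
        print(f"__TEXT pointer 0x{v:08x} at stack 0x{a:08x}")
```

The walk reproduces the manual result: frame 0 returns to 0x002bcde0 (the live LR, Thumb), the next frame's saved LR at 0x0253ea14 is 0x002a7e50 (the return from the planAds call at 002A7E4C), and the frame above that returns into a shared-cache library at 0x2f58f51a before the chain leaves the 90-word window that was dumped. The range scan finds the same single in-app return address, which is the sanity check to run whenever a frame-pointer walk looks suspicious.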