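Preface
In the previous post we traced execution as far as __forwarding_prep_0___ and ___forwarding___, but could not find either of them in the CF sources (printing the stack with bt also shows __forwarding_prep_0___ and ___forwarding___). Below we use disassembly to see what they do.
1. Ways to inspect the message forwarding flow
1.1 Disassembly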
int main(int argc, const char * argv[]) {
    @autoreleasepool {
        TestA *testA = [[TestA alloc] init];
        [testA test6];
    }
    return 0;
}
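To watch the forwarding path that the rest of this post disassembles, the following added example (not code from the original post) gives TestA a declared but unimplemented test6 and logs each forwarding hook as the runtime reaches it. The TestA body is an assumption, since the post does not show the class here.

```objc
// Added example, not from the original post. The TestA body is an assumption:
// test6 is declared but has no implementation, so sending it enters forwarding.
#import <Foundation/Foundation.h>

@interface TestA : NSObject
- (void)test6;   // declared only; deliberately left unimplemented
@end

#pragma clang diagnostic push
#pragma clang diagnostic ignored "-Wincomplete-implementation"
@implementation TestA

// Fast forwarding: the runtime asks for a replacement receiver first.
// Returning nil (or self) makes it fall through to the next stage.
- (id)forwardingTargetForSelector:(SEL)aSelector {
    NSLog(@"forwardingTargetForSelector: %@", NSStringFromSelector(aSelector));
    return nil;
}

// Full forwarding: a signature is needed to build the NSInvocation.
- (NSMethodSignature *)methodSignatureForSelector:(SEL)aSelector {
    NSLog(@"methodSignatureForSelector: %@", NSStringFromSelector(aSelector));
    if (aSelector == @selector(test6)) {
        return [NSMethodSignature signatureWithObjCTypes:"v@:"];
    }
    return [super methodSignatureForSelector:aSelector];
}

// Last stage: handle the invocation here instead of raising
// "unrecognized selector sent to instance".
- (void)forwardInvocation:(NSInvocation *)anInvocation {
    NSLog(@"forwardInvocation: %@", NSStringFromSelector(anInvocation.selector));
}

@end
#pragma clang diagnostic pop

int main(int argc, const char * argv[]) {
    @autoreleasepool {
        TestA *testA = [[TestA alloc] init];
        [testA test6];   // unimplemented, so the hooks above are consulted
    }
    return 0;
}
```

Saved as main.m (a file name chosen for this example), it builds with clang -fobjc-arc -framework Foundation main.m, and a breakpoint inside any of the hooks shows ___forwarding___ in the bt output.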
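Since __forwarding_prep_0___ and ___forwarding___ are not in CF, we try disassembling instead. IDA or Hopper both work; I used Hopper here. Set a breakpoint on test6 and run, then enter image list in lldb to see the loaded images. Search for CoreFoundation to find /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation, then press Shift + Command + G to go to that path and drag the CoreFoundation executable into Hopper.
You can see that __forwarding_prep_0___ in turn calls ___forwarding___. Double-click to enter ___forwarding___; below is part of the decompiled pseudocode.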
int ____forwarding___(int arg0, int arg1) {
    ......
loc_64b9b:
    ......
    if (class_respondsToSelector(r12, @selector(forwardingTargetForSelector:)) == 0x0) goto loc_64c47;
loc_64bdc:
    rdi = rbx;
    rax = [rdi forwardingTargetForSelector:var_140];
    if ((rax == 0x0) || (rax == rbx)) goto loc_64c47;
    ......
loc_64c6a:
    rax = class_respondsToSelector(r12, @selector(methodSignatureForSelector:));
    r14 = var_138;
    var_148 = r15;
    if (rax == 0x0) goto loc_64fb7;
loc_64c92:
    rax = [r14 methodSignatureForSe