Databases
StackOverflow2013
Postsdbo
POOffset for objective C selectors in ARM assembly (IOS)
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POOffset for objective C selectors in ARM assembly (IOS)
    primarykey
    data
    text
    <p>I'm trying to understand how IOS objective-C message calls are implemented in ARM assembly language. Looking at IDA disassembly output I can see the class and selector references pushed into registers before __obj_msgsend is called. This makes perfect sense but the strange thing is there is a weird offset to these values.</p> <pre><code>selector ref = (selRef_arrayWithObject_ - 0x29B0) class ref = (classRef_NSArray - 0x29BC) </code></pre> <p>The 0x29BC value in the class ref seems to be pointing to the instruction after the __obj_msgsend which has a certain logic to it, but the 0x29B0 selector ref is pointing to a random MOVT instruction. And to make matters worse this offset seems to be different for each selector invocation. </p> <p>Does anyone know where these offsets come from? Why aren't they just referenced to the address of the instruction + 8?</p> <pre><code>__text:00002998 E8 1F 01 E3 MOV R1, #(selRef_arrayWithObject_ - 0x29B0) ; selRef_arrayWithObject_ __text:0000299C 05 20 A0 E1 MOV R2, R5 __text:000029A0 00 10 40 E3 MOVT R1, #0 __text:000029A4 01 50 A0 E3 MOV R5, #1 __text:000029A8 01 10 9F E7 LDR R1, [PC,R1] ; selRef_arrayWithObject_ ; "arrayWithObject:" __text:000029AC 74 00 02 E3 MOV R0, #(classRef_NSArray - 0x29BC) ; classRef_NSArray __text:000029B0 00 00 40 E3 MOVT R0, #0 __text:000029B4 00 00 9F E7 LDR R0, [PC,R0] ; _OBJC_CLASS_$_NSArray __text:000029B8 8C 05 00 EB BL _objc_msgSend </code></pre> <p>Update: Here is another case:</p> <pre><code>__text:00002744 50 12 02 E3 MOV R1, #(selRef_view - 0x2758) ; selRef_view __text:00002748 00 10 40 E3 MOVT R1, #0 __text:0000274C 00 50 A0 E1 MOV R5, R0 __text:00002750 01 10 9F E7 LDR R1, [PC,R1] ; selRef_view ; "view" __objc_selrefs:000049A8 1A 39 00 00 selRef_view DCD sel_view ; DATA XREF: __text:000025F8o </code></pre> <p>Thanks to Igor's explanation, I understand where the 0x2758 came from, but the math doesn't work out here: selRef_view - 0x2758 = 0x49A8 - 0x2758 = 0x2250. But the data in the first instruction is 50 12, which translates to 0x1250, 0x1000 less that I would expect. Any ideas???</p>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USLocksleyu
    1. USLocksleyu
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POOffset for objective C selectors in ARM assembly (IOS)
      1. USNyx0uf
      1. VTFavorite
    2. VO
      singulars
      1. POOffset for objective C selectors in ARM assembly (IOS)
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. POOffset for objective C selectors in ARM assembly (IOS)
      1. This table or related slice is empty.
      1. VTUpMod
    1. COYou said offset, but the disassembly listing is from absolute address.
      singulars
      1. POOffset for objective C selectors in ARM assembly (IOS)
      1. USarul
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload