loc_10007390C
SUB X8, X29, #-stuff
LDUR X10, [X8,#-0x100] ;
LDR X0, [X10,#0x10] ;
SUB X8, X29, #-var_1E8
LDUR X2, [X8,#-0x100]
STP X0, XZR, [X2]
SUB X8, X29, #-var_1F0
LDUR X3, [X8,#-0x100]
NOP
LDR X8, =__NSConcreteStackBlock
STR X8, [X3]
STR D8, [X3,#8]
ADD X8, X3, #0x10
ADR X9, sub_100092800
NOP
PACIA X9, X8
ADR X8, unk_1001A2658
NOP
STP X9, X8, [X3,#0x10]
LDUR X8, [X29,#var_B8]
STR X8, [X3,#0x20]
LDUR X8, [X29,#var_C0]
STP X8, X10, [X3,#0x28]
LDUR W8, [X29,#anotherStuff]
STR W8, [X3,#0x38]
SUB X8, X29, #-var_290
LDUR W8, [X8,#-0x100]
STR W8, [X3,#0x3C]
MOV W1, #0
MOV W4, #1
BL do_the_dance
TST W0, #0xFF00
B.EQ loc_1000E8730
我对ADR X9,sub_100092800]的工作有些困惑。看起来好像是将地址加载到X9中,但是一旦加载,它也会调用子例程吗?
loc_10007390C SUB X8,X29,#stuff LDUR X10,[X8,#-0x100]; LDR X0,[X10,#0x10]; SUB X8,X29,#-var_1E8 LDUR X2,[X8,#-0x100] STP ...
从清单中,没有电话。它将PC相对偏移加载到寄存器中,然后对其不执行任何操作。但是请在几个地方看一下ADR / NOP序列。看起来好像要用调用命令(BL)修补NOP。
ptrauth/ARM64E initiative by Apple指令将符号ADR X9, sub_100092800的地址加载到X9寄存器中。它本身不会调用或分支到那里的代码。