Inferior call to class_getName() in gdb – Part 3: getting a class name

A simple suggestion to work around this issue

Why not read a class name from memory directly? Let’s start from class_getName().

Class_getName() calls _class_getName() with the parameter “Class”. _class_getName changes its parameter “Class” to “class_t *” and calls getName() to get a class name. Let’s take a look at the structures used here.

We are ready to check if we can use this data in gdb. Load Safari and set a bp at objc_msgSend().

The first parameter of objc_msgSend() is id.

We can get Class from the first parameter (r0).

As Class is changed to class_t, we need to access 0x3a2927b3 with the class_t structure data. Find the value of data (class_rw_t) in the class_t.

A class_rw_t structure resides at 0x1cd286c0. Its offset 8 has “const class_ro_t *ro”.

const class_ro_t has char * for a class name at offset 16.

Let’s see how it works with a gdb script.

Please note that this approach just deals with one of the two cases to get a class name. A little more work is required for a complete solution. Refer to the getName() code for this.

Testing environment

  • OS: iOS 6.01
  • Device: jailbroken iPod 4G
  • tools: gdb

2 thoughts on “Inferior call to class_getName() in gdb – Part 3: getting a class name

  1. Hey, I’ve read all of your posts and have found them absolutely fascinating keep on going! I just wanted to let you know there are a few lurkers out here that absolutely appreciate this posts. I find them extremely insightful and have been learning a lot and doing a bunch of my own experimentation.

    Posted by Chase G | August 2, 2013, 6:55 pm
  2. Man, you rocks!.. I reverse Android app, mostly. You iOS reversion blog is very-very cool blog.

    Posted by Dima Kovalenko | September 21, 2013, 4:46 am

