Towards Discovering Remote Code Execution Vulnerabilities in Apple FaceTime

Zero-click and one-click remote exploits against Apple FaceTime and iMessage attract increasing attention, but neither the real-world vulnerabilities nor the attack surfaces of these targets have been fully studied and analyzed in the past. In this talk, we share the results of reverse engineering FaceTime, focusing on how a FaceTime call is initialized and connected. Following the propagation path of attacker-controlled data, we discuss the different attack surfaces FaceTime exposes. In particular, beyond trivial denial-of-service issues, we describe a number of vulnerabilities in FaceTime (and other relevant components), including memory corruption flaws such as heap and stack overflows and out-of-bounds reads, and we develop and demonstrate proof-of-concept exploits that yield a fully controlled Objective-C isa pointer or program counter (PC) in FaceTime, affecting both macOS and iOS.
