Wednesday, January 6, 2010

Two IDA Pro 5.x Scripts for iPhoneOS binaries

If you use IDA Pro to disassemble iPhoneOS binaries (Mach-O/ARM), you may find these scripts useful:
  • dyldinfo: This script lets IDA Pro understand the DYLD_INFO[_ONLY] load command introduced in firmware 3.1. Running it recovers some otherwise missing symbols.

  • fixobjc2: For binaries built with Objective-C ABI 2, this script can find and label all Objective-C functions and ivar offsets.


The result will look like this:


Because IDA doesn't allow "-" and spaces in names, the Objective-C function names are renamed like this:
  • -[Foo bar:baz:] → Foo.bar:baz:
  • +[Foo bar:baz:] → @Foo.bar:baz:
  • -[Foo(Cat) bar:baz:] → Foo(Cat).bar:baz:
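The renaming scheme above, as an added Python example (not part of the post's IDC scripts): it converts an Objective-C method reference to the IDA-safe label fixobjc2 would produce, maps such a label back to the original form, and checks that the result contains neither "-" nor spaces.

```python
import re

# "-[Foo(Cat) bar:baz:]": group 1 is "-" (instance) or "+" (class),
# group 2 the class name with optional "(Category)", group 3 the selector.
_OBJC_METHOD = re.compile(r"^([-+])\[(\w+(?:\(\w+\))?) ([^\]\s]+)\]$")


def ida_name_for_method(objc_name: str) -> str:
    """Rewrite "-[Foo bar:baz:]" into the form the post describes.

    IDA 5.x rejects "-" and spaces in names, so the brackets are dropped,
    class and selector are joined with ".", and a class method ("+") is
    marked with a leading "@".
    """
    m = _OBJC_METHOD.match(objc_name)
    if m is None:
        raise ValueError(f"not an Objective-C method reference: {objc_name!r}")
    kind, klass, selector = m.groups()
    prefix = "@" if kind == "+" else ""
    return f"{prefix}{klass}.{selector}"


def objc_name_for_ida(ida_name: str) -> str:
    """Inverse mapping: recover "+[Foo bar:baz:]" from "@Foo.bar:baz:"."""
    kind = "-"
    if ida_name.startswith("@"):
        kind = "+"
        ida_name = ida_name[1:]
    # Class names (even with a category) contain no ".", so the first "."
    # separates class from selector.
    klass, sep, selector = ida_name.partition(".")
    if not sep or not klass or not selector:
        raise ValueError(f"not a fixobjc2-style name: {ida_name!r}")
    return f"{kind}[{klass} {selector}]"


def is_ida_safe(name: str) -> bool:
    """True when the name has none of the characters the post says IDA rejects."""
    return "-" not in name and not any(c.isspace() for c in name)
```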


(Note: Run dyldinfo before fixobjc2; if fixobjc2 runs first, some information cannot be found.)

9 comments:

  1. Great work, KennyTM!

    Btw. do you know of other scripts which might become handy when reversing iPhone binaries?

  2. I don't know. I didn't use IDA Pro a lot.

  3. When trying to run the dyldinfo script I'm getting an error:
    "syntax error near: extern"

    Any ideas?

  4. @fusen:

    extern (Global variables) is supported since IDA Pro 5.4, so you need 5.4 or above.

  5. ah, I didn't notice IDA Pro has updated >.<

    thanks

  6. Heh, did you see the similar script I wrote (well, hacked from fixobjc.idc) recently? though yours looks more comprehensive..

  7. @comex:

    Yeah, but I've lost the pastie link so I just cook one up :p

  8. Awesome work with this man. It's quite handy.

  9. Hi Kenny,

    Do you have any idea about finding function arguments (private framework) from ARM assembly code (by using IDA Pro or at run time from GDB)?

    Do you have any idea?

    Sridhar
