I have been using IDA Pro 5.0/5.1 to disassemble iPhone apps (with a macho.ldw patched for ARM Mach-O binaries); it worked great, except that some instructions could not be recognized or disassembled. The situation has changed a lot in IDA Pro 5.2: this version recognizes many more ARM instructions than its previous versions.
Highlights of the New Version
Improved iPhone support
IDA Pro 5.2 handles iPhone executables out of the box.
Much improved ARM and PowerPC support
The updated ARM module supports 200 new instructions. This module started with a mere 38 instructions: the ARM was a small and sleek processor; now it boasts 3 different instruction encodings [arm, thumb, thumb32], dsp, floating point, vector, simd, and even java instructions!
Much improved PowerPC module
The PowerPC module has ~40 new instructions.
Easy debugger scripts in IDC
The debugger is finally available from IDC. There is no need to write complex plugins, install event handlers and express the logic in a finite state machine form. Simple and natural functions that allow waiting for the next debugger event and continuing the script without yielding control to the IDA kernel have been introduced.
Improved type support
The type system has been improved to support types of arbitrary length and complexity (there was a limitation of 1024 bytes per type descriptor). The user interface offers a new window to display and manipulate local types. This allows for easy migration of types from one database to another. You can even export all local types in a compiler-readable form!
IDA Pro 5.2 is a must for every iPhone reverser!
Sample Disassembly Code Listing
Here’s an example of how the code is disassembled in IDA Pro 5.0 as well as 5.2:
SpringBoard 1.0.2 disassembly snippet in 5.0/5.1:

The same code in 5.2; notice that the two DCD definitions are now correctly disassembled into instructions:

NOTE: If IDA Pro reports that your database is pirated (Are you using YAG’s release?), you need a fix: get this IDA Pro v5.2 Fix, extract it and put it into IDA Pro’s installation folder.

6 Comments
Hi George, I appreciate your nice explanations, but can I ask you a question?
Actually I cannot manage to make IDA show me normal function calls:
LDR R3, =off_21190
LDR R1, [R3]
LDR R2, =unk_1C987
BL _objc_msgSend
This is the way it shows them, but in your IDA screens you get function names instead of offs and unks.
Can you please guide me on how to do that? I guess it is about the dylib, but how do I give IDA the info..?
Thanks a lot.
Well, those labels are not generated by IDA Pro; they are manually added by checking the associated data and/or functions. If you check into off_21190, normally you’ll see some data or structures, and you can give it an easy-to-remember name. Similar techniques can be applied to other off_ or unk_ reference names. Of course, this requires some in-depth knowledge of the programs.
George, I am not new at reversing, but I am new at ARM reversing.
Can you give me some advice?
What processor must I set in IDA? ARM? What type of ARM? ARM710a or XScale?
And I choose Mach-O executable file when disassembling it. I think that’s right.
So, next. Is there any way to auto-assign names for variables off_ or unk_ and var?
And how do you so easily debug ARM asm to Obj-C?
Please, mail me. Thx.
You may choose either ARM or ARM710a; the file type is Mach-O. I don’t think (or don’t know :) there’s any easy way to auto-assign the names for off (which means offset) or unk (which means unknown).
For Mach-O ARM to Obj-C, as I said, Apple’s development tools generate easy-to-analyze executables. Sometimes their optimization may bring you some difficulties, but in general it’s easy to understand and convert. You need to learn the basic conventions. I suggest you start by reversing your own simple programs; by comparing the source with the disassembly, you’ll soon understand how it works.
P.S. I have difficulty sending mails to gmail.com (my mail server is always rejected by gmail), sorry.
Hi George,
I want to make some modifications to the WebCore library file in order to add right-to-left support for the iPhone.
I could easily modify current instructions but have no idea how to insert new instructions without damaging the Mach-O file. I guess I need to add a new segment of code at the end of the file, add a branch command to the newly added function and then send the PC register back.
I’m not sure if it’s even possible to make modifications with IDA Pro; usually I use a hex editor to change the instructions. But adding new segments and changing the Mach-O headers correctly is not an easy task to do manually.
Can you advise? Are there any tools for doing this?
Or at least tell me what modifications I need to make.
Thanks
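Before editing load commands the way Amir describes, it helps to see what the header actually declares and which fields have to stay consistent with each other and with the file size. The following Python walker is an added example, not code from the post or from IDA Pro: it parses a 32-bit little-endian Mach-O header and its LC_SEGMENT commands (the layout of armv6 iPhone executables) and reports two inconsistencies worth checking after any header edit or when inspecting a binary for tampering. The sample bytes are constructed inline and are not a real iPhone binary.

```python
import struct

MH_MAGIC = 0xFEEDFACE   # 32-bit little-endian Mach-O, as used by armv6 iPhone binaries
LC_SEGMENT = 0x1        # load command describing a 32-bit segment (56 bytes)
VM_PROT_WRITE, VM_PROT_EXECUTE = 0x2, 0x4

def parse_macho(data):
    """Parse the mach_header and its LC_SEGMENT commands; return (header, segments)."""
    if len(data) < 28:
        raise ValueError("too short for a mach_header")
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a 32-bit little-endian Mach-O (magic 0x%08x)" % magic)
    if 28 + sizeofcmds > len(data):
        raise ValueError("sizeofcmds points past end of file")
    segments, off = [], 28
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        # Every command must fit inside the region the header declares.
        if cmdsize < 8 or off + cmdsize > 28 + sizeofcmds:
            raise ValueError("load command at 0x%x overruns sizeofcmds" % off)
        if cmd == LC_SEGMENT:
            (segname, vmaddr, vmsize, fileoff, filesize,
             maxprot, initprot, nsects, sflags) = struct.unpack_from("<16s8I", data, off + 8)
            segments.append(dict(name=segname.rstrip(b"\0").decode(), vmaddr=vmaddr, vmsize=vmsize,
                                 fileoff=fileoff, filesize=filesize, initprot=initprot))
        off += cmdsize
    return dict(cputype=cputype, filetype=filetype, ncmds=ncmds, sizeofcmds=sizeofcmds), segments

def check_layout(data):
    """Return findings that indicate a badly patched (or tampered) segment table."""
    findings = []
    for seg in parse_macho(data)[1]:
        if seg["fileoff"] + seg["filesize"] > len(data):
            findings.append("%s: file range runs past end of file" % seg["name"])
        if seg["initprot"] & VM_PROT_WRITE and seg["initprot"] & VM_PROT_EXECUTE:
            findings.append("%s: segment is both writable and executable" % seg["name"])
    return findings

def _segment(name, vmaddr, vmsize, fileoff, filesize, prot):
    return struct.pack("<2I16s8I", LC_SEGMENT, 56, name, vmaddr, vmsize, fileoff, filesize, prot, prot, 0, 0)

# Constructed sample, not a real iPhone binary: a normal __TEXT segment followed by an
# appended __INJECT segment whose declared file range is larger than the bytes present.
SAMPLE_CMDS = (_segment(b"__TEXT", 0x1000, 0x1000, 0, 0x100, 0x5)
               + _segment(b"__INJECT", 0x3000, 0x1000, 0x100, 0x1000, 0x7))
# cputype 12 = ARM, cpusubtype 6 = ARMv6, filetype 2 = MH_EXECUTE, two load commands
SAMPLE = struct.pack("<7I", MH_MAGIC, 12, 6, 2, 2, len(SAMPLE_CMDS), 0) + SAMPLE_CMDS
SAMPLE += b"\0" * (0x200 - len(SAMPLE))
```

Running check_layout(SAMPLE) yields two findings for __INJECT: its file range exceeds the 512-byte sample, and its initial protection is both writable and executable.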
Amir, why don’t you mail me at iPhoneIslam so we can talk about adding Arabic to WebCore.. I may save you a long way :)