Hopper + lldb for iOS Developers: A Gentle Introduction

Lately I've seen a lot of people asking "How are you getting that pseudo-code?" in regards to a radar he filed, and I thought this would be a great first blog post of mine, as I've been wanting to write one for a while. I spend a lot of my time in a tool called Hopper (it's a must-have in my toolbox), and while it's an amazing tool, it can seem overwhelming at first. The goal of this post is to bridge the gap for those that have shied away from, or aren't familiar with, reverse engineering.

Have you ever wondered how people get pseudo-code of some private API like the image below? It's actually very simple and is a great way to chase down those annoying bugs in UIKit or some other binary you don't have source code for. Getting this pseudo-code can literally be accomplished in just a couple of clicks with a tool such as Hopper. What's even cooler, though, is that we don't have to stop there. With the Obj-C runtime and lldb we can make the pseudo-code even more readable, if not syntactically correct! So let's dive in!

[Image: Decompilation of a method in UIKit.]

Disassembly vs Decompilation

Straight from the Hopper home page, "Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, decompile and debug your 32/64bits Intel Mac, Linux, Windows and iOS executables!" Translated to more general terms, this means we can take a compiled binary (your iOS app, the UIKit binary, etc.) and produce the pseudo-code you've seen! What's the difference between disassembly and decompilation? Very simple: disassembly (accomplished via a disassembler) is the process of converting opcodes (the raw bytes of your binary) to their corresponding assembly instructions (also known as mnemonics). The picture below shows a method that was disassembled. Decompilation (accomplished via a decompiler) is the process of converting this assembly to the pseudo-code. See before and after below.

At the time of this post, you can purchase Hopper for only $90, which is an absolute steal. For those that understand the power of this tool, know that it could easily sell for a couple hundred bucks, so if you think it's expensive, think again! They also provide a free demo version which has some limitations, but it should be fine if you want to follow along.

[Image: "Read Executable to Disassemble."]

Click "Read Executable to Disassemble" to start disassembling.

At this point, you need to grab your binary of interest and click "Open". You may need to update some directory names, but that gets you in the general direction. This is the x86 binary that the simulator uses and what we will be focusing on. The ARM binaries are stored on the device and loaded at runtime.

After clicking Open, you will be presented with the window below. UIKit is a FAT binary, meaning it contains multiple binaries within itself; in the UIKit case, x86 32- and 64-bit slices. We're going to disassemble the 32-bit slice. Make sure it's selected and click "Next".

[Image: Notice the x86 (32 bits) and x86 (64 bits) slices.]

Click "OK" on the next screen and you will be dropped into Hopper's main window. Hopper will begin analyzing the Mach-O binary, and during this time you will see a "Working." status in the bottom right. Let it finish; since UIKit is a large binary, it will take some time. Now, if it looks cryptic to you, don't panic: we're only going to focus on three buttons in the entire window.

First up is the "Labels" and "Strings" tabs in the left hand panel. "Labels" will show you all of the classes and methods in your binary (you'll see other things as well, but just pay attention to method signatures for this tutorial). Now click on the "Strings" tab in the left hand panel and this will show you all of the strings in your app.

Hopper Disassembler V3 is a great tool to do reverse engineering.

My demo arch is x86_64:

00000001000174a6 mov rsi, qword [0x1004b3040]

When you see this, it doesn't mean you could modify the address (0x1004b3040) to whatever you want. Exactly, the assembly code is:

00000001000174a6 movq 0x49bb93(%rip), %rsi # Objc selector ref: setAlignment:

That means you should convert the target address to '0x49bb93'. In my demo I'd like to modify the [image] to [image]. So I have to convert it with the formula below:

[image]

So if you want to modify the address to 100002347 'Ducks', you should follow this formula and find the byte length of your instruction; mine is '7'. So modify the hex code with 48 8b 35 8b ad 49 00; press 'command + shift + H' to show the hex editor in Hopper.

My english is not very good, so welcome to reply.
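The formula the post is describing is how x86-64 RIP-relative operands are encoded: the 32-bit displacement stored in the instruction is measured from the address of the next instruction (instruction address plus instruction length), not from the instruction itself, which is why Hopper shows an absolute address while the bytes hold 0x49bb93. The following is an added example, not code from the post or from Hopper, that carries the formula through for the post's own numbers and both directions (absolute target to bytes, and bytes back to absolute target). It assumes the 3-byte opcode prefix 48 8b 35 for `mov rsi, [rip+disp32]` quoted in the post and treats the displacement as signed, which is what makes a target below the instruction (like the 'Ducks' address) work; the function names and the constant MOV_RSI_RIPREL are the example's own.

```python
import struct

# Constructed from the values quoted in the post: the 7-byte instruction at
# 0x1000174a6 is `movq 0x49bb93(%rip), %rsi`, encoded as 48 8b 35 + disp32.
# An x86-64 RIP-relative displacement is relative to the *next* instruction.
MOV_RSI_RIPREL = bytes.fromhex("488b35")   # REX.W mov rsi, [rip+disp32]
INSN_LEN = len(MOV_RSI_RIPREL) + 4         # 3 opcode bytes + 4-byte disp32


def rip_displacement(insn_addr: int, insn_len: int, target: int) -> int:
    """Signed disp32 that makes a RIP-relative operand at insn_addr point at target."""
    disp = target - (insn_addr + insn_len)
    # rel32 can only reach +/-2 GiB; refuse to silently wrap around.
    if not -2**31 <= disp < 2**31:
        raise ValueError(f"target {target:#x} is out of rel32 range")
    return disp


def rip_target(insn_addr: int, insn_len: int, disp: int) -> int:
    """Inverse of rip_displacement: the effective address the operand resolves to."""
    return insn_addr + insn_len + disp


def encode_mov_rsi_riprel(insn_addr: int, target: int) -> bytes:
    """Bytes for `mov rsi, [rip+disp32]` at insn_addr loading from target."""
    disp = rip_displacement(insn_addr, INSN_LEN, target)
    # disp32 is stored little-endian and two's complement ("<i" = signed 32-bit).
    return MOV_RSI_RIPREL + struct.pack("<i", disp)


def decode_mov_rsi_riprel(insn_addr: int, raw: bytes) -> int:
    """Check a 7-byte patch decodes as this instruction and return its target."""
    if len(raw) != INSN_LEN or raw[:3] != MOV_RSI_RIPREL:
        raise ValueError("not a 7-byte `mov rsi, [rip+disp32]` encoding")
    (disp,) = struct.unpack("<i", raw[3:])
    return rip_target(insn_addr, INSN_LEN, disp)


if __name__ == "__main__":
    insn = 0x1000174A6
    # Original operand: disp 0x49bb93 resolves to the address Hopper displays.
    print(f"{rip_target(insn, INSN_LEN, 0x49BB93):#x}")            # 0x1004b3040
    # The post's patched bytes, decoded back to the absolute address they load from.
    print(f"{decode_mov_rsi_riprel(insn, bytes.fromhex('488b358bad4900')):#x}")
    # A target *below* the instruction needs a negative (two's complement) disp.
    print(encode_mov_rsi_riprel(insn, 0x100002347).hex())
```

Decoding the post's replacement bytes before writing them into the hex editor is the check worth keeping: it confirms the 7 bytes still form the same instruction and shows exactly which address the patched load now reads from, so a wrong byte order or a miscounted instruction length is caught in the script rather than at runtime.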