Reverse Engineering Tools

From iPhone Development Wiki
Revision as of 02:07, 5 March 2014 by Cykey (talk | contribs) (nm and strings)
Jump to: navigation, search

This is a draft that needs your help. Can you help fix it? Add some details!

The process for developing a tweak may vary in complexity, and therefore might require different kinds of tools to analyze how stock software works precisely and where to best interpose your functionality.

Runtime analysis

The tools described following are useful for analyzing a program during runtime.


When writing software, the debugger's an incredibly helpful way to determine exactly what's causing a crash, to find backtrace information on the certain point of a program, and so on. Attaching the debugger to processes running standardly on the iPhone can be done with the description on Debugging on iOS 7.


Cycript allows you to run your own code in an attached process out-of-the-box, with some JavaScript-syntax goodies to make writing code more convenient. It allows for greatly useful runtime analysis of a program (such as for instance getting the complete view hierarchy, or checking out the properties of an object), and allows for easy prototyping of the tweak (by hooking methods with a Substrate bridge; changing objects freely and calling functions etc.).


While not a runtime analysis tool per-se, Logify takes an Objective-C header file containing a class interface and generates a Logos file hooking all methods in the given class, and for each hook logging the call of the method (with parameters) to the syslog. It allows for convenient analysis of what methods of a class get called during runtime, and when.


When `class-dump` (described below) can't analyze an executable and generate header files with class interfaces (due to encryption, malformed binaries etc.), the resort is to get these definitions from the runtime. weak_classdump is a Cycript tool which attached into a project and generates `class-dump`-like output files.

weak_classdump can be used to dump a single class, like so:

iPhone$ cycript -p Skype; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump(SkypeAppDelegate, "/tmp/")
"Wrote file to /tmp/SkypeAppDelegate.h"

It can also be used to dump all the classes in a bundle (in this case, the main bundle):

iPhone$ cycript -p Skype; cycript -p Skype
'Added weak_classdump to "Skype" (1685)'
cy# weak_classdump_bundle([NSBundle mainBundle], "/tmp/SkypeHeaders")

Executable Analysis

The tools described here can be used to analyze an executable.


App Store app executables are always encrypted. dumpdecrypted allows one to easily generate a decrypted executable out of it:

iPhone$ DYLD_INSERT_LIBRARIES=dumpdecrypted.dylib /var/mobile/Applications/.../
iPhone$ ls Application*
Application #original executable
Application.decrypted #decrypted, generated executable

class-dump, class-dump-z

From a given executable, these tools will generate header files with class interfaces. This allows for an analysis of what methods exist in the executable, and permits a guess of what one might hook to get given functionality.

See Getting Started#Looking at classes and Debugging on iOS 7#Class-dumping


Disassemblers are useful when an in-depth analysis of a binary is needed. These programs convert the compiled code into assembly for a detailed examination to be performed. Assembly is hard to understand for beginners and is platform-dependent (e.g ARM assembly is very different from x86 assembly), therefore a good knowledge of it is almost mandatory to be able to use disassemblers correctly.


IDA (Interactive Disassembler) is the de-facto standard program used to disassemble binaries. It supports a plethora of processors. IDA has tons of features and has been in development for more than a decade.

It is a commercial application, and requires some time getting used to. Yet for analyzing Objective-C applications, KennyTM's fixobjc2.idc script is extremely useful exposing Objective-C method definitions and calls.


Hopper is quite recent and only supports a small subset of the features that IDA has. It is extremely fast and has a nice user interface. However, the produced assembly code is not nearly as good as the one produced by IDA.


write me please


strings is a simple utility that will print all the strings in a given binary.

Example usage:

bash$ strings crash_mover
Could not open and lock %s: %s. Proceeding with copy anyway.


nm is a utility that displays the symbol table of a given binary.

Example usage:

bash$ nm CoreTelephony
000234c4 t +[CTCall callForCTCallRef:]
0001ee90 t +[CTEmailAddress emailAddress:]
000199b8 t +[CTMessageCenter sharedMessageCenter]
0001db54 t +[CTMmsEncoder decodeMessageFromData:]