Dev:Reverse Engineering Tools

While developing a tweak, you may find these tools useful to analyze how iOS and apps work, and to find where to interpose your functionality.

= Runtime analysis =

The following tools are useful for analyzing a program during runtime.

GDB / LLDB
When writing software, a debugger can help determine what is causing a crash, to find backtrace information on certain points of a program, and so on. Attaching the debugger to normal processes running on the iPhone can be done with the description on debugserver, and see Debugging on iOS 7 for more context.

Cycript
Cycript allows you to run your own code in an attached process out-of-the-box, with some JavaScript-syntax goodies to make writing code more convenient. It allows for useful runtime analysis of a program (such as for instance getting the complete view hierarchy, or checking out the properties of an object), and it allows for easy prototyping of a tweak (by hooking methods with a Substrate bridge, changing objects freely and calling functions, etc.).

Logify
While not a runtime analysis tool, Logify takes an Objective-C header file containing a class interface and generates a Logos file hooking all methods in the given class, and for each hook logging the call of the method (with parameters) to the syslog. Logify allows for convenient analysis of what methods of a class get called during runtime, and when.

weak_classdump
When  (described below) can't analyze an executable and generate header files with class interfaces (due to App Store app encryption, other encryption, malformed binaries etc.), another option is to get these definitions from the runtime. is a Cycript tool which attaches into a project and generates -like output files.

can be used to dump a single class, like this:

It can also be used to dump all the classes in a bundle (in this case, the main bundle):

See the  section of Cycript Tricks for another example.

InspectiveC
InspectiveC allows you to log message hierarchies of certain objects, classes, and selectors. It is very useful if you're trying to figure out how a certain method or class works without having to go into the assembly. You can temporarily use InspectiveC in your tweak to log objects as needed.

= Executable analysis =

The following tools can be used to analyze an executable.

Clutch
Clutch decrypts app executables, plugins and frameworks. Requires iOS7 and above:

dumpdecrypted
App Store app executables are encrypted. dumpdecrypted can generate a decrypted executable out of it:

(Or see weak_classdump above.)

class-dump, class_dump_z, classdump-dyld
From a given executable, class-dump and class_dump_z will generate header files with class interfaces. (class-dump may produce better headers than class-dump-z for recent binaries.) This allows for an analysis of what methods exist in the executable, which can help you guess which ones to hook to get given functionality.

All default (private and public) libraries on iOS are combined into a big cache file to improve performance in  (see dyld_shared_cache for more details). If you want to class-dump private frameworks, you can either install Xcode and class-dump the frameworks on your Mac using the above tools, or you can use classdump-dyld, which works right on your device (classdump-dyld can also be installed via its package hosted on BigBoss). Remember that the resulting files are not the original headers, so use them with caution.

You can also find other developers have done this process for many frameworks and compiled this information into repositories:


 * iOS-Runtime-Headers
 * iphoneheaders
 * developer.limneos.net

Disassemblers
Disassemblers are useful when you need an in-depth analysis of a binary. These programs convert the compiled code into assembly for your examination. Assembly is hard to understand for beginners and is platform-dependent (ARM assembly is very different from x86 assembly), so you need a good knowledge of assembly to find disassemblers useful. For disassemblers to work with applications from the App Store, the executable has to be decrypted.

IDA
IDA (Interactive Disassembler) is a popular program for disassembling binaries. It supports a plethora of processors. IDA has tons of features and has been in development for more than a decade.

It is a commercial application, and it requires some time getting used to it. For analyzing Objective-C applications, KennyTM's fixobjc2.idc script is useful for exposing Objective-C method definitions and calls.

Hopper
Hopper is quite new and only supports a small subset of the features that IDA has. It is fast and has a nice user interface. However, the produced assembly code is not as good as the one produced by IDA.

otool
The otool command displays specified parts of object files or libraries. It can also disassemble:

Example usage:

strings
strings is a simple utility that will print all the strings in a given binary.

Example usage:

nm
nm is a utility that displays the symbol table of a given binary.

Example usage: