
quick IDC script to reverse ios binaries with IDA < 6.2

pod2g
pod2g committed Apr 20, 2012
1 parent 413f9ca commit 4fa85e33cdea776ba7e7ff8f9f2a2fc8f6339dc1
Showing with 65 additions and 0 deletions.
  1. +19 −0 idc-ios-llvm/README
  2. +46 −0 idc-ios-llvm/ios-llvm.idc
@@ -0,0 +1,19 @@
+Apple is not standing still and in iOS 5 the default compiler is LLVM instead of GCC. It produces somewhat different code and IDA < 6.2 fail to resolve references which are now relative to PC.
+
+Here is an example of code dissasembled with IDA :
+
+__text:00001000 MOV R4, 0x12344
+__text:00001008 ADD R4, PC
+
+After executing this IDC script :
+
+__text:00001000 MOV R4, 0x12344
+__text:00001008 ADD R4, PC ; off_13350
+
+(if the address is named, the name will appear instead of off_xxx)
+
+The xref is also added so that when you type X on address 0x13350 you'll see where it is used.
+
+Hope it could help.
+
+~pod2g
@@ -0,0 +1,46 @@
+#include <idc.idc>
+
+static main() {
+ auto lastAddr, oldAddr, minAddr, maxAddr;
+ minAddr = 0;
+ maxAddr = -1;
+
+ lastAddr = minAddr;
+ do {
+ auto addAddr, moveAddr, pMove, pMovt, movtAddr, idx, relAddr, disasmAdd, ridx, comment, absAddr;
+
+ lastAddr = FindText(lastAddr, SEARCH_DOWN|SEARCH_REGEX, 0, 0, "ADD.*R.*PC");
+ if (lastAddr == BADADDR || lastAddr == oldAddr) break; // 2 loops with the same result then bye.
+ oldAddr = lastAddr;
+
+ addAddr = lastAddr;
+ lastAddr = lastAddr + 2; // if we encounter a continue, lastAddr is already incremented.
+ if (maxAddr != -1 && lastAddr > maxAddr) break;
+
+ disasmAdd = GetDisasm(addAddr);
+ idx = strstr(disasmAdd, "R");
+ if (idx == -1) continue;
+
+ ridx = substr(disasmAdd, idx + 1, idx + 2);
+ pMove = "MOV[^T].*R" + ridx + ".*0x.*";
+ moveAddr = FindText(addAddr, SEARCH_REGEX, 0, 0, pMove);
+ if (moveAddr == BADADDR || addAddr - moveAddr > 0x20) continue;
+
+ pMovt = "MOVT.*R" + ridx + ".*#.*";
+ movtAddr = FindText(addAddr, SEARCH_REGEX, 0, 0, pMovt);
+
+ relAddr = GetOperandValue(moveAddr, 1);
+ if (movtAddr != BADADDR && movtAddr > moveAddr) {
+ relAddr = relAddr + (GetOperandValue(movtAddr, 1) << 16);
+ }
+
+ absAddr = addAddr + relAddr + 4;
+ comment = NameEx(BADADDR, absAddr);
+ if (comment == "") {
+ comment = "0x" + ltoa(absAddr, 16);
+ }
+ MakeComm(addAddr, comment);
+ AddCodeXref(addAddr, absAddr, XREF_USER);
+ Jump(addAddr);
+ } while (lastAddr != BADADDR);
+}
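Review bot: `ridx = substr(disasmAdd, idx + 1, idx + 2);` keeps only one character after the first `R`, so for R10–R12 the MOV/MOVT patterns degrade to `R1.*`, which also matches R1 and R11–R15 and can pair the ADD with the wrong MOV and produce a wrong comment and xref. The destination register can be taken whole with `ridx = substr(GetOpnd(addAddr, 0), 1, -1);` and both patterns anchored with a non-digit after it, e.g. `pMove = "MOV[^T].*R" + ridx + "[^0-9].*0x.*";` (likewise for `pMovt`). Separately, `absAddr = addAddr + relAddr + 4;` assumes a Thumb encoding; if the `ADD.*R.*PC` search ever hits an ARM-mode instruction the PC read is +8, so checking the Thumb state with `GetReg(addAddr, "T")` before choosing the offset would keep the annotations from landing on the wrong address. The xref is also created with only `XREF_USER` and no flow or data type; since the target is an address operand, `AddDref(addAddr, absAddr, dr_O|XREF_USER);` is the usual form.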

