Saturday, February 23, 2008

IDA and Mac OS X

IDA is the premier disassembler currently available, but it was originally designed to run on Windows, so the Mac OS X version is console-only and consequently crap to use.

When using IDA on OS X binaries, it is best to use IDA for Windows, either on another PC or under virtualization; I would recommend Parallels Desktop, VMware or QEMU.

That's not to say it doesn't support OS X binaries well, because it does. The newest version, v5.2, has made some good progress on OS X binaries, but it still doesn't get everything quite right. One good thing it does is recognise Universal Binaries, which you can open directly; it then gives you the option of choosing which binary you wish to disassemble, quite handy really.
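As an added illustration (not from the original post) of what IDA is doing when it asks you to choose a slice: a small Python parser for the fat header of a Universal Binary, run over a constructed two-slice sample, which also refuses slices whose bounds fall outside the file or which do not start with a Mach-O magic. The constants are the standard Mach-O values; the sample bytes are made up here.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                               # fat header magic, stored big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF       # thin Mach-O magics (32/64-bit)
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE       # same magics as seen byte-swapped
MACHO_MAGICS = (MH_MAGIC, MH_MAGIC_64, MH_CIGAM, MH_CIGAM_64)
CPU_TYPES = {7: "i386", 0x01000007: "x86_64", 18: "ppc", 12: "arm", 0x0100000C: "arm64"}
FAT_ARCH = struct.Struct(">IIIII")                   # cputype, cpusubtype, offset, size, align(log2)

def list_slices(data: bytes):
    """Return [(arch, offset, size, magic)] for every slice; raise ValueError on anything fishy."""
    if len(data) < 8:
        raise ValueError("too short for a fat header")
    magic, nfat = struct.unpack(">II", data[:8])
    if magic != FAT_MAGIC:
        raise ValueError("not a Universal Binary (magic 0x%08X)" % magic)
    # Java .class files share 0xCAFEBABE, so a plausibility check on nfat_arch is worthwhile.
    if nfat == 0 or nfat > 32 or len(data) < 8 + nfat * FAT_ARCH.size:
        raise ValueError("implausible nfat_arch %d for a %d-byte file" % (nfat, len(data)))
    slices = []
    for i in range(nfat):
        cputype, _subtype, off, size, _align = FAT_ARCH.unpack_from(data, 8 + i * FAT_ARCH.size)
        if size < 4 or off + size > len(data):
            raise ValueError("slice %d (0x%X+0x%X) lies outside the file" % (i, off, size))
        sl_magic = struct.unpack(">I", data[off:off + 4])[0]
        if sl_magic not in MACHO_MAGICS:
            raise ValueError("slice %d does not start with a Mach-O magic" % i)
        slices.append((CPU_TYPES.get(cputype, "cputype %d" % cputype), off, size, sl_magic))
    return slices

def validate(data: bytes) -> str:
    """Convenience wrapper: 'ok' when every slice checks out, else the first problem found."""
    try:
        list_slices(data)
        return "ok"
    except ValueError as exc:
        return str(exc)

def build_sample() -> bytes:
    """Constructed two-slice fat file (ppc + i386), 4 KiB aligned like the real tool chain produces."""
    ppc = struct.pack(">I", MH_MAGIC) + b"\0" * 28    # big-endian 32-bit header stub
    i386 = struct.pack("<I", MH_MAGIC) + b"\0" * 28   # little-endian 32-bit header stub
    header = struct.pack(">II", FAT_MAGIC, 2)
    header += FAT_ARCH.pack(18, 0, 0x1000, len(ppc), 12)
    header += FAT_ARCH.pack(7, 3, 0x2000, len(i386), 12)
    blob = bytearray(0x2000 + len(i386))
    blob[:len(header)] = header
    blob[0x1000:0x1000 + len(ppc)] = ppc
    blob[0x2000:0x2000 + len(i386)] = i386
    return bytes(blob)

if __name__ == "__main__":
    for arch, off, size, magic in list_slices(build_sample()):
        print("%-6s offset=0x%X size=%d magic=0x%08X" % (arch, off, size, magic))
```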

Another tool for disassembling Mac binaries is 'otool', which gets installed with Apple's XTools. otool can give you plenty of information about a binary, from the libraries it needs to run to a full disassembly listing.

Many Apple programs are written in a language called Objective-C (obj-c from here on). In terms of reverse engineering it's not necessary to know the language, however some of its internals work slightly differently from most other languages. Obj-c compiles to native instructions, so it's not interpreted, but it uses an interesting OOP-style system and (ab)uses messaging heavily.

Another interesting obj-c idiosyncrasy is the metadata embedded within the binary itself. Since it uses messaging and OOP heavily, it stores quite a lot of metadata within the binary so the messaging system knows how and what it can transmit, and to where. This data can, of course, be understood and ripped out by tools; IDA even contains some structures, imported by default, to handle this metadata.

There is a tool called 'otx' which uses otool to create a disassembly and decorate it with the obj-c metadata. This is very handy for us because it means:

- easier identification of functions
- easier readability 
- less renaming/work

My next post will contain a side-by-side look at the IDA output and the otx output.

Note: IDA does recognise many of the metadata structures, it just doesn't parse and display them in a satisfactory fashion. More work is required to get the output to a nicely readable level (see next post).
