I rewrote the IDAPython script named objc2_xrefs_helper.py and developed a Python script for the Hopper Disassembler. I named this Hopper Python script objc2_xrefs_helper_hopper.py.

Some background regarding Objective-C can be found here. As mentioned in that article, function calls in Objective-C are implemented by the message sending mechanism. Unfortunately, this message sending mechanism causes problems when trying to follow cross-references for selectors in Hopper Disassembler. Before rewriting the Python script for Hopper, therefore, we need to walk through the code in the IDAPython script objc2_xrefs_helper.py and understand all the details. It's important that we figure out the low-level data structures of a class in Objective-C, as well as the relationship between these data structures. I have included a figure showing the relationship between these related data structures, as shown below.

Figure 1. The relationship between these related data structures of class in Objective-C

To verify the functionality of objc2_xrefs_helper_hopper.py, I wrote a simple Cocoa application. The demo application can be downloaded from here. We load the executable Mach-O file of the demo application into Hopper Disassembler, as shown below.

Figure 2. Loading the demo application’s executable file into Hopper Disassembler

The following is the Python script objc2_xrefs_helper_hopper.py.

    #author: Kai
    def getRefPtr(doc, classMethodsVA, objcSelRefs, objcMsgRefs, objcConst):
        ret = (None, None)
        namePtr = doc.readUInt64LE(classMethodsVA)  # get name field in struct _objc_method, it's selector
        cnt = 0
        seg = doc.getSegmentAtAddress(namePtr)
        eachxrefs = seg.getReferencesOfAddress(namePtr)
        for x in eachxrefs:
            print 'xreffrom: ' + hex(x), 'xrefto: ' + hex(namePtr)
            if objcSelRefs and x >= objcSelRefs[0] and x < objcSelRefs[1]:
                ret = (False, x)
            elif objcMsgRefs and x >= objcMsgRefs[0] and x < objcMsgRefs[1]:
                ret = (True, x)
            elif objcConst and x >= objcConst[0] and x < objcConst[1]:
                cnt += 1
        # more than one reference from _objc_const: several classes define this selector
        if cnt > 1:
            ret = (None, None)
        return ret

    # ...
            objcData = (sect.getStartingAddress(), sect.getStartingAddress() + sect.getLength())
    # ...
            objcSelRefs = (sect.getStartingAddress(), sect.getStartingAddress() + sect.getLength())
    # ...
            objcMsgRefs = (sect.getStartingAddress(), sect.getStartingAddress() + sect.getLength())
    # ...
            objcConst = (sect.getStartingAddress(), sect.getStartingAddress() + sect.getLength())
            #print ' +++' + sectName, (hex(sect.getStartingAddress()), hex(sect.getStartingAddress() + sect.getLength()))

    if ((objcSelRefs != None or objcMsgRefs != None) and (objcData != None and objcConst != None)) == False:
        doc.log("could not find necessary Objective-C sections.\n")
    # ...
    for va in range(objcData[0], objcData[1], objc2ClassSize):
        classRoVA = doc.readUInt64LE(va + objc2ClassInfoOffs)
        if classRoVA == BADADDR or classRoVA == 0:
            continue
        classMethodsVA = doc.readUInt64LE(classRoVA + objc2ClassBaseMethOffs)
        if classMethodsVA == BADADDR or classMethodsVA == 0:
            continue
        count = doc.readUInt32LE(classMethodsVA + 4)
        classMethodsVA += 8  # skip the entsize/count header of struct _method_list_t
        for va1 in range(classMethodsVA, classMethodsVA + objc2ClassMethSize * count, objc2ClassMethSize):
            isMsgRef, selRefVA = getRefPtr(doc, va1, objcSelRefs, objcMsgRefs, objcConst)
            if selRefVA == None:
                continue
            funcVA = doc.readUInt64LE(va1 + objc2ClassMethImpOffs)
            print 'selref VA: %08x - function VA: %08x\n' % (selRefVA, funcVA)
            # add a reference from every user of the selref to the implementation
            for x in doc.getSegmentAtAddress(selRefVA).getReferencesOfAddress(selRefVA):
                doc.getSegmentAtAddress(x).addReference(x, funcVA)

The script first walks through all classes in Section _objc_data. The following is the Section _objc_data of the executable file in Hopper. We can see that this section stores the data of all classes, which includes all classes defined by the user and their meta-classes. Hopper is able to identify the data structure of the class in Objective-C.

Figure 3.

The field _objc_class_TestXrefs1_data is of type struct _class_ro_t. The following is the data structure of _objc_class_TestXrefs1_data.

Figure 4. The data structure of _objc_class_TestXrefs1_data in Hopper

The field _objc_class_TestXrefs1_method is of type struct _method_list_t. It’s also located in Section _objc_const. The following is the data structure of _objc_class_TestXrefs1_method in Hopper.

Figure 5. The data structure of _objc_class_TestXrefs1_method in Hopper

In the Python script objc2_xrefs_helper_hopper.py, the function getRefPtr first gets the selector field in struct _objc_method. It then gets all references to the selector. Next, it checks which section these references are from. If there is more than one reference from Section _objc_const, that means that more than one class defines a method with the same name. The following screenshot shows the references to the selector 0x100001ef8 in Hopper.

Figure 6. The references to the selector 0x100001ef8 in Hopper

We can see that both class TestXref1 and class TestXref2 define the same method “setName”, so this script skips it.

Next, we take a look at how to get the reference to the selector “extra” in Section _objc_selrefs. In the demo application, only class TestXref1 defines the method “extra.”

Figure 7. The reference to the selector “extra” in Section _objc_selrefs

Next, it gets the references to 0x100002608 in Section _objc_selrefs, and adds a new reference between each of these references and the implementation method.
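The class walk and the getRefPtr checks described in this post, as an added Python 3 example that runs without Hopper (it is not the author's script). The image base, the layout of the constructed image, the helper names and the pointer scan that stands in for Hopper's reference database are assumptions; the structure offsets are those of the 64-bit Objective-C 2.0 runtime.

```python
import struct

BASE = 0x100000000                    # base of the constructed image (assumption)
CLASS_SIZE, CLASS_DATA = 0x28, 0x20   # struct _class_t: size, offset of the data field
RO_BASE_METHODS = 0x20                # struct _class_ro_t: offset of baseMethods
METH_SIZE, METH_IMP = 0x18, 0x10      # struct _objc_method: size, offset of imp
DATA, CONST = (BASE, BASE + 0x50), (BASE + 0x100, BASE + 0x200)  # (start, end) ranges of
SELREFS = (BASE + 0x200, BASE + 0x210)                           # the constructed sections

def build_image():  # constructed sample: class 1 has setName and extra, class 2 setName
    img = bytearray(0x210)
    setname, extra = BASE + 0x1000, BASE + 0x1008   # selector name addresses
    for cls, ro, mlist in ((0x00, 0x100, 0x190), (0x28, 0x148, 0x1d0)):
        struct.pack_into("<Q", img, cls + CLASS_DATA, BASE + ro)         # _class_t.data
        struct.pack_into("<Q", img, ro + RO_BASE_METHODS, BASE + mlist)  # baseMethods
    # Method lists: entsize, count, then (name, types, imp) for each method.
    struct.pack_into("<II3Q3Q", img, 0x190, METH_SIZE, 2,
                     setname, 0, BASE + 0x2000, extra, 0, BASE + 0x2040)
    struct.pack_into("<II3Q", img, 0x1d0, METH_SIZE, 1, setname, 0, BASE + 0x2080)
    struct.pack_into("<QQ", img, 0x200, setname, extra)   # the two _objc_selrefs slots
    return img

def rd(img, va, fmt="<Q"):
    return struct.unpack_from(fmt, img, va - BASE)[0]

def refs_to(img, target):  # stand-in for the disassembler's xref database
    return [BASE + o for o in range(0, len(img), 8) if rd(img, BASE + o) == target]

def get_ref_ptr(img, meth_va):
    sel = rd(img, meth_va)                 # name field of struct _objc_method
    selref, defs = None, 0
    for x in refs_to(img, sel):
        if SELREFS[0] <= x < SELREFS[1]:
            selref = x
        elif CONST[0] <= x < CONST[1]:
            defs += 1                      # a method entry naming this selector
    return None if defs > 1 else selref    # defined by several classes: skip

def resolve(img):
    out = {}                               # selref slot -> implementation address
    for cls in range(DATA[0], DATA[1], CLASS_SIZE):
        ro = rd(img, cls + CLASS_DATA)
        mlist = rd(img, ro + RO_BASE_METHODS) if ro else 0
        count = rd(img, mlist + 4, "<I") if mlist else 0
        for m in range(mlist + 8, mlist + 8 + METH_SIZE * count, METH_SIZE):
            selref = get_ref_ptr(img, m)
            if selref is not None:
                out[selref] = rd(img, m + METH_IMP)
    return out
```

In Hopper, the remaining step is to add a reference from every address that references a returned selref slot to the mapped implementation, which the post's script does with addReference.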