├── README
└── fixobjc.idc


/README:
--------------------------------------------------------------------------------
1 | This is an attempt to improve the original fixobjc.idc script by Willem Jan Hengeveld.
2 | 
3 | For now it's only compatible with Mach-O 32bits binaries for Mac OS X.
4 | 
5 | My goal is to make it compatible with all Mac OS X and iOS binaries.
6 | 
7 | fG!
8 | 
9 | 


--------------------------------------------------------------------------------
/fixobjc.idc:
--------------------------------------------------------------------------------
  1 | // vim: ft=cpp sw=4 ts=4 et
  2 | /* 
  3 |  *             _     (`-')                <-.(`-')                     
  4 |  *    <-.     (_)    (OO )_.->      .->    __( OO)           _         
  5 |  * (`-')-----.,-(`-')(_| \_)--.(`-')----. '-'---.\    <-.--. \-,-----. 
  6 |  * (OO|(_\---'| ( OO)\  `.'  / ( OO).-.  '| .-. (/  (`-'| ,|  |  .--./ 
  7 |  *  / |  '--. |  |  ) \    .') ( _) | |  || '-' `.) (OO |(_| /_) (`-') 
  8 |  *  \_)  .--'(|  |_/  .'    \   \|  |)|  || /`'.  |,--. |  | ||  |OO ) 
  9 |  *   `|  |_)  |  |'->/  .'.  \   '  '-'  '| '--'  /|  '-'  /(_'  '--'\ 
 10 |  *    `--'    `--'  `--'   '--'   `-----' `------'  `-----'    `-----'                                                                                                                                     
 11 |  *                                                                                                                                    
 12 |  * IDA IDC Script that processes the objective-C typeinfo, and names methods accordingly
 13 |  *
 14 |  * New additions, modifications and bug fixes by fG!
 15 |  * (C) fG!, 2012 - reverser@put.as - http://reverse.put.as
 16 |  *
 17 |  * Original script by: 
 18 |  * (C) 2003-2008 Willem Jan Hengeveld <itsme@xs4all.nl> 
 19 |  * Web: http://www.xs4all.nl/~itsme/projects/ida/
 20 |  *
 21 |  * v0.1 - 28/08/2012
 22 |  * ChangeLog:
 23 |  *  - Add a version number
 24 |  *  - Add xrefs to instance methods (I really hate to have to go backwards, too many clicks!)
 25 |  *  - Commented some of the code, start cleaning fixmes
 26 |  *  - Start adding configurable options
 27 |  *  - Rename methods as IDA does with [Class selector] format
 28 |  *    This will work with binaries which IDA can correctly process their obj-c info
 29 |  *  - Fix the cfstring segment (wasn't working due to wrong segment name)
 30 |  *  - change comment type for message and class refs
 31 |  *  - Correctly rename class methods +[] format
 32 |  *  - Add xrefs to class methods
 33 |  *
 34 |  */
 35 | 
 36 | // configurable options - YOU CAN MESS AROUND HERE
 37 | #define TYPE_INFORMATION NO                          // add type information to names?, I don't like it :-)
 38 | // STOP MESSING AROUND BELOW HERE ;-)
 39 | 
 40 | #define UNLOADED_FILE   1
 41 | #include <idc.idc>
 42 | 
 43 | #define YES   1
 44 | #define NO    0
 45 | #define DEBUG 0
 46 | 
 47 | #define STRUCT_OBJC_METHOD_SIZE 12   // sizeof(struct objc_method)
 48 | 
 49 | // this script processes the objective C typeinfo tables,
 50 | // and names functions accordingly.
 51 | // greatly improving the disassembly of objective C programs
 52 | 
 53 | static String(ea)
 54 | {
 55 |      return GetString(ea, -1, ASCSTR_C);
 56 | }
 57 | 
 58 | static create_mthnames(ea0, ea1, name, type)
 59 | {
 60 |     auto ea;
 61 |     for (ea=ea0 ; ea<ea1 ; ea=ea+STRUCT_OBJC_METHOD_SIZE)
 62 |     {
 63 |         MakeNameEx(Dword(ea+8), "-["+name+" "+type+" "+String(Dword(ea))+"]", SN_NOCHECK);
 64 |     }
 65 | }
 66 | 
 67 | static fix__objc_binary()
 68 | {
 69 |     auto rea, ea,segea,name, i, origc,cmt,n,id,type,ofs,size;
 70 |     Message("[INFO] Processing __class segment\n");
 71 |     // retrieve address of __class segment
 72 |     segea=SegByBase(SegByName("__class"));
 73 |     // start process valid code/data until the end of this segment
 74 |     for (ea= SegStart(segea) ; ea!=BADADDR ; ea=NextHead(ea,SegEnd(segea)))
 75 |     {
 76 |     /* 
 77 |     @ /usr/include/objc/runtime.h
 78 |     
 79 |         struct objc_class {
 80 |         Class isa;
 81 |     
 82 |     #if !__OBJC2__
 83 |         Class super_class                                        OBJC2_UNAVAILABLE;
 84 |         const char *name                                         OBJC2_UNAVAILABLE; // 8
 85 |         long version                                             OBJC2_UNAVAILABLE; // 12
 86 |         long info                                                OBJC2_UNAVAILABLE; // 16
 87 |         long instance_size                                       OBJC2_UNAVAILABLE; // 20
 88 |         struct objc_ivar_list *ivars                             OBJC2_UNAVAILABLE; // 24
 89 |         struct objc_method_list **methodLists                    OBJC2_UNAVAILABLE; // 28
 90 |         struct objc_cache *cache                                 OBJC2_UNAVAILABLE;
 91 |         struct objc_protocol_list *protocols                     OBJC2_UNAVAILABLE; 
 92 |     #endif
 93 |     
 94 |     } OBJC2_UNAVAILABLE;
 95 | */
 96 |         if (GuessType(ea)=="__class_struct") 
 97 |         {
 98 |             name=String(Dword(ea+8)); // retrieve class name
 99 | #if DEBUG            
100 |             Message("Processing class @ %08lx:%s\n", ea, name);
101 | #endif
102 |             // just rename some fields of the class
103 |             MakeName(ea, form("class_%s", name));               // MakeName will replace invalid chars with '_'
104 |             MakeName(Dword(ea+0x18), form("ivars_%s", name));	// instance vars
105 |             MakeName(Dword(ea+0x1c), form("methods_%s", name));	// methods
106 |             
107 |             /*
108 |             struct objc_method_list {
109 |                 struct objc_method_list *obsolete                        OBJC2_UNAVAILABLE;  // 0  
110 |                 int method_count                                         OBJC2_UNAVAILABLE;  // 4
111 |                 struct objc_method method_list[1]                        OBJC2_UNAVAILABLE;  // 8
112 |             }                                                            OBJC2_UNAVAILABLE;
113 |             struct objc_method {
114 |                 SEL method_name                                          OBJC2_UNAVAILABLE;
115 |                 char *method_types                                       OBJC2_UNAVAILABLE;
116 |                 IMP method_imp                                           OBJC2_UNAVAILABLE;
117 |             }                                                            OBJC2_UNAVAILABLE;
118 |             */
119 | 
120 |             auto methodLists_ptr, method_count, method_list_start, method_list_end, x;
121 |             
122 |             methodLists_ptr   = Dword(ea+0x1c);
123 |             method_count      = Dword(methodLists_ptr+4);
124 |             method_list_start = methodLists_ptr+8;
125 |             method_list_end   = method_list_start + (STRUCT_OBJC_METHOD_SIZE*method_count);
126 |             
127 |             // name the unnamed functions with method names plus class
128 |             for (x = method_list_start ; x < method_list_end ; x = x + STRUCT_OBJC_METHOD_SIZE)
129 |             {
130 | #if DEBUG
131 |                 Message("Processing method %s from class %s @ %x\n", String(Dword(x)), name, x);
132 | #endif
133 | #if TYPE_INFORMATION
134 |                 type = " "+String(Dword(x+4));
135 | #else
136 |                 type = "";
137 | #endif
138 |                 MakeNameEx(Dword(x+8), "-["+name+" "+String(Dword(x))+type+"]", SN_NOCHECK);
139 |             }
140 | 	    // todo: create meta_class_methods ( Dword(ea+0x24)
141 |         }
142 |     }
143 |     
144 |     Message("[INFO] Processing __meta_class segment\n");
145 |     segea=SegByBase(SegByName("__meta_class"));
146 |     for (ea= SegStart(segea) ; ea!=BADADDR ; ea=NextHead(ea,SegEnd(segea)))
147 |     {
148 |         if (GuessType(ea)=="__class_struct") 
149 |         {
150 |             name=String(Dword(ea+8));
151 | #if DEBUG            
152 |             Message("Processing class @%08lx:%s\n", ea, name);
153 | #endif            
154 |             MakeName(ea, form("metaclass_%s", name));
155 |             if (Dword(ea+0x18)) 
156 |             {	// instance vars
157 |                 MakeName(Dword(ea+0x18), form("metaivars_%s", name));
158 |             }
159 |             if (Dword(ea+0x1c)) 
160 |             {	// methods
161 |                 MakeName(Dword(ea+0x1c), form("metamethods_%s", name));
162 | //                 create_mthnames(Dword(ea+0x1c)+8, Dword(ea+0x1c)+8+12*Dword(Dword(ea+0x1c)+4), name, "(static)");
163 |                 // name the class methods
164 |                 for (x = Dword(ea+0x1c)+8 ; x < Dword(ea+0x1c)+8+12*Dword(Dword(ea+0x1c)+4) ; x = x + STRUCT_OBJC_METHOD_SIZE)
165 |                 {
166 | #if DEBUG
167 |                     Message("Processing class method %s from class %s @ %x\n", String(Dword(x)), name, x);
168 | #endif
169 |                     MakeNameEx(Dword(ea+8), "+["+name+" "+String(Dword(ea))+"]", SN_NOCHECK);
170 |                 }
171 |             }
172 |         }
173 |     }
174 |     
175 |     Message("[INFO] Processing __protocol segment\n");
176 |     segea=SegByBase(SegByName("__protocol"));
177 |     for (ea= SegStart(segea) ; ea!=BADADDR ; ea=NextHead(ea,SegEnd(segea)))
178 |     {
179 |         if (GuessType(ea)=="__protocol_struct") 
180 |         {
181 |             name=String(Dword(ea+4));
182 |             Message("%08lx %s\n", ea, name);
183 |             if (MakeName(ea, form("protocol_%s", name))) 
184 |             {
185 |                 if (Dword(ea+0xc)) 
186 |                 {	// instance methods
187 |                     MakeName(Dword(ea+0xc), form("protomth_%s", name));
188 |                 }
189 |             }
190 | 	    // todo: better handling of name collisions
191 |             else if (MakeName(ea, form("protocol_%s_1", name))) 
192 |             {
193 |                 if (Dword(ea+0xc)) 
194 |                 {	// instance methods
195 |                     MakeName(Dword(ea+0xc), form("protomth_%s_1", name));
196 |                 }
197 |             }
198 | 	    // todo: class_methods : Dword(ea+0x10)
199 |         }
200 |     }
201 |     
202 |     Message("[INFO] Processing __category segment\n");
203 |     segea=SegByBase(SegByName("__category"));
204 |     for (ea= SegStart(segea) ; ea!=BADADDR ; ea=NextHead(ea,SegEnd(segea)))
205 |     {
206 |         if (GuessType(ea)=="__category_struct") 
207 |         {
208 |             name=String(Dword(ea+4))+"_"+String(Dword(ea));	// class _ category
209 |             Message("%08lx %s\n", ea, name);
210 |             MakeName(ea, form("category_%s", name));
211 |             if (Dword(ea+0x8)) 
212 |             {	// methods -> seg __cat_inst_meth
213 |                 MakeName(Dword(ea+0x8), form("catmths_%s", name));
214 |                 create_mthnames(Dword(ea+0x8)+8, Dword(ea+0x8)+8+12*Dword(Dword(ea+0x8)+4), name, "(cat)");
215 |             }
216 | 	    // todo: class methods -> __cat_cls_meth
217 |         }
218 |     }
219 |     
220 |     Message("[INFO] Processing __module_info segment\n");
221 |     segea=SegByBase(SegByName("__module_info"));
222 |     for (ea= SegStart(segea) ; ea!=BADADDR ; ea=NextHead(ea,SegEnd(segea)))
223 |     {
224 |         if (GuessType(ea)=="__module_info_struct") 
225 |         {
226 |             MakeName(Dword(ea+0xC), form("symtab_%X", Dword(ea+0xC)));
227 |         }
228 |     }
229 |     
230 |     Message("[INFO] Processing __cfstring segment\n");
231 |     segea=SegByBase(SegByName("__cfstring"));
232 |     for (ea= SegStart(segea) ; ea!=BADADDR ; ea=NextHead(ea,SegEnd(segea)))
233 |     {
234 |         if (GuessType(ea)=="__CFString") 
235 |         {
236 |             if (!MakeName(ea, "cfs_"+Name(Dword(ea+8))))
237 |             {
238 |                 i=0;
239 |                 while (!MakeName(ea, form("cfs_%s_%d",Name(Dword(ea+8)),i)))
240 |                     i++;
241 |             }
242 |             // no more need for this since IDA already comments with the string contents
243 | //             for (rea=DfirstB(ea) ; rea!=BADADDR ; rea=DnextB(ea,rea))
244 | //             {
245 | //                 MakeComm(rea, String(Dword(ea+8)));
246 | //             }
247 |         }
248 |     }
249 |     
250 |     Message("[INFO] Processing __message_refs segment\n");
251 |     segea=SegByBase(SegByName("__message_refs"));
252 |     for (ea= SegStart(segea) ; ea!=BADADDR ; ea=NextHead(ea,SegEnd(segea)))
253 |     {
254 |         if (!MakeName(ea, "msg_"+Name(Dword(ea))))
255 |         {
256 |             i=0;
257 |             while (!MakeName(ea, form("msg_%s_%d",Name(Dword(ea)),i)))
258 |                 i++;
259 |         }
260 |         for (rea=DfirstB(ea) ; rea!=BADADDR ; rea=DnextB(ea,rea))
261 |         {
262 |             MakeComm(rea, "message: \""+String(Dword(ea))+"\"");
263 |         }
264 |     }
265 |     
266 |     Message("[INFO] Processing __cls_refs segment\n");
267 |     segea=SegByBase(SegByName("__cls_refs"));
268 |     for (ea= SegStart(segea) ; ea!=BADADDR ; ea=NextHead(ea,SegEnd(segea)))
269 |     {
270 |         if (!MakeName(ea, "cls_"+Name(Dword(ea))))
271 |         {
272 |             i=0;
273 |             while (!MakeName(ea, form("cls_%s_%d",Name(Dword(ea)),i)))
274 |                 i++;
275 |         }
276 |         for (rea=DfirstB(ea) ; rea!=BADADDR ; rea=DnextB(ea,rea))
277 |         {
278 |             MakeComm(rea, "class: \""+String(Dword(ea))+"\"");
279 |         }
280 |     }
281 | 
282 |     Message("[INFO] Processing __instance_vars segment\n");
283 |     segea=SegByBase(SegByName("__instance_vars"));
284 |     for (ea= SegStart(segea) ; ea<SegEnd(segea) ; )
285 |     {
286 |         n=Dword(ea);
287 |         if (n==0) 
288 |         {
289 |             ea=ea+4;
290 |         }
291 |         else
292 |         {
293 |             id=AddStruc(-1, Name(ea)+"_struct");
294 |             ea=ea+4;
295 |             while (n--) 
296 |             {
297 |                 type=String(Dword(ea+4));
298 |                 ofs=Dword(ea+8);
299 |                 name=String(Dword(ea));
300 |                 if (type=="c") { size=1; }
301 |                 else if (type=="i") { size=4; }
302 |                 else if (type=="I") { size=4; }
303 |                 else if (type=="l") { size=4; }
304 |                 else if (type=="S") { size=4; }
305 |                 else if (type=="q") { size=8; }
306 |                 else if (type=="Q") { size=8; }
307 |                 else if (type=="B") { size=4; }
308 |                 else if (type=="f") { size=4; }
309 |                 else if (type=="d") { size=8; }
310 |                 else if (substr(type,0,1)=="[") 
311 |                 {
312 |                     if (strstr(type,"@")!=-1) 
313 |                     {
314 |                         size=4*atol(substr(type,1,-1));
315 |                     }
316 |                     else 
317 |                     {
318 |                         Message("%08lx: unrecognized type: %s\n", ea, type);
319 |                         size=4*atol(substr(type,1,-1));
320 |                         if (size==0)
321 |                             size=4;
322 |                     }
323 |                 }
324 |                 else if (substr(type,0,1)=="@") 
325 |                 {
326 |                     size=4;
327 |                 }
328 |                 else 
329 |                 {
330 |                     Message("%08lx: unrecognized type: %s\n", ea, type);
331 |                     size=4;
332 |                 }
333 |                 AddStrucMember(id, name, ofs, FF_DWRD, -1, size);
334 | 
335 |                 ea=ea+0xc;
336 |             }
337 |         }
338 |     }
339 |     // todo: analyse 'objc_msgSend' calls, and add code refs
340 |     // todo: create class_<name>  and vtbl_<name>  from ivars+methods
341 |     // todo: create __cfString_struct in seg
342 |     // todo: create align 40h  between __class items and __meta_class item  s
343 |     // todo: create align 20h  between __cls_meth, __inst_meth, __instance_vars, __symbols
344 |     // todo: create dword arrays for __eh_frame
345 |     // todo: const_coal contains obj defs + ptr to vtables too
346 |     // todo: rename __pointers -> { __data -> __cString ptrs, __data -> __cfString, ... }
347 |     
348 |     // add xrefs to methods
349 |     // FIXME: there are at least two different structures used in this segment so needs some research
350 | //     segea=SegByBase(SegByName("__cat_inst_meth"));
351 | //     add_catinst_methods_xrefs(segea);
352 |     Message("[INFO] Processing __inst_meth segment\n");
353 |     segea=SegByBase(SegByName("__inst_meth"));
354 |     add_inst_methods_xrefs(segea);
355 |     
356 |     Message("[INFO] Processing __cls_meth segment\n");
357 |     segea=SegByBase(SegByName("__cls_meth"));
358 |     add_inst_methods_xrefs(segea);
359 | 
360 |     Message("[INFO] Everything finished!\n");
361 | }
362 | 
363 | /*
364 |  * function that will add xrefs to category instance methods so we can easily find who's calling each method
365 |  */
366 | static add_catinst_methods_xrefs(segea)
367 | {
368 |     auto cstring, msg_ref, xref, function, ea, advance;
369 |     // start process valid code/data until the end of this segment
370 |     for (ea= SegStart(segea) ; ea!=BADADDR ; ea=NextHead(ea,SegEnd(segea)))
371 |     {
372 |         if (Dword(ea) == 0x0 && Dword(ea+4) != 0)
373 |         {
374 |             advance = 8;
375 |         }
376 |         // get the pointer to the correspondent C string we will use to find xrefs
377 |         cstring = Dword(ea);
378 |         // bypass empty strings, usually the header fields of class/methods
379 |         if (SegName(cstring) != "__cstring")
380 |         {
381 |             continue;
382 |         }
383 |         // the function name we will add the xrefs to
384 |         function = Dword(ea+8);
385 |         // now try to find the pointer to message_refs, it's usually the first data xref
386 |         // if there's no pointer to message_refs then there's no xrefs to this method (seems to hold true!)
387 |         msg_ref = DfirstB(cstring);
388 |         // test if it belongs to __message_refs and if not try to find it, if available
389 |         if (SegName(msg_ref) != "__message_refs")
390 |         {
391 |             while(msg_ref != BADADDR)
392 |             {
393 |                 msg_ref = DnextB(cstring, msg_ref);
394 |                 if (SegName(msg_ref) == "__message_refs")
395 |                 {
396 |                     break;
397 |                 }
398 |             }
399 |         }
400 |         // if there's no ptr to message_refs then move to next method
401 |         if (msg_ref == BADADDR)
402 |         {
403 |             continue;
404 |         }
405 |     
406 |         // start looking up who's referencing the method
407 |         // and add the xref back to the method
408 |         for (xref = DfirstB(msg_ref); xref != BADADDR; xref = DnextB(msg_ref, xref))
409 |         {
410 |             add_dref(xref, function, dr_O);
411 |         }
412 |     }
413 | }
414 | 
415 | /*
416 |  * function that will add xrefs to instance methods so we can easily find who's calling each method
417 |  */
418 | static add_inst_methods_xrefs(segea)
419 | {
420 |     auto cstring, msg_ref, xref, function, ea;
421 |     // start process valid code/data until the end of this segment
422 |     // NOTE: we are bruteforcing by using NextHead instead of parsing the structure
423 |     //       the speed advantage of parsing the structure appears to be very small so let's keep it this way
424 |     for (ea=SegStart(segea) ; ea!=BADADDR ; ea=NextHead(ea,SegEnd(segea)))
425 |     {
426 | //         Message("Processing %x\n", ea);
427 |         // get the pointer to the correspondent C string we will use to find xrefs
428 |         cstring = Dword(ea);
429 |         // bypass empty strings, usually the header fields of class/methods
430 |         if (SegName(cstring) != "__cstring")
431 |         {
432 |             continue;
433 |         }
434 |         // the function name we will add the xrefs to
435 |         function = Dword(ea+8);
436 |         // now try to find the pointer to message_refs, it's usually the first data xref
437 |         // if there's no pointer to message_refs then there's no xrefs to this method (seems to hold true!)
438 |         msg_ref = DfirstB(cstring);
439 |         // test if it belongs to __message_refs and if not try to find it, if available
440 |         if (SegName(msg_ref) != "__message_refs")
441 |         {
442 |             while(msg_ref != BADADDR)
443 |             {
444 |                 msg_ref = DnextB(cstring, msg_ref);
445 |                 if (SegName(msg_ref) == "__message_refs")
446 |                 {
447 |                     break;
448 |                 }
449 |             }
450 |         }
451 |         // if there's no ptr to message_refs then move to next method
452 |         if (msg_ref == BADADDR)
453 |         {
454 |             continue;
455 |         }
456 |     
457 |         // start looking up who's referencing the method
458 |         // and add the xref back to the method
459 |         for (xref = DfirstB(msg_ref); xref != BADADDR; xref = DnextB(msg_ref, xref))
460 |         {
461 |             add_dref(xref, function, dr_O);
462 |         }
463 |     }
464 | }
465 | 
466 | static main()
467 | {
468 |     fix__objc_binary();
469 | }


--------------------------------------------------------------------------------