Friday, April 20, 2012

IDC script to help reverse iOS 5 binaries with IDA < 6.2

Apple is not standing still: in iOS 5 the default compiler is LLVM instead of GCC. It produces somewhat different code, and IDA < 6.2 fails to resolve references that are now computed relative to PC.

I wrote a little IDC script to resolve those refs (I don't know if another solution exists...). Feel free to use it and modify it to your needs.

It's on github.

Here is an example of code disassembled with IDA:

__text:00001000 MOV R4, 0x12344
__text:00001008 ADD R4, PC

After executing this IDC script:

__text:00001000 MOV R4, 0x12344
__text:00001008 ADD R4, PC ; off_13350

(If the address is named, the name appears instead of off_xxx.)

The xref is also added, so that when you press X on address 0x13350 you'll see where it is used.
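To make the arithmetic behind the pattern explicit, here is an added stand-alone Python example (not the author's IDC script, and not using the IDA API): it parses the two listing lines shown above, pairs a `MOV Rx, #imm` with the following `ADD Rx, PC`, and computes the target the way the processor does. The one detail that matters is the value the CPU reads for PC: in Thumb state it is the address of the current instruction plus 4, in ARM state plus 8. The post's own numbers are consistent with Thumb: 0x1008 + 4 + 0x12344 = 0x13350. The listing text, the `off_` naming and the `thumb` flag are assumptions made for this example.

```python
import re

# Constructed sample listing reproducing the pattern from the post
# (this is example input, not output taken from the author's script).
SAMPLE_LISTING = """
__text:00001000 MOV R4, 0x12344
__text:00001008 ADD R4, PC
"""

# segment:address  mnemonic  operands
LINE_RE = re.compile(r"^__\w+:([0-9A-Fa-f]{8})\s+([\w.]+)\s+(.*)$")


def parse_listing(text):
    """Turn listing lines into (address, mnemonic, [operands]) tuples."""
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, mnem, ops = m.groups()
        operands = [o.strip() for o in ops.split(",")]
        insns.append((int(addr, 16), mnem.upper(), operands))
    return insns


def pc_value(insn_addr, thumb=True):
    """Value read from PC by an instruction at insn_addr.

    ARM architecture rule: PC reads as the instruction address + 4 in
    Thumb state and + 8 in ARM state (the pipeline offset).
    """
    return insn_addr + (4 if thumb else 8)


def _immediate(operand):
    """Return the integer value of a '#0x..' / '0x..' immediate, else None."""
    value = operand.lstrip("#")
    if value.lower().startswith("0x"):
        return int(value, 16)
    return None


def resolve_pc_relative(insns, thumb=True):
    """Pair 'MOV Rx, #imm' with a later 'ADD Rx, PC'.

    Returns {address_of_ADD: resolved_target}.
    """
    pending = {}   # register -> immediate currently held in it
    results = {}
    for addr, mnem, ops in insns:
        imm = _immediate(ops[1]) if len(ops) == 2 else None
        if mnem in ("MOV", "MOVW", "MOV.W") and imm is not None:
            pending[ops[0]] = imm
        elif mnem == "ADD" and len(ops) == 2 and ops[1] == "PC" and ops[0] in pending:
            target = (pending.pop(ops[0]) + pc_value(addr, thumb)) & 0xFFFFFFFF
            results[addr] = target
        elif ops and ops[0] in pending:
            # Any other instruction naming the register first is treated
            # (conservatively) as a write that invalidates the tracked value.
            pending.pop(ops[0], None)
    return results


def annotate(text, thumb=True):
    """Append '; off_XXXX' to each resolved ADD line, like the post's output."""
    targets = resolve_pc_relative(parse_listing(text), thumb)
    out = []
    for line in text.strip().splitlines():
        line = line.strip()
        m = LINE_RE.match(line)
        if m and int(m.group(1), 16) in targets:
            line = f"{line} ; off_{targets[int(m.group(1), 16)]:X}"
        out.append(line)
    return "\n".join(out)


if __name__ == "__main__":
    print(annotate(SAMPLE_LISTING))
```

Inside IDA the real script would set the operand comment and add the data xref through the IDC API; this example only does the address arithmetic over text so it can be run anywhere. Passing `thumb=False` shows how the same pattern resolves to a different address in ARM state, which is the usual reason a PC-relative fixup lands 4 bytes off.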

Hope it helps.