# Reverse Engineering Tools

Comparison and tips for the main RE tools.

## Tool Comparison
| Tool | Price | ARM64 Decompiler | Strengths | Weaknesses |
|---|---|---|---|---|
| IDA Pro | $$$ | Hex-Rays (best) | Industry standard, huge plugin ecosystem, best decompilation | Expensive |
| Ghidra | Free | Built-in (good) | Free, extensible, multi-arch | Slower UI, decompiler less accurate |
| Binary Ninja | $$ | Built-in (good) | Modern API, IL layers, fast | Smaller ecosystem |
| Hopper | $ | Built-in (basic) | Fast, native macOS, cheap | Less powerful for kernel analysis |
## IDA Pro Tips for iOS RE

### Loading Kernelcache

1. File → Open → kernelcache.macho
2. Processor: ARM Little-endian [ARM]
3. Set base address correctly
4. Apply KDK symbols:
   File → Load file → DWARF file → select KDK dSYM
5. Wait for auto-analysis (can take 30+ minutes)
### Useful IDA Plugins
- idb2pat: Generate FLIRT signatures
- Finger: Function identification
- Diaphora: Binary diffing (compare iOS versions)
- IDAPython scripts: Custom automation
### IDAPython Quick Reference

```python
import idaapi
import idautils
import idc

# Get the function containing an address (returns None if no function is defined there)
func = idaapi.get_func(0xFFFFFE0001234000)

# Iterate all functions
for func_ea in idautils.Functions():
    name = idc.get_func_name(func_ea)

# Find xrefs to an address (set target_addr to the address under investigation)
target_addr = 0xFFFFFE0001234000
for xref in idautils.XrefsTo(target_addr):
    print(f"Referenced from: {hex(xref.frm)}")

# Search for a byte pattern: little-endian encoding of SUB SP, SP, #0x10
# (find_binary is deprecated in recent IDA releases in favour of ida_bytes.find_bytes)
pattern = "FF 43 00 D1"
addr = idc.find_binary(0, idc.SEARCH_DOWN, pattern)

# Read bytes, but only if the search actually hit
if addr != idc.BADADDR:
    data = idc.get_bytes(addr, 16)
```
## Ghidra Tips

### Setup for iOS

```text
# Install
# Download from ghidra-sre.org
# Requires Java 17+
# Loading kernelcache:
# File → Import File → select kernelcache
# Language: AARCH64:LE:64:AppleSilicon (or v8A)
# Auto-analysis options: enable all
```
### Ghidra Scripts (Java/Python)

```python
# Ghidra Python script (Ghidra's built-in Python is Jython 2.7, so no f-strings)
from ghidra.program.model.symbol import SymbolType

# Find all functions whose name matches a pattern
fm = currentProgram.getFunctionManager()
for func in fm.getFunctions(True):  # True = iterate forward in address order
    if "IOUserClient" in func.getName():
        print("{} at {}".format(func.getName(), func.getEntryPoint()))
```
## Binary Diffing (Patch Analysis)

Used to find what Apple fixed between two iOS versions:
Tools:
- Diaphora (IDA plugin): diff 2 IDB files
- BinDiff (standalone + IDA): Google's differ
- Ghidra Version Tracking: built-in diffing
Workflow:
1. Extract kernelcache from iOS X.Y and iOS X.Y.1
2. Load both into IDA/Ghidra
3. Diff → find changed functions
4. Changed functions = likely security fixes
5. Analyze old version of function → find the bug
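Step 3 is harder than it looks on a kernelcache: nearly every function moves between builds, so a raw byte comparison flags almost everything as changed. The added example below (not from the page, Diaphora or BinDiff, which use far richer graph heuristics) illustrates the core idea by zeroing the address-carrying immediates of BL, B and ADRP before hashing each function; the two builds, function names and encodings are constructed for the demo.

```python
import hashlib
import struct

# AArch64 encodings whose immediates carry addresses that shift between builds:
# (opcode mask, opcode value, immediate-field mask), per the ARMv8-A encoding tables.
RELOC_FIELDS = (
    (0xFC000000, 0x94000000, 0x03FFFFFF),  # BL <label>, imm26 (callee moved)
    (0xFC000000, 0x14000000, 0x03FFFFFF),  # B  <label>, imm26 (tail calls)
    (0x9F000000, 0x90000000, 0x60FFFFE0),  # ADRP Xd, <page>, immlo:immhi (data moved)
)

def normalise(code):
    """Zero the address-carrying immediates of each 32-bit instruction."""
    if len(code) % 4:
        raise ValueError("AArch64 code must be a multiple of 4 bytes")
    out = bytearray()
    for (insn,) in struct.iter_unpack("<I", code):
        for mask, value, imm in RELOC_FIELDS:
            if insn & mask == value:
                insn &= ~imm & 0xFFFFFFFF
                break
        out += struct.pack("<I", insn)
    return bytes(out)

def func_hash(code):
    return hashlib.sha256(normalise(code)).hexdigest()

def diff_functions(old, new):
    """Return (changed, added, removed) name lists for two {name: bytes} maps."""
    common = old.keys() & new.keys()
    changed = sorted(n for n in common if func_hash(old[n]) != func_hash(new[n]))
    return changed, sorted(new.keys() - old.keys()), sorted(old.keys() - new.keys())

def asm(*words):
    return struct.pack("<%dI" % len(words), *words)

# Constructed sample: three tiny functions in an "old" and a "new" build.
# SUB SP,SP,#0x10 = D10043FF (the page's FF 43 00 D1), ADD SP,SP,#0x10 = 910043FF,
# RET = D65F03C0, BL +imm = 94xxxxxx, CMP X1,X2 = EB02003F, B.HI +8 = 54000048.
OLD = {
    "sub_a": asm(0xD10043FF, 0x94000040, 0x910043FF, 0xD65F03C0),  # BL +0x100
    "sub_b": asm(0xD10043FF, 0x94000040, 0x910043FF, 0xD65F03C0),
    "sub_c": asm(0xD65F03C0),
}
NEW = {
    "sub_a": asm(0xD10043FF, 0x94000080, 0x910043FF, 0xD65F03C0),  # BL +0x200: only the callee moved
    "sub_b": asm(0xD10043FF, 0xEB02003F, 0x54000048, 0x94000080, 0x910043FF, 0xD65F03C0),  # check added
    "sub_d": asm(0xD65F03C0),
}

if __name__ == "__main__":
    print(diff_functions(OLD, NEW))  # (['sub_b'], ['sub_d'], ['sub_c'])
```

sub_a differs only in its BL target and is correctly left out of the changed list; sub_b, which gained a compare-and-branch, is the one worth opening in the old version.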