Tools are the researcher’s hands and feet. Setting them up correctly from the start saves hundreds of hours.


Disassemblers & Decompilers

IDA Pro (Hex-Rays)

  • Role: The leading disassembler and decompiler, industry standard
  • Features: ARM64 decompilation, type reconstruction, scripting (IDAPython), plugin ecosystem
  • Price: Expensive (commercial license), but an Education edition is available
  • When to use: Analyzing kernelcache, IOKit drivers, system daemons
  • Tips:
    • Load kernelcache with the correct base address
    • Use DWARF symbols from Apple KDK (Kernel Debug Kit) when available
    • IDAPython scripts automate pattern searching

Ghidra (Free, NSA)

  • Role: Free alternative to IDA
  • Features: Good ARM64 support, integrated decompiler, Java-based scripting
  • When to use: When you don’t have an IDA license, or need a second opinion
  • Limitations: Decompiler output is less accurate than Hex-Rays for ARM64 kernel code

Binary Ninja

  • Role: Modern disassembler with a good UI
  • Features: IL (Intermediate Language) layers, API-first design, Python scripting
  • When to use: Scripted analysis, when you need a programmatic approach

Hopper

  • Role: Lightweight disassembler for macOS
  • Features: Fast, native macOS app, good Objective-C analysis
  • When to use: Quick analysis of userspace binaries

Command-Line Tools

otool / jtool2

# otool - Mach-O analysis (built into macOS)
otool -lV binary          # Load commands (detailed)
otool -hV binary          # Mach-O header
otool -tV binary          # Disassemble __TEXT,__text

# jtool2 - Enhanced Mach-O analysis (Jonathan Levin)
jtool2 --pages binary     # Show segment/section layout
jtool2 -d binary          # Disassemble
jtool2 --ent binary       # Extract entitlements
jtool2 -S binary          # Show symbols

codesign / ldid

# codesign - macOS native code signing tool
codesign -d --entitlements :- binary    # Dump entitlements
codesign -dvvv binary                   # Detailed signing info

# ldid - Open-source signing tool (used on jailbroken devices)
ldid -e binary              # Extract entitlements
ldid -Sentitlements.xml binary  # Sign with entitlements

img4tool / img4lib

# Extract and decrypt kernelcache from IPSW
img4tool -e -o kernelcache.raw kernelcache.img4
# Or use pyimg4
python3 -m pyimg4 im4p extract -i kernelcache.im4p -o kernelcache.macho

lipo / file

lipo -info binary           # Architectures in fat binary
lipo binary -thin arm64e -output binary.arm64e  # Extract single arch
file binary                 # File type identification
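As an added example (not from the original page), a small Python Mach-O header parser that reports what lipo -info and file show for a fat or thin binary, and additionally walks each slice's load commands for the __TEXT vmaddr, the base address a kernelcache has to be loaded at in IDA/Ghidra. The binaries it parses are constructed inline by the helper functions build_thin and build_fat (both assumptions of this example, not real Apple files).

```python
import struct

# Mach-O constants from <mach-o/fat.h>, <mach-o/loader.h> and <mach/machine.h>
FAT_MAGIC, MH_MAGIC_64, LC_SEGMENT_64 = 0xCAFEBABE, 0xFEEDFACF, 0x19
CPU_TYPE_X86_64, CPU_TYPE_ARM64, CPU_SUBTYPE_MASK = 0x01000007, 0x0100000C, 0xFF000000

def arch_name(cputype, cpusubtype):
    """Name a slice the way lipo -info does; arm64e keeps ptrauth ABI bits in the masked top byte."""
    sub = cpusubtype & ~CPU_SUBTYPE_MASK
    if cputype == CPU_TYPE_ARM64:
        return {0: "arm64", 2: "arm64e"}.get(sub, f"arm64 (subtype {sub})")
    return "x86_64" if cputype == CPU_TYPE_X86_64 else f"cputype 0x{cputype:x}"

def fat_slices(data):
    """Parse the big-endian fat header into [(arch, file offset, size)]; [] for a thin Mach-O."""
    if len(data) < 8 or struct.unpack(">I", data[:4])[0] != FAT_MAGIC:
        return []
    nfat = struct.unpack(">I", data[4:8])[0]
    entries = (struct.unpack(">5I", data[8 + 20 * i:28 + 20 * i]) for i in range(nfat))
    return [(arch_name(cpu, sub), off, size) for cpu, sub, off, size, _align in entries]

def text_base(data):
    """Walk the load commands of a thin 64-bit Mach-O and return the __TEXT vmaddr (IDA/Ghidra load base)."""
    if len(data) < 32 or struct.unpack("<I", data[:4])[0] != MH_MAGIC_64:
        return None
    ncmds, off = struct.unpack("<I", data[16:20])[0], 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack("<II", data[off:off + 8])
        if cmd == LC_SEGMENT_64 and data[off + 8:off + 24].rstrip(b"\0") == b"__TEXT":
            return struct.unpack("<Q", data[off + 24:off + 32])[0]
        off += cmdsize
    return None

def describe(data):
    """lipo -info / file style summary: [(arch, __TEXT base)] per slice, for fat or thin input."""
    slices = fat_slices(data) or [(arch_name(*struct.unpack("<II", data[4:12])), 0, len(data))]
    return [(name, text_base(data[off:off + size])) for name, off, size in slices]

# Constructed inputs (not real Apple binaries): a minimal arm64 Mach-O with one __TEXT segment, and a fat wrapper padded to 0x4000 like lipo's output
def build_thin(vmaddr, cpusubtype=0):
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT", vmaddr, 0x4000, 0, 0x4000, 5, 5, 0, 0)
    return struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, cpusubtype, 2, 1, len(seg), 0, 0) + seg

def build_fat(slices):
    hdr, blobs, off = struct.pack(">II", FAT_MAGIC, len(slices)), b"", 0x4000
    for cputype, cpusubtype, blob in slices:
        hdr += struct.pack(">5I", cputype, cpusubtype, off, len(blob), 14)
        blobs, off = blobs + blob.ljust(0x4000, b"\0"), off + 0x4000
    return hdr.ljust(0x4000, b"\0") + blobs
```

On a real file call describe(open(path, "rb").read()); a decrypted kernelcache typically reports a single arm64/arm64e slice whose __TEXT base is the value to enter when IDA asks for the load address.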

Debuggers

lldb

# Attach to process
lldb -n process_name
lldb -p PID

# Basic commands
(lldb) b function_name          # Set breakpoint
(lldb) br s -a 0x100001234     # Breakpoint at address
(lldb) r                        # Run
(lldb) c                        # Continue
(lldb) si                       # Step instruction
(lldb) ni                       # Next instruction (step over)
(lldb) register read            # All registers
(lldb) register read x0 x1 x2  # Specific registers
(lldb) memory read 0x100001234  # Read memory (hex dump)
(lldb) memory read -f x -c 8 -s 8 addr   # 8 uint64 values
(lldb) x/10gx addr             # GDB-style: 10 giant (8-byte) hex values
(lldb) disassemble -a 0x1234   # Disassemble at address
(lldb) image list               # Loaded images + ASLR slides
(lldb) expr -- (int)getpid()   # Evaluate expression

Kernel Debugging

  • Corellium: Virtual iOS devices – full kernel debugging support
  • KDP (Kernel Debug Protocol): Over network, requires a development kernel
  • Apple KDK (Kernel Debug Kit): Symbols for production kernels (requires an Apple Developer account)

Dynamic Analysis

Frida

# Inject into running process
frida -U -n SpringBoard        # USB-connected device
frida -H host:port -n target   # Remote

# Frida script basics
Interceptor.attach(ptr("0x1234"), {
    onEnter(args) {
        console.log("arg0:", args[0]);
    },
    onLeave(retval) {
        console.log("return:", retval);
    }
});

DTrace / Instruments (macOS)

# Trace syscalls
sudo dtruss -p PID
# Trace specific probe
sudo dtrace -n 'syscall::mach_msg_trap:entry { printf("%d", pid); }'

Lab Setup Recommendations

Option 1: Corellium

  • Virtual iOS devices in the cloud
  • Full kernel debugging, filesystem access
  • Kernel hooks, custom kernelcache loading
  • Price: subscription model

Option 2: Physical Device + checkra1n/palera1n

  • iPhone X or older (A11 and below for checkm8)
  • checkra1n/palera1n jailbreak
  • SSH access, filesystem read/write
  • Frida for dynamic analysis
  • Limitation: no direct kernel debugging

Option 3: macOS for XNU Research

  • Apple Silicon Mac running macOS
  • Many kernel subsystems are the same as iOS
  • Kernel debugging is easier (disable SIP, set boot-args)
  • Good for learning XNU internals before moving to iOS

Basic Workflow

1. Extract kernelcache from IPSW
   └─→ img4tool / pyimg4

2. Load into IDA/Ghidra with symbols (KDK)
   └─→ Static analysis

3. Identify target (IOKit driver, syscall handler, ...)
   └─→ Find entry points, trace code paths

4. Dynamic analysis on device/Corellium
   └─→ Frida hooks, lldb debugging

5. Fuzzing (optional)
   └─→ IOKit fuzzer, syscall fuzzer

6. Exploit development
   └─→ PoC → primitive → chain → jailbreak