General forum - Hackint0sh.org
How to disassemble mach-o-arm with IDA? (was Disassembly)
I was wondering if anyone could give me some help with my attempts to disassemble files in the iPhone. I have IDA and I have the modified macho.ldw. So I am guessing the next steps are to go into File > New then Mac then Mac OS X Mach-O executable. I changed the macho.ldw to the one I got from rapid-share. Anyone have any further info because it would be greatly appreciated by me.
Last edited by sam; 07-27-2007 at 09:52 AM.
It's quite difficult to do, as IDA is very bad with ARM. On the average compiled firmware with just
one code and two data sections it is pretty annoying to fix all the wrong T flag switches,
let alone do it in Mach-O format with so many mixed data and code sections.
Just drag to IDA, after changing the CPU to ARM, from options:
- Create stack variables (untick)
- Trace stack pointer (untick)
- Create function tails (untick)
- No automatic ARM-THUMB switch (tick)
When all loaded, disable auto analysis and the indicator, and open the segments
window, select the first code section, and manually go to each function, Ctrl-U, check
the first instruction to see if Thumb or ARM, Alt-G the T flag and press P.
Do this for all functions/code segments.
Hope this helps.
Chief of Administration
iPhone Dev Team
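The manual loop above comes down to one decision per function (Thumb or ARM) followed by setting the T flag. The Python script below is an added example for this thread, not IDA's code and not something from the original post: it pulls that decision from the Mach-O symbol table, where the linker marks Thumb functions with the N_ARM_THUMB_DEF bit in each nlist's n_desc, and cross-checks it against the first instruction. The prologue heuristic (push {.., lr} encoded as 0xB5xx for Thumb and stmfd sp!, {.., lr} as 0xE92D4xxx for ARM) and the sample file are my own constructions; the sample is a minimal hand-built 32-bit Mach-O, not an iPhone binary.

```python
"""Classify functions in a 32-bit ARM Mach-O as Thumb or ARM.

Added example for this thread, not IDA's code and not from the original post.
Source of truth: the N_ARM_THUMB_DEF bit in each nlist's n_desc.  The
prologue heuristic and the sample binary below are assumptions of this
example (the sample is hand-built, not an iPhone binary).
"""
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit little-endian Mach-O
CPU_TYPE_ARM = 12
LC_SEGMENT = 0x1
LC_SYMTAB = 0x2
N_TYPE, N_SECT, N_EXT = 0x0E, 0x0E, 0x01
N_ARM_THUMB_DEF = 0x0008   # n_desc flag set by the linker on Thumb symbols


def parse_macho(data):
    """Return (sections, symbols): sections as (name, addr, size, fileoff),
    defined symbols as (name, addr, is_thumb)."""
    magic, cputype, _, _, ncmds, _, _ = struct.unpack_from("<IiiIIII", data, 0)
    if magic != MH_MAGIC or cputype != CPU_TYPE_ARM:
        raise ValueError("not a 32-bit ARM Mach-O")
    sections, symbols, off = [], [], 28
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT:
            nsects = struct.unpack_from("<I", data, off + 48)[0]
            for i in range(nsects):                      # 68-byte section headers
                s = off + 56 + 68 * i
                name = data[s:s + 16].rstrip(b"\0").decode()
                addr, size, fileoff = struct.unpack_from("<III", data, s + 32)
                sections.append((name, addr, size, fileoff))
        elif cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<IIII", data, off + 8)
            strtab = data[stroff:stroff + strsize]
            for i in range(nsyms):                       # 12-byte nlist entries
                n_strx, n_type, _sect, n_desc, n_value = struct.unpack_from(
                    "<IBBhI", data, symoff + 12 * i)
                if n_type & N_TYPE != N_SECT:            # skip undefined/absolute
                    continue
                name = strtab[n_strx:strtab.index(b"\0", n_strx)].decode()
                symbols.append((name, n_value, bool(n_desc & N_ARM_THUMB_DEF)))
        off += cmdsize
    return sections, symbols


def file_offset(sections, addr):
    """Map a virtual address to a file offset through the section table."""
    for _, saddr, size, fileoff in sections:
        if saddr <= addr < saddr + size:
            return fileoff + (addr - saddr)
    return None


def prologue_guess(data, off):
    """Heuristic (an assumption of this example): a function that starts with
    push {.., lr} is Thumb if the halfword is 0xB5xx, ARM if the word is
    stmfd sp!, {.., lr} (0xE92D4xxx).  Anything else is reported as unknown."""
    if struct.unpack_from("<H", data, off)[0] >> 8 == 0xB5:
        return "thumb"
    if struct.unpack_from("<I", data, off)[0] & 0xFFFF4000 == 0xE92D4000:
        return "arm"
    return "unknown"


def classify(data):
    """Per defined symbol: (name, addr, mode from symtab, mode from prologue)."""
    sections, symbols = parse_macho(data)
    rows = []
    for name, addr, thumb in sorted(symbols, key=lambda s: s[1]):
        off = file_offset(sections, addr)
        guess = prologue_guess(data, off) if off is not None else "unmapped"
        rows.append((name, addr, "thumb" if thumb else "arm", guess))
    return rows


def build_sample():
    """Constructed minimal Mach-O: one __TEXT,__text section holding a Thumb
    function at +0 and an ARM function at +16, plus a two-entry symbol table."""
    text_off, text_addr = 176, 0x2000   # 28-byte header + 148 bytes of load commands
    code = (bytes.fromhex("f0b5") + b"\0" * 14          # push {r4-r7,lr}      (Thumb)
            + bytes.fromhex("f0402de9") + b"\0" * 12)   # stmfd sp!,{r4-r7,lr} (ARM)
    symoff = text_off + len(code)
    nlist = struct.pack("<IBBhI", 1, N_SECT | N_EXT, 1, N_ARM_THUMB_DEF, text_addr)
    nlist += struct.pack("<IBBhI", 11, N_SECT | N_EXT, 1, 0, text_addr + 16)
    strtab = b"\0_thumb_fn\0_arm_fn\0"
    stroff = symoff + len(nlist)
    seg = struct.pack("<II16sIIIIiiII", LC_SEGMENT, 124, b"__TEXT",
                      0x1000, 0x2000, 0, stroff + len(strtab), 7, 5, 1, 0)
    sect = struct.pack("<16s16sIIIIIIIII", b"__text", b"__TEXT",
                       text_addr, len(code), text_off, 2, 0, 0, 0, 0, 0)
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, symoff, 2, stroff, len(strtab))
    header = struct.pack("<IiiIIII", MH_MAGIC, CPU_TYPE_ARM, 9, 2, 2, 148, 0)
    return header + seg + sect + symtab + code + nlist + strtab


if __name__ == "__main__":
    for name, addr, flag, guess in classify(build_sample()):
        print(f"{addr:#010x} {name:<12} symtab={flag:<5} prologue={guess}")
```

The rows it prints are the worklist for the manual step: for entries reported as thumb, set T to 1 with Alt-G before pressing P. A disagreement between the symbol-table flag and the prologue guess marks a function worth looking at by hand, since the flag is authoritative but the heuristic only knows the common push-based prologue; on a stripped binary there are no symbols at all, and the first-instruction check is the only signal left.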
The IDA support for ARM has quite increased and Mach-O is now supported with Ilfak's new plugin.
For general getting started with reversing check openrce or similar sites.
If you like to use IDA, please buy it as this great piece of software deserves support.
In addition to what juniorjack said, the big problem with ARM (and many modern processors) is that the disassembly itself does not present the context in which many of the routines are running. This is why many serious disassemblies have a second machine running JTAG into the processor to provide things like the stack info and such.
This sort of thing is easily done on a standard PC because of the various modern debuggers. Embedded processors are more difficult and take more time to work. Still, as soon as someone gets a working JTAG connection it will be a far simpler task to find the NCK routines and reverse them.