Once a file is open in IDA, the usual first task is to search for functions. Functions can be regarded as the basic unit of work in IDA; data structures merely serve the functions. The function list appears in the Functions window on the left side of the interface.
We can see that UIKit has 27789 functions. Before searching, you must first know how function names are represented.
Objective-C function representation:
Take UIView as an example. In the Xcode documentation, UIView functions are written as follows:
    + (void)beginAnimations:(NSString *)animationID context:(void *)context
    - (void)drawRect:(CGRect)rect
    - (id)initWithFrame:(CGRect)aRect
    - (void)removeFromSuperview
    @property(nonatomic) CGRect frame
In GDB/LLDB:
    +[UIView(Animation) beginAnimations:context:]
    -[UIView(Rendering) drawRect:]
    -[UIView initWithFrame:]
    -[UIView(Hierarchy) removeFromSuperview]
    -[UIView(Geometry) frame]
    -[UIView(Geometry) setFrame:]
As you can see, the debugger form (GDB/LLDB, called xDB below) has the following features:
- The return value is omitted.
- Parameter type declarations and parameter names are omitted.
- There is a space between the class name and the function name. With multiple parameters there are no spaces; the parts are separated only by colons.
- The class name is followed by the category name.
- A property is expanded into functions. A readwrite property corresponds to two functions; the set function has the set prefix followed by the property name with its first letter in upper case (the names may differ if function names are explicitly declared in the @property).
In IDA, the representation is:
    __UIView_Animation__beginAnimations_context__
    __UIView_Rendering__drawRect__
    __UIView_initWithFrame__
    __UIView_Hierarchy__removeFromSuperview_
    __UIView_Geometry__frame_
    __UIView_Geometry__setFrame__
That is, every character of the xDB form other than letters and digits is replaced by an underscore.
(Block-type functions are more complex. I will discuss them later)
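The Objective-C rules above can be applied mechanically. The following Python code is an added example, not code from the original post: it does not use the IDA API, the helper names (`xdb_to_ida`, `xdb_method`, `property_accessors`, `search`) are hypothetical, and it assumes default accessor names.

```python
import re


def xdb_to_ida(xdb_name):
    """Page rule: every character that is not a letter or digit becomes '_'."""
    return re.sub(r"[^0-9A-Za-z]", "_", xdb_name)


def xdb_method(cls, selector, category=None, class_method=False):
    """Build the debugger-form name, e.g. -[UIView(Geometry) setFrame:]."""
    owner = f"{cls}({category})" if category else cls
    sign = "+" if class_method else "-"
    return f"{sign}[{owner} {selector}]"


def property_accessors(cls, prop, category=None, readonly=False):
    """Expand a property into its default getter/setter names.

    Assumption: no custom getter=/setter= is declared in the @property.
    """
    names = [xdb_method(cls, prop, category)]
    if not readonly:
        setter = f"set{prop[0].upper()}{prop[1:]}:"
        names.append(xdb_method(cls, setter, category))
    return names


def search(function_names, text):
    """Plain substring match, standing in for the Functions window search."""
    return [name for name in function_names if text in name]


# Constructed sample: debugger-form names for the UIView methods on this page.
XDB_NAMES = [
    xdb_method("UIView", "beginAnimations:context:", "Animation", class_method=True),
    xdb_method("UIView", "drawRect:", "Rendering"),
    xdb_method("UIView", "initWithFrame:"),
    xdb_method("UIView", "removeFromSuperview", "Hierarchy"),
    *property_accessors("UIView", "frame", "Geometry"),
]
IDA_NAMES = [xdb_to_ida(name) for name in XDB_NAMES]

if __name__ == "__main__":
    for xdb, ida in zip(XDB_NAMES, IDA_NAMES):
        print(f"{xdb:46} -> {ida}")
    # '+' and '-' both become '_', so the mapping is not reversible
    # (Foo/bar is a constructed name):
    print(xdb_to_ida("+[Foo bar]") == xdb_to_ida("-[Foo bar]"))
```

Because `+` and `-` both turn into an underscore, a class method and an instance method with the same class and selector produce the same string under this rule, so a search hit is worth confirming against the disassembly.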
C++ function representation:
The IDA format is similar to that of xDB, so the two are not listed separately. Basic format:
    namespace name::class name::function name(parameter type, parameter type, ...)
Functions in the default namespace do not have the leading name and its two colons. C functions do not have class names. Some C functions actually take parameters, but these are not displayed in IDA.
The rules I have observed, listed as completely as I can:
- The return value is omitted.
- If there are no parameters, the function is written as function name(void).
- A pointer parameter is written as type + space + *, and a reference parameter as type + space + &.
- The const of a const parameter is separated by a space and placed before the * or &.
- The const of a const function is omitted.
- A typedef'd parameter type is shown expanded. For example, CFDictionaryRef becomes __CFDictionary const *.
- Parameter types also carry their namespace name.
Some function examples:
    WebCore::loaderRunLoop(void)
    WebCore::runLoaderThread(void *)
    WebCore::CustomEvent::~CustomEvent()
    WebCore::CustomEvent::initCustomEvent(WTF::AtomicString const &, bool, bool, WebCore::ScriptValue)
    WebCore::LegacyWebArchive::createResource(__CFDictionary const *)
    _WKViewAddSubview
Now that you know the rules for how function names are represented, you can search for the function you want to look at.
Activate the Functions window (click a row to give the window focus), then choose Search > Search... from the top menu, enter the function name and click OK. IDA does a fuzzy search, so you do not need to enter the full name, as long as the characters you enter make the search result unique. When a match is found, IDA jumps to that function; double-click the function to see its disassembly in the window on the right. If there are multiple search results, choose Search > Search again from the top menu to jump to the next one.
The Search shortcut is Alt+T, and the Search again shortcut is Ctrl+T.
In general, it is difficult to determine the actual function name from the Xcode documentation. It is easier to find the function name in xDB first and then search for it in IDA after converting it by the rules above.
When reprinting, please indicate the source: http://blog.csdn.net/hursing