
New project: arm disassembler and decompiler

Hi there,

A new project, again written in Python for study purposes, is taking up my time right now. For now I just want to give you a short preview; I am not releasing the scripts yet. They are at a very early stage, do not cover many cases and only decompile quite simple functions.

The idea for these scripts came to me while searching for a way to decompile apps from iDevices like the iPhone, iPad and iPod. The Hex-Rays Decompiler is not an option for me because of its outrageous pricing. The ARM CPU is quite simple, much simpler than the x86/64 architecture. Implementing the disassembly of the Mach-O files took only about two or three days.

Much more complicated is understanding all the Objective-C machinery: the different sections for non-lazy symbols, lazy symbols, string, class and method references, and so on. That is what I am working on right now: putting the disassembled code into the right order and generating readable C-like code (which does not yet compile out of the box because declarations and external symbols are missing).

Still, the first examples are quite impressive, which keeps me working on it. For testing my scripts I am using the MusicLibrary framework from my iPhone 4 running iOS 5.1.1. This Mach-O dylib contains lots of functions dealing with, who would have guessed, the music library of the device. Below you will see the first function of that library, disassembled and decompiled by j-arm, still missing some things like declarations...


Pure Assembler

disassembling function at 0x10C4 (sub_10C4)
  0x000010C4  PUSH {R4,R7,LR}
  0x000010C6  ADD R7,SP,4
  0x000010C8  SUB SP,SP,8
  0x000010CA  MOV R1,0xD29C
  0x000010CE  MOV R4,R0
  0x000010D0  MOVT R1,0x13
  0x000010D4  MOV R0,0xDD8E
  0x000010D8  MOVT R0,0x13
  0x000010DC  ADD R1,PC
  0x000010DE  ADD R0,PC
  0x000010E0  LDR R1,[R1]
  0x000010E2  LDR R0,[R0]
  0x000010E4  BLX 0xD423C ;absolute label: 0xD5324
  0x000010E8  CMP R0,R4
  0x000010EA  BNE 0x68    ;absolute label: 0x1156
  0x000010EC  MOV R1,0xD4A4
  0x000010F0  MOVT R1,0x13
  0x000010F4  MOV R0,0xDDC2
  0x000010F8  MOVT R0,0x13
  0x000010FC  ADD R1,PC
  0x000010FE  ADD R0,PC
  0x00001100  LDR R1,[R1]
  0x00001102  LDR R0,[R0]
  0x00001104  BLX 0xD421C ;absolute label: 0xD5324
  0x00001108  MOV R1,0xD5EE
  0x0000110C  MOVT R1,0x13
  0x00001110  MOV R4,R0
  0x00001112  MOV R0,0xDDCC
  0x00001116  ADD R1,PC
  0x00001118  MOVT R0,0x13
  0x0000111C  ADD R0,PC
  0x0000111E  LDR R1,[R1]
  0x00001120  LDR R0,[R0]
  0x00001122  BLX 0xD4200 ;absolute label: 0xD5324
  0x00001126  MOV R2,0x74B2
  0x0000112A  MOVT R2,0x13
  0x0000112E  MOV R1,0xD5CC
  0x00001132  ADD R2,PC
  0x00001134  MOVT R1,0x13
  0x00001138  MOV R3,0x4224
  0x0000113C  ADD R1,PC
  0x0000113E  LDR R2,[R2]
  0x00001140  MOVT R3,0x14
  0x00001144  ADD R3,PC
  0x00001146  LDR R1,[R1]
  0x00001148  STMEA SP,{R0,R3}
  0x0000114C  MOV R0,R4
  0x0000114E  MOVS R3,0
  0x00001150  LDR R2,[R2]
  0x00001152  BLX 0xD41D0 ;absolute label: 0xD5324
  0x00001156  ADD SP,SP,8
  0x00001158  POP {R4,R7,PC}

Decompiled Function

void +[ML3MusicLibrary initialize](arg_R0) {
  retval_R0_0 = _objc_msgSend(ML3MusicLibrary,"class");
  if (retval_R0_0 == arg_R0) {
    goto loc_1156;
  retval_R0_1 = _objc_msgSend(_OBJC_CLASS_$_NSNotificationCenter,"defaultCenter");
  retval_R0_2 = _objc_msgSend(_OBJC_CLASS_$_NSOperationQueue,"mainQueue");
  var_000 = retval_R0_2;
  var_004 = &__NSConcreteGlobalBlock;