j-arm

New project: arm disassembler and decompiler

Hi there,

a new project, again written in python for better study purpose, covers my time right now. Right now I just want to give you a short preview - not releasing the scripts so far. The scripts are in a very young stadium, not covering many cases and just decompiling quite simple functions.

The idea for writing these scripts came upon me while searching for a way to decompile apps from idevices like iphone, ipad and ipod. HexRays Decompiler is no option for me since its outragious pricing. The ARM cpu is quite simple, much more simple than x86/64 stuff. Implementing the disassembly of the mach-o files just took about two or three days.

Much more complicated is understanding all that objective-c stuff, the different sections with non-lazy symbols, lazy symbols, string-, class-, and method-references and so on. So thats what I am working on right now - putting the disassembled stuff into the right order, generating readable c-like code (which does not yet compile out of the box for missing declarations and missing external symbols).

Still the first examples are quite impressive, which makes me keeping up the work. For testing my scripts I am using the MusicLibrary framework from my iphone 4, iOS 5.1.1. This mach-o dylib contains lots of functions dealing with the - who would have guessed - music library of the device. In the following you will see the first function of that library, decompiled by j-arm, still missing some stuff like declarations...

Examples

Pure Assembler	Decompiled Function
disassembling function at 0x10C4 (sub_10C4) 0x000010C4 PUSH {R4,R7,LR} 0x000010C6 ADD R7,SP,4 0x000010C8 SUB SP,SP,8 0x000010CA MOV R1,0xD29C 0x000010CE MOV R4,R0 0x000010D0 MOVT R1,0x13 0x000010D4 MOV R0,0xDD8E 0x000010D8 MOVT R0,0x13 0x000010DC ADD R1,PC 0x000010DE ADD R0,PC 0x000010E0 LDR R1,[R1] 0x000010E2 LDR R0,[R0] 0x000010E4 BLX 0xD423C ;absolute label: 0xD5324 0x000010E8 CMP R0,R4 0x000010EA BNE 0x68 ;absolute label: 0x1156 0x000010EC MOV R1,0xD4A4 0x000010F0 MOVT R1,0x13 0x000010F4 MOV R0,0xDDC2 0x000010F8 MOVT R0,0x13 0x000010FC ADD R1,PC 0x000010FE ADD R0,PC 0x00001100 LDR R1,[R1] 0x00001102 LDR R0,[R0] 0x00001104 BLX 0xD421C ;absolute label: 0xD5324 0x00001108 MOV R1,0xD5EE 0x0000110C MOVT R1,0x13 0x00001110 MOV R4,R0 0x00001112 MOV R0,0xDDCC 0x00001116 ADD R1,PC 0x00001118 MOVT R0,0x13 0x0000111C ADD R0,PC 0x0000111E LDR R1,[R1] 0x00001120 LDR R0,[R0] 0x00001122 BLX 0xD4200 ;absolute label: 0xD5324 0x00001126 MOV R2,0x74B2 0x0000112A MOVT R2,0x13 0x0000112E MOV R1,0xD5CC 0x00001132 ADD R2,PC 0x00001134 MOVT R1,0x13 0x00001138 MOV R3,0x4224 0x0000113C ADD R1,PC 0x0000113E LDR R2,[R2] 0x00001140 MOVT R3,0x14 0x00001144 ADD R3,PC 0x00001146 LDR R1,[R1] 0x00001148 STMEA SP,{R0,R3} 0x0000114C MOV R0,R4 0x0000114E MOVS R3,0 0x00001150 LDR R2,[R2] 0x00001152 BLX 0xD41D0 ;absolute label: 0xD5324 0x00001156 ADD SP,SP,8 0x00001158 POP {R4,R7,PC}	void +[ML3MusicLibrary initialize](arg_R0) { retval_R0_0 = _objc_msgSend(ML3MusicLibrary,"class"); if (retval_R0_0 == arg_R0) { goto loc_1156; } retval_R0_1 = _objc_msgSend(_OBJC_CLASS_$_NSNotificationCenter,"defaultCenter"); retval_R0_2 = _objc_msgSend(_OBJC_CLASS_$_NSOperationQueue,"mainQueue"); var_000 = retval_R0_2; var_004 = &__NSConcreteGlobalBlock; _objc_msgSend(retval_R0_1,"addObserverForName:object:queue:usingBlock:",\ MLDebugLoggingOptionsDidChangeNotification,0); loc_1156: }

Pure Assembler

Decompiled Function

disassembling function at 0x10C4 (sub_10C4)
  0x000010C4  PUSH {R4,R7,LR}
  0x000010C6  ADD R7,SP,4
  0x000010C8  SUB SP,SP,8
  0x000010CA  MOV R1,0xD29C
  0x000010CE  MOV R4,R0
  0x000010D0  MOVT R1,0x13
  0x000010D4  MOV R0,0xDD8E
  0x000010D8  MOVT R0,0x13
  0x000010DC  ADD R1,PC
  0x000010DE  ADD R0,PC
  0x000010E0  LDR R1,[R1]
  0x000010E2  LDR R0,[R0]
  0x000010E4  BLX 0xD423C ;absolute label: 0xD5324
  0x000010E8  CMP R0,R4
  0x000010EA  BNE 0x68    ;absolute label: 0x1156
  0x000010EC  MOV R1,0xD4A4
  0x000010F0  MOVT R1,0x13
  0x000010F4  MOV R0,0xDDC2
  0x000010F8  MOVT R0,0x13
  0x000010FC  ADD R1,PC
  0x000010FE  ADD R0,PC
  0x00001100  LDR R1,[R1]
  0x00001102  LDR R0,[R0]
  0x00001104  BLX 0xD421C ;absolute label: 0xD5324
  0x00001108  MOV R1,0xD5EE
  0x0000110C  MOVT R1,0x13
  0x00001110  MOV R4,R0
  0x00001112  MOV R0,0xDDCC
  0x00001116  ADD R1,PC
  0x00001118  MOVT R0,0x13
  0x0000111C  ADD R0,PC
  0x0000111E  LDR R1,[R1]
  0x00001120  LDR R0,[R0]
  0x00001122  BLX 0xD4200 ;absolute label: 0xD5324
  0x00001126  MOV R2,0x74B2
  0x0000112A  MOVT R2,0x13
  0x0000112E  MOV R1,0xD5CC
  0x00001132  ADD R2,PC
  0x00001134  MOVT R1,0x13
  0x00001138  MOV R3,0x4224
  0x0000113C  ADD R1,PC
  0x0000113E  LDR R2,[R2]
  0x00001140  MOVT R3,0x14
  0x00001144  ADD R3,PC
  0x00001146  LDR R1,[R1]
  0x00001148  STMEA SP,{R0,R3}
  0x0000114C  MOV R0,R4
  0x0000114E  MOVS R3,0
  0x00001150  LDR R2,[R2]
  0x00001152  BLX 0xD41D0 ;absolute label: 0xD5324
  0x00001156  ADD SP,SP,8
  0x00001158  POP {R4,R7,PC}

void +[ML3MusicLibrary initialize](arg_R0) {
  retval_R0_0 = _objc_msgSend(ML3MusicLibrary,"class");
  if (retval_R0_0 == arg_R0) {
    goto loc_1156;
  }
  retval_R0_1 = _objc_msgSend(_OBJC_CLASS_$_NSNotificationCenter,"defaultCenter");
  retval_R0_2 = _objc_msgSend(_OBJC_CLASS_$_NSOperationQueue,"mainQueue");
  var_000 = retval_R0_2;
  var_004 = &__NSConcreteGlobalBlock;
  _objc_msgSend(retval_R0_1,"addObserverForName:object:queue:usingBlock:",\
                MLDebugLoggingOptionsDidChangeNotification,0);
loc_1156:
}