Fast reverse engineering: quick function name?

Question

Fast reverse engineering: quick function name?

I have a question about the rule name of a quick function. When I tried to analyze the iOS application in IDA Pro (perhaps OS X is the same case) written in swift, for example swift-2048, I got the function name as follows:

EXPORT __TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_ __text:00022FAC __TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_ ... __text:00022FCC __TToFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_

The first and second name of the function looks very similar. Only one difference is “TFC” and “TToFC”. What else? I noticed that the sub function is different:

 __text:00022FAC EXPORT __TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_ __text:00022FAC __TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_ __text:00022FAC ; DATA XREF: __objc_data:0004A51Co __text:00022FAC STMFD SP!, {R4,R7,LR} __text:00022FB0 MOV R4, R0 __text:00022FB4 MOV R0, R1 __text:00022FB8 ADD R7, SP, #4 __text:00022FBC BL _objc_release __text:00022FC0 MOV R0, R4 __text:00022FC4 LDMFD SP!, {R4,R7,LR} __text:00022FC8 B _objc_release __text:00022FC8 ; End of function __TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_ __text:00022FC8 __text:00022FCC __text:00022FCC ; =============== SUBROUTINE ======================================= __text:00022FCC __text:00022FCC __text:00022FCC __TToFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_ __text:00022FCC ; DATA XREF: __objc_const:00049A28o __text:00022FCC BX LR __text:00022FCC ; End of function __TToFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_

But some of them are very similar:

 __text:000230B4 EXPORT __TFC10swift_204811AppDelegatecfMS0_FT_S0_ __text:000230B4 __TFC10swift_204811AppDelegatecfMS0_FT_S0_ __text:000230B4 ; DATA XREF: __objc_data:0004A530o __text:000230B4 __text:000230B4 var_10 = -0x10 __text:000230B4 var_C = -0xC __text:000230B4 __text:000230B4 STMFD SP!, {R7,LR} __text:000230B8 MOV R7, SP __text:000230BC SUB SP, SP, #8 __text:000230C0 MOV R1, #(:lower16:(__TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_ - 0x230D4)) __text:000230C4 MOV R2, #0 __text:000230C8 MOVT R1, #(:upper16:(__TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_ - 0x230D4)) __text:000230CC LDR R1, [PC,R1] ; __TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_ __text:000230D0 STR R2, [R0,R1] __text:000230D4 STR R0, [SP,#0x10+var_10] __text:000230D8 MOV R0, #(__TMdC10swift_204811AppDelegate - 0x230E8) __text:000230E0 ADD R0, PC, R0 ; __TMdC10swift_204811AppDelegate __text:000230E4 ADD R0, R0, #8 __text:000230E8 STR R0, [SP,#0x10+var_C] __text:000230EC MOV R1, #(:lower16:(selRef_init - 0x23100)) __text:000230F0 MOV R0, SP __text:000230F4 MOVT R1, #(:upper16:(selRef_init - 0x23100)) __text:000230F8 LDR R1, [PC,R1] ; selRef_init ; "init" __text:000230FC BL _objc_msgSendSuper2 __text:00023100 MOV SP, R7 __text:00023104 LDMFD SP!, {R7,PC} __text:00023104 ; End of function __TFC10swift_204811AppDelegatecfMS0_FT_S0_ __text:00023104 __text:00023108 __text:00023108 ; =============== SUBROUTINE ======================================= __text:00023108 __text:00023108 __text:00023108 __TToFC10swift_204811AppDelegatecfMS0_FT_S0_ __text:00023108 ; DATA XREF: __objc_const:00049A64o __text:00023108 __text:00023108 var_10 = -0x10 __text:00023108 var_C = -0xC __text:00023108 __text:00023108 STMFD SP!, {R7,LR} __text:0002310C MOV R7, SP __text:00023110 SUB SP, SP, #8 __text:00023114 MOV R1, #(:lower16:(__TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_ - 0x23128)) __text:00023118 MOV R2, #0 __text:0002311C MOVT R1, #(:upper16:(__TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_ - 0x23128)) __text:00023120 LDR R1, [PC,R1] ; __TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_ __text:00023124 STR R2, [R0,R1] __text:00023128 STR R0, [SP,#0x10+var_10] __text:0002312C MOV R0, #(__TMdC10swift_204811AppDelegate - 0x2313C) __text:00023134 ADD R0, PC, R0 ; __TMdC10swift_204811AppDelegate __text:00023138 ADD R0, R0, #8 __text:0002313C STR R0, [SP,#0x10+var_C] __text:00023140 MOV R1, #(:lower16:(selRef_init - 0x23154)) __text:00023144 MOV R0, SP __text:00023148 MOVT R1, #(:upper16:(selRef_init - 0x23154)) __text:0002314C LDR R1, [PC,R1] ; selRef_init ; "init" __text:00023150 BL _objc_msgSendSuper2 __text:00023154 MOV SP, R7 __text:00023158 LDMFD SP!, {R7,PC} __text:00023158 ; End of function __TToFC10swift_204811AppDelegatecfMS0_FT_S0_

+8

ios swift reverse-engineering

Kevin lee Jun 18 '14 at 10:57

source share

2 answers

Anil varghese · Answer 1 · 2014-06-18T11:26:46+0000

Swift uses Name Mangling to denote methods, classes ..... I came across this article , which describes quick name distortion. A section on mangling is shown below.

Name is Mangling

Swift stores metadata about functions (and more) in its corresponding characters, called mangling. This metadata includes the function name (obviously), attributes, module name, argument types, return type, etc. Take this for example:

 class Shape{ func numberOfSides() -> Int { return 5 } }

The changed simpleDescription method name is _TFC9swifttest5Shape17simpleDescriptionfS0_FT_Si .

Here is the decay:

_T is the prefix for all Swift characters. It will all begin with this.
F is a function.
C - Class Function. (Method)
9swifttest - the name of the module with a length prefix.
5Shape is the name of the class to which the function belongs, again with a length prefix.
17simpleDescription - The name of the function.
f is the attribute of the function. In this case, its f, which is just a normal function. Let's go to this in a minute.
S0_FT - I don’t know exactly what this means, but it looks like it means the beginning of the arguments and the type of the return value.
'_ - This underscore separates argument types from return types. Since the function takes no arguments, it occurs immediately after S0_FT.
S is the beginning of the return type. "S" means Swift; return type - Swift type built-in. The following character identifies the type.
i is the built-in type of Swift. Lowercase letter I, which stands for Int.

Excerpt from: Inside Swift

it looks like the actual link is broken, find the mirror here

connor · Answer 2 · 2014-06-22T22:27:16+0000

Using the swift-demangle command line tool, you can see the difference between the two functions.

 _TToFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_ ---> @objc swift_2048.AppDelegate.applicationWillResignActive (swift_2048.AppDelegate)(ObjectiveC.UIApplication) -> () _TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_ ---> swift_2048.AppDelegate.applicationWillResignActive (swift_2048.AppDelegate)(ObjectiveC.UIApplication) -> ()

_T prefix of all quick functions, and it looks like To matches a function that has the @objc attribute.

Unfortunately, I do not have enough knowledge about the built-in quick and objective-c operations to tell you what each of these functions does. I find it safe to consider it part of objective-c a fast bridge process.

Fast reverse engineering: quick function name?

Name is Mangling

More articles: