Swift Reverse Engineering | Digging into Objects


Overview

I have absolutely zero experience reverse engineering Swift binaries, so this post begins my personal exploration, and maybe yours as well, into the internals of the Swift language and how to make sense of things down in its disassembled world.

Swift Objects

I created a simple Swift iOS application to begin our focus (the original listing was missing its import and the closing braces of viewDidLoad and ViewController, which are restored here):

import UIKit

// A minimal class with two stored properties; this is the object we
// will go looking for inside the compiled Mach-O binary.
class myClass {

    var var1 : String
    var var2 : Int

    init(var1: String, var2 : Int) {
        self.var1 = var1
        self.var2 = var2
    }
}


class ViewController: UIViewController {

    override func viewDidLoad() {
        super.viewDidLoad()

        // Instantiate the class and print both instance variables
        let mc = myClass(var1: "rotlogix", var2: 100)
        print(mc.var1)
        print(mc.var2)
    }
}

As you can see, we have a very simple class, myClass, with two instance variables, var1 and var2. We initialize the class and print the values of its instance variables.

After some Google perusing, I found the following article, which gives a solid breakdown of Swift's objects.

Inside of the __objc_classlist section within the __DATA segment of a Mach-O binary are the entries for each class inside of the binary. We can observe this structure easily using otool with the following command:

otool -s __DATA __objc_classlist <Target_Executable>  
  • -s indicates we want to dump a section of the binary
  • __DATA is the target segment
  • __objc_classlist is the target section

This is not entirely helpful on its own, since otool only dumps raw bytes, and we would probably like to understand more about the class entries. Let's use Hopper to assist us with this process.

There are three entries inside of the __objc_classlist structure, and we can see that the first entry appears to be our class:

__TtC17SwiftClassExample7myClass  

Demangling

What we are seeing here is Swift's way of encoding metadata about the object into its symbol name, referred to as "mangling". Let's manually "demangle" this object:

  • _T is the prefix for all Swift symbols (the extra leading underscore shown by Hopper is the usual Mach-O convention for C-level symbol names, which is why the swift-demangle command below is given _TtC... rather than __TtC...)
  • t might be referring to a type (Correct me if I am wrong)
  • C indicates the type is a class
  • 17SwiftClassExample is the module name, prefixed with its length (17 characters)
  • 7myClass is the class name, prefixed with its length (7 characters)
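To make the length-prefixed layout concrete, here is a small demangler for this one form of symbol (prefix, 't', 'C', then the module and class names each preceded by their character count). It is an added example and not part of the original post; the function names are my own, and it handles only the plain _TtC<module><class> shape shown above, with or without the extra Mach-O underscore.

```python
import re

SWIFT_PREFIX = "_T"        # global prefix of every (pre-Swift 4) mangled symbol
OBJC_CLASS_MARKER = "tC"   # 't' = standalone type, 'C' = class


def _read_identifier(s, pos):
    """Read one length-prefixed identifier such as '7myClass' starting at pos.

    Returns (identifier, position just after it).
    """
    m = re.match(r"\d+", s[pos:])
    if not m:
        raise ValueError(f"expected a length prefix at offset {pos} in {s!r}")
    length = int(m.group(0))
    start = pos + m.end()
    end = start + length
    if end > len(s):
        raise ValueError(f"length {length} at offset {pos} runs past the end of {s!r}")
    return s[start:end], end


def demangle_objc_class_name(symbol):
    """Turn '_TtC17SwiftClassExample7myClass' into 'SwiftClassExample.myClass'.

    A leading '__T' (the Mach-O symbol-table form) is accepted as well.
    """
    s = symbol[1:] if symbol.startswith("__T") else symbol
    header = SWIFT_PREFIX + OBJC_CLASS_MARKER
    if not s.startswith(header):
        raise ValueError(f"not a mangled Swift Objective-C class name: {symbol!r}")
    module, pos = _read_identifier(s, len(header))
    klass, pos = _read_identifier(s, pos)
    if pos != len(s):
        raise ValueError(f"unexpected trailing characters {s[pos:]!r} in {symbol!r}")
    return f"{module}.{klass}"


def mangle_objc_class_name(module, klass):
    """Inverse of the above: build the mangled symbol from module and class names."""
    return f"{SWIFT_PREFIX}{OBJC_CLASS_MARKER}{len(module)}{module}{len(klass)}{klass}"


if __name__ == "__main__":
    # The symbol taken from Hopper's __objc_classlist view above
    print(demangle_objc_class_name("__TtC17SwiftClassExample7myClass"))
```

The length check matters in practice: a symbol whose count does not match the characters that follow is either corrupted or not the form assumed here, and the function refuses it instead of guessing.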

Now, we could always choose to perform the manual "demangling" step when trying to understand the entries within the __objc_classlist, or we could use a command-line tool that ships with Xcode called swift-demangle.

xcrun swift-demangle --compact _TtC17SwiftClassExample7myClass  
SwiftClassExample.myClass  

The output of swift-demangle gives us the exact representation of the class the way it was defined in our source code. Hopper will also display the same information about the object inside of the __objc_data section.

This gives us two different and effective options for automatically "demangling" a Swift object.

Conclusion

Hopefully this provided some understanding of how to begin statically analyzing Swift object structures and some of their internals.