Swift Reversing by Ryan Stortz
1 like484 views
The document presents an overview of Swift programming language, covering its features such as closures, generics, and error handling, as well as its methodology for toolchain and interoperability with Objective-C. It examines questions regarding Swift's native types, class instantiation, and calling conventions, alongside detailing its automatic reference counting and virtual function calls. Additionally, it addresses tools for code demangling and provides insight into the Swift compiler architecture.
![swi$-demangle
echo
__TFeRq_Ss14CollectionTypezqq_S_9GeneratorGVSs17IndexingGeneratorq__zqq_Ss9Indexabl
8_Elementqqq_S_9GeneratorSs13GeneratorType7Element_SsS_8generateuRq_S_zqq_S_9Genera
orGS0_q__zqq_S1_8_Elementqqq_S_9GeneratorS2_7Element_fq_FT_GS0_q__' | xcrun swift-
emangle
ext.Swift.Swift.CollectionType<A where A: Swift.CollectionType, A.Generator ==
wift.IndexingGenerator<A>, A._Element == A.Generator.Element>.generate <A where A:
wift.CollectionType, A.Generator == Swift.IndexingGenerator<A>, A._Element ==
.Generator.Element> (A)() -> Swift.IndexingGenerator<A>
echo
_TTSf4n_d___TTSg5C11CommandLine6Option___TZFSa28_allocateBufferUninitializedurfMGSa
__FSiGVSs12_ArrayBufferq__' | xcrun swift-demangle
unction signature specialization <Arg[1] = Dead> of generic specialization
CommandLine.Option> of static Swift.Array._allocateBufferUninitialized <A>
[A].Type)(Swift.Int) -> Swift._ArrayBuffer<A>
2](https://image.slidesharecdn.com/swiftreversing-ryanstortz-160801194901/85/Swift-Reversing-by-Ryan-Stortz-24-320.jpg)
![0000`00000002 00 00000000`00000000 01
alue = 2 ] [Op] [ Value = nil ] [Op]
case .Some(2):
let train = Train()
train.makeNoise()
case .Some(3):
let car = Car()
print(car.description)
default:
print("Invalid choice!")
}
read
pose Registers:
= 0x0000000000000002
= 0x0000000000000000
= 0x0000000000000002
= 0x0000000000000002
= 0x0000000100702b80
= 0x000000000000000a
= 0x00007fff5fbff9b0
= 0x00007fff5fbff840
= 0x0000000000000000
= 0x0000000000000000
= 0x00000001002ad201
= 0x00000001000dfcc0
= 0x0000000000000000
= 0x0000000000000000
= 0x0000000000000000
= 0x0000000000000000
= 0x000000010000148e classes`classes.main () -> () + 446 at
ft:50
= 0x0000000000000297
cs = 0x000000000000002b
fs = 0x0000000000000000
gs = 0x0000000000000000
(lldb) x/8i $pc
-> 0x10000148e: 48 39 d1 cmpq %rdx, %rcx
0x100001491: 75 40 jne 0x1000014d3
0x100001493: e8 e8 02 00 00 callq 0x100001780
0x100001498: 48 89 c7 movq %rax, %rdi
0x10000149b: e8 b0 fb ff ff callq 0x100001050
0x1000014a0: 48 89 45 b0 movq %rax, -0x50(%rb
0x1000014a4: 48 8b 38 movq (%rax), %rdi
0x1000014a7: 48 89 bd 20 ff ff ff movq %rdi, -0xe0(%rb
(lldb) x/40xg $rbp-0x28
0x7fff5fbff988: 0x0000000000000002 0x0000000000000300
3](https://image.slidesharecdn.com/swiftreversing-ryanstortz-160801194901/85/Swift-Reversing-by-Ryan-Stortz-31-320.jpg)
Swift Reversing by Ryan Stortz
- 5. Swi$ Language Safe, fast, and expressive Closures and first-class func:ons Tuples and mul:ple return values Generics Fast and concise itera:on over a range or collec:on Structs that support methods, extensions, and protocols Func:onal programming paNerns, e.g., map and filter Powerful error handling built-in Advanced control flow with do, guard, defer, and repeat keywords
- 10. 1
- 11. 1
- 12. 1
- 13. 1
- 14. Methodology 1
- 15. Mo0va0on Applica:on Penetra:on Tes:ng Exploit Development Re-implementa:on Interoperability Build Character 1
- 16. Ini0al Ques0ons Toolchain • What tools are available now? Language Core • Is it message based like Objec:ve-C or does it look more like C/C++? • Is it lazy like Haskell? • What na:ve types are available? • Which storage backs which types of variables? • What does class instan:a:on look like? • How are Op:onals unwrapped? ABI • How does Swi5 bridge into Objec:ve-C? • How does it represent virtual method calls under the hood? • How are classes and structures laid out in memory? • What is the Swi5 calling conven:on? 1
- 18. 1
- 19. 1
- 21. 2
- 22. Toolchain swi5c • The compiler swi5 • The compiler REPL swi5-demangle • A name demangler 2
- 23. 2
- 24. swi$-demangle echo __TFeRq_Ss14CollectionTypezqq_S_9GeneratorGVSs17IndexingGeneratorq__zqq_Ss9Indexabl 8_Elementqqq_S_9GeneratorSs13GeneratorType7Element_SsS_8generateuRq_S_zqq_S_9Genera orGS0_q__zqq_S1_8_Elementqqq_S_9GeneratorS2_7Element_fq_FT_GS0_q__' | xcrun swift- emangle ext.Swift.Swift.CollectionType<A where A: Swift.CollectionType, A.Generator == wift.IndexingGenerator<A>, A._Element == A.Generator.Element>.generate <A where A: wift.CollectionType, A.Generator == Swift.IndexingGenerator<A>, A._Element == .Generator.Element> (A)() -> Swift.IndexingGenerator<A> echo _TTSf4n_d___TTSg5C11CommandLine6Option___TZFSa28_allocateBufferUninitializedurfMGSa __FSiGVSs12_ArrayBufferq__' | xcrun swift-demangle unction signature specialization <Arg[1] = Dead> of generic specialization CommandLine.Option> of static Swift.Array._allocateBufferUninitialized <A> [A].Type)(Swift.Int) -> Swift._ArrayBuffer<A> 2
- 25. 4CollectionTypezqq_S_9GeneratorGVSs17In torq__zqq_Ss9Indexable8_Elementqqq_S_9G GeneratorType7Element_SsS_8generateuRq_ eratorGS0_q__zqq_S1_8_Elementqqq_S_9Gen ement_fq_FT_GS0_q__' | xcrun swift- pand Typezqq_S_9GeneratorGVSs17IndexingGeneratorq__zqq_Ss9Indexable8_ orSs13GeneratorType7Element_SsS_8generateuRq_S_zqq_S_9GeneratorG tqqq_S_9GeneratorS2_7Element_fq_FT_GS0_q__ xt="Swift" text="Swift" er, text="CollectionType" enericSignature tGenericParamCount, index=1 tGenericConformanceRequirement ndentGenericParamType, text="A" dex, index=0 dex, index=0 ocol dule, text="Swift" entifier, text="CollectionType" tGenericSameTypeRequirement ndentMemberType, text="Generator" pe DependentGenericParamType, text="A" d=Index, index=0 d=Index, index=0 pe Protocol d=Module, text="Swift" d=Identifier, text="CollectionType" dGenericStructure pe Structure d=Module, text="Swift" d=Identifier, text="IndexingGenerator" peList Type d=DependentGenericParamType, text="A" ind=Index, index=0 ind=Index, index=0 tGenericSameTypeRequirement ndentMemberType, text="_Element" kind=Type kind=DependentGenericParamType, text="A" kind=Index, index=0 kind=Index, index=0 kind=Type kind=Protocol kind=Module, text="Swift" kind=Identifier, text="Indexable" kind=Type kind=DependentMemberType, text="Element" kind=Type kind=DependentMemberType, text="Generator" kind=Type kind=DependentGenericParamType, text="A" kind=Index, index=0 kind=Index, index=0 kind=Type kind=Protocol kind=Module, text="Swift" kind=Identifier, text="CollectionType" kind=Type kind=Protocol kind=Module, text="Swift" kind=Identifier, text="GeneratorType" kind=Identifier, text="generate" kind=Type kind=DependentGenericType kind=DependentGenericSignature kind=DependentGenericParamCount, index=1 kind=DependentGenericConformanceRequirement kind=Type kind=DependentGenericParamType, text="A" kind=Index, index=0 kind=Index, index=0 kind=Type kind=Protocol kind=Module, text="Swift" kind=Identifier, text="CollectionType" kind=DependentGenericSameTypeRequirement kind=Type kind=DependentMemberType, text="Generator" kind=Type kind=DependentGenericParamType, text="A" kind=Index, index=0 kind=Index, index=0 kind=Type kind=Protocol kind=Module, text="Swift" kind=Identifier, text="CollectionType" kind=Type kind=BoundGenericStructure kind=Type kind=Structure kind=Module, text="Swift" kind=Identifier, text="IndexingGenerator" kind=TypeList kind=Type kind=DependentGenericParamType, text="A" kind=Index, index=0 kind=Index, index=0 kind=DependentGenericSameTypeRequirement kind=Type kind=DependentMemberType, text="_Element" kind=Type kind=DependentGenericParamType, text="A" kind=Index, index=0 kind=Index, index=0 kind=Type kind=Protocol kind=Module, text="Swift" kind=Identifier, text="Indexable" kind=Type kind=DependentMemberType, text="Element" kind=Type kind=DependentMemberType, text="Generator" kind=Type kind=DependentGenericParamType, text="A" kind=Index, index=0 kind=Index, index=0 kind=Type kind=Protocol kind=Module, text="Swift" kind=Identifier, text="CollectionType" kind=Type kind=Protocol kind=Module, text="Swift" kind=Identifier, text="GeneratorType" kind=Type kind=UncurriedFunctionType kind=ArgumentTuple kind=Type kind=DependentGenericParamType, text="A" kind=Index, index=0 kind=Index, index=0 kind=ReturnType kind=Type kind=FunctionType kind=ArgumentTuple kind=Type kind=NonVariadicTuple kind=ReturnType kind=Type kind=BoundGenericStructure kind=Type kind=Structure kind=Module, text="Swift" kind=Identifier, text="IndexingGener kind=TypeList kind=Type kind=DependentGenericParamType, text kind=Index, index=0 kind=Index, index=0 ext.Swift.Swift.CollectionType<A where A: Swift. A.Generator == Swift.IndexingGenerator<A>, A._El A.Generator.Element>.generate <A where A: Swift. A.Generator == Swift.IndexingGenerator<A>, A._El A.Generator.Element> (A)() -> Swift.IndexingGene 2
- 26. Ini0al Ques0ons: Revisited (Toolchain) Toolchain • What tools are available now? 2 swi5-demangle
- 28. Language Core Na:ve types • String, Bool, Int, Int8, Int16, Int32, Int64, UInt, UInt8, UInt16, UInt32, UInt64, Float, Float80, Double • No tagged pointers in Swi5 (but will be in the Objc bridges) Control Flow Op:onals Class Instan:a:on 2
- 31. 0000`00000002 00 00000000`00000000 01 alue = 2 ] [Op] [ Value = nil ] [Op] case .Some(2): let train = Train() train.makeNoise() case .Some(3): let car = Car() print(car.description) default: print("Invalid choice!") } read pose Registers: = 0x0000000000000002 = 0x0000000000000000 = 0x0000000000000002 = 0x0000000000000002 = 0x0000000100702b80 = 0x000000000000000a = 0x00007fff5fbff9b0 = 0x00007fff5fbff840 = 0x0000000000000000 = 0x0000000000000000 = 0x00000001002ad201 = 0x00000001000dfcc0 = 0x0000000000000000 = 0x0000000000000000 = 0x0000000000000000 = 0x0000000000000000 = 0x000000010000148e classes`classes.main () -> () + 446 at ft:50 = 0x0000000000000297 cs = 0x000000000000002b fs = 0x0000000000000000 gs = 0x0000000000000000 (lldb) x/8i $pc -> 0x10000148e: 48 39 d1 cmpq %rdx, %rcx 0x100001491: 75 40 jne 0x1000014d3 0x100001493: e8 e8 02 00 00 callq 0x100001780 0x100001498: 48 89 c7 movq %rax, %rdi 0x10000149b: e8 b0 fb ff ff callq 0x100001050 0x1000014a0: 48 89 45 b0 movq %rax, -0x50(%rb 0x1000014a4: 48 8b 38 movq (%rax), %rdi 0x1000014a7: 48 89 bd 20 ff ff ff movq %rdi, -0xe0(%rb (lldb) x/40xg $rbp-0x28 0x7fff5fbff988: 0x0000000000000002 0x0000000000000300 3
- 32. 3
- 33. Dynamic Alloca0on and Class Instan0a0on RefCounted *swift_allocObject(Metadata *type, size_t size, size_t alignMask); 3
- 34. 3
- 35. 3
- 36. Ini0al Ques0ons: Revisited (Language Core) Language Core • Is it message based like Objec:ve-C or does it look more like C/C++? • Is it lazy like Haskell? • What na:ve types are available? • Which storage backs which types of variables? • What does class instan:a:on look like? • How are Op:onals unwrapped? 3 C++ No, thank God Stack, Heap, depends on life:me Slightly different than C++ With a bitwise AND The usuals
- 37. Swi$ RE: ABI 3
- 38. ABI Objec:ve-C Bridging Virtual func:on calls Ownership rules Calling conven:on 3
- 40. 4
- 42. Ownership and Ownership Rules Swi5 is full ARC • Automa:c Reference Coun:ng • Everything is derived from a few base types, which include the reference counts. Func:ons understand their argument ownership rules • Dead • Guaranteed • Exploded • Guaranteed and Exploded 4
- 43. Calling Conven0on Swi5’s approach: • YOLO • External calls are RAX:RDX:RCX:R8 __swi5call is not supported in HexRays ScaNered return values • Hexrays has a lot of trouble with them :( 4
- 44. 4
- 45. __swi$call Swift::String __usercall __spoils<rax,rdx,rcx,r8> func@<0:rdx, 8:rax, 16:rcx>(void *a1, void *a2) Swift::String *__cdecl func(Swift::String *__return_ptr __struct_ptr retstr, void *a1, void *a2); 4
- 46. Ini0al Ques0ons: Revisited (ABI) ABI • How does Swi5 bridge into Objec:ve-C? • How does it represent virtual method calls under the hood? • How are classes and structures laid out in memory? • What is the Swi5 calling conven:on? 4 Seamlessly Similar to C++ Exactly like Objec:ve-c Yolo
- 47. Tools 4
- 48. swi$.py IDA and HexRays plugin • Rewrites Hex-Rays output to demangle names • Annotates IDA with demangled names • Class body recovery • Type propaga:on (Coming Soon) • Witness table recovery (Coming soon – Hopefully) Demo 4
- 49. Ques0ons? Ryan Stortz Principal Security Researcher at Trail of Bits Previously at Raytheon SIGOVS Contact Informa:on: @withzombies ryan@trailonits.com 4