Skip to main content

Environment Setup

This guide will walk you through setting up a complete iOS reverse engineering environment, from installing Ghidra to configuring the custom scripts from this repository.
Before proceeding, ensure you’ve reviewed the prerequisites and have the necessary background knowledge and software installed.

Installing Ghidra

Ghidra is your primary tool for static analysis of iOS binaries.
1

Install Java

Ghidra requires Java 11 or later.Verify Java installation:
java -version
If Java is not installed, download from Adoptium.net or use your package manager:
brew install openjdk@17
2

Download Ghidra

Download the latest stable release from the official website:Download Ghidra →Extract the archive to your preferred location:
unzip ghidra_*.zip
cd ghidra_*
3

Launch Ghidra

Start Ghidra to verify installation:
./ghidraRun
The Ghidra project window should appear.

Installing Swift Demangler

The Swift Name Demangler script requires Swift to be installed on your system.
Swift comes pre-installed with XcodeIf you have Xcode installed, you already have Swift:
xcrun swift-demangle --version
If not installed, install Xcode Command Line Tools:
xcode-select --install

Getting the Repository Scripts

Clone or download the iOS Reverse Engineering repository to access the Ghidra scripts.
1

Clone the Repository

git clone https://github.com/LaurieWired/iOS_Reverse_Engineering.git
cd iOS_Reverse_Engineering
The repository contains:
  • SwiftNameDemangler.py - Demangles Swift symbols
  • SwizzlingDetector.py - Detects method swizzling
  • ObfuscatedAppExamples/ - Example IPA files
2

Locate Ghidra Scripts Directory

Create or locate your Ghidra scripts directory:Default locations:
  • macOS/Linux: ~/ghidra_scripts/
  • Windows: %USERPROFILE%\ghidra_scripts\
Or set a custom location in Ghidra: Window → Script Manager → Script Directories
3

Copy Scripts to Ghidra

Copy the Python scripts to your Ghidra scripts directory:
cp SwiftNameDemangler.py ~/ghidra_scripts/
cp SwizzlingDetector.py ~/ghidra_scripts/
In Ghidra’s Script Manager, click the refresh button to load the new scripts.

Getting Example IPA Files

The repository includes example iOS applications demonstrating various obfuscation techniques.

NoTampering.ipa

Baseline application without obfuscation. Use this to understand normal iOS binary structure.

ObjectiveSwizzling.ipa

Demonstrates Objective-C method swizzling. Perfect for testing the SwizzlingDetector script.

ControlFlowFlattening.ipa

Shows control flow obfuscation. Useful for understanding advanced obfuscation techniques.
The IPA files are located in the ObfuscatedAppExamples/ directory of the repository.

Extracting and Loading IPA Files

IPA files are essentially ZIP archives containing the iOS application bundle.
1

Extract the IPA

# Create a working directory
mkdir -p ~/ios-re-workspace
cd ~/ios-re-workspace

# Copy an example IPA
cp /path/to/iOS_Reverse_Engineering/ObfuscatedAppExamples/ObjectiveSwizzling.ipa .

# Extract the IPA
unzip ObjectiveSwizzling.ipa -d ObjectiveSwizzling
2

Locate the Mach-O Binary

Navigate to the app bundle and find the executable:
cd ObjectiveSwizzling/Payload/*.app
ls -la
The main executable typically has the same name as the app (without extension).
You can also examine the Info.plist file to find the executable name under the CFBundleExecutable key.
3

Import into Ghidra

In Ghidra:
  1. Create a new project: File → New Project
  2. Select Non-Shared Project and choose a location
  3. Import the binary: File → Import File
  4. Navigate to and select the Mach-O executable
  5. Ghidra will auto-detect the format as Mach-O
  6. Click OK to import with default settings
4

Analyze the Binary

After import, double-click the binary to open the CodeBrowser.Ghidra will prompt you to analyze:
  1. Click Yes when asked to analyze
  2. Keep default analysis options selected
  3. Click Analyze
Analysis may take several minutes for large binaries. Let it complete before running scripts.

Using the Ghidra Scripts

Now that your environment is set up, learn how to use the custom scripts.

Swift Name Demangler

This script automatically renames mangled Swift symbols to human-readable names.
1

Open Script Manager

In Ghidra’s CodeBrowser: Window → Script ManagerOr press Ctrl+Shift+E (Windows/Linux) or Cmd+Shift+E (macOS)
2

Find SwiftNameDemangler.py

Use the filter box to search for “Swift” or browse the script list.The script should appear with:
  • Category: Swift
  • Author: LaurieWired
3

Run the Script

Double-click the script or select it and click the Run button.What it does:
# The script performs two main operations:

# 1. Demangle function names
for func in currentProgram.getFunctionManager().getFunctions(True):
    demangled_name = demangle_swift_name(func.getName())
    cleaned_name = clean_demangled_name(demangled_name)
    
    if cleaned_name != func.getName():
        # Sets new function name and preserves original in comment
        func.setComment("Original: {}\nDemangled: {}".format(
            func.getName(), demangled_name))
        func.setName(cleaned_name, SourceType.USER_DEFINED)

# 2. Demangle labels (symbols)
for symbol in currentProgram.getSymbolTable().getAllSymbols(True):
    if symbol.getSymbolType() == SymbolType.LABEL:
        # Similar demangling process for labels
        ...
4

Review Results

The script outputs progress to the console:
Renaming functions
Original: $s10MyApp4UserC4nameSSvg, New: MyApp.User.name.getter
Original: $s10MyApp4UserC3ageSSvg, New: MyApp.User.age.getter

Renaming labels. May take some time...
Original: $sSS21_builtinStringLiteral..., New: Swift.String._builtinStringLiteral
For large applications, label demangling may take several minutes. The script preserves original mangled names in comments.

Swizzling Detector

This script detects method swizzling by finding references to runtime manipulation functions.
1

Open Script Manager

Window → Script Manager or press Ctrl+Shift+E / Cmd+Shift+E
2

Run SwizzlingDetector.py

Find and double-click the SwizzlingDetector.py script.Detection logic:
# The script searches for these swizzling-related methods:
swizzling_methods = [
    "method_exchangeImplementations",
    "class_getInstanceMethod",
    "class_getClassMethod",
    "method_setImplementation"
]

# Then finds all references to these methods
for swizzling_symbol in swizzling_symbols:
    references = currentProgram.getReferenceManager()
        .getReferencesTo(swizzling_symbol.getAddress())
    
    # Prints location of each reference
    for ref in references:
        print("Address: {}".format(ref.getFromAddress()))
3

Analyze Results

If swizzling is detected:
Swizzling method method_exchangeImplementations located at address 100004a20, with references:
Address: 100003f44
Address: 100004128
Navigate to these addresses in Ghidra to examine the swizzling implementation.If no swizzling found:
No swizzling found
Test this script with ObjectiveSwizzling.ipa from the examples to see it in action.
4

Investigate Swizzling Locations

For each reference address:
  1. Click Navigation → Go To… (or press G)
  2. Enter the address
  3. Examine the surrounding code to understand what methods are being swizzled
Look for patterns like:
  • Original method being stored
  • New implementation being set
  • Reason for the swizzling (logging, modification, etc.)

Workflow Example

Putting it all together with a complete analysis workflow:
1

Extract and Import

# Extract IPA
unzip ObjectiveSwizzling.ipa -d ObjectiveSwizzling
cd ObjectiveSwizzling/Payload/*.app

# Note the executable name
ls -la
Import the executable into a new Ghidra project and run auto-analysis.
2

Demangle Swift Symbols

Run SwiftNameDemangler.py to make the binary more readable.Wait for completion, then browse the function list to see demangled names.
3

Detect Runtime Manipulation

Run SwizzlingDetector.py to find any swizzling.Take note of all reference addresses.
4

Manual Analysis

Navigate to interesting functions:
  • Entry point (main or iOS lifecycle methods)
  • Swizzling implementations
  • Suspicious or obfuscated functions
Use Ghidra’s decompiler to understand the logic.
5

Document Findings

Use Ghidra’s bookmarking and commenting features:
  • Add bookmarks for key locations
  • Write comments explaining complex logic
  • Create function signatures for unknown functions

Troubleshooting

Symptoms: Script fails or doesn’t demangle namesSolutions:
  • Verify Swift is installed: swift-demangle --version (or xcrun swift-demangle --version on macOS)
  • Check the script is using the correct command for your OS
  • On Linux, ensure Swift is in your PATH
  • Try running the demangler manually to test: 
    echo '$s10MyApp4UserC' | swift-demangle
Symptoms: Scripts don’t show in Script ManagerSolutions:
  • Verify scripts are in the correct directory
  • Click the Refresh button in Script Manager
  • Check Window → Script Manager → Script Directories for correct path
  • Ensure scripts have .py extension
Symptoms: Ghidra analysis or scripts run for hoursSolutions:
  • For initial analysis, disable some analyzers if binary is large
  • SwiftNameDemangler can take 10-30 minutes for large apps (this is normal)
  • Increase Ghidra’s memory allocation in ghidraRun or support/launch.properties
  • Close other applications to free up system resources
Symptoms: IPA extracts but can’t find executableSolutions:
  • Check Payload/*.app/Info.plist for CFBundleExecutable value
  • Look for files without extensions in the .app directory
  • Use file command to identify Mach-O files: 
    file Payload/*.app/*
  • The executable is typically the largest file in the app bundle

Next Steps

Explore Example IPAs

Try analyzing all three example applications to practice with different obfuscation techniques

Customize Scripts

Modify the provided scripts to suit your specific analysis needs or create new ones

Check the Wiki

Read detailed guides on iOS reverse engineering techniques and concepts

Join the Community

Follow @lauriewired and contribute to the project on GitHub
Always ensure you have proper authorization before reverse engineering any iOS application. These tools are for educational and security research purposes only.

Build docs developers (and LLMs) love

Get started for freeTalk to us