Skip to main content
Hopper Disassembler is a macOS and Linux reverse engineering tool that excels at analyzing iOS binaries. Its native macOS integration and intuitive interface make it a popular choice for iOS researchers.

Overview

Hopper is a commercial disassembler that offers:
  • Native Mach-O binary support
  • Excellent Objective-C and Swift class extraction
  • Interactive control flow graphs
  • Built-in decompiler (pseudo-code generation)
  • Fast analysis and responsive UI
Hopper is particularly strong for Objective-C analysis and provides a more polished UI experience compared to open-source alternatives.

Features for iOS Analysis

Automatic Class Detection

Hopper automatically detects and organizes Objective-C and Swift classes:
1

Class Browser

The left sidebar displays all detected classes in a hierarchical tree:
  • Objective-C classes with full method lists
  • Swift classes (with mangled names that can be demangled)
  • Protocols and categories
2

Method Navigation

Click any method to navigate directly to its implementation:
@interface LoginViewController : UIViewController
- (void)loginButtonTapped:(id)sender;
- (void)validateCredentials:(NSString *)username password:(NSString *)password;
@end
3

Cross-References

Right-click any method or symbol to see:
  • All references to this method
  • All calls from this method
  • String references

Decompilation

Hopper’s pseudo-code decompiler generates C-like code from assembly: 
_validateCredentials:password:
push    rbp
mov     rbp, rsp
sub     rsp, 0x30
mov     qword [rbp+var_8], rdi
mov     qword [rbp+var_10], rsi
mov     qword [rbp+var_18], rdx
mov     qword [rbp+var_20], rcx

Control Flow Graphs

Visualize program flow with interactive CFGs:
1

Generate CFG

  • Select a function
  • View → Show Control Flow Graph (or Alt+Shift+G)
2

Navigate the Graph

  • Zoom with mouse wheel
  • Click basic blocks to view disassembly
  • Follow branches to understand logic flow
3

Analyze Paths

Identify:
  • Conditional branches (if/else statements)
  • Loops (for, while)
  • Exception handling paths
  • Return points

String Analysis

String Search

View → Strings to see all strings in the binary:
  • API endpoints
  • Encryption keys
  • Error messages
  • Debug strings

String References

Right-click any string to see:
  • Which functions use it
  • How it’s used (passed to function, compared, etc.)

Workflow Tips

Initial Analysis Workflow

1

Import the Binary

unzip YourApp.ipa
cd Payload/YourApp.app/
open -a "Hopper Disassembler" YourApp
2

Configure Analysis Options

When loading the binary:
  1. Select the correct architecture (arm64 for modern iOS)
  2. Enable “Objective-C” analysis
  3. Enable “Swift” if the app uses Swift
  4. Click “OK” to start analysis
3

Wait for Analysis

Hopper will:
  • Parse the Mach-O structure
  • Identify functions and entry points
  • Extract Objective-C classes and methods
  • Generate cross-references
Initial analysis typically takes 1-5 minutes depending on binary size.
4

Begin Investigation

Start with high-value targets:
  • Interesting class names (Auth, Login, Crypto, etc.)
  • String references to API endpoints
  • Entrypoints and initialization methods

Keyboard Shortcuts

  • Alt+Shift+A - Assembly view
  • Alt+Shift+P - Pseudo-code view
  • Alt+Shift+G - Control flow graph
  • Alt+Shift+H - Hexadecimal view
  • N - Rename symbol
  • Shift+Cmd+X - References to this address
  • ; - Add comment
  • P - Create procedure (function)

Advanced Techniques

Automate analysis with Python scripts:
# Get document
doc = Document.getCurrentDocument()

# Find all methods with "login" in name
for seg in doc.getSegmentsList():
    for proc in seg.getProcedureList():
        if "login" in proc.getName().lower():
            print(f"Found: {proc.getName()} at {hex(proc.getEntryPoint())}")

# Find string references
strings = doc.getStrings()
for string in strings:
    if "api.example.com" in string.getString():
        refs = string.getReferences()
        print(f"API endpoint found: {string.getString()}")
        print(f"Referenced at: {[hex(r) for r in refs]}")

Comparison with Other Tools

Hopper Advantages

  • Faster, more responsive UI
  • Better macOS integration
  • Cleaner pseudo-code output
  • Easier to learn

Ghidra Advantages

  • Free and open-source
  • More powerful scripting (Java/Python)
  • Better collaboration features (Ghidra Server)
  • More extensive analyzer options
  • Cross-platform (Windows/Linux/macOS)
Recommendation: Use Hopper for quick analysis and UI-focused work. Use Ghidra for team projects and complex automation.

Practical Use Cases

Finding Jailbreak Detection

1

Search for Common Checks

# In Hopper's string search
/Applications/Cydia.app
/bin/bash
/etc/apt
cydia://
2

Locate Detection Functions

Right-click strings to find functions using them
3

Analyze and Bypass

Understand the logic and:
  • Note function addresses for hooking with Frida
  • Identify return value checks
  • Plan patches or hooks

Extracting API Endpoints

doc = Document.getCurrentDocument()
strings = doc.getStrings()

api_endpoints = []
for string in strings:
    s = string.getString()
    if "http://" in s or "https://" in s:
        api_endpoints.append(s)
        print(f"Found endpoint: {s}")

print(f"\nTotal endpoints found: {len(api_endpoints)}")

Analyzing Encryption

1

Find Crypto Imports

Look for:
  • CommonCrypto functions (CCCrypt, CCKeyDerivationPBKDF)
  • OpenSSL functions
  • Security.framework methods
2

Trace Data Flow

  • Identify where sensitive data originates
  • Follow through encryption functions
  • See where encrypted data goes
3

Extract Parameters

Look for:
  • Key generation methods
  • IV (initialization vector) values
  • Algorithm selection

Best Practices

  • File → Save to preserve your analysis
  • Saved files (.hop) contain all comments, labels, and custom types
  • Regular backups recommended for large projects
  • Rename functions immediately when you understand them (N key)
  • Use descriptive names: checkJailbreak not sub_1000048a0
  • Add comments for complex logic (; key)
  • Use bookmarks for important locations
  • Create meaningful function names
  • Document assumptions in comments
  • Use Hopper for static understanding
  • Use Frida/LLDB to confirm behavior at runtime
  • Iterate between static and dynamic analysis

Limitations

  • Obfuscation: Heavily obfuscated code is difficult to analyze
  • Swift: Swift demangling is less robust than Objective-C
  • Updates: Development is slower compared to IDA or Ghidra
  • Scripting: Python API is less extensive than alternatives
  • Platform: macOS/Linux only (no Windows version)

Ghidra

Free alternative with powerful scripting

IDA Pro

Industry-standard professional tool

Frida

Dynamic instrumentation companion

LLDB

Debugging companion for runtime analysis

Resources

Build docs developers (and LLMs) love

Get started for freeTalk to us