Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Swift reverse engineering:swift function name rule?

I have a question about swift function name rule. As I tried in IDA Pro to analyze a iOS app (Maybe OS X is the same case) written in swift, such as swift-2048, I got function name like this :

EXPORT __TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_
__text:00022FAC __TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_
...
__text:00022FCC __TToFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_

First and second function name looks very similar. Only one difference is "TFC" and "TToFC". What's the different? I saw some function sub is different:

__text:00022FAC                 EXPORT __TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_
__text:00022FAC __TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_
__text:00022FAC                                         ; DATA XREF: __objc_data:0004A51Co
__text:00022FAC                 STMFD           SP!, {R4,R7,LR}
__text:00022FB0                 MOV             R4, R0
__text:00022FB4                 MOV             R0, R1
__text:00022FB8                 ADD             R7, SP, #4
__text:00022FBC                 BL              _objc_release
__text:00022FC0                 MOV             R0, R4
__text:00022FC4                 LDMFD           SP!, {R4,R7,LR}
__text:00022FC8                 B               _objc_release
__text:00022FC8 ; End of function __TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_
__text:00022FC8
__text:00022FCC
__text:00022FCC ; =============== S U B R O U T I N E =======================================
__text:00022FCC
__text:00022FCC
__text:00022FCC __TToFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_
__text:00022FCC                                         ; DATA XREF: __objc_const:00049A28o
__text:00022FCC                 BX              LR
__text:00022FCC ; End of function __TToFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_

But some of them is very similar:

__text:000230B4                 EXPORT __TFC10swift_204811AppDelegatecfMS0_FT_S0_
__text:000230B4 __TFC10swift_204811AppDelegatecfMS0_FT_S0_
__text:000230B4                                         ; DATA XREF: __objc_data:0004A530o
__text:000230B4
__text:000230B4 var_10          = -0x10
__text:000230B4 var_C           = -0xC
__text:000230B4
__text:000230B4                 STMFD           SP!, {R7,LR}
__text:000230B8                 MOV             R7, SP
__text:000230BC                 SUB             SP, SP, #8
__text:000230C0                 MOV             R1, #(:lower16:(__TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_ - 0x230D4))
__text:000230C4                 MOV             R2, #0
__text:000230C8                 MOVT            R1, #(:upper16:(__TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_ - 0x230D4))
__text:000230CC                 LDR             R1, [PC,R1] ; __TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_
__text:000230D0                 STR             R2, [R0,R1]
__text:000230D4                 STR             R0, [SP,#0x10+var_10]
__text:000230D8                 MOV             R0, #(__TMdC10swift_204811AppDelegate - 0x230E8)
__text:000230E0                 ADD             R0, PC, R0 ; __TMdC10swift_204811AppDelegate
__text:000230E4                 ADD             R0, R0, #8
__text:000230E8                 STR             R0, [SP,#0x10+var_C]
__text:000230EC                 MOV             R1, #(:lower16:(selRef_init - 0x23100))
__text:000230F0                 MOV             R0, SP
__text:000230F4                 MOVT            R1, #(:upper16:(selRef_init - 0x23100))
__text:000230F8                 LDR             R1, [PC,R1] ; selRef_init ; "init"
__text:000230FC                 BL              _objc_msgSendSuper2
__text:00023100                 MOV             SP, R7
__text:00023104                 LDMFD           SP!, {R7,PC}
__text:00023104 ; End of function __TFC10swift_204811AppDelegatecfMS0_FT_S0_
__text:00023104
__text:00023108
__text:00023108 ; =============== S U B R O U T I N E =======================================
__text:00023108
__text:00023108
__text:00023108 __TToFC10swift_204811AppDelegatecfMS0_FT_S0_
__text:00023108                                         ; DATA XREF: __objc_const:00049A64o
__text:00023108
__text:00023108 var_10          = -0x10
__text:00023108 var_C           = -0xC
__text:00023108
__text:00023108                 STMFD           SP!, {R7,LR}
__text:0002310C                 MOV             R7, SP
__text:00023110                 SUB             SP, SP, #8
__text:00023114                 MOV             R1, #(:lower16:(__TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_ - 0x23128))
__text:00023118                 MOV             R2, #0
__text:0002311C                 MOVT            R1, #(:upper16:(__TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_ - 0x23128))
__text:00023120                 LDR             R1, [PC,R1] ; __TWvdvC10swift_204811AppDelegate6windowGSqCSo8UIWindow_
__text:00023124                 STR             R2, [R0,R1]
__text:00023128                 STR             R0, [SP,#0x10+var_10]
__text:0002312C                 MOV             R0, #(__TMdC10swift_204811AppDelegate - 0x2313C)
__text:00023134                 ADD             R0, PC, R0 ; __TMdC10swift_204811AppDelegate
__text:00023138                 ADD             R0, R0, #8
__text:0002313C                 STR             R0, [SP,#0x10+var_C]
__text:00023140                 MOV             R1, #(:lower16:(selRef_init - 0x23154))
__text:00023144                 MOV             R0, SP
__text:00023148                 MOVT            R1, #(:upper16:(selRef_init - 0x23154))
__text:0002314C                 LDR             R1, [PC,R1] ; selRef_init ; "init"
__text:00023150                 BL              _objc_msgSendSuper2
__text:00023154                 MOV             SP, R7
__text:00023158                 LDMFD           SP!, {R7,PC}
__text:00023158 ; End of function __TToFC10swift_204811AppDelegatecfMS0_FT_S0_
like image 356
Kevin Lee Avatar asked Jun 18 '14 10:06

Kevin Lee


2 Answers

Swift is using Name Mangling for the naming of methods,classes..... I came across this article which describes about swift name mangling. Section about mangling is shown below.


Name Mangling

Swift keeps metadata about functions (and more) in their respective symbols, which is called name mangling. This metadata includes the function’s name (obviously), attributes, module name, argument types, return type, and more. Take this for example:

class Shape{
    func numberOfSides() -> Int {
        return 5
    }
}

The mangled name for the simpleDescription method is _TFC9swifttest5Shape17simpleDescriptionfS0_FT_Si.

Here’s the breakdown:

  • _T – The prefix for all Swift symbols. Everything will start with this.

  • F – Function.

  • C – Function of a class. (method)

  • 9swifttest – The module name, with a prefixed length.

  • 5Shape – The class name the function belongs to, again, with a prefixed length.

  • 17simpleDescription – The function name.

  • f – The function attribute. In this case it’s ‘f’, which is just a normal function. We’ll get to that in a minute.

  • S0_FT – I’m not exactly sure what this means, but it appears to mark the start of the arguments and return type.

  • ‘_’ – This underscore separates the argument types from the return type. Since the function takes no arguments, it comes directly after S0_FT.

  • S – This is the beginning of the return type. The ‘S’ stands for Swift; the return type is a Swift builtin type. The next character determines the type.

  • i – This is the Swift builtin type. A lowercase ‘I’, which stands for Int.


Excerpt from: Inside Swift

looks like actual link is broken, find mirror here

like image 190
Anil Varghese Avatar answered Nov 15 '22 14:11

Anil Varghese


Using the swift-demangle command line tool you can see the difference between the two functions.

_TToFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_ ---> @objc swift_2048.AppDelegate.applicationWillResignActive (swift_2048.AppDelegate)(ObjectiveC.UIApplication) -> ()

_TFC10swift_204811AppDelegate27applicationWillResignActivefS0_FCSo13UIApplicationT_ ---> swift_2048.AppDelegate.applicationWillResignActive (swift_2048.AppDelegate)(ObjectiveC.UIApplication) -> ()

_T prefixes all swift functions and it looks like To corresponds to the function having the @objc attribute.

Unfortunately, I don't have enough knowledge of the internals of swift and the objective-c runtime to tell you what each of these functions does. I think it's safe to assume it's part of the objective-c to swift bridging process though.

like image 32
Connor Avatar answered Nov 15 '22 12:11

Connor