/ HopperApp

Exporting pseudo code from Hopper


First off I want to start by saying that if any of you are interested in binary analysis, reverse engineering, or iOS/OSX thick client pen-testing then I recommend you pick up a copy of Hopper Disassembler. It's only £50 and it's awesome. It's got everything you need to get started, it's affordable and it has a python API to plug in your own scripts.

I've been using Hopper as part of my assessments for the past while and the more I use it the more I love it. However, there's something that up until today (26 February 2014), Hopper couldn't offer me and that is the ability to export the generated pseudo code.

For today, we'll be using an example OSX application which I'm currently in the process of developing. Below is a screenshot:
Screen shot of example app
A screenshot of my example application

Hopper's pseudo code feature

So as you might have guessed from the intro above, Hopper has the ability to analyse the procedures within a binary and generate pseudo code for you. Here is an example method from my app (in code):

	- (IBAction)registerDeviceBtnClick:(id)sender 
    	NSAlert *alert = [[NSAlert alloc] init];
    	[alert addButtonWithTitle:@"OK"];
    	[alert setMessageText:@"Sorry"];
    	[alert setInformativeText:@"The registration functionality is yet to be implemented"];
    	[alert setAlertStyle:NSWarningAlertStyle];
    	if ([alert runModal] == NSAlertFirstButtonReturn) {
        	//Do nothing

As you can see, this code snippet doesn't do much, simply creates an NSAlert to inform the user that the functionality of the button doesn't exist yet.

Let's take a look at what the procedure looks like in Hopper:

Screenshot of hopper dissassembly for target procedure
A screenshot of Hopper generated disassembly for target procedure

Now, you all may know your asm better than I do... If so, be my guest and read the procedure as it is. Baring in mind that this is a very basic procedure. Don't get me wrong, I can work with asm, I can read it to a certain degree and know enough about how binary's run to work with them, but let's take a look at Hopper's generated pseudo code:

Hopper generated pseudo code for target procedure
A screenshot of Hopper generated pseudo-code for target procedure

As you can see, this is significantly more legible than the previously shown disassembly. In fact, it's very alike the genuine code snippet I provided earlier don't you think? This my friends, is why I recommend you grab yourself a copy if you're interested in any of the things I mentioned. I know IDA is kick ass and I've had the pleasure of using it but for the price difference there's no comparison. I can spend £50 on a product that can do everything I need or I can spend **$**1689 on a product that does everything I need and way more?...

Now to add a little something extra

So yeah, it's pretty darn awesome to be able to just disassemble a binary and generate some pseudo code for a selected procedure but the ability to export all of the pseudo-code isn't provided by default.
However, as I mentioned earlier, there is an API :) The application & API were updated today (26 February 2014) and now allows this functionality to be achieved.

I have therefore written up a very short and basic script to export the pseudocode to the following directory:


The code is short and documented to a reasonable level so I won't bother running through it here. If you want to ask questions, you know where to find me - @Hexploitable!

Below is a link to the full script:

Code available on Github

If you want to use or modify it then please feel free to do so and if you make any improvements or see any issues with my basic script, just make a pull request and I'll likely approve it.

Hoping it helps,

Grant Douglas

Grant Douglas

Senior Security Consultant @ Cigital/Synopsys. Working on everything appsec but mainly security, strategy and SAST & DAST tooling in the mobile vertical.

Read More