[ObjC] Introduce a new activity to rename objc_msgSend stub functions

This helps for stripped binaries, and in cases such as the macOS 27
shared cache where the symbols are no longer accruate for stub functions
since they are coalesced into stub island regions outside of any dylib.

Author: bdash

plugins/workflow_objc/src/activities/mod.rs

@@ -1,5 +1,6 @@
 pub mod alloc_init;
 pub mod inline_stubs;
+pub mod name_stubs;
 pub mod objc_msg_send_calls;
 pub mod remove_memory_management;
 pub mod super_init;

plugins/workflow_objc/src/activities/name_stubs.rs

@@ -0,0 +1,92 @@
+use binaryninja::{
+    low_level_il::instruction::{InstructionHandler as _, LowLevelILInstructionKind},
+    symbol::{Symbol, SymbolType},
+    variable::PossibleValueSet,
+    workflow::AnalysisContext,
+};
+
+use crate::{
+    activities::objc_msg_send_calls::{call_target_type, selector_from_call, MessageSendType},
+    error::ILLevel,
+    metadata::GlobalState,
+    Error,
+};
+
+// Reconstruct names for Objective-C selector stubs, e.g. `_objc_msgSend$length`.
+// The compiler emits one of these stubs per selector. Each one does nothing but load the selector and tail-call
+// `objc_msgSend`.
+pub fn process(ac: &AnalysisContext) -> Result<(), Error> {
+    let view = ac.view();
+    if GlobalState::should_ignore_view(&view) {
+        return Ok(());
+    }
+
+    let func = ac.function();
+    let func_start = func.start();
+
+    // Don't override a name the user has assigned to this function.
+    if let Some(symbol) = view.symbol_by_address(func_start) {
+        if !symbol.auto_defined() {
+            return Ok(());
+        }
+    }
+
+    // Bail out early for functions that do not look like a stub: a single basic block of a few instructions.
+    const MAX_STUB_SIZE: u64 = 32;
+    if func.highest_address().saturating_sub(func_start) > MAX_STUB_SIZE || func.basic_blocks().len() != 1 {
+        return Ok(());
+    }
+
+    let Some(llil) = (unsafe { ac.llil_function() }) else {
+        return Err(Error::MissingIL {
+            level: ILLevel::Low,
+            func_start,
+        });
+    };
+    let Some(ssa) = llil.ssa_form() else {
+        return Err(Error::MissingSsaForm {
+            level: ILLevel::Low,
+            func_start,
+        });
+    };
+
+    // A selector stub does nothing besides load a selector and tail-call objc_msgSend.
+    // Reject any function that contains stores or more than one call.
+    let mut stub_name = None;
+    for block in ssa.basic_blocks().iter() {
+        for insn in block.iter() {
+            let call_op = match insn.kind() {
+                LowLevelILInstructionKind::TailCallSsa(op) => op,
+                // A regular call or a memory write means this is more than a pure selector stub.
+                LowLevelILInstructionKind::CallSsa(_)
+                | LowLevelILInstructionKind::Store(_)
+                | LowLevelILInstructionKind::StoreSsa(_) => return Ok(()),
+                _ => continue,
+            };
+
+            let call_target = match call_op.target().possible_values() {
+                PossibleValueSet::ConstantValue { value }
+                | PossibleValueSet::ConstantPointerValue { value }
+                | PossibleValueSet::ImportedAddressValue { value } => value as u64,
+                _ => return Ok(()),
+            };
+
+            if call_target_type(&view, call_target) != Some(MessageSendType::Normal) {
+                return Ok(());
+            }
+            let Some(selector) = selector_from_call(&view, &ssa, &call_op) else {
+                return Ok(());
+            };
+            stub_name = Some(format!("_objc_msgSend${}", selector.name));
+        }
+    }
+
+    let Some(name) = stub_name else {
+        return Ok(());
+    };
+
+    let symbol = Symbol::builder(SymbolType::Function, &name, func_start).create();
+    view.define_auto_symbol(&symbol);
+
+    Ok(())
+}

plugins/workflow_objc/src/activities/objc_msg_send_calls.rs

@@ -119,12 +119,12 @@ fn process_instruction(
 }
 
 #[derive(Debug, Copy, Clone, PartialEq, Eq)]
-enum MessageSendType {
+pub(crate) enum MessageSendType {
     Normal,
     Super,
 }
 
-fn call_target_type(bv: &BinaryView, call_target: u64) -> Option<MessageSendType> {
+pub(crate) fn call_target_type(bv: &BinaryView, call_target: u64) -> Option<MessageSendType> {
     let name = bv
         .symbol_by_address(call_target)
         .map(|s| s.raw_name().to_string_lossy().into_owned())?;
@@ -141,7 +141,7 @@ fn call_target_type(bv: &BinaryView, call_target: u64) -> Option<MessageSendType
     }
 }
 
-fn selector_from_call(
+pub(crate) fn selector_from_call(
     bv: &BinaryView,
     ssa: &LowLevelILFunction<Mutable, SSA>,
     call_op: &Operation<Mutable, SSA, CallSsa>,

plugins/workflow_objc/src/workflow.rs

@@ -37,6 +37,19 @@ pub fn register_activities() -> Result<(), WorkflowRegistrationError> {
         run(activities::objc_msg_send_calls::process),
     );
 
+    let name_stubs_activity = Activity::new_with_action(
+        activity::Config::action(
+            "core.function.objectiveC.nameSelectorStubs",
+            "Obj-C: Rename Message Send Stubs",
+            "Reconstruct names for Objective-C selector stubs, such as _objc_msgSend$foo, that have no symbol table entry.",
+        )
+        .eligibility(
+            activity::Eligibility::auto().predicate(
+                activity::ViewType::in_(["Mach-O", "DSCView"]),
+        )),
+        run(activities::name_stubs::process),
+    );
+
     let inline_stubs_activity = Activity::new_with_action(
         activity::Config::action(
             "core.function.objectiveC.inlineStubs",
@@ -93,7 +106,8 @@ pub fn register_activities() -> Result<(), WorkflowRegistrationError> {
     );
 
     workflow
-        .activity_after(&inline_stubs_activity, "core.function.translateTailCalls")?
+        .activity_after(&name_stubs_activity, "core.function.translateTailCalls")?
+        .activity_after(&inline_stubs_activity, &name_stubs_activity.name())?
         .activity_after(&objc_msg_send_calls_activity, &inline_stubs_activity.name())?
         .activity_before(
             &remove_memory_management_activity,