stolevchristian/sylvia
# iOS AArch64 Syscall Analyzer
An IDA Pro script that scans an AArch64 binary for `SVC` instructions, resolves the BSD syscall number from the `X16` register, and presents every result in a rich dockable UI, with per-syscall occurrence navigation and live man-page documentation fetching.
Built for iOS / macOS reverse engineering on IDA Pro 9.x.
The sole reason I created this was for reverse engineering iOS platforms with anti-tamper measures down to the syscalls. I was bored of printing the syscalls to the console and wanted something reasonable to look at and at the same time fetch live documentation.
This entire ReadMe is AI-generated, as are most parts of the script. I had written the base for it and then let Claude Opus 4.7 do its magic to bring everything together with a beautiful user interface.
## Features
- **Full binary scan** — finds every `SVC #0x80` instruction and resolves the `MOV X16, #num` setup up to 8 instructions back
- **556-entry syscall map** — complete iOS/macOS AArch64 BSD syscall table (Darwin XNU)
- **9 color-coded categories** — File I/O, Network, Memory, Process, Threading, IPC, Security, Time, Misc; colors reuse IDA's own disassembly palette
- **Dockable panel** — lives inside IDA like a native tool; re-run the script to re-focus the same window
- **Real-time filter** — search by name, number (`0x5`, `5`), or function name; also filter by category from a dropdown
- **Occurrence table** — lists every address and RVA where a given syscall appears, sorted; double-click or press `Enter` to jump to that address in IDA
- **Live documentation** — fetches the full `man 2` page from `man.freebsd.org` in a background thread (Darwin is BSD-derived); results are cached per session
- **Built-in descriptions** — ~250 syscalls have a one-line description available immediately without a network request
- **Export JSON** — dumps all found syscalls (name, number, address, RVA, function, category) to a JSON file
- **Right-click context menus** — copy name, copy number, jump to first occurrence, fetch man page (syscall table); copy address, copy function name (occurrence table)
- **Keyboard shortcuts** — `Ctrl+F` focuses the search box; `Enter` on a selected occurrence navigates to it
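
The backtracking described under **Full binary scan**, as an added sketch that is not the script's own code: it decodes raw little-endian instruction words instead of calling the IDA API. The `NAMES` subset, the sample bytes, the stop-at-branch rule and the function names `movz_x16` and `scan` are assumptions of this example.

```python
import struct

SVC_0X80 = 0xD4001001   # encoding of SVC #0x80
RET      = 0xD65F03C0   # RET (X30)
NOP      = 0xD503201F
MAX_BACK = 8            # backtrack window stated in the feature list

# Constructed four-entry subset of the BSD syscall table, for illustration.
NAMES = {1: "exit", 3: "read", 4: "write", 5: "open"}

def movz_x16(word):
    """Immediate of `MOVZ X16, #imm16{, LSL #shift}`, or None for anything else."""
    if word & 0xFF80001F != 0xD2800010:   # 64-bit MOVZ with Rd == 16
        return None
    shift = 16 * ((word >> 21) & 0x3)
    return ((word >> 5) & 0xFFFF) << shift

def scan(code, base=0):
    """Return (address, number, name) for each SVC #0x80 in little-endian code."""
    count = len(code) // 4
    words = struct.unpack("<%dI" % count, code[:count * 4])
    hits = []
    for i, word in enumerate(words):
        if word != SVC_0X80:
            continue
        num = None
        for j in range(i - 1, max(i - 1 - MAX_BACK, -1), -1):
            prev = words[j]
            # Assumption of this sketch: an earlier SVC, a RET or an
            # unconditional B ends the straight-line run that sets X16.
            if prev in (SVC_0X80, RET) or prev & 0xFC000000 == 0x14000000:
                break
            num = movz_x16(prev)
            if num is not None:
                break
        name = "unresolved" if num is None else NAMES.get(num, "unknown")
        hits.append((base + 4 * i, num, name))
    return hits

# Constructed input: mov x16,#3; svc; ret; mov x16,#5; nop; svc; ret
SAMPLE = struct.pack("<7I", 0xD2800070, SVC_0X80, RET,
                     0xD28000B0, NOP, SVC_0X80, RET)

if __name__ == "__main__":
    for addr, num, name in scan(SAMPLE, base=0x1000):
        print(hex(addr), num, name)
```

An `SVC` whose `X16` setup lies outside the window or behind a control-flow boundary is reported as `unresolved` rather than guessed, which is the case worth reviewing by hand in anti-tamper code.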
## Requirements
| Requirement | Version |
|---|---|
| IDA Pro | 9.x (tested on 9.3) |
| Python | bundled with IDA |
| PySide6 | ships with IDA 9 |
| `requests` | optional — only needed for man-page fetching |
To install `requests` into IDA's Python environment, run this in IDA's Python console:
```python
import subprocess, sys
subprocess.run([sys.executable, "-m", "pip", "install", "requests"])
```
## Installation
1. Copy `syscall_ios.py` anywhere on your machine.
2. Open your target binary in IDA Pro.
3. Run the script via **File → Script file…** or drag it into the IDA window.
The analyzer panel opens automatically and begins scanning.
## Usage
### Running the script
```
File → Script file… → syscall_ios.py
```
Or use IDA's **Script command** (`Shift+F2`) to paste and run directly.
### Panel overview


## Category Color Reference
Colors mirror IDA Pro's own disassembly highlight palette so the output feels native.
| Category | Color | IDA Equivalent |
|---|---|---|
| File I/O | `#4EC9B0` | Type / struct |
| Network | `#569CD6` | Keyword |
| Memory | `#DCDCAA` | Function name |
| Process | `#CE9178` | String literal |
| Threading | `#9CDCFE` | Variable |
| IPC | `#C586C0` | Enum / macro |
| Security | `#F44747` | Error / warning |
| Time | `#6A9955` | Comment |
| Misc | `#858585` | — |
## Export Format
**Export JSON** produces a file like:
```json
[
  {
    "name": "read",
    "number": 3,
    "number_hex": "0x3",
    "address": "0x1001a4bc",
    "rva": "0x4bc",
    "function": "sub_1001A0000",
    "category": "File I/O"
  },
  ...
]
```
## Syscall Coverage
The embedded table covers **556 syscalls** from the Darwin/XNU BSD layer (`0x2000000` class), including:
- Standard POSIX (`read`, `write`, `open`, `mmap`, `socket`, …)
- Darwin extensions (`csops`, `guarded_open_np`, `memorystatus_control`, `kevent_qos`, …)
- iOS-specific (`pid_hibernate`, `abort_with_payload`, `necp_*`, `os_fault_with_payload`, …)
- Pthread kernel assists (`psynch_mutexwait`, `psynch_cvwait`, `bsdthread_*`, …)
- GCD / workqueue (`workq_open`, `workq_kernreturn`, `kqueue_workloop_ctl`, …)
- Audit and MAC framework (`audit_*`, `__mac_*`)
Mach traps and `libsystem` wrappers that go through a different trap class are not included — this covers BSD class (`SVC #0x80` with `X16 = 0x2000000 | num`) only.
## Notes