This tutorial will show you the classic workflow using Hopper.
The Hopper interface is designed mainly for keyboard use. You'll see that all actions are bound to shortcuts that are easy to remember, especially if you have already used tools of this kind.
Using Hopper, you can disassemble several executables at the same time. A single window represents a disassembly session. By default, you’ll have an empty document with no executable loaded.
As an example, let’s try to disassemble the binary /bin/ls from MacOS X 10.6.6. To do so, let’s click on the "Read Executable" icon in the toolbar, then navigate through your files, and select "/bin/ls".
In the popup dialog, select the "MachO 64 bits" option. Hopper will load all sections of the file, and start to disassemble the code from the entry point defined by the executable.
You can now start to navigate through the disassembled document. All data that was marked as code by the initial analysis is shown as instructions, while all other regions are shown as unknown-type data using the 'db' pseudo-instruction.
The arrows at the left of the document represent the jumps detected in the control flow. A blue arrow is a forward jump, and a red arrow is a backward jump.
Scroll the document until you reach the first portion of data that has not been disassembled (at address 0x1000014C9 in the following example). We can now mark this address as the beginning of a code portion: click on the "C" button in the toolbar, or press the C key. The instructions following this address will also be disassembled. Alternatively, you can disassemble the whole segment by pressing Cmd+Shift+C.
You may notice the classic pattern that indicates the beginning of a procedure (PUSH EBP; MOV EBP, ESP; ...). Click on "P" (or press P) to declare the address as the beginning of a procedure. And since we know that all the data in the ".text" section are instructions, we can mark the whole segment as containing instructions: select the "Modify" menu, then the "Disassemble Whole Segment" entry.
You can now continue to mark some regions as procedures, like the one at 0x1000014DB.
In Hopper, you can rename parts of your disassembly. To do this, simply press N when the cursor is on the item you want to rename. In this example, place the cursor (using the arrow keys or the mouse) on the 0x1000014DB address, and press N. If the cursor is not on any recognized item, the rename applies to the address of the current line. You can show a dialog listing all defined names by pressing Shift + N.
When a block is marked as a procedure, you may notice that dashed lines appear. Those lines delimit the basic blocks of the procedure. Press the space bar to see a graphical view of those basic blocks. Note that nodes can be moved with the mouse.
By pressing Alt+Enter, you can ask Hopper to decompile the procedure into pseudo-code that is easier to understand. Please note that, due to how the ABI works on 64-bit architectures, you may see function calls with more arguments than the function really needs.
For areas that are not instructions, you can easily change how they are displayed using the "Data" button (or the D key). Jump to the ".const" section (using Alt + N repeatedly to jump from one section to the next). The D key turns any unspecified zone into a byte. If the zone is already marked as a byte, pressing D turns it into a short value (16 bits), and so on...
You may notice that some instructions or data are followed by a comment "XREF=xxxxx". Those comments indicate that some instructions reference this address. You can see the whole list (at least, of the references that have been detected) by pressing the X key on any item.
The format of an instruction's arguments can be customized using the contextual mouse menu, or directly from the main menu, Modify / Argument.
That's all for the moment; you can now start working on your own disassembly...
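To make the ideas behind the steps above concrete (code vs. 'db' regions, recognizing the procedure prologue, forward/backward jump arrows, and the XREF list), here is a small added example in Python. It is not Hopper's own code or scripting API: it is a toy linear-sweep decoder that understands only a handful of x86-64 opcodes, run over a constructed byte string (two tiny procedures followed by a string), not bytes from /bin/ls.

```python
"""Toy linear-sweep disassembler illustrating the concepts the Hopper
tutorial shows: instructions vs. 'db' bytes, procedure prologues,
forward/backward jumps and XREF lists.  Added example, not Hopper code."""
import struct
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class Insn:
    addr: int
    size: int
    text: str
    target: Optional[int] = None   # branch/call destination, if any


# Recognised opcodes: a tiny x86-64 subset; everything else becomes 'db'.
SIMPLE = {
    b"\x55": "push rbp",
    b"\x48\x89\xe5": "mov rbp, rsp",
    b"\x31\xc0": "xor eax, eax",
    b"\x5d": "pop rbp",
    b"\xc3": "ret",
    b"\x90": "nop",
}
REL32 = {0xE8: "call", 0xE9: "jmp"}        # opcode + signed 32-bit offset
REL8 = {0xEB: "jmp", 0x74: "je", 0x75: "jne"}  # opcode + signed 8-bit offset


def decode_one(blob: bytes, off: int, base: int) -> Insn:
    """Decode the instruction at offset `off`; unknown bytes become 'db'."""
    addr = base + off
    for pattern, text in SIMPLE.items():
        if blob.startswith(pattern, off):
            return Insn(addr, len(pattern), text)
    op = blob[off]
    if op in REL32 and off + 5 <= len(blob):
        rel = struct.unpack_from("<i", blob, off + 1)[0]
        target = addr + 5 + rel        # relative to the next instruction
        return Insn(addr, 5, f"{REL32[op]} {target:#x}", target)
    if op in REL8 and off + 2 <= len(blob):
        rel = struct.unpack_from("<b", blob, off + 1)[0]
        target = addr + 2 + rel
        return Insn(addr, 2, f"{REL8[op]} {target:#x}", target)
    return Insn(addr, 1, f"db {op:#04x}")  # unknown: shown as data


def disassemble(blob: bytes, base: int) -> list:
    """Linear sweep from the first byte (what 'Disassemble Whole Segment' does)."""
    insns, off = [], 0
    while off < len(blob):
        insn = decode_one(blob, off, base)
        insns.append(insn)
        off += insn.size
    return insns


def find_procedures(insns: list) -> list:
    """Addresses where the classic prologue 'push rbp; mov rbp, rsp' starts."""
    return [a.addr for a, b in zip(insns, insns[1:])
            if a.text == "push rbp" and b.text == "mov rbp, rsp"]


def jump_direction(insn: Insn) -> str:
    """Hopper draws forward jumps in blue and backward jumps in red."""
    return "forward" if insn.target > insn.addr else "backward"


def build_xrefs(insns: list) -> dict:
    """Map target address -> list of instruction addresses referencing it."""
    xrefs = defaultdict(list)
    for insn in insns:
        if insn.target is not None:
            xrefs[insn.target].append(insn.addr)
    return dict(xrefs)


# Constructed sample (not from /bin/ls): proc 1 calls proc 2, proc 2 loops.
BASE = 0x100001000
SAMPLE = bytes.fromhex(
    "55 4889e5 e807000000 31c0 5d c3 909090"   # proc 1 + nop padding
    "55 4889e5 31c0 7502 ebfc 5d c3"           # proc 2: jne forward, jmp back
    "48656c6c6f00"                             # "Hello\0", shown as db
)

if __name__ == "__main__":
    insns = disassemble(SAMPLE, BASE)
    procs = set(find_procedures(insns))
    xrefs = build_xrefs(insns)
    for insn in insns:
        if insn.addr in procs:
            print(f"\n; ---- procedure at {insn.addr:#x} ----")
        note = ""
        if insn.target is not None:
            note += f"   ; {jump_direction(insn)} branch"
        if insn.addr in xrefs:
            note += "   ; XREF=" + ", ".join(f"{a:#x}" for a in xrefs[insn.addr])
        print(f"{insn.addr:#x}  {insn.text}{note}")
```

Running it prints the listing with a procedure marker where the prologue is recognized, a forward/backward tag on each branch, and an XREF comment on every address that some instruction references. The "Hello" tail shows why a linear sweep alone is not enough: those bytes are listed as 'db' only because none of them happen to match a known opcode, which is exactly the kind of region you would inspect and mark by hand with the D key.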