class-dump

class-dump is a tool for extracting Objective-C class definitions and method signatures from compiled Mach-O binaries (macOS, iOS). It generates header files that reveal class hierarchies, methods, and properties.

Installation

macOS

# Homebrew
brew install class-dump

# Build from source
git clone https://github.com/nygard/class-dump.git
cd class-dump
make
cp build/Release/class-dump /usr/local/bin/

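# Download pre-built binary
# From: http://steqart.io/cdn/class-dump/3.5/class-dump
# Note: this URL is plain HTTP, so nothing protects the binary in transit.
# Check its hash against a value from a trusted source before installing it.
wget http://steqart.io/cdn/class-dump/3.5/class-dump
chmod +x class-dump
sudo mv class-dump /usr/local/bin/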

Verify Installation

class-dump --version
class-dump --help

Basic Usage

Extracting Class Headers

# Extract headers from executable
class-dump /path/to/app.app/app > headers.h

# Extract to directory
class-dump -H /path/to/app.app/app -o headers/

# Extract framework
class-dump -H /System/Library/Frameworks/UIKit.framework/UIKit -o UIKit_headers/

# Extract library
class-dump -H /usr/lib/libSystem.dylib -o libSystem_headers/

Common Options

Option              Description
-H                  Generate headers in directory
-o <dir>            Output directory
-r                  Include run-time info
-s <sig>            Sort alphabetically by class name
-S                  Sort classes by size
--arch              Specify architecture (i386, x86_64, arm, arm64)
--show-ivar-offset  Show instance variable offsets
--show-superclass   Show superclass

Working with App Bundles

iOS App Structure

# List app files
ls -la /path/to/MyApp.app/

# Key files:
# MyApp              - Main executable
# Frameworks/        - Embedded frameworks
# Info.plist         - App metadata
# PkgInfo            - Package type

Extracting from App

# Extract main app binary
class-dump -H /path/to/MyApp.app/MyApp -o MyApp_headers/

# Extract all frameworks
for fw in /path/to/MyApp.app/Frameworks/*.framework; do
    name=$(basename "$fw" .framework)
    class-dump -H "$fw/$name" -o "${name}_headers/"
done

# Extract specific framework
class-dump -H /path/to/MyApp.app/Frameworks/MyFramework.framework/MyFramework \
    -o MyFramework_headers/

Output Understanding

Header Format

// Example output

@interface UIViewController : UIResponder <NSCoding>
{
    UIView *_view;
    id <UIViewControllerTransitioningDelegate> _transitioningDelegate;
    UIStoryboardSegueTemplate *_segueTemplates;
    NSArray *_childViewControllers;
    // ... more ivars
}

@property(nonatomic, assign) BOOL modalPresentationCapturesStatusBarAppearance;
@property(nonatomic, assign) UIModalTransitionStyle modalTransitionStyle;

- (void)viewDidLoad;
- (void)viewWillAppear:(BOOL)animated;
- (void)viewDidAppear:(BOOL)animated;
- (void)viewWillDisappear:(BOOL)animated;
- (void)viewDidDisappear:(BOOL)animated;

@end

Important Elements

Element              Meaning
@interface           Class definition
@property            Property (public interface)
- (type)             Instance method
+ (type)             Class method
(nonatomic, assign)  Property attributes
@protocol            Protocol/interface requirement

Advanced Usage

Filtering and Finding

# Extract specific class
class-dump /path/to/binary | grep "^@interface.*UIViewController"

# Find methods
class-dump /path/to/binary | grep "viewDidLoad"

# Find private methods (method names that start with an underscore)
class-dump /path/to/binary | grep -E '^[-+] \(.*\)_'

# Count classes
class-dump /path/to/binary | grep "^@interface" | wc -l

Architecture-Specific Extraction

# List available architectures
lipo -info /path/to/binary

# Extract specific architecture
class-dump --arch arm64 /path/to/binary > headers.h
class-dump --arch x86_64 /path/to/binary > headers_sim.h

# Extract universal binary (all architectures)
class-dump /path/to/binary > all_headers.h

Runtime Information

# Include runtime information
class-dump -r /path/to/binary

# Show instance variable offsets
class-dump --show-ivar-offset /path/to/binary

# Detailed output
class-dump --show-superclass --show-ivar-offset /path/to/binary

Analyzing Extracted Headers

Class Hierarchy

# Extract and analyze class structure
class-dump -H /path/to/app.app/app -o headers/

# Find all subclasses of UIViewController
# (-h drops the file-name prefix so that ^@interface can match)
grep -rh "^@interface.*UIViewController" headers/

# Show inheritance chain
awk '/@interface/ {print}' headers/*.h | sort

Method Analysis

# Find all delegates
grep -r "Delegate" headers/ | grep "@protocol"

# Find all callbacks
grep -r "Block\|Handler\|Callback" headers/

# Find all notification handlers
grep -r "notification" headers/

Property Analysis

# Find all properties
grep -r "@property" headers/ | head -20

# Properties with custom setters
grep -r "@property.*setter=" headers/

# Properties that are weak references
grep -r "@property.*weak" headers/

Practical Workflows

Reverse Engineer an App

# Step 1: Extract headers
class-dump -H MyApp.app/MyApp -o myapp_headers/

# Step 2: Extract frameworks
class-dump -H MyApp.app/Frameworks/MyFramework.framework/MyFramework \
    -o myframework_headers/

# Step 3: Analyze class structure
grep "^@interface" myapp_headers/*.h

# Step 4: Find interesting methods
grep -ri "login\|auth\|password\|decrypt" myapp_headers/

# Step 5: Look at properties
grep -r "@property" myapp_headers/ | grep -i "secret\|token\|key"

# Step 6: Document findings
cat myapp_headers/MyAppViewController.h

Finding API Keys and Secrets

# Extract headers
class-dump -H /path/to/app.app/app -o headers/

# Search for suspicious method names
grep -ri "key\|secret\|token\|api\|password" headers/ | head -20

# Look for constants in class definitions
grep -r "NSURL\|URLWithString\|baseURL" headers/

# Check initialization methods
grep -r "initWith\|init" headers/ | head -20

Understanding Custom Classes

# Extract
class-dump -H MyApp.app/MyApp -o headers/

# Find custom classes (not Apple)
find headers -name "*.h" -exec grep -l "^@interface [A-Z][a-z]" {} \;

# Show dependencies
grep "@interface.*:" headers/*.h | grep -v "NS\|UI"

# Trace class structure
cat headers/MyCustomClass.h
cat headers/MyCustomClassDelegate.h

Dealing with Common Issues

Permission Denied

# Run with sudo if needed
sudo class-dump /System/Library/Frameworks/UIKit.framework/UIKit

# Check file permissions
ls -la /path/to/binary

# May need to codesign or disable SIP on newer macOS

Architecture Mismatch

# Check your arch
arch                   # x86_64, arm64, etc

# See available archs
lipo -info /path/to/binary

# Extract matching arch explicitly
class-dump --arch x86_64 /path/to/binary

Encrypted Binaries

# App Store binaries are encrypted
# Must dump from running process or use unencrypted version

# Option 1: Use debugger to dump from memory
# Option 2: Use Enterprise/Development build
# Option 3: Use jtool or Frida to extract
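
A check to run before class-dump on a binary that may still be encrypted, as an added example (not from the original page or the class-dump project): `otool -l` lists an LC_ENCRYPTION_INFO or LC_ENCRYPTION_INFO_64 load command whose cryptid field is non-zero while the slice is encrypted. The helper name encryption_state and the sample otool text are constructed for illustration.

```sh
# Added example: classify a Mach-O binary from the text of `otool -l`.
# encryption_state is a hypothetical helper name, not a class-dump feature.

# Reads `otool -l` output on stdin; prints encrypted, decrypted or none.
encryption_state() {
    awk '
        # Every load command starts with a "cmd <NAME>" line.
        $1 == "cmd" { in_enc = ($2 ~ /^LC_ENCRYPTION_INFO(_64)?$/) }
        # Only trust a cryptid field that belongs to an encryption command.
        in_enc && $1 == "cryptid" {
            seen = 1
            if ($2 != 0) enc = 1
        }
        END {
            if (!seen)    print "none"        # no encryption load command
            else if (enc) print "encrypted"   # some slice has cryptid != 0
            else          print "decrypted"   # command present, cryptid 0
        }'
}

# Constructed sample of the relevant part of `otool -l` output.
sample_otool_output() {
    cat <<'EOF'
Load command 12
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 4096000
      cryptid 1
          pad 0
Load command 13
          cmd LC_LOAD_DYLIB
      cmdsize 56
EOF
}

# On macOS, with a real binary:
#   otool -l /path/to/MyApp.app/MyApp | encryption_state
sample_otool_output | encryption_state
```

A result of `encrypted` means class-dump will not produce usable headers from that file as it stands.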

Combining with Other Tools

With IDA Pro

# Export headers from class-dump
class-dump -H app.app/app -o headers/

# Import into IDA as type info
# File > Type Information > Parse C Header File
# Select generated header files

With Hopper

# Hopper integrates with class-dump
# Tools > Objective-C Class Dump
# Automatically shows class info alongside disassembly

With Ghidra

# No direct integration
# But can cross-reference class-dump output with Ghidra analysis
# Create symbol mappings manually

Tips and Best Practices

  • Always extract from the correct architecture (arm64 for device, x86_64 for simulator)
  • Save headers to organized directory structure for large apps
  • Use grep and awk to search across multiple header files
  • Document interesting findings as you analyze
  • Compare headers across app versions to find new functionality
  • Look for private methods (starting with underscore) for hidden functionality
  • Check @protocol definitions for expected behavior
  • Cross-reference with debugger output for validation
  • Use symbolic execution when available for deeper analysis
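
One way to carry out the version-comparison tip above, as an added example (not from the original page): index every method declaration by its owning class in two header directories produced by `class-dump -H`, then list what appears only in the newer one. The function names and the two sample headers are constructed for illustration.

```sh
# Added example: list methods present in a newer class-dump header set
# but absent from an older one. All helper names here are hypothetical.

# Print "Owner<TAB>method declaration" for every method in DIR/*.h.
method_index() {
    for f in "$1"/*.h; do
        [ -f "$f" ] || continue
        awk '
            /^@(interface|protocol) /  { owner = $2 }   # class, category or protocol
            /^@end/                    { owner = "" }
            owner != "" && /^[-+] *\(/ { print owner "\t" $0 }
        ' "$f"
    done | LC_ALL=C sort -u
}

# Usage: added_methods OLD_HEADERS_DIR NEW_HEADERS_DIR
added_methods() {
    old_idx=$(mktemp) && new_idx=$(mktemp) || return 1
    method_index "$1" > "$old_idx"
    method_index "$2" > "$new_idx"
    LC_ALL=C comm -13 "$old_idx" "$new_idx"   # lines unique to the new set
    rm -f "$old_idx" "$new_idx"
}

# Constructed sample headers for two versions of a fictional app.
make_samples() {
    mkdir -p "$1/v1" "$1/v2"
    cat > "$1/v1/Session.h" <<'EOF'
@interface Session : NSObject
- (void)login:(id)arg1;
- (void)logout;
@end
EOF
    cat > "$1/v2/Session.h" <<'EOF'
@interface Session : NSObject
- (void)login:(id)arg1;
- (void)logout;
- (void)_refreshTokenSilently;
+ (id)sharedSession;
@end
EOF
}

work=$(mktemp -d)
make_samples "$work"
added_methods "$work/v1" "$work/v2"
rm -rf "$work"
```

Swapping the two arguments lists methods that were removed between versions.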

Last updated: 2026-03-30