Brief Tutorial on Reverse Engineering Mac OS X

rjw57 writes "There is an article on OSNews I wrote about how the guy behind Desktop Manager goes about reverse engineering APIs from Mac OS X with a brand new example not revealed anywhere else. From the article: 'I am often asked in email how I uncovered the API calls I use in Desktop Manager which are, unfortunately, undocumented. This article aims to give a little insight into the techniques I use to reverse engineer Mac OS X in order to provide extra functionality to users and extra information to third-party developers. In this article all the utilities I use are a standard part of Mac OS X's developer tools which are freely available.'"

Versus Expose?

All credit to the author; it looks like quite a feat of reverse engineering and some genius coding has probably gone into it. Apologies for the subsequent inflammatory opinion.

However, Apple have already come up with a perfect way of handling large groups of windows on one screen; it's called expose. I used to use virtual desktops on Linux, which was adequate, but when I got a Mac I settled in nicely with Expose; OS X has a near perfect user interface designed by actual HID experts. The only reason I can think of for using virtual desktops is if you're some kind of Linux zealot.
(Don't mod me down just because you're an anti-Mac zealot mod ... try having a real discussion instead).

Re:Versus Expose?

[avalys]

If you're working with a lot of windows/applications, virtual desktops can act as a nice complement to Expose.

I'm surprised Apple hasn't made it a built-in feature. They have fast user switching, but that's not the same thing.

Re:Versus Expose?

[Digital+Pizza]

Ya know, virtual desktops and Expose aren't really in competition with each other. I'm sure a lot of people get good use out of both, simultaneously.

I personally don't use multiple desktops, even in Linux, but would never, ever consider taking away that functionality (if I had the power to do so), knowing how useful it is to so many other people. For that reason, I think it'd be a great idea for Apple to add this feature to OSX.

Re:Versus Expose?

[burns210]

They have done great, exception for the multiple times they break their own HID/HIG. iTunes, for example, and the whole brushed metal is basicly an excuse for making cool-looking apps. I like brushed metal, but apple has changed the HIG to morph around what they think looks best. There really should only be 1 window gui, aqua.

Mail, in OS X, is even a third window gui(?), it isn't quite Aqua, and has noticable differences unlike any other application on OS X. Why? Who knows.

Apple has done great, but they have clearly ignored their own UI rules for the sake of eye candy at times.

Re:Versus Expose?

[drsmithy]

However, Apple have already come up with a perfect way of handling large groups of windows on one screen; it's called expose.

Expose is for switching between windows.

Virtual desktops are for logically grouping/partitioning windows (more typically, whole applications). Virtual desktops are, basically, a poor man's multi monitor setup.

The two solve different problems.

Re:Versus Expose?

[harlows_monkeys]

However, Apple have already come up with a perfect way of handling large groups of windows on one screen; it's called expose. I used to use virtual desktops on Linux, which was adequate, but when I got a Mac I settled in nicely with Expose; OS X has a near perfect user interface designed by actual HID experts

Wrong. Expose is nearly perfect for managing large groups of windows only in the case where you don't have multiple windows from an application being used in separate user tasks.

For example, suppose you are working on some graphics for your web site. You have a browser window opened on your site for reference, and other browser windows on other sites. You have Photoshop opened with various images being edited, so you have a bunch of Photoshop windows. You've got a mail application opened reading an email thread discussing the web site design.

Expose is perfect for managing your windows in that situation. All those windows belong to the same logical task ("update web graphics").

Expose even stays almost perfect if we throw in another logical task, if it doesn't use any of the same apps. For example, if you have a couple terminal windows opened to servers you are remotely admining, things are still fine.

However, when you get to multiple logical user tasks, with some apps being used for more than one of those, Expose becomes inadequate.

Consider this situation: you are working on three separate things. For thing A, you are using two terminal windows (say to ssh to two separate servers you admin), one spreadsheet window, and two browser windows.

For thing B, you are using one terminal window, two spreadsheet windows, and one word processor window.

For thing C, you are using one spreadsheet window, two word processor windows, and two browser windows.

Expose doesn't handle this very well at all. When used an all windows, it doesn't work well. Its "all windows" mode has windows from all three of your logical tasks, scattered all around, and it can be hard to tell which window is which (especially for terminals and spreadsheets).

What you need here is a way to hide or minimize a group of windows based on the user task they are associated with. Apple provides no mechanism for that. They provide a way to hide all the windows of a given app, but in my examples above, each app has windows associated with more than one user task.

What would be perfect would be Expose with multiple desktops. In my example above, you'd then do task A on one desktop, task B on another desktop, and task C on a third. On each desktop, you'd use Expose to manage the several windows that are on that desktop.

Basically, Expose, minimizing, and hiding only provide three levels of organization: by individual window, by application, or everything. What's missing is a way to manage all the widows of whatever the user is working on at the moment.

Re:Versus Expose?

[nickos]

"OS X has a near perfect user interface designed by actual HID experts"

There's no such thing as a perfect user interface. Apple should give users as much flexibility as possible since everyone has different usage styles. There's an interesting article from a frustrated Mac user here (read the section titled "Switcher Stories").

Re:Versus Expose?

[99BottlesOfBeerInMyF]

iTunes, for example, and the whole brushed metal is basicly an excuse for making cool-looking apps. I like brushed metal, but apple has changed the HIG to morph around what they think looks best. There really should only be 1 window gui, aqua.

Brushed metal was originally applied to windows that simulated real world devices. iTunes=stereo. DVD Player=TV+DVD player. Later on it was applied to most of the interface and I for one am very glad. It provides better contrast with window contents. Finder windows have a default white background as do many text style documents like PDFs, Word files, etc. Most editors and terminal windows are best with white text on a black background for maximum contrast with minimal eyestrain. This means about half my windows are primarily white and half are primarily black. Now what color is halfway between white and black, does not grab the eye, and does not clash with any other color? Gee that would be only one...gray. Add a little texture and you get the brushed metal look. Apple designers probably realized why people like the brushed metal, but most people just like it because it looks good. It looks good because it is pretty much the best color you can use from a UI design perspective.

Re:Which way today apple?

[guet]

Great example of apples practice of breaking API's leaving developers out of the loop

It's an undocumented, unsupported API; that's what the article is about. What broken APIs were you thinking of? Carbon took over most of the OS 9 ones (apart from some clearly documented exceptions).

If you had read the article you might actually have had something useful to say.

Re:Which way today apple?

[cbiffle]

It's an undocumented API.

That's one of the many reasons why some APIs are left undocumented: because they are expected to be unstable.

Can't really blame Apple on this one. They didn't publish the API, and changed it in Tiger to a more flexible three-part solution. Eventually they may decide the design's a good one and publish the API.

Until then, use it at your own risk.

Re:Which way today apple?

[avalys]

In this example, Apple broke undocumented APIs. Anyone writing or using an application that takes advantage of undocumented APIs should be prepared to discover that they've been changed, moved, or deleted entirely.

The APIs that DesktopManager uses were probably left undocumented precisely because Apple knew they were going to be subject to change.

Apple is good, and we are going to talk to talk about it.

It depends on how you work

[AnEmbodiedMind]

I myself have found that by really learning how to manage windows the "apple way" I don't really feel the need to use virtual desktops much (I used to use DesktopManager).

For me, this means using Hide (Command-H), Swich app (Alt-Tab), Focus on window (active) or next window (a custom key binding like Alt-Tab), and Expose.

But that doesn't mean there isn't a place for virtual desktops.

One thing that expose relies on is that the conceptual groupings of "All app windows" and "All of this apps windows" are all you need. The problem is if you have a large number of similar looking windows from different applications it can be difficult to manage even with Expose.

Virtual desktops can give you custom Expose groups - which can narrow the search for a particular window. This can be useful if you are working on several complex tasks that use multiple windows from multiple apps (each task can get its own desktop), and also have a bunch of side apps - like your calendar, email, instant messenger etc.

So Expose solves the window management problem to an extent, but it can be combined with virtual desktops when things become even more complex.

Re:It depends on how you work

[civilizedINTENSITY]

I like to dedicate a virtual desktop to each class I'm taking. That way when I want to work I just move to the desktop for that class, and everything I'm working on is open there. I save often, but never actually close a document until its turned in. I use yet another desktop for email, surfing, IRC, etc...

Re:How long before ...

[hunterx11]

The story you linked to is about copyright infringement, not reverse engineering. It has nothing to do with TFA. Apple is not encrypting their undocumented code, so it has nothing to do with the DMCA. Reverse engineering is not necessarily banned by the DMCA; in fact, reverse engineering for interoperability is specifically exempt from it.

Huh?

[RzUpAnmsCwrds]

So now we find out that Apple has used - and is using - undocumented API calls.

Sounds like something Microsoft would pull.

Oh, wait, this is Slashdot. I forgot.

Well, then Apple's just trying to protect its intellectual property. No harm.

Re:Huh?

[the+pickle]

Or, more likely, Apple hasn't seen fit to document the calls yet. Not to excuse their laziness, but it seems like Apple gets around to documenting things much less quickly than they used to. Frankly, I suspect that even after nearly five years of OS X, they're still playing a bit of catch-up with the documentation.

p

Re:Huh?

[Trillan]

Apple has two methods for putting items in the menu bar: The "right" way to do things, and the way that looks good to users.

The wrong way to do things -- and the way Apple uses for their menulets -- reserved involves injecting code into SystemUIServer's running space. If one menulet crashes, all menulets crash under this model. It is not surprising they want to discourage this mechanism for end-developer use.

Personally, I expect that sooner or later Apple will port the features of the "wrong" way to the right way, then upgrade thier menulets to use the documented API instead of the undocumented one. However, I expect there are much higher priorities.

Re:Huh?

[Midnight+Thunder]

Although I can't find a reference to the source, I believe Apple already explained the reason there are documented and undocumented APIs ( these are also known as public and private APIs) The reasoning is that any private APIs are not yet set in stone, so if you do use them you should not be surprised that your application breaks with the next point release. These APIs are undocumented, but not hidden. If you wish to create programs that are stable between releases, then you should only use public APIs. The choice is yours.

Remember there is a difference between hidden APIs and undocumented APIs. Are all the APIs in Linux documented?

Re:Huh?

[jcr]

Keep in mind, that once an API is documented, then Apple is committed to supporting it. If a method or function is not documented, then it can change and break your app with any release, be it a software update, a security update, etc.

-jcr

You parrot nonsense without understanding...

[argent]

So now we find out that Apple has used - and is using - undocumented API calls.

Um, no Apple has no applications that use the virtual desktop APIs to compete unfairly with third party apps. In fact Apple has no competing application in this area at all, and two of the three applications that DO exist are open source.

truss for MacOS X?

[mzs]

On Solaris there is a command truss that is the king of all truss-like commands. Unlike strace, ktrace, and BSD truss this tool can print a trace of all function calls made by an application as it runs (among many other useful things). Does anyone here know of an analogous tool for MacOS X? If not I wonder if an awk/perl script munging the output of nm to generate tracepoints for gdb where each trace point creates a new tracepoint at the instruction where the function call returns, prints out the funtion name and the contents of r2-r10 or so, then continues on or something like this would be something someone has already written.

You're confused, oh trollish one.

[Fished]

So jobs invented capitalism and anything you have to buy is evil?

No, no, no, no! Capitalism creates jobs, but jobs didn't "invent" capitalism. What are you some kind of weird left-wing labor flack who thinks that jobs are the end-all-be-all?

Appleista here!

[Johnny+Mnemonic]

No doubt an Appleista will be along in due course to make clear the path to enlightenment.

You called?

The answer to your difficulty is obvious: follow the money. What strategic advantage does Apple gain by not publicly documenting these APIs? A corner on the windows management market? I'm sure is worth a whole lot because you can see how much Apple charges for it at the Apple Store. Oh, wait, you can't, cause there is no such separate competing product that Apple profits by leveraging their OS.

vs. Windows, where, let's see, they made a substantial amount of their $50 Billion on by selling Office--which required that they kill their competition in Office applications.

"But what of IE?", I hear you plaintively cry. "Doesn't Microsoft give that away for free?" Certainly. But their clear strategy was to use the product to own the web, and IE was the platform to do it.

When Apple sells a virtual desktop management tool, besides the OS, and doesn't document the APIs, you'd have an argument. For example, I imagine QT has access to things that WMP doesn't, but proving that is an exercise for the reader. As it is, you're just trolling. Speaking of simplistic arguments.

Re:Appleista here!

[jcr]

Keynote uses the supported OpenGL full-screen mode. There is sample code at developer.apple.com that shows how to do full-screen GL contexts.

-jcr

In a word, Don't.

[jcr]

I know that it's fun to pick apart the framework code, make guesses as to what it's doing and how, and write code that exploits it in some way, but don't, don't, don't write a commercial product that depends on what you discover by this kind of spelunking, unless you are fully prepared to deal with the consequences of it breaking at any software update.

If your users call Apple because your program broke, Applecare will tell them to talk to you about it. If you ask Apple for help with an undocumented API, your request will be declined.

-jcr

Re:In a word, Don't.

[jcr]

This is wonderful advice for people who are only going to play in the little sandbox O/S developers give them.

It's a bit silly to describe the public, supported API of OS X as a "little sandbox".

-jcr

Get a second monitor. :D

[solios]

I needed more workspace, so I went multihead. Some apps lend themselves well to virts - web browsing, email, a pile of xterms... but when you're running something like photoshop and you need more "room to maneuver". adding extra heads is the way to go.

I seem to be the only OS X user that neither uses no likes Expose much. Part of it's the fact that a few apps I use bind to F11-13, though my BIG gripe is that F14-F16 ARE NOT MAPPING OPTIONS. Why can't I put the shortcuts for Expose onto the three keys that I NEVER use for ANYTHING? :-(

That aside, I've noticed that virts are something the "I used to use freenix but the desktop sucks so I switched" crowd complains about, as well as sloppy focus and the fact that portables have one button trackpads (something of an annoyance if you're using X11 applications). As a whole, the freenix imports seem to be so used to doing things Their Way that the mere notion of a UNIX not having $feature makes them positively apoplectic. :-|

A couple more APIs Apple needs to add...

[argent]

Why can't I put the shortcuts for Expose onto the three keys that I NEVER use for ANYTHING? :-(

What I want to know is why Apple hasn't put a general purpose input or hotkey manager in Preferences that would let you map any key combo to any hotkey-using application.

Plus, every second keyboard these days has half a dozen extra "Multimedia" or "Internet" buttons. Why can't I map those to actions?