Questions tagged [mach-o]
The Mach object file format (Mach-O) is the standard executable format on iOS, Mac OS X and NeXTSTEP.
44 questions
0 votes, 0 answers, 48 views
How does the 'Secure Application ROM (SAROM)' work, and how can it be decrypted?
There is a protection product that I'm interested in analyzing and breaking, called SAROM, which encrypts sensitive information stored on the client side, such as API keys/hardcoded stuff. I tried ...
1 vote, 0 answers, 35 views
Patching an objective C method with NOPs in a Mach-O library
So I am targeting an arm64 Mach-O dynamic library (.dylib), and I want to patch a specific objc method using nops. Here’s the view from binary-ninja:
As you can see, the name of the method is ...
1 vote, 1 answer, 72 views
Objective-C stub functions on AARCH64
I'm analyzing some functions I see in Mach-O binaries and I see that whenever there's a bl instruction to an objective-c stub function that resides in the __objc_stubs section and in that function there'...
2 votes, 1 answer, 346 views
MachO chained fixups parsing
I'm wondering how the info stored in the chained fixups in the Mach-O file is used to resolve binding and rebases?
My question originated from wanting to parse all the Objective-C classes inside a ...
0 votes, 1 answer, 303 views
Extracting obj-c class list from a Mach-O
I'm trying to analyze and get the full list of selectors and their related classes in objective-c by first reading the __objc_classlist section and getting pointers to the struct objc_class list to ...
4 votes, 0 answers, 460 views
Ghidra not loading classes and types of external library
I'm analyzing a mac OS framework, and while redefining types in the decompilation view,
I wish to define one of the types as the NSData class, which is defined inside CoreFoundation ...
1 vote, 0 answers, 88 views
Patched Mac application throws "Invalid value of (null) for entitlement" when running it
I have patched a specific application that I downloaded from the App Store, but when I ran the executable it gave me a signal kill 9. I also reverted the change I made, but the same error was ...
3 votes, 0 answers, 414 views
Changing Offset Value with frida
So I found this offset in Ghidra, and I want to change that offset's value in Frida.
with this picture I have deduced that the offset is 0x6ae210
What I want to do with this is change game....
2 votes, 0 answers, 245 views
How to correct decompiled output with `in_stack_` (ppc BE)?
So I have something like:
*************************************************************
* SYS_DRAW_BATCH_RUNS_DATA::Set(matrix4 const*, RECTF con ..
...
2 votes, 1 answer, 813 views
Disassemble specific mach-o function
I have a mach-o binary and using llvm-objdump version 9 I can disassemble it. I would like to disassemble only a single function though.
If I display the symbol table with --syms I can see the ...
0 votes, 0 answers, 142 views
Is it possible to extract the header files used by a Mach-O 64-bit SDK Binary?
I have a Mach-O 64 bit SDK that I've opened up with JEB (community edition) and I'd like to know if it's even possible to see things like the header files (.h) used/referenced by the binary.
The ...
2 votes, 1 answer, 2k views
Ghidra : iOS Application : Mach-O binary -> Symbol files of dylib or framework are not generated
I'm performing my first reverse on a Mach-O file binary through Ghidra. My problem is that Ghidra doesn't create symbol files of the dylib/frameworks that are loaded in the project. It is really ...
1 vote, 0 answers, 50 views
Is there a way to replace the load method in an objective c class with a stub method in a mach-o binary?
I am learning about parsing and editing Mach-O files and I am stuck on a particular issue.
I am able to read the segments and sections within a binary which is a test iOS app written in Objective-C. I ...
2 votes, 1 answer, 975 views
How to fix an extracted dyld from dyld_shared_cache_x86_64?
As part of challenging myself I was trying to run a program that doesn't exist on Catalina, taken from Big Sur.
I had to extract the dylibs from the shared cache by using this tool.
The library called ...
1 vote, 0 answers, 334 views
otool, nm, dsdump and jtool not able to list a Mach-O binary's symbols
I have encountered this twice recently where I am trying to list the external symbols for an iOS mach-o binary and none of the tools can provide any output. The following is an example of the output ...
1 vote, 1 answer, 335 views
How to fix Mach-O headers from a memory-dumped binary to make it usable again?
I am trying to restore a binary from memory. I reconstructed the binary and analyzed it with a disassembler and it looks okay, but when inspecting the headers with otool I'm getting:
truncated or ...
-2 votes, 1 answer, 864 views
How to fix Mach-O segment section to deobfuscate the binary
When reversing a Mach-O crackme file under IDA Free on macOS, the analysis outputs a log in the console window that yields warnings about Mach-O segments.
Loading file 'target' into database...
...
1 vote, 1 answer, 126 views
Mach-O ARM64 using literal values instead of a frame pointer (BP) register
I'm investigating an iOS app Mach-O binary in IDA and noticed it's using a fixed constant as an offset to the SP to denote the start of the stack frame instead of a register. Is this normal? ARM ...
4 votes, 0 answers, 2k views
How to decompile a obfuscated mach-o dylib?
I am trying to decompile a dylib called libConfigurer64.dylib, which is loaded from the environment variable "DYLD_INSERT_LIBRARIES"
I want to analyze what it really does, so I dragged it in to IDA,...
1 vote, 1 answer, 589 views
When I write into a memory address in gdb, is it an absolute address or PC-relative address?
Recently I tried to use Hopper Disassembler to do the reverse engineering on a Mac application. After decompiling the executable file, I got a bunch of cstrings defined in the specific location. For ...
4 votes, 2 answers, 2k views
Why are there absolute jmps in disassembly of position independent code?
I'm playing around with Hopper and am looking at the disassembly of a binary that otool reports as having the PIE flag.
It's my understanding that as a result, the executable base address will be ...
1 vote, 1 answer, 139 views
Powermac gdbserver wrapper/How to attach IDA to powermac application?
How do I debug a PowerMac application using gdbserver, provided there is no gdbserver?
I've tried compiling various versions of gdb found in Apple open source, specifically the gdbserver part, but it ...
19 votes, 6 answers, 26k views
What is a free & open source alternative to IDA Pro for MacOS?
I am looking for a free & open source alternative to IDA Pro that runs on macOS; the suggestions should have as close to the features of IDA as possible. I should also be able to edit an executable ...
6 votes, 1 answer, 5k views
getting function address by reading ADRP and ADD instruction values
Hello reverse engineers,
I'm analysing a fat Mach-O binary, and it has an ADRP and an ADD instruction in it.
I'm talking about these instructions:
__text:00000001002E050C ADRP ...
2 votes, 1 answer, 538 views
iOS Position-independent code and relocations
I'm reversing few iOS Mach-O application executables these days and all of them use Position-independent code (PIC; the MH_PIC flag is set). I've been expecting a large number of relocation entries (...
3 votes, 1 answer, 892 views
Mach-O : Convert virtual address to file offset on disk
Hello reverse engineers,
I am reverse engineering a Mach-O executable for iOS.
File says: Mach-O universal binary with 2 architectures: [arm_v7: Mach-O arm_v7 executable] [64-bit architecture=12].
I ...
0 votes, 2 answers, 759 views
Why do I get different addresses for the printf function when I disassemble with otool?
I'm using otool on macOS to disassemble some simple C programs I built in order to gain a better understanding of assembly language. I disassembled three programs, all of which consist of a single ...
2 votes, 1 answer, 507 views
No LC_UNIXTHREAD segment in iOS application Mach-O
I'm analyzing the load commands section of an executable Mach-O file on iOS 9.3.3; the Twitter app is used for illustration.
# otool -hV Twitter
Twitter:
Mach header
magic cputype cpusubtype caps ...
14 votes, 3 answers, 26k views
Remove code signature from a Mac binary
How can I remove the code signature from a binary so that I can patch it without the binary refusing to run afterwards?
Needless to say, I'm not the original creator of the binary, nor do I have the ...
0 votes, 1 answer, 110 views
Order of architecture headers in fat (universal) executables
I'm working on a reverse engineering project with fat executables on OS X. So far I have established the structure of the fat_header, fat_arch and macho_header, but am having trouble finding ...
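The lookup that both this question and the earlier "Mach-O : Convert virtual address to file offset on disk" question need, as an added worked example by the editor; it is not code from the original page or from any answer. It walks the big-endian fat header to find a slice by cputype, parses that slice's LC_SEGMENT_64 load commands, and maps a virtual address to a file offset, returning None for addresses that exist in memory but have no bytes on disk. It assumes little-endian 64-bit slices (MH_MAGIC_64) and the classic 32-bit fat header; FAT_MAGIC_64 and 32-bit slices are not handled. The two-slice universal file it parses is constructed inline with struct so the script runs offline; it is not a real binary.

```python
import struct

# Constants from <mach-o/fat.h> and <mach-o/loader.h>
FAT_MAGIC = 0xCAFEBABE        # fat_header/fat_arch are big-endian on every host
MH_MAGIC_64 = 0xFEEDFACF      # 64-bit header, little-endian on x86_64 and arm64
LC_SEGMENT_64 = 0x19
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
ZEROFILL_TYPES = {0x1, 0xC, 0x12}   # S_ZEROFILL, S_GB_ZEROFILL, S_THREAD_LOCAL_ZEROFILL


def parse_fat(data):
    """[(cputype, cpusubtype, offset, size)] from the fat header; [] for a thin file."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return []
    nfat_arch = struct.unpack_from(">I", data, 4)[0]
    return [struct.unpack_from(">IIIII", data, 8 + 20 * i)[:4] for i in range(nfat_arch)]


def parse_segments(data, base=0):
    """Walk the load commands of the mach_header_64 at file offset `base`; return every
    LC_SEGMENT_64 with its sections. All offsets are relative to the slice, not the file."""
    magic, _cpu, _sub, _ftype, ncmds, _szcmds, _flags, _res = struct.unpack_from("<8I", data, base)
    if magic != MH_MAGIC_64:
        raise ValueError("no little-endian 64-bit Mach-O header at 0x%x" % base)
    segs, off = [], base + 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            (name, vmaddr, vmsize, fileoff, filesize,
             _maxprot, _initprot, nsects, _sflags) = struct.unpack_from("<16sQQQQiiII", data, off + 8)
            sects = []
            for i in range(nsects):
                s = struct.unpack_from("<16s16sQQIIIIIIII", data, off + 72 + 80 * i)
                sects.append({"name": s[0].rstrip(b"\0").decode(), "addr": s[2], "size": s[3],
                              "offset": s[4], "zerofill": (s[8] & 0xFF) in ZEROFILL_TYPES})
            segs.append({"name": name.rstrip(b"\0").decode(), "vmaddr": vmaddr, "vmsize": vmsize,
                         "fileoff": fileoff, "filesize": filesize, "sections": sects})
        off += cmdsize        # advance by cmdsize so unknown load commands are skipped safely
    return segs


def va_to_file_offset(va, segs):
    """Slice-relative file offset for a virtual address, or None when no bytes on disk back
    it (__PAGEZERO, zero-fill sections such as __bss, the part of vmsize past filesize)."""
    for seg in segs:
        if not seg["vmaddr"] <= va < seg["vmaddr"] + seg["vmsize"]:
            continue
        for s in seg["sections"]:    # section granularity catches __bss living inside __DATA
            if s["addr"] <= va < s["addr"] + s["size"]:
                return None if s["zerofill"] else s["offset"] + (va - s["addr"])
        delta = va - seg["vmaddr"]   # e.g. the Mach-O header itself, which sits in __TEXT
        return seg["fileoff"] + delta if delta < seg["filesize"] else None
    return None


def va_to_fat_offset(data, cputype, va):
    """Same lookup on a universal file: choose the slice by cputype (never by its index in
    the fat_arch array), then add that slice's fat_arch.offset to reach the on-disk offset."""
    archs = parse_fat(data)
    if not archs:
        return va_to_file_offset(va, parse_segments(data, 0))
    slice_off = next(a[2] for a in archs if a[0] == cputype)
    rel = va_to_file_offset(va, parse_segments(data, slice_off))
    return None if rel is None else slice_off + rel


# --- constructed sample input: a two-slice universal file built in memory, not a real binary
def build_slice(cputype, cpusubtype, text):
    """Minimal 64-bit slice: __PAGEZERO, __TEXT{__text at +0x400}, __DATA{__data, __bss}."""
    def seg(name, vmaddr, vmsize, fileoff, filesize, sects):   # maxprot/initprot are placeholders
        return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + 80 * len(sects), name, vmaddr,
                           vmsize, fileoff, filesize, 7, 5, len(sects), 0) + b"".join(sects)
    def sect(name, segname, addr, size, offset, flags):
        return struct.pack("<16s16sQQIIIIIIII", name, segname, addr, size, offset, 2, 0, 0, flags, 0, 0, 0)
    base = 0x100000000
    cmds = (seg(b"__PAGEZERO", 0, base, 0, 0, [])
            + seg(b"__TEXT", base, 0x1000, 0, 0x1000,
                  [sect(b"__text", b"__TEXT", base + 0x400, len(text), 0x400, 0x80000400)])
            + seg(b"__DATA", base + 0x1000, 0x2000, 0x1000, 0x1000,
                  [sect(b"__data", b"__DATA", base + 0x1000, 0x10, 0x1000, 0),
                   sect(b"__bss", b"__DATA", base + 0x2000, 0x100, 0, 0x1)]))   # S_ZEROFILL
    img = bytearray(0x2000)
    img[:32] = struct.pack("<8I", MH_MAGIC_64, cputype, cpusubtype, 2, 3, len(cmds), 0x200085, 0)
    img[32:32 + len(cmds)] = cmds
    img[0x400:0x400 + len(text)] = text
    return bytes(img)

X86_TEXT = bytes.fromhex("554889e55dc3")                 # push rbp; mov rbp,rsp; pop rbp; ret
ARM64_TEXT = bytes.fromhex("fd7bbfa9fd030091c0035fd6")   # stp x29,x30,[sp,#-16]!; mov x29,sp; ret

def build_fat():
    slices = [(CPU_TYPE_X86_64, 3, build_slice(CPU_TYPE_X86_64, 3, X86_TEXT)),
              (CPU_TYPE_ARM64, 0, build_slice(CPU_TYPE_ARM64, 0, ARM64_TEXT))]
    hdr, off, body = struct.pack(">II", FAT_MAGIC, len(slices)), 0x1000, b""
    for cpu, sub, img in slices:
        hdr += struct.pack(">IIIII", cpu, sub, off, len(img), 12)   # align field is log2 (4 KiB)
        body, off = body + img, off + len(img)
    return hdr.ljust(0x1000, b"\0") + body

if __name__ == "__main__":
    fat = build_fat()
    for cpu, _sub, off, size in parse_fat(fat):
        print("slice cputype=0x%08x at file offset 0x%x, %d bytes" % (cpu, off, size))
    print("arm64 VA 0x100000404 -> file offset %#x" % va_to_fat_offset(fat, CPU_TYPE_ARM64, 0x100000404))
```

The checks a naive `va - vmaddr + fileoff` skips are the ones that bite in practice: __PAGEZERO covers the low 4 GiB with filesize 0, zero-fill sections such as __bss sit inside __DATA's vmsize but occupy no file bytes, and a segment's vmsize may run past its filesize; the function returns None for all three rather than a plausible-looking offset into unrelated data. For a universal file the fat_arch array is big-endian whatever the host, and its entry order is not something to depend on: select the slice by cputype/cpusubtype and add its offset to the slice-relative result to get the offset on disk.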
0 votes, 1 answer, 645 views
Mach-O functions pointer
I'm trying to understand how Mach-O files work; I already succeeded with parsing of load commands, sections, symbol table etc. Anyway, I'm trying to figure out a way to find class method pointers to ...
7 votes, 2 answers, 4k views
Method disassembly of Objective C Mach-O with Radare 2
Is it possible to retrieve the disassembly of Objective-C methods declared in Mach-O files using Radare 2?
8 votes, 1 answer, 2k views
Retrieving Objective-C Control Flow?
I am learning to disassemble and analyze objective-c binaries. One of my frustrations is that in Hopper, and IDA, it seems that the proper cross-references and control flow are not preserved. I ...
5 votes, 2 answers, 2k views
Patching a Mach-O Binary Header to remove a LC_SEGMENT
I have an ARMv7 Mach-O executable on which I want to patch out a certain segment in the binary header which prevents DYLD injection.
more information here under point 3. of preventing dyld injection....
16 votes, 2 answers, 6k views
In a Mach-O executable, how can I find which function a stub targets?
Before exposing my problem, here's my understanding of the whole thing, so that you may correct me if I'm saying something wrong.
In a Mach-O file (at least on x86), the __TEXT.__stubs section ...
2 votes, 2 answers, 1k views
Can one modify a program by "wrapping" its binary? What tools exist?
(This question is related to How do I add functionality to an existing binary executable?).
I too would like to add functionality to an existing application, but I do not want to modify the original ...
1 vote, 0 answers, 233 views
Merging static library into mach-o executable
I got a mach-o executable and a static library that has a few __attribute__((constructor)) functions.
Is there a (least painful) way to merge the static library into the mach-o executable ?
3 votes, 1 answer, 1k views
Interacting with command line programs in Hopper disassembler (Mac OS 10.9)
To test the debugging capabilities of Hopper, I wrote a simple C++ command line application, and tried to run it on the remote debugging server (with gdb). However, I learned after I failed to be able ...
2 votes, 0 answers, 3k views
Unpacking and disassembling mach-o binary
I am trying to reverse an OSX mach-o binary,
Disassembling gives me garbage; it seems it's encrypted with some packer.
I need to determine the encryption algorithm, and decrypt the binary.
Load ...
3 votes, 1 answer, 1k views
Editing a Mach-O x86_64 binary with 0xED results in an app crash
I created a simple Cocoa app (Mac 64-bit) in Xcode, and in it I created a string object, and then output the contents of the string in an NSLog statement.
Then I decided to see if I could modify the ...
3 votes, 2 answers, 1k views
Reversing a Mac OS X binary that appears to be non encrypted, backtrace just shows mach_msg_trap ()
Currently I have a binary that I am investigating. The application is GUI / event driven, so that makes it difficult to set a break point. I would like to set a break point on a certain button click,...
12 votes, 2 answers, 3k views
Encrypted Mach-o binary cannot be disassembled/traced with GDB
I'm trying to analyze an encrypted Mach-O binary (non-iPhone one), and I am observing the following strange behaviors:
when I load this binary into GDB and try to disassemble the code at the address ...
6 votes, 1 answer, 253 views
Strange GDB behavior in OSX
I'm reversing some malware on an OSX VM when I noticed something peculiar. While stepping through the instructions, the instruction just after an int 0x80 gets skipped, i.e. gets executed without me ...
6 votes, 1 answer, 4k views
Printing Unicode strings in Gdb in OSX
Are there any useful snippets or Gdb functions that you guys normally use to print out Unicode strings? I'm trying to debug Mach-O binaries and x/s seems to be printing out junk. I believe the default ...