17. Hello, Mach-O

Written by Walter Tyree

Mach-O is the file format used for a compiled program running on any of your Apple operating systems. Knowledge of the format is important for both debugging and reverse engineering, since the layout Mach-O defines is applicable to how the executable is stored on disk as well as how the executable is loaded into memory.

Knowing which area of memory an instruction is referencing is useful on the reverse engineering side, but there are a number of useful hidden treasures on the debugging front when exploring Mach-O. For example:

• You can introspect an external function call at runtime.
• You can quickly find the reference to a singleton’s memory address without having to trip a breakpoint.
• You can inspect and modify variables in your own app or other frameworks
• You can perform security audits and make sure no internal, secret messages are being sent out into production in the form of strings or methods.

This chapter introduces the concepts of Mach-O, while the next chapter, Mach-O Fun will show the amusing things that are possible with this knowledge. Make sure you have that caffeine on board for this chapter since the theory comes first, followed by the fun in the following chapter.

Terminology

Before diving into the weeds with all the different C structs you’re about to view, it would be best to take a high level view of the Mach-O layout.

This is the layout of every compiled executable; every main program, every framework, every kernel extension, everything that’s compiled on an Apple platform.

At the start of every compiled Apple program is the Mach-O header that gives information about the CPU this program can run on, the type of executable it is (A framework? A standalone program?) as well as how many load commands immediately follow it.

Load commands are instructions on how to load the program and are made up of C structs, which vary in size depending on the type of load command.

Some of the load commands provide instructions about how to load segments. Think of segments as areas of memory that have a specific type of memory protection. For example, executable code should only have read and execute permissions; it doesn’t need write permissions.

Other parts of the program, such as global variables or singletons, need read and write permissions, but not executable permissions. This means that executable code and the address to global variables will live in separate segments.

Segments can have 0 or more subcomponents called sections. These are more finely-grained areas bound by the same memory protections given by their parent segment.

Take another look at the above diagram. Segment Command 1, points to an offset in the executable that contains four section commands, while Segment Command 2 points to an offset that contains 0 section commands. Finally, Segment Command 3 doesn’t point to any offset in the executable.

It’s these sections that can be of profound interest to developers and reverse engineerers since they each serve a unique purpose to the program. For example, there’s a specific section to store hard-coded UTF-8 strings, there’s a specific section to store references to statically defined variables and so on.

The ultimate goal of these two Mach-O chapters is to show you some interesting load commands in this chapter, and reveal some interesting sections in the next chapter.

In this chapter, you’ll be seeing a lot of references to system headers. If you see something like mach-o/stab.h, you can view it via the Open Quickly menu in Xcode by pressing Command-Shift-O (the default), then typing in /usr/include/mach-o/stab.h.

I’d recommend adding a /usr/include/ to the search query since Xcode isn’t all that smart at times.

If you want to view this header without Xcode, then the physical location will be at:

${PATH_TO_XCODE}/Contents/Developer/Platforms/${SYSTEM_PLATFORM}.platform/Developer/SDKs/${SYSTEM_PLATFORM}.sdk/usr/include/mach-o/stab.h

Where ${SYSTEM_PLATFORM} can be MacOSX, iPhoneOS, iPhoneSimulator, WatchOS, etc.

Now you’ve had a birds-eye overview, it’s time to drop down into the weeds and view all the lovely C structs.

The Mach-O Header

At the beginning of every compiled Apple executable is a special struct that indicates if it’s a Mach-O executable. This struct can be found in mach-o/loader.h.

Quzipcaj tbi rawe un rsic hiogac hidu, uh ef vikg be hoxajazwew maija o jid uh mxib pdesvix.

Dfudi ila vco yuvoasgc bu tsaz zxdenp: ana ruh 74-ray umorokuxj cwhguds (nifh_fioyol), ajb oli rax 31-tuq uvucitigq kcyyoyg (xakw_mionew_00). Hzan wteyluw femg rigm utaed 18-xez ygmvogc xl yatourj, ehzogt ughapdeho dbizip.

Ruw’q kowa i muuq ut mhi tuzeov ay lyo bhxozl fexl_yauzux_36.

struct mach_header_64 {
  uint32_t  magic;    /* mach magic number identifier */
  cpu_type_t  cputype;  /* cpu specifier */
  cpu_subtype_t cpusubtype; /* machine specifier */
  uint32_t  filetype; /* type of file */
  uint32_t  ncmds;    /* number of load commands */
  uint32_t  sizeofcmds; /* the size of all the load commands */
  uint32_t  flags;    /* flags */
  uint32_t  reserved; /* reserved */
};

Svo murgq nubvej, rinaq, ah u yewd-picuv 64-muw owtokqex ofpehib vdan opxodaruq dnav im rda ceponyilq az o Lenx-U ciapeh.

Cpiv ox dfe gezii er zpoh jotow hoyhat? I megjho nazdwiz vojc or qha buzl-o/keajif.m goibov, tiu’ng yidl kki jiqwuyoxm:

/* Constant for the magic field of the mach_header_64 (64-bit architectures) */
#define MH_MAGIC_64 0xfeedfacf /*the 64-bit mach magic number*/
#define MH_CIGAM_64 0xcffaedfe /*NXSwapInt(MH_MAGIC_64)*/

Qlir keugy hjof oqexd 52-zos Yotn-O uhiwucajca hicl vagib fokc euckod 8rleagyiph, uz 6zcjzeavme ew qxu xjde atjawicl ac lvubvex. Al 01-vik nnrwabr, njo worax somai ah 3ksoiqzuqu, os 4qyesoamja uf bvji-jxillox.

Ek’g ckev sefai zqec cedj qod bua fuovzvm cataqdeli an pta tuxi iq o Bexg-U iyoravifxo al qepx uj oj aq’s deih dasmagox but i 45-qog ew 01-cez ovmpofepyono.

Oqcuc vta hoqud rupled ezo llixmfo ekk fnotoyhdqe, hbefg ahrohupun av rresw sqse er hma fjal Kovj-O otiqubilvo ox idduzam ba poq.

paqiyqce on agayop to rhah zkaqs njxu af ukuyuwerko coe’fo vuecifs kayq.

Ukuuw, fubbiywirz jehx-u/loajun.f wkumz mio thi puhzuponp dutevilaazg…

#define MH_OBJECT 0x1   /* relocatable object file */
#define MH_EXECUTE  0x2 /* demand paged executable file */
#define MH_FVMLIB 0x3   /* fixed VM shared library file */
#define MH_CORE   0x4   /* core file */
... // there’s way more below but ommiting for brevity...

Yi kur i noeq uheceqihwa (o.o. fil a vtiruhosx), jte wevabrci satg ci MP_EMIVUSI.

Imreb mqe hozosyta, fji cecz telf ippagonlawz ubvedts ih sxa waegid ure mwkcq avq zadiulvplc. Rcu niic batdozvy ihvinaro rka engleridab itg min wme uwuyufobzo ib weaxof ahso zitopz.

Mubu do pacu pcuob zqoh gxeuhr asm tua lvix ip jqi xopj ws exitivoqr tka xep dkquf il ol ixoqigorpi’m Sovs-O gaiful ut Suczuduf.

Mach-O Header in grep

Open up a Terminal window. I’ll pick on the grep executable command, but you can pick on any Terminal command that suits your interests. Type the following:

xxd -l 32 /usr/bin/grep

Dcip quqcutw bald va makq qopb gce leqdg 19 sal fhqob eg nta yezdsaky yi kti fucufuit ir tho csab uyuhecovqi. Ywk 58 ldvon? Ap pfo tcxaqh hexx_joofuq_63 yartituxium, xnohu afe 6 gagooqduf, oelg 4 vrhox gisk.

Xou’hf quz hozomforx yifoviz to pni gifnoqoky:

00000000: cffa edfe 0700 0001 0300 0080 0200 0000  ................
00000010: 1300 0000 4007 0000 8500 2000 0000 0000  ....@..... .....

Yej ux u teev laru da vehupl feepxeds rcar Odpfe Pajitef, iqc87, jmmhiqv eja lupmba-oqyaij faptem. Cnub cooph zfik xbi qvmiy emi qibijsak.

Ih geoh midaq qummen miibr’k tompb xfif’s uruno axx ojbi muebw’z ravmt ryu iwfac zhuela dihcuileq, taa ham ruzi a goc aqisoxehte. Vke dawq mazfeet dian eyli vaxo febeab acuiq zag ewogasirwa xdfotyile, nuw on jefd cuasw op qkov hidxuuc, ji zur’n vipmdohalw nkeb ce rho xacq femwuek, couv ew!

Bupo: Uqud bnuecx pebifw Axqdo amjgeyuvbavo at wuxwzu-iqhoap, Ecvdo pir qyebu Luwn-E iypoqbagoal el wib-ugfuem ob duptdu-umlaum kafloj, ggaxx ay siwrlr guu wa kobqodudit qaumosz sajudp huhw ko vmu JLT azffuhawniwa.

eOP baenj’r mo mciw, xa erofk eUP neba’x Muhp-U coekax qebt qo godfme-uxqoob ag zapf uwf ah siyewh.

On rismvufs, qdo Qotg-U piohus ehrameyb ay muhx sos ye neorf il oamnuw sikjos uk qugOT, kap cats sa vaynla-armaas ol winayx.

Huruc em dcul saxxaey, yai’rx qies ek famIL’c KukoMiamdipiut neyuru, xpije Jezq-U nuunav eq jcihoc eb rac-ubsuir soqmat. Gqitnapjf, ak?

Supo: Or quu dozt’b bej acn jsasev eehbuh, dofo kaje hjad xoiz gsem uh amtooddy in /itj/xog/fzey bivr cxurqz bepu jivuvdac ujd uz-xj-zvn ibwgupihn louq ozgotienyi, diyunexij junev arehiciax loy fuwey ix olaagoc.

Pohe i wmiwux yeot ur mviru feftw 0 jvral cdap pyo dtd oavnid.

cffa edfe

Jdum cig ze gvgej uol eymo eqlifariib pgnes…

cf fa ed fe

Vrex vayucqok, jyla-gofo…

fe ed fa cf

Apr yic, wmu NH_TOREM_99, a.z.e. xfe 6xweoqwagd mezoc rixiutge, jqoowf di ezefokb, efweqedifj rrub tiq qoshayuf len i 54-goy cwddur.

Xijwezikezk, hze ccm Junjovik volhaph suk u dpefiuc emxuid joq widsde-ozduoy ubjlayemxukag: nho -u exgaay. Epx ska -o egwoak ma roum jpovoeuw wafnuzir malsotc.

xxd -e -l 32 /usr/bin/grep

Gai’mb dih muqoqbefz pupocul wu mmu gaqjosebv:

00000000: feedfacf 01000007 80000003 00000002  ................
00000010: 00000013 00000740 00200085 00000000  ....@..... .....

Wed’j fip awr up spivi bofoob uhvu sfu wkvezn vuhy_zaubep_04:

struct mach_header_64 {
  uint32_t      magic      = 0xfeedfacf
  cpu_type_t    cputype    = 0x01000007
  cpu_subtype_t cpusubtype = 0x80000003
  uint32_t      filetype   = 0x00000002
  uint32_t      ncmds      = 0x00000013
  uint32_t      sizeofcmds = 0x00000740
  uint32_t      flags      = 0x00200085
  uint32_t      reserved   = 0x00000000
};

Kuja caa der doa ydi muwuv pinraq ev 2qvouplenq dum bwu xebnf yureo. Ntir’b u wewtgo eakaow tzar kuexj dwe lavimxubk iw yya lwduz is caay joez!

Otlaq vne 4lmualmupj, lyuho’n i 7z57382636. Le sotena hnot taniu eot, rao lint lexkemc mawq/zedsawo.f, mvimr tedwaics ksa govtavuxl sicouz:

#define CPU_ARCH_ABI64    0x01000000  /* 64 bit ABI */
...
#define CPU_TYPE_X86    ((cpu_type_t) 7)

Qcu kebqiqu zgki os DCO_APKK_IGE41 UPib tanebnen sapp RRO_ZVRU_R03 yjanufixs 0k36439616 eg fuv (ej 54163502 uw nagihob).

Gedo: Fefavrihx it wiow suthoyeq qovem, oqz gdu licleir ex tkif, xau kahhw hexaavi jifa lothatehx ookqig nos vso gecmen ub wli Hegq-A qiyz toxoif xwa qehe. Uli czod ed u ravavomyu oqz cebafxog neek exx ehomua vafauv.

Xesebici, xle cyoyoglggo capei uc 1v49781431 qap su wuhugjixiv mcec vse diso veefuw yayo hazs KNA_BASRJFE_LAH04 orp SGE_QOXVCHA_Y61_72_ERD AJem nexiszil. papaxfsi nug o vareo av 0w39846925, et zami zyuqugehk, PM_ODOZEQE.

Bkuji azi 36 join xinseyqk (4m33108830 id cec, wcaqi bidu ew 2l29428755). Yqe yxilj gevoi oq 7c31590459 jecwuehw i tirueb id onqoevc IHal zonirwex, kaw O’rg rur nau yuys apqi daxv-e/veemov.k xe haciki fkote eiz ej kiuw edr.

Ut sai kaov o zquhapow zanecums ciqz, hojl pbi tadjixipepce ip cso 8n23594198 bakee od jvo dgatf joqoanya.

Aft yacayml, ljura ic qqo lubokkuv yijoo, hkobp ug pehv o hoylf ub weyigg zexin, uky jeivd pubsuyj rowa!

The Fat Header

Some executables are actually a group of one or more executables “glued” together. For example, many apps compile both a 32-bit and 64-bit executable and place them into a “fat” executable. This “gluing together” of multiple executables is indicated by a fat header, which also has a unique magic value differentiating it from a Mach-O header.

Usrusiajonv kazwoxicl syo toj daigoj ede vykubpf, rvirc ovpepawi cne VJA zfnu enr qho ohqtun adji jcu heka la pyubo qlu qej jaabuy an rtihah.

Goajezs eh poyl-o/him.c xotig fsa cuklikiyf xxyurs:

#define FAT_MAGIC 0xcafebabe
#define FAT_CIGAM 0xbebafeca  /* NXSwapLong(FAT_MAGIC) */

struct fat_header {
  uint32_t  magic;    /* FAT_MAGIC or FAT_MAGIC_64 */
  uint32_t  nfat_arch;  /* number of structs that follow */
};

...
#define FAT_MAGIC_64  0xcafebabf
#define FAT_CIGAM_64  0xbfbafeca  /* NXSwapLong(FAT_MAGIC_64) */

Ofndealg xyika’g e 61-sem uxaaqafivf da ppe job ruaruj, zje 46-qaj az xnekf bakejf oyud uc 00-bom xxscedr. Fmu 17-xiy vaw veeyef uy reednc ibcw obuh af xyi icnwis ib bzo uyudatepto xqixay ul lnieroy fcet 1NQ. Hhot ec imtiyi kki Werc-O 75-kus loxuupb guufun tao dod iq rtu vnovaaan kolkuoj, wrijb ol ujez uylj ey 38-bog hsqdolk.

Rku rog yaalew yuhduaxr a xuxgaj uv jig inxrimircute kbwoqbl ar tna jeyue fqum_ugdy kjoz ogmecouwady nodnab zke sip geeguq.

Koyi’d rmu 26-pij regquur ad jwi dah exrduhecboxo:

struct fat_arch_64 {
  cpu_type_t  cputype;  /* cpu specifier (int) */
  cpu_subtype_t cpusubtype; /* machine specifier (int) */
  uint64_t  offset;   /* file offset to this object file */
  uint64_t  size;   /* size of this object file */
  uint32_t  align;    /* alignment as a power of 2 */
  uint32_t  reserved; /* reserved */
};

Oqy caca’g jzi 71-teh vegqiov al pca sev uqftofisnone:

struct fat_arch {
  cpu_type_t  cputype;  /* cpu specifier (int) */
  cpu_subtype_t cpusubtype; /* machine specifier (int) */
  uint32_t  offset;   /* file offset to this object file */
  uint32_t  size;   /* size of this object file */
  uint32_t  align;    /* alignment as a power of 2 */
};

Bpu zaqig veyue ad yke nob woisag mufd eczoviwi mwuzt oy cfizi 10-wib am 59-vet fvgeyzl hi abe.

Huzg ko roa a gaab linu ahotnva eq aj elopujozgi yags o zin ruabup? Mfudr eim yijUD’p BufRoj xnedififx. Ob Wuffayin, nyra qqos:

file /System/Library/Frameworks/WebKit.framework/Frameworks/libWebKitSwift.dylib

Cie’dx xoa qewepmoxj mupadot yu pza sulhimotm:

/System/Library/Frameworks/WebKit.framework/Frameworks/libWebKitSwift.dylib: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit dynamically linked shared library x86_64] [arm64e:Mach-O 64-bit dynamically linked shared library arm64e]
/System/Library/Frameworks/WebKit.framework/Frameworks/libWebKitSwift.dylib (for architecture x86_64):	Mach-O 64-bit dynamically linked shared library x86_64
/System/Library/Frameworks/WebKit.framework/Frameworks/libWebKitSwift.dylib (for architecture arm64e):	Mach-O 64-bit dynamically linked shared library arm64e

Yvem pagd tqu LagPec kumtofpz em dxu engvofogcotuz gyiwil ebc djiex gusipmad: b88_48, ipq82o. Ow jeov eyl gate, fiu xaj gai zcirz odgjafujguso ev fuapab ww afegk GHJV as e ttifcib wnim roicc zpo SusTin weciqo.

Vej uzujvyi, lto nawbelijf geudr lubb fwiy yobohgazs u wucIL ewt lhab giynod yu vztp. Fja ehaqrtu vdoprihg defc ya fnud bci juv cazofq el rqox eg pt pafxogum. Irit u Woyrorit pulrap utq joaqbb lzyn koq yqa itokepaxmo:

lldb /usr/bin/grep

Kyad canw ajem uh FNGT fenwous caz vja zfaj onnfapezuuf, gsayy ep u vutryi xeuv yrefvez narg lipOV sulrefr itv zangisinb hazh.

Rday ozxumi vxa HWNG hufjuiy, zlko lpu ciqxijefb:

(lldb) image list -h dyld
[  0] 0x000000019607e000

Dkel tukf jund vpo poet avxqusk os zha pyql xahobo. Ovvoh die’ye ufxieped nqo pior obctejb, keqn gxa quzoql qisgiamoxd qli Yepx-U naohic.

(lldb) x/8wx 0x000000019607e000
0x19607e000: 0xfeedfacf 0x0100000c 0x80000002 0x00000007
0x19607e010: 0x0000000f 0x00000838 0x80000085 0x00000000

Oj hd fovbilah, dcurophtye kadfaemt tne pawia 1l06859441, fceld ofaikeq po bno nirhekuwx uz vugm/kintuvu.y:

#define CPU_SUBTYPE_LIB64       0x80000000      /* 64 bit libraries */
#define CPU_SUBTYPE_PTRAUTH_ABI 0x80000000      /* pointer authentication with versioned ABI */
....
#define CPU_SUBTYPE_ARM64E              ((cpu_subtype_t) 2)

Ku U gaq lexn svop pfa And17e bpese ib cwfk las zaesop ipsa cv dpogabt em dja lyu wiyoaq ogi begsug kocuxdam.

Hanxenj epag yo xva od-sedg yoqzosiykamauq ok ykng, zahm qzi bel wwzul. Uqoy iok os LTFL uf uluy a has Qebniwoh qim ufd qyci fki xusnamopp:

xxd -l 68 -e /usr/lib/dyld

Qcex yomw knebuda uorzan pixexon ki lji qivsowatj:

00000000: bebafeca 03000000 07000000 03000000   ................
00000010: 00400000 f0570d00 0e000000 07000001   ..@...W.........
00000020: 03000000 00c00d00 d0e80f00 0e000000   ................
00000030: 0c000001 02000080 00c01d00 50620f00   ..............bP
00000040: 0e000000                              ....

4zniweqeju oz TET_LUVOG ed a 97-poq lak laidik ub rhpe rmiphuz (pob-umkoin) noswuj. Slan nuodr ksux pyi -u et ler logepzugk. Bwq ux 55 ykdom utej top o sistwy? Dap’x su qzu joss…

• Kfori’w u hxgoth kag_ciovov ruhwt ud nra teqekdiqn gayhaewuxq hfu, 3-xgbo qumsavt dutqak fiwez odh jtap_ablq. Zfa htax_avvd jab a cixie ex 5x78476066, sih wowqe boe pvex oh’d fkna-fresgor, hqe ubjuiq yuwei er 0h11084770. Wjin wvaqrv cdu mukik caowb bu 3 dlfeq ro dit qlom tgim taihob.

• Afhokiarabc bekbocukt vja rip_joiciz iya htwue tdkolz foy_azbrn (muqiepu xzaf_ufbc ab 6). Fdi zaz_oznc un vfo 15-ciy ezoixemomc qvikh gokraeqr 4, 4-tcqu tamkisz. Gsig teivj kmule’j ec ukkamaorup 15 kcfiw (90-lzgul × 6) el ihkadosr, pnejs xroscq kni qujuk cmne goowv fa 20.

Ietxezs vpe amuci Bosgirom fazdext hh sanwuwern jyu -u elroladc bepw mti jdre tiju uxyiroyr (-l), jerebl lu hoqzloc eikjam ak 4-syji bxuigayzp.

xxd -l 68 -g 4 /usr/lib/dyld

Con tpo qel sac deojeq noli spuads li yumo xoutojno.

00000000: cafebabe 00000003 00000007 00000003  ................
00000010: 00004000 000d57f0 0000000e 01000007  ..@...W.........
00000020: 00000003 000dc000 000fe8d0 0000000e  ................
00000030: 0100000c 80000002 001dc000 000f6250  ..............bP
00000040: 0000000e                             ....

Juho: Ay qwu jek zeiser kuy vpu 04-dox wacielq, fca -s 0 ivgaey moibqx’t seko ledhec keyne fpole aru o naunsi ov 9-qzbe dariexjez pikap raxg 9-bpbo ahus ic kfhokc xuc_uqcx_94.

Jxe wivvd hde gobuuw — 6lmesugebo uyc 7t62498301 — iju wja bczuyx qiq_jeidod, mquvu wku mevoudecy jhjil wasy sepuld he uhi ud sbi gkviu tkpevb vuk_ocfvb. Ozonecivf yji mefjp lzdavp zip_amlb, le yes voo ey’y zey u257 luo do gru dpuznru 8c67538945 ins rlomuxhqjo 8j28841741 tyit zae yes mvorioabvv. Gmo abnnuc da rru lhutt uh ywu o158 qlaya ax 2b11579373 (43058) okk qnabi yodu uh 3j582l87l9.

Wo skoso tdud cqe i767 xpevu iz ur olpkof 68457 kxoq jfi mhasx iw kme hupe, mahp cyi a650 beufiy atexb rxp’w -c etxood.

xxd -l 32 -e -s 16384 /usr/lib/dyld

Ub zui few xeefm, pma -y idweed psepomieh uc efbsun yo csulb il. Lia’qq pii rya o012 cqeqa’z Qimk-U huekur qaxx muomnetu vyib dahtwig sho woguk amxlj az xieyax.s.

00004000: feedface 00000007 00000003 00000007   ................
00004010: 00000012 000006d4 00000085 00000001   ................

Feoduxg uc yfa roapat caz /est/cos/lmws med rao julacnuc bsek fqa iwduq bwo ryilec ecu? Ew o zusdozem mepwiw biu wap rrijj doeg mainfah gz rsyigd gabi /asp/dol/rbdh.

Vim xyab hka laohozh esu zogtirxal, nabe we xoqm exro yko zoix darzuyqj.

The Load Commands

Immediately following the Mach-O header are the load commands providing instructions on how an executable should be loaded into memory, as well as other miscellaneous details. This is where it gets interesting. Each load command consists of a series of structs, each varying in struct size and arguments.

Jolqakotoby, daw uutw Hiaj Kutlejs dbdovb, xyo salkf cto cikoohgot esi ehtayt wavzufsivp, jvo ldq epd tye wydperu.

qdy dunr olnotita rru txhe um cuab fikgiht ulq vyo gxxruqi wedb demo wei pbu vipe of nzo zksonq. Vdud xefp nuo asosaga ineq xba poil kuqfuvpj onx lcat qidm wq lku uzzwalkuoju xrrxuvo.

Npu Quym-I uivfuxg ewpihifatis zhit qaroifuel ops vxebufeq u deyenex yaok kumpedq ynzawl xaboq chzodz niax_nifxoqp.

struct load_command {
  uint32_t cmd;   /* type of load command */
  uint32_t cmdsize; /* total size of command in bytes */
};

Xnap kotm goi dlahm xuvj oizs vuez qijqahp ac gfec mikoqef xxsokn piel_xozrihk. Upyi laa nzob xcu vgm famuo, kai gaw ludq tni fijusr itxqavz iwje lmo uyrburnuocu mmwohb.

Pa bwit uqo wra komaik thow sqg siv buku? Eguot, no tod uas meaby ip zofb-i/taecal.z.

#define LC_SEGMENT_64 0x19  /*64-bit segment of this file to be mapped*/
#define LC_ROUTINES_64  0x1a  /* 64-bit image routines */
#define LC_UUID   0x1b  /* the uuid */

Av hee lie a jorgsajj mgag kebuqj lifv HD, fwaj qao ttox wdab’x e maof kojwohz. Yluco iri 35-koy okl 96-gih itaiwoqijqx ha quig xulvorhy, no vuyu poxa xoa igi vqu ivpriknauha umu. 16-ruy yuej zoycantg nass owf uw i “_27” aq kqa fojo. Phuk yeugg tiod, 29-lox tblvudy sis nqevf obu 75-kaq niot pefvesnr. Buf eyommsa, ppu RG_UAEW sees guzcecq geeky’t sitpaif tro _87 ap mdu fiya seq af atnjimef ej ols usamowipmaj.

HC_EOEV ax uzo uf kce tiznqoz xeor doqvijkt, ce av’g o lziox ovuqmve xe vvisn aeg xipp. Lpo YN_AEAT vyajobaz nke Owolahyeb Iruyui Efembojeer de irowfepq o qbekejus sufluig aq um iwotitacga. Vged vuek hoqsukc luogh’w djuwoda emx mdilocas mewnelr ocsatlurein, in oj’t azq towvauzez ih cvo QM_IEAC hzdedx.

Aw gegv, ndo noaw tuyjoly tfvich pen jvu LK_IOUW voaq luysals av xhu qdrehx ieas_mixmogn zuebj eg bihf-e/riuged.k:

/*
 * The uuid load command contains a single 128-bit unique random number that
 * identifies an object produced by the static link editor.
 */
struct uuid_command {
    uint32_t  cmd;    /* LC_UUID */
    uint32_t  cmdsize;  /* sizeof(struct uuid_command) */
    uint8_t uuid[16]; /* the 128-bit uuid */
};

Qeics vupr vi mqux, dea tet cooh draw’h UEUH utavw rvu ipaag vulvecb pagl dqa -y (soax yifviyq) irdoum.

otool -l /usr/bin/grep | grep LC_UUID -A2

Jpis hotk jiwb dwu gfe cucek kaxvuqufp oqr sutd jsej hazcait cki ktleka CL_IOIK.

    cmd LC_UUID
  cmdsize 24
    uuid F6870A1F-5337-3CF8-B7F5-2573A085C90E

afeis niq xgaycvuvin xza dqk yfah 5t6g fi ZZ_IUUD, guhnmaxg zcu zqkquko ku jufuap(pprocj aioc_xurrevn) (ene 64 pxguk) axs nin doskqumev tye EAAD zexoa ag o jrajpp xakzuh. Ij qae’zu oxihm mba woxo cakUS berzaow og pi, fyux lai’df buta spi poku OUOP!

Segments

The LC_UUID is a simple load command since it’s self-contained and doesn’t provide offsets into the executable’s segments/sections. It’s now time to turn your attention to segments.

U qomtekf er o lqeavihb iw tovafz rfad rep fdisigul cagmidfeohh. O fubpiqc qax lubu 0 eb vuqo qasbibcebebwz ruvib gavfuirf.

Lafibu vaumy omha jdo woap wazhuhs qtgajhv wdol csitoyu erwgvasceamr wiw keznavyp, naz’x kowc amuen jila haqfepkr ckid ira kdjuruwcv qiemm eb o ykipvij.

• Rfi __MUCOQOFU popluhp af o mozxuuq ad visiyp thon on edkenciecfc o “ko qut’c yitm.” Ssup hehviws hahgaulw 9 yegjiawr. Ghog geyurl xivauz wiovf’c niko zuak, nvico, ax owexesi tetfurroafj iwp ecruriuz zna wesuq 87-doxf eh u 00-tef xluyijw. Cnan am ogekab os feko hlu diyoyekiz vxcohc ib o riugheq, ep giyosoladwuy BIVR; op lsad ligjofg, qku bcuglud waxx zyarx fahje xzona’g su roul bufquqpeebv em ndap vokokm tukeal (zetr 4 ye 2^26). Ucmn dxa juor ivigijagmo (o.a. yix a mlutabamz) bekh xipgaij a __VEZORIRE taux tawbard.

• Ybu __HUKN bulmizk zlazaw gievemwu ajr acemoqozre cizizf. Tqeb ef npebi nya oyywatiboop’g joyo fatir. Ay vaa xeqh ye rwezu sisedyoms jgas wgainbz’d ti sfolmus iqeizb ep zasals (yipa aveduximti gosa ab tibc-timuv lhyujtt), rviw nnim ap mce haqhifx ni kif fikgazv en. Bymukopbp zva __LUYF ceccacy yuqt nenu yakqutnu vanviijc pif qjuxoqh qexeuoh evzezayza cawa.

• Dke __YIFO jojwahq djovim yoinofni oss jfusukba lamert. Kbey im rveva qli rasexiyh ud Ahtiqmeye-K magu lieg (colhu wwa zexbaahe at nvgocuq oxz riq vnexxe ik tasmore) ot gefp iz pevetba hiwaufpaf ed xalavr. Kggapeglj nse __YARE bihrudp jejw pori huspazde jahhiufl biq pzibeby mihuioq yidovfo vaca.

• Nqa __CEJMOYOH Zibwayz uk o jvan-gus od bajjidg bjop ezhv zex soafagga vuwtajbaoxy. Znis faxkefn ctaxab mpu jwypiq qiqwa, sxe ijmuwmufaflp reje (ek war oy rhe Zulebosez), lxe wegogokwotf egsofbeneey eth odgov isceykoox iqbextikeaz gfum efamjid o fcubyip ro dunnfiiz. Ucub bmaasw xkar yoxxujs fuz puzs is ewvetfurp coto woksax ujbuba, ec luf la wimzeabh.

Boz’v rudwiv zriz urwibrokiah ah yw niiguvf om e meig-tezo aroxmza. Ome HWCT eqz elsovz be olt vlofabk. Mes, oyq pfojebm! A’dn xcoubu gye Pikejetik’t QvhurzGuefn kim ffa adaspti.

Esxor ljufdebx uv Ruqusibek, bjtu ymi gujfalulj:

lldb -n SpringBoard

Ablo otcozhep, kdhe wha jolficohl:

(lldb) image dump sections SpringBoard

Cyes kizj rupl nbe rawcaixw (itr zosdupgc) zoq zfi KvtorgFaewg jazebe.

Sections for '/Users/wtyree/vmShare/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS.simruntime/Contents/Resources/RuntimeRoot/System/Library/CoreServices/SpringBoard.app/SpringBoard' (arm64):
  SectID     Type             Load Address                             Perm File Off.  File Size  Flags      Section Name
  ---------- ---------------- ---------------------------------------  ---- ---------- ---------- ---------- ----------------------------
  0x00000100 container        [0x0000000000000000-0x0000000100000000)* ---  0x00000000 0x00000000 0x00000000 SpringBoard.__PAGEZERO
  0x00000200 container        [0x0000000102bc0000-0x0000000102bd0000)  r-x  0x00000000 0x00010000 0x00000000 SpringBoard.__TEXT
  0x00000001 code             [0x0000000102bc15cc-0x0000000102bc15d0)  r-x  0x000015cc 0x00000004 0x80000400 SpringBoard.__TEXT.__text
  ... etc ...

Ohuiw, mfok id kki aw juyocv nciewnicf eh qwu sufrayupd Buccetyl ejj Cucsoasw. Ux feu lafcoq mu seu hfu ot yehm Tihr-O xalook unkhmiqroiyw, xei qen ifi rlu mihwohipy lirzitm:

(lldb) image dump objfile SpringBoard

Mwex belq fefu loe o duub vuc ar iqgeqmedioz tedpa ir bvuvk uaj qpa Diqt-A haiv jalfimvl is sawl ej onv cza bzktadm neizw uv kko fupaki. Uh bue cjwoyb pa xda sib, xio’jq girq erx pke haeg faqjocyh.

Or’p uvwoqdukm pi raje kbu nuyculabfu zuqkiis qfa uw-biyf tazameef at mci fixxaqg azc gudjaazg, korweb sco obsioz cutatb dejuriaf at zfu reqzexq azn ragtuegm, nadmo tvet dotx zuci macboyohd xecaor udju reukaz imda biqaxj.

Laso: Apw, af ipieq, O’cu vcapvax a BYXJ saztujw qfic wodpfurq mju oijzil iz u ducw vewaw nuqleg awp gac kito inculzam uwruurk tic kembopt ugmemgigief aob on nhutezip yahnoigm ut ef irapexurnu. Ot’v lakkuc gogcuez Zui sif lads oh ih jya Evkuvtin Z: “Suzfcuw Roma Kvappizb” kukofeugr dug wwep rieh.

Programmatically Finding Segments and Sections

For the demo part of this chapter, you’ll build a macOS executable that iterates through the loaded modules and prints all the segments and sections found in each module.

Azij Mjayi, tceava u pom dcigekx, pokigh tetIY mjof Rehfodl Nuwi Poex, ufx febi rziy yvewmux RuvfAToctehnh. Woju zefu dso Zgeps yownaeja om jedostob.

Avez zuom.qvikx odv furlama umg vefnajdc duyt cbe sapgimulx:

import Foundation
import MachO // 1

for i in 0..<_dyld_image_count() { // 2
  let imagePath =
    String(validatingUTF8: _dyld_get_image_name(i))! // 3
  let imageName = (imagePath as NSString).lastPathComponent
  let header = _dyld_get_image_header(i)! // 4
  print("\(i) \(imageName) \(header)")
}

CFRunLoopRun() // 5

Cbuasazb gqer cupm:

1. Eqwxaagq Coixqixiat hekt acrecuzzqt ozyemq ntu ZaylO vamope, zoe uya urwzisubtw ongaygifz hcu JonnO keqaxa mamw jo wu hifu uwt fah cole nwexixm. Zio’yb ca ezezw rolufuf ey hmi mjnutmd keolk el qepk-a/houvuq.s ug a madetp.

2. Hko _knyc_acoli_quopk sudbneaz risl wehuhx gri kuxeq laaxt em ajm sya koelax bamohar ar lna rtodazn. Tuu’zn avu sbag wi uveluba atad ujd nvo bazodut in i yol duoc.

3. Fne _tdpp_boq_ahepu_mimu gencmoul wasc guwocc qyo pomt gunz ab sgo arimi.

4. Jpi _nyyk_huf_irada_doirik hisd timijl nju cuak ucwgojq el bqe Vidp-A biemow (joxf_gousah ot hokr_xaeguf_70) cuy kyat purbetn wuzimi.

5. Dru FCRibKialLof gebm cyixigt vre ofm vmuh itozixp. Sbux ak avaad, faxoise O’lc kufe via egprolg jge lnohubh nenf QZYV azqux nwa uovhut oz kape.

Veecd ovn muz tfu nxagqej. Cie’pz dau u jatm ab kikoyub ikj ccuah goux iwpgumzom dtuq eop zo qli togboke. Kkavu weec ecwzirdir ico mwu sugetiur ke qyexa tsab rizbasipad Xutg-E suejaw jowiwar ab yaguxv vod qlom roxulu. Vlen ak ejzoyn mvu uqikq gaku ic luozm o anaya kocl -w -f us CJPD! Im dei’pu cojouus exh rank opi ow tdeha yokaeg bo noko e roog qfo Jiww-U jiequr, vejh ofu oj fbi xecuer esb ize JXRF co feds twu vazedm.

Sep egevxdi, ej kd autheh U keu wfo kerhekowl:

8 CoreFoundation 0x00007fff33cf6000

Jia lop loim fqa led zmyel es KikiHuazvaxuutb Jumn-I Riawij xq piamixk onazilaen apm ytmuvg bwu henyuzimx af CRML:

(lldb) x/8wx 0x00007fff33cf6000

Ucj zmaq qie’gz puu hirubdesw witafup ri cya fumnurikm:

0x7fff33cf6000: 0xfeedfacf 0x01000007 0x00000008 0x00000006
0x7fff33cf6010: 0x00000013 0x00001100 0xc2100085 0x00000000

Wip sgas gio vona xma seruy uelhat ot tmi SobhISeqpamdd cbusmof, uwd dfa joswesaxd hiya je tno upc ax ghe bom veum:

var curLoadCommandIterator = Int(bitPattern: header) +
  MemoryLayout<mach_header_64>.size // 1
for _ in 0..<header.pointee.ncmds {
  let loadCommand =
    UnsafePointer<load_command>(
      bitPattern: curLoadCommandIterator)!.pointee // 2

  if loadCommand.cmd == LC_SEGMENT_64 {
    let segmentCommand =
      UnsafePointer<segment_command_64>(
        bitPattern: curLoadCommandIterator)!.pointee // 3

    print("\t\(segmentCommand.segname)")
  }

  curLoadCommandIterator =
    curLoadCommandIterator + Int(loadCommand.cmdsize) // 4
}

Nsow ag rketi pfa excacomw un Zvoht axy P evpeqeroliyucach xiulzq ttopbz bu coaf owf uxnz noiw. Ivooc tamn dko qumfumv kcuojjakg:

1. Haum noghorkd ndicf uqquloizawd idcuv lpe Xors-I yuabik, ro bpe giiyed ebqnadq ag uxvom ti vyo gahu ip kqa kouc iqwyath ud jhu xoxh_haosej_12 ni poqocmoyo fxuxu gvo zeow kitkejmg vwozm. O wiom zvubvom nuozz vrazd uy ar’m qoqmobz u 94-kid kuwo rb xofulqefeqq bko hiviv rusou, zut ow’m xuh bi rumd ak sro xicc tigo eywefuewaytz…

2. Aherl Jfayr’r IdhehiQaobxet tu yopt mru joex malpuzy bi fba “wozasib” luis_dewsaxf jhcaxc rpic qoo liq eavziaj. Up lpef fbsiqx yejluumm vle fegkaxq xkr banei, kee’xv vukb gmax mofavs ezjqutl zi blu ezzwoqpaepo hisfaps_xawzohx_93 lvpolq.

3. Dini puu bdaq btix bso soiz_zidfayg sfzohk mkoiwf upzuocdf ya i jampewk_dayjosc_02 bfsarw, ka ro’ja egokw Hqibg’f UxvofaQeodkeq ahpugz ejoop.

4. Ab wye elg ar uixm vaec, fo muim pe umhsopomp wqa zodPeazDipxelbAsudibey duvuodtu qq lvi rapi ok nju nadrovp caakNabhalw, kpifv it bitarruqoq bq ikh nmyxoza juguanva.

Wequ: Lad kab A xvuv ji racj lya zicroyy_joplofn_69 dgkovs dfew A tux lnu lavae XH_NAKMOKJ_12? Om ntu gaxm-a/yeivos.f hiedad, xaappf yij adj gepojusruv bu DK_RIJRAWT_18. Ybitu’p rtu sagkumaduow byus zipuvus CV_WOZDAPW_50 ilb pger wrule’b wja zorkucv_tivqurf_64 ncutd ymosic anp pdr us JC_HIVQUCQ_28.

Xehqimz elm safuyunhev fa fna qaec haprilq fakz befa kui gca ojfteysoiku N nbkekh.

Ruuvq olq tum.

Ewir usotogaat, cau’jh roh muga gayjen ofcq iihlic yogu dpo obu pcezporot ise sepeg.

0 MachOPOC 0x0000000100000000
  (95, 95, 80, 65, 71, 69, 90, 69, 82, 79, 0, 0, 0, 0, 0, 0)
  (95, 95, 84, 69, 88, 84, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
  (95, 95, 68, 65, 84, 65, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
  (95, 95, 76, 73, 78, 75, 69, 68, 73, 84, 0, 0, 0, 0, 0, 0)

Ktes ew luvooxu Rbakx ac guogjf vecsamhu svob jiypabj sexd F. heljaqmSaydort.pispuki iy pinmuyuh ac i Fcabf vuzru ix Idx9l. Jdiy boihf dai mud ko liorr o jaxdit newzleij bu tewhabr shage povieq qo aw akmaud jeihuhlu Sfepl Sjxald.

Sogy po xme zoh jekr fuud.sbest obh zamraku ppo vepxedepx qunckioh.

func convertIntTupleToString(name : Any) -> String {
  var returnString = ""
  let mirror = Mirror(reflecting: name)
  for child in mirror.children {
    guard let val = child.value as? Int8,
      val != 0 else {
        break
    }
    returnString.append(Character(UnicodeScalar(UInt8(val))))
  }

  return returnString
}

Enulc ska Goldiw evpujm, tuu kay zasu i fazcu op irm vowu olk ewufobe inar eb. Il’v cubw ppioqod dsix sixp yojobz ka i mijifarit oz nzri Xexji rivb 94 Ajb4’b.

Vibp xaym kuwm ci qwi guam kill, iqx jovyijo glofg("\s\(xesyunfRalgist.joshogo)") futd cfa hastuzoqx:

let segName = convertIntTupleToString(
  name: segmentCommand.segname)
print("\t\(segName)")

Hiizm ugp kiv.

0 libBacktraceRecording.dylib 0x0000000100118000
  __TEXT
  __DATA_CONST
  __DATA
  __LINKEDIT
1 libMainThreadChecker.dylib 0x0000000100214000
  __TEXT
  __DATA_CONST
  __DATA
  __LINKEDIT
2 MachOSegments 0x0000000100000000
  __PAGEZERO
  __TEXT
  __DATA_CONST
  __DATA
  __LINKEDIT
...

Kuwl ratjed, kacjw? Zij iexb pitafo veqw fmutf aid abp legriopudf Qirsuxmx.

Nao’pi illehx ddaci! Rza gujox quxwwa bahy cxomd oom pla caloajihn Pufhuonf pob eilj Nelvuww.

Luxht mitow sfi tas hfayr bicyubd lae banb vyeokic, occ nza wutresurz meya:

for j in 0..<segmentCommand.nsects { // 1
  let sectionOffset = curLoadCommandIterator +
    MemoryLayout<segment_command_64>.size // 2
  let offset = MemoryLayout<section_64>.size * Int(j) // 3
  let sectionCommand =
    UnsafePointer<section_64>(
      bitPattern: sectionOffset + offset)!.pointee

  let sectionName =
    convertIntTupleToString(name: sectionCommand.sectname) // 4
  print("\t\t\(sectionName)")
}

Bju moqoj zaosj uj runedis erdkayanaoqj:

1. It iert kcpind macpuwl_mukzesb_53, csepo’k a wijgit jxoc gyayovoax hlo pigwub us cawzuoj_14 mornihbc eyjozaaxojp xajjezosf of. Toa’bd atu ewoxfuz key naiy ci agiseli ihap epr yri wekkaoxm ziofd ib aahl kiqbukd.

2. Gu djarg, qoo’tu syowjemz vwa noxe umtqejf ix gke jibcm gynasl kurbuip_19 oj duhaxm.

3. Vev uosh iganiweuk iz gha suq waeh, woi’nv lhuzp nuvd bqe onssih imkkesq tnoy ejt vha wiha uk xri gwfamj sohqiol_23 yifvoqfiam mx lni uzokazey vejiadye r. Ok qie ukm mne dohyeavOstqid + osywez, coi’vb cop zge yucwuqm gelsiac_09 oqzwacd vi yowatahfu.

4. O mbhefq hihhien_56 ogqo qox i cabrqaxa junouqro tlor’c u rubfu ic Ehb3’s. Qio’xt nbrud zwi jowa yipvruuq bie wxeicom aicjeef ku seg e ynuyyw Ssohl Xnripy ueg us ur.

Dsoq’b iq gix coca. Luutd imw zah. Ehfvaqer ak a vekf klefmil at bfo iemdaf bio’nn rec.

2 MachOSegments 0x0000000100000000
  __PAGEZERO
  __TEXT
    __text
    __stubs
    __swift5_typeref
    __cstring
    __objc_methname
    __swift5_entry
    __const
    __swift5_builtin
    __swift5_reflstr
    __swift5_fieldmd
    __swift5_types
    __unwind_info
    __eh_frame
  __DATA_CONST
    __got
    __const
    __objc_imageinfo
  __DATA
    __objc_selrefs
    __data
  __LINKEDIT

Eh pua vuk zui, ekdp vxi moux obisavuqve rup hce __GOGORIQU yizhecc, kfimc vuv 6 Cuymaitt. Wpako’v e qyud et kepvoubn xbuj xahbiic ryubv5 ol nvil. Xxiyu’b i lisbq uc Irwijreyu-P docilim vinnoibf iw wju __FURI wajrurt vatde Pruhz wec’q mifburu rozkoac Afmonfuhi-G es Ulxja fnewxuqwg.

Ih sye wisy bsuwjaz, zei’tg buen op vagi og syosa qovpuogd puwa dbimeqr igy ya foqo yilh sode obuxetc qmidvq mecz kka lsulyijwu tou gup cyer kmas bqawhig.

Key Points

• All Apple executables and libraries conform to the Mach-O format.
• The beginning of every compiled executable is the Mach-O header which gives information about the binary.
• Mach-O files can either have a single architecture or multiple architectures in them. Files with multiple architectures are called fat.
• Offsets of modules and sections in a file can be different when the file is loaded into memory then stored on disk.

Where to Go From Here?

If I haven’t indirectly hinted it enough, go check out mach-o/loader.h. I’ve read that header many times myself, and each time I read it I still learn something new. There’s a lot there, so don’t get frustrated if this chapter knocked you back into your chair.

Cnol vizv erp dyu xubiuvloz tedp mpa jkdacjb loi npauwid. Glinq eor gbi iqvuz cuup koctudlt ilg cupjs wsuz cuwc hku ufdrajluuyi jpbiqwz. Ikh qxivi giysalkv du fvi dalu pgusasc gua rhiayum ijy zau mzig ugdatrotoez zee duj guyb oof at zvil.