Advanced Apple Debugging & Reverse Engineering by Unknown

Author:Unknown
Language: eng
Format: epub
Publisher: Kodeco Inc


Mach-O Header in grep

Open up a Terminal window. I’ll pick on the grep executable command, but you can pick on any Terminal command that suits your interests. Type the following:

xxd -l 32 /usr/bin/grep

This command dumps just the first 32 raw bytes of the file at the full path of the grep executable. Why 32 bytes? The struct mach_header_64 declaration has 8 fields, each 4 bytes long, so 32 bytes covers exactly one header.

You’ll get something similar to the following:

00000000: cffa edfe 0700 0001 0300 0080 0200 0000  ................
00000010: 1300 0000 4007 0000 8500 2000 0000 0000  ....@..... .....

Now is a good time to remind yourself that Apple Silicon (arm64) systems use the little-endian format. That means the bytes of each 4-byte field appear reversed in the dump: the first field reads cffa edfe on disk, but the value is 0xfeedfacf.

If your magic number doesn’t match what’s above and also doesn’t match the other choice mentioned, you may have a fat executable. The next section goes into more detail about fat executable structure, but it builds on this section, so don’t skip ahead yet. Read on!

Note: Even though modern Apple architecture is little-endian, Apple can store Mach-O information in big-endian or little-endian format, which is partly due to historical reasons dating back to the PPC architecture.

iOS doesn’t do this, so every iOS file’s Mach-O header will be little-endian on disk and in memory.

In contrast, the Mach-O header ordering on disk can be found in either format on macOS, but will be little-endian in memory.

Later in this section, you’ll look at macOS’s CoreFoundation module, whose Mach-O header is stored in big-endian format. Standards, eh?
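To tie the xxd dump and the endianness note together, here is a small parser, added here as an example and not code from the book, that decodes those 32 bytes as a struct mach_header_64. It reads the magic first and uses it to pick the byte order, so a header stored big-endian (like the CoreFoundation case mentioned above) decodes just as well as the little-endian grep header, and it refuses fat and 32-bit headers rather than misreading them. The sample bytes are re-typed from the dump above; the CPU_TYPE names are the values from <mach-o/machine.h>.

```python
import struct

# Magic values from <mach-o/loader.h> and <mach-o/fat.h>.
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O in the reader's native byte order
MH_CIGAM_64 = 0xCFFAEDFE   # the same header stored byte-swapped
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE      # 32-bit Mach-O
FAT_MAGIC, FAT_CIGAM = 0xCAFEBABE, 0xBEBAFECA    # universal ("fat") binary

FIELDS_64 = ("magic", "cputype", "cpusubtype", "filetype",
             "ncmds", "sizeofcmds", "flags", "reserved")
CPU_TYPE_NAMES = {0x01000007: "x86_64", 0x0100000C: "arm64"}

# The 32 bytes shown by `xxd -l 32 /usr/bin/grep`, re-typed here as a
# constructed sample so the script runs without reading the filesystem.
SAMPLE_HEADER = bytes.fromhex(
    "cffaedfe 07000001 03000080 02000000"
    "13000000 40070000 85002000 00000000"
)


def parse_mach_header_64(data: bytes) -> dict:
    """Decode the first 32 bytes of a file as a struct mach_header_64.

    The magic is read as a little-endian word; MH_MAGIC_64 means the header
    is little-endian on disk, MH_CIGAM_64 means it was written big-endian.
    Fat and 32-bit headers have different layouts, so they raise instead.
    """
    if len(data) < 32:
        raise ValueError("need at least 32 bytes for a mach_header_64")
    magic_le = struct.unpack_from("<I", data, 0)[0]
    if magic_le == MH_MAGIC_64:
        order = "<"
    elif magic_le == MH_CIGAM_64:
        order = ">"
    elif magic_le in (FAT_MAGIC, FAT_CIGAM):
        raise ValueError("fat binary: parse struct fat_header, not mach_header_64")
    elif magic_le in (MH_MAGIC, MH_CIGAM):
        raise ValueError("32-bit Mach-O: use the 28-byte struct mach_header")
    else:
        raise ValueError(f"unknown magic 0x{magic_le:08x}")
    header = dict(zip(FIELDS_64, struct.unpack_from(order + "8I", data, 0)))
    header["byte_order"] = "little" if order == "<" else "big"
    header["cputype_name"] = CPU_TYPE_NAMES.get(header["cputype"], "unknown")
    return header


if __name__ == "__main__":
    import sys
    # Pass a path to inspect a real binary; otherwise decode the sample.
    data = open(sys.argv[1], "rb").read(32) if len(sys.argv) > 1 else SAMPLE_HEADER
    for key, value in parse_mach_header_64(data).items():
        print(f"{key:13} {value:#010x}" if isinstance(value, int) else f"{key:13} {value}")
```

Running it without arguments prints the decoded grep header; note that the cputype in the dump above decodes as x86_64, so the dump came from an Intel slice.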
