MachO
A better parser for the MachO file format.
Features
- Parse MachO header
- Supports Fat MachO files
- Parse all known MachO load commands
- Parse code signature, chained fixups, dysymtab, and more.
- Tool for dumping MachO header/load commands
- Tool for extracting thin MachO from fat MachO
TODO
- Parse exports trie in LC_DYLD_EXPORTS_TRIE
- Parse CMS signature in LC_CODE_SIGNATURE
- Walk the chained fixups, and resolve library ordinals across several load commands
- Make the tools more user-friendly, and make more tools
Installation
Library:
Tooling:
Tools
MachO
Dumps an extremely verbose representation of the MachO file.
→ macho
Usage: macho <file_path>
→ macho /usr/bin/sqlite3
This is a fat macho file. Please select an architecture:
0: X86_64 CpuSubTypeX86(All)
1: X86_64 CpuSubTypeX86(X86_64H)
2: Arm64 CpuSubTypeArm64(ARM64E)
> 2
Header64(
    MachHeader64 {
        magic: MhMagic64,
        cputype: Arm64,
        cpusubtype: CpuSubTypeArm64(
            ARM64E,
        ),
        filetype: MhExecute,
        ncmds: 21,
        sizeofcmds: 2088,
        flags: MHFlags(
            MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL | MH_PIE,
        ),
        reserved: 0,
    },
)
...load commands...
Thin
Extracts the thin MachO file from a fat MachO file.
→ thin
Usage: thin <file_path> <output>
→ file /usr/bin/sqlite3
/usr/bin/sqlite3: Mach-O universal binary with 3 architectures: [x86_64:Mach-O 64-bit executable x86_64] [x86_64h] [arm64e]
/usr/bin/sqlite3 (for architecture x86_64): Mach-O 64-bit executable x86_64
/usr/bin/sqlite3 (for architecture x86_64h): Mach-O 64-bit executable x86_64h
/usr/bin/sqlite3 (for architecture arm64e): Mach-O 64-bit executable arm64e
→ thin /usr/bin/sqlite3 sqlite3.arm64e
0: X86_64 CpuSubTypeX86(All)
1: X86_64 CpuSubTypeX86(X86_64H)
2: Arm64 CpuSubTypeArm64(ARM64E)
> 2
→ file sqlite3.arm64e
sqlite3.arm64e: Mach-O 64-bit executable arm64e
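What thinning involves at the byte level, as an added example that is not this crate's code or API: a standalone parser for the 32-bit fat header that refuses slice entries pointing into the header table or past the end of the file. All function names, the `MAX_ARCHS` cap and the sample bytes are assumptions made for the example.

```rust
// Added example, not this crate's API: fat (universal) header parsing with bounds checks.
const FAT_MAGIC: u32 = 0xCAFE_BABE; // fat header fields are big-endian on disk
const MAX_ARCHS: u32 = 64; // assumed sanity cap; Java class files share this magic
#[derive(Debug)]
pub struct FatArch { pub cputype: u32, pub cpusubtype: u32, pub offset: u32, pub size: u32 }

fn be32(data: &[u8], at: usize) -> Option<u32> {
    let b = data.get(at..at.checked_add(4)?)?;
    Some(u32::from_be_bytes([b[0], b[1], b[2], b[3]]))
}

/// Parse the fat header and its fat_arch table; None on anything malformed.
pub fn parse_fat(data: &[u8]) -> Option<Vec<FatArch>> {
    if be32(data, 0)? != FAT_MAGIC { return None; }
    let n = be32(data, 4)?;
    if n == 0 || n > MAX_ARCHS { return None; }
    let table_end = 8 + n as usize * 20; // each fat_arch is five u32 fields
    let mut archs = Vec::new();
    for i in 0..n as usize {
        let base = 8 + i * 20;
        let (cputype, cpusubtype) = (be32(data, base)?, be32(data, base + 4)?);
        let (offset, size) = (be32(data, base + 8)?, be32(data, base + 12)?);
        // Reject slices that overlap the header table or run past end of file.
        let end = (offset as usize).checked_add(size as usize)?;
        if (offset as usize) < table_end || end > data.len() { return None; }
        archs.push(FatArch { cputype, cpusubtype, offset, size });
    }
    Some(archs)
}

/// Return the bytes of slice `index`, i.e. the thin MachO.
pub fn thin(data: &[u8], index: usize) -> Option<&[u8]> {
    let (start, len) = parse_fat(data)?.get(index).map(|a| (a.offset as usize, a.size as usize))?;
    data.get(start..start + len)
}

/// Constructed sample: two slices, each only a thin 64-bit magic plus cputype.
pub fn sample_fat() -> Vec<u8> {
    let mut f = Vec::new();
    for w in &[FAT_MAGIC, 2, 0x0100_0007, 3, 48, 8, 0, 0x0100_000C, 2, 56, 8, 0] {
        f.extend_from_slice(&w.to_be_bytes());
    }
    f.extend_from_slice(&[0xCF, 0xFA, 0xED, 0xFE, 7, 0, 0, 1, 0xCF, 0xFA, 0xED, 0xFE, 0x0C, 0, 0, 1]);
    f
}

fn main() {
    let fat = sample_fat();
    println!("{:?}\nslice 1: {:?}", parse_fat(&fat), thin(&fat, 1));
}
```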