Mach-O binary index

The following posts will introduce you to the binary format used by Apple, Mach-O. We first learn the basic format (1), then diving deeper into the import and export tables, and how the loader (dyld) binds these symbols (2). We continue to explore how Apple signs the binary (3) and how Apple prevents copying apps (4).

I will keep the posts updated with what I’ve researched. Readers can see the list below for my current research target.

  • methods to inject into the Mach-O binary by either modifying the binary or using tools such as Frida (5).
  • Obj-C class-dump
  • Obj-C runtime
  • Swift and Obj-C and C
  • __cstring encryption (future work)

Series index:

  1. Overview of Mach-O binary
  2. Mach-O linker information
  3. Mach-O codesign data
  4. Apple Fairplay protection in Mach-O
  5. Injecting code into Mach-O

References will be updated here

References

Official sourcecode of Apple:

Novel research:

Redback, introduced in Blackhat Asia 2020, but no public source-code release:

Worth checking out:

I will probably do some jailbreak research to answer questions such as what is performed during jailbreak.

The list below is auto-generated, please refer to the list above.

Injecting code into Mach-O

This article introduces the reader to some easy injection that can be used to hijack the runtime of a Mach-O binary. Some techniques can be easy to perform, some are posible due to 3rd party toolings, and some are based on theory.
Last updated on Sep 14, 2021 7 min read osx

Apple Fairplay protection in Mach-O

Fairplay encryption created by Apple to protect digial possession rights. Implemented with a custom chip set for encryption and decryption with a hardcoded key. It is still unknown how to extract the key from the hardware.
Last updated on Sep 6, 2021 2 min read osx

Mach-O linker information

Dynamic symbols in Mach-O binary are stored in a form of bytecode and exported symbols are encoded as a prefix-trie. For dynamic symbols, Mach-O also has a stud binding to resolve symbols, which is the same as __got and __plt section on ELF binaries.
Last updated on Sep 6, 2021 4 min read osx

Overview of Mach-O binary

Mach-O is a binary format used by Apple for its systems. The binary format contains assembled bytes, data and other information. Structured by a list of load commands, where each load command hold the neccessary pointers to the contents.
Last updated on Sep 6, 2021 5 min read osx