Injecting code into Mach-O

This article introduces the reader to some easy injection techniques that can be used to hijack the runtime of a Mach-O binary. Some techniques are easy to perform, some are possible thanks to third-party tooling, and some are based on theory.

Apple Fairplay protection in Mach-O

Fairplay encryption was created by Apple to protect digital possession rights. It is implemented with a custom chipset for encryption and decryption with a hardcoded key. It is still unknown how to extract the key from the hardware.

Mach-O linker information

Dynamic symbols in a Mach-O binary are stored in the form of bytecode, and exported symbols are encoded as a prefix trie. For dynamic symbols, Mach-O also has stub binding to resolve symbols, which serves the same purpose as the __got and __plt sections in ELF binaries.

Overview of Mach-O binary

Mach-O is the binary format used by Apple for its systems. The binary format contains assembled bytes, data and other information. It is structured as a list of load commands, where each load command holds the necessary pointers to the contents.

Mach-O binary index

The following posts will introduce you to the binary format used by Apple, Mach-O. We first learn the basic format (1), then dive deeper into the import and export tables and how the loader (dyld) binds these symbols (2).