
dyld cache support #7

Open
wants to merge 1 commit into base: master

Conversation

planetbeing

Added support for using class-dump directly against dyld caches.

  • This functionality has only been tested against iOS dyld shared caches.
  • dyld shared caches from iOS must be retrieved directly from the decrypted firmware.
    Caches from the live device (retrieved through scp, etc.) have a slide applied and
    cannot be used. (The only way I've reliably found to get around this is to read the
    file directly off the raw block device, otherwise the kernel screws with the file like
    a rootkit).

@0xced (Contributor) commented Apr 11, 2012

I don’t see the point of adding dyld shared cache support directly into class-dump. There’s already a tool to extract the dyld cache into Mach-O files: dyld_decache. Then you can inspect the extracted files with class-dump or any other tool which can read Mach-O files.

@planetbeing (Author)

That doesn't work properly, hence I added this feature. The problem is that those tools will only extract parts of the dyld cache directly mapped by the Mach-O header in question. However, the libraries in the dyld cache will in fact at times reference memory locations outside the "library", but inside other libraries, probably due to optimizations meant to coalesce common class definitions, selectors etc. There's no way for a tool like dyld_decache to guarantee it will extract out all relevant pieces of the dyld cache for class-dump to completely work on a particular binary without doing everything class-dump does.

The particular example that prompted me to write the patch in the first place is the BackRow framework for AppleTV 4.3.
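
As an added illustration of the point made above (not code from this PR or from class-dump), a small Python reader for the cache's mapping and image tables that resolves any VM address through the cache-wide mapping table instead of a single library's segments. It assumes the leading header, mapping and image struct layouts from dyld's launch-cache/dyld_cache_format.h (dyld-195 era), and runs against a constructed two-library blob in which libA's selector reference points into libB's text.

```python
import struct

# Leading fields of dyld_cache_header, dyld_cache_mapping_info and dyld_cache_image_info
# from dyld's launch-cache/dyld_cache_format.h (assumption: dyld-195 era layout).
HEADER = struct.Struct("<16sIIII")  # magic, mappingOffset, mappingCount, imagesOffset, imagesCount
MAPPING = struct.Struct("<QQQII")   # address, size, fileOffset, maxProt, initProt
IMAGE = struct.Struct("<QQQII")     # address, modTime, inode, pathFileOffset, pad


def parse_cache(data):
    """Return ([(vmaddr, size, file_off), ...], [(path, vmaddr), ...]) from a cache blob."""
    magic, map_off, map_cnt, img_off, img_cnt = HEADER.unpack_from(data, 0)
    if not magic.startswith(b"dyld_v"):
        raise ValueError("not a dyld shared cache: %r" % magic)
    mappings = [MAPPING.unpack_from(data, map_off + i * MAPPING.size)[:3] for i in range(map_cnt)]
    images = [IMAGE.unpack_from(data, img_off + i * IMAGE.size) for i in range(img_cnt)]
    return mappings, [(data[p:data.index(b"\0", p)].decode(), addr) for addr, _, _, p, _ in images]


def vm_to_file_offset(mappings, vmaddr):
    """Map a VM address through the cache-wide mapping table (None if unmapped)."""
    # Resolving here, not via the owning library's own segments, is what lets a pointer
    # that lands inside another library (coalesced selectors, classes) still be followed.
    for addr, size, file_off in mappings:
        if addr <= vmaddr < addr + size:
            return file_off + (vmaddr - addr)
    return None  # unmapped: a slid cache or a stray pointer ends up here


def resolve_selref(data, mappings, selref_vmaddr):
    """Follow a 32-bit selector-reference slot to the C string it names."""
    slot = vm_to_file_offset(mappings, selref_vmaddr)
    if slot is None:
        raise ValueError("selref slot 0x%x is not backed by any mapping" % selref_vmaddr)
    target = vm_to_file_offset(mappings, struct.unpack_from("<I", data, slot)[0])
    if target is None:
        raise ValueError("selref 0x%x points outside every mapping" % selref_vmaddr)
    return data[target:data.index(b"\0", target)].decode()


def build_sample_cache():
    """Constructed cache (not Apple's): libA's __DATA selref points into libB's __TEXT."""
    text_base, data_base = 0x30000000, 0x38000000
    buf = bytearray(0x200)
    HEADER.pack_into(buf, 0x00, b"dyld_v1   armv7\0", 0x20, 2, 0x60, 2)
    MAPPING.pack_into(buf, 0x20, text_base, 0x100, 0x000, 5, 5)  # __TEXT r-x, file 0x000-0x0ff
    MAPPING.pack_into(buf, 0x40, data_base, 0x100, 0x100, 3, 3)  # __DATA rw-, file 0x100-0x1ff
    IMAGE.pack_into(buf, 0x60, text_base + 0xe0, 0, 0, 0xa0, 0)  # libA "header" at 0x300000e0
    IMAGE.pack_into(buf, 0x80, text_base + 0xf0, 0, 0, 0xb4, 0)  # libB "header" at 0x300000f0
    buf[0xa0:0xb4] = b"/usr/lib/libA.dylib\0"
    buf[0xb4:0xc8] = b"/usr/lib/libB.dylib\0"
    buf[0xf2:0xff] = b"coalescedSel\0"                 # selector string living in libB's __TEXT
    struct.pack_into("<I", buf, 0x100, text_base + 0xf2)  # libA's selref slot at 0x38000000
    return bytes(buf)
```

Run against a real cache, `vm_to_file_offset` returning None for addresses the image table says are headers is the quickest sign that the file was taken from a live device with a slide applied.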

@planetbeing (Author)

Actually, my apologies, I was wrong about dyld_decache not working in that case. I was originally passing a bad (ASLR'ed) dyld cache through that program. dyld_decache in fact correctly pulls out the coalesced information. Still, class-dump is able to produce the same results with considerably less complexity and effort, without regard for future optimizations Apple may do, so it's up to you guys if you want to accept the patch.

@0xced (Contributor) commented Jan 4, 2013

I just learnt that Apple itself provides a tool to extract the dyld shared cache!

Tryke: @osxreverser @frego @i0n1c Use "dsc_extractor" from dyld source code, works great. (remove #if 0 surrounding main) http://opensource.apple.com/source/dyld/dyld-195.6/launch-cache/dsc_extractor.cpp [http://twitter.com/Tryke/status/287243678123188224]

For the sake of completeness: dsc_extractor suffers from the problem you described, i.e. it doesn’t fix the memory references in other libraries. dyld_decache fixes the problem by adding two sections: __TEXT,__objc_extratxt and __DATA,__objc_extradat
