Skip to content

dyld cache support#7

Open
planetbeing wants to merge 1 commit intonygard:masterfrom
planetbeing:master
Open

dyld cache support#7
planetbeing wants to merge 1 commit intonygard:masterfrom
planetbeing:master

Conversation

@planetbeing
Copy link

@planetbeing planetbeing commented Apr 10, 2012

Added support for using class-dump directly against dyld caches.

  • This functionality has only been tested against iOS dyld shared caches.
  • dyld shared caches from iOS must be retrieved directly from the decrypted firmware.
    Caches from the live device (retrieved through scp, etc.) have a slide applied and
    cannot be used. (The only way I've reliably found to get around this is to read the
    file directly off the raw block device, otherwise the kernel screws with the file like
    a rootkit).

@planetbeing
Added support for using class-dump directly against dyld caches.
2810e45 
- This functionality has only been tested against iOS dyld shared caches.
- dyld shared caches from iOS must be retrieved directly from the decrypted firmware.
  Caches from the live device (retrieved through scp, etc.) have a slide applied and
  cannot be used.
@0xced
Copy link
Contributor

0xced commented Apr 11, 2012

I don’t see the point of adding dyld shared cache support directly into class-dump. There’s already a tool to extract the dyld cache into Mach-O files: dyld_decache. Then you can inspect the extracted files with class-dump or any other tool which can read Mach-O files.

@planetbeing
Copy link
Author

planetbeing commented Apr 11, 2012

That doesn't work properly, hence I added this feature. The problem is that those tools will only extract parts of the dyld cache directly mapped by the Mach-O header in question. However, the libraries in the dyld cache will in fact at times reference memory locations outside the "library", but inside other libraries, probably due to optimizations meant to coalesce common class definitions, selectors etc. There's no way for a tool like dyld_decache to guarantee it will extract out all relevant pieces of the dyld cache for class-dump to completely work on a particular binary without doing everything class-dump does.

The particular example that prompted me to write the patch in the first place is the BackRow framework for AppleTV 4.3.

@planetbeing
Copy link
Author

planetbeing commented Apr 11, 2012

Actually, my apologies, I was wrong about dyld_decache not working in that case. I was originally passing a bad (ASLR'ed) dyld cache through that program. dyld_decache in fact correctly pulls out the coalesced information. Still, class-dump is able to produce the same results with considerably less complexity and effort, without regard for future optimizations Apple may do, so it's up to you guys if you want to accept the patch.

@0xced
Copy link
Contributor

0xced commented Jan 4, 2013

I just learnt that Apple itself provides a tool to extract the dyld shared cache!

Tryke: @osxreverser @frego @i0n1c Use "dsc_extractor" from dyld source code, works great. (remove #if 0 surrounding main) http://opensource.apple.com/source/dyld/dyld-195.6/launch-cache/dsc_extractor.cpp [http://twitter.com/Tryke/status/287243678123188224]

For the sake of completeness: dsc_extractor suffers from the problem you described, i.e. it doesn’t fix the memory references in other libraries. dyld_decache fixes the problem by adding two sections: __TEXT,__objc_extratxt and __DATA,__objc_extradat

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@planetbeing @0xced