#!/usr/bin/env python from __future__ import print_function import cmd import dict_utils import file_extract import optparse import re import struct import string import io import sys import uuid # Mach header "magic" constants MH_MAGIC = 0xfeedface MH_CIGAM = 0xcefaedfe MH_MAGIC_64 = 0xfeedfacf MH_CIGAM_64 = 0xcffaedfe FAT_MAGIC = 0xcafebabe FAT_CIGAM = 0xbebafeca # Mach haeder "filetype" constants MH_OBJECT = 0x00000001 MH_EXECUTE = 0x00000002 MH_FVMLIB = 0x00000003 MH_CORE = 0x00000004 MH_PRELOAD = 0x00000005 MH_DYLIB = 0x00000006 MH_DYLINKER = 0x00000007 MH_BUNDLE = 0x00000008 MH_DYLIB_STUB = 0x00000009 MH_DSYM = 0x0000000a MH_KEXT_BUNDLE = 0x0000000b # Mach haeder "flag" constant bits MH_NOUNDEFS = 0x00000001 MH_INCRLINK = 0x00000002 MH_DYLDLINK = 0x00000004 MH_BINDATLOAD = 0x00000008 MH_PREBOUND = 0x00000010 MH_SPLIT_SEGS = 0x00000020 MH_LAZY_INIT = 0x00000040 MH_TWOLEVEL = 0x00000080 MH_FORCE_FLAT = 0x00000100 MH_NOMULTIDEFS = 0x00000200 MH_NOFIXPREBINDING = 0x00000400 MH_PREBINDABLE = 0x00000800 MH_ALLMODSBOUND = 0x00001000 MH_SUBSECTIONS_VIA_SYMBOLS = 0x00002000 MH_CANONICAL = 0x00004000 MH_WEAK_DEFINES = 0x00008000 MH_BINDS_TO_WEAK = 0x00010000 MH_ALLOW_STACK_EXECUTION = 0x00020000 MH_ROOT_SAFE = 0x00040000 MH_SETUID_SAFE = 0x00080000 MH_NO_REEXPORTED_DYLIBS = 0x00100000 MH_PIE = 0x00200000 MH_DEAD_STRIPPABLE_DYLIB = 0x00400000 MH_HAS_TLV_DESCRIPTORS = 0x00800000 MH_NO_HEAP_EXECUTION = 0x01000000 # Mach load command constants LC_REQ_DYLD = 0x80000000 LC_SEGMENT = 0x00000001 LC_SYMTAB = 0x00000002 LC_SYMSEG = 0x00000003 LC_THREAD = 0x00000004 LC_UNIXTHREAD = 0x00000005 LC_LOADFVMLIB = 0x00000006 LC_IDFVMLIB = 0x00000007 LC_IDENT = 0x00000008 LC_FVMFILE = 0x00000009 LC_PREPAGE = 0x0000000a LC_DYSYMTAB = 0x0000000b LC_LOAD_DYLIB = 0x0000000c LC_ID_DYLIB = 0x0000000d LC_LOAD_DYLINKER = 0x0000000e LC_ID_DYLINKER = 0x0000000f LC_PREBOUND_DYLIB = 0x00000010 LC_ROUTINES = 0x00000011 LC_SUB_FRAMEWORK = 0x00000012 LC_SUB_UMBRELLA = 0x00000013 LC_SUB_CLIENT = 0x00000014 LC_SUB_LIBRARY = 0x00000015 LC_TWOLEVEL_HINTS = 0x00000016 LC_PREBIND_CKSUM = 0x00000017 LC_LOAD_WEAK_DYLIB = 0x00000018 | LC_REQ_DYLD LC_SEGMENT_64 = 0x00000019 LC_ROUTINES_64 = 0x0000001a LC_UUID = 0x0000001b LC_RPATH = 0x0000001c | LC_REQ_DYLD LC_CODE_SIGNATURE = 0x0000001d LC_SEGMENT_SPLIT_INFO = 0x0000001e LC_REEXPORT_DYLIB = 0x0000001f | LC_REQ_DYLD LC_LAZY_LOAD_DYLIB = 0x00000020 LC_ENCRYPTION_INFO = 0x00000021 LC_DYLD_INFO = 0x00000022 LC_DYLD_INFO_ONLY = 0x00000022 | LC_REQ_DYLD LC_LOAD_UPWARD_DYLIB = 0x00000023 | LC_REQ_DYLD LC_VERSION_MIN_MACOSX = 0x00000024 LC_VERSION_MIN_IPHONEOS = 0x00000025 LC_FUNCTION_STARTS = 0x00000026 LC_DYLD_ENVIRONMENT = 0x00000027 # Mach CPU constants CPU_ARCH_MASK = 0xff000000 CPU_ARCH_ABI64 = 0x01000000 CPU_TYPE_ANY = 0xffffffff CPU_TYPE_VAX = 1 CPU_TYPE_MC680x0 = 6 CPU_TYPE_I386 = 7 CPU_TYPE_X86_64 = CPU_TYPE_I386 | CPU_ARCH_ABI64 CPU_TYPE_MIPS = 8 CPU_TYPE_MC98000 = 10 CPU_TYPE_HPPA = 11 CPU_TYPE_ARM = 12 CPU_TYPE_MC88000 = 13 CPU_TYPE_SPARC = 14 CPU_TYPE_I860 = 15 CPU_TYPE_ALPHA = 16 CPU_TYPE_POWERPC = 18 CPU_TYPE_POWERPC64 = CPU_TYPE_POWERPC | CPU_ARCH_ABI64 # VM protection constants VM_PROT_READ = 1 VM_PROT_WRITE = 2 VM_PROT_EXECUTE = 4 # VM protection constants N_STAB = 0xe0 N_PEXT = 0x10 N_TYPE = 0x0e N_EXT = 0x01 # Values for nlist N_TYPE bits of the "Mach.NList.type" field. N_UNDF = 0x0 N_ABS = 0x2 N_SECT = 0xe N_PBUD = 0xc N_INDR = 0xa # Section indexes for the "Mach.NList.sect_idx" fields NO_SECT = 0 MAX_SECT = 255 # Stab defines N_GSYM = 0x20 N_FNAME = 0x22 N_FUN = 0x24 N_STSYM = 0x26 N_LCSYM = 0x28 N_BNSYM = 0x2e N_OPT = 0x3c N_RSYM = 0x40 N_SLINE = 0x44 N_ENSYM = 0x4e N_SSYM = 0x60 N_SO = 0x64 N_OSO = 0x66 N_LSYM = 0x80 N_BINCL = 0x82 N_SOL = 0x84 N_PARAMS = 0x86 N_VERSION = 0x88 N_OLEVEL = 0x8A N_PSYM = 0xa0 N_EINCL = 0xa2 N_ENTRY = 0xa4 N_LBRAC = 0xc0 N_EXCL = 0xc2 N_RBRAC = 0xe0 N_BCOMM = 0xe2 N_ECOMM = 0xe4 N_ECOML = 0xe8 N_LENG = 0xfe vm_prot_names = ['---', 'r--', '-w-', 'rw-', '--x', 'r-x', '-wx', 'rwx'] def dump_memory(base_addr, data, hex_bytes_len, num_per_line): hex_bytes = data.encode('hex') if hex_bytes_len == -1: hex_bytes_len = len(hex_bytes) addr = base_addr ascii_str = '' i = 0 while i < hex_bytes_len: if ((i / 2) % num_per_line) == 0: if i > 0: print(' %s' % (ascii_str)) ascii_str = '' print('0x%8.8x:' % (addr + i), end=' ') hex_byte = hex_bytes[i:i + 2] print(hex_byte, end=' ') int_byte = int(hex_byte, 16) ascii_char = '%c' % (int_byte) if int_byte >= 32 and int_byte < 127: ascii_str += ascii_char else: ascii_str += '.' i = i + 2 if ascii_str: if (i / 2) % num_per_line: padding = num_per_line - ((i / 2) % num_per_line) else: padding = 0 print('%*s%s' % (padding * 3 + 1, '', ascii_str)) print() class TerminalColors: '''Simple terminal colors class''' def __init__(self, enabled=True): # TODO: discover terminal type from "file" and disable if # it can't handle the color codes self.enabled = enabled def reset(self): '''Reset all terminal colors and formatting.''' if self.enabled: return "\x1b[0m" return '' def bold(self, on=True): '''Enable or disable bold depending on the "on" parameter.''' if self.enabled: if on: return "\x1b[1m" else: return "\x1b[22m" return '' def italics(self, on=True): '''Enable or disable italics depending on the "on" parameter.''' if self.enabled: if on: return "\x1b[3m" else: return "\x1b[23m" return '' def underline(self, on=True): '''Enable or disable underline depending on the "on" parameter.''' if self.enabled: if on: return "\x1b[4m" else: return "\x1b[24m" return '' def inverse(self, on=True): '''Enable or disable inverse depending on the "on" parameter.''' if self.enabled: if on: return "\x1b[7m" else: return "\x1b[27m" return '' def strike(self, on=True): '''Enable or disable strike through depending on the "on" parameter.''' if self.enabled: if on: return "\x1b[9m" else: return "\x1b[29m" return '' def black(self, fg=True): '''Set the foreground or background color to black. The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.''' if self.enabled: if fg: return "\x1b[30m" else: return "\x1b[40m" return '' def red(self, fg=True): '''Set the foreground or background color to red. The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.''' if self.enabled: if fg: return "\x1b[31m" else: return "\x1b[41m" return '' def green(self, fg=True): '''Set the foreground or background color to green. The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.''' if self.enabled: if fg: return "\x1b[32m" else: return "\x1b[42m" return '' def yellow(self, fg=True): '''Set the foreground or background color to yellow. The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.''' if self.enabled: if fg: return "\x1b[43m" else: return "\x1b[33m" return '' def blue(self, fg=True): '''Set the foreground or background color to blue. The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.''' if self.enabled: if fg: return "\x1b[34m" else: return "\x1b[44m" return '' def magenta(self, fg=True): '''Set the foreground or background color to magenta. The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.''' if self.enabled: if fg: return "\x1b[35m" else: return "\x1b[45m" return '' def cyan(self, fg=True): '''Set the foreground or background color to cyan. The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.''' if self.enabled: if fg: return "\x1b[36m" else: return "\x1b[46m" return '' def white(self, fg=True): '''Set the foreground or background color to white. The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.''' if self.enabled: if fg: return "\x1b[37m" else: return "\x1b[47m" return '' def default(self, fg=True): '''Set the foreground or background color to the default. The foreground color will be set if "fg" tests True. The background color will be set if "fg" tests False.''' if self.enabled: if fg: return "\x1b[39m" else: return "\x1b[49m" return '' def swap_unpack_char(): """Returns the unpack prefix that will for non-native endian-ness.""" if struct.pack('H', 1).startswith("\x00"): return '<' return '>' def dump_hex_bytes(addr, s, bytes_per_line=16): i = 0 line = '' for ch in s: if (i % bytes_per_line) == 0: if line: print(line) line = '%#8.8x: ' % (addr + i) line += "%02X " % ord(ch) i += 1 print(line) def dump_hex_byte_string_diff(addr, a, b, bytes_per_line=16): i = 0 line = '' a_len = len(a) b_len = len(b) if a_len < b_len: max_len = b_len else: max_len = a_len tty_colors = TerminalColors(True) for i in range(max_len): ch = None if i < a_len: ch_a = a[i] ch = ch_a else: ch_a = None if i < b_len: ch_b = b[i] if not ch: ch = ch_b else: ch_b = None mismatch = ch_a != ch_b if (i % bytes_per_line) == 0: if line: print(line) line = '%#8.8x: ' % (addr + i) if mismatch: line += tty_colors.red() line += "%02X " % ord(ch) if mismatch: line += tty_colors.default() i += 1 print(line) class Mach: """Class that does everything mach-o related""" class Arch: """Class that implements mach-o architectures""" def __init__(self, c=0, s=0): self.cpu = c self.sub = s def set_cpu_type(self, c): self.cpu = c def set_cpu_subtype(self, s): self.sub = s def set_arch(self, c, s): self.cpu = c self.sub = s def is_64_bit(self): return (self.cpu & CPU_ARCH_ABI64) != 0 cpu_infos = [ ["arm", CPU_TYPE_ARM, CPU_TYPE_ANY], ["arm", CPU_TYPE_ARM, 0], ["armv4", CPU_TYPE_ARM, 5], ["armv6", CPU_TYPE_ARM, 6], ["armv5", CPU_TYPE_ARM, 7], ["xscale", CPU_TYPE_ARM, 8], ["armv7", CPU_TYPE_ARM, 9], ["armv7f", CPU_TYPE_ARM, 10], ["armv7s", CPU_TYPE_ARM, 11], ["armv7k", CPU_TYPE_ARM, 12], ["armv7m", CPU_TYPE_ARM, 15], ["armv7em", CPU_TYPE_ARM, 16], ["ppc", CPU_TYPE_POWERPC, CPU_TYPE_ANY], ["ppc", CPU_TYPE_POWERPC, 0], ["ppc601", CPU_TYPE_POWERPC, 1], ["ppc602", CPU_TYPE_POWERPC, 2], ["ppc603", CPU_TYPE_POWERPC, 3], ["ppc603e", CPU_TYPE_POWERPC, 4], ["ppc603ev", CPU_TYPE_POWERPC, 5], ["ppc604", CPU_TYPE_POWERPC, 6], ["ppc604e", CPU_TYPE_POWERPC, 7], ["ppc620", CPU_TYPE_POWERPC, 8], ["ppc750", CPU_TYPE_POWERPC, 9], ["ppc7400", CPU_TYPE_POWERPC, 10], ["ppc7450", CPU_TYPE_POWERPC, 11], ["ppc970", CPU_TYPE_POWERPC, 100], ["ppc64", CPU_TYPE_POWERPC64, 0], ["ppc970-64", CPU_TYPE_POWERPC64, 100], ["i386", CPU_TYPE_I386, 3], ["i486", CPU_TYPE_I386, 4], ["i486sx", CPU_TYPE_I386, 0x84], ["i386", CPU_TYPE_I386, CPU_TYPE_ANY], ["x86_64", CPU_TYPE_X86_64, 3], ["x86_64", CPU_TYPE_X86_64, CPU_TYPE_ANY], ] def __str__(self): for info in self.cpu_infos: if self.cpu == info[1] and (self.sub & 0x00ffffff) == info[2]: return info[0] return "{0}.{1}".format(self.cpu, self.sub) class Magic(dict_utils.Enum): enum = { 'MH_MAGIC': MH_MAGIC, 'MH_CIGAM': MH_CIGAM, 'MH_MAGIC_64': MH_MAGIC_64, 'MH_CIGAM_64': MH_CIGAM_64, 'FAT_MAGIC': FAT_MAGIC, 'FAT_CIGAM': FAT_CIGAM } def __init__(self, initial_value=0): dict_utils.Enum.__init__(self, initial_value, self.enum) def is_skinny_mach_file(self): return self.value == MH_MAGIC or self.value == MH_CIGAM or self.value == MH_MAGIC_64 or self.value == MH_CIGAM_64 def is_universal_mach_file(self): return self.value == FAT_MAGIC or self.value == FAT_CIGAM def unpack(self, data): data.set_byte_order('native') self.value = data.get_uint32() def get_byte_order(self): if self.value == MH_CIGAM or self.value == MH_CIGAM_64 or self.value == FAT_CIGAM: return swap_unpack_char() else: return '=' def is_64_bit(self): return self.value == MH_MAGIC_64 or self.value == MH_CIGAM_64 def __init__(self): self.magic = Mach.Magic() self.content = None self.path = None def extract(self, path, extractor): self.path = path self.unpack(extractor) def parse(self, path): self.path = path try: f = open(self.path) file_extractor = file_extract.FileExtract(f, '=') self.unpack(file_extractor) # f.close() except IOError as xxx_todo_changeme: (errno, strerror) = xxx_todo_changeme.args print("I/O error({0}): {1}".format(errno, strerror)) except ValueError: print("Could not convert data to an integer.") except: print("Unexpected error:", sys.exc_info()[0]) raise def compare(self, rhs): self.content.compare(rhs.content) def dump(self, options=None): self.content.dump(options) def dump_header(self, dump_description=True, options=None): self.content.dump_header(dump_description, options) def dump_load_commands(self, dump_description=True, options=None): self.content.dump_load_commands(dump_description, options) def dump_sections(self, dump_description=True, options=None): self.content.dump_sections(dump_description, options) def dump_section_contents(self, options): self.content.dump_section_contents(options) def dump_symtab(self, dump_description=True, options=None): self.content.dump_symtab(dump_description, options) def dump_symbol_names_matching_regex(self, regex, file=None): self.content.dump_symbol_names_matching_regex(regex, file) def description(self): return self.content.description() def unpack(self, data): self.magic.unpack(data) if self.magic.is_skinny_mach_file(): self.content = Mach.Skinny(self.path) elif self.magic.is_universal_mach_file(): self.content = Mach.Universal(self.path) else: self.content = None if self.content is not None: self.content.unpack(data, self.magic) def is_valid(self): return self.content is not None class Universal: def __init__(self, path): self.path = path self.type = 'universal' self.file_off = 0 self.magic = None self.nfat_arch = 0 self.archs = list() def description(self): s = '%#8.8x: %s (' % (self.file_off, self.path) archs_string = '' for arch in self.archs: if len(archs_string): archs_string += ', ' archs_string += '%s' % arch.arch s += archs_string s += ')' return s def unpack(self, data, magic=None): self.file_off = data.tell() if magic is None: self.magic = Mach.Magic() self.magic.unpack(data) else: self.magic = magic self.file_off = self.file_off - 4 # Universal headers are always in big endian data.set_byte_order('big') self.nfat_arch = data.get_uint32() for i in range(self.nfat_arch): self.archs.append(Mach.Universal.ArchInfo()) self.archs[i].unpack(data) for i in range(self.nfat_arch): self.archs[i].mach = Mach.Skinny(self.path) data.seek(self.archs[i].offset, 0) skinny_magic = Mach.Magic() skinny_magic.unpack(data) self.archs[i].mach.unpack(data, skinny_magic) def compare(self, rhs): print('error: comparing two universal files is not supported yet') return False def dump(self, options): if options.dump_header: print() print("Universal Mach File: magic = %s, nfat_arch = %u" % (self.magic, self.nfat_arch)) print() if self.nfat_arch > 0: if options.dump_header: self.archs[0].dump_header(True, options) for i in range(self.nfat_arch): self.archs[i].dump_flat(options) if options.dump_header: print() for i in range(self.nfat_arch): self.archs[i].mach.dump(options) def dump_header(self, dump_description=True, options=None): if dump_description: print(self.description()) for i in range(self.nfat_arch): self.archs[i].mach.dump_header(True, options) print() def dump_load_commands(self, dump_description=True, options=None): if dump_description: print(self.description()) for i in range(self.nfat_arch): self.archs[i].mach.dump_load_commands(True, options) print() def dump_sections(self, dump_description=True, options=None): if dump_description: print(self.description()) for i in range(self.nfat_arch): self.archs[i].mach.dump_sections(True, options) print() def dump_section_contents(self, options): for i in range(self.nfat_arch): self.archs[i].mach.dump_section_contents(options) print() def dump_symtab(self, dump_description=True, options=None): if dump_description: print(self.description()) for i in range(self.nfat_arch): self.archs[i].mach.dump_symtab(True, options) print() def dump_symbol_names_matching_regex(self, regex, file=None): for i in range(self.nfat_arch): self.archs[i].mach.dump_symbol_names_matching_regex( regex, file) class ArchInfo: def __init__(self): self.arch = Mach.Arch(0, 0) self.offset = 0 self.size = 0 self.align = 0 self.mach = None def unpack(self, data): # Universal headers are always in big endian data.set_byte_order('big') self.arch.cpu, self.arch.sub, self.offset, self.size, self.align = data.get_n_uint32( 5) def dump_header(self, dump_description=True, options=None): if options.verbose: print("CPU SUBTYPE OFFSET SIZE ALIGN") print("---------- ---------- ---------- ---------- ----------") else: print("ARCH FILEOFFSET FILESIZE ALIGN") print("---------- ---------- ---------- ----------") def dump_flat(self, options): if options.verbose: print("%#8.8x %#8.8x %#8.8x %#8.8x %#8.8x" % (self.arch.cpu, self.arch.sub, self.offset, self.size, self.align)) else: print("%-10s %#8.8x %#8.8x %#8.8x" % (self.arch, self.offset, self.size, self.align)) def dump(self): print(" cputype: %#8.8x" % self.arch.cpu) print("cpusubtype: %#8.8x" % self.arch.sub) print(" offset: %#8.8x" % self.offset) print(" size: %#8.8x" % self.size) print(" align: %#8.8x" % self.align) def __str__(self): return "Mach.Universal.ArchInfo: %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x" % ( self.arch.cpu, self.arch.sub, self.offset, self.size, self.align) def __repr__(self): return "Mach.Universal.ArchInfo: %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x" % ( self.arch.cpu, self.arch.sub, self.offset, self.size, self.align) class Flags: def __init__(self, b): self.bits = b def __str__(self): s = '' if self.bits & MH_NOUNDEFS: s += 'MH_NOUNDEFS | ' if self.bits & MH_INCRLINK: s += 'MH_INCRLINK | ' if self.bits & MH_DYLDLINK: s += 'MH_DYLDLINK | ' if self.bits & MH_BINDATLOAD: s += 'MH_BINDATLOAD | ' if self.bits & MH_PREBOUND: s += 'MH_PREBOUND | ' if self.bits & MH_SPLIT_SEGS: s += 'MH_SPLIT_SEGS | ' if self.bits & MH_LAZY_INIT: s += 'MH_LAZY_INIT | ' if self.bits & MH_TWOLEVEL: s += 'MH_TWOLEVEL | ' if self.bits & MH_FORCE_FLAT: s += 'MH_FORCE_FLAT | ' if self.bits & MH_NOMULTIDEFS: s += 'MH_NOMULTIDEFS | ' if self.bits & MH_NOFIXPREBINDING: s += 'MH_NOFIXPREBINDING | ' if self.bits & MH_PREBINDABLE: s += 'MH_PREBINDABLE | ' if self.bits & MH_ALLMODSBOUND: s += 'MH_ALLMODSBOUND | ' if self.bits & MH_SUBSECTIONS_VIA_SYMBOLS: s += 'MH_SUBSECTIONS_VIA_SYMBOLS | ' if self.bits & MH_CANONICAL: s += 'MH_CANONICAL | ' if self.bits & MH_WEAK_DEFINES: s += 'MH_WEAK_DEFINES | ' if self.bits & MH_BINDS_TO_WEAK: s += 'MH_BINDS_TO_WEAK | ' if self.bits & MH_ALLOW_STACK_EXECUTION: s += 'MH_ALLOW_STACK_EXECUTION | ' if self.bits & MH_ROOT_SAFE: s += 'MH_ROOT_SAFE | ' if self.bits & MH_SETUID_SAFE: s += 'MH_SETUID_SAFE | ' if self.bits & MH_NO_REEXPORTED_DYLIBS: s += 'MH_NO_REEXPORTED_DYLIBS | ' if self.bits & MH_PIE: s += 'MH_PIE | ' if self.bits & MH_DEAD_STRIPPABLE_DYLIB: s += 'MH_DEAD_STRIPPABLE_DYLIB | ' if self.bits & MH_HAS_TLV_DESCRIPTORS: s += 'MH_HAS_TLV_DESCRIPTORS | ' if self.bits & MH_NO_HEAP_EXECUTION: s += 'MH_NO_HEAP_EXECUTION | ' # Strip the trailing " |" if we have any flags if len(s) > 0: s = s[0:-2] return s class FileType(dict_utils.Enum): enum = { 'MH_OBJECT': MH_OBJECT, 'MH_EXECUTE': MH_EXECUTE, 'MH_FVMLIB': MH_FVMLIB, 'MH_CORE': MH_CORE, 'MH_PRELOAD': MH_PRELOAD, 'MH_DYLIB': MH_DYLIB, 'MH_DYLINKER': MH_DYLINKER, 'MH_BUNDLE': MH_BUNDLE, 'MH_DYLIB_STUB': MH_DYLIB_STUB, 'MH_DSYM': MH_DSYM, 'MH_KEXT_BUNDLE': MH_KEXT_BUNDLE } def __init__(self, initial_value=0): dict_utils.Enum.__init__(self, initial_value, self.enum) class Skinny: def __init__(self, path): self.path = path self.type = 'skinny' self.data = None self.file_off = 0 self.magic = 0 self.arch = Mach.Arch(0, 0) self.filetype = Mach.FileType(0) self.ncmds = 0 self.sizeofcmds = 0 self.flags = Mach.Flags(0) self.uuid = None self.commands = list() self.segments = list() self.sections = list() self.symbols = list() self.sections.append(Mach.Section()) def description(self): return '%#8.8x: %s (%s)' % (self.file_off, self.path, self.arch) def unpack(self, data, magic=None): self.data = data self.file_off = data.tell() if magic is None: self.magic = Mach.Magic() self.magic.unpack(data) else: self.magic = magic self.file_off = self.file_off - 4 data.set_byte_order(self.magic.get_byte_order()) self.arch.cpu, self.arch.sub, self.filetype.value, self.ncmds, self.sizeofcmds, bits = data.get_n_uint32( 6) self.flags.bits = bits if self.is_64_bit(): data.get_uint32() # Skip reserved word in mach_header_64 for i in range(0, self.ncmds): lc = self.unpack_load_command(data) self.commands.append(lc) def get_data(self): if self.data: self.data.set_byte_order(self.magic.get_byte_order()) return self.data return None def unpack_load_command(self, data): lc = Mach.LoadCommand() lc.unpack(self, data) lc_command = lc.command.get_enum_value() if (lc_command == LC_SEGMENT or lc_command == LC_SEGMENT_64): lc = Mach.SegmentLoadCommand(lc) lc.unpack(self, data) elif (lc_command == LC_LOAD_DYLIB or lc_command == LC_ID_DYLIB or lc_command == LC_LOAD_WEAK_DYLIB or lc_command == LC_REEXPORT_DYLIB): lc = Mach.DylibLoadCommand(lc) lc.unpack(self, data) elif (lc_command == LC_LOAD_DYLINKER or lc_command == LC_SUB_FRAMEWORK or lc_command == LC_SUB_CLIENT or lc_command == LC_SUB_UMBRELLA or lc_command == LC_SUB_LIBRARY or lc_command == LC_ID_DYLINKER or lc_command == LC_RPATH): lc = Mach.LoadDYLDLoadCommand(lc) lc.unpack(self, data) elif (lc_command == LC_DYLD_INFO_ONLY): lc = Mach.DYLDInfoOnlyLoadCommand(lc) lc.unpack(self, data) elif (lc_command == LC_SYMTAB): lc = Mach.SymtabLoadCommand(lc) lc.unpack(self, data) elif (lc_command == LC_DYSYMTAB): lc = Mach.DYLDSymtabLoadCommand(lc) lc.unpack(self, data) elif (lc_command == LC_UUID): lc = Mach.UUIDLoadCommand(lc) lc.unpack(self, data) elif (lc_command == LC_CODE_SIGNATURE or lc_command == LC_SEGMENT_SPLIT_INFO or lc_command == LC_FUNCTION_STARTS): lc = Mach.DataBlobLoadCommand(lc) lc.unpack(self, data) elif (lc_command == LC_UNIXTHREAD): lc = Mach.UnixThreadLoadCommand(lc) lc.unpack(self, data) elif (lc_command == LC_ENCRYPTION_INFO): lc = Mach.EncryptionInfoLoadCommand(lc) lc.unpack(self, data) lc.skip(data) return lc def compare(self, rhs): print("\nComparing:") print("a) %s %s" % (self.arch, self.path)) print("b) %s %s" % (rhs.arch, rhs.path)) result = True if self.type == rhs.type: for lhs_section in self.sections[1:]: rhs_section = rhs.get_section_by_section(lhs_section) if rhs_section: print('comparing %s.%s...' % (lhs_section.segname, lhs_section.sectname), end=' ') sys.stdout.flush() lhs_data = lhs_section.get_contents(self) rhs_data = rhs_section.get_contents(rhs) if lhs_data and rhs_data: if lhs_data == rhs_data: print('ok') else: lhs_data_len = len(lhs_data) rhs_data_len = len(rhs_data) # if lhs_data_len < rhs_data_len: # if lhs_data == rhs_data[0:lhs_data_len]: # print 'section data for %s matches the first %u bytes' % (lhs_section.sectname, lhs_data_len) # else: # # TODO: check padding # result = False # elif lhs_data_len > rhs_data_len: # if lhs_data[0:rhs_data_len] == rhs_data: # print 'section data for %s matches the first %u bytes' % (lhs_section.sectname, lhs_data_len) # else: # # TODO: check padding # result = False # else: result = False print('error: sections differ') # print 'a) %s' % (lhs_section) # dump_hex_byte_string_diff(0, lhs_data, rhs_data) # print 'b) %s' % (rhs_section) # dump_hex_byte_string_diff(0, rhs_data, lhs_data) elif lhs_data and not rhs_data: print('error: section data missing from b:') print('a) %s' % (lhs_section)) print('b) %s' % (rhs_section)) result = False elif not lhs_data and rhs_data: print('error: section data missing from a:') print('a) %s' % (lhs_section)) print('b) %s' % (rhs_section)) result = False elif lhs_section.offset or rhs_section.offset: print('error: section data missing for both a and b:') print('a) %s' % (lhs_section)) print('b) %s' % (rhs_section)) result = False else: print('ok') else: result = False print('error: section %s is missing in %s' % (lhs_section.sectname, rhs.path)) else: print('error: comparing a %s mach-o file with a %s mach-o file is not supported' % (self.type, rhs.type)) result = False if not result: print('error: mach files differ') return result def dump_header(self, dump_description=True, options=None): if options.verbose: print("MAGIC CPU SUBTYPE FILETYPE NUM CMDS SIZE CMDS FLAGS") print("---------- ---------- ---------- ---------- -------- ---------- ----------") else: print("MAGIC ARCH FILETYPE NUM CMDS SIZE CMDS FLAGS") print("------------ ---------- -------------- -------- ---------- ----------") def dump_flat(self, options): if options.verbose: print("%#8.8x %#8.8x %#8.8x %#8.8x %#8u %#8.8x %#8.8x" % (self.magic, self.arch.cpu, self.arch.sub, self.filetype.value, self.ncmds, self.sizeofcmds, self.flags.bits)) else: print("%-12s %-10s %-14s %#8u %#8.8x %s" % (self.magic, self.arch, self.filetype, self.ncmds, self.sizeofcmds, self.flags)) def dump(self, options): if options.dump_header: self.dump_header(True, options) if options.dump_load_commands: self.dump_load_commands(False, options) if options.dump_sections: self.dump_sections(False, options) if options.section_names: self.dump_section_contents(options) if options.dump_symtab: self.get_symtab() if len(self.symbols): self.dump_sections(False, options) else: print("No symbols") if options.find_mangled: self.dump_symbol_names_matching_regex(re.compile('^_?_Z')) def dump_header(self, dump_description=True, options=None): if dump_description: print(self.description()) print("Mach Header") print(" magic: %#8.8x %s" % (self.magic.value, self.magic)) print(" cputype: %#8.8x %s" % (self.arch.cpu, self.arch)) print(" cpusubtype: %#8.8x" % self.arch.sub) print(" filetype: %#8.8x %s" % (self.filetype.get_enum_value(), self.filetype.get_enum_name())) print(" ncmds: %#8.8x %u" % (self.ncmds, self.ncmds)) print(" sizeofcmds: %#8.8x" % self.sizeofcmds) print(" flags: %#8.8x %s" % (self.flags.bits, self.flags)) def dump_load_commands(self, dump_description=True, options=None): if dump_description: print(self.description()) for lc in self.commands: print(lc) def get_section_by_name(self, name): for section in self.sections: if section.sectname and section.sectname == name: return section return None def get_section_by_section(self, other_section): for section in self.sections: if section.sectname == other_section.sectname and section.segname == other_section.segname: return section return None def dump_sections(self, dump_description=True, options=None): if dump_description: print(self.description()) num_sections = len(self.sections) if num_sections > 1: self.sections[1].dump_header() for sect_idx in range(1, num_sections): print("%s" % self.sections[sect_idx]) def dump_section_contents(self, options): saved_section_to_disk = False for sectname in options.section_names: section = self.get_section_by_name(sectname) if section: sect_bytes = section.get_contents(self) if options.outfile: if not saved_section_to_disk: outfile = open(options.outfile, 'w') if options.extract_modules: # print "Extracting modules from mach file..." data = file_extract.FileExtract( io.BytesIO(sect_bytes), self.data.byte_order) version = data.get_uint32() num_modules = data.get_uint32() # print "version = %u, num_modules = %u" % # (version, num_modules) for i in range(num_modules): data_offset = data.get_uint64() data_size = data.get_uint64() name_offset = data.get_uint32() language = data.get_uint32() flags = data.get_uint32() data.seek(name_offset) module_name = data.get_c_string() # print "module[%u] data_offset = %#16.16x, # data_size = %#16.16x, name_offset = # %#16.16x (%s), language = %u, flags = # %#x" % (i, data_offset, data_size, # name_offset, module_name, language, # flags) data.seek(data_offset) outfile.write(data.read_size(data_size)) else: print("Saving section %s to '%s'" % (sectname, options.outfile)) outfile.write(sect_bytes) outfile.close() saved_section_to_disk = True else: print("error: you can only save a single section to disk at a time, skipping section '%s'" % (sectname)) else: print('section %s:\n' % (sectname)) section.dump_header() print('%s\n' % (section)) dump_memory(0, sect_bytes, options.max_count, 16) else: print('error: no section named "%s" was found' % (sectname)) def get_segment(self, segname): if len(self.segments) == 1 and self.segments[0].segname == '': return self.segments[0] for segment in self.segments: if segment.segname == segname: return segment return None def get_first_load_command(self, lc_enum_value): for lc in self.commands: if lc.command.value == lc_enum_value: return lc return None def get_symtab(self): if self.data and not self.symbols: lc_symtab = self.get_first_load_command(LC_SYMTAB) if lc_symtab: symtab_offset = self.file_off if self.data.is_in_memory(): linkedit_segment = self.get_segment('__LINKEDIT') if linkedit_segment: linkedit_vmaddr = linkedit_segment.vmaddr linkedit_fileoff = linkedit_segment.fileoff symtab_offset = linkedit_vmaddr + lc_symtab.symoff - linkedit_fileoff symtab_offset = linkedit_vmaddr + lc_symtab.stroff - linkedit_fileoff else: symtab_offset += lc_symtab.symoff self.data.seek(symtab_offset) is_64 = self.is_64_bit() for i in range(lc_symtab.nsyms): nlist = Mach.NList() nlist.unpack(self, self.data, lc_symtab) self.symbols.append(nlist) else: print("no LC_SYMTAB") def dump_symtab(self, dump_description=True, options=None): self.get_symtab() if dump_description: print(self.description()) for i, symbol in enumerate(self.symbols): print('[%5u] %s' % (i, symbol)) def dump_symbol_names_matching_regex(self, regex, file=None): self.get_symtab() for symbol in self.symbols: if symbol.name and regex.search(symbol.name): print(symbol.name) if file: file.write('%s\n' % (symbol.name)) def is_64_bit(self): return self.magic.is_64_bit() class LoadCommand: class Command(dict_utils.Enum): enum = { 'LC_SEGMENT': LC_SEGMENT, 'LC_SYMTAB': LC_SYMTAB, 'LC_SYMSEG': LC_SYMSEG, 'LC_THREAD': LC_THREAD, 'LC_UNIXTHREAD': LC_UNIXTHREAD, 'LC_LOADFVMLIB': LC_LOADFVMLIB, 'LC_IDFVMLIB': LC_IDFVMLIB, 'LC_IDENT': LC_IDENT, 'LC_FVMFILE': LC_FVMFILE, 'LC_PREPAGE': LC_PREPAGE, 'LC_DYSYMTAB': LC_DYSYMTAB, 'LC_LOAD_DYLIB': LC_LOAD_DYLIB, 'LC_ID_DYLIB': LC_ID_DYLIB, 'LC_LOAD_DYLINKER': LC_LOAD_DYLINKER, 'LC_ID_DYLINKER': LC_ID_DYLINKER, 'LC_PREBOUND_DYLIB': LC_PREBOUND_DYLIB, 'LC_ROUTINES': LC_ROUTINES, 'LC_SUB_FRAMEWORK': LC_SUB_FRAMEWORK, 'LC_SUB_UMBRELLA': LC_SUB_UMBRELLA, 'LC_SUB_CLIENT': LC_SUB_CLIENT, 'LC_SUB_LIBRARY': LC_SUB_LIBRARY, 'LC_TWOLEVEL_HINTS': LC_TWOLEVEL_HINTS, 'LC_PREBIND_CKSUM': LC_PREBIND_CKSUM, 'LC_LOAD_WEAK_DYLIB': LC_LOAD_WEAK_DYLIB, 'LC_SEGMENT_64': LC_SEGMENT_64, 'LC_ROUTINES_64': LC_ROUTINES_64, 'LC_UUID': LC_UUID, 'LC_RPATH': LC_RPATH, 'LC_CODE_SIGNATURE': LC_CODE_SIGNATURE, 'LC_SEGMENT_SPLIT_INFO': LC_SEGMENT_SPLIT_INFO, 'LC_REEXPORT_DYLIB': LC_REEXPORT_DYLIB, 'LC_LAZY_LOAD_DYLIB': LC_LAZY_LOAD_DYLIB, 'LC_ENCRYPTION_INFO': LC_ENCRYPTION_INFO, 'LC_DYLD_INFO': LC_DYLD_INFO, 'LC_DYLD_INFO_ONLY': LC_DYLD_INFO_ONLY, 'LC_LOAD_UPWARD_DYLIB': LC_LOAD_UPWARD_DYLIB, 'LC_VERSION_MIN_MACOSX': LC_VERSION_MIN_MACOSX, 'LC_VERSION_MIN_IPHONEOS': LC_VERSION_MIN_IPHONEOS, 'LC_FUNCTION_STARTS': LC_FUNCTION_STARTS, 'LC_DYLD_ENVIRONMENT': LC_DYLD_ENVIRONMENT } def __init__(self, initial_value=0): dict_utils.Enum.__init__(self, initial_value, self.enum) def __init__(self, c=None, l=0, o=0): if c is not None: self.command = c else: self.command = Mach.LoadCommand.Command(0) self.length = l self.file_off = o def unpack(self, mach_file, data): self.file_off = data.tell() self.command.value, self.length = data.get_n_uint32(2) def skip(self, data): data.seek(self.file_off + self.length, 0) def __str__(self): lc_name = self.command.get_enum_name() return '%#8.8x: <%#4.4x> %-24s' % (self.file_off, self.length, lc_name) class Section: def __init__(self): self.index = 0 self.is_64 = False self.sectname = None self.segname = None self.addr = 0 self.size = 0 self.offset = 0 self.align = 0 self.reloff = 0 self.nreloc = 0 self.flags = 0 self.reserved1 = 0 self.reserved2 = 0 self.reserved3 = 0 def unpack(self, is_64, data): self.is_64 = is_64 self.sectname = data.get_fixed_length_c_string(16, '', True) self.segname = data.get_fixed_length_c_string(16, '', True) if self.is_64: self.addr, self.size = data.get_n_uint64(2) self.offset, self.align, self.reloff, self.nreloc, self.flags, self.reserved1, self.reserved2, self.reserved3 = data.get_n_uint32( 8) else: self.addr, self.size = data.get_n_uint32(2) self.offset, self.align, self.reloff, self.nreloc, self.flags, self.reserved1, self.reserved2 = data.get_n_uint32( 7) def dump_header(self): if self.is_64: print("INDEX ADDRESS SIZE OFFSET ALIGN RELOFF NRELOC FLAGS RESERVED1 RESERVED2 RESERVED3 NAME") print("===== ------------------ ------------------ ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------------------") else: print("INDEX ADDRESS SIZE OFFSET ALIGN RELOFF NRELOC FLAGS RESERVED1 RESERVED2 NAME") print("===== ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ----------------------") def __str__(self): if self.is_64: return "[%3u] %#16.16x %#16.16x %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x %s.%s" % ( self.index, self.addr, self.size, self.offset, self.align, self.reloff, self.nreloc, self.flags, self.reserved1, self.reserved2, self.reserved3, self.segname, self.sectname) else: return "[%3u] %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x %#8.8x %s.%s" % ( self.index, self.addr, self.size, self.offset, self.align, self.reloff, self.nreloc, self.flags, self.reserved1, self.reserved2, self.segname, self.sectname) def get_contents(self, mach_file): '''Get the section contents as a python string''' if self.size > 0 and mach_file.get_segment( self.segname).filesize > 0: data = mach_file.get_data() if data: section_data_offset = mach_file.file_off + self.offset # print '%s.%s is at offset 0x%x with size 0x%x' % # (self.segname, self.sectname, section_data_offset, # self.size) data.push_offset_and_seek(section_data_offset) bytes = data.read_size(self.size) data.pop_offset_and_seek() return bytes return None class DylibLoadCommand(LoadCommand): def __init__(self, lc): Mach.LoadCommand.__init__(self, lc.command, lc.length, lc.file_off) self.name = None self.timestamp = 0 self.current_version = 0 self.compatibility_version = 0 def unpack(self, mach_file, data): byte_order_char = mach_file.magic.get_byte_order() name_offset, self.timestamp, self.current_version, self.compatibility_version = data.get_n_uint32( 4) data.seek(self.file_off + name_offset, 0) self.name = data.get_fixed_length_c_string(self.length - 24) def __str__(self): s = Mach.LoadCommand.__str__(self) s += "%#8.8x %#8.8x %#8.8x " % (self.timestamp, self.current_version, self.compatibility_version) s += self.name return s class LoadDYLDLoadCommand(LoadCommand): def __init__(self, lc): Mach.LoadCommand.__init__(self, lc.command, lc.length, lc.file_off) self.name = None def unpack(self, mach_file, data): data.get_uint32() self.name = data.get_fixed_length_c_string(self.length - 12) def __str__(self): s = Mach.LoadCommand.__str__(self) s += "%s" % self.name return s class UnixThreadLoadCommand(LoadCommand): class ThreadState: def __init__(self): self.flavor = 0 self.count = 0 self.register_values = list() def unpack(self, data): self.flavor, self.count = data.get_n_uint32(2) self.register_values = data.get_n_uint32(self.count) def __str__(self): s = "flavor = %u, count = %u, regs =" % ( self.flavor, self.count) i = 0 for register_value in self.register_values: if i % 8 == 0: s += "\n " s += " %#8.8x" % register_value i += 1 return s def __init__(self, lc): Mach.LoadCommand.__init__(self, lc.command, lc.length, lc.file_off) self.reg_sets = list() def unpack(self, mach_file, data): reg_set = Mach.UnixThreadLoadCommand.ThreadState() reg_set.unpack(data) self.reg_sets.append(reg_set) def __str__(self): s = Mach.LoadCommand.__str__(self) for reg_set in self.reg_sets: s += "%s" % reg_set return s class DYLDInfoOnlyLoadCommand(LoadCommand): def __init__(self, lc): Mach.LoadCommand.__init__(self, lc.command, lc.length, lc.file_off) self.rebase_off = 0 self.rebase_size = 0 self.bind_off = 0 self.bind_size = 0 self.weak_bind_off = 0 self.weak_bind_size = 0 self.lazy_bind_off = 0 self.lazy_bind_size = 0 self.export_off = 0 self.export_size = 0 def unpack(self, mach_file, data): byte_order_char = mach_file.magic.get_byte_order() self.rebase_off, self.rebase_size, self.bind_off, self.bind_size, self.weak_bind_off, self.weak_bind_size, self.lazy_bind_off, self.lazy_bind_size, self.export_off, self.export_size = data.get_n_uint32( 10) def __str__(self): s = Mach.LoadCommand.__str__(self) s += "rebase_off = %#8.8x, rebase_size = %u, " % ( self.rebase_off, self.rebase_size) s += "bind_off = %#8.8x, bind_size = %u, " % ( self.bind_off, self.bind_size) s += "weak_bind_off = %#8.8x, weak_bind_size = %u, " % ( self.weak_bind_off, self.weak_bind_size) s += "lazy_bind_off = %#8.8x, lazy_bind_size = %u, " % ( self.lazy_bind_off, self.lazy_bind_size) s += "export_off = %#8.8x, export_size = %u, " % ( self.export_off, self.export_size) return s class DYLDSymtabLoadCommand(LoadCommand): def __init__(self, lc): Mach.LoadCommand.__init__(self, lc.command, lc.length, lc.file_off) self.ilocalsym = 0 self.nlocalsym = 0 self.iextdefsym = 0 self.nextdefsym = 0 self.iundefsym = 0 self.nundefsym = 0 self.tocoff = 0 self.ntoc = 0 self.modtaboff = 0 self.nmodtab = 0 self.extrefsymoff = 0 self.nextrefsyms = 0 self.indirectsymoff = 0 self.nindirectsyms = 0 self.extreloff = 0 self.nextrel = 0 self.locreloff = 0 self.nlocrel = 0 def unpack(self, mach_file, data): byte_order_char = mach_file.magic.get_byte_order() self.ilocalsym, self.nlocalsym, self.iextdefsym, self.nextdefsym, self.iundefsym, self.nundefsym, self.tocoff, self.ntoc, self.modtaboff, self.nmodtab, self.extrefsymoff, self.nextrefsyms, self.indirectsymoff, self.nindirectsyms, self.extreloff, self.nextrel, self.locreloff, self.nlocrel = data.get_n_uint32( 18) def __str__(self): s = Mach.LoadCommand.__str__(self) # s += "ilocalsym = %u, nlocalsym = %u, " % (self.ilocalsym, self.nlocalsym) # s += "iextdefsym = %u, nextdefsym = %u, " % (self.iextdefsym, self.nextdefsym) # s += "iundefsym %u, nundefsym = %u, " % (self.iundefsym, self.nundefsym) # s += "tocoff = %#8.8x, ntoc = %u, " % (self.tocoff, self.ntoc) # s += "modtaboff = %#8.8x, nmodtab = %u, " % (self.modtaboff, self.nmodtab) # s += "extrefsymoff = %#8.8x, nextrefsyms = %u, " % (self.extrefsymoff, self.nextrefsyms) # s += "indirectsymoff = %#8.8x, nindirectsyms = %u, " % (self.indirectsymoff, self.nindirectsyms) # s += "extreloff = %#8.8x, nextrel = %u, " % (self.extreloff, self.nextrel) # s += "locreloff = %#8.8x, nlocrel = %u" % (self.locreloff, # self.nlocrel) s += "ilocalsym = %-10u, nlocalsym = %u\n" % ( self.ilocalsym, self.nlocalsym) s += " iextdefsym = %-10u, nextdefsym = %u\n" % ( self.iextdefsym, self.nextdefsym) s += " iundefsym = %-10u, nundefsym = %u\n" % ( self.iundefsym, self.nundefsym) s += " tocoff = %#8.8x, ntoc = %u\n" % ( self.tocoff, self.ntoc) s += " modtaboff = %#8.8x, nmodtab = %u\n" % ( self.modtaboff, self.nmodtab) s += " extrefsymoff = %#8.8x, nextrefsyms = %u\n" % ( self.extrefsymoff, self.nextrefsyms) s += " indirectsymoff = %#8.8x, nindirectsyms = %u\n" % ( self.indirectsymoff, self.nindirectsyms) s += " extreloff = %#8.8x, nextrel = %u\n" % ( self.extreloff, self.nextrel) s += " locreloff = %#8.8x, nlocrel = %u" % ( self.locreloff, self.nlocrel) return s class SymtabLoadCommand(LoadCommand): def __init__(self, lc): Mach.LoadCommand.__init__(self, lc.command, lc.length, lc.file_off) self.symoff = 0 self.nsyms = 0 self.stroff = 0 self.strsize = 0 def unpack(self, mach_file, data): byte_order_char = mach_file.magic.get_byte_order() self.symoff, self.nsyms, self.stroff, self.strsize = data.get_n_uint32( 4) def __str__(self): s = Mach.LoadCommand.__str__(self) s += "symoff = %#8.8x, nsyms = %u, stroff = %#8.8x, strsize = %u" % ( self.symoff, self.nsyms, self.stroff, self.strsize) return s class UUIDLoadCommand(LoadCommand): def __init__(self, lc): Mach.LoadCommand.__init__(self, lc.command, lc.length, lc.file_off) self.uuid = None def unpack(self, mach_file, data): uuid_data = data.get_n_uint8(16) uuid_str = '' for byte in uuid_data: uuid_str += '%2.2x' % byte self.uuid = uuid.UUID(uuid_str) mach_file.uuid = self.uuid def __str__(self): s = Mach.LoadCommand.__str__(self) s += self.uuid.__str__() return s class DataBlobLoadCommand(LoadCommand): def __init__(self, lc): Mach.LoadCommand.__init__(self, lc.command, lc.length, lc.file_off) self.dataoff = 0 self.datasize = 0 def unpack(self, mach_file, data): byte_order_char = mach_file.magic.get_byte_order() self.dataoff, self.datasize = data.get_n_uint32(2) def __str__(self): s = Mach.LoadCommand.__str__(self) s += "dataoff = %#8.8x, datasize = %u" % ( self.dataoff, self.datasize) return s class EncryptionInfoLoadCommand(LoadCommand): def __init__(self, lc): Mach.LoadCommand.__init__(self, lc.command, lc.length, lc.file_off) self.cryptoff = 0 self.cryptsize = 0 self.cryptid = 0 def unpack(self, mach_file, data): byte_order_char = mach_file.magic.get_byte_order() self.cryptoff, self.cryptsize, self.cryptid = data.get_n_uint32(3) def __str__(self): s = Mach.LoadCommand.__str__(self) s += "file-range = [%#8.8x - %#8.8x), cryptsize = %u, cryptid = %u" % ( self.cryptoff, self.cryptoff + self.cryptsize, self.cryptsize, self.cryptid) return s class SegmentLoadCommand(LoadCommand): def __init__(self, lc): Mach.LoadCommand.__init__(self, lc.command, lc.length, lc.file_off) self.segname = None self.vmaddr = 0 self.vmsize = 0 self.fileoff = 0 self.filesize = 0 self.maxprot = 0 self.initprot = 0 self.nsects = 0 self.flags = 0 def unpack(self, mach_file, data): is_64 = self.command.get_enum_value() == LC_SEGMENT_64 self.segname = data.get_fixed_length_c_string(16, '', True) if is_64: self.vmaddr, self.vmsize, self.fileoff, self.filesize = data.get_n_uint64( 4) else: self.vmaddr, self.vmsize, self.fileoff, self.filesize = data.get_n_uint32( 4) self.maxprot, self.initprot, self.nsects, self.flags = data.get_n_uint32( 4) mach_file.segments.append(self) for i in range(self.nsects): section = Mach.Section() section.unpack(is_64, data) section.index = len(mach_file.sections) mach_file.sections.append(section) def __str__(self): s = Mach.LoadCommand.__str__(self) if self.command.get_enum_value() == LC_SEGMENT: s += "%#8.8x %#8.8x %#8.8x %#8.8x " % ( self.vmaddr, self.vmsize, self.fileoff, self.filesize) else: s += "%#16.16x %#16.16x %#16.16x %#16.16x " % ( self.vmaddr, self.vmsize, self.fileoff, self.filesize) s += "%s %s %3u %#8.8x" % (vm_prot_names[self.maxprot], vm_prot_names[ self.initprot], self.nsects, self.flags) s += ' ' + self.segname return s class NList: class Type: class Stab(dict_utils.Enum): enum = { 'N_GSYM': N_GSYM, 'N_FNAME': N_FNAME, 'N_FUN': N_FUN, 'N_STSYM': N_STSYM, 'N_LCSYM': N_LCSYM, 'N_BNSYM': N_BNSYM, 'N_OPT': N_OPT, 'N_RSYM': N_RSYM, 'N_SLINE': N_SLINE, 'N_ENSYM': N_ENSYM, 'N_SSYM': N_SSYM, 'N_SO': N_SO, 'N_OSO': N_OSO, 'N_LSYM': N_LSYM, 'N_BINCL': N_BINCL, 'N_SOL': N_SOL, 'N_PARAMS': N_PARAMS, 'N_VERSION': N_VERSION, 'N_OLEVEL': N_OLEVEL, 'N_PSYM': N_PSYM, 'N_EINCL': N_EINCL, 'N_ENTRY': N_ENTRY, 'N_LBRAC': N_LBRAC, 'N_EXCL': N_EXCL, 'N_RBRAC': N_RBRAC, 'N_BCOMM': N_BCOMM, 'N_ECOMM': N_ECOMM, 'N_ECOML': N_ECOML, 'N_LENG': N_LENG } def __init__(self, magic=0): dict_utils.Enum.__init__(self, magic, self.enum) def __init__(self, t=0): self.value = t def __str__(self): n_type = self.value if n_type & N_STAB: stab = Mach.NList.Type.Stab(self.value) return '%s' % stab else: type = self.value & N_TYPE type_str = '' if type == N_UNDF: type_str = 'N_UNDF' elif type == N_ABS: type_str = 'N_ABS ' elif type == N_SECT: type_str = 'N_SECT' elif type == N_PBUD: type_str = 'N_PBUD' elif type == N_INDR: type_str = 'N_INDR' else: type_str = "??? (%#2.2x)" % type if n_type & N_PEXT: type_str += ' | PEXT' if n_type & N_EXT: type_str += ' | EXT ' return type_str def __init__(self): self.index = 0 self.name_offset = 0 self.name = 0 self.type = Mach.NList.Type() self.sect_idx = 0 self.desc = 0 self.value = 0 def unpack(self, mach_file, data, symtab_lc): self.index = len(mach_file.symbols) self.name_offset = data.get_uint32() self.type.value, self.sect_idx = data.get_n_uint8(2) self.desc = data.get_uint16() if mach_file.is_64_bit(): self.value = data.get_uint64() else: self.value = data.get_uint32() data.push_offset_and_seek( mach_file.file_off + symtab_lc.stroff + self.name_offset) # print "get string for symbol[%u]" % self.index self.name = data.get_c_string() data.pop_offset_and_seek() def __str__(self): name_display = '' if len(self.name): name_display = ' "%s"' % self.name return '%#8.8x %#2.2x (%-20s) %#2.2x %#4.4x %16.16x%s' % (self.name_offset, self.type.value, self.type, self.sect_idx, self.desc, self.value, name_display) class Interactive(cmd.Cmd): '''Interactive command interpreter to mach-o files.''' def __init__(self, mach, options): cmd.Cmd.__init__(self) self.intro = 'Interactive mach-o command interpreter' self.prompt = 'mach-o: %s %% ' % mach.path self.mach = mach self.options = options def default(self, line): '''Catch all for unknown command, which will exit the interpreter.''' print("uknown command: %s" % line) return True def do_q(self, line): '''Quit command''' return True def do_quit(self, line): '''Quit command''' return True def do_header(self, line): '''Dump mach-o file headers''' self.mach.dump_header(True, self.options) return False def do_load(self, line): '''Dump all mach-o load commands''' self.mach.dump_load_commands(True, self.options) return False def do_sections(self, line): '''Dump all mach-o sections''' self.mach.dump_sections(True, self.options) return False def do_symtab(self, line): '''Dump all mach-o symbols in the symbol table''' self.mach.dump_symtab(True, self.options) return False if __name__ == '__main__': parser = optparse.OptionParser( description='A script that parses skinny and universal mach-o files.') parser.add_option( '--arch', '-a', type='string', metavar='arch', dest='archs', action='append', help='specify one or more architectures by name') parser.add_option( '-v', '--verbose', action='store_true', dest='verbose', help='display verbose debug info', default=False) parser.add_option( '-H', '--header', action='store_true', dest='dump_header', help='dump the mach-o file header', default=False) parser.add_option( '-l', '--load-commands', action='store_true', dest='dump_load_commands', help='dump the mach-o load commands', default=False) parser.add_option( '-s', '--symtab', action='store_true', dest='dump_symtab', help='dump the mach-o symbol table', default=False) parser.add_option( '-S', '--sections', action='store_true', dest='dump_sections', help='dump the mach-o sections', default=False) parser.add_option( '--section', type='string', metavar='sectname', dest='section_names', action='append', help='Specify one or more section names to dump', default=[]) parser.add_option( '-o', '--out', type='string', dest='outfile', help='Used in conjunction with the --section=NAME option to save a single section\'s data to disk.', default=False) parser.add_option( '-i', '--interactive', action='store_true', dest='interactive', help='enable interactive mode', default=False) parser.add_option( '-m', '--mangled', action='store_true', dest='find_mangled', help='dump all mangled names in a mach file', default=False) parser.add_option( '-c', '--compare', action='store_true', dest='compare', help='compare two mach files', default=False) parser.add_option( '-M', '--extract-modules', action='store_true', dest='extract_modules', help='Extract modules from file', default=False) parser.add_option( '-C', '--count', type='int', dest='max_count', help='Sets the max byte count when dumping section data', default=-1) (options, mach_files) = parser.parse_args() if options.extract_modules: if options.section_names: print("error: can't use --section option with the --extract-modules option") exit(1) if not options.outfile: print("error: the --output=FILE option must be specified with the --extract-modules option") exit(1) options.section_names.append("__apple_ast") if options.compare: if len(mach_files) == 2: mach_a = Mach() mach_b = Mach() mach_a.parse(mach_files[0]) mach_b.parse(mach_files[1]) mach_a.compare(mach_b) else: print('error: --compare takes two mach files as arguments') else: if not (options.dump_header or options.dump_load_commands or options.dump_symtab or options.dump_sections or options.find_mangled or options.section_names): options.dump_header = True options.dump_load_commands = True if options.verbose: print('options', options) print('mach_files', mach_files) for path in mach_files: mach = Mach() mach.parse(path) if options.interactive: interpreter = Mach.Interactive(mach, options) interpreter.cmdloop() else: mach.dump(options)