On the iOS executable file format

Mach-o (Mach object) file format?

This format is very rare in Chinese, and the most detailed is Apple's official documentation, this article does not repeat the contents of the Mach-o file format, only the experience when using IDA reverse iOS application.

Mach-o Detailed documentation Reference: https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/MachORuntime/index.html

The Mach-o format can contain executable code for multiple target platforms, such as executable code that contains both arm64 and ARM7.

?

Lab 1: We'll start by creating an app with a platform of 2 to compare and contrast the same app loading different architecture code.

When you build an iOS application with a multi-target platform, drag it into Ida, as shown in:

?

?

Ida recognizes the code for both architectures.

Let Ida load the code for the ARM7 platform first

?

?

? In the right-side hex window you can see the magic number of the Mach-o file. In the lower-left corner where the magic number is at file offset 4000, you can know that the executable file maps the file to memory (starting at 0) starting at offset 4000.

Then open the Segment window to view the layout of the file mapped to memory

　

From the IDA Segment window, you can see clearly how the various sections of each executable file are loaded.

Then we close Ida and re-select arm64 to load the executable file.

After loading we can know that the code for the ARM64 schema is mapped to memory from the location where the file offset 14000 begins.

(Two architecture segments, you can find that there are some different places, that is, arm64 architecture more than one got section.) The function of this section is to be added. ）

Well, we now know that the location of the file offset 4000-14000 belongs to the ARM7 architecture section, 14000-end belongs to the ARM64 architecture section, then what is the 0-4000 location?

To open a file with the 16-input editor:

Is Cafebabe familiar? Is the magic number of Java, as far as 0-4000 of the content is exactly what, with questions continue school Mach-o file.

Lab 2: Build a single platform app to see how its files are organized.

Step, as shown in Experiment 1, drag the generated app to Ida.

?

?

? We can come to the conclusion that the single-platform iOS app does not have 0-4000 data for the files in experiment 1.

On the iOS executable file format