X86 Disassembly/macOS
Mach-O format overview
macOS (previously OS X) uses the Mach-O file format to encode executables, object files, and shared libraries (.dylib files). Here we will be looking at the 64-bit version of the Mach-O format. Most of the data in a Mach-O file is organised into segments and sections: a segment is a container for sections and stores information about each of them, while a section is a container for data. A Mach-O file has five primary structures:
| Structure | Description |
|---|---|
| Header | Contains information about the purpose, and size of the file's structures |
| Load Commands | Declaration of all Segments and Sections |
| Data | The actual contents of the file (e.g. Data section, Text section). |
| Symbol table | Says where each symbol is located in the file |
| String table | Contains the name of each symbol |
Note that these structures are laid out as an unbroken sequence of bytes: each one directly follows the previous, with no empty space between them.
Header
Information
The header is the very first thing in the file, and it consists of 8 unsigned 32-bit integers:
| Name | Purpose | Endianness | Typical Value |
|---|---|---|---|
| Magic Number | The File's magic number | Big-Endian | 0xFEEDFACF for 64-bit architecture |
| CPU Type | The intended CPU type for the executable | Little-Endian | 0x01000007 for x86_64 |
| CPU subtype | The specific kind of CPU used | Little-Endian | 0x00000003 for all x86_64 CPUs |
| File type | The purpose of the file | Little-Endian | 0x00000001 for object file, 0x00000002 for executable |
| Number of Load Commands | The quantity of Load commands (does not include section headers) | Little-Endian | Variable |
| Size of Load Commands | The number of bytes occupied by the Load Commands | Little-Endian | Variable |
| Flags | Extra file information | Little-Endian | 0x00000000 |
| Reserved | No practical use | Little-Endian | 0x00000000 |
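The following parser, added here as an example and not part of the Wikibook, decodes the eight header fields described above from a constructed sample and then walks the load commands that follow the header, checking that their sizes agree with the `ncmds` and `sizeofcmds` fields so that a malformed header cannot drive the parser past the declared region. The sample bytes, the 24-byte load-command stubs and the command type values in it are constructed for illustration.

```python
import struct

MAGIC_64 = 0xFEEDFACF
CPU_TYPE_X86_64 = 0x01000007
HEADER_LEN = 32  # 8 unsigned 32-bit integers

# Constructed sample (not from a real binary): a 64-bit header for an x86_64
# executable with 2 load commands totalling 48 bytes, followed by two 24-byte
# load-command stubs of the form (cmd, cmdsize, payload).
SAMPLE = struct.pack("<8I", MAGIC_64, CPU_TYPE_X86_64, 0x3, 0x2, 2, 48, 0, 0)
SAMPLE += struct.pack("<II", 0x1B, 24) + b"\0" * 16  # constructed command type 0x1B
SAMPLE += struct.pack("<II", 0x02, 24) + b"\0" * 16  # constructed command type 0x02

def parse_mach_header_64(data):
    """Decode the eight 32-bit fields; on x86_64 they are stored little-endian,
    so the on-disk bytes CF FA ED FE read back as the magic 0xFEEDFACF."""
    if len(data) < HEADER_LEN:
        raise ValueError("file too short for a 64-bit Mach-O header")
    names = ("magic", "cputype", "cpusubtype", "filetype",
             "ncmds", "sizeofcmds", "flags", "reserved")
    hdr = dict(zip(names, struct.unpack_from("<8I", data, 0)))
    if hdr["magic"] != MAGIC_64:
        raise ValueError("bad magic 0x%08X (0xCFFAEDFE means the header was "
                         "read with the wrong byte order)" % hdr["magic"])
    # Load commands follow the header with no gap and must fit inside the file.
    if HEADER_LEN + hdr["sizeofcmds"] > len(data):
        raise ValueError("sizeofcmds points past the end of the file")
    return hdr

def walk_load_commands(data, hdr):
    """Return (cmd, cmdsize) for each load command. Every command starts with
    two 32-bit fields, cmd and cmdsize; cmdsize is validated against the
    region declared by the header before it is used to advance the offset."""
    cmds, off, end = [], HEADER_LEN, HEADER_LEN + hdr["sizeofcmds"]
    for _ in range(hdr["ncmds"]):
        if off + 8 > end:
            raise ValueError("load command header overruns sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("load command 0x%X has bad cmdsize %d" % (cmd, cmdsize))
        cmds.append((cmd, cmdsize))
        off += cmdsize
    if off != end:
        raise ValueError("load commands do not fill sizeofcmds exactly")
    return cmds

if __name__ == "__main__":
    h = parse_mach_header_64(SAMPLE)
    print(h, walk_load_commands(SAMPLE, h))
```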