X86 Disassembly/Mac OS X
Mach-O format overview
MacOS (previously OS X) uses the Mach-O file format for executables, object files, and shared libraries (.dylib files). Here we will be looking at the 64-bit version of the Mach-O format. Most of the content of a Mach-O file is organised into segments and sections: a segment is a container that describes a region of the file, where it is mapped in memory and with what protection, and it carries a header for each section it contains; a section is a named range inside a segment that holds the actual data (code, constants, pointers). Mach-O files have five primary structures:
Structure | Description |
---|---|
Header | Contains information about the purpose, and size of the file's structures |
Load Commands | Declaration of all Segments and Sections |
Data | The actual contents of the file (e.g. Data section, Text section). |
Symbol table | Says where each symbol is located in the file |
String table | Contains the name of each symbol |
Note that the header and the load commands form an unbroken sequence of bytes from the start of the file: the load commands begin immediately after the header, and each one follows the previous with no gap. The data the load commands describe is placed at the file offsets they declare, which are normally page-aligned, so there may be padding between the last load command and the first section's data.
Header
Information
The header (struct mach_header_64 in <mach-o/loader.h>) is the very first thing in the file and consists of eight unsigned 32-bit integers, 32 bytes in total:
Name | Purpose | Endianness | Typical Value |
---|---|---|---|
Magic Number | The file's magic number (MH_MAGIC_64) | Little-Endian | 0xFEEDFACF for a 64-bit Mach-O file |
CPU Type | The CPU architecture the file was built for | Little-Endian | 0x01000007 for x86_64 (CPU_TYPE_X86 = 7 with the CPU_ARCH_ABI64 bit 0x01000000 set) |
CPU subtype | The specific CPU model; the top byte holds capability bits rather than a model number | Little-Endian | 0x00000003 (CPU_SUBTYPE_X86_64_ALL) for all x86_64 CPUs; executables often show 0x80000003, the same subtype with the CPU_SUBTYPE_LIB64 bit set |
File type | The purpose of the file | Little-Endian | 0x00000001 for an object file (MH_OBJECT), 0x00000002 for an executable (MH_EXECUTE), 0x00000006 for a dynamic library (MH_DYLIB) |
Number of Load Commands | The number of load commands that follow the header (section headers are nested inside segment commands and are not counted) | Little-Endian | Variable |
Size of Load Commands | The total number of bytes occupied by all load commands, including the section headers they carry | Little-Endian | Variable |
Flags | Bit flags describing the file | Little-Endian | Variable; an executable typically has MH_NOUNDEFS (0x1), MH_DYLDLINK (0x4), MH_TWOLEVEL (0x80) and MH_PIE (0x200000) set. MH_PIE is what allows the kernel to randomise the image base (ASLR), so its absence is worth noticing when assessing a binary |
Reserved | Padding with no defined meaning | Little-Endian | 0x00000000 |
All eight fields, the magic number included, are stored in the byte order of the target CPU, which is little-endian for x86_64; the first four bytes of an x86_64 binary are therefore CF FA ED FE. If a reader sees 0xCFFAEDFE (MH_CIGAM_64) instead, the file was written in the opposite byte order and every following field must be byte-swapped. A file starting with 0xCAFEBABE is a fat (universal) binary that wraps several Mach-O images, each with its own header.
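As an added example (not part of the original page, and not Apple's code), the following Python parser decodes the 32-byte header described in the table above and in the overview, detects the byte order from the magic, rejects 32-bit and fat files it is not written for, checks that the declared load-command area actually fits inside the file, and reports the flags a security reviewer looks for first (MH_PIE, MH_ALLOW_STACK_EXECUTION). The constant values are the ones from Apple's headers; the two sample headers are constructed inline for demonstration and are not taken from a real binary.

```python
import struct

# Constants from Apple's <mach-o/loader.h> and <mach/machine.h>.
MH_MAGIC_64 = 0xFEEDFACF     # 64-bit header read in its own byte order
MH_CIGAM_64 = 0xCFFAEDFE     # the same header seen from the opposite byte order
MH_MAGIC, MH_CIGAM = 0xFEEDFACE, 0xCEFAEDFE   # 32-bit variants (rejected below)
FAT_MAGIC = 0xCAFEBABE       # universal binary wrapper (rejected below)
HEADER64_SIZE = 32           # eight 32-bit fields

CPU_TYPES = {0x00000007: "x86", 0x01000007: "x86_64", 0x0000000C: "arm", 0x0100000C: "arm64"}
CPU_SUBTYPE_MASK = 0xFF000000   # capability bits, e.g. CPU_SUBTYPE_LIB64 (0x80000000)
FILE_TYPES = {0x1: "MH_OBJECT", 0x2: "MH_EXECUTE", 0x6: "MH_DYLIB",
              0x7: "MH_DYLINKER", 0x8: "MH_BUNDLE", 0xA: "MH_DSYM"}
FLAG_NAMES = {0x1: "MH_NOUNDEFS", 0x4: "MH_DYLDLINK", 0x80: "MH_TWOLEVEL",
              0x2000: "MH_SUBSECTIONS_VIA_SYMBOLS", 0x20000: "MH_ALLOW_STACK_EXECUTION",
              0x200000: "MH_PIE", 0x1000000: "MH_NO_HEAP_EXECUTION"}
MH_PIE = 0x200000
MH_ALLOW_STACK_EXECUTION = 0x20000


def parse_mach_header_64(data: bytes) -> dict:
    """Decode a mach_header_64 at offset 0 of `data`, detecting byte order from the magic."""
    if len(data) < HEADER64_SIZE:
        raise ValueError("input shorter than a mach_header_64 (32 bytes)")
    # Probe the magic as little-endian; it tells us which order the other fields use.
    magic_le = struct.unpack_from("<I", data, 0)[0]
    if magic_le == MH_MAGIC_64:
        order, byte_order = "<", "little"
    elif magic_le == MH_CIGAM_64:       # bytes are FE ED FA CF: header written big-endian
        order, byte_order = ">", "big"
    elif magic_le in (MH_MAGIC, MH_CIGAM):
        raise ValueError("32-bit mach_header; this parser handles mach_header_64 only")
    elif struct.unpack_from(">I", data, 0)[0] == FAT_MAGIC:
        raise ValueError("fat/universal binary; select an architecture slice first")
    else:
        raise ValueError(f"not a Mach-O header (first word 0x{magic_le:08X})")

    (magic, cputype, cpusubtype, filetype, ncmds,
     sizeofcmds, flags, reserved) = struct.unpack_from(order + "8I", data, 0)

    # The load commands follow the header immediately; refuse to trust a
    # sizeofcmds that points past the end of the file before anyone walks them.
    if HEADER64_SIZE + sizeofcmds > len(data):
        raise ValueError(f"sizeofcmds {sizeofcmds} runs past end of input")

    flag_names = [name for bit, name in sorted(FLAG_NAMES.items()) if flags & bit]
    unknown = flags & ~sum(FLAG_NAMES)   # bits this table does not name
    if unknown:
        flag_names.append(f"0x{unknown:08X}")

    return {
        "magic": magic, "byte_order": byte_order,
        "cputype": CPU_TYPES.get(cputype, f"0x{cputype:08X}"),
        "cpusubtype": cpusubtype & ~CPU_SUBTYPE_MASK,        # model number only
        "cpusubtype_caps": cpusubtype & CPU_SUBTYPE_MASK,    # capability bits
        "filetype": FILE_TYPES.get(filetype, f"0x{filetype:08X}"),
        "ncmds": ncmds, "sizeofcmds": sizeofcmds,
        "load_commands_end": HEADER64_SIZE + sizeofcmds,     # first offset past the commands
        "flags": flag_names, "reserved": reserved,
        "pie": bool(flags & MH_PIE),                          # ASLR-capable image base
        "executable_stack": bool(flags & MH_ALLOW_STACK_EXECUTION),
    }


# Constructed sample (not from a real binary): a little-endian x86_64 MH_EXECUTE
# header with 16 load commands spanning 1080 bytes and flags
# NOUNDEFS|DYLDLINK|TWOLEVEL|PIE, followed by zero padding standing in for the
# load command area so the bounds check above passes.
SAMPLE_X86_64_EXEC = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 0x80000003,
                                 0x2, 16, 1080, 0x00200085, 0) + bytes(1080)
# The same header written big-endian, to exercise the MH_CIGAM_64 path.
SAMPLE_SWAPPED = struct.pack(">8I", MH_MAGIC_64, 0x01000007, 0x80000003,
                             0x2, 16, 1080, 0x00200085, 0) + bytes(1080)

if __name__ == "__main__":
    import sys
    # Pass a path to inspect a real file, otherwise the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_X86_64_EXEC
    for key, value in parse_mach_header_64(data).items():
        print(f"{key:>20}: {value}")
```

The parser stops at the header on purpose: walking the load commands requires trusting ncmds and sizeofcmds, so validating them against the file length here is the check that keeps a later load-command walker from reading out of bounds on a truncated or crafted file.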