X86 Disassembly/Mac OS X
Mach-O format overview
editMacOS (Previously OS X) uses the Mach-O file format to encode executables, object files, and shared libraries (.dylib files). Here, we will be looking at the 64-bit version of the Mach-O format. The majority of data in Mach-O files are 'segments' and 'sections', where Segments are containers for Sections, and store information about each Section. The Sections themselves are containers for data. Mach-O files have five primary structures:
| Structure | Description |
|---|---|
| Header | Contains information about the purpose, and size of the file's structures |
| Load Commands | Declaration of all Segments and Sections |
| Data | The actual contents of the file (e.g. Data section, Text section). |
| Symbol table | Says where each symbol is located in the file |
| String table | Contains the name of each symbol |
Note that when each Structure is gone over, they are all an unbroken sequence of bytes, and there is no empty space between them.
Header
editInformation
editThe header is the very first thing in the file, and it has 8 unsigned 32-bit integers:
| Name | Purpose | Endianness | Typical Value |
|---|---|---|---|
| Magic Number | The File's magic number | Big-Endian | 0xFEEDFACF for 64-bit architecture |
| CPU Type | The Intended CPU type for the executable | Little-Endian | 0x01000007 for x86_64 |
| CPU subtype | The specific kind of CPU used | Little-Endian | 0x00000003 for all x64 CPUs |
| File type | The purpose of the file | Little-Endian | 0x00000001 for object file, 0x00000002 for executable |
| Number of Load Commands | The quantity of Load commands (does not include section headers) | Little-Endian | Variable |
| Size of Load Commands | The number of bytes occupied by the Load Commands | Little-Endian | Variable |
| Flags | Extra file information | Little-Endian | 0x00000000 |
| Reserved | No practical use | Little-Endian | 0x00000000 |