private static readonly byte[] FeatureBytes2 = { 0x3, 0x0, 0x80, 0x52 }; //MOV W3, #0 public Macho64(Stream stream, float version, long maxMetadataUsages) : base(stream, version, maxMetadataUsages) { Position += 16; //skip magic, cputype, cpusubtype, filetype var ncmds = ReadUInt32(); Position += 12; //skip sizeofcmds, flags, reserved for (var i = 0; i < ncmds; i++) { var pos = Position; var cmd = ReadUInt32(); var cmdsize = ReadUInt32(); if (cmd == 0x19) //LC_SEGMENT_64 { Position += 56; //skip segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot var nsects = ReadUInt32(); Position += 4; //skip flags for (var j = 0; j < nsects; j++) { var section = new MachoSection64Bit(); sections.Add(section); section.sectname = Encoding.UTF8.GetString(ReadBytes(16)).TrimEnd('\0'); Position += 16; //skip segname section.addr = ReadUInt64(); section.size = ReadUInt64(); section.offset = ReadUInt32(); Position += 12; //skip align, reloff, nreloc section.flags = ReadUInt32(); section.end = section.addr + section.size; Position += 12; //skip reserved1, reserved2, reserved3 } } Position = pos + cmdsize;//skip } }
public Macho64(Stream stream) : base(stream) { Position += 16; //skip magic, cputype, cpusubtype, filetype var ncmds = ReadUInt32(); Position += 12; //skip sizeofcmds, flags, reserved for (var i = 0; i < ncmds; i++) { var pos = Position; var cmd = ReadUInt32(); var cmdsize = ReadUInt32(); switch (cmd) { case 0x19: //LC_SEGMENT_64 var segname = Encoding.UTF8.GetString(ReadBytes(16)).TrimEnd('\0'); if (segname == "__TEXT") //__PAGEZERO { vmaddr = ReadUInt64(); } else { Position += 8; } Position += 32; //skip vmsize, fileoff, filesize, maxprot, initprot var nsects = ReadUInt32(); Position += 4; //skip flags for (var j = 0; j < nsects; j++) { var section = new MachoSection64Bit(); sections.Add(section); section.sectname = Encoding.UTF8.GetString(ReadBytes(16)).TrimEnd('\0'); Position += 16; //skip segname section.addr = ReadUInt64(); section.size = ReadUInt64(); section.offset = ReadUInt32(); Position += 12; //skip align, reloff, nreloc section.flags = ReadUInt32(); section.end = section.addr + section.size; Position += 12; //skip reserved1, reserved2, reserved3 } break; case 0x2C: //LC_ENCRYPTION_INFO_64 Position += 8; var cryptID = ReadUInt32(); if (cryptID != 0) { Console.WriteLine("ERROR: This Mach-O executable is encrypted and cannot be processed."); } break; } Position = pos + cmdsize;//skip } }
private ulong FindReference(ulong pointer, MachoSection64Bit search) { var searchend = search.offset + search.size; Position = search.offset; while ((ulong)Position < searchend) { if (ReadUInt64() == pointer) { return((ulong)Position - search.offset + search.addr); //VirtualAddress } } return(0); }
private ulong FindPointersDesc(long readCount, MachoSection64Bit search, MachoSection64Bit range) { var add = 0L; var searchend = search.offset + search.size; var rangeend = range.addr + range.size; while (searchend + (ulong)add > search.offset) { var temp = ReadClassArray <ulong>((long)searchend + add - 8 * readCount, readCount); var r = Array.FindIndex(temp, x => x <range.addr || x> rangeend); if (r != -1) { add -= (readCount - r) * 8; } else { return(search.addr + search.size + (ulong)add - 8ul * (ulong)readCount); //VirtualAddress } } return(0); }
private ulong FindPointersAsc(long readCount, MachoSection64Bit search, MachoSection64Bit range) { var add = 0ul; var searchend = search.offset + search.size; var rangeend = range.addr + range.size; while (search.offset + add < searchend) { var temp = ReadClassArray <ulong>(search.offset + add, readCount); var r = Array.FindLastIndex(temp, x => x <range.addr || x> rangeend); if (r != -1) { add += (ulong)(++r * 8); } else { return(search.addr + add); //VirtualAddress } } return(0); }