Mach Objects are the file format for executables, libraries and object code for the Apple eco-system.
Today I spent the day using Binary Ninja looking at an executable for Mac OS, and wanted to share my findings / keep it somewhere I can read in the future.
Objective-C
As presented on this page, when Objective C code is compiled, header data is stored in read only sections of the binary header.
The functions themselves are stored in the program text section (as usual) - however, their function names are mangled (in Binary Ninja we see these methods as sub_*).
EDIT: At least this is the case on Linux - I have no idea if that is an issue on a Mac.
These functions are called through objc_msgSend(...) (read more), which performs a method lookup and execution. As mentioned before though - whilst the original method name is stored in the __objc_methname header section, the respective machine code is labelled by an arbitrary function name.
As a result, to no avail I spent a couple of hours crawling through different parts of the binary, as well as other imported libraries; searching for a reference to a specific method.
I eventually found this Binary Ninja plugin (an awesome project) which mapped out the mangled function names to their correct Class:Method names; however it was built for the outdated Binary Ninja version one.
It didn’t look like there any other plugins that would provide Objective-C analysis in Binary Ninja. And also I couldn’t find any old/previous release of Binary Ninja :(. Perhaps in the future I might fork that plugin and bring it up to support Binary Ninja 2.
I went and downloaded a demo of Hopper - which pleasantly resolved the mangled names to their Class:Method names! Given it had a 30 minute time limit - I used it to figure out which was the right function in Binary Ninja.
Back in Binary Ninja, I set comments for the functions, allowing me to tag and bookmark them for further analysis!
Ideally, I’d like to know how the method resolution works, as if I were to make a patch; I’d want to find the right function; without needing to search for a unique signature (which might not even exist), as well as the fact that doing that would be very slow.
Or perhaps, it’s just Binary Ninja; and the function address can instantly be found on a Mac :?
