Convert MH_EXECUTE to MH_DYLIB (mach-o)

Problem:

I have 2 MH_EXECUTE iOS binaries (compiled, no source code).
Let's call them binary1 and binary2.
I am trying to switch between them before UIApplicationMain is called!

1st attempt

I am successfully doing this with binary1 and one dylib. Therefore, I am trying to convert MH_EXECUTE to MH_DYLIB.


step 1
creating an iOS binary1 application

    #import <Foundation/Foundation.h>   // NSLog, NSBundle
    #import <dlfcn.h>                   // dlopen, dlerror, RTLD_NOW

    int main(int argc, char * argv[]) {
        NSLog(@"binary1 -> Hello, World!");
        // Locate binary2 inside the app bundle and try to load it like a dylib.
        void *handle = dlopen([[[NSBundle mainBundle] pathForResource:@"binary2" ofType:nil]
                               cStringUsingEncoding:NSUTF8StringEncoding], RTLD_NOW);
        if (handle) {
            NSLog(@"DLOPEN is OK!");
        } else {
            NSLog(@"!OK ... --> %s", dlerror());   // dyld's reason for refusing the image
        }
        return 0;
    }

creating an iOS binary2 application

    #import <Foundation/Foundation.h>   // NSLog

    int main(int argc, char * argv[]) {
        NSLog(@"binary2 -> Hello, World!");
        return 0;
    }

When I run binary1, I get:


step 2


Let's see the difference: MH_EXECUTE vs MH_DYLIB


  • as we can see, the main difference here is File Type: MH_EXECUTE vs MH_DYLIB

Let's change that and run binary1 again.
After the change, the result was "out of address space".

step 3


Let's look at the load commands

  • the dylib has NO __PAGEZERO segment
  • the dylib's __TEXT segment VM address == 0, but in binary2 it is == 0000000100000000

So let's fix them too ... (fixed: __TEXT, __DATA and __LINKEDIT)
After running binary1 I get "malformed mach-o image: segment __PAGEZERO overlaps load commands".

step 4


I successfully deleted __PAGEZERO from the load commands, and now the binary looks like a dylib.

But when I start binary1, I get BAD_ACCESS:

    Exception Type:  EXC_BAD_ACCESS (SIGBUS)
    Exception Subtype: KERN_PROTECTION_FAILURE at 0x00000001019e0010
    Triggered by Thread:  0

    Thread 0 name:  Dispatch queue: com.apple.main-thread
    Thread 0 Crashed:
    0   dyld            0x0000000120016d78 ImageLoaderMachOCompressed::rebase(ImageLoader::LinkContext const&) + 892
    1   dyld            0x0000000120016c24 ImageLoaderMachOCompressed::rebase(ImageLoader::LinkContext const&) + 552
    2   dyld            0x0000000120010c8c ImageLoader::recursiveRebase(ImageLoader::LinkContext const&) + 132
    3   dyld            0x000000012001039c ImageLoader::link(ImageLoader::LinkContext const&, bool, bool, bool, ImageLoader::RPathChain const&) + 176
    4   dyld            0x00000001200088e0 dyld::link(ImageLoader*, bool, bool, ImageLoader::RPathChain const&) + 180
    5   dyld            0x000000012000df68 dlopen + 684
    6   libdyld.dylib   0x0000000194e65b94 dlopen + 68
    7   binary1         0x00000001000b7e18 main (main.m:16)
    8   libdyld.dylib   0x0000000194e66a04 start + 0

Any ideas?

+8
ios reverse mach-o dylib
1 answer

You get BAD_ACCESS because you deleted __PAGEZERO and thus invalidated the rebase opcodes. Keep __PAGEZERO, but make it empty. I have also converted an executable into a shared library, and it loaded perfectly on both iOS and macOS.

+5
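The header fields edited in steps 2 to 4 above, together with the answer's advice to keep __PAGEZERO but empty it, as an added Python checker that is not code from the original thread. The image builder and every segment layout in it are constructed test data (a header with four LC_SEGMENT_64 commands and no payload), and the rebase explanation assumes dyld's compressed rebase info, which addresses segments by index.

```python
import struct

MH_MAGIC_64, MH_EXECUTE, MH_DYLIB, LC_SEGMENT_64 = 0xFEEDFACF, 0x2, 0x6, 0x19
HEADER_FMT = "<IiiIIIII"    # magic cputype cpusubtype filetype ncmds sizeofcmds flags reserved
SEG_FMT = "<II16sQQQQiiII"  # cmd cmdsize segname vmaddr vmsize fileoff filesize maxprot initprot nsects flags

def build_image(filetype, segments):
    """Constructed test input: a 64-bit header plus one LC_SEGMENT_64 per (name, vmaddr, vmsize)."""
    cmds = b"".join(struct.pack(SEG_FMT, LC_SEGMENT_64, struct.calcsize(SEG_FMT),
                                name.encode().ljust(16, b"\0"), vmaddr, vmsize, 0, 0, 0, 0, 0, 0)
                    for name, vmaddr, vmsize in segments)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, filetype, len(segments), len(cmds), 0, 0)
    return header + cmds  # 0x0100000C is CPU_TYPE_ARM64; no sections and no payload, header only

def parse_macho64(data):
    """Return (filetype, [(segname, vmaddr, vmsize), ...]) from a little-endian 64-bit Mach-O header."""
    magic, _, _, filetype, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O image")
    off, segments = struct.calcsize(HEADER_FMT), []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > struct.calcsize(HEADER_FMT) + sizeofcmds:
            raise ValueError("load command overruns sizeofcmds")  # dyld rejects this as malformed
        if cmd == LC_SEGMENT_64:
            name, vmaddr, vmsize = struct.unpack_from("<16sQQ", data, off + 8)
            segments.append((name.rstrip(b"\0").decode(), vmaddr, vmsize))
        off += cmdsize
    return filetype, segments

def conversion_issues(data):
    """The checks from the thread: filetype, __PAGEZERO kept but empty, __TEXT mapped at address 0."""
    filetype, segments = parse_macho64(data)
    by_name = {name: (vmaddr, vmsize) for name, vmaddr, vmsize in segments}
    issues = []
    if filetype != MH_DYLIB:
        issues.append("filetype is %#x, not MH_DYLIB" % filetype)
    if "__PAGEZERO" not in by_name:  # rebase opcodes address segments by index, so every target shifts
        issues.append("__PAGEZERO missing: rebase opcodes now point at the wrong segment")
    elif by_name["__PAGEZERO"][1] != 0:
        issues.append("__PAGEZERO vmsize is %#x, not 0" % by_name["__PAGEZERO"][1])
    if "__TEXT" in by_name and by_name["__TEXT"][0] != 0:
        issues.append("__TEXT vmaddr is %#x, not 0" % by_name["__TEXT"][0])
    return issues
EXEC_SEGS = [("__PAGEZERO", 0, 0x100000000), ("__TEXT", 0x100000000, 0x8000),  # constructed MH_EXECUTE layout
             ("__DATA", 0x100008000, 0x4000), ("__LINKEDIT", 0x10000C000, 0x4000)]
FIXED_SEGS = [("__PAGEZERO", 0, 0), ("__TEXT", 0, 0x8000), ("__DATA", 0x8000, 0x4000), ("__LINKEDIT", 0xC000, 0x4000)]

if __name__ == "__main__":
    print(conversion_issues(build_image(MH_DYLIB, FIXED_SEGS[1:])))  # the step 4 layout: __PAGEZERO deleted
```

Running it on a real image means reading the file bytes first; fat (multi-architecture) files and 32-bit images are out of scope for this checker.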
