Reverse Engineering Asked by memboi3 on August 21, 2021
I’m dealing with a custom-upx packed library that I’m trying to unpack. System is macOS.
Given it’s a library/plugin, it doesn’t have a standalone entrypoint. I ran it through a disassembler but wasn’t able to find obvious hints where the OEP might be. On top of that, it also uses anti-debugging measurements through ptrace to make it even harder.
Next I wrote my own loader for it including callbacks it wants, and managed to get it to load, then used lldb save-core to dump the entire memory (of my loader+lib) into a 3GB-ish file.
Here is where I am stuck: Memory analysis and forensics doesn’t look like its popular on mac with most tools outdated and no longer working. I don’t know how to approach this going forward and if it’s even possible to restore the unpacked variant from this dump.
Basically you need to find the Mach-O header of the module in memory and dump the segments referred by it.
Here’s a tool which is not specifically for macOS, but should not be too difficult to modify since it already has the code to handle the Mach-O format:
Answered by Igor Skochinsky on August 21, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP