TransWikia.com

How can you dump the unpacked version of a packed library/plugin from memory on macOS?

Reverse Engineering Asked on November 5, 2021

I’m dealing with a custom UPX-packed library that I’m trying to unpack. The system is macOS.

Given that it’s a library/plugin, it doesn’t have a standalone entry point. I ran it through a disassembler but wasn’t able to find obvious hints as to where the OEP might be. On top of that, it also uses anti-debugging measures through ptrace to make it even harder.

Next, I wrote my own loader for it, including the callbacks it wants, and managed to get it to load, then used lldb save-core to dump the entire memory (of my loader + lib) into a 3GB-ish file.

Here is where I am stuck: memory analysis and forensics don’t look like they’re popular on macOS, with most tools outdated and no longer working. I don’t know how to approach this going forward, or whether it’s even possible to restore the unpacked variant from this dump.

One Answer

Basically, you need to find the Mach-O header of the module in memory and dump the segments referred to by it.

Here’s a tool which is not specifically for macOS, but it should not be too difficult to modify, since it already has the code to handle the Mach-O format:

https://github.com/stefanesser/dumpdecrypted

Answered by Igor Skochinsky on November 5, 2021
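The answer's approach, as an added example that is not part of the original thread or of dumpdecrypted: scan a raw memory dump for the 64-bit Mach-O magic, walk the LC_SEGMENT_64 load commands, and write each segment's in-memory bytes back at its fileoff so the result has the on-disk layout again. It assumes a flat dump of the image's address range (a save-core file is itself a Mach-O whose own segments map file offsets to addresses, so the region holding the plugin would have to be extracted first), that the packer left the header and load commands intact in memory, and that the image is little-endian; the sample dump is constructed inline. The function names and the sample values are this example's own.

```python
import re
import struct

MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O magic, little-endian in memory on x86-64/arm64
LC_SEGMENT_64 = 0x19

def find_macho_headers(dump):
    """Offsets of every 64-bit Mach-O header magic in a raw memory dump."""
    return [m.start() for m in re.finditer(re.escape(struct.pack('<I', MH_MAGIC_64)), dump)]

def parse_segments(dump, hdr_off):
    """Walk the load commands at hdr_off and return (name, vmaddr, vmsize, fileoff, filesize)."""
    ncmds = struct.unpack_from('<I', dump, hdr_off + 16)[0]
    pos, segs = hdr_off + 32, []                      # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from('<2I', dump, pos)
        if cmd == LC_SEGMENT_64:
            name = dump[pos + 8:pos + 24].rstrip(b'\0').decode()
            vmaddr, vmsize, fileoff, filesize = struct.unpack_from('<4Q', dump, pos + 24)
            segs.append((name, vmaddr, vmsize, fileoff, filesize))
        pos += cmdsize
    return segs

def carve_image(dump, hdr_off):
    """Rebuild the on-disk layout: the header sits at __TEXT's vmaddr, so a segment's
    bytes live at hdr_off + (vmaddr - text_vmaddr) and belong at fileoff in the file."""
    segs = parse_segments(dump, hdr_off)
    text_vmaddr = next(s[1] for s in segs if s[0] == '__TEXT')
    out = bytearray(max(fo + fs for _, _, _, fo, fs in segs))
    for name, vmaddr, vmsize, fileoff, filesize in segs:
        if filesize == 0:                             # e.g. __PAGEZERO: no file bytes
            continue
        mem_off = hdr_off + (vmaddr - text_vmaddr)
        out[fileoff:fileoff + filesize] = dump[mem_off:mem_off + filesize]
    return bytes(out)

# Constructed sample (not a real binary): a two-segment dylib image placed at 0x2000
# inside a fake flat dump, with __TEXT and __DATA contents filled with marker bytes.
def _seg_cmd(name, vmaddr, vmsize, fileoff, filesize):
    # segment_command_64 is 72 bytes with zero sections; maxprot=7, initprot=5
    return struct.pack('<2I16s4Q2i2I', LC_SEGMENT_64, 72, name,
                       vmaddr, vmsize, fileoff, filesize, 7, 5, 0, 0)

def build_sample():
    cmds = (_seg_cmd(b'__TEXT', 0x1000, 0x100, 0x0, 0x100)
            + _seg_cmd(b'__DATA', 0x1100, 0x40, 0x100, 0x40))
    hdr = struct.pack('<8I', MH_MAGIC_64, 0x0100000C, 0, 6, 2, len(cmds), 0, 0)  # arm64, MH_DYLIB
    image = (hdr + cmds).ljust(0x100, b'T') + b'D' * 0x40
    dump = b'\0' * 0x2000 + image + b'\xff' * 0x1000
    return dump, image
```

On a real dump the carved __LINKEDIT is often incomplete and pointers stay rebased to the load address, so the output is meant for static analysis rather than for loading again.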
