Exetools  

07-27-2018, 05:43
Coldzer0
Macho Loader - load macho files in memory without touching the Disk

Hello all,

As the title says:

https://github.com/Coldzer0/Macho-loader

This code works with mini FPC core libraries for Mac OS.
The generated files main & libtest.dylib are only 8kb.



< load macho from memory with socket connection >

The macho loader requires access to some system functions
(e.g., NSCreateObjectFileImageFromMemory, NSLinkModule)
that are provided by libdyld.dylib. As we don't know the address
of libdyld.dylib in memory, we first walk to the very top of the stack.

We then start walking downwards on the stack and we inspect
every pointer we find.

The trick is that the offset inside of libdyld.dylib must be
present as it's placed there by the dynamic linker as the
return function when main returns.

We find the offset, we resolve the functions and from then on,
it's standard loading of a macho bundle.

The main logic starts at "Core/loadfunctions.pas" in loadall().

Requirements
  • FreePascal Compiler >= v3
  • Mac OS :V
  • nodejs >> for the server.js - or make your own :P

How to Build
  1. Just run ./Build.sh after installing FreePascal
  2. run node server.js
  3. run ./main

that's all - see you soon guys :V

Last edited by Coldzer0; 07-27-2018 at 06:11.
The Following 2 Users Say Thank You to Coldzer0 For This Useful Post:
Insid3Code (07-28-2018), niculaita (07-28-2018)
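
A defender-side triage sketch for the technique described in the post above, added here as an example; it is not code from the post or from the Macho-loader repository. It scans a file, captured payload or memory dump for 64-bit Mach-O headers and for the two API names the post quotes. The function names, the constructed sample and the premise that a loader keeps those names as plain strings are assumptions.

```python
import struct

# Constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
FILETYPES = {0x1: "MH_OBJECT", 0x2: "MH_EXECUTE", 0x6: "MH_DYLIB", 0x8: "MH_BUNDLE"}
# API names quoted in the post; a plaintext copy in a file is an assumption
# about how a given loader stores them.
LOADER_APIS = (b"NSCreateObjectFileImageFromMemory", b"NSLinkModule")
HEADER = struct.Struct("<8I")  # mach_header_64: 8 little-endian uint32 fields


def find_macho_headers(data):
    """Return [(offset, filetype_name)] for every plausible 64-bit Mach-O header."""
    hits, pos = [], 0
    needle = struct.pack("<I", MH_MAGIC_64)
    while (pos := data.find(needle, pos)) != -1:
        if pos + HEADER.size <= len(data):
            _, _, _, filetype, ncmds, sizeofcmds, _, _ = HEADER.unpack_from(data, pos)
            # Reject random magic collisions: load commands must fit in the buffer.
            plausible = (filetype in FILETYPES and 0 < ncmds < 4096
                         and pos + HEADER.size + sizeofcmds <= len(data))
            if plausible:
                hits.append((pos, FILETYPES[filetype]))
        pos += 1
    return hits


def triage(data):
    """Summarise loader-related indicators in a file, payload or memory dump."""
    headers = find_macho_headers(data)
    apis = [name.decode() for name in LOADER_APIS if name in data]
    return {
        "headers": headers,
        "loader_apis": apis,
        # A bundle that is not at offset 0 is carried inside something else.
        "embedded_bundle": any(off > 0 and ft == "MH_BUNDLE" for off, ft in headers),
    }


def fake_macho(filetype, ncmds=1, sizeofcmds=16):
    """Constructed sample: a header followed by zero-filled load-command space."""
    return HEADER.pack(MH_MAGIC_64, 0x01000007, 3, filetype, ncmds, sizeofcmds, 0, 0) + bytes(sizeofcmds)


# Constructed sample: an executable that mentions both APIs and carries a bundle.
SAMPLE = (fake_macho(0x2) + b"\0NSCreateObjectFileImageFromMemory\0NSLinkModule\0"
          + fake_macho(0x8))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit on the API names or on an embedded MH_BUNDLE is a reason to look closer, not a verdict; legitimate plug-in hosts also use these APIs.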
Tags
coldzer0, macho, macho_loader, osx, reverse_engineering