Merge pull request #61 from donato-fiore/iOS-18-Support

Add support to extract bins from iOS 18 dyld_shared_cache

Author: arandomdev

.gitignore

@@ -5,4 +5,8 @@ src/*.egg-info
 venv
 
 # Big files like the shared cache should be excluded from the repo
-binaries/
+binaries/
+
+# Testing files
+build/
+.DS_Store

ConverterExplanation.md

@@ -36,12 +36,12 @@ Because the actual segments of the image are split across large distances, the r
 For people that want to contribute to this, here are some links for reference.
 
 ### Objective-C Runtime
-* https://opensource.apple.com/source/xnu/xnu-7195.81.3/EXTERNAL_HEADERS/mach-o/loader.h.auto.html
-* https://opensource.apple.com/source/objc4/objc4-781/runtime/objc-runtime-new.h.auto.html
+* https://fergofrog.com/code/codebrowser/xnu/EXTERNAL_HEADERS/mach-o/loader.h.html
+* https://github.com/opensource-apple/objc4/blob/master/runtime/objc-runtime-new.h
 
 ### DYLD Cache
-* https://opensource.apple.com/source/dyld/dyld-832.7.3/dyld3/shared-cache/dyld_cache_format.h.auto.html
-* https://opensource.apple.com/source/dyld/dyld-832.7.3/dyld3/shared-cache/dsc_extractor.cpp.auto.html
+* https://github.com/opensource-apple/dyld/blob/master/launch-cache/dyld_cache_format.h
+* https://github.com/opensource-apple/dyld/blob/master/launch-cache/dsc_extractor.cpp
 
 ### Other Extractors
 * https://github.com/deepinstinct/dsc_fix/blob/master/dsc_fix.py

README.md

@@ -1,6 +1,6 @@
 [![PyPI version](https://badge.fury.io/py/dyldextractor.svg)](https://badge.fury.io/py/dyldextractor)
 # DyldExtractor
-Extract Binaries from Apple's Dyld Shared Cache to be useful in a disassembler. This tool only supports iOS, arm64.
+Extract Binaries from Apple's Dyld Shared Cache to be useful in a disassembler. This tool only supports iOS.
 
 # Installation
 

bin/dyldex

@@ -7,6 +7,7 @@ import logging
 import os
 import sys
 from typing import List, BinaryIO
+import resource
 
 try:
 	progressbar.streams
@@ -101,6 +102,8 @@ def _extractImage(
 	"""
 
 	logger = logging.getLogger()
+	
+	resource.setrlimit(resource.RLIMIT_NOFILE, (1024, resource.getrlimit(resource.RLIMIT_NOFILE)[1]))
 
 	statusBar = progressbar.ProgressBar(
 		prefix="{variables.unit} >> {variables.status} :: [",

bin/dyldex_all

@@ -9,6 +9,7 @@ import pathlib
 import signal
 import sys
 import progressbar
+import resource
 
 from typing import (
 	List,
@@ -116,6 +117,8 @@ def _extractImage(
 	# setup logging
 	logger = logging.getLogger(f"Worker: {outputPath}")
 
+	resource.setrlimit(resource.RLIMIT_NOFILE, (1024, resource.getrlimit(resource.RLIMIT_NOFILE)[1]))
+
 	loggingStream = io.StringIO()
 	handler = logging.StreamHandler(loggingStream)
 	formatter = logging.Formatter(

setup.py

@@ -2,7 +2,7 @@
 
 setup(
 	name='dyldextractor',
-	version='2.2.2',
+	version='2.3',
 	description='Extract Binaries from Apple\'s Dyld Shared Cache',
 	long_description='file: README.md',
 	long_description_content_type='text/markdown',

src/DyldExtractor/cache_context.py

@@ -1,18 +1,9 @@
-import pathlib
 from typing import (
-	List,
 	Tuple,
 	BinaryIO
 )
 
 from DyldExtractor.file_context import FileContext
-from DyldExtractor.dyld.dyld_structs import (
-	dyld_cache_header,
-	dyld_cache_mapping_info,
-	dyld_cache_image_info,
-	dyld_subcache_entry,
-	dyld_subcache_entry2,
-)
 
 
 class CacheContext(FileContext):

src/DyldExtractor/converter/chained_fixups.py

@@ -1,20 +1,13 @@
 import struct
 from dataclasses import dataclass
-from typing import (
-	Type,
-	TypeVar,
-	Union,
-	Tuple,
-	List
-)
 
 from DyldExtractor.extraction_context import ExtractionContext
 from DyldExtractor.macho.macho_context import MachOContext
 
 from DyldExtractor.macho.macho_structs import (
 	LoadCommands,
-	linkedit_data_command,
 )
+
 from DyldExtractor.macho.fixup_chains_structs import (
 	dyld_chained_fixups_header,
 	dyld_chained_starts_in_image,

src/DyldExtractor/converter/objc_fixer.py

@@ -511,7 +511,7 @@ def _checkMethodNameStorage(self) -> None:
 			# First the version number and then pointers
 			verOff, ctx = self._dyldCtx.convertAddr(objcScoffs.addr)
 			version = ctx.readFormat("<Q", verOff)[0]
-			if version != 2 and version != 3:
+			if version != 2 and version != 3 and version != 4:
 				self._logger.warning(
 					f"Unknown objc opt version: {version}, but continuing on."
 				)

src/DyldExtractor/converter/slide_info.py

@@ -19,7 +19,9 @@
 	dyld_cache_mapping_info,
 	dyld_cache_slide_info2,
 	dyld_cache_slide_info3,
-	dyld_cache_slide_pointer3
+	dyld_cache_slide_info5,
+	dyld_cache_slide_pointer3,
+	dyld_cache_slide_pointer5
 )
 
 from DyldExtractor.macho.macho_structs import (
@@ -29,14 +31,15 @@
 
 _SlideInfoMap = {
 	2: dyld_cache_slide_info2,
-	3: dyld_cache_slide_info3
+	3: dyld_cache_slide_info3,
+	5: dyld_cache_slide_info5,
 }
 
 
 @dataclass
 class _MappingInfo(object):
 	mapping: Union[dyld_cache_mapping_info, dyld_cache_mapping_and_slide_info]
-	slideInfo: Union[dyld_cache_slide_info2, dyld_cache_slide_info3]
+	slideInfo: Union[dyld_cache_slide_info2, dyld_cache_slide_info3, dyld_cache_slide_info5]
 	dyldCtx: DyldContext
 	"""The context that the mapping info belongs to."""
 	pass
@@ -261,6 +264,102 @@ def _rebasePage(
 		pass
 	pass
 
+class _V5Rebaser(object):
+
+	def __init__(
+		self,
+		extractionCtx: ExtractionContext,
+		mappingInfo: _MappingInfo
+	) -> None:
+		super().__init__()
+
+		self.statusBar = extractionCtx.statusBar
+		self.machoCtx = extractionCtx.machoCtx
+
+		self.dyldCtx = mappingInfo.dyldCtx
+		self.mapping = mappingInfo.mapping
+		self.slideInfo = mappingInfo.slideInfo
+
+	def run(self) -> None:
+		self.statusBar.update(unit="Slide Info Rebaser")
+
+		pageStartsOff = self.slideInfo._fileOff_ + len(self.slideInfo)
+		pageStarts = self.dyldCtx.getBytes(
+			pageStartsOff,
+			self.slideInfo.page_starts_count * 2
+		)
+		pageStarts = [page[0] for page in struct.iter_unpack("<H", pageStarts)]
+
+		for segment in self.machoCtx.segmentsI:
+			self._rebaseSegment(pageStarts, segment.seg)
+			pass
+		pass
+
+	def _rebaseSegment(
+		self,
+		pageStarts: Tuple[int],
+		segment: segment_command_64
+	) -> None:
+		# Check if the segment is included in the mapping
+		if not (
+			segment.vmaddr >= self.mapping.address
+			and segment.vmaddr < self.mapping.address + self.mapping.size
+		):
+			return
+
+		ctx = self.machoCtx.ctxForAddr(segment.vmaddr)
+
+		# Get the indices of relevant pageStarts
+		dataStart = self.mapping.address
+		pageSize = self.slideInfo.page_size
+
+		startAddr = segment.vmaddr - dataStart
+		startIndex = int(startAddr / pageSize)
+
+		endAddr = ((segment.vmaddr + segment.vmsize) - dataStart) + pageSize
+		endIndex = int(endAddr / pageSize)
+		endIndex = min(endIndex, len(pageStarts))
+
+		for i in range(startIndex, endIndex):
+			page = pageStarts[i]
+
+			if page == DYLD_CACHE_SLIDE_V5_PAGE_ATTR_NO_REBASE:
+				continue
+			else:
+				pageOff = (i * pageSize) + self.mapping.fileOffset
+				self._rebasePage(ctx, pageOff, page)
+
+				self.statusBar.update(status="Rebasing Pages")
+		pass
+
+	def _rebasePage(
+		self,
+		ctx: MachOContext,
+		pageOffset: int,
+		delta: int
+	) -> None:
+		locOff = pageOffset
+
+		while True:
+			locOff += delta
+			locInfo = dyld_cache_slide_pointer5(self.dyldCtx.file, locOff)
+
+			# It appears the delta encoded in the pointers are 64-bit jumps...
+			delta = locInfo.regular.next * 8
+
+			if locInfo.auth.auth:
+				newValue = self.slideInfo.value_add + locInfo.auth.runtimeOffset
+			else:
+				newValue = self.slideInfo.value_add + locInfo.regular.runtimeOffset
+
+			ctx.writeBytes(locOff, struct.pack("<Q", newValue))
+
+			if delta == 0:
+				break
+			pass
+		pass
+	pass
+
 
 def _getMappingInfo(
 	extractionCtx: ExtractionContext
@@ -385,7 +484,22 @@ def slideAddress(self, address: int) -> int:
 						bottom43Bits = value51 & 0x000007FFFFFFFFFF
 						return (top8Bits << 13) | bottom43Bits
 
+				# arm64e pointer (iOS 18+, macOS 14.4+)
+				elif slideInfo.version == 5:
+					slideInfo = dyld_cache_slide_pointer5(context.file, offset)
+					
+					if slideInfo.auth.auth:
+						value = info.slideInfo.value_add + slideInfo.auth.runtimeOffset
+					else:
+						value = info.slideInfo.value_add + slideInfo.regular.runtimeOffset
+
+					if value == 0x180000000:
+						return 0x0
+					
+					return value
+
 				else:
+					print(f"Unknown slide version: {slideInfo.version}.")
 					return None
 
 		return None
@@ -467,5 +581,7 @@ def processSlideInfo(extractionCtx: ExtractionContext) -> None:
 			_V2Rebaser(extractionCtx, info).run()
 		elif info.slideInfo.version == 3:
 			_V3Rebaser(extractionCtx, info).run()
+		elif info.slideInfo.version == 5:
+			_V5Rebaser(extractionCtx, info).run()
 		else:
 			logger.error("Unknown slide version.")