dyld-shared-cache-extractor and Hopper.app extract different addresses in data.
For example, in the CoreDisplay framework extracted by dyld-shared-cache-extractor, I see the following:
There's a string literal here:
```
aDsctargetbpp:
00007ff8025e80f2 db "dscTargetBPP", 0
```
which is used in a cfstring here:
```
00007ff840505778 dq 0x0000040043146b28, 0x00000000000007c8, 0x00000400025e80f2, 0x000000000000000c ; DATA XREF=_CGXMappedDisplayStart+3905
```
However, the addresses in the cfstring have `00000400` instead of `00007ff8` for the upper 32 bits. I don't know why.
Maybe it's an issue with the disassembler. I'm using Hopper.app but otool shows the same addresses and data. I guess that makes sense since they're both looking at the same extracted binary.
I tried the "Read File From DYLD Cache..." command in Hopper.app and it produces better results:
```
aDsctargetbpp:
00007ff8025e80f2 db "dscTargetBPP", 0 ; DATA XREF=cfstring_dscTargetBPP
cfstring_dscTargetBPP:
00007ff840505778 dq 0x00007ff843146b28, 0x00000000000007c8, 0x00007ff8025e80f2, 0x000000000000000c ; "dscTargetBPP", DATA XREF=_CGXMappedDisplayStart+3905
```