Pro.MachO — API for parsing Mach-O executables

Overview

The Pro.MachO module contains the API for parsing Mach-O executables.

Stripping Local Symbols

The following code example demonstrates how to strip the local symbols in a Mach-O binary by zero-filling their names in the string table:

from Pro.Core import *
from Pro.MachO import *

def stripMachO(srcname, dstname):
    # open the source file as a container
    oldc = createContainerFromFile(srcname)
    if oldc.isNull():
        print("error: couldn't open '%s'" % (srcname,))
        return
    obj = MachObject()
    if not obj.Load(oldc):
        print("error: couldn't load Mach-O")
        return
    obj.ProcessLoadCommands()
    # work on a copy, so that the source container is left untouched
    newc = oldc.copyToNewContainer()

    # symbol table load command: 'stroff' is the offset of the string table
    symlc = obj.SymTableLC()
    stroffs = symlc.Num("stroff")

    it = obj.SymbolNList(symlc).iterator()
    while it.hasNext():
        syms = it.next()
        # only local symbols: skip entries not defined in any section (sect == 0)
        if syms.Num("sect") == 0:
            continue
        # locate the symbol name in the string table and overwrite it with zeros
        nameoffs = obj.AddressToOffset(syms.Num("strx") + stroffs)
        name, ret = obj.ReadUInt8String(nameoffs, 0x10000)
        newc.fill(nameoffs, 0, len(name))

    # note: the modified bytes no longer match an existing code signature
    if newc.save(dstname):
        print("successfully stripped all local symbols!")
    else:
        print("error: couldn't save stripped binary to '%s'" % (dstname,))

Module API

Pro.MachO module API.

Attributes:

BIND_IMMEDIATE_MASK

Mask to extract the immediate value from a bind opcode.

BIND_OPCODE_ADD_ADDR_ULEB

Bind opcode to add an address from a ULEB128 value to the current address.

BIND_OPCODE_DONE

Bind opcode indicating the end of the bind commands.

BIND_OPCODE_DO_BIND

Bind opcode to perform the binding at the current address and advance the address by the size of a pointer.

BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED

Bind opcode to perform the binding at the current address, then add an immediate value scaled by the pointer size to the address.

BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB

Bind opcode to perform the binding at the current address, then add an address from a ULEB128 value to the current address.

BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB

Bind opcode to perform a series of binds.

BIND_OPCODE_MASK

Mask to extract the opcode from a bind opcode byte.

BIND_OPCODE_SET_ADDEND_SLEB

Bind opcode to set the addend to a SLEB128 value.

BIND_OPCODE_SET_DYLIB_ORDINAL_IMM

Bind opcode to set the dylib ordinal to an immediate value.

BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB

Bind opcode to set the dylib ordinal to a ULEB128 value.

BIND_OPCODE_SET_DYLIB_SPECIAL_IMM

Bind opcode to set the dylib ordinal to a special immediate value.

BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB

Bind opcode to set the segment and offset for the binding operation.

BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM

Bind opcode to set the symbol name and flags.

BIND_OPCODE_SET_TYPE_IMM

Bind opcode to set the binding type to an immediate value.

BIND_SPECIAL_DYLIB_FLAT_LOOKUP

Special dylib ordinal indicating flat namespace lookup.

BIND_SPECIAL_DYLIB_MAIN_EXECUTABLE

Special dylib ordinal indicating the main executable.

BIND_SPECIAL_DYLIB_SELF

Special dylib ordinal indicating the image being loaded.

BIND_SYMBOL_FLAGS_NON_WEAK_DEFINITION

Flag indicating the symbol is a non-weak definition.

BIND_SYMBOL_FLAGS_WEAK_IMPORT

Flag indicating the symbol is a weak import.

BIND_TYPE_POINTER

Binding type indicating a pointer relocation.

BIND_TYPE_TEXT_ABSOLUTE32

Binding type for an absolute 32-bit text relocation.

BIND_TYPE_TEXT_PCREL32

Binding type for a PC-relative 32-bit text relocation.

EXPORT_SYMBOL_FLAGS_KIND_MASK

Mask to extract the kind of exported symbol.

EXPORT_SYMBOL_FLAGS_KIND_REGULAR

Flag indicating a regular exported symbol.

EXPORT_SYMBOL_FLAGS_KIND_THREAD_LOCAL

Flag indicating a thread-local storage (TLS) exported symbol.

EXPORT_SYMBOL_FLAGS_REEXPORT

Flag indicating the symbol is re-exported from another dylib.

EXPORT_SYMBOL_FLAGS_STUB_AND_RESOLVER

Flag indicating the symbol has a stub and resolver function.

EXPORT_SYMBOL_FLAGS_WEAK_DEFINITION

Flag indicating the symbol is a weak definition.

INDIRECT_SYMBOL_ABS

Special symbol index indicating an absolute symbol.

INDIRECT_SYMBOL_LOCAL

Special symbol index indicating a local symbol.

LC_CODE_SIGNATURE

Load command for code signature data.

LC_DATA_IN_CODE

Load command indicating data in code entries.

LC_DYLD_ENVIRONMENT

Load command containing environment variables to be set before loading the dynamic linker.

LC_DYLD_INFO

Load command with compressed dyld information.

LC_DYLD_INFO_ONLY

Similar to LC_DYLD_INFO, but only used during the build process and not loaded into memory.

LC_DYLIB_CODE_SIGN_DRS

Load command containing code signing data range structures.

LC_DYSYMTAB

Load command containing the dynamic symbol table information.

LC_ENCRYPTION_INFO

Load command containing information about encrypted segments.

LC_ENCRYPTION_INFO_64

64-bit version of LC_ENCRYPTION_INFO.

LC_FUNCTION_STARTS

Load command containing offsets to function starts for unwinding tables.

LC_FVMFILE

Obsolete load command used for fixed VM shared libraries.

LC_IDENT

Obsolete load command used for object identification.

LC_IDFVMLIB

Obsolete load command used to identify fixed VM shared libraries.

LC_ID_DYLIB

Load command specifying the identification of the dynamic library being generated.

LC_ID_DYLINKER

Load command specifying the identification of the dynamic linker being used.

LC_LAZY_LOAD_DYLIB

Load command indicating a dynamically linked shared library that is lazily loaded.

LC_LINKER_OPTIMIZATION_HINT

Load command containing linker optimization hints.

LC_LINKER_OPTION

Load command specifying options to pass to the linker.

LC_LOADFVMLIB

Obsolete load command used to load a fixed VM shared library.

LC_LOAD_DYLIB

Load command specifying a dynamically linked shared library to load.

LC_LOAD_DYLINKER

Load command specifying the dynamic linker to use.

LC_LOAD_UPWARD_DYLIB

Load command specifying an upwardly linked dynamic library.

LC_LOAD_WEAK_DYLIB

Load command specifying a weakly linked dynamic library.

LC_MAIN

Load command indicating the main entry point of a Mach-O binary, replacing the legacy LC_UNIXTHREAD.

LC_PREBIND_CKSUM

Load command containing the prebind checksum.

LC_PREBOUND_DYLIB

Load command indicating a prebound dynamic library.

LC_PREPAGE

Obsolete load command used for prepage information.

LC_REEXPORT_DYLIB

Load command specifying a re-exported dynamic library.

LC_REQ_DYLD

Flag indicating that the load command is required by the dynamic linker.

LC_ROUTINES

Load command containing the address of the dynamic shared library initialization routine.

LC_ROUTINES_64

64-bit version of LC_ROUTINES.

LC_RPATH

Load command specifying a runtime path to search for dynamic libraries.

LC_SEGMENT

Load command defining a segment of this file to be mapped into memory.

LC_SEGMENT_64

64-bit version of LC_SEGMENT.

LC_SEGMENT_SPLIT_INFO

Load command containing information about segment splitting.

LC_SOURCE_VERSION

Load command specifying the source version used to build the binary.

LC_SUB_CLIENT

Load command specifying a sub-client of the dynamic library.

LC_SUB_FRAMEWORK

Load command specifying the sub-framework of an umbrella framework.

LC_SUB_LIBRARY

Load command specifying a sub-library of the dynamic library.

LC_SUB_UMBRELLA

Load command specifying a sub-umbrella of the dynamic library.

LC_SYMSEG

Obsolete load command used for the symbolic information segment.

LC_SYMTAB

Load command containing the symbol table information.

LC_THREAD

Load command specifying a thread’s state information.

LC_TWOLEVEL_HINTS

Load command containing two-level namespace lookup hints.

LC_UNIXTHREAD

Load command specifying a Unix thread’s state information.

LC_UUID

Load command containing a unique UUID identifier for the binary.

LC_VERSION_MIN_IPHONEOS

Load command specifying the minimum version of iPhoneOS required.

LC_VERSION_MIN_MACOSX

Load command specifying the minimum version of macOS required.

LOAD_COMMAND_SIZE

Size in bytes of the load command header (command type and size).

MAX_LC_NAME

Maximum length of the name field in a load command.

MH_ALLMODSBOUND

Indicates that the binary was bound with all two-level namespace modules bound.

MH_ALLOW_STACK_EXECUTION

Allows stack execution in the binary.

MH_BINDATLOAD

Indicates that the dynamic linker should bind the binary at load time.

MH_BINDS_TO_WEAK

Indicates that the binary binds to weak symbols.

MH_BUNDLE

Indicates the binary is a bundle.

MH_CANONICAL

Indicates the binary uses canonical architectures.

MH_CORE

Indicates the binary is a core file.

MH_DEAD_STRIPPABLE_DYLIB

Indicates that the dynamic library is dead-strippable.

MH_DSYM

Indicates the binary is a dSYM companion file.

MH_DYLDLINK

Indicates that the binary is input for the dynamic linker.

MH_DYLIB

Indicates the binary is a dynamic shared library.

MH_DYLIB_STUB

Indicates the binary is a dynamic shared library stub.

MH_DYLINKER

Indicates the binary is a dynamic linker.

MH_EXECUTE

Indicates the binary is an executable.

MH_FORCE_FLAT

Forces the use of flat namespace bindings.

MH_FVMLIB

Indicates the binary is a fixed VM shared library.

MH_HAS_TLV_DESCRIPTORS

Indicates that the binary has thread-local variables.

MH_INCRLINK

Indicates the binary is for incremental linking.

MH_KEXT_BUNDLE

Indicates the binary is a kernel extension bundle.

MH_LAZY_INIT

Indicates that the dynamic linker should lazily initialize the binary.

MH_NOFIXPREBINDING

Indicates that prebinding should not be fixed up.

MH_NOMULTIDEFS

Indicates that multiple definitions are not allowed.

MH_NOUNDEFS

Indicates that the binary has no undefined references.

MH_NO_HEAP_EXECUTION

Indicates that the heap is marked as non-executable.

MH_NO_REEXPORTED_DYLIBS

Indicates that the binary contains no re-exported dynamic libraries.

MH_OBJECT

Indicates the binary is a relocatable object file.

MH_PIE

Indicates that the binary is a position-independent executable.

MH_PREBINDABLE

Indicates that the binary can have prebinding redone.

MH_PREBOUND

Indicates that the binary is prebound.

MH_PRELOAD

Indicates the binary is a preload executable.

MH_ROOT_SAFE

Indicates the binary is safe for use by root.

MH_SETUID_SAFE

Indicates the binary is safe for use in setuid processes.

MH_SPLIT_SEGS

Indicates that the binary uses split segments.

MH_SUBSECTIONS_VIA_SYMBOLS

Indicates that the binary supports dividing sections into sub-sections via symbols for dead code stripping.

MH_TWOLEVEL

Indicates the binary uses two-level namespace bindings.

MH_WEAK_DEFINES

Indicates that the binary contains weak symbol definitions.

REBASE_IMMEDIATE_MASK

Mask to extract the immediate value from a rebase opcode.

REBASE_OPCODE_ADD_ADDR_IMM_SCALED

Rebase opcode to add to the address an immediate value scaled by the pointer size.

REBASE_OPCODE_ADD_ADDR_ULEB

Rebase opcode to add an address from a ULEB128 value to the current address.

REBASE_OPCODE_DONE

Rebase opcode indicating the end of the rebase commands.

REBASE_OPCODE_DO_REBASE_ADD_ADDR_ULEB

Rebase opcode to perform rebase and then add an address from a ULEB128 value.

REBASE_OPCODE_DO_REBASE_IMM_TIMES

Rebase opcode to perform an immediate number of rebases.

REBASE_OPCODE_DO_REBASE_ULEB_TIMES

Rebase opcode to perform a ULEB128 number of rebases.

REBASE_OPCODE_DO_REBASE_ULEB_TIMES_SKIPPING_ULEB

Rebase opcode to perform a ULEB128 number of rebases, skipping a ULEB128 amount between each.

REBASE_OPCODE_MASK

Mask to extract the opcode from a rebase opcode byte.

REBASE_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB

Rebase opcode to set the segment and offset using a ULEB128 value.

REBASE_OPCODE_SET_TYPE_IMM

Rebase opcode to set the rebase type to an immediate value.

REBASE_TYPE_POINTER

Rebase type indicating a pointer relocation.

REBASE_TYPE_TEXT_ABSOLUTE32

Rebase type for an absolute 32-bit text relocation.

REBASE_TYPE_TEXT_PCREL32

Rebase type for a PC-relative 32-bit text relocation.

SECTION_ATTRIBUTES

Mask to extract section attributes.

SECTION_ATTRIBUTES_SYS

Mask for system section attributes.

SECTION_ATTRIBUTES_USR

Mask for user section attributes.

SECTION_TYPE

Mask to extract the section type.

SG_FVMLIB

Segment flag indicating that the segment is for a fixed VM shared library.

SG_HIGHVM

Segment flag indicating that the segment uses high virtual memory addresses.

SG_NORELOC

Segment flag indicating that the segment has no relocation entries.

SG_PROTECTED_VERSION_1

Segment flag indicating that the segment is protected version 1.

S_16BYTE_LITERALS

Section type for 16-byte literals.

S_4BYTE_LITERALS

Section type for 4-byte literals.

S_8BYTE_LITERALS

Section type for 8-byte literals.

S_ATTR_DEBUG

Section attribute indicating a debug section.

S_ATTR_EXT_RELOC

Section attribute indicating external relocation entries.

S_ATTR_LIVE_SUPPORT

Section attribute indicating live support.

S_ATTR_LOC_RELOC

Section attribute indicating local relocation entries.

S_ATTR_NO_DEAD_STRIP

Section attribute indicating that the section should not be dead stripped.

S_ATTR_NO_TOC

Section attribute indicating that the section contains code not safe for position independence.

S_ATTR_PURE_INSTRUCTIONS

Section attribute indicating pure instructions.

S_ATTR_SELF_MODIFYING_CODE

Section attribute indicating self-modifying code.

S_ATTR_SOME_INSTRUCTIONS

Section attribute indicating that the section contains some machine instructions.

S_ATTR_STRIP_STATIC_SYMS

Section attribute indicating that static symbols in this section should be stripped.

S_COALESCED

Section type for coalesced symbols.

S_CSTRING_LITERALS

Section type for literal C strings.

S_DTRACE_DOF

Section type for DTrace Object Format.

S_GB_ZEROFILL

Section type for gigabyte zero-fill.

S_INTERPOSING

Section type for interposing symbols.

S_LAZY_DYLIB_SYMBOL_POINTERS

Section type for lazy dynamic library symbol pointers.

S_LAZY_SYMBOL_POINTERS

Section type for lazy symbol pointers.

S_LITERAL_POINTERS

Section type for literal pointers.

S_MOD_INIT_FUNC_POINTERS

Section type for module initialization function pointers.

S_MOD_TERM_FUNC_POINTERS

Section type for module termination function pointers.

S_NON_LAZY_SYMBOL_POINTERS

Section type for non-lazy symbol pointers.

S_REGULAR

Regular section type.

S_SYMBOL_STUBS

Section type for symbol stubs.

S_THREAD_LOCAL_INIT_FUNCTION_POINTERS

Section type for thread-local initialization function pointers.

S_THREAD_LOCAL_REGULAR

Section type for thread-local regular variables.

S_THREAD_LOCAL_VARIABLES

Section type for thread-local variables.

S_THREAD_LOCAL_VARIABLE_POINTERS

Section type for pointers to thread-local variables.

S_THREAD_LOCAL_ZEROFILL

Section type for thread-local zero-fill variables.

S_ZEROFILL

Section type for zero-fill on demand.

Classes:

FatObject()

Represents a Mach-O Fat binary, which contains multiple architectures.

ImportInfo()

Represents information about an imported symbol in a Mach-O binary.

ImportInfoList()

List of ImportInfo elements.

ImportInfoListIt(obj)

Iterator class for ImportInfoList.

LoadCmdInfo()

Represents information about a Mach-O load command.

MachObject()

Represents a Mach-O object file.

BIND_IMMEDIATE_MASK: Final[int]

Mask to extract the immediate value from a bind opcode. Used when parsing the dyld bind opcodes to get the immediate value.

See also BIND_OPCODE_MASK.

BIND_OPCODE_ADD_ADDR_ULEB: Final[int]

Bind opcode to add an address from a ULEB128 value to the current address. This opcode adjusts the address by a ULEB128 value.

BIND_OPCODE_DONE: Final[int]

Bind opcode indicating the end of the bind commands. This opcode signifies that there are no more bind commands.

BIND_OPCODE_DO_BIND: Final[int]

Bind opcode to perform the binding at the current address and advance the address by the size of a pointer.

BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED: Final[int]

Bind opcode to perform the binding at the current address, then add an immediate value scaled by the pointer size to the address.

BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB: Final[int]

Bind opcode to perform the binding at the current address, then add an address from a ULEB128 value to the current address.

BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB: Final[int]

Bind opcode to perform a series of binds. The number of times and skip amount are specified by ULEB128 values.

BIND_OPCODE_MASK: Final[int]

Mask to extract the opcode from a bind opcode byte. Used when parsing dyld bind opcodes to isolate the opcode.

See also BIND_IMMEDIATE_MASK.

BIND_OPCODE_SET_ADDEND_SLEB: Final[int]

Bind opcode to set the addend to a SLEB128 value. The addend is used in pointer arithmetic during binding.

BIND_OPCODE_SET_DYLIB_ORDINAL_IMM: Final[int]

Bind opcode to set the dylib ordinal to an immediate value. The ordinal specifies which library the symbol is in.

BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB: Final[int]

Bind opcode to set the dylib ordinal to a ULEB128 value. Used when the ordinal exceeds 15.

BIND_OPCODE_SET_DYLIB_SPECIAL_IMM: Final[int]

Bind opcode to set the dylib ordinal to a special immediate value. Negative ordinals are used for special libraries.

See also BIND_SPECIAL_DYLIB_SELF, BIND_SPECIAL_DYLIB_MAIN_EXECUTABLE, BIND_SPECIAL_DYLIB_FLAT_LOOKUP.

BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB: Final[int]

Bind opcode to set the segment and offset for the binding operation. The segment is specified by an immediate value, and the offset is a ULEB128.

BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM: Final[int]

Bind opcode to set the symbol name and flags. The symbol name is specified as a null-terminated string following the opcode.

BIND_OPCODE_SET_TYPE_IMM: Final[int]

Bind opcode to set the binding type to an immediate value. The type specifies how the binding should be performed.

See also BIND_TYPE_POINTER, BIND_TYPE_TEXT_ABSOLUTE32, BIND_TYPE_TEXT_PCREL32.

BIND_SPECIAL_DYLIB_FLAT_LOOKUP: Final[int]

Special dylib ordinal indicating flat namespace lookup. Used when binding symbols in flat namespace.

BIND_SPECIAL_DYLIB_MAIN_EXECUTABLE: Final[int]

Special dylib ordinal indicating the main executable. Used when binding symbols from the main executable.

BIND_SPECIAL_DYLIB_SELF: Final[int]

Special dylib ordinal indicating the image being loaded. Used when binding symbols within the same image.

BIND_SYMBOL_FLAGS_NON_WEAK_DEFINITION: Final[int]

Flag indicating the symbol is a non-weak definition. Used in binding to specify symbol characteristics.

BIND_SYMBOL_FLAGS_WEAK_IMPORT: Final[int]

Flag indicating the symbol is a weak import. Weak imports can be missing at runtime without causing an error.

BIND_TYPE_POINTER: Final[int]

Binding type indicating a pointer relocation. The address pointed to by the location needs to be updated.

BIND_TYPE_TEXT_ABSOLUTE32: Final[int]

Binding type for an absolute 32-bit text relocation. Used for 32-bit absolute addresses in code.

BIND_TYPE_TEXT_PCREL32: Final[int]

Binding type for a PC-relative 32-bit text relocation. Used for 32-bit relative addresses in code.

EXPORT_SYMBOL_FLAGS_KIND_MASK: Final[int]

Mask to extract the kind of exported symbol. Used in parsing the export trie to determine symbol type.

EXPORT_SYMBOL_FLAGS_KIND_REGULAR: Final[int]

Flag indicating a regular exported symbol.

EXPORT_SYMBOL_FLAGS_KIND_THREAD_LOCAL: Final[int]

Flag indicating a thread-local storage (TLS) exported symbol.

EXPORT_SYMBOL_FLAGS_REEXPORT: Final[int]

Flag indicating the symbol is re-exported from another dylib.

EXPORT_SYMBOL_FLAGS_STUB_AND_RESOLVER: Final[int]

Flag indicating the symbol has a stub and resolver function.

EXPORT_SYMBOL_FLAGS_WEAK_DEFINITION: Final[int]

Flag indicating the symbol is a weak definition.

class FatObject

Bases: Pro.Core.CFFObject

Represents a Mach-O Fat binary, which contains multiple architectures.

Methods:

Architectures()

Returns the list of architectures contained in the Fat binary.

Architectures() → Pro.Core.CFFStruct

Returns the list of architectures contained in the Fat binary.

Returns

A structure containing the architectures.

Return type

CFFStruct

INDIRECT_SYMBOL_ABS: Final[int]

Special symbol index indicating an absolute symbol. Used in the indirect symbol table.

INDIRECT_SYMBOL_LOCAL: Final[int]

Special symbol index indicating a local symbol. Used in the indirect symbol table.

class ImportInfo

Represents information about an imported symbol in a Mach-O binary.

Attributes:

libord

The ordinal number of the dylib from which the symbol is imported.

name

The name of the imported symbol.

segidx

The index of the segment where the symbol is located.

segoffs

The offset within the segment of the imported symbol.
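
Added example (not part of the Cerbero SDK or its documentation): a stand-alone decoder for the bind opcode stream that the BIND_* constants above describe, producing records with the same four fields as ImportInfo. The opcode values are those of Apple's <mach-o/loader.h>; Import, U64, read_leb128, parse_bind_opcodes, the max_binds limit and the SAMPLE stream are constructed for this example.

```python
# Stand-alone decoder for the dyld bind opcode stream (constructed example).
# Opcode values are those of <mach-o/loader.h>, redefined to run without the SDK.
from collections import namedtuple

BIND_OPCODE_MASK = 0xF0
BIND_IMMEDIATE_MASK = 0x0F
BIND_OPCODE_DONE = 0x00
BIND_OPCODE_SET_DYLIB_ORDINAL_IMM = 0x10
BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB = 0x20
BIND_OPCODE_SET_DYLIB_SPECIAL_IMM = 0x30
BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM = 0x40
BIND_OPCODE_SET_TYPE_IMM = 0x50
BIND_OPCODE_SET_ADDEND_SLEB = 0x60
BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB = 0x70
BIND_OPCODE_ADD_ADDR_ULEB = 0x80
BIND_OPCODE_DO_BIND = 0x90
BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB = 0xA0
BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED = 0xB0
BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB = 0xC0

# Hypothetical record type carrying the same four fields as ImportInfo.
Import = namedtuple("Import", "libord name segidx segoffs")
U64 = 0xFFFFFFFFFFFFFFFF  # segment offsets wrap like 64-bit integers

def read_leb128(data, pos, signed=False):
    """Decode one ULEB128/SLEB128 value; return (value, next position)."""
    result = shift = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated LEB128 value")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
        if shift > 63:
            raise ValueError("LEB128 value wider than 64 bits")
    if signed and byte & 0x40:
        result -= 1 << shift  # sign-extend
    return result, pos

def parse_bind_opcodes(data, ptr_size=8, max_binds=1000000):
    """Decode a (non-lazy) bind stream into a list of Import records."""
    libord, name, segidx, segoffs, pos, imports = 0, "", 0, 0, 0, []

    def bind(advance):
        nonlocal segoffs
        if len(imports) >= max_binds:  # bound the work done on hostile input
            raise ValueError("too many binds")
        imports.append(Import(libord, name, segidx, segoffs))
        segoffs = (segoffs + ptr_size + advance) & U64

    while pos < len(data):
        opcode, imm = data[pos] & BIND_OPCODE_MASK, data[pos] & BIND_IMMEDIATE_MASK
        pos += 1
        if opcode == BIND_OPCODE_DONE:
            break
        elif opcode == BIND_OPCODE_SET_DYLIB_ORDINAL_IMM:
            libord = imm
        elif opcode == BIND_OPCODE_SET_DYLIB_ORDINAL_ULEB:
            libord, pos = read_leb128(data, pos)
        elif opcode == BIND_OPCODE_SET_DYLIB_SPECIAL_IMM:
            # sign-extend the nibble: 0 = self, -1 = main executable, -2 = flat
            libord = (imm | ~BIND_IMMEDIATE_MASK) if imm else 0
        elif opcode == BIND_OPCODE_SET_SYMBOL_TRAILING_FLAGS_IMM:
            end = data.find(b"\x00", pos)
            if end < 0:
                raise ValueError("unterminated symbol name")
            name, pos = data[pos:end].decode("utf-8", "replace"), end + 1
        elif opcode == BIND_OPCODE_SET_TYPE_IMM:
            pass  # the binding type is not needed for an import listing
        elif opcode == BIND_OPCODE_SET_ADDEND_SLEB:
            _, pos = read_leb128(data, pos, signed=True)
        elif opcode == BIND_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB:
            segidx = imm
            segoffs, pos = read_leb128(data, pos)
        elif opcode == BIND_OPCODE_ADD_ADDR_ULEB:
            delta, pos = read_leb128(data, pos)
            segoffs = (segoffs + delta) & U64
        elif opcode == BIND_OPCODE_DO_BIND:
            bind(0)
        elif opcode == BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB:
            delta, pos = read_leb128(data, pos)
            bind(delta)
        elif opcode == BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED:
            bind(imm * ptr_size)
        elif opcode == BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB:
            count, pos = read_leb128(data, pos)
            skip, pos = read_leb128(data, pos)
            for _ in range(count):
                bind(skip)
        else:
            raise ValueError("unknown bind opcode 0x%02x" % opcode)
    return imports

# Constructed sample stream: three symbols bound into segment 2.
SAMPLE = (b"\x11\x40_malloc\x00\x51\x72\x10\x90"  # ordinal 1, name, type, seg 2 + 0x10, bind
          b"\x40_free\x00\xB1"                    # name, bind, then skip one pointer
          b"\x3E\x40_hook\x00\xC0\x02\x08\x00")   # flat lookup, name, 2 binds skipping 8, done
```

Calling parse_bind_opcodes(SAMPLE) yields four records; a truncated or oversized stream raises ValueError instead of producing partial results.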

class ImportInfoList

List of ImportInfo elements.

Methods:

append(value)

Inserts value at the end of the list.

at(i)

Returns the item at index position i in the list.

clear()

Removes all items from the list.

contains(value)

Checks the presence of an element in the list.

count(value)

Returns the number of occurrences of value in the list.

indexOf(value[, start])

Searches for an element in the list.

insert(i, value)

Inserts value at index position i in the list.

isEmpty()

Checks whether the list is empty.

iterator()

Creates an iterator for the list.

removeAll(value)

Removes all occurrences of value in the list and returns the number of entries removed.

removeAt(i)

Removes the item at index position i.

reserve(alloc)

Reserves space for alloc elements.

size()

Returns the number of items in the list.

takeAt(i)

Removes the item at index position i and returns it.

append(value: Pro.MachO.ImportInfo) → None

Inserts value at the end of the list.

Parameters

value (ImportInfo) – The value to add to the list.

See also insert().

at(i: int) → Pro.MachO.ImportInfo

Returns the item at index position i in the list. i must be a valid index position in the list (i.e., 0 <= i < size()).

Parameters

i (int) – The index of the element to return.

Returns

Returns the requested element.

Return type

ImportInfo

clear() → None

Removes all items from the list.

contains(value: Pro.MachO.ImportInfo) → bool

Checks the presence of an element in the list.

Parameters

value (ImportInfo) – The value to check for.

Returns

Returns True if the list contains an occurrence of value; otherwise returns False.

Return type

bool

See also indexOf() and count().

count(value: Pro.MachO.ImportInfo) → int

Returns the number of occurrences of value in the list.

Parameters

value (ImportInfo) – The value to count.

Returns

Returns the number of occurrences.

Return type

int

See also indexOf() and contains().

indexOf(value: Pro.MachO.ImportInfo, start: int = 0) → int

Searches for an element in the list.

Parameters
  • value (ImportInfo) – The value to search for.

  • start (int) – The start index.

Returns

Returns the index position of the first occurrence of value in the list. Returns -1 if no item was found.

Return type

int

See also contains().

insert(i: int, value: Pro.MachO.ImportInfo) → None

Inserts value at index position i in the list. If i is 0, the value is prepended to the list. If i is size(), the value is appended to the list.

Parameters
  • i (int) – The position at which to add the value.

  • value (ImportInfo) – The value to add.

See also append() and removeAt().

isEmpty() → bool

Checks whether the list is empty.

Returns

Returns True if the list contains no items; otherwise returns False.

Return type

bool

See also size().

iterator() → Pro.MachO.ImportInfoListIt

Creates an iterator for the list.

Returns

Returns the iterator.

Return type

ImportInfoListIt

removeAll(value: Pro.MachO.ImportInfo) → int

Removes all occurrences of value in the list and returns the number of entries removed.

Parameters

value (ImportInfo) – The value to remove from the list.

Returns

Returns the number of entries removed.

Return type

int

See also removeAt().

removeAt(i: int) → None

Removes the item at index position i. i must be a valid index position in the list (i.e., 0 <= i < size()).

Parameters

i (int) – The index of the item to remove.

See also removeAll().

reserve(alloc: int) → None

Reserves space for alloc elements. Calling this method doesn’t change the size of the list.

Parameters

alloc (int) – The number of elements to reserve space for.

size() → int

Returns

Returns the number of items in the list.

Return type

int

See also isEmpty().

takeAt(i: int) → Pro.MachO.ImportInfo

Removes the item at index position i and returns it. i must be a valid index position in the list (i.e., 0 <= i < size()).

Parameters

i (int) – The index of the element to remove from the list.

Returns

Returns the removed element. If you don’t use the return value, removeAt() is more efficient.

Return type

ImportInfo

See also removeAt().

class ImportInfoListIt(obj: Pro.MachO.ImportInfoList)

Iterator class for ImportInfoList.

Parameters

obj (ImportInfoList) – The object to iterate over.

Methods:

hasNext()

Returns True if there is at least one item ahead of the iterator, i.e. the iterator is not at the back of the container; otherwise returns False.

hasPrevious()

Returns True if there is at least one item behind the iterator, i.e. the iterator is not at the front of the container; otherwise returns False.

next()

Returns the next item and advances the iterator by one position.

previous()

Returns the previous item and moves the iterator back by one position.

toBack()

Moves the iterator to the back of the container (after the last item).

toFront()

Moves the iterator to the front of the container (before the first item).

hasNext() → bool

Returns

Returns True if there is at least one item ahead of the iterator, i.e. the iterator is not at the back of the container; otherwise returns False.

Return type

bool

See also hasPrevious() and next().

hasPrevious() → bool

Returns

Returns True if there is at least one item behind the iterator, i.e. the iterator is not at the front of the container; otherwise returns False.

Return type

bool

See also hasNext() and previous().

next() → Pro.MachO.ImportInfo

Returns

Returns the next item and advances the iterator by one position.

Return type

ImportInfo

See also hasNext() and previous().

previous() → Pro.MachO.ImportInfo

Returns

Returns the previous item and moves the iterator back by one position.

Return type

ImportInfo

See also hasPrevious() and next().

toBack() → None

Moves the iterator to the back of the container (after the last item).

See also toFront() and previous().

toFront() → None

Moves the iterator to the front of the container (before the first item).

See also toBack() and next().

LC_CODE_SIGNATURE: Final[int]

Load command for code signature data. Contains the location and size of the code signature.

LC_DATA_IN_CODE: Final[int]

Load command indicating data in code entries. Used for marking data embedded within code sections.

LC_DYLD_ENVIRONMENT: Final[int]

Load command containing environment variables to be set before loading the dynamic linker.

LC_DYLD_INFO: Final[int]

Load command with compressed dyld information. Contains offsets and sizes of rebase, bind, weak bind, lazy bind, and export info.

LC_DYLD_INFO_ONLY: Final[int]

Similar to LC_DYLD_INFO, but only used during the build process and not loaded into memory.

LC_DYLIB_CODE_SIGN_DRS: Final[int]

Load command containing code signing data range structures.

LC_DYSYMTAB: Final[int]

Load command containing the dynamic symbol table information.

LC_ENCRYPTION_INFO: Final[int]

Load command containing information about encrypted segments.

LC_ENCRYPTION_INFO_64: Final[int]

64-bit version of LC_ENCRYPTION_INFO.

LC_FUNCTION_STARTS: Final[int]

Load command containing offsets to function starts for unwinding tables.

LC_FVMFILE: Final[int]

Obsolete load command used for fixed VM shared libraries.

LC_IDENT: Final[int]

Obsolete load command used for object identification.

LC_IDFVMLIB: Final[int]

Obsolete load command used to identify fixed VM shared libraries.

LC_ID_DYLIB: Final[int]

Load command specifying the identification of the dynamic library being generated.

LC_ID_DYLINKER: Final[int]

Load command specifying the identification of the dynamic linker being used.

LC_LAZY_LOAD_DYLIB: Final[int]

Load command indicating a dynamically linked shared library that is lazily loaded.

LC_LINKER_OPTIMIZATION_HINT: Final[int]

Load command containing linker optimization hints.

LC_LINKER_OPTION: Final[int]

Load command specifying options to pass to the linker.

LC_LOADFVMLIB: Final[int]

Obsolete load command used to load a fixed VM shared library.

LC_LOAD_DYLIB: Final[int]

Load command specifying a dynamically linked shared library to load.

LC_LOAD_DYLINKER: Final[int]

Load command specifying the dynamic linker to use.

LC_LOAD_UPWARD_DYLIB: Final[int]

Load command specifying an upwardly linked dynamic library.

LC_LOAD_WEAK_DYLIB: Final[int]

Load command specifying a weakly linked dynamic library.

LC_MAIN: Final[int]

Load command indicating the main entry point of a Mach-O binary, replacing the legacy LC_UNIXTHREAD.

LC_PREBIND_CKSUM: Final[int]

Load command containing the prebind checksum.

LC_PREBOUND_DYLIB: Final[int]

Load command indicating a prebound dynamic library.

LC_PREPAGE: Final[int]

Obsolete load command used for prepage information.

LC_REEXPORT_DYLIB: Final[int]

Load command specifying a re-exported dynamic library.

LC_REQ_DYLD: Final[int]

Flag indicating that the load command is required by the dynamic linker.

LC_ROUTINES: Final[int]

Load command containing the address of the dynamic shared library initialization routine.

LC_ROUTINES_64: Final[int]

64-bit version of LC_ROUTINES.

LC_RPATH: Final[int]

Load command specifying a runtime path to search for dynamic libraries.

LC_SEGMENT: Final[int]

Load command defining a segment of this file to be mapped into memory.

LC_SEGMENT_64: Final[int]

64-bit version of LC_SEGMENT.

LC_SEGMENT_SPLIT_INFO: Final[int]

Load command containing information about segment splitting.

LC_SOURCE_VERSION: Final[int]

Load command specifying the source version used to build the binary.

LC_SUB_CLIENT: Final[int]

Load command specifying a sub-client of the dynamic library.

LC_SUB_FRAMEWORK: Final[int]

Load command specifying the sub-framework of an umbrella framework.

LC_SUB_LIBRARY: Final[int]

Load command specifying a sub-library of the dynamic library.

LC_SUB_UMBRELLA: Final[int]

Load command specifying a sub-umbrella of the dynamic library.

LC_SYMSEG: Final[int]

Obsolete load command used for the symbolic information segment.

LC_SYMTAB: Final[int]

Load command containing the symbol table information.

LC_THREAD: Final[int]

Load command specifying a thread’s state information.

LC_TWOLEVEL_HINTS: Final[int]

Load command containing two-level namespace lookup hints.

LC_UNIXTHREAD: Final[int]

Load command specifying a Unix thread’s state information.

LC_UUID: Final[int]

Load command containing a unique UUID identifier for the binary.

LC_VERSION_MIN_IPHONEOS: Final[int]

Load command specifying the minimum version of iPhoneOS required.

LC_VERSION_MIN_MACOSX: Final[int]

Load command specifying the minimum version of macOS required.

LOAD_COMMAND_SIZE: Final[int]

Size in bytes of the load command header (command type and size).

class LoadCmdInfo

Represents information about a Mach-O load command.

Attributes:

cmd

The load command type.

offset

The offset in the file where the load command is located.

size

The size of the load command.

MAX_LC_NAME: Final[int]

Maximum length of the name field in a load command.

MH_ALLMODSBOUND: Final[int]

Indicates that the binary was bound with all two-level namespace modules bound.

MH_ALLOW_STACK_EXECUTION: Final[int]

Allows stack execution in the binary.

MH_BINDATLOAD: Final[int]

Indicates that the dynamic linker should bind the binary at load time.

MH_BINDS_TO_WEAK: Final[int]

Indicates that the binary binds to weak symbols.

MH_BUNDLE: Final[int]

Indicates the binary is a bundle.

MH_CANONICAL: Final[int]

Indicates the binary uses canonical architectures.

MH_CORE: Final[int]

Indicates the binary is a core file.

MH_DEAD_STRIPPABLE_DYLIB: Final[int]

Indicates that the dynamic library is dead-strippable.

MH_DSYM: Final[int]

Indicates the binary is a dSYM companion file.

Indicates that the binary is input for the dynamic linker.

MH_DYLIB: Final[int]

Indicates the binary is a dynamic shared library.

MH_DYLIB_STUB: Final[int]

Indicates the binary is a dynamic shared library stub.

MH_DYLINKER: Final[int]

Indicates the binary is a dynamic linker.

MH_EXECUTE: Final[int]

Indicates the binary is an executable.

MH_FORCE_FLAT: Final[int]

Forces the use of the flat namespace bindings.

MH_FVMLIB: Final[int]

Indicates the binary is a fixed VM shared library.

MH_HAS_TLV_DESCRIPTORS: Final[int]

Indicates that the binary has thread-local variables.

Indicates the binary is for incremental linking.

MH_KEXT_BUNDLE: Final[int]

Indicates the binary is a kernel extension bundle.

MH_LAZY_INIT: Final[int]

Indicates that the dynamic linker should lazily initialize the binary.

MH_NOFIXPREBINDING: Final[int]

Indicates that prebinding should not be fixed up.

MH_NOMULTIDEFS: Final[int]

Indicates that multiple definitions are not allowed.

MH_NOUNDEFS: Final[int]

Indicates that the binary has no undefined references.

MH_NO_HEAP_EXECUTION: Final[int]

Indicates that the heap is marked as non-executable.

MH_NO_REEXPORTED_DYLIBS: Final[int]

Indicates that the binary contains no re-exported dynamic libraries.

MH_OBJECT: Final[int]

Indicates the binary is a relocatable object file.

MH_PIE: Final[int]

Indicates that the binary is a position-independent executable.

MH_PREBINDABLE: Final[int]

Indicates that the binary can have prebinding redone.

MH_PREBOUND: Final[int]

Indicates that the binary is prebound.

MH_PRELOAD: Final[int]

Indicates the binary is a preload executable.

MH_ROOT_SAFE: Final[int]

Indicates the binary is safe for use by root.

MH_SETUID_SAFE: Final[int]

Indicates the binary is safe for use in setuid processes.

MH_SPLIT_SEGS: Final[int]

Indicates that the binary uses split segments.

MH_SUBSECTIONS_VIA_SYMBOLS: Final[int]

Indicates that the binary supports dividing sections into sub-sections via symbols for dead code stripping.

MH_TWOLEVEL: Final[int]

Indicates the binary uses two-level namespace bindings.

MH_WEAK_DEFINES: Final[int]

Indicates that the binary contains weak symbol definitions.

class MachObject

Bases: Pro.Core.CFFObject

Represents a Mach-O object file.

Methods:

AddressToOffset(address)

Converts a virtual memory address to a file offset.

AddressToSection(address)

Retrieves the section containing the given virtual memory address.

AddressToSegment(address)

Retrieves the segment containing the given virtual memory address.

BuildSymbolsValueHash(symtablc)

Builds a hash table of symbol values from the symbol table load command.

CertificateLCs()

Retrieves the offsets of all code signature load commands.

DyLibFromOrd(libord)

Retrieves the dynamic library name from its ordinal.

DyLibList()

Retrieves the list of dynamic libraries used by the Mach-O binary.

DyLibModules(dysymtablc)

Retrieves the dynamic library modules from the dynamic symbol table load command.

DySymTableLC()

Retrieves the dynamic symbol table load command.

DyTableOfContents(dysymtablc)

Retrieves the table of contents from the dynamic symbol table load command.

DyldDisassembleBind(out, dyldinfo_or_offset)

Disassembles the dyld bind information and writes it to the provided text stream.

DyldDisassembleLazyBind(out, dyldinfo)

Disassembles the dyld lazy bind information and writes it to the provided text stream.

DyldDisassembleRebase(out, dyldinfo_or_offset)

Disassembles the dyld rebase information and writes it to the provided text stream.

DyldDisassembleWeakBind(out, dyldinfo)

Disassembles the dyld weak bind information and writes it to the provided text stream.

DyldFindExportedSymbol(dyldinfo, symbol)

Finds the address of an exported symbol using the dyld info export trie.

DyldInfoLC()

Retrieves the dyld info load command.

EntryPointAddress(lc)

Retrieves the entry point address from the LC_MAIN load command.

EntryPointLCs()

Retrieves the offsets of all entry point load commands.

ExternalSymbolReferences(dysymtablc)

Retrieves the external symbol references from the dynamic symbol table load command.

FunctionStartsLC()

Retrieves the function starts load command.

FunctionStartsOffsetsAndValues(funcstartslc, …)

Retrieves the offsets and values of function starts from the function starts load command.

FunctionStartsValues(funcstartslc)

Retrieves the addresses of function starts from the function starts load command.

GetLC(index_or_info)

Retrieves a load command by index or load command info.

GetLCCount()

Retrieves the number of load commands in the Mach-O binary.

GetLCDescription(index_or_s)

Retrieves a description of the load command at the given index or structure.

GetLCInfo(index)

Retrieves the load command information at the specified index.

GetLCInfoFromOffset(offset)

Retrieves the load command information from a file offset.

GetLCName(cmd)

Retrieves the name of a load command given its command type.

IndirectSymbolTable(dysymtablc)

Retrieves the indirect symbol table from the dynamic symbol table load command.

IsEncrypted()

Checks if the Mach-O binary is encrypted.

IsMachO64()

Checks if the Mach-O binary is 64-bit.

MachHeader()

Retrieves the Mach-O header structure.

OffsetToAddress(offset)

Converts a file offset to a virtual memory address.

OffsetToSection(offset)

Retrieves the section containing the given file offset.

OffsetToSegment(offset)

Retrieves the segment containing the given file offset.

ParseAllImports(dyldinfo, imports)

Parses all import symbols from the dyld info load command.

ParseImports(offset, size, imports)

Parses import symbols from the given offset and size.

ProcessLoadCommands([decrypt])

Processes all load commands in the Mach-O binary.

ReadSLEB128(b_or_offset[, size])

Reads a signed LEB128 value from a buffer or file offset.

ReadULEB128(b_or_offset[, size])

Reads an unsigned LEB128 value from a buffer or file offset.

SectionFromOffset(cmd, offset)

Retrieves the section from a specific load command and offset.

Segment(index)

Retrieves the segment at the specified index.

SegmentCount()

Retrieves the number of segments in the Mach-O binary.

SegmentSections(seg)

Retrieves the sections within a given segment.

SymTableLC()

Retrieves the symbol table load command.

SymbolNList(symtablc)

Retrieves the nlist structures from the symbol table load command.

WasEncrypted()

Checks if the Mach-O binary was encrypted and has been decrypted.

AddressToOffset(address: int) -> int

Converts a virtual memory address to a file offset.

Parameters

address (int) – The virtual memory address.

Returns

The corresponding file offset.

Return type

int

See also OffsetToAddress(), AddressToSection() and AddressToSegment().

AddressToSection(address: int) -> Pro.Core.CFFStruct

Retrieves the section containing the given virtual memory address.

Parameters

address (int) – The virtual memory address.

Returns

The section containing the address.

Return type

CFFStruct

See also AddressToSegment() and OffsetToSection().

AddressToSegment(address: int) -> Pro.Core.CFFStruct

Retrieves the segment containing the given virtual memory address.

Parameters

address (int) – The virtual memory address.

Returns

The segment containing the address.

Return type

CFFStruct

See also AddressToSection() and OffsetToSegment().

BuildSymbolsValueHash(symtablc: Pro.Core.CFFStruct) -> Pro.Core.NTUInt64UIntHash

Builds a hash table of symbol values from the symbol table load command.

Parameters

symtablc (CFFStruct) – The symbol table load command.

Returns

A hash table mapping symbol values to their indices.

Return type

NTUInt64UIntHash

See also SymTableLC() and SymbolNList().

CertificateLCs() -> Pro.Core.NTUIntVector

Retrieves the offsets of all code signature load commands.

Returns

A vector of offsets to code signature load commands.

Return type

NTUIntVector

See also LC_CODE_SIGNATURE.

DyLibFromOrd(libord: int) -> str

Retrieves the dynamic library name from its ordinal.

Parameters

libord (int) – The ordinal number of the dynamic library.

Returns

The name of the dynamic library.

Return type

str

See also DyLibList().

DyLibList() -> Pro.Core.NTStringList

Retrieves the list of dynamic libraries used by the Mach-O binary.

Returns

A list of dynamic library names.

Return type

NTStringList

See also DyLibFromOrd().

DyLibModules(dysymtablc: Pro.Core.CFFStruct) -> Pro.Core.CFFStruct

Retrieves the dynamic library modules from the dynamic symbol table load command.

Parameters

dysymtablc (CFFStruct) – The dynamic symbol table load command.

Returns

A structure containing the dynamic library modules.

Return type

CFFStruct

See also DySymTableLC().

DySymTableLC() -> Pro.Core.CFFStruct

Retrieves the dynamic symbol table load command.

Returns

The dynamic symbol table load command.

Return type

CFFStruct

See also SymTableLC() and LC_DYSYMTAB.

DyTableOfContents(dysymtablc: Pro.Core.CFFStruct) -> Pro.Core.CFFStruct

Retrieves the table of contents from the dynamic symbol table load command.

Parameters

dysymtablc (CFFStruct) – The dynamic symbol table load command.

Returns

A structure containing the table of contents.

Return type

CFFStruct

See also DySymTableLC().

DyldDisassembleBind(out: Pro.Core.NTTextStream, dyldinfo_or_offset: Union[Pro.Core.CFFStruct, int], size: Optional[int] = None) -> None

Disassembles the dyld bind information and writes it to the provided text stream.

Parameters
  • out (NTTextStream) – The text stream to write the disassembly to.

  • dyldinfo_or_offset (Union[CFFStruct, int]) – The dyld info load command or the offset to the bind info.

  • size (Optional[int]) – The size of the bind info, if an offset is provided.

See also DyldInfoLC() and DyldDisassembleRebase().

DyldDisassembleLazyBind(out: Pro.Core.NTTextStream, dyldinfo: Pro.Core.CFFStruct) -> None

Disassembles the dyld lazy bind information and writes it to the provided text stream.

Parameters
  • out (NTTextStream) – The text stream to write the disassembly to.

  • dyldinfo (CFFStruct) – The dyld info load command.

See also DyldInfoLC() and DyldDisassembleBind().

DyldDisassembleRebase(out: Pro.Core.NTTextStream, dyldinfo_or_offset: Union[Pro.Core.CFFStruct, int], size: Optional[int] = None) -> None

Disassembles the dyld rebase information and writes it to the provided text stream.

Parameters
  • out (NTTextStream) – The text stream to write the disassembly to.

  • dyldinfo_or_offset (Union[CFFStruct, int]) – The dyld info load command or the offset to the rebase info.

  • size (Optional[int]) – The size of the rebase info, if an offset is provided.

See also DyldInfoLC() and DyldDisassembleBind().

DyldDisassembleWeakBind(out: Pro.Core.NTTextStream, dyldinfo: Pro.Core.CFFStruct) -> None

Disassembles the dyld weak bind information and writes it to the provided text stream.

Parameters
  • out (NTTextStream) – The text stream to write the disassembly to.

  • dyldinfo (CFFStruct) – The dyld info load command.

See also DyldInfoLC() and DyldDisassembleBind().

DyldFindExportedSymbol(dyldinfo: Pro.Core.CFFStruct, symbol: str) -> int

Finds the address of an exported symbol using the dyld info export trie.

Parameters
  • dyldinfo (CFFStruct) – The dyld info load command.

  • symbol (str) – The name of the symbol to find.

Returns

The address of the symbol, or 0 if not found.

Return type

int

See also DyldInfoLC().

DyldInfoLC() -> Pro.Core.CFFStruct

Retrieves the dyld info load command.

Returns

The dyld info load command.

Return type

CFFStruct

See also LC_DYLD_INFO and LC_DYLD_INFO_ONLY.

EntryPointAddress(lc: Pro.Core.CFFStruct) -> int

Retrieves the entry point address from the LC_MAIN load command.

Parameters

lc (CFFStruct) – The LC_MAIN load command.

Returns

The entry point address.

Return type

int

See also EntryPointLCs().

EntryPointLCs() -> Pro.Core.NTUIntVector

Retrieves the offsets of all entry point load commands.

Returns

A vector of offsets to entry point load commands.

Return type

NTUIntVector

See also LC_MAIN.

ExternalSymbolReferences(dysymtablc: Pro.Core.CFFStruct) -> Pro.Core.CFFStruct

Retrieves the external symbol references from the dynamic symbol table load command.

Parameters

dysymtablc (CFFStruct) – The dynamic symbol table load command.

Returns

A structure containing the external symbol references.

Return type

CFFStruct

See also DySymTableLC().

FunctionStartsLC() -> Pro.Core.CFFStruct

Retrieves the function starts load command.

Returns

The function starts load command.

Return type

CFFStruct

See also LC_FUNCTION_STARTS.

FunctionStartsOffsetsAndValues(funcstartslc: Pro.Core.CFFStruct, values: Pro.Core.NTMaxUIntVector) -> Pro.Core.NTUIntVector

Retrieves the offsets and values of function starts from the function starts load command.

Parameters
  • funcstartslc (CFFStruct) – The function starts load command.

  • values (NTMaxUIntVector) – A vector to store the function start addresses.

Returns

A vector of offsets to the function starts.

Return type

NTUIntVector

See also FunctionStartsValues().

FunctionStartsValues(funcstartslc: Pro.Core.CFFStruct) -> Pro.Core.NTMaxUIntVector

Retrieves the addresses of function starts from the function starts load command.

Parameters

funcstartslc (CFFStruct) – The function starts load command.

Returns

A vector of function start addresses.

Return type

NTMaxUIntVector

See also FunctionStartsLC() and FunctionStartsOffsetsAndValues().

GetLC(index_or_info: Union[Pro.MachO.LoadCmdInfo, int]) -> Pro.Core.CFFStruct

Retrieves a load command by index or load command info.

Parameters

index_or_info (Union[LoadCmdInfo, int]) – The index of the load command or a LoadCmdInfo instance.

Returns

The load command structure.

Return type

CFFStruct

See also GetLCInfo() and GetLCCount().

GetLCCount() -> int

Retrieves the number of load commands in the Mach-O binary.

Returns

The number of load commands.

Return type

int

See also GetLC().

GetLCDescription(index_or_s: Union[Pro.Core.CFFStruct, int]) -> str

Retrieves a description of the load command at the given index or structure.

Parameters

index_or_s (Union[CFFStruct, int]) – The index of the load command or the load command structure.

Returns

A string description of the load command.

Return type

str

See also GetLCName() and GetLC().

GetLCInfo(index: int) -> Pro.MachO.LoadCmdInfo

Retrieves the load command information at the specified index.

Parameters

index (int) – The index of the load command.

Returns

The load command information.

Return type

LoadCmdInfo

See also GetLC() and GetLCCount().

GetLCInfoFromOffset(offset: int) -> Pro.MachO.LoadCmdInfo

Retrieves the load command information from a file offset.

Parameters

offset (int) – The file offset of the load command.

Returns

The load command information.

Return type

LoadCmdInfo

See also GetLC() and GetLCInfo().

static GetLCName(cmd: int) -> str

Retrieves the name of a load command given its command type.

Parameters

cmd (int) – The load command type.

Returns

The name of the load command.

Return type

str

See also GetLCDescription().

IndirectSymbolTable(dysymtablc: Pro.Core.CFFStruct) -> Pro.Core.CFFStruct

Retrieves the indirect symbol table from the dynamic symbol table load command.

Parameters

dysymtablc (CFFStruct) – The dynamic symbol table load command.

Returns

A structure containing the indirect symbol table.

Return type

CFFStruct

See also DySymTableLC().

IsEncrypted() -> bool

Checks if the Mach-O binary is encrypted.

Returns

Returns True if the binary is encrypted; otherwise, False.

Return type

bool

See also WasEncrypted().

IsMachO64() -> bool

Checks if the Mach-O binary is 64-bit.

Returns

Returns True if the binary is 64-bit; otherwise, False.

Return type

bool

See also MachHeader().

MachHeader() -> Pro.Core.CFFStruct

Retrieves the Mach-O header structure.

Returns

The Mach-O header.

Return type

CFFStruct

See also IsMachO64().

OffsetToAddress(offset: int) -> int

Converts a file offset to a virtual memory address.

Parameters

offset (int) – The file offset.

Returns

The corresponding virtual memory address.

Return type

int

See also AddressToOffset() and OffsetToSection().

OffsetToSection(offset: int) -> Pro.Core.CFFStruct

Retrieves the section containing the given file offset.

Parameters

offset (int) – The file offset.

Returns

The section containing the offset.

Return type

CFFStruct

See also OffsetToSegment() and AddressToSection().

OffsetToSegment(offset: int) -> Pro.Core.CFFStruct

Retrieves the segment containing the given file offset.

Parameters

offset (int) – The file offset.

Returns

The segment containing the offset.

Return type

CFFStruct

See also OffsetToSection() and AddressToSegment().

ParseAllImports(dyldinfo: Pro.Core.CFFStruct, imports: Pro.MachO.ImportInfoList) -> None

Parses all import symbols from the dyld info load command.

Parameters
  • dyldinfo (CFFStruct) – The dyld info load command.

  • imports (ImportInfoList) – A list to store the import information.

See also DyldInfoLC() and ImportInfo.

ParseImports(offset: int, size: int, imports: Pro.MachO.ImportInfoList) -> None

Parses import symbols from the given offset and size.

Parameters
  • offset (int) – The file offset to start parsing.

  • size (int) – The size of the data to parse.

  • imports (ImportInfoList) – A list to store the import information.

See also ParseAllImports().

ProcessLoadCommands(decrypt: bool = True) -> bool

Processes all load commands in the Mach-O binary.

Parameters

decrypt (bool) – Whether to attempt decryption if the binary is encrypted.

Returns

Returns True if successful; otherwise, False.

Return type

bool

See also GetLC() and IsEncrypted().

ReadSLEB128(b_or_offset: Union[Pro.Core.NTBuffer, int], size: Optional[int] = None) -> int

Reads a signed LEB128 value from a buffer or file offset.

Parameters
  • b_or_offset (Union[NTBuffer, int]) – The buffer or file offset to read from.

  • size (Optional[int]) – The size of the buffer, if a buffer is provided.

Returns

The decoded signed integer.

Return type

int

See also ReadULEB128().

ReadULEB128(b_or_offset: Union[Pro.Core.NTBuffer, int], size: Optional[int] = None) -> int

Reads an unsigned LEB128 value from a buffer or file offset.

Parameters
  • b_or_offset (Union[NTBuffer, int]) – The buffer or file offset to read from.

  • size (Optional[int]) – The size of the buffer, if a buffer is provided.

Returns

The decoded unsigned integer.

Return type

int

See also ReadSLEB128().

SectionFromOffset(cmd: int, offset: int) -> Pro.Core.CFFStruct

Retrieves the section from a specific load command and offset.

Parameters
  • cmd (int) – The load command type.

  • offset (int) – The offset within the segment.

Returns

The section structure.

Return type

CFFStruct

See also GetLC() and SegmentSections().

Segment(index: int) -> Pro.Core.CFFStruct

Retrieves the segment at the specified index.

Parameters

index (int) – The index of the segment.

Returns

The segment structure.

Return type

CFFStruct

See also SegmentCount() and SegmentSections().

SegmentCount() -> int

Retrieves the number of segments in the Mach-O binary.

Returns

The number of segments.

Return type

int

See also Segment().

SegmentSections(seg: Pro.Core.CFFStruct) -> Pro.Core.CFFStruct

Retrieves the sections within a given segment.

Parameters

seg (CFFStruct) – The segment structure.

Returns

A structure containing the sections.

Return type

CFFStruct

See also Segment() and SectionFromOffset().

SymTableLC() -> Pro.Core.CFFStruct

Retrieves the symbol table load command.

Returns

The symbol table load command.

Return type

CFFStruct

See also LC_SYMTAB and SymbolNList().

SymbolNList(symtablc: Pro.Core.CFFStruct) -> Pro.Core.CFFStruct

Retrieves the nlist structures from the symbol table load command.

Parameters

symtablc (CFFStruct) – The symbol table load command.

Returns

A structure containing the nlist entries.

Return type

CFFStruct

See also SymTableLC() and BuildSymbolsValueHash().

WasEncrypted() -> bool

Checks if the Mach-O binary was encrypted and has been decrypted.

Returns

Returns True if the binary was encrypted; otherwise returns False.

Return type

bool

See also IsEncrypted().

REBASE_IMMEDIATE_MASK: Final[int]

Mask to extract the immediate value from a rebase opcode.

REBASE_OPCODE_ADD_ADDR_IMM_SCALED: Final[int]

Rebase opcode to add to the address an immediate value scaled by the pointer size.

REBASE_OPCODE_ADD_ADDR_ULEB: Final[int]

Rebase opcode to add an address from a ULEB128 value to the current address.

REBASE_OPCODE_DONE: Final[int]

Rebase opcode indicating the end of the rebase commands.

REBASE_OPCODE_DO_REBASE_ADD_ADDR_ULEB: Final[int]

Rebase opcode to perform rebase and then add an address from a ULEB128 value.

REBASE_OPCODE_DO_REBASE_IMM_TIMES: Final[int]

Rebase opcode to perform an immediate number of rebases.

REBASE_OPCODE_DO_REBASE_ULEB_TIMES: Final[int]

Rebase opcode to perform a ULEB128 number of rebases.

REBASE_OPCODE_DO_REBASE_ULEB_TIMES_SKIPPING_ULEB: Final[int]

Rebase opcode to perform a ULEB128 number of rebases, skipping a ULEB128 amount between each.

REBASE_OPCODE_MASK: Final[int]

Mask to extract the opcode from a rebase opcode byte.

REBASE_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB: Final[int]

Rebase opcode to set the segment and offset using a ULEB128 value.

REBASE_OPCODE_SET_TYPE_IMM: Final[int]

Rebase opcode to set the rebase type to an immediate value.

REBASE_TYPE_POINTER: Final[int]

Rebase type indicating a pointer relocation.

REBASE_TYPE_TEXT_ABSOLUTE32: Final[int]

Rebase type for an absolute 32-bit text relocation.

REBASE_TYPE_TEXT_PCREL32: Final[int]

Rebase type for a PC-relative 32-bit text relocation.
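
The REBASE_OPCODE_* constants above describe the opcode stream that DyldDisassembleRebase() prints, with operands stored as ULEB128 values of the kind ReadULEB128() decodes. The following added example (stand-alone Python, not Cerbero's code and not using Pro.MachO) walks such a stream defensively; the opcode values are those of Apple's `<mach-o/loader.h>`, while `seg_sizes`, `MAX_REBASES`, `RebaseError`, the function names and the sample stream are assumptions of this example.

```python
REBASE_OPCODE_MASK = 0xF0  # values as in Apple's <mach-o/loader.h>
REBASE_IMMEDIATE_MASK = 0x0F
REBASE_OPCODE_DONE = 0x00
REBASE_OPCODE_SET_TYPE_IMM = 0x10
REBASE_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB = 0x20
REBASE_OPCODE_ADD_ADDR_ULEB = 0x30
REBASE_OPCODE_ADD_ADDR_IMM_SCALED = 0x40
REBASE_OPCODE_DO_REBASE_IMM_TIMES = 0x50
REBASE_OPCODE_DO_REBASE_ULEB_TIMES = 0x60
REBASE_OPCODE_DO_REBASE_ADD_ADDR_ULEB = 0x70
REBASE_OPCODE_DO_REBASE_ULEB_TIMES_SKIPPING_ULEB = 0x80

MASK64 = (1 << 64) - 1
MAX_REBASES = 1 << 20  # assumption: sanity cap chosen for this example
SAMPLE_STREAM = bytes([0x11, 0x22, 0x10, 0x52, 0x41, 0x80, 0x02, 0x08, 0x00])  # constructed


class RebaseError(ValueError):
    """Raised when the opcode stream is malformed (hypothetical name)."""


def read_uleb128(data, pos):
    """Decode one ULEB128 starting at data[pos]; return (value, next_pos)."""
    result = shift = 0
    while True:
        if pos >= len(data):
            raise RebaseError("ULEB128 runs past the end of the stream")
        if shift >= 64:
            raise RebaseError("ULEB128 is wider than 64 bits")
        byte = data[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:  # high bit clear: last byte of the value
            return result & MASK64, pos


def rebase_targets(data, seg_sizes, ptr_size=8):
    """Return [(type, segment_index, segment_offset)]; seg_sizes[i] bounds segment i."""
    out = []
    rtype, seg, off, pos = 0, None, 0, 0

    def emit(count, skip):
        nonlocal off
        if len(out) + count > MAX_REBASES:  # reject before looping on a huge count
            raise RebaseError("rebase count exceeds the sanity cap")
        for _ in range(count):
            if seg is None or seg >= len(seg_sizes):
                raise RebaseError("rebase without a valid segment")
            if off + ptr_size > seg_sizes[seg]:
                raise RebaseError("rebase target outside its segment")
            out.append((rtype, seg, off))
            off = (off + ptr_size + skip) & MASK64

    while pos < len(data):
        op, imm = data[pos] & REBASE_OPCODE_MASK, data[pos] & REBASE_IMMEDIATE_MASK
        pos += 1
        if op == REBASE_OPCODE_DONE:
            break
        elif op == REBASE_OPCODE_SET_TYPE_IMM:
            rtype = imm
        elif op == REBASE_OPCODE_SET_SEGMENT_AND_OFFSET_ULEB:
            seg = imm
            off, pos = read_uleb128(data, pos)
        elif op == REBASE_OPCODE_ADD_ADDR_ULEB:
            delta, pos = read_uleb128(data, pos)
            off = (off + delta) & MASK64  # 64-bit wraparound permits backward moves
        elif op == REBASE_OPCODE_ADD_ADDR_IMM_SCALED:
            off = (off + imm * ptr_size) & MASK64
        elif op == REBASE_OPCODE_DO_REBASE_IMM_TIMES:
            emit(imm, 0)
        elif op == REBASE_OPCODE_DO_REBASE_ULEB_TIMES:
            count, pos = read_uleb128(data, pos)
            emit(count, 0)
        elif op == REBASE_OPCODE_DO_REBASE_ADD_ADDR_ULEB:
            delta, pos = read_uleb128(data, pos)
            emit(1, delta)
        elif op == REBASE_OPCODE_DO_REBASE_ULEB_TIMES_SKIPPING_ULEB:
            count, pos = read_uleb128(data, pos)
            skip, pos = read_uleb128(data, pos)
            emit(count, skip)
        else:
            raise RebaseError("unknown rebase opcode 0x%02x" % op)
    return out
```

The three rejections (truncated ULEB128, target outside its segment, oversized repeat count) are the checks that keep a crafted rebase stream from driving a parser out of bounds or into an effectively endless loop.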

SECTION_ATTRIBUTES: Final[int]

Mask to extract section attributes.

SECTION_ATTRIBUTES_SYS: Final[int]

Mask for system section attributes.

SECTION_ATTRIBUTES_USR: Final[int]

Mask for user section attributes.

SECTION_TYPE: Final[int]

Mask to extract the section type.

SG_FVMLIB: Final[int]

Segment flag indicating that the segment is for a fixed VM shared library.

SG_HIGHVM: Final[int]

Segment flag indicating that the segment uses high virtual memory addresses.

SG_NORELOC: Final[int]

Segment flag indicating that the segment has no relocation entries.

SG_PROTECTED_VERSION_1: Final[int]

Segment flag indicating that the segment is protected version 1.

S_16BYTE_LITERALS: Final[int]

Section type for 16-byte literals.

S_4BYTE_LITERALS: Final[int]

Section type for 4-byte literals.

S_8BYTE_LITERALS: Final[int]

Section type for 8-byte literals.

S_ATTR_DEBUG: Final[int]

Section attribute indicating a debug section.

S_ATTR_EXT_RELOC: Final[int]

Section attribute indicating external relocation entries.

S_ATTR_LIVE_SUPPORT: Final[int]

Section attribute indicating live support.

S_ATTR_LOC_RELOC: Final[int]

Section attribute indicating local relocation entries.

S_ATTR_NO_DEAD_STRIP: Final[int]

Section attribute indicating that the section should not be dead stripped.

S_ATTR_NO_TOC: Final[int]

Section attribute indicating that the section contains code not safe for position independence.

S_ATTR_PURE_INSTRUCTIONS: Final[int]

Section attribute indicating pure instructions.

S_ATTR_SELF_MODIFYING_CODE: Final[int]

Section attribute indicating self-modifying code.

S_ATTR_SOME_INSTRUCTIONS: Final[int]

Section attribute indicating that the section contains some machine instructions.

S_ATTR_STRIP_STATIC_SYMS: Final[int]

Section attribute indicating that static symbols in this section should be stripped.

S_COALESCED: Final[int]

Section type for coalesced symbols.

S_CSTRING_LITERALS: Final[int]

Section type for literal C strings.

S_DTRACE_DOF: Final[int]

Section type for DTrace Object Format.

S_GB_ZEROFILL: Final[int]

Section type for gigabyte zero-fill.

S_INTERPOSING: Final[int]

Section type for interposing symbols.

S_LAZY_DYLIB_SYMBOL_POINTERS: Final[int]

Section type for lazy dynamic library symbol pointers.

S_LAZY_SYMBOL_POINTERS: Final[int]

Section type for lazy symbol pointers.

S_LITERAL_POINTERS: Final[int]

Section type for literal pointers.

S_MOD_INIT_FUNC_POINTERS: Final[int]

Section type for module initialization function pointers.

S_MOD_TERM_FUNC_POINTERS: Final[int]

Section type for module termination function pointers.

S_NON_LAZY_SYMBOL_POINTERS: Final[int]

Section type for non-lazy symbol pointers.

S_REGULAR: Final[int]

Regular section type.

S_SYMBOL_STUBS: Final[int]

Section type for symbol stubs.

S_THREAD_LOCAL_INIT_FUNCTION_POINTERS: Final[int]

Section type for thread-local initialization function pointers.

S_THREAD_LOCAL_REGULAR: Final[int]

Section type for thread-local regular variables.

S_THREAD_LOCAL_VARIABLES: Final[int]

Section type for thread-local variables.

S_THREAD_LOCAL_VARIABLE_POINTERS: Final[int]

Section type for pointers to thread-local variables.

S_THREAD_LOCAL_ZEROFILL: Final[int]

Section type for thread-local zero-fill variables.

S_ZEROFILL: Final[int]

Section type for zero-fill on demand.