Structs#

MachO Structs#

fat_header#

Represents the first 8 bytes of a MachO File

Field

Size

Description

magic

4

File magic. For a fat file, will always be 0xCAFEBABE

nfat_archs

4

Number of fat_archs in the file

fat_arch#

At the beginning of a MachO File, after the header, several fat_arch structs are located, containing information about the slices within the file.

Field

Size

Description

cputype

4

CPUType Item

cpusubtype

4

CPU Subtype Item

offset

4

Offset in file of the slice

size

4

Size in bytes of the slice

align

4

Address alignment of struct, as a power of 2 (2^align).

Dyld Structs#

dyld_header#

First 32 bytes of a Slice/Thin MachO File

Field

Size

Description

magic

4

File magic (0xFEEDFACE/0xFEEDFACF)

cputype

4

CPU Type

cpusubtype

4

CPU Subtype

filetype

4

?

loadcnt

4

Number of load commands

loadsize

4

Size of load commands

flags

4

?

void

4

?

Load commands#

dylib_command#

Command that represents a dylib

Field

Size

Description

cmd

4

Load command

cmdsize

4

Size of load command (including string in dylib struct)

dylib

4

CPU Subtype

filetype

4

?

dylib#

Struct representing a dylib

Field

Size

Description

name

4

lc_str Offset of the load command string from the beginning of the dylib_command struct

timestamp

4

?

current_version

4

?

compatibility_version

4

?

dylinker_command#

Name of the dynamic linker (/bin/dyld)

Field

Size

Description

cmd

4

Load Command

cmdsize

4

Size of Load Command

name

4

lc_str name of Linker (This will usually just be dyld)

entry_point_command#

Command indicating the entry point of the binary

Field

Size

Description

cmd

4

Load Command

cmdsize

4

Size of load command

entryoff

8

Offset of the entry point in the file

stacksize

8

?

rpath_command#

Specifies the runtime search path (think iOS Apps, with ./Frameworks directories)

Field

Size

Description

cmd

4

Load Command

cmdsize

4

Size of load command

path

4

lc_str Offset of the rpath string from the beginning of the load command

dyld_info_command#

Contains the offsets of several dyld-related tables

Field

Size

Description

cmd

4

Load command

cmdsize

4

Size of load command

rebase_off

4

Offset of rebase commands

rebase_size

4

Size of rebase commands

bind_off

4

Offset of Binding commands

bind_size

4

Size of Binding commands

weak_bind_off

4

Offset of weak binding commands

weak_bind_size

4

Size of weak binding commands

lazy_bind_off

4

Offset of lazy binding commands

lazy_bind_size

4

Size of lazy binding commands

export_off

4

Export table offset

export_size

4

Export table size

symtab_command#

Holds offsets of the symbol table and the string table it uses.

Field

Size

Description

cmd

4

Load Command

cmdsize

4

Size of load command

symoff

4

Offset of Symbol Table

nsyms

4

Number of entries in the symbol table

stroff

4

Offset of String Table

strsize

4

Size of String Table

dysymtab_command#

TODO

Field

Size

Description

cmd

4

Load Command

cmdsize

4

Size of Load Command

ilocalsym

4

?

nlocalsym

4

?

iextdefsym

4

?

nextdefsym

4

?

tocoff

4

?

ntoc

4

?

modtaboff

4

?

nmodtab

4

?

extrefsymoff

4

?

nextrefsyms

4

?

indirectsymoff

4

Offset of indirect symbol table

nindirectsyms

4

Number of indirect symbols in table

extreloff

4

?

nextrel

4

?

locreloff

4

?

nlocrel

4

?

uuid_command#

Contains the UUID of the library

Field

Size

Description

cmd

4

Load Command

cmdsize

4

Size of load command

uuid

16

UUID of the Library

build_version_command#

Contains build version and versions of tools used to compile this library/bin

Field

Size

Description

cmd

4

Load Command

cmdsize

4

Size of load command

platform

4

(Enum) platform the library was compiled for

minos

4

Hex XX YY ZZZZ Version of the OS (xx.yy.zzzz)

sdk

4

Hex XX YY ZZZZ Version of the SDK used to compile

ntools

4

Number of tool commands following this command

source_version_command#

Field

Size

Description

cmd

4

Load command

cmdsize

4

Size of load command

version

8

?

sub_client_command#

Libraries can specify subclients indicating which binaries are allowed to link to this library

A process not within this group will be killed if it tries to link this library

Field

Size

Description

cmd

4

Load Command

cmdsize

4

Size of load command

offset

4

lc_str Offset of Name of subclient from beginning of load command

linkedit_data_command#

Field

Size

Description

cmd

4

Load Command

cmdsize

4

Size of load command

dataoff

4

Offset of LINKEDIT data

datasize

4

Size of LINKEDIT data

segment_command_64#

Represents a segment in the mach-o file

Field

Size

Description

cmd

4

Load Command

cmdsize

4

Size of load command including following segment_64 commands

segname

16

Null-byte terminated string within the struct, containing the name of the segment

vmaddr

8

Address in the virtual memory mapping of the segment

vmsize

8

Size of the segment in the Virtual Memory map

fileoff

8

Offset of the segment in the on-disk file

filesize

8

Size of the segment in the on-disk file

maxprot

4

?

initprot

4

?

nsects

4

Number of section_64 commands within this command

flags

4

?

section_64#

Represents a section in the segment

Field

Size

Description

sectname

16

null-terminated C string Name of the section

segname

16

null-terminated C string Name of the containing segment

addr

8

VM Address of the section

size

8

VM Size of the section

offset

4

File address of the section

align

4

?

reloff

4

?

nreloc

4

?

flags

4

?

reserved1

4

?

reserved2

4

?

reserved3

4

?