Some notes on Mach-O files
Header structure description
If the file contains only one architecture, there is no fat header: the mach_header sits directly at the start of the file where the fat header would otherwise be.
Load command structure description
struct segment_command {       /* for 32-bit architectures */
    uint32_t  cmd;             /* LC_SEGMENT */
    uint32_t  cmdsize;         /* includes sizeof section structs */
    char      segname[16];     /* segment name */
    uint32_t  vmaddr;          /* memory address of this segment */
    uint32_t  vmsize;          /* memory size of this segment */
    uint32_t  fileoff;         /* file offset of this segment */
    uint32_t  filesize;        /* amount to map from the file */
    vm_prot_t maxprot;         /* maximum VM protection */
    vm_prot_t initprot;        /* initial VM protection */
    uint32_t  nsects;          /* number of sections in segment */
    uint32_t  flags;           /* flags */
};

#define SEG_PAGEZERO "__PAGEZERO"
#define SEG_TEXT     "__TEXT"      /* the traditional UNIX text segment */
#define SEG_DATA     "__DATA"      /* the traditional UNIX data segment */
__TEXT segment load description
__DATA segment load description
From the __TEXT segment's load description, the file offset of the __DATA segment contents is obtained as follows:
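As an added worked example (not code from the original post), here is a small Python parser for the structures described above: it handles both cases from the text, a fat header followed by per-architecture slices and a single-architecture file that begins directly with mach_header, walks the load commands and collects each LC_SEGMENT_64 (the 64-bit counterpart of the segment_command shown above). The sample image is constructed inline; its __TEXT/__DATA values follow the size listing later in the post, and the helper name _seg is this example's own.

```python
import struct

# Constants from <mach-o/loader.h> and <mach-o/fat.h>
MH_MAGIC_64 = 0xfeedfacf      # 64-bit mach_header, little-endian on arm64
FAT_MAGIC = 0xcafebabe        # fat_header / fat_arch are always big-endian
LC_SEGMENT_64 = 0x19
CPU_TYPE_ARM64 = 0x0100000c

def parse_segments(data, base=0):
    """Walk the load commands of one thin 64-bit image starting at data[base]
    and return (cputype, list of LC_SEGMENT_64 entries)."""
    magic, cputype, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", data, base)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O image: magic 0x%x" % magic)
    segs, off = [], base + 32                # sizeof(mach_header_64) == 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            f = struct.unpack_from("<16sQQQQiiII", data, off + 8)
            segs.append({"segname": f[0].rstrip(b"\0").decode(), "vmaddr": f[1],
                         "vmsize": f[2], "fileoff": f[3], "filesize": f[4],
                         "initprot": f[6], "nsects": f[7]})
        off += cmdsize                       # cmdsize also covers the section structs
    return cputype, segs

def parse_macho(data):
    """Fat file: fat_header + fat_arch[] precede the per-architecture slices.
    Single architecture: the file begins directly with mach_header."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        cputype, segs = parse_segments(data)
        return {cputype: segs}
    nfat_arch = struct.unpack_from(">I", data, 4)[0]
    slices = {}
    for i in range(nfat_arch):
        cputype, _, offset, _, _ = struct.unpack_from(">5I", data, 8 + 20 * i)
        slices[cputype] = parse_segments(data, offset)[1]
    return slices

# Constructed sample image; __TEXT/__DATA values follow the size(1) listing in the post.
def _seg(name, vmaddr, vmsize, fileoff, filesize, prot):
    return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, name,
                       vmaddr, vmsize, fileoff, filesize, prot, prot, 0, 0)
CMDS = (_seg(b"__PAGEZERO", 0, 0x100000000, 0, 0, 0)
        + _seg(b"__TEXT", 0x100000000, 0x1c000, 0, 0x1c000, 5)       # r-x
        + _seg(b"__DATA", 0x10001c000, 0xc000, 0x1c000, 0xc000, 3))  # rw-
THIN = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, 2, 3, len(CMDS), 0, 0) + CMDS
# The same slice wrapped in a one-entry fat header, placed at a 4 KiB-aligned offset.
FAT = (struct.pack(">II", FAT_MAGIC, 1)
       + struct.pack(">5I", CPU_TYPE_ARM64, 0, 0x1000, len(THIN), 12)).ljust(0x1000, b"\0") + THIN
```

Note that __DATA's fileoff equals __TEXT's fileoff plus filesize, which is the relation the figure above illustrates.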
ASLR: address space layout randomization
image list -o -f
The output is as follows:
(lldb) image list -o -f
[ 0] 0x0000000000558000 /Users/zhoufei/Library/Developer/Xcode/DerivedData/SorterAndFilter-gcqrjckyrquurscwtbwpiaeebgzj/Build/Products/Release-iphoneos/SorterAndFilter.app/SorterAndFilter
[ 1] 0x0000000100800000 /Users/zhoufei/Library/Developer/Xcode/iOS DeviceSupport/11.4 (15F79)/Symbols/usr/lib/dyld
[ 2] 0x0000000001190000 /Users/zhoufei/Library/Developer/Xcode/iOS DeviceSupport/11.4 (15F79)/Symbols/System/Library/Frameworks/Foundation.framework/Foundation
[ 3] 0x0000000001190000 /Users/zhoufei/Library/Developer/Xcode/iOS DeviceSupport/11.4 (15F79)/Symbols/System/Library/Frameworks/UIKit.framework/UIKit
[ 4] 0x0000000001190000 /Users/zhoufei/Library/Developer/Xcode/iOS DeviceSupport/11.4 (15F79)/Symbols/usr/lib/libobjc.A.dylib
[ 5] 0x0000000001190000 /Users/zhoufei/Library/Developer/Xcode/iOS DeviceSupport/11.4 (15F79)/Symbols/usr/lib/libSystem.B.dylib
[ 6] 0x0000000001190000 /Users/zhoufei/Library/Developer/Xcode/iOS DeviceSupport/11.4 (15F79)/Symbols/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation
[ 7] 0x0000000001190000 /Users/zhoufei/Library/Developer/Xcode/iOS DeviceSupport/11.4 (15F79)/Symbols/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics
[ 8] 0x0000000001190000 /Users/zhoufei/Library/Developer/Xcode/iOS DeviceSupport/11.4 (15F79)/Symbols/System/Library/Frameworks/QuartzCore.framework/QuartzCore
[ 9] 0x0000000001190000 /Users/zhoufei/Library/Developer/Xcode/iOS DeviceSupport/11.4 (15F79)/Symbols/usr/lib/libarchive.2.dylib
Entry 0, 0x0000000000558000, is the ASLR value (the slide) we are looking for.
From the log output, take the path of the app's Mach-O file:
[ 0] 0x0000000000558000 /Users/zhoufei/Library/Developer/Xcode/DerivedData/SorterAndFilter-gcqrjckyrquurscwtbwpiaeebgzj/Build/Products/Release-iphoneos/SorterAndFilter.app/SorterAndFilter
The offset printed next to it, 0x0000000000558000, is the ASLR (address space layout randomization) value the system adds automatically when it loads the Mach-O file from disk into memory.
1. cd /Users/zhoufei/Library/Developer/Xcode/DerivedData/SorterAndFilter-gcqrjckyrquurscwtbwpiaeebgzj/Build/Products/Release-iphoneos/SorterAndFilter.app/
2. size -l -m -x SorterAndFilter
The output is as follows:
SorterAndFilter (for architecture arm64):
Segment __PAGEZERO: 0x100000000 (vmaddr 0x0 fileoff 0)
Segment __TEXT: 0x1c000 (vmaddr 0x100000000 fileoff 0)
    Section __text: 0xfde0 (addr 0x100005740 offset 22336)
    Section __stubs: 0x1bc (addr 0x100015520 offset 87328)
    Section __stub_helper: 0x1d4 (addr 0x1000156dc offset 87772)
    Section __const: 0x64 (addr 0x1000158b0 offset 88240)
    Section __objc_methname: 0x36b4 (addr 0x100015914 offset 88340)
    Section __ustring: 0x134 (addr 0x100018fc8 offset 102344)
    Section __cstring: 0xd06 (addr 0x1000190fc offset 102652)
    Section __objc_classname: 0x28c (addr 0x100019e02 offset 105986)
    Section __objc_methtype: 0x19f2 (addr 0x10001a08e offset 106638)
    Section __gcc_except_tab: 0xd8 (addr 0x10001ba80 offset 113280)
    Section __unwind_info: 0x4a4 (addr 0x10001bb58 offset 113496)
    total 0x168bc
Segment __DATA: 0xc000 (vmaddr 0x10001c000 fileoff 114688)
    Section __got: 0x60 (addr 0x10001c000 offset 114688)
    Section __la_symbol_ptr: 0x128 (addr 0x10001c060 offset 114784)
    Section __const: 0x9f0 (addr 0x10001c188 offset 115080)
    Section __cfstring: 0x9a0 (addr 0x10001cb78 offset 117624)
    Section __objc_classlist: 0x90 (addr 0x10001d518 offset 120088)
    Section __objc_catlist: 0x28 (addr 0x10001d5a8 offset 120232)
    Section __objc_protolist: 0x58 (addr 0x10001d5d0 offset 120272)
    Section __objc_imageinfo: 0x8 (addr 0x10001d628 offset 120360)
    Section __objc_const: 0x55d8 (addr 0x10001d630 offset 120368)
    Section __objc_selrefs: 0x9c0 (addr 0x100022c08 offset 142344)
    Section __objc_classrefs: 0x138 (addr 0x1000235c8 offset 144840)
    Section __objc_superrefs: 0x68 (addr 0x100023700 offset 145152)
    Section __objc_ivar: 0xd0 (addr 0x100023768 offset 145256)
    Section __objc_data: 0x5a0 (addr 0x100023838 offset 145464)
    Section __data: 0x430 (addr 0x100023dd8 offset 146904)
    Section __bss: 0x48 (addr 0x100024208 offset 0)
    total 0x8250
Segment __LINKEDIT: 0x24000 (vmaddr 0x100028000 fileoff 163840)
total 0x10004c000
The total size of the Mach-O file SorterAndFilter in virtual memory is total 0x10004c000.
2020-01-12 16:47:32.388332+0800 SorterAndFilter[1717:366886] 全局变量:0x10057bf58, 局部变量:0x16f8a57fc, 局部变量—对象指针:0x16f8a57f0, 堆空间-对象地址:0x100aace30
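As an added example, not part of the original post: the following Python parses the size -l -m -x listing above (a subset is embedded inline as a constructed sample) and, given the slide 0x0000000000558000 from image list -o -f, subtracts it from a runtime pointer to find which section the pointer belongs to. It assumes the log line and the lldb slide come from the same process launch; pointers outside the image (the stack local and the heap object from the log line) come back as None.

```python
import re

# Subset of the `size -l -m -x` listing from the post (constructed sample for this example)
SIZE_OUTPUT = """\
Segment __PAGEZERO: 0x100000000 (vmaddr 0x0 fileoff 0)
Segment __TEXT: 0x1c000 (vmaddr 0x100000000 fileoff 0)
    Section __text: 0xfde0 (addr 0x100005740 offset 22336)
Segment __DATA: 0xc000 (vmaddr 0x10001c000 fileoff 114688)
    Section __objc_data: 0x5a0 (addr 0x100023838 offset 145464)
    Section __data: 0x430 (addr 0x100023dd8 offset 146904)
    Section __bss: 0x48 (addr 0x100024208 offset 0)
Segment __LINKEDIT: 0x24000 (vmaddr 0x100028000 fileoff 163840)
"""
SLIDE = 0x0000000000558000    # entry [ 0] of `image list -o -f` in the post

SEG_RE = re.compile(r"Segment (\S+): (0x[0-9a-f]+) \(vmaddr (0x[0-9a-f]+) fileoff \d+\)")
SEC_RE = re.compile(r"Section (\S+): (0x[0-9a-f]+) \(addr (0x[0-9a-f]+) offset \d+\)")

def parse_size_output(text):
    """Return [(segname, secname or None, start, end)] in link-time (unslid) addresses."""
    table, seg = [], None
    for line in text.splitlines():
        m = SEG_RE.search(line)
        if m:
            seg, start = m.group(1), int(m.group(3), 16)
            table.append((seg, None, start, start + int(m.group(2), 16)))
            continue
        m = SEC_RE.search(line)
        if m:
            start = int(m.group(3), 16)
            table.append((seg, m.group(1), start, start + int(m.group(2), 16)))
    return table

def locate(runtime_addr, slide, table):
    """Subtract the ASLR slide and return (segname, secname, unslid_addr) for the
    innermost section (or bare segment) containing it; None if the address is not
    inside this image at all (stack, heap, other dylibs)."""
    unslid = runtime_addr - slide
    best = None
    for seg, sec, start, end in table:
        if start <= unslid < end and (best is None or sec is not None):
            best = (seg, sec, unslid)
    return best

if __name__ == "__main__":
    table = parse_size_output(SIZE_OUTPUT)
    # The three pointers printed by the log line in the post.
    for label, addr in [("global", 0x10057bf58), ("stack local", 0x16f8a57fc),
                        ("heap object", 0x100aace30)]:
        print("%-12s %#x -> %s" % (label, addr, locate(addr, SLIDE, table)))
```

With the slide removed, the global variable at 0x10057bf58 maps to 0x100023f58, inside the __DATA,__data section of the listing.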
Virtual memory address of the dynamic linker dyld
[ 1] 0x0000000100800000 /Users/zhoufei/Library/Developer/Xcode/iOS DeviceSupport/11.4 (15F79)/Symbols/usr/lib/dyld
Memory layout of all the images used by the Mach-O file SorterAndFilter (each image is itself a Mach-O file); the layout in virtual memory is as follows:
List the architectures contained in a universal (fat) binary:
lipo -info test
Thin a universal binary down to a thin binary containing only the given architecture (armv7):
lipo test -thin armv7 -output test_armv7
Merge two thin binaries into one universal binary:
lipo -create test_armv7 test_arm64 -output test2
image list -o -f
class-dump -H test -o Headers
MachOView: GUI tool for inspecting Mach-O files