To those interested in working with Mach-o files on Windows

Used for discussing the various tools in the book as well as encouraging members to share tools


Postby backendbilly » Fri Feb 10, 2017 4:18 am

If you happen to have a case for working on Mach-O binaries in Windows, then this is for you; otherwise, stick to jtool on macOS or Linux. I personally use all known operating systems for different purposes. With the following, you'll be able to have a Mach-O viewer on Windows much like MachOView or jtool on macOS that lets you view entitlements, load commands, imports, dynamic libraries, symbols, and much more. Works with fat and thin binaries.

First, pip install macholibre. This tool is from -> https://github.com/aaronst/macholibre

macholibre will output results in JSON format. So we need another tool to work with JSON objects to be able to query the output such as viewing only entitlements or dynamic libraries.

Second, get a command line JSON processor from https://stedolan.github.io/jq/

Now you're able to mix the two tools. To get only the entitlements from a binary, run the following command:

Code:
$ macholibre wifid -o file.json && cat file.json | jq-win64.exe '.macho.signature.entitlements'
[
  {
    "plist": {
      "com.apple.private.ids.messaging": [
        "com.apple.private.alloy.wifi.networksync"
      ],
      "com.apple.SystemConfiguration.SCPreferences-write-access": [
        "com.apple.wifi.plist",
        "preferences.plist"
      ],
      "com.apple.managedconfiguration.profiled-access": true,
      "com.apple.SystemConfiguration.SCDynamicStore-write-access": true,
      "com.apple.coreduetd.allow": true,
      "com.apple.symptom_analytics.refresh": true,
      "com.apple.wifi.manager-access": true,
      "com.apple.nano.nanoregistry.pairunpairobliterate": true,
      "com.apple.networkd_privileged": true,
      "com.apple.private.ubiquity-kvstore-access": [
        "com.apple.wifid"
      ],
      "keychain-access-groups": [
        "apple",
        "com.apple.identities",
        "com.apple.certificates"
      ],
      "com.apple.private.system-keychain": true,
      "com.apple.private.assets.accessible-asset-types": [
        "com.apple.MobileAsset.WiFi"
      ],
      "com.apple.symptom_analytics.query": true,
      "com.apple.MobileInternetSharing.allow": true,
      "com.apple.private.carkit": true,
      "com.apple.wlan.authentication": true,
      "keychain-cloud-circle": true,
      "com.apple.certui.greentea": true,
      "com.apple.locationd.effective_bundle": true,
      "com.apple.wifivelocity": true,
      "com.apple.CommCenter.fine-grained": [
        "identity",
        "spi"
      ]
    },
    "size": 1867
  }
]


macholibre does not seem to handle pipes appropriately (BROKEN PIPE), hence the reason for using two commands. Not as efficient as jtool, but hey, this is what you get for working on Windows.

Better yet, if you're familiar with Notepad++, you can install the JSTool plugin, which has a JSON viewer. You can then view the entire Mach-O header from macholibre's JSON output in a GUI-like fashion similar to MachOView.

[Image: json_viewer_macho.png - Mach-o header in JSON format]
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm
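As an added example (not code from macholibre, jtool or the post above), here is a small pure-Python parser for the same structures the viewer exposes: it tells a fat container from a thin 64-bit Mach-O, walks the load commands of every architecture slice, and pulls the library path out of each LC_LOAD_DYLIB, refusing any command whose size points outside the file. The constants and struct layouts are the standard Mach-O ones; the input is a constructed fat file built by build_sample, not a real binary.

```python
import struct

FAT_MAGIC, MH_MAGIC_64 = 0xCAFEBABE, 0xFEEDFACF      # big-endian fat magic, 64-bit thin magic
LC_SEGMENT_64, LC_LOAD_DYLIB = 0x19, 0x0C
CPU_TYPE_X86_64 = 0x01000007

def parse_thin(data, base=0):
    """Parse the 64-bit Mach-O header at data[base:] and return its load commands."""
    magic, cputype, _, filetype, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, base)
    if magic != MH_MAGIC_64:
        raise ValueError("no 64-bit Mach-O header at offset %d" % base)
    cmds, off, end = [], base + 32, base + 32 + sizeofcmds
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > min(end, len(data)):
            raise ValueError("cmdsize %d at offset %d runs past sizeofcmds or the file" % (cmdsize, off))
        entry = {"cmd": cmd, "size": cmdsize}
        if cmd == LC_LOAD_DYLIB:
            name_off = struct.unpack_from("<I", data, off + 8)[0]   # dylib.name is an lc_str offset
            if name_off >= cmdsize:
                raise ValueError("dylib name offset outside its load command")
            raw = data[off + name_off:off + cmdsize]
            entry["name"] = raw.split(b"\0", 1)[0].decode("utf-8", "replace")
        cmds.append(entry)
        off += cmdsize
    return {"cputype": cputype, "filetype": filetype, "commands": cmds}

def parse_macho(data):
    """Return one parsed header per architecture slice; works for fat and thin files."""
    if struct.unpack_from(">I", data, 0)[0] != FAT_MAGIC:
        return [parse_thin(data)]
    nfat = struct.unpack_from(">I", data, 4)[0]
    slices = []
    for i in range(nfat):
        _, _, offset, size, _ = struct.unpack_from(">5I", data, 8 + 20 * i)   # fat_arch is big-endian
        if offset + size > len(data):
            raise ValueError("fat_arch %d points outside the file" % i)
        slices.append(parse_thin(data, offset))
    return slices

def build_sample():
    """Constructed sample input: a fat file holding one x86_64 slice with a __TEXT segment and one dylib."""
    name = b"/usr/lib/libSystem.B.dylib\0"
    name += b"\0" * (-len(name) % 8)                      # lc_str is padded to a multiple of 8
    dylib = struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x10000, 0x10000) + name
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, b"__TEXT", 0x100000000, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    thin = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_X86_64, 3, 2, 2, len(seg) + len(dylib), 0, 0) + seg + dylib
    fat = struct.pack(">2I", FAT_MAGIC, 1) + struct.pack(">5I", CPU_TYPE_X86_64, 3, 4096, len(thin), 12)
    return fat + b"\0" * (4096 - len(fat)) + thin
```

Running parse_macho over build_sample() yields one x86_64 slice with an LC_SEGMENT_64 followed by an LC_LOAD_DYLIB naming /usr/lib/libSystem.B.dylib; feeding it the bytes from offset 4096 onward parses the same slice as a thin file.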
