Cleanups! Move mac specific includes to a single file.
gdbinit committed Aug 2, 2012
1 parent 0167663 commit daa289e
Showing 7 changed files with 129 additions and 229 deletions.
10 changes: 5 additions & 5 deletions ExtractMachO.xcodeproj/project.pbxproj
@@ -7,26 +7,26 @@
objects = {

/* Begin PBXBuildFile section */
DE4880D614615B0000C469F0 /* mymacros.h in Headers */ = {isa = PBXBuildFile; fileRef = DE4880D514615B0000C469F0 /* mymacros.h */; };
DE51F12C15C9358A004959FA /* validate.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DE51F12A15C9358A004959FA /* validate.cpp */; };
DE51F12D15C9358A004959FA /* validate.h in Headers */ = {isa = PBXBuildFile; fileRef = DE51F12B15C9358A004959FA /* validate.h */; };
DE51F12F15C9854E004959FA /* uthash.h in Headers */ = {isa = PBXBuildFile; fileRef = DE51F12E15C9854E004959FA /* uthash.h */; };
DE51F13215CA7B80004959FA /* extractors.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DE51F13015CA7B7F004959FA /* extractors.cpp */; };
DE51F13315CA7B80004959FA /* extractors.h in Headers */ = {isa = PBXBuildFile; fileRef = DE51F13115CA7B7F004959FA /* extractors.h */; };
DE51F13515CA7D3E004959FA /* mac_includes.h in Headers */ = {isa = PBXBuildFile; fileRef = DE51F13415CA7D3E004959FA /* mac_includes.h */; };
DEC1F263145ECE0F009A8407 /* extractmacho.h in Headers */ = {isa = PBXBuildFile; fileRef = DEC1F261145ECE0F009A8407 /* extractmacho.h */; };
DEC1F264145ECE0F009A8407 /* extractmacho.cpp in Sources */ = {isa = PBXBuildFile; fileRef = DEC1F262145ECE0F009A8407 /* extractmacho.cpp */; };
DEC1F266145ECEDD009A8407 /* loader.h in Headers */ = {isa = PBXBuildFile; fileRef = DEC1F265145ECEDD009A8407 /* loader.h */; };
/* End PBXBuildFile section */

/* Begin PBXFileReference section */
D2AAC0630554660B00DB518D /* extractmacho.pmc */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = extractmacho.pmc; sourceTree = BUILT_PRODUCTS_DIR; };
DE4880D514615B0000C469F0 /* mymacros.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = mymacros.h; sourceTree = "<group>"; };
DE4883FB1462396A00C469F0 /* README */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text; path = README; sourceTree = "<group>"; };
DE51F12A15C9358A004959FA /* validate.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = validate.cpp; sourceTree = "<group>"; };
DE51F12B15C9358A004959FA /* validate.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = validate.h; sourceTree = "<group>"; };
DE51F12E15C9854E004959FA /* uthash.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = uthash.h; sourceTree = "<group>"; };
DE51F13015CA7B7F004959FA /* extractors.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = extractors.cpp; sourceTree = "<group>"; };
DE51F13115CA7B7F004959FA /* extractors.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = extractors.h; sourceTree = "<group>"; };
DE51F13415CA7D3E004959FA /* mac_includes.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = mac_includes.h; sourceTree = "<group>"; };
DEC1F261145ECE0F009A8407 /* extractmacho.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = extractmacho.h; sourceTree = "<group>"; };
DEC1F262145ECE0F009A8407 /* extractmacho.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = extractmacho.cpp; sourceTree = "<group>"; };
DEC1F265145ECEDD009A8407 /* loader.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = loader.h; sourceTree = "<group>"; };
@@ -55,14 +55,14 @@
08FB7795FE84155DC02AAC07 /* Source */ = {
isa = PBXGroup;
children = (
DEC1F261145ECE0F009A8407 /* extractmacho.h */,
DEC1F262145ECE0F009A8407 /* extractmacho.cpp */,
DEC1F261145ECE0F009A8407 /* extractmacho.h */,
DE51F13015CA7B7F004959FA /* extractors.cpp */,
DE51F13115CA7B7F004959FA /* extractors.h */,
DE51F12A15C9358A004959FA /* validate.cpp */,
DE51F12B15C9358A004959FA /* validate.h */,
DE51F13415CA7D3E004959FA /* mac_includes.h */,
DEC1F265145ECEDD009A8407 /* loader.h */,
DE4880D514615B0000C469F0 /* mymacros.h */,
DE51F12E15C9854E004959FA /* uthash.h */,
DE4883FB1462396A00C469F0 /* README */,
);
@@ -86,10 +86,10 @@
files = (
DEC1F263145ECE0F009A8407 /* extractmacho.h in Headers */,
DEC1F266145ECEDD009A8407 /* loader.h in Headers */,
DE4880D614615B0000C469F0 /* mymacros.h in Headers */,
DE51F12D15C9358A004959FA /* validate.h in Headers */,
DE51F12F15C9854E004959FA /* uthash.h in Headers */,
DE51F13315CA7B80004959FA /* extractors.h in Headers */,
DE51F13515CA7D3E004959FA /* mac_includes.h in Headers */,
);
runOnlyForDeploymentPostprocessing = 0;
};
89 changes: 45 additions & 44 deletions extractmacho.cpp
@@ -42,9 +42,6 @@

//#define DEBUG 0

uint8_t extract_macho(ea_t address, char *outputFilename);
uint8_t extract_mhobject(ea_t address, char *outputFilename);
uint8_t extract_fat(ea_t address, char *outputFilename);
uint8_t extract_binary(ea_t address, char *outputFilename);
void add_to_fat_list(ea_t address);
void add_to_hits_list(ea_t address, uint8_t type, uint8_t extracted);
@@ -200,10 +197,55 @@ void IDAP_run(int arg)
return;
}

/*
* entry function to validate and extract fat and non-fat binaries
*/
uint8_t
extract_binary(ea_t address, char *outputFilename)
{
uint8_t retValue = 0;
uint32 magicValue = get_long(address);
if (magicValue == MH_MAGIC || magicValue == MH_MAGIC_64)
{
if(validate_macho(address))
{
msg("[ERROR] Not a valid mach-o binary at %x\n", address);
add_to_hits_list(address, magicValue == MH_MAGIC ? TARGET_32 : TARGET_64, 1);
return 1;
}
// we just need to read mach_header.filetype so no problem in using the 32bit struct
struct mach_header header;
get_many_bytes(address, &header, sizeof(struct mach_header));
if (header.filetype == MH_OBJECT)
retValue = extract_mhobject(address, outputFilename);
else
retValue = extract_macho(address, outputFilename);

add_to_hits_list(address, magicValue == MH_MAGIC ? TARGET_32 : TARGET_64, retValue);
}
else if (magicValue == FAT_CIGAM)
{
retValue = extract_fat(address, outputFilename);
add_to_hits_list(address, TARGET_FAT, retValue);
}
else
{
msg("[ERROR] No potentially valid mach-o binary at current location!\n");
retValue = 1;
}
return retValue;
}

/*
* sorter
*/
int id_sort(struct report *a, struct report *b) {
return (a->id - b->id);
}

/*
* output final extraction report
*/
void
do_report(void)
{
@@ -264,49 +306,8 @@ add_to_fat_list(ea_t address)
}
}
}

}

/*
* entry function to validate and extract fat and non-fat binaries
*/
uint8_t
extract_binary(ea_t address, char *outputFilename)
{
uint8_t retValue = 0;
uint32 magicValue = get_long(address);
if (magicValue == MH_MAGIC || magicValue == MH_MAGIC_64)
{
if(validate_macho(address))
{
msg("[ERROR] Not a valid mach-o binary at %x\n", address);
add_to_hits_list(address, magicValue == MH_MAGIC ? TARGET_32 : TARGET_64, 1);
return 1;
}
// we just need to read mach_header.filetype so no problem in using the 32bit struct
struct mach_header header;
get_many_bytes(address, &header, sizeof(struct mach_header));
if (header.filetype == MH_OBJECT)
retValue = extract_mhobject(address, outputFilename);
else
retValue = extract_macho(address, outputFilename);

add_to_hits_list(address, magicValue == MH_MAGIC ? TARGET_32 : TARGET_64, retValue);
}
else if (magicValue == FAT_CIGAM)
{
retValue = extract_fat(address, outputFilename);
add_to_hits_list(address, TARGET_FAT, retValue);
}
else
{
msg("[ERROR] No potentially valid mach-o binary at current location!\n");
retValue = 1;
}
return retValue;
}


char IDAP_comment[] = "Plugin to extract Mach-O binaries from disassembly";
char IDAP_help[] = "Extract Mach-O";
char IDAP_name[] = "Extract Mach-O";
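Review bot: In the relocated `extract_binary`, `header.filetype` is read without checking the result of `get_many_bytes(address, &header, sizeof(struct mach_header))`, so a failed read leaves `header` as uninitialised stack data and the MH_OBJECT dispatch is decided by garbage. The bytes come from the database under analysis, which may hold a hostile sample, so the read should be guarded, e.g. `if (!get_many_bytes(address, &header, sizeof(header))) { msg("[ERROR] Can't read mach-o header\n"); return 1; }` (assuming the SDK's boolean return). What `validate_macho` already guarantees is not visible on this page. Separately, `msg("[ERROR] Not a valid mach-o binary at %x\n", address)` passes an `ea_t` to `%x`, which mismatches on builds where `ea_t` is 64-bit; IDA's `%a` specifier takes an `ea_t`.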
35 changes: 5 additions & 30 deletions extractmacho.h
@@ -34,6 +34,9 @@
*
*/

#ifndef ExtractMachO_extractmacho_cpp
#define ExtractMachO_extractmacho_cpp

// IDA SDK includes
#include <ida.hpp>
#include <idp.hpp>
@@ -42,34 +45,6 @@
#include <kernwin.hpp>
#include <search.hpp>

// OS X includes
#ifdef __MAC__
#include <mach-o/loader.h>
#include <mach-o/fat.h>
#include <mach-o/reloc.h>
#include <mach-o/nlist.h>
#else
#include "loader.h"

#define FAT_MAGIC 0xcafebabe
#define FAT_CIGAM 0xbebafeca /* NXSwapLong(FAT_MAGIC) */

struct fat_header {
uint32_t magic; /* FAT_MAGIC */
uint32_t nfat_arch; /* number of structs that follow */
};

struct fat_arch {
int cputype; /* cpu specifier (int) */
int cpusubtype; /* machine specifier (int) */
uint32_t offset; /* file offset to this object file */
uint32_t size; /* size of this object file */
uint32_t align; /* alignment as a power of 2 */
};

#endif


#include "mymacros.h"
#include "mac_includes.h"

//extern int process_loadcmds (char *, int, uint64_t, sample_info_t *, unsigned int);
#endif
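Review bot: The new include guard is named `ExtractMachO_extractmacho_cpp` although it protects extractmacho.h, while the other header added in this commit uses the `_h` suffix (`ExtractMachO_mac_includes_h`). Renaming it to `#ifndef ExtractMachO_extractmacho_h` / `#define ExtractMachO_extractmacho_h` keeps the guards consistent and avoids a collision if a guard is ever derived from the .cpp file name. A trailing comment on the closing `#endif`, e.g. `#endif // ExtractMachO_extractmacho_h`, would make the pairing obvious.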
32 changes: 4 additions & 28 deletions extractors.h
@@ -40,37 +40,13 @@
// IDA SDK includes
#include <ida.hpp>
#include <idp.hpp>
#include <loader.hpp>
#include <bytes.hpp>
#include <kernwin.hpp>
#include <search.hpp>

// OS X includes
#ifdef __MAC__
#include <mach-o/loader.h>
#include <mach-o/fat.h>
#include <mach-o/reloc.h>
#include <mach-o/nlist.h>
#else
#include "loader.h"

#define FAT_MAGIC 0xcafebabe
#define FAT_CIGAM 0xbebafeca /* NXSwapLong(FAT_MAGIC) */

struct fat_header {
uint32_t magic; /* FAT_MAGIC */
uint32_t nfat_arch; /* number of structs that follow */
};

struct fat_arch {
int cputype; /* cpu specifier (int) */
int cpusubtype; /* machine specifier (int) */
uint32_t offset; /* file offset to this object file */
uint32_t size; /* size of this object file */
uint32_t align; /* alignment as a power of 2 */
};

#endif
#include "mac_includes.h"

uint8_t extract_macho(ea_t address, char *outputFilename);
uint8_t extract_mhobject(ea_t address, char *outputFilename);
uint8_t extract_fat(ea_t address, char *outputFilename);

#endif
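Review bot: The prototypes for `extract_macho`, `extract_mhobject` and `extract_fat` sit in this header without any statement of their contract. From `extract_binary` in extractmacho.cpp the result appears to be 0 on success and non-zero on failure, and `outputFilename` looks like an input path. A comment above them such as `// returns 0 on success, 1 on failure; outputFilename is the destination path and is not modified` would record that, and if the implementations really do not write through the pointer the parameter could become `const char *outputFilename`. The implementations are outside this page, so both points need confirming against extractors.cpp.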
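--- a/mac_includes.h
+++ b/mac_includes.h
@@ -0,0 +1,69 @@
+/*
+* ___________ __ __
+* \_ _____/__ ____/ |_____________ _____/ |_
+* | __)_\ \/ /\ __\_ __ \__ \ _/ ___\ __\
+* | \> < | | | | \// __ \\ \___| |
+* /_______ /__/\_ \ |__| |__| (____ /\___ >__|
+* \/ \/ \/ \/
+* _____ .__ ________
+* / \ _____ ____ | |__ \_____ \
+* / \ / \\__ \ _/ ___\| | \ ______ / | \
+* / Y \/ __ \\ \___| Y \ /_____/ / | \
+* \____|__ (____ /\___ >___| / \_______ /
+* \/ \/ \/ \/ \/
+*
+* (c) 2012, fG! - reverser@put.as - http://reverse.put.as
+*
+* An IDA plugin to extract Mach-O binaries inside code or data segments
+*
+* -> You are free to use this code as long as you keep the original copyright <-
+*
+* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
+* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE
+* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+* POSSIBILITY OF SUCH DAMAGE.
+*
+* mac_includes.h
+*
+*/
+
+#ifndef ExtractMachO_mac_includes_h
+#define ExtractMachO_mac_includes_h
+
+// OS X includes
+#ifdef __MAC__
+
+#include <mach-o/loader.h>
+#include <mach-o/fat.h>
+#include <mach-o/reloc.h>
+#include <mach-o/nlist.h>
+
+#else
+#include "loader.h"
+
+#define FAT_MAGIC 0xcafebabe
+#define FAT_CIGAM 0xbebafeca /* NXSwapLong(FAT_MAGIC) */
+
+struct fat_header {
+uint32_t magic; /* FAT_MAGIC */
+uint32_t nfat_arch; /* number of structs that follow */
+};
+
+struct fat_arch {
+int cputype; /* cpu specifier (int) */
+int cpusubtype; /* machine specifier (int) */
+uint32_t offset; /* file offset to this object file */
+uint32_t size; /* size of this object file */
+uint32_t align; /* alignment as a power of 2 */
+};
+
+#endif
+
+#endif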
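Review bot: The non-Mac branch declares `struct fat_header` and `struct fat_arch` with `uint32_t` members, but the header includes nothing that visibly defines that type. It therefore only compiles when the includer has already pulled in the IDA SDK or `<stdint.h>`; adding `#include <stdint.h>` at the top of the `#else` branch makes it self-contained (unless `loader.h`, not shown here, already does so). It would also help to put a comment on the structs, e.g. `/* fields are big-endian on disk and come from the analysed sample: byte-swap and bounds-check nfat_arch, offset and size before use */`, since these values presumably drive how much data the extractors read.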
