Cross-platform MachO/ObjC Static binary analysis tool & library. class-dump + otool + lipo + more

Overview

ktool

Static Mach-O binary metadata analysis tool / information dumper



pip3 install k2l

Development is currently taking place on the @python3.10 branch.

Installation

# Installation
pip3 install k2l

# Updating
pip3 install --upgrade k2l

Documentation

https://ktool.rtfd.io

ktool commands

ktool includes both a library and a script that uses the library to perform various tasks.

Installation adds the ktool command to the Python scripts directory (use pyenv exec ktool if using pyenv).

usage: ktool [command] <flags> [filename]

ktool dump:
ktool dump --headers --out <directory> [filename] - Dump set of headers for a bin/framework
ktool dump --tbd [filename] - Dump .tbd for a framework

ktool file:
ktool file [filename] - Prints (very) basic info about a file (e.g. "Thin MachO Binary")

ktool lipo:
ktool lipo --extract [slicename] [filename] - Extract a slice from a fat binary
ktool lipo --create [--out filename] [filenames] - Create a fat MachO Binary from multiple thin binaries

ktool list:
ktool list --symbols [filename] - Print the symbol table for the file
ktool list --classes [filename] - Print the list of classes
ktool list --protocols [filename] - Print the list of protocols
ktool list --linked [filename] - Print a list of linked libraries

ktool info:
usage: ktool info [-h] [--slice SLICE_INDEX] [--vm] [--cmds] [--binding] filename
ktool info [--slice n] [filename] - Print generic info about a MachO File
ktool info [--slice n] --vm [filename] - Print VM -> Slice -> File address mapping for a slice of a MachO File
ktool info [--slice n] --cmds [filename] - Print list of load commands for a file 
ktool info [--slice n] --binding [filename] - Print binding actions for a file

Written in Python for the sake of platform independence when operating on static binaries and libraries.

Special thanks to

IDA for making it possible to write the code without actually understanding full internals
JLevin and *OS Internals Vol 1 for actually understanding the internals and specifics + writing documentation
arandomdev for guidance + code

Comments
  • `dump` command fails with exception


    Hello,

    When attempting to dump headers from system frameworks, extracted by keith/dyld-shared-cache-extractor, the following exception is thrown:

    ➜  ~ dyld-shared-cache-extractor /System/Library/dyld/dyld_shared_cache_x86_64 ~/Desktop/headers/dyld/
    ➜  ~ ktool dump --headers --out ~/Desktop/headers ~/Desktop/headers/dyld/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit
    Traceback (most recent call last):
      File "/usr/local/bin/ktool", line 8, in <module>
        sys.exit(main())
      File "/usr/local/lib/python3.9/site-packages/ktool/ktool_script.py", line 387, in main
        args.func(args)
      File "/usr/local/lib/python3.9/site-packages/ktool/ktool_script.py", line 915, in dump
        objc_image = ktool.load_objc_metadata(image)
      File "/usr/local/lib/python3.9/site-packages/ktool/ktool.py", line 125, in load_objc_metadata
        return ObjCImage.from_image(image)
      File "/usr/local/lib/python3.9/site-packages/ktool/objc.py", line 130, in from_image
        cat_prot_queue.go()
      File "/usr/local/lib/python3.9/site-packages/ktool/util.py", line 104, in go
        self.returns = [self.process_item(item) for item in self.items]
      File "/usr/local/lib/python3.9/site-packages/ktool/util.py", line 104, in <listcomp>
        self.returns = [self.process_item(item) for item in self.items]
      File "/usr/local/lib/python3.9/site-packages/ktool/util.py", line 94, in process_item
        return item.func(*item.args)
      File "/usr/local/lib/python3.9/site-packages/ktool/objc.py", line 910, in from_image
        loc = objc_image.get_int_at(category_ptr, 8, vm=True)
      File "/usr/local/lib/python3.9/site-packages/ktool/objc.py", line 186, in get_int_at
        return self.image.get_int_at(offset, length, vm, sectname)
      File "/usr/local/lib/python3.9/site-packages/ktool/dyld.py", line 205, in get_int_at
        offset = self.vm.get_file_address(offset, section_name)
      File "/usr/local/lib/python3.9/site-packages/ktool/macho.py", line 289, in get_file_address
        raise ValueError(f'Address {hex(vm_address)} couldn\'t be found in vm address set')
    ValueError: Address 0xfffffff8402cc730 couldn't be found in vm address set
    

    It behaves the same whether I extract the arm64 or x64 cache.

    Thanks

    opened by LeoNatan 13
  • Binaries with inserted commands do not round-trip


    Attempting to insert a load command into a binary produced by ktool after previously inserting a load command does not work.

    To reproduce, run the following:

    $ ktool insert --lc load --payload libFirst.dylib --out FirstOutput Target
    $ ktool insert --lc load --payload libSecond.dylib --out SecondOutput FirstOutput
    

    This results in the following error:

    Traceback (most recent call last):
      File "/opt/homebrew/bin/ktool", line 866, in <module>
        main()
      File "/opt/homebrew/bin/ktool", line 356, in main
        args.func(args)
      File "/opt/homebrew/bin/ktool", line 567, in insert
        image = process_patches(image)
      File "/opt/homebrew/bin/ktool", line 407, in process_patches
        return ktool.reload_image(image)
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/ktool.py", line 55, in reload_image
        return load_image(image.slice)
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/ktool.py", line 84, in load_image
        return Dyld.load(macho_slice, load_symtab=load_symtab, load_imports=load_imports, load_exports=load_exports)
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/dyld.py", line 289, in load
        image = Image(macho_slice)
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/dyld.py", line 138, in __init__
        self.macho_header: ImageHeader = ImageHeader.from_image(macho_slice=macho_slice)
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/dyld.py", line 77, in from_image
        raise ex
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/dyld.py", line 73, in from_image
        load_cmd = Struct.create_with_bytes(LOAD_COMMAND_MAP[LOAD_COMMAND(cmd)], cmd_raw)
      File "/opt/homebrew/Cellar/python@3.9/3.9.10/Frameworks/Python.framework/Versions/3.9/lib/python3.9/enum.py", line 384, in __call__
        return cls.__new__(cls, value)
      File "/opt/homebrew/Cellar/python@3.9/3.9.10/Frameworks/Python.framework/Versions/3.9/lib/python3.9/enum.py", line 702, in __new__
        raise ve_exc
    ValueError: 791555631 is not a valid LOAD_COMMAND
    

    Some testing on my end reveals this doesn't seem to depend on the binaries themselves.

    bug 
    opened by jonpalmisc 3
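Added example, not part of the issue above and not ktool's code: 791555631 is 0x2F2E2E2F, the ASCII bytes "/../" read as a little-endian uint32, which is the kind of value a load-command walker reports once it has stepped into a dylib path string. The sketch builds a constructed 64-bit header whose first dylib command records a too-short cmdsize (an assumed fault for illustration, not a diagnosis of the bug reported here) and shows a consistency check that names the offending command; all function names and library paths are hypothetical.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF                     # 64-bit little-endian Mach-O
LC_REQ_DYLD = 0x80000000
LC_LOAD_DYLIB = 0x0C
LC_ID_DYLIB = 0x0D
LC_LOAD_WEAK_DYLIB = 0x18 | LC_REQ_DYLD
LC_REEXPORT_DYLIB = 0x1F | LC_REQ_DYLD
LC_LOAD_UPWARD_DYLIB = 0x23 | LC_REQ_DYLD    # 2147483683
DYLIB_CMDS = {LC_LOAD_DYLIB, LC_ID_DYLIB, LC_LOAD_WEAK_DYLIB,
              LC_REEXPORT_DYLIB, LC_LOAD_UPWARD_DYLIB}

HDR = struct.Struct("<8I")    # mach_header_64: magic .. ncmds, sizeofcmds, flags, reserved
DYLIB = struct.Struct("<6I")  # dylib_command: cmd, cmdsize, name offset, timestamp, versions


def dylib_command(path, cmd=LC_LOAD_DYLIB):
    """Build a well-formed dylib_command: NUL-terminated name, size padded to 8."""
    name = path.encode() + b"\0"
    size = (DYLIB.size + len(name) + 7) & ~7
    fixed = DYLIB.pack(cmd, size, DYLIB.size, 2, 0x10000, 0x10000)
    return fixed + name.ljust(size - DYLIB.size, b"\0")


def build_image(commands):
    """Header plus load commands only; cputype arm64, filetype MH_EXECUTE."""
    blob = b"".join(commands)
    return HDR.pack(MH_MAGIC_64, 0x0100000C, 0, 2, len(commands), len(blob), 0, 0) + blob


def looks_like_text(value):
    """True when all four bytes of a cmd value are printable ASCII."""
    return all(0x20 <= b < 0x7F for b in struct.pack("<I", value))


def naive_walk(data):
    """Trust ncmds and cmdsize completely and return the cmd values seen."""
    ncmds = HDR.unpack_from(data)[4]
    off, seen = HDR.size, []
    for _ in range(ncmds):
        if off + 8 > len(data):
            break
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        seen.append(cmd)
        off += cmdsize
    return seen


def first_inconsistency(data):
    """Return a description of the first structural problem, or None."""
    if len(data) < HDR.size:
        return "file shorter than mach_header_64"
    magic, _, _, _, ncmds, sizeofcmds, _, _ = HDR.unpack_from(data)
    if magic != MH_MAGIC_64:
        return f"unsupported magic {magic:#x}"
    end = HDR.size + sizeofcmds
    if end > len(data):
        return f"sizeofcmds {sizeofcmds:#x} runs past end of file"
    off = HDR.size
    for i in range(ncmds):
        if off + 8 > end:
            return f"command {i} at {off:#x} starts beyond sizeofcmds"
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        where = f"command {i} at {off:#x} (cmd={cmd:#x})"
        if looks_like_text(cmd):
            return f"{where}: cmd is ASCII {struct.pack('<I', cmd)!r}, walker is inside string data"
        if cmdsize < 8 or cmdsize % 8 or off + cmdsize > end:
            return f"{where}: bad cmdsize {cmdsize:#x}"
        if cmd in DYLIB_CMDS:
            if cmdsize < DYLIB.size:
                return f"{where}: cmdsize smaller than dylib_command"
            name_off = struct.unpack_from("<I", data, off + 8)[0]
            if not DYLIB.size <= name_off < cmdsize:
                return f"{where}: name offset {name_off:#x} outside the command"
            if b"\0" not in data[off + name_off:off + cmdsize]:
                return f"{where}: dylib name has no NUL inside cmdsize {cmdsize:#x}"
        off += cmdsize
    if off != end:
        return f"commands end at {off:#x} but header says {end:#x}"
    return None


def good_image():
    # Constructed sample: two consistent dylib commands.
    return build_image([
        dylib_command("@executable_path/../Frameworks/libFirst.dylib"),
        dylib_command("@executable_path/../Frameworks/libSecond.dylib", LC_LOAD_UPWARD_DYLIB),
    ])


def truncated_image():
    # Constructed fault: first command claims 40 bytes although it occupies 72,
    # so the next "command" starts 16 bytes into the path, at "/../".
    first = bytearray(dylib_command("@executable_path/../Frameworks/libFirst.dylib"))
    struct.pack_into("<I", first, 4, 40)
    second = dylib_command("@executable_path/../Frameworks/libSecond.dylib")
    return build_image([bytes(first), second])


if __name__ == "__main__":
    print([hex(c) for c in naive_walk(truncated_image())])
    print(first_inconsistency(truncated_image()))
```

The naive walk surfaces the bogus command id one step after the real fault, while the NUL-termination check points at the command whose recorded size is wrong.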
  • Insert command only inserts to first architecture in universal binaries


    I've attempted to insert a load command as follows:

    ktool insert --lc load --payload libExample.dylib --out TargetPatched Target
    

    This succeeds in adding the load command to the first architecture in the universal binary, however, it does not insert it to the second. The ability to either;

    • choose which architecture to add the load command for; or
    • automatically insert the load command in both architectures

    would be helpful.

    bug 
    opened by jonpalmisc 3
  • Load Command LOAD_COMMAND.LOAD_UPWARD_DYLIB doesn't have a mapped struct type


    Hello, when attempting to dump headers for a shared library extracted from the dyld cache (using keith/dyld-shared-cache-extractor), the following error comes up:

    ➜  ~ ktool dump --headers --out ~/Desktop/test/headers /Users/lnatan/Desktop/test/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit 
    ERROR - ktool.dyld:L#83:ImageHeader:from_image() - 
    ERROR - ktool.dyld:L#84:ImageHeader:from_image() - Load Command LOAD_COMMAND.LOAD_UPWARD_DYLIB doesn't have a mapped struct type
    ERROR - ktool.dyld:L#85:ImageHeader:from_image() - *Please* file an issue on the github @ https://github.com/cxnder/ktool
    ERROR - ktool.dyld:L#86:ImageHeader:from_image() - 
    ERROR - ktool.dyld:L#87:ImageHeader:from_image() - Run with the -f flag before the subcommand to try and force loading anyways
    ERROR - ktool.dyld:L#88:ImageHeader:from_image() - 
    Traceback (most recent call last):
      File "/opt/homebrew/bin/ktool", line 8, in <module>
        sys.exit(main())
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/ktool_script.py", line 376, in main
        args.func(args)
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/ktool_script.py", line 898, in dump
        image = ktool.load_image(fp, args.slice_index, use_mmaped_io=MMAP_ENABLED)
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/ktool.py", line 84, in load_image
        return Dyld.load(macho_slice, load_symtab=load_symtab, load_imports=load_imports, load_exports=load_exports)
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/dyld.py", line 292, in load
        image = Image(macho_slice)
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/dyld.py", line 139, in __init__
        self.macho_header: ImageHeader = ImageHeader.from_image(macho_slice=macho_slice)
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/dyld.py", line 89, in from_image
        raise ex
      File "/opt/homebrew/lib/python3.9/site-packages/ktool/dyld.py", line 74, in from_image
        load_cmd = Struct.create_with_bytes(LOAD_COMMAND_MAP[LOAD_COMMAND(cmd)], cmd_raw)
    KeyError: <LOAD_COMMAND.LOAD_UPWARD_DYLIB: 2147483683>
    

    Running with the -f flag doesn't help.

    Thanks

    opened by LeoNatan 2
  • chore(legacy): Adapt to package changes


    This PR updates .legacy_setup.py in order to work with the new changes made to the library. Specific changes were documented under the commit message.

    When updating versions, make sure to update the one set in pyproject.toml as well as the one set in the legacy setup script, and everything else should be fine; Procursus doesn't use poetry unfortunately, so this is a required patch in order for that to continue building.

    opened by TheRealKeto 1
  • Incorrect superclass for classes


    I was trying to generate header files for NearField.framework but noticed that the superclass for NFHCESession was incorrect.

    My NearField.framework binary was created by DyldExtractor with the cache from iOS 14.3.

    The superclass for NFHCESession should be NFSession but it's set to NSObject.

    Here is the binary I used.

    opened by arandomdev 1
  • Miscellaneous changes to the project


    This PR provides some QOL updates to the project, cleaning up some code, removing, and re-organizing imports. Specific changes have been mentioned under the commit message.

    opened by TheRealKeto 1
  • Small changes and fixes to test workflow


    This PR changes the Github workflow used to run tests; small commits (such as those as simple README changes) are now ignored by the workflow, and the workflow now runs tests for changes inside branches starting with develop/.

    Since specific Python versions will be used for development (in the future), this PR makes specifying what Python version the workflow needs to setup more dynamic — requiring a secret with the Python version to be setup before merging this. This specific change can be discussed at any point.

    Specific changes made have been documented under the commit message.

    enhancement 
    opened by TheRealKeto 1
  • Migration to Python 3.10 + next commits


    The project has been migrated to python 3.10 for the sake of using pattern matching and other wonderful features it provides.

    This branch will also temporarily contain future work on the project till it is merged.

    This will be merged to master whenever python 3.10 is closer to being ready for an official release.

    enhancement 
    opened by cxnder 1
  • Actually use __init__.py (and shorten imports)


    This PR makes use of __init__.py in order to make it easier to import classes from the project into and outside of the project, since this is the actual use of the file, shortening import statements.

    Currently, everything provided by the module/distribution is being imported, which isn't the best practice (because there's things that shouldn't be imported(?)), so I'd like some input on that.

    opened by TheRealKeto 1
  • Large Amount of changes


    Class Renames:

    • Dyld -> MachOImageLoader
    • ImageHeader -> MachOImageHeader

    LD64 class was removed. insert_load_cmd(load_command, index=-1, suffix=None) and remove_load_command(index) added to MachOImageHeader, which supports adding and removing all types of load commands now.

    ktool.dyld module renamed to ktool.loader, now contains only code relevant specifically to loading the Image class from a standard MachO Image class and a few others moved to new image.py, in which contained code is a non-platform-specific abstraction not tied to MachO.

    Fixes:

    • Rewritten load command injection should fix issues with round-tripping and producing bad patches. A ton of unit testing for this area was added to try and maintain this.
    • Fix for some issues on certain weird linux environments

    Improvements:

    • ktool no longer tries to guess the property getter/setter; it decodes it from the actual standard attr_string or generates it from the property name if none is specified. This avoids potential false positives and also clarifies when non standard ones are used. We also decode whether a property is @dynamic but do not encode that in the header yet.
    • json output for properties now embeds attr_string, getter, and setter.
    opened by cxnder 0
  • Decoding exception when using load_image_from_dsc on < iOS 16


    Don't have trace on-hand atm, but using ktool as a lib I'm getting:

    utf-8 can't decode byte 0xc0 in position 2: invalid start byte

    from read_node in ktool/loader.py in the image.get_cstr_at(cursor) call.

    Let me know if you need the full trace

    opened by glen-mac 0
  • fails in gui


    bootywarrior@Bootys-MacBook-Air Desktop % ktool open /Users/bootywarrior/Downloads/iPhone_4.7_14.6_18F72_Restore/kernelcache.release.n71.decompressed
    Hard fault in GUI due to uncaught exception:
    Traceback (most recent call last):
      File "/opt/homebrew/bin/ktool", line 8, in <module>
        sys.exit(main())
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/ktool_script.py", line 409, in main
        args.func(args)
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/ktool_script.py", line 489, in _open
        raise ex
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/ktool_script.py", line 481, in _open
        screen.load_file(args.filename, MMAP_ENABLED)
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/window.py", line 2230, in load_file
        raise ex
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/window.py", line 2211, in load_file
        for item in KToolKernelCacheLoader.contents_for_file(fd, self.update_load_status):
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/window.py", line 1605, in contents_for_file
        raise ex
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/window.py", line 1603, in contents_for_file
        items.append(cls.slice_item(macho_slice, callback))
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/window.py", line 1966, in slice_item
        loaded_image = MachOImageLoader.load(macho_slice)
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/loader.py", line 58, in load
        MachOImageLoader._parse_load_commands(image, load_symtab, load_imports, load_exports)
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/loader.py", line 80, in _parse_load_commands
        image.vm.add_segment(segment)
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/image.py", line 51, in add_segment
        self.map_pages(segment.file_address, segment.vm_address, segment.size)
      File "/opt/homebrew/lib/python3.10/site-packages/ktool/image.py", line 86, in map_pages
        raise MachOAlignmentError(f'Tried to map {hex(virtual_addr)}+{hex(size)} to {hex(physical_addr)}')
    ktool.exceptions.MachOAlignmentError: Tried to map 0xfffffff007890000+0x7ee58 to 0x818000

    opened by turnerrocks1 0
  • ModuleNotFoundError: No module named '_curses'


    OS: Microsoft Windows 10 x64

    An error occurred after running Ktool.

    Traceback (most recent call last):
      File "c:\python3\lib\runpy.py", line 194, in _run_module_as_main
        return _run_code(code, main_globals, None,
      File "c:\python3\lib\runpy.py", line 87, in _run_code
        exec(code, run_globals)
      File "C:\python3\scripts\ktool.exe\__main__.py", line 4, in <module>
      File "c:\python3\lib\site-packages\ktool\ktool_script.py", line 54, in <module>
        from ktool.window import KToolScreen, external_hard_fault_teardown
      File "c:\python3\lib\site-packages\ktool\window.py", line 31, in <module>
        import curses
      File "c:\python3\lib\curses\__init__.py", line 13, in <module>
        from _curses import *
    ModuleNotFoundError: No module named '_curses'
    


    opened by Vxer-Lee 1
Releases(1.3.0)
  • 1.3.0(May 14, 2022)

    Class Renames:

    • Dyld -> MachOImageLoader
    • ImageHeader -> MachOImageHeader

    LD64 class was removed. insert_load_cmd(load_command, index=-1, suffix=None) and remove_load_command(index) added to MachOImageHeader, which supports adding and removing all types of load commands now.

    ktool.dyld module renamed to ktool.loader, now contains only code relevant specifically to loading the Image class from a standard MachO Image class and a few others moved to new image.py, in which contained code is a non-platform-specific abstraction not tied to MachO.

    Fixes:

    • Rewritten load command injection should fix issues with round-tripping and producing bad patches. A ton of unit testing for this area was added to try and maintain this.
    • Fix for some issues on certain weird linux environments

    Improvements:

    • ktool no longer tries to guess the property getter/setter; it decodes it from the actual standard attr_string or generates it from the property name if none is specified. This avoids potential false positives and also clarifies when non-standard ones are used. We also decode whether a property is @dynamic but do not encode that in the header yet.
    • json output for properties now embeds attr_string, getter, and setter.
    • More unit tests
  • 1.2.1(May 1, 2022)

    New

    • ImageHeader can now be created from arbitrary values (ImageHeader.from_values())
    • New Constructable LoadCommand + Segment currently used in tandem with old Segment wrapper.
    • Unit tests!
    • --fdec flag for dump, which forward declares private class imports

    Fixes

    • BytesIO fixes
    • Fix lc insertion
    • Fix with mmaped IO loader
    • Program no longer crashes on unimplemented load commands
    • Better VM segment input verification
    • Properly null pad strings in structs
    • Minor fixes in help messages
    • Fix a crash with the codesign parser
    • Fix (one) missing Chained Fixup structure.
    • Fix relative method list parsing when relative addresses are negative
    • Much better error handling in objc parsing
    • Better info on bad load commands
  • 1.2.0(Mar 30, 2022)

    • Added entitlement parsing
    • Added Codesign information to GUI.
    • Added json dumping for all mach-o/obj-c metadata
    • Fixed an issue with Slice.find() on 32 bit files
    • Further sped up struct loading substantially.
    • Fixed issues with the patcher.

    Tool

    • Added ktool cs for interacting with codesigning info
    • Added ktool json for dumping metadata as json
    • Implemented ktool -V

    Library

    Documentation has been mostly updated to reflect new additions

    Codesign Info

    • Added CodesignInfo class, accessible via image.codesign_info
      • Entitlements accessible via codesign_info.entitlements

    Serialization

    The majority of objects containing relevant/important metadata about the image now contain a .serialize() function, which returns json-formattable dictionaries containing relevant metadata.

    Struct Parser

    • Redid the method in which .raw bytes are generated, eliminating the bottleneck created by that feature
    • Added support for field "sizes" being another Struct type

    File Backing

    • Added a BackingFile class to further abstract out the direct file reads
    • Added a SlicedBackingFile class to even further abstract out slices within a file. This fixed a confusing issue with the Slice.find() search utility in 32 bit files. This also abstracts out the patching functionality in order to keep that code more sane.

    Patcher

    • Refactored the majority of the LD64 class and its patching methods to now rebuild the entire header and write it via a single slice.patch()

    Parsing of more codesign related information, along with adding more relevant data to json dumps to come.

  • 1.1.4(Mar 15, 2022)

    Nothing too crazy, a lot of cleanup/refactoring, a few additions

    GUI

    • Structs will now be rendered with an indentation for readability
    • Scrolling now supports PGUP + PGDOWN

    Image

    .vm_realign() - Computes image alignment (after the imageheader has been loaded) and sets up (or re-sets-up) the proper VM translator for the image.

    Slice

    CPU subtype now masks out the ABI bits.

    VM Address Translation

    Added a new VM translator, based on how low-level memory paging works. It is up to 2x faster than the old manual translator.

    It falls back to the legacy method whenever images cannot be mapped to 16k/4k pages.

    • Refactor: -> get_file_address() -> translate()
    • New Attribute: .detag_kern_64 - Set this to automatically detag 64 bit kernel pointers being translated
    • New Attribute: .detag_64 - Set this to detag 64 bit pointers (remove chained fixup data)
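Added sketch of the idea in this section, not ktool's implementation: a translator that indexes segments by page when every segment is 16k- or 4k-aligned and otherwise falls back to a per-segment scan. The class name, segment tuples and addresses are constructed for illustration, pointer detagging is left out, and each segment's file size is assumed to equal its VM size.

```python
PAGE_SIZES = (0x4000, 0x1000)   # try 16k pages first, then 4k


class PagedVMMap:
    """Hypothetical VM address -> file offset translator."""

    def __init__(self, segments):
        # segments: iterable of (name, vm_addr, file_off, size)
        self.segments = [(vm, off, size, name) for name, vm, off, size in segments]
        # Pick the largest page size to which every segment start is aligned.
        self.page_size = next((ps for ps in PAGE_SIZES if self._aligned(ps)), None)
        self.pages = {}
        if self.page_size:
            self._map_pages()

    def _aligned(self, ps):
        return all(vm % ps == 0 and off % ps == 0 for vm, off, _, _ in self.segments)

    def _map_pages(self):
        ps = self.page_size
        for vm, off, size, _ in self.segments:
            for done in range(0, size, ps):
                # Store the file offset of the page and how many of its bytes the
                # segment really covers, so the tail of a partial last page is
                # not treated as mapped.
                self.pages[(vm + done) // ps] = (off + done, min(ps, size - done))

    def translate(self, vm_addr):
        if self.page_size:
            # Paged path: one dictionary lookup regardless of segment count.
            base, valid = self.pages.get(vm_addr // self.page_size, (0, 0))
            within = vm_addr % self.page_size
            if within < valid:
                return base + within
        else:
            # Fallback path: scan every segment for a containing range.
            for vm, off, size, _ in self.segments:
                if vm <= vm_addr < vm + size:
                    return off + (vm_addr - vm)
        raise ValueError(f"Address {vm_addr:#x} couldn't be found in vm address set")


# Constructed layouts: 16k-aligned, 4k-aligned only, and unaligned file offset.
MAP_16K = PagedVMMap([("__TEXT", 0x100000000, 0x0, 0x8000),
                      ("__DATA", 0x100008000, 0x8000, 0x4000)])
MAP_4K = PagedVMMap([("__TEXT", 0x100000000, 0x0, 0x5000),
                     ("__DATA", 0x100005000, 0x5000, 0x1800)])
MAP_SCAN = PagedVMMap([("__TEXT", 0x100000000, 0x0, 0x5000),
                       ("__DATA", 0x100005000, 0x5100, 0x1800)])


def is_mapped(vm_map, vm_addr):
    """Convenience wrapper: True when the address translates."""
    try:
        vm_map.translate(vm_addr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for label, m in (("16k", MAP_16K), ("4k", MAP_4K), ("scan", MAP_SCAN)):
        print(label, m.page_size, hex(m.translate(0x100005010)))
```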

    ObjC

    A lot more fallback/safe failure stuff. You can now load a binary extracted using the default dyld_extractor.bundle (although objc data will still not be processable, as the offsets are entirely junk and likely irreparable without access to the entire cache).

    Structs

    .render_indented() - Return a string similar to str(struct_instance) but with linebreaks and indentation.

    Internal:

    Struct sizes now actually contain two values; the high 2 bytes represent the type of the field, and the low 2 bytes represent the size of the data in that field.

    Loading a field as bytes uses the size type_bytes | <size>. Loading a field as a string is done with char_t[size]. Unsigned ints now internally use the 0x10000 mask instead of being represented by -<size>.

    kcache parsing:

    • Added version string parsing
  • 1.1.3(Mar 6, 2022)

    watchOS kcache extraction + minor bug fixes

    TUI

    • Add support for --no-mmap flag (needed on windows) in open command
    • Only detag kext addresses on 64 bit kcaches

    ktool.macho

    MachOFile -

    • Fix an issue where 32 bit little endian files wouldn't be recognized.

    ktool.kcache -

    • Add support for armv7k kernelcaches
  • 1.1.1(Mar 5, 2022)

    This release builds on the baseline kernelcache processing shipped with 1.1.0

    • Added a modified version of the python stdlib plistlib that actually works in ktool.kplistlib
    • Added the kcache stuff to the help strings.

    GUI

    • Temporarily dropped the non-implemented title menus
    • Added a new one named "Help", and moved the old default info text to that

    GUI Kernel Cache Loader

    • Added a full Loader specifically for KernelCaches
    • Info specific to Kernel Caches
    • Creates a View listing kexts and allow browsing their attributes and prelink info

    ktool.kcache

    KernelCache

    Added Attributes:

    • .prelink_info -> prelink info dict for the Mach Kernel pseudoextension
    • .version -> Release Version (semantic) of the kernel

    Kext

    Added Attributes:

    Note: Do not rely on any of these not being empty

    • .prelink_info -> Dict[str, Any] with info for this kext pulled straight from the plist in __PRELINK_INFO:__info.
    • .development_region
    • .executable_name
    • .id -> will always be the same as .name
    • .bundle_name -> Plaintext readable proper name of the bundle (like, "Libkern Extension")
    • .package_type -> Always KEXT
    • .info_string -> Informative (maybe) string describing the kext
    • .version_str -> (Probably) the same as .version
  • 1.1.0(Mar 5, 2022)

    This release mainly adds merged-type kernelcache parsing.

    kmacho module

    • Added support for LC_THREAD, LC_UNIXTHREAD, and LC_MAIN
    • Added mapping for LC_LOAD_UPWARD_DYLIB

    ktool module

    New! ktool.kcache

    KernelCache class:

    • .mach_kernel: Image -> Image representing the Mach Kernel itself
    • .kexts: List[Kext] -> List of Kext objects embedded in this kernel

    Kext class:

    • .name -> kext name
    • .version: str -> kext version
    • .mach_header -> Mach-O Header of the Kext
    • .image -> Image representing this Kext

    _VirtualMemoryMap

    • Added support (and detagging) for 64 bit kernel address space.

    Image

    • added .entry_point attribute, which points to the address (in VM Space) of the program's entry point, if an LC_THREAD, LC_UNIXTHREAD, or LC_MAIN was in the header
    • added .thread_state attribute, which holds the entry thread state if an LC_THREAD/LC_UNIXTHREAD was defined

    GUI

    • Fix: Window won't crash when a view is empty
  • 1.0.0(Mar 1, 2022)

    :tada: :tada: :tada: :tada:

    This release includes the changelog from 1.0.0rc0

    Changes

    • Terminal Output is now highlighted
    • Table rendering in terminal output now has ansi support
    • Added --class flag to dump
    • Chained Fixup Support! iOS 15 binaries, etc can now have their imports processed. It's rudimentary, but damnit, it works :)
    • Fixed ENCRYPTION_INFO_COMMAND handling
    • Function Starts table processing
    • Remove unneeded packaging dependency in favor of just hackily using setuptools's vendored version. This is a hack, but reportedly, procursus (an iOS bootstrap) can't handle building one of packaging's build dependencies, so this makes that work.
    • heavily improved non-mmap implementation

    Swift

    Extremely Rudimentary swift processing. It's just the groundwork, and shouldn't really be counted as a feature yet, but binaries with swift won't break it anymore, and it can read some basic info about swift types (and list swift types)

    Structs

    • Rewrite it again to handle signed int field processing automatically
    • Rewrite it again again so my IDE properly recognizes the fields exist, without slowing down processing too much

    Internal Stuff

    • Migrated the entire project to poetry and refactored some of the project layout.
  • 1.0.0rc0(Feb 24, 2022)

    :tada: :tada: :tada: :tada:

    Changes

    • Chained Fixup Support! iOS 15 binaries, etc can now have their imports processed. It's rudimentary, but damnit, it works :)
    • Fixed ENCRYPTION_INFO_COMMAND handling
    • Function Starts table processing
    • Remove unneeded packaging dependency in favor of just hackily using setuptools's vendored version. This is a hack, but reportedly, procursus (an iOS bootstrap) can't handle building one of packaging's build dependencies, so this makes that work.
    • heavily improved non-mmap implementation

    Swift

    Extremely Rudimentary swift processing. It's just the groundwork, and shouldn't really be counted as a feature yet, but binaries with swift won't break it anymore, and it can read some basic info about swift types (and list swift types)

    Structs

    • Rewrite it again to handle signed int field processing automatically
    • Rewrite it again again so my IDE properly recognizes the fields exist, without slowing down processing too much
  • 0.20.1(Jan 26, 2022)

    Tool

    • Initial file load in the GUI is now near-instant thanks to a refactor in how headers are loaded.
    • non-mmaped processing now operates at a reasonable speed.

    Library

    • rewrite bio (non-mmap) backend stuff to use a bytearray buffer loaded at init instead of repeated seek()->read() calls.
    • non-mmap now automatically kicks in if mmap fails
    • GUI now supports a target-function-based lazy loading string buffer, which is used for header lazy-loading
  • 0.20.0(Jan 19, 2022)

    Tool

    • open now has --hard-fail flag, which will cause open to fail (and print a backtrace) if it hits any exceptions loading content
    • GUI: objc header generation now functions on platforms without semaphore implementations

    Library

    Symbol

    • Class now conforms to Constructable class.
      • .from_image() when loading from an nlist(32/64) struct
      • .from_values when loading from values we've already decoded elsewhere
    • .addr -> .address
    • .ext -> .external
    • .types - new array of strings containing different types, if they're specified in an nlist64 entry (from a symtab)

    Table Refactor

    Essentially, table rendering in the GUI is now instant, with zero load time/freezing and no lag while scrolling large tables. This includes Hex Dumps

    Class

    • Added .dividers: bool attribute; when set to True, a real "table" with outlined cells/columns will be drawn.
    • Refactored entire class to lazily process, render, and cache the dumps as the buffer is scrolled instead of every time it gets loaded. This makes everything with tables nearly instant.

    Hex Dump Tables

    • HexDumpTables now override the fetch() method of Table, and lazily load/replace the .rows() attribute through only decoding the bytes we need at the time; and disables the cache, instead of loading all of the bytes into the decoding function at once.

    Table Rendering Logic

    • ScrollingDisplayBuffer().process_lines() no longer handles rendering tables; instead we fetch() the needed content in rendered_lines_from() every time an update is requested
    • Pinning is no longer properly implemented
  • 0.19.4(Jan 14, 2022)

    Library

    • Added support for loading/parsing/dumping 32-bit binaries. (tested on armv7, should work on x86 (32) as well)
    • General Code Cleanup
  • 0.19.3(Jan 6, 2022)

    Mainly bugfixes, and a refactor that can potentially cut objc loading speed in half.

    Tool

    • GUI: Better multithreading for the objc header syntax highlighting in the objc loader.

    Library

    • Fix a lot of potential recursion/class-loading errors in objc
    • Fix method/property sorting in public API
    • Implement a Queueing system for loading Classes/Protocols/Categories
    • Implement a Cache for loaded Classes/Protocols/Categories
    • Update Repo Address
  • 0.19.0 (Jan 3, 2022)

    This release includes a few bugfixes, along with a massive internal refactor that shouldn't affect any of the API or process.

    Tool

    • GUI
      • Fix Exit button
      • Fix crash regression when image has no UUID
    • add --membench global arg (benchmarks memory allocations across program)
    • Add --use-stab-for-sel dump arg, which will force using the symtab to get selectors for methods, instead of using the actual selector strings.

    Library

    Bugfixes
    • Fix a crash when unrecognized load commands are read
    • Fix a crash when symtab is entirely empty (poorly extracted dyld binaries)
    • Fix a crash when class/protocol pointers are bad (poorly extracted dyld binaries)
    Refactors
    • Constructable Abstract Base Class - Renamed from_bytes to from_image
    • Image - Remove deprecated .linked attribute (replaced with .linked_images)
    • Image - Add .import_table: Dict[int, Symbol], which is a lookup table for imported symbols
    • Image - Add .export_table: Dict[int, Symbol], which is a lookup table for exported symbols
    • _VirtualMemoryMap - Add .vm_check(vm_address) -> bool
    • .objc - Implement Constructable API in ObjCImage, Class, Protocol, Category, Method, Property, and Ivar. This will allow api-compatible loading and header dumping of values obtained at runtime, not from an image.
  • 0.18.0 (Dec 16, 2021)

    Tool

    • Should run a lot faster due to internal Library changes. Benchmarks have shown anywhere from 30-60% reductions in runtime.
    • GUI
      • Moved Imports and Exports out of "Binding" group and merge the imports tables

    Library

    • Massive Speedups
      • Refactor almost all of the internals in the Struct class to speed things up
      • Added some caches for some other huge speedups
        • Loaded struct cache
        • Loaded CString cache
        • Typeresolver cache
      • Finished implementing MethodList, implemented to avoid duplicate code blocks in objc.py
      • Stopped using structs in MethodList parsing to make things a bit faster
    • Expansive Refactor in the Image class.
      • .linked -> .linked_images
      • Binding tables merged, moved to new .imports: List[Symbol]
      • Exports moved to new .exports: List[Symbol], Export Trie object moved to .export_trie
    • Added .attr to Symbol class, to be used with import symbols
    • New LD64 class; holds methods for editing linking information, etc.
      • Moved load command editing functions to this class
  • 0.17.3 (Dec 13, 2021)

    Library

    • Implemented the code and fixed some issues to allow loading (and patching) BytesIO objects (raw bytes in memory that don't exist on disk).

    Example usage of this can be seen here: https://gist.github.com/KritantaDev/b577dafe844d26350b051b482bb71268#file-script-py-L20

  • 0.17.2 (Dec 13, 2021)

    Library

    • Add macho_combine(slices: List[Slice]) -> BytesIO to public API
    • Add ignore.OBJC_ERRORS to util class (used in ObjC header gen). Default is True, setting it to False will crash the program when an error is encountered loading any objc metadata.

    Tool

    • Setting --hard-fail on the CLI dump command will toggle the above ignore.OBJC_ERRORS to True, crashing the program whenever an error is encountered loading OBJC metadata.
  • 0.17.1 (Dec 9, 2021)

    Library

    • Image class now has attributes .base_name and .install_name, designed to replace the ambiguous .name attribute, which is now deprecated and shouldn't be used. .install_name will be the install name of the image, or "" if one isn't specified. .base_name will be the base name (not including path) of the install name, or the basename of the filename if one isn't included.
      • This should fix any issues with header gen, GUI related things, etc, regarding non-library images.

    Tool

    • info command now shows full Install name instead of a basename of the install name on Libraries.
    • GUI should now always restore terminal even when exceptions break out of the window.py file.
    • Fixed a minor range issue in GUI flavor text, updated the "welcome" GUI text.
    • GUI now uses cleaner basenames of Install names or Image paths when displaying them.
    • The debug menu in the GUI (click ktool in the top left corner), which shows the output of log, now highlights errors and warnings.
  • 0.17.0 (Dec 5, 2021)

    CLI Tool changes

    • Missing flags error message will now show the original flag text (--headers instead of do_headers)
    • Always attempt to tear down curses GUI after it closes (not just after caught exceptions)
    • Implement the new public library API in the CLI tool
    • Update some docstrings
    • Add --no-mmap global flag, which loads a binary without using the mmap module (this is beyond horribly slow at the moment).

    Library changes

    • Add a new public API
    • Highly limit the classes imported via the init script in the ktool module (to a few classes, and the new public API)
    • Make log error output redirectable, and by default pipe it to stderr
    • move the Table class to .util, since it can be used for both .window and CLI output
    • Add the base structure for fixup processing (not yet implemented, but the pieces are there now.)
    • A ton of project cleanup
  • 0.16.3 (Dec 1, 2021)

    • A ton of project cleanup, internal refactoring, etc.
    • Clarified some help strings, README, etc.
    • Fixed the 'edit' command
    • Fixed the fat MachO Generator
    • Implemented some new tests (which highlighted the two above issues)
  • 0.16.2 (Nov 28, 2021)

    • Cleaned up some ObjC method list code (this should not affect output)
    • partially implemented support for the 0xD0 binding opcode (although binding info isn't quite right, it doesn't crash now.)
  • 0.16.1 (Nov 28, 2021)

    This release implements ObjC Method List "alternative" encoding styles for Categories and Protocols. (direct selectors and relative offsets).

    Categories and Protocols encoded with these enabled (DyldExtractor output) should now load correctly.

  • 0.16.0 (Nov 28, 2021)

    I've forgotten to do github releases for a few months or however long. Starting again now.

    Changes with this version:

    • Refactored all variable/class names using 'Library' to 'Image'. This is more accurate to what MachO objects are called (they're really just called images; "Library" was a leftover from a previous project that only targeted libraries, and this should've been refactored long ago).

    Regarding the changes between the previous release and this one, checking the 100+ commits since then is likely your best bet.

  • 0.7.0 (Aug 15, 2021)

  • 0.5.0 (Aug 12, 2021)

  • 0.3.4 (Aug 8, 2021)

  • 0.3.3 (Aug 7, 2021)

  • 0.2.5 (Aug 3, 2021)

  • 0.2.3 (Aug 3, 2021)
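
The 0.19.0 bugfixes (crashes on unrecognized load commands and on an entirely empty symtab) and the 0.19.4 32-bit support describe parser hardening against malformed or poorly extracted images. The sketch below is an added example, not ktool's own code: it uses only the Python standard library and the struct layouts from Apple's mach-o headers, and the names walk_load_commands, read_symtab and sample_image, as well as the sample image, are constructed for illustration.

```python
import struct

MH_MAGIC, MH_MAGIC_64, LC_SYMTAB = 0xFEEDFACE, 0xFEEDFACF, 0x2   # <mach-o/loader.h>
KNOWN = {0x1: "LC_SEGMENT", LC_SYMTAB: "LC_SYMTAB", 0x19: "LC_SEGMENT_64"}

def walk_load_commands(data):
    """Return (is64, [(cmd, name, offset, size)]); unknown commands are listed, a bad cmdsize stops the walk."""
    if len(data) < 28 or struct.unpack_from("<I", data)[0] not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O")
    magic, _, _, _, ncmds, sizeofcmds, _ = struct.unpack_from("<7I", data, 0)
    is64 = magic == MH_MAGIC_64
    off = 32 if is64 else 28               # sizeof(mach_header_64) / sizeof(mach_header)
    end = min(off + sizeofcmds, len(data))
    cmds = []
    for _ in range(ncmds):
        if off + 8 > end:                  # no room left for a (cmd, cmdsize) pair
            break
        cmd, size = struct.unpack_from("<2I", data, off)
        if size < 8 or size % (8 if is64 else 4) or off + size > end:
            break                          # too small, misaligned or out of bounds
        cmds.append((cmd, KNOWN.get(cmd, "UNKNOWN"), off, size))
        off += size
    return is64, cmds

def read_symtab(data):
    """Decode nlist/nlist_64 entries; [] if the symtab is absent, empty or out of bounds."""
    is64, cmds = walk_load_commands(data)
    fmt = "<IBBHQ" if is64 else "<IBBHI"   # n_strx, n_type, n_sect, n_desc, n_value
    entry = struct.calcsize(fmt)           # 16 bytes (nlist_64) or 12 (nlist)
    for cmd, _, off, size in cmds:
        if cmd != LC_SYMTAB or size < 24:
            continue
        symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", data, off + 8)
        if nsyms == 0 or symoff + nsyms * entry > len(data) or stroff + strsize > len(data):
            return []
        strtab, syms = data[stroff:stroff + strsize], []
        for i in range(nsyms):
            strx, n_type, _, _, value = struct.unpack_from(fmt, data, symoff + i * entry)
            name = strtab[strx:].split(b"\0", 1)[0].decode("latin-1") if strx < strsize else ""
            syms.append({"name": name, "address": value, "external": bool(n_type & 0x01)})
        return syms
    return []

def sample_image(nsyms=1):
    """Constructed 64-bit image: one unrecognized command followed by LC_SYMTAB."""
    strtab = b"\0_main\0"
    cmds = struct.pack("<2I8x", 0x7F000001, 16) + struct.pack("<6I", LC_SYMTAB, 24, 72, nsyms, 88, len(strtab))
    hdr = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(cmds), 0, 0)
    return hdr + cmds + struct.pack("<IBBHQ", 1, 0x0F, 1, 0, 0x100003F00) + strtab
```

Calling read_symtab(sample_image()) walks past the unrecognized command and returns the single _main entry; passing nsyms=0 or a truncated copy of the image returns an empty list instead of raising.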

Owner
Kritanta
*OS Development.