From 127622debcb04af0b7f6e2a1de849544ea0591b1 Mon Sep 17 00:00:00 2001
From: wanghaiwei
Date: Mon, 29 Dec 2025 16:39:54 +0800
Subject: [PATCH 1/2] Fix section type identifing in mach-o view
Based on opensource code [`loader.h`](https://github.com/apple-oss-distributions/xnu/blob/f6217f891ac0bb64f3d375211650a4c1ff8ca1ea/EXTERNAL_HEADERS/mach-o/loader.h#L470) and [`dyld`](https://github.com/apple-oss-distributions/dyld), the lowest byte in `sect.flags` stands for section type.
| section name | section type | value |
| :---------------------: | :------------------------: | :---: |
| `__auth_got` or `__got` | S_NON_LAZY_SYMBOL_POINTERS | 0x6 |
| `__init_offsets` | S_INIT_FUNC_OFFSETS | 0x16 |
The problem for `sect.flags & S_NON_LAZY_SYMBOL_POINTERS` is that if `flags` is `S_INIT_FUNC_OFFSETS`, mach-o view will confuse `__init_offsets` with `__auth_got`(or `__got`). The checks for other section types have also been improved.
---
 view/macho/machoview.cpp | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/view/macho/machoview.cpp b/view/macho/machoview.cpp
index 2ff15f0eb..71e4ea0a6 100644
--- a/view/macho/machoview.cpp
+++ b/view/macho/machoview.cpp
@@ -446,13 +446,14 @@ MachOHeader MachoView::HeaderForAddress(BinaryView* data, uint64_t address, bool
 sect.flags, sect.reserved1, sect.reserved2);
- if (!strncmp(sect.sectname, "__mod_init_func", 15) || !strncmp(sect.sectname, "__init_offsets", 14))
+
+ if ((sect.flags & SECTION_TYPE) == S_INIT_FUNC_OFFSETS || (sect.flags & SECTION_TYPE) == S_MOD_INIT_FUNC_POINTERS)
 header.moduleInitSections.push_back(sect);
 if ((sect.flags & (S_ATTR_SELF_MODIFYING_CODE | S_SYMBOL_STUBS)) == (S_ATTR_SELF_MODIFYING_CODE | S_SYMBOL_STUBS))
 header.symbolStubSections.push_back(sect);
- if ((sect.flags & S_NON_LAZY_SYMBOL_POINTERS) == S_NON_LAZY_SYMBOL_POINTERS)
+ if ((sect.flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS)
 header.symbolPointerSections.push_back(sect);
- if ((sect.flags & S_LAZY_SYMBOL_POINTERS) == S_LAZY_SYMBOL_POINTERS)
+ if ((sect.flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS)
 header.symbolPointerSections.push_back(sect);
 }
 header.segments.push_back(segment64);
@@ -549,13 +550,14 @@ MachOHeader MachoView::HeaderForAddress(BinaryView* data, uint64_t address, bool
 sect.reserved1, sect.reserved2, sect.reserved3);
- if (!strncmp(sect.sectname, "__mod_init_func", 15) || !strncmp(sect.sectname, "__init_offsets", 14))
+
+ if ((sect.flags & SECTION_TYPE) == S_INIT_FUNC_OFFSETS || (sect.flags & SECTION_TYPE) == S_MOD_INIT_FUNC_POINTERS)
 header.moduleInitSections.push_back(sect);
 if ((sect.flags & (S_ATTR_SELF_MODIFYING_CODE | S_SYMBOL_STUBS)) == (S_ATTR_SELF_MODIFYING_CODE | S_SYMBOL_STUBS))
 header.symbolStubSections.push_back(sect);
- if ((sect.flags & S_NON_LAZY_SYMBOL_POINTERS) == S_NON_LAZY_SYMBOL_POINTERS)
+ if ((sect.flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS)
 header.symbolPointerSections.push_back(sect);
- if ((sect.flags & S_LAZY_SYMBOL_POINTERS) == S_LAZY_SYMBOL_POINTERS)
+ if ((sect.flags & SECTION_TYPE) == S_LAZY_SYMBOL_POINTERS)
 header.symbolPointerSections.push_back(sect);
 }
 header.segments.push_back(segment64);
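Review bot: The added init-section check in this hunk, and the identical one in the second hunk at @@ -549, evaluates `sect.flags & SECTION_TYPE` twice on one line, and the two pointer-section checks below it recompute the same mask again; hoisting it once per section, `const auto sectionType = sect.flags & SECTION_TYPE;`, lets every test read `sectionType == S_INIT_FUNC_OFFSETS` and keeps the four classifications visibly consistent. The `+` line that precedes the new check only inserts an empty line after the logging call and looks accidental. The hunk also drops the `sectname` comparison entirely, so a section named `__mod_init_func` whose type byte is not S_MOD_INIT_FUNC_POINTERS is no longer treated as an initializer section; if that is intended, a one-line comment such as `// Classify by the SECTION_TYPE byte, not by name: the name is advisory and the loader keys on the type` would save the next reader from re-deriving it. HeaderForAddress's body starts and ends outside the hunk.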
@@ -1938,7 +1940,7 @@ bool MachoView::InitializeHeader(MachOHeader& header, bool isMainHeader, uint64_
 size_t i = 0;
 reader.Seek(moduleInitSection.offset);
- if (!strncmp(moduleInitSection.sectname, "__mod_init_func", 15))
+ if ((moduleInitSection.flags & SECTION_TYPE) == S_MOD_INIT_FUNC_POINTERS)
 {
 // The mod_init section contains a list of function pointers called at initialization
 // if we don't have a defined entrypoint then use the first one in the list as the entrypoint
@@ -1964,7 +1966,7 @@ bool MachoView::InitializeHeader(MachOHeader& header, bool isMainHeader, uint64_
 DefineAutoSymbol(symbol);
 }
 }
- else if (!strncmp(moduleInitSection.sectname, "__init_offsets", 14))
+ else if ((moduleInitSection.flags & SECTION_TYPE) == S_INIT_FUNC_OFFSETS)
 {
 // The init_offsets section contains a list of 32-bit RVA offsets to functions called at initialization
 // if we don't have a defined entrypoint then use the first one in the list as the entrypoint
From 70b4a0dd56af17a6fa296d309f21903b18c743ce Mon Sep 17 00:00:00 2001
From: wanghaiwei
Date: Tue, 30 Dec 2025 08:56:18 +0800
Subject: [PATCH 2/2] Fix section type S_SYMBOL_STUBS identifing in mach-o view
---
 view/macho/machoview.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/view/macho/machoview.cpp b/view/macho/machoview.cpp
index 71e4ea0a6..3852556e7 100644
--- a/view/macho/machoview.cpp
+++ b/view/macho/machoview.cpp
@@ -449,7 +449,7 @@ MachOHeader MachoView::HeaderForAddress(BinaryView* data, uint64_t address, bool
 if ((sect.flags & SECTION_TYPE) == S_INIT_FUNC_OFFSETS || (sect.flags & SECTION_TYPE) == S_MOD_INIT_FUNC_POINTERS)
 header.moduleInitSections.push_back(sect);
- if ((sect.flags & (S_ATTR_SELF_MODIFYING_CODE | S_SYMBOL_STUBS)) == (S_ATTR_SELF_MODIFYING_CODE | S_SYMBOL_STUBS))
+ if (sect.flags & S_ATTR_SELF_MODIFYING_CODE == S_ATTR_SELF_MODIFYING_CODE && (sect.flags & SECTION_TYPE) == S_SYMBOL_STUBS)
 header.symbolStubSections.push_back(sect);
 if ((sect.flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS)
 header.symbolPointerSections.push_back(sect);
@@ -553,7 +553,7 @@ MachOHeader MachoView::HeaderForAddress(BinaryView* data, uint64_t address, bool
 if ((sect.flags & SECTION_TYPE) == S_INIT_FUNC_OFFSETS || (sect.flags & SECTION_TYPE) == S_MOD_INIT_FUNC_POINTERS)
 header.moduleInitSections.push_back(sect);
- if ((sect.flags & (S_ATTR_SELF_MODIFYING_CODE | S_SYMBOL_STUBS)) == (S_ATTR_SELF_MODIFYING_CODE | S_SYMBOL_STUBS))
+ if (sect.flags & S_ATTR_SELF_MODIFYING_CODE == S_ATTR_SELF_MODIFYING_CODE && (sect.flags & SECTION_TYPE) == S_SYMBOL_STUBS)
 header.symbolStubSections.push_back(sect);
 if ((sect.flags & SECTION_TYPE) == S_NON_LAZY_SYMBOL_POINTERS)
 header.symbolPointerSections.push_back(sect);
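Review bot: The rewritten stub check in this hunk, and the identical one in the second hunk at @@ -553, has an operator-precedence bug: `==` binds tighter than `&`, so `sect.flags & S_ATTR_SELF_MODIFYING_CODE == S_ATTR_SELF_MODIFYING_CODE` is parsed as `sect.flags & (true)`, i.e. it tests bit 0 of `flags`. Bit 0 belongs to the SECTION_TYPE byte and is clear whenever that byte is S_SYMBOL_STUBS (0x8), so the conjunction is always false and nothing is ever pushed to `symbolStubSections`; the patch silently disables stub classification instead of fixing it. The attribute test needs its own parentheses: `if ((sect.flags & S_ATTR_SELF_MODIFYING_CODE) && (sect.flags & SECTION_TYPE) == S_SYMBOL_STUBS)`. Compilers report this form under -Wparentheses, which is worth enabling for this file so the mistake cannot recur unnoticed. HeaderForAddress's body starts and ends outside the hunk.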