Parsing an already-loaded Mach-O binary in memory...

Sometimes the string table, symbol table, etc., are where they should be, and sometimes they're 0x1000 off.

For example, I might run my program and baseOffset + cmd->symoff is accurate. Then I'll unit test and baseOffset + cmd->symoff + 0x1000 is accurate. baseOffset is always valid and pointing to a valid Mach header.

xtravar

1 Answer

I figured it out by looking at the dyld source code... It's not guaranteed to be 0x1000 off; however, the link edit offset is: baseImageOffset + linkedit.vmaddr - linkedit.fileoff. Most of the time this difference is 0, but sometimes it is not.

This impacts LC_FUNCTION_STARTS (cmd->dataoff) and LC_SYMTAB (cmd->stroff and cmd->symoff).

xtravar
    Because you needed to include the slide. Call `_dyld_get_image_vmaddr_slide` with the right parameter (if self, `0`) and you'll get the offset to apply. For reference, it could be more than 0x1000. The reason is simple: `.bss` is expanded at runtime, and is usually between your header and your symtab / strtab. The exact amount is, I believe, the size of expanded `.bss` rounded up to a multiple of a page. – Geod24 Sep 10 '20 at 11:18
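Both the answer's formula and the comment's point about the slide, as an added worked example in C (not code from the question, the answer, or dyld): it declares the handful of Mach-O structures itself so it compiles off-macOS, builds a constructed dylib-shaped image whose __DATA segment has one page of zero-fill before __LINKEDIT, and resolves LC_SYMTAB through `slide + __LINKEDIT.vmaddr - __LINKEDIT.fileoff` next to the naive `header + symoff` the question started with. The slide is computed from `__TEXT.vmaddr` rather than taken from dyld so the sample runs stand-alone; in a real process you would pass the pointer returned by `_dyld_get_image_header(i)` and could cross-check the slide against `_dyld_get_image_vmaddr_slide(i)`. The names `find_command`, `linkedit_base`, `symbol_name`, `symbol_name_naive` and `build_image`, and the sample layout, are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal Mach-O definitions, same layout as <mach-o/loader.h>, so this also builds
 * off-macOS. The magic and load-command values are the real ones. */
#define MH_MAGIC_64   0xfeedfacfu
#define LC_SYMTAB     0x2u
#define LC_SEGMENT_64 0x19u
#define PAGE          0x1000u

struct mach_header_64     { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command       { uint32_t cmd, cmdsize; };
struct segment_command_64 { uint32_t cmd, cmdsize; char segname[16]; uint64_t vmaddr, vmsize, fileoff, filesize;
                            uint32_t maxprot, initprot, nsects, flags; };
struct symtab_command     { uint32_t cmd, cmdsize, symoff, nsyms, stroff, strsize; };
struct nlist_64           { uint32_t n_strx; uint8_t n_type, n_sect; uint16_t n_desc; uint64_t n_value; };

/* Find a load command by type (and, for LC_SEGMENT_64, by segment name). Every cmdsize is
 * checked against sizeofcmds so a corrupt header cannot walk the loop off the image. */
static const struct load_command *find_command(const uint8_t *image, uint32_t want, const char *segname) {
    const struct mach_header_64 *mh = (const struct mach_header_64 *)image;
    if (mh->magic != MH_MAGIC_64) return NULL;
    const uint8_t *p = image + sizeof *mh, *end = p + mh->sizeofcmds;
    for (uint32_t i = 0; i < mh->ncmds && (size_t)(end - p) >= sizeof(struct load_command); i++) {
        const struct load_command *lc = (const struct load_command *)p;
        if (lc->cmdsize < sizeof *lc || lc->cmdsize > (size_t)(end - p)) return NULL;
        if (lc->cmd == want && (want != LC_SEGMENT_64 ||
            strncmp(((const struct segment_command_64 *)lc)->segname, segname, 16) == 0)) return lc;
        p += lc->cmdsize;
    }
    return NULL;
}

/* dyld's rule: symoff/stroff/dataoff are FILE offsets, meaningful only relative to where
 * __LINKEDIT's bytes actually landed in memory:
 *     slide = header_address - __TEXT.vmaddr;  linkedit_base = slide + __LINKEDIT.vmaddr - __LINKEDIT.fileoff
 * If every segment has vmsize == filesize, linkedit_base == header and "header + symoff" happens
 * to work; a page of zero-fill (bss) between the header and __LINKEDIT breaks that coincidence. */
static const uint8_t *linkedit_base(const uint8_t *image) {
    const struct segment_command_64 *text = (const void *)find_command(image, LC_SEGMENT_64, "__TEXT");
    const struct segment_command_64 *le   = (const void *)find_command(image, LC_SEGMENT_64, "__LINKEDIT");
    if (!text || !le) return NULL;
    uintptr_t slide = (uintptr_t)image - (uintptr_t)text->vmaddr;
    return (const uint8_t *)(slide + (uintptr_t)le->vmaddr - (uintptr_t)le->fileoff);
}

/* Name of symbol i, resolved through linkedit_base (the correct way). */
static const char *symbol_name(const uint8_t *image, uint32_t i) {
    const struct symtab_command *st = (const void *)find_command(image, LC_SYMTAB, NULL);
    const uint8_t *base = linkedit_base(image);
    if (!st || !base || i >= st->nsyms) return NULL;
    const struct nlist_64 *syms = (const void *)(base + st->symoff);
    if (syms[i].n_strx >= st->strsize) return NULL;   /* string index must stay inside the strtab */
    return (const char *)(base + st->stroff + syms[i].n_strx);
}

/* The question's original approach, header + symoff. Kept only to show the failure. */
static const char *symbol_name_naive(const uint8_t *image, uint32_t i) {
    const struct symtab_command *st = (const void *)find_command(image, LC_SYMTAB, NULL);
    if (!st || i >= st->nsyms) return NULL;
    const struct nlist_64 *syms = (const void *)(image + st->symoff);
    return (const char *)(image + st->stroff + syms[i].n_strx);
}

static void put_segment(struct segment_command_64 *s, const char *name, uint64_t vmaddr, uint64_t vmsize,
                        uint64_t fileoff, uint64_t filesize) {
    memset(s, 0, sizeof *s); s->cmd = LC_SEGMENT_64; s->cmdsize = sizeof *s;
    memcpy(s->segname, name, strlen(name));
    s->vmaddr = vmaddr; s->vmsize = vmsize; s->fileoff = fileoff; s->filesize = filesize;
}

/* Constructed sample (not a real binary): a dylib-shaped image laid out as the loader maps it.
 *   file:   __TEXT 0x0000  __DATA 0x1000 (1 page)              __LINKEDIT 0x2000
 *   memory: __TEXT 0x0000  __DATA 0x1000 (2 pages, 1 zero-fill) __LINKEDIT 0x3000
 * so the symbol table at FILE offset 0x2000 sits at MEMORY offset 0x3000: "0x1000 off". */
static uint8_t *build_image(void) {
    uint8_t *img = calloc(1, 4 * PAGE);
    if (!img) return NULL;
    struct mach_header_64 *mh = (void *)img;
    mh->magic = MH_MAGIC_64; mh->ncmds = 4;
    mh->sizeofcmds = 3 * sizeof(struct segment_command_64) + sizeof(struct symtab_command);
    struct segment_command_64 *seg = (void *)(img + sizeof *mh);
    put_segment(&seg[0], "__TEXT",     0,        PAGE,     0,        PAGE);
    put_segment(&seg[1], "__DATA",     PAGE,     2 * PAGE, PAGE,     PAGE);   /* vmsize > filesize */
    put_segment(&seg[2], "__LINKEDIT", 3 * PAGE, PAGE,     2 * PAGE, PAGE);
    struct symtab_command *st = (void *)&seg[3];
    st->cmd = LC_SYMTAB; st->cmdsize = sizeof *st;
    st->symoff = 2 * PAGE; st->nsyms = 2;                                   /* file offsets */
    st->stroff = 2 * PAGE + 2 * sizeof(struct nlist_64); st->strsize = 15;
    /* __LINKEDIT bytes go where the loader put them: memory offset 0x3000, not 0x2000. */
    struct nlist_64 *syms = (void *)(img + 3 * PAGE);
    syms[0].n_strx = 1; syms[1].n_strx = 7;
    memcpy(img + 3 * PAGE + 2 * sizeof(struct nlist_64), "\0_main\0_helper", 15);
    return img;
}

int main(void) {
    uint8_t *img = build_image();
    if (!img) return 1;
    printf("linkedit_base = header + 0x%lx\n", (unsigned long)(linkedit_base(img) - img));
    for (uint32_t i = 0; i < 2; i++)
        printf("symbol %u: naive=\"%s\"  correct=\"%s\"\n", i, symbol_name_naive(img, i), symbol_name(img, i));
    free(img);
    return 0;
}
```

With the sample layout `linkedit_base` lands one page past the header, so the naive lookup reads the zero-filled tail of __DATA and returns empty strings while the corrected one returns `_main` and `_helper`. The same `linkedit_base` is what `LC_FUNCTION_STARTS` (`dataoff`), `LC_DYLD_INFO` and the other __LINKEDIT-resident commands need; treating any of their offsets as relative to the header is the bug the question describes.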