A lot of CLI programs have documented syntax for flags and options, typically available in a man page or using a -h or --help flag. But there are often very useful, very powerful options that are intentionally undocumented, but I find it very difficult and time consuming to look for these.
Note that for my initial purposes here, I'm specifically looking for ways of doing this on Darwin (i/mac[h][ ]OS [X], or whatever its called these days...), and I'll accept an answer specific to this platform. But truly ideal would be something that would work across platforms and architectures.
So I'm wondering if there are any tools or easily automated means of finding a program's hidden flags amongst the myriad of development, debugging, and system tools I have (but with which I'm unfamiliar), or at least if there are specific pattern(s) within a binary executable that one can lean on in order to automate the process of "grepping through" a binary to find likely candidates.
I know there are ±10 billion options-parsing functions, libraries and techniques, for approximately the same number of languages and platforms; getopt and getopt_long come to mind, along with many others, usually called something involving a combination of one or more of the terms opt[s] or arg[s] and get or parse. So again, to limit the scope of my question here, what I'm specifically looking for today are hidden options for utilities found on Apple products, so if it helps (to limit the scope of acceptable answers) for my purposes lets assume the target program(s):
- Were written in the [Objective-]C[++] language family (bonus points for Swift too though!).
- Are probably codesigned, and may or may not have been stripped of debugging info.
- Are not intentionally obfuscated.
- We have at least
r-xaccess to the program, so we can make a copy which can be modified. - Therefore, we can strip or remove signatures ourselves, et cetera; however, we may not be able to execute these modified versions of binaries due to codesigning limitations. This is a soft requirement since we could disable signing requirements, but ideally not.
- Likewise, for the same reason we may not be able to execute arbitrary code/unsigned applications from elsewhere, the best answers I'm looking for don't involve a lot of extra software. At a minimum, please don't just tell me to go buy a copy of IDA Pro.
- We may, but probably do not, have access to the source code (duh).
My current process for doing this typically involves:
- Making a copying the executable.
- Removing extraneous stuff like code signatures, and I usually will
stripit too. - Greping around the context of a known option, manually hunting and trying likely candidates.
That is, I've found some useful options like xip -x and pkgutil --expand-full with something like:
cp -H $(⁅which¦xcrun -f⁆ ⁅xip¦pkgutil⁆) /tmp/⁅xip¦pkgutil⁆
codesign --remove-signature /tmp/⁅xip¦pkgutil⁆
strip /tmp/⁅xip¦pkgutil⁆
strings ⁅-a -⁆ /tmp/⁅xip¦pkgutil⁆ | grep -C10 ⁅sign¦expand⁆
(Fancy Unicode indicating variations, obviously.)
But thus far I've found that there's little rhyme or reason to where exactly these are found; its all trial and error after that. Also, its significantly more challenging with stuff that is C++ based (like LLVM-based tools, some of which have a -print-all-options option, but some of which do not).
What I'd really love to find a way to make a full list of all options to all Apple's system utilities, etc. Or at least something close to that. Possible?
