Latest available version: IDA and decompilers v8.2.230124sp1 see all releases
Hex-Rays logo State-of-the-art binary code analysis tools
email icon
This plugin (nicknamed "dscu" for brevity) is essentially just an extension of the Mach-O loader. It allows you to manually load modules from a dyldcache that were not loaded when first opening the cache in IDA (the plugin is only activated after using the "single module" option for a dyldcache).

For a quick overview of the dscu functionality, see menu File>Load file>DYLD Shared Cache Utils.

Loading Modules ---------------

There are a few ways to manually load a module from the cache:

1) Use File>Load file>DYLD Shared Cache Utils>Load module... and choose which module to load

2) Right-click on an unmapped address in the disassembly, and select 'Load module <module name>'

3) Programatically:

  n = idaapi.netnode()
  n.create("$ dscu")
  n.supset(2, "/usr/lib/libobjc.A.dylib")
  idaapi.load_and_run_plugin("dscu", 1)

Loading Sections ----------------

dscu also allows you to load a subset of a given module.

Any section from any of the dyldcache's submodules can be loaded individually. This is especially useful when analyzing Objective-C code, since often times it is convenient to only load Objective-C info from a given module without loading all of its code.

For example, if you see a pointer to a selector string that has not been loaded:

  ADRP  X8, #0x1AECFF7F9@PAGE
  ADD   X1, X8, #0x1AECFF7F9@PAGEOFF ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0
Right-click on "0x1AECFF7F9" and dscu will provide you with two options:
  Load UIKitCore:__objc_methname
  Load UIKitCore
The UIKitCore module is huge, so perhaps you don't want to load the entire thing, but still want to clean up the disassembly. If you choose "Load UIKitCore:__objc_methname", dscu will load only these selector strings into the database:
  ADRP  X8, #sel_alloc@PAGE ; "alloc"
  ADD   X1, X8, #sel_alloc@PAGEOFF ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0
This operation is much faster, and still provides a lot of benefit to the analysis.

Sections can also be loaded via:

  File>Load file>DYLD Shared Cache Utils>Load section...
or programmatically with:
  node = idaapi.netnode()
  node.create("$ dscu")
  node.altset(3, 0x1AECFF7F9) # address can be any address in the section
  idaapi.load_and_run_plugin("dscu", 2)

See also Objective-C Analysis Plugin Debugger for macOS Remote iOS debugger
Index | Previous topic | Next topic