DYLD Shared Cache Utils

This plugin (nicknamed "dscu" for brevity) is essentially just an extension of the Mach-O loader, and allows you to manually load modules from the dyldcache that were not initially loaded by Mach-O.

There are three ways to manually load a module:

  1. Use File>Load file>Load another module... and choose which module to load
  2. Right-click on an unmapped address in the disassembly, and select 'Load module <module name>'
  3. Programatically:
     n = idaapi.netnode()
     n.create("$ dscu")
     n.supset(2, "/usr/lib/libobjc.A.dylib")
     idaapi.load_and_run_plugin("dscu", 1)
Note that the plugin is only available when using the "single module" option at load time.

Branch Islands:

Some sections of the cache contain only branch instructions, and are a special case because they do not belong to any module.

dscu allows you to load these sections as well. For example, if you see a reference to a branch island:

  BL 0x197CA3DFC
Right-click on the address and select "Load dyld_branch_island:__stubs".

The cache will likely have many separate branch islands, so you may need to repeat this step several times until you find the final branch target in one of the modules.

Loading a branch island can also be done programmatically:

  node = idaapi.netnode()
  node.create("$ dscu")
  node.altset(3, 0x197CA3DFC) # address can be any address within the branch island
  idaapi.load_and_run_plugin("dscu", 2)

Sections that contain only selector strings are also a special case. Often times it is useful to only load the selectors from a given module, without loading all of the code.

For example, if you see a reference to a selector:

  ADRP  X8, #[email protected]
  ADD   X1, X8, #[email protected] ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0
Right-click on "0x1AECFF7F9" and dscu will provide you with two options:
  Load UIKitCore:__objc_methname
  Load UIKitCore
The UIKitCore module is huge, so perhaps you don't want to load the entire thing, but still want to clean up the disassembly. If you choose "Load UIKitCore:__objc_methname", dscu will load only these selector strings into the database:
  ADRP  X8, #[email protected] ; "alloc"
  ADD   X1, X8, #[email protected] ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0
This operation is much faster, and still provides a lot of benefit to the analysis. It can be done programmatically as well:
  node = idaapi.netnode()
  node.create("$ dscu")
  node.altset(3, 0x1AECFF7F9) # address can be any address in the __objc_methname section
  idaapi.load_and_run_plugin("dscu", 2)

See also Objective-C Analysis Plugin Debugger for Intel Mac OS X Remote iOS debugger
Index | Previous topic | Next topic