For a quick overview of the dscu functionality, see menu File>Load file>DYLD Shared Cache Utils.
Loading Modules ---------------
There are a few ways to manually load a module from the cache:
1) Use File>Load file>DYLD Shared Cache Utils>Load module... and choose which module to load
2) Right-click on an unmapped address in the disassembly, and select 'Load module <module name>'
3) Programatically:
n = idaapi.netnode() n.create("$ dscu") n.supset(2, "/usr/lib/libobjc.A.dylib") idaapi.load_and_run_plugin("dscu", 1)Loading Sections ----------------
dscu also allows you to load a subset of a given module.
Any section from any of the dyldcache's submodules can be loaded individually. This is especially useful when analyzing Objective-C code, since often times it is convenient to only load Objective-C info from a given module without loading all of its code.
For example, if you see a pointer to a selector string that has not been loaded:
ADRP X8, #0x1AECFF7F9@PAGE ADD X1, X8, #0x1AECFF7F9@PAGEOFF ; SEL MOV X0, X21 ; id BL _objc_msgSend_0Right-click on "0x1AECFF7F9" and dscu will provide you with two options:
Load UIKitCore:__objc_methname Load UIKitCoreThe UIKitCore module is huge, so perhaps you don't want to load the entire thing, but still want to clean up the disassembly. If you choose "Load UIKitCore:__objc_methname", dscu will load only these selector strings into the database:
ADRP X8, #sel_alloc@PAGE ; "alloc" ADD X1, X8, #sel_alloc@PAGEOFF ; SEL MOV X0, X21 ; id BL _objc_msgSend_0This operation is much faster, and still provides a lot of benefit to the analysis.
Sections can also be loaded via:
File>Load file>DYLD Shared Cache Utils>Load section...or programmatically with:
node = idaapi.netnode() node.create("$ dscu") node.altset(3, 0x1AECFF7F9) # address can be any address in the section idaapi.load_and_run_plugin("dscu", 2)See also Objective-C Analysis Plugin Debugger for macOS Remote iOS debugger