In iOS, all system libraries are combined into a big cache file. This is the reason why you won’t find the binaries inside of /System/Library/Frameworks or /System/Library/PrivateFrameworks.
We’ve created a script that helps reverse engineer a specific library from the [dyld shared cache] with ease. This enables a quick understanding of the referenced addresses.
The Problem
When using IDA/decache/jtool to extract a single library to disassemble it in IDA, it will be a matter of time until you run into addresses marked in red and in bold along the assembly lines, which means that those memory regions were not found in the database.
Therefore, instead of using the familiar method of importing and exporting functions, out of and into the libraries, the code just jumps right into the implementation in the destination library, relatively in the shared_cache container. It is much harder to follow the code once extracted because of all the anonymous function calls and the missing string references.
The Solution
To solve this problem, the script we created does the following:
1. Maps the dyld_shared_cache_branch_islands – memory regions that reside in the shared cache and are used as branch trampolines.
2. Patches those trampolines so that the code will return and make the code flow intuitive without mapping the destination branch code to the database (making it more compact).
3. Scans the database for the following patterns: B 0x…, BL 0x…, DCD 0x…, DCQ 0x… to find more addresses which are not found in memory.
Notes
1. The script will pop up a File Open dialog which requires to put in its original dyld_shared_cache_arm64.
2. This was tested on a dyld_shared_cache_arm64 from iPhone6 v10.0.1 and iPhoneSE v9.3.3.
Our Example
Before:
After:
The source code can be found in our GitHub.
Deep Instinct protects all major operating systems, including iOS, providing unmatched detection against zero-day malware and APT attacks.
