
🩻 Anatomy Of Executables

Apple Mach-O

Binary info

otool

Using otool we can get general info about the Mach-O file:

otool -h [app_name]

Mach header
      magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777228          0  0x00           2   115      11384 0x00218085

Quick reference on the meaning of the magic value:

  • 32-bit (ARMv6, ARMv7) – 0xFEEDFACE
  • 64-bit – 0xFEEDFACF
  • Universal binaries – 0xCAFEBABE
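As an added example (not code from the original page), the following Python reads the same header fields that otool -h prints and distinguishes the three magic values listed above. It parses hand-built header bytes constructed inline (the 64-bit sample mirrors the otool output shown, the 32-bit and fat samples are made up for illustration), so it runs without a real binary; byte-swapped magics (big-endian thin Mach-O) are not handled, and truncated input is rejected rather than unpacked.

```python
import struct

# Magic values quoted on the page, as they appear in the first four bytes of a file.
MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O (thin), little-endian on disk
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O (thin)
FAT_MAGIC = 0xCAFEBABE     # universal (fat) binary; its header is always big-endian

# filetype values from <mach-o/loader.h>; 2 is the value in the otool output above.
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}


def parse_mach_header(data: bytes) -> dict:
    """Parse a Mach-O or fat header and return otool-style fields as a dict."""
    if len(data) < 4:
        raise ValueError("too short for a magic number")
    le_magic = struct.unpack_from("<I", data, 0)[0]
    be_magic = struct.unpack_from(">I", data, 0)[0]

    if be_magic == FAT_MAGIC:
        if len(data) < 8:
            raise ValueError("fat header truncated")
        nfat = struct.unpack_from(">I", data, 4)[0]
        archs = []
        for i in range(nfat):
            off = 8 + i * 20  # each fat_arch entry is 20 bytes
            if off + 20 > len(data):
                raise ValueError("fat_arch table truncated")
            cputype, cpusubtype, offset, size, align = struct.unpack_from(">iiIII", data, off)
            archs.append({"cputype": cputype, "cpusubtype": cpusubtype,
                          "offset": offset, "size": size, "align": align})
        return {"magic": FAT_MAGIC, "kind": "universal", "nfat_arch": nfat, "archs": archs}

    if le_magic == MH_MAGIC_64:
        fmt, kind = "<IiiIIIII", "64-bit"   # mach_header_64 has a trailing reserved field
    elif le_magic == MH_MAGIC:
        fmt, kind = "<IiiIIII", "32-bit"    # mach_header
    else:
        raise ValueError(f"not a Mach-O magic: 0x{le_magic:08x}")

    need = struct.calcsize(fmt)
    if len(data) < need:
        raise ValueError(f"header truncated: need {need} bytes, have {len(data)}")
    magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from(fmt, data, 0)[:7]
    return {
        "magic": magic,
        "kind": kind,
        "cputype": cputype,
        # otool shows the low 24 bits as cpusubtype and the top byte as "caps" (CPU_SUBTYPE_MASK).
        "cpusubtype": cpusubtype & 0x00FFFFFF,
        "caps": (cpusubtype >> 24) & 0xFF,
        "filetype": filetype,
        "filetype_name": FILETYPES.get(filetype, "unknown"),
        "ncmds": ncmds,
        "sizeofcmds": sizeofcmds,
        "flags": flags,
    }


# Constructed sample headers (not taken from real files).
# 64-bit: the values from the otool -h output above (cputype 16777228 == 0x0100000c, arm64).
SAMPLE_HEADER_64 = struct.pack("<IiiIIIII", 0xFEEDFACF, 16777228, 0, 2, 115, 11384, 0x00218085, 0)
# 32-bit: cputype 12 (ARM), cpusubtype 9 (ARMV7), an executable with 20 load commands.
SAMPLE_HEADER_32 = struct.pack("<IiiIIII", 0xFEEDFACE, 12, 9, 2, 20, 1000, 0x85)
# Universal: an x86_64 slice followed by an arm64 slice.
SAMPLE_FAT = (struct.pack(">II", 0xCAFEBABE, 2)
              + struct.pack(">iiIII", 0x01000007, 3, 0x4000, 0x10000, 14)
              + struct.pack(">iiIII", 0x0100000C, 0, 0x20000, 0x12000, 14))

if __name__ == "__main__":
    for sample in (SAMPLE_HEADER_64, SAMPLE_HEADER_32, SAMPLE_FAT):
        print(parse_mach_header(sample))
```

To use it on a real file, pass the first few hundred bytes (for example `parse_mach_header(open(path, "rb").read(4096))`); the fat branch lists each slice's cputype and offset, which is where you would seek to parse the thin header of the architecture you care about.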


nm

nm WindTail/Final_Presentation.app/Contents/MacOS/usrnode - lists the symbols, and so the APIs the binary uses, for example SMLoginItemSetEnabled. Source: Wardle, Patrick. The Art of Mac Malware (p. 25). No Starch Press. Kindle Edition.

Reversing iOS

Delphi

This one is particularly tiresome to reverse. Some advice:

  • Set the calling convention to fastcall if it has not been set properly (IDA Pro does not set it automatically; not sure about radare2).
  • Delphi programs use a lot of structures.

References


Go Malware

Compiled Go binaries are huge in size.

References


ELF Files

This is about … .

Windows PE

🤖 Reverse Engineering Android Applications

In this article I’m assembling information about debugging applications on Android, then all known anti-debugging techniques and how they can be circumvented (a little spoiler here - almost always in one way 😀). The question I am trying to find an answer to is whether there is a silver bullet 🔫 for anti-debugging or not.

Some symbol definitions:

⚠️ An important note from the forensics perspective.

How to circumvent this anti-debugging technique?