DYLD Shared Cache Utils

This plugin (nicknamed "dscu" for brevity) is essentially just an extension of the Mach-O loader. It allows you to manually load modules from a dyldcache that were not loaded when first opening the cache in IDA (the plugin is only activated after using the "single module" option for a dyldcache).

For a quick overview of the dscu functionality, see menu File>Load file>DYLD Shared Cache Utils.

Loading Modules

There are a few ways to manually load a module from the cache:

1) Use File>Load file>DYLD Shared Cache Utils>Load module... and choose which module to load

2) Right-click on an unmapped address in the disassembly, and select 'Load module <module name>'

3) Programatically:

  n = idaapi.netnode()
  n.create("$ dscu")
  n.supset(2, "/usr/lib/libobjc.A.dylib")
  idaapi.load_and_run_plugin("dscu", 1)

Loading Sections

dscu also allows you to load a subset of a given module.

Any section from any of the dyldcache's submodules can be loaded individually. This is especially useful when analyzing Objective-C code, since often times it is convenient to only load Objective-C info from a given module without loading all of its code.

For example, if you see a pointer to a selector string that has not been loaded:

  ADRP  X8, #0x1AECFF7F9@PAGE
  ADD   X1, X8, #0x1AECFF7F9@PAGEOFF ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0

Right-click on "0x1AECFF7F9" and dscu will provide you with two options:

  Load UIKitCore:__objc_methname
  Load UIKitCore

The UIKitCore module is huge, so perhaps you don't want to load the entire thing, but still want to clean up the disassembly. If you choose "Load UIKitCore:__objc_methname", dscu will load only these selector strings into the database:

  ADRP  X8, #sel_alloc@PAGE ; "alloc"
  ADD   X1, X8, #sel_alloc@PAGEOFF ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0

This operation is much faster, and still provides a lot of benefit to the analysis.

Sections can also be loaded via:

  File>Load file>DYLD Shared Cache Utils>Load section...

or programmatically with:

  node = idaapi.netnode()
  node.create("$ dscu")
  node.altset(3, 0x1AECFF7F9) # address can be any address in the section
  idaapi.load_and_run_plugin("dscu", 2)

See also

Last updated

Was this helpful?