DYLD Shared Cache Utils

This plugin (nicknamed "dscu" for brevity) is essentially just an extension of the Mach-O loader. It allows you to manually load modules from a dyldcache that were not loaded when first opening the cache in IDA (the plugin is only activated after using the "single module" option for a dyldcache).

For a quick overview of the dscu functionality, see menu File>Load file>DYLD Shared Cache Utils.

Loading Modules

There are a few ways to manually load a module from the cache:

1) Use File>Load file>DYLD Shared Cache Utils>Load module... and choose which module to load

2) Right-click on an unmapped address in the disassembly, and select 'Load module <module name>'

3) Programatically:

  n = idaapi.netnode()
  n.create("$ dscu")
  n.supset(2, "/usr/lib/libobjc.A.dylib")
  idaapi.load_and_run_plugin("dscu", 1)

Loading Sections

dscu also allows you to load a subset of a given module.

Any section from any of the dyldcache's submodules can be loaded individually. This is especially useful when analyzing Objective-C code, since often times it is convenient to only load Objective-C info from a given module without loading all of its code.

For example, if you see a pointer to a selector string that has not been loaded:

  ADRP  X8, #0x1AECFF7F9@PAGE
  ADD   X1, X8, #0x1AECFF7F9@PAGEOFF ; SEL
  MOV   X0, X21 ; id
  BL    _objc_msgSend_0

Right-click on "0x1AECFF7F9" and dscu will provide you with two options:

The UIKitCore module is huge, so perhaps you don't want to load the entire thing, but still want to clean up the disassembly. If you choose "Load UIKitCore:__objc_methname", dscu will load only these selector strings into the database:

This operation is much faster, and still provides a lot of benefit to the analysis.

Sections can also be loaded via:

or programmatically with:

See also

• Objective-C Analysis Plugin

• Debugger for macOS

• Remote iOS debugger