DYLD Shared Cache Utils
This plugin (nicknamed "dscu" for brevity) is essentially just an extension of the Mach-O loader. It allows you to manually load modules from a dyldcache that were not loaded when first opening the cache in IDA (the plugin is only activated after using the "single module" option for a dyldcache).
For a quick overview of the dscu functionality, see menu File>Load file>DYLD Shared Cache Utils.
Loading Modules
There are a few ways to manually load a module from the cache:
1) Use File>Load file>DYLD Shared Cache Utils>Load module... and choose which module to load
2) Right-click on an unmapped address in the disassembly, and select 'Load module <module name>'
3) Programatically:
Loading Sections
dscu also allows you to load a subset of a given module.
Any section from any of the dyldcache's submodules can be loaded individually. This is especially useful when analyzing Objective-C code, since often times it is convenient to only load Objective-C info from a given module without loading all of its code.
For example, if you see a pointer to a selector string that has not been loaded:
Right-click on "0x1AECFF7F9" and dscu will provide you with two options:
The UIKitCore module is huge, so perhaps you don't want to load the entire thing, but still want to clean up the disassembly. If you choose "Load UIKitCore:__objc_methname", dscu will load only these selector strings into the database:
This operation is much faster, and still provides a lot of benefit to the analysis.
Sections can also be loaded via:
or programmatically with:
See also
Last updated