Display Mach-O headers plugin for IDA

This is a simple plugin to display Mach-O headers inside IDA, something I miss from time to time. It was a good excuse to mess around a little with the IDA SDK.
It’s not quite what I initially had in mind, but it does the job. I was thinking about something more sophisticated, such as displaying only the segments you want, and so on. Now I am not sure it’s worth the effort 🙂

Tested with IDA 6.x on OS X and Windows, 32- and 64-bit. Included are a Makefile and an Xcode project for OS X, and Dev-C++ projects for 32- and 64-bit Windows.

Have a look at the README file for extra information. Too tired and too late to write a long post 🙂

Yeah, the code isn’t beautiful! Anyway, I hope it’s useful to you.

Have fun,

SHA256(MachOPlugin_v0.2.zip)= aea01470a92a94a67ae29e6eba659b195829e599165265f8dd0fdc80333bc5a7

SHA256(MachOPlugin_v0.3.zip)= 73ea3471856027d7882b3b89986209f633bd19bc8b2159da7346a3e89c34fa4d

Also available on GitHub.

v0.3 fixes some bugs and missing pieces and implements a workaround for an IDA crash.

I seem to have found a few bugs in IDA’s Qt GUI implementation.
The most annoying one is that the plugin will crash IDA if invoked more than once in the same session. What happens is that IDA happily keeps opening new custom views even though there is code trying to prevent it.
The create_tform() function from the SDK should return the handle of the existing form if there is already a form with the same caption. This works with the old GUI but fails with the new (Qt) one. The same happens with find_tform(): it should return NULL when no form with that caption exists, but it never does.
I implemented a small workaround, which is to append a number to the form caption. This way each call to the plugin generates a new custom view with a unique caption and does not crash IDA. Not pretty, but the other workarounds I tried failed since I cannot reliably find out whether a form already exists or not.
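The caption-counter workaround described above, as an added example that is not the plugin’s own code: a per-session counter is baked into every caption handed to create_tform(), so the plugin never has to trust find_tform()/create_tform() to report whether a view with that caption is already open. The caption format ("Mach-O headers #n"), the helper names and the issued-caption bookkeeping are assumptions made for this example; the IDA SDK call is shown only as a comment so the block builds stand-alone.

```cpp
#include <cstdio>
#include <set>
#include <string>

// Hypothetical helpers illustrating the workaround; not the plugin's code.
static unsigned g_invocations = 0;          // times the plugin ran this session
static std::set<std::string> g_captions;    // captions issued so far

// Build "<base> #<n>" for the n-th invocation and record it.
// The counter alone guarantees uniqueness; recording captions makes a
// regression (e.g. the counter being reset) visible immediately.
std::string next_view_caption(const std::string &base)
{
    ++g_invocations;
    char buf[128];
    std::snprintf(buf, sizeof buf, "%s #%u", base.c_str(), g_invocations);
    std::string caption(buf);
    bool fresh = g_captions.insert(caption).second;
    if (!fresh)
        std::fprintf(stderr, "caption reused: %s\n", caption.c_str());
    return caption;
}

// True if 'caption' was already used to open a view in this session.
bool caption_already_used(const std::string &caption)
{
    return g_captions.count(caption) != 0;
}

// Skeleton of the plugin's run() callback: the unique caption is what gets
// passed to the IDA SDK. The SDK call itself is IDA-specific and left as a
// comment here; everything else runs as-is.
std::string open_headers_view()
{
    std::string caption = next_view_caption("Mach-O headers");
    // HWND hwnd = NULL;
    // TForm *form = create_tform(caption.c_str(), &hwnd);   // IDA SDK 6.x
    // ... fill the custom view with the parsed Mach-O headers ...
    return caption;
}
```

Because every invocation produces a caption that has never existed in the session, the second call can no longer collide with the first view regardless of what the Qt lookup functions return; the cost is that old views are left open for the user to close.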

The other bugs are described in the README file. If you know a better workaround for this one please tell me 🙂

8 thoughts on “Display Mach-O headers plugin for IDA”

  1. The biggest problem I have with IDA is that little tricks that work with GDB (for example anti-anti-debug), I have no idea how to do in IDA. I definitely like the concept of how IDA works, although since GDB is all that I really know, there is definitely a learning curve. I would love to be able to utilize it in the manner that it’s capable of, I just don’t know where to start.

    1. I do not use IDA as a debugger since I got used to gdb and am pretty happy with it. To beat the anti-debug in IDA you just need to patch it. As far as I remember you can patch inside the IDA database and the debugger will be able to recognize those changes. The only problem is code checksums, but those are still rare in the OS X world. It’s an extra step that might be worth it if you want to and are happy with the IDA debugger.
      For example, just patch the ptrace calls to beat the classic PT_DENY_ATTACH.

  2. Thanks for the reply. I’m a bit confused about where to patch the calls, is that something I do in IDA?

    I’m definitely with you on using gdb for mostly everything; after all, much of what I’ve learned is from you. Hopefully one of these days I’ll get some time to actually figure out how to use the IDA beast.

  3. heh. I think it’s time for me to get a book on IDA, since I’m quite lost. (I still haven’t figured out how to patch the gdb that I built from source, so I’m using yours until I get the know-how).

    Are any of your compiled Darwin builds x86_64 w/ patches in your GitHub repo? Just wondering. — I have the 1705 you’ve posted here, although I didn’t know if it’s the latest *until I can patch mine*.

    Thank you again for all of your helpful tips — I truly appreciate it. 😉

    1. Get Chris Eagle’s book on IDA and also Amit Singh’s Mac OS X Internals. They are awesome references!
      http://reverse.put.as/2009/01/14/how-to-compile-gdb-and-other-apple-open-source-packages-in-mac-os-x/ has all the steps you need to compile gdb yourself.
      Patching is a matter of using the -nosource trick, or downloading the package, unpacking and patching it, packing it again, and replacing it in the darwinbuild download dir. I prefer -nosource since it’s faster.

      1705 is the latest one, which is Lion compatible (due to full ASLR implementation).

  4. It’s surprising there’s no tutorial or concise updated docs relating to gdb — you’re really the only person offering any kind of solid knowledge on its workings. Thank you! The additional tips are very helpful 🙂

  5. I found your plugin very useful, but I can’t understand how to compile it for 64-bit.

    Where in the Xcode project do I have to define the __EA64__ variable?

    I tried putting it in Preprocessing / Preprocessor Macros next to __MAC__; the build is successful but the plugin doesn’t show up in the IDA plugin menu. I have renamed the extension to pmc64. I didn’t change anything else in the project, but I don’t know if I have to link with lida64.

    Many thanks for your work
