This is an IDA plugin to extract Mach-O binaries located in IDA disassembly, either code or data segments. For now it only supports 32 or 64 isolated binaries and not fat binaries. It also expects a normal formatted binary, not something mangled as my crackme for example. I expect to add support for fat binaries soon.
Why did I created this plugin? Everyone is talking about the latest OS X malware, Crisis (or whatever other name everyone is using – AV scene is so lame that no one respects the first name given, blah!).
I started reversing the dropper binary for Crisis and found a Mach-O binary at the code section. So I decided to write a plugin to extract it.
To use it you need to locate the cursor at the Mach-O magic value (0xFEEDFACE or 0xFEEDFACF) and run the plugin. I might change this in a future release and ask for the start address.
The project is located at Github, https://github.com/gdbinit/ExtractMachO.
Any bugs, bla bla bla, leave a msg, email, or a bug report.
Hopefully some posts about Crisis soon.
Update: v1.0 now searches and extracts all valid Mach-O files it can find, fat and non-fat!