ExtractMachO: an IDA plugin to extract Mach-O binaries from disassembly

This is an IDA plugin to extract Mach-O binaries found in the IDA disassembly, in either code or data segments. For now it only supports 32- or 64-bit standalone (thin) binaries, not fat binaries. It also expects a normally formatted binary, not something mangled like my crackme, for example. I expect to add support for fat binaries soon.

Why did I create this plugin? Everyone is talking about the latest OS X malware, Crisis (or whatever other name everyone is using – the AV scene is so lame that no one respects the first name given, blah!).

I started reversing the dropper binary for Crisis and found a Mach-O binary in the code section. So I decided to write a plugin to extract it :-).

To use it, place the cursor on the Mach-O magic value (0xFEEDFACE or 0xFEEDFACF) and run the plugin. I might change this in a future release and ask for the start address instead.

The project is hosted on GitHub: https://github.com/gdbinit/ExtractMachO.

Any bugs, bla bla bla: leave a msg, send an email, or file a bug report 🙂

Hopefully some posts about Crisis soon.

Enjoy,
fG!

Update:
v1.0 now searches and extracts all valid Mach-O files it can find, fat and non-fat!
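The search-and-carve behaviour the v1.0 update describes, as an added Python example that is not ExtractMachO's own code: it walks a buffer looking for the 0xFEEDFACE/0xFEEDFACF (thin) and 0xCAFEBABE (fat) magic values, then uses the segment load commands (or the fat_arch table) to work out each image's on-disk extent so it can be sliced out. How the extent is computed is my choice, not necessarily the plugin's; the sample buffer and the minimal Mach-O images inside it are constructed here, and big-endian (byte-swapped magic) images are deliberately not handled.

```python
"""Find and carve embedded Mach-O images (thin and fat) out of a byte buffer."""
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin images, little-endian on disk
FAT_MAGIC = 0xCAFEBABE                            # fat header fields are big-endian
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19


def thin_size(buf, off):
    """On-disk size of the thin Mach-O at buf[off:], or None if it does not parse.
    Extent = furthest fileoff + filesize over all segment commands (at least
    header + load commands).  Big-endian MH_CIGAM images are out of scope."""
    if off + 28 > len(buf):
        return None
    magic = struct.unpack_from("<I", buf, off)[0]
    if magic == MH_MAGIC:
        hdr_len, is64 = 28, False
    elif magic == MH_MAGIC_64:
        hdr_len, is64 = 32, True
    else:
        return None
    ncmds, sizeofcmds = struct.unpack_from("<II", buf, off + 16)
    end, pos = hdr_len + sizeofcmds, off + hdr_len
    for _ in range(ncmds):
        if pos + 8 > len(buf):
            return None
        cmd, cmdsize = struct.unpack_from("<II", buf, pos)
        if cmdsize < 8 or pos + cmdsize > len(buf):
            return None                          # truncated or corrupt load command
        if cmd == LC_SEGMENT and not is64 and cmdsize >= 56:
            fileoff, filesize = struct.unpack_from("<II", buf, pos + 32)
            end = max(end, fileoff + filesize)
        elif cmd == LC_SEGMENT_64 and is64 and cmdsize >= 72:
            fileoff, filesize = struct.unpack_from("<QQ", buf, pos + 40)
            end = max(end, fileoff + filesize)
        pos += cmdsize
    return end if end <= len(buf) - off else None


def fat_size(buf, off):
    """On-disk size of the fat container at buf[off:], or None.  Java class files share
    the 0xCAFEBABE magic, so the arch count is capped and every slice must parse as thin."""
    if off + 8 > len(buf):
        return None
    magic, nfat = struct.unpack_from(">II", buf, off)
    if magic != FAT_MAGIC or not 0 < nfat <= 32:
        return None
    end = 8 + 20 * nfat
    for i in range(nfat):
        pos = off + 8 + 20 * i
        if pos + 20 > len(buf):
            return None
        _, _, aoff, asize, _ = struct.unpack_from(">iiIII", buf, pos)
        if aoff + asize > len(buf) - off or thin_size(buf, off + aoff) is None:
            return None
        end = max(end, aoff + asize)
    return end


def find_macho(buf):
    """Return [(offset, size, kind)] for every Mach-O image in buf, scanning byte by
    byte.  Thin slices inside a fat file are skipped rather than reported twice."""
    hits, i = [], 0
    while i + 4 <= len(buf):
        size = kind = None
        if struct.unpack_from("<I", buf, i)[0] in (MH_MAGIC, MH_MAGIC_64):
            size, kind = thin_size(buf, i), "thin"
        elif buf[i:i + 4] == b"\xca\xfe\xba\xbe":
            size, kind = fat_size(buf, i), "fat"
        if size:
            hits.append((i, size, kind))
            i += size
        else:
            i += 1
    return hits


def carve(buf):
    """Slice each found image out of buf as (offset, kind, bytes)."""
    return [(off, kind, buf[off:off + size]) for off, size, kind in find_macho(buf)]


# --- constructed sample data (not taken from any real binary) -------------------

def build_thin(is64, payload):
    """Minimal thin Mach-O: header plus one __TEXT segment spanning the whole file."""
    if is64:
        hdr_len, cmd_len = 32, 72
        total = hdr_len + cmd_len + len(payload)
        hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 1, cmd_len, 0, 0)  # arm64, MH_EXECUTE
        seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, cmd_len, b"__TEXT", 0x100000000, total, 0, total, 7, 5, 0, 0)
    else:
        hdr_len, cmd_len = 28, 56
        total = hdr_len + cmd_len + len(payload)
        hdr = struct.pack("<IiiIIII", MH_MAGIC, 7, 3, 2, 1, cmd_len, 0)  # i386, MH_EXECUTE
        seg = struct.pack("<II16sIIIIiiII", LC_SEGMENT, cmd_len, b"__TEXT", 0x1000, total, 0, total, 7, 5, 0, 0)
    return hdr + seg + payload


def build_fat(slices, align=4096):
    """Fat container wrapping the given thin images, each slice aligned like real fat files."""
    hdr_len, body, archs = 8 + 20 * len(slices), b"", []
    for s in slices:
        body += b"\0" * ((-(hdr_len + len(body))) % align)
        cputype = struct.unpack_from("<i", s, 4)[0]
        archs.append(struct.pack(">iiIII", cputype, 0, hdr_len + len(body), len(s), 12))
        body += s
    return struct.pack(">II", FAT_MAGIC, len(slices)) + b"".join(archs) + body


def sample_buffer():
    """A 'disassembly' blob: junk, a 64-bit image, more junk, a fat file holding a 32-bit image."""
    junk = b"\x00\x01\x02\x03" + b"\xfe\xed\xfa\xce"    # second word is byte-swapped magic: must not match
    thin64 = build_thin(True, b"\xc3" * 100)            # 32 + 72 + 100 = 204 bytes
    fat = build_fat([build_thin(False, b"\x90" * 64)])  # 28 + 4068 pad + 148 = 4244 bytes
    return junk + b"A" * 37 + thin64 + b"B" * 11 + fat + b"C" * 5


if __name__ == "__main__":
    for off, kind, image in carve(sample_buffer()):
        print(f"{kind} Mach-O at offset {off:#x}, {len(image)} bytes")
```

A real disassembly can contain the magic value as an immediate operand or inside a string table, so a hit is only accepted once the header and load commands parse and stay inside the buffer; that same check is what stops a Java class file (same 0xCAFEBABE magic) from being carved as a fat Mach-O.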

One thought on “ExtractMachO: an IDA plugin to extract Mach-O binaries from disassembly”

  1. AV scene is so lame that… no one respects those who began to shout about a threat without any investigation, those who wish to be first, those who are only able to draw a beautiful infographic for kids.
