To understand iOS behaviors, it is sometimes necessary to disassemble iOS framework binaries. Since recent iOS firmware, distributed as an `.ipsw` file, contains a non-encrypted root image, it is easy to get at these binaries. However, each framework's binary (a dylib file) is not stored on its own: it is placed in a shared cache file, so before disassembling it we need to extract it from that cache. Apple provides the `dsc_extractor` command line tool in its `dyld` open source project.
- Download `CommonCrypto` and `dyld` from Apple Open Source.
- Unpack both source archives into one flat directory.
- Prepare the CommonCrypto headers, including the private ones, in the layout the build expects:

  ```sh
  $ mkdir -p include/CommonCrypto
  $ cd include/CommonCrypto
  $ ln -s ../../CommonCrypto-*/include/*.h .
  $ ln -s ../../CommonCrypto-*/include/Private/*.h .
  ```
- Move to `dyld-*/launch-cache`.
- Patch `dsc_extractor.cpp` so that it has a `main`:

  ```diff
  --- dsc_extractor.cpp.orig	2019-05-23 12:13:22.000000000 -0700
  +++ dsc_extractor.cpp	2019-05-23 12:13:36.000000000 -0700
  @@ -908,7 +908,7 @@
   }
   
  -#if 0
  +#if 1
   // test program
   #include <stdio.h>
   #include <stddef.h>
  ```
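Review bot: the only change is flipping `#if 0` to `#if 1`, which compiles the section the source itself marks `// test program`, so the `main` this build gets is Apple's test harness rather than a supported command line entry point; its argument parsing and error reporting are whatever that block provides, so the post should state explicitly that the tool takes the cache path followed by the output directory, as the final command on the page shows, and that anything it prints beyond that is the harness's own output.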
- Run `clang++` to build:

  ```sh
  $ clang++ -std=c++17 -I../dyld3 -I../dyld3/shared-cache -I../../include -o dsc_extractor dsc_extractor.cpp dsc_iterator.cpp
  ```
Unzip the `.ipsw` file and, in its root image, locate `/System/Library/Caches/com.apple.dyld/dyld_shared_cache_arm64`.
Then run `dsc_extractor` on it to extract the dylib files from the cache into the current directory:

```sh
$ dsc_extractor <path/to/dyld_shared_cache_arm64> ./
```
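Before handing a file to `dsc_extractor` it helps to confirm that it really is a dyld shared cache and to see which install paths it records. The Python script below is an added example, not code from this post or from Apple's dyld project: it parses only the leading fields of `dyld_cache_header` and the `dyld_cache_image_info` table as declared in dyld's `launch-cache/dyld_cache_format.h`, and `build_sample_cache()` is a constructed two-image stand-in used in place of a real cache so the script runs offline.

```python
import mmap
import struct
import sys

# Leading fields of dyld_cache_header and the dyld_cache_image_info layout, as declared in
# dyld's launch-cache/dyld_cache_format.h. Later header fields are not needed for a listing.
HEADER_FMT = "<16sIIII"       # magic, mappingOffset, mappingCount, imagesOffset, imagesCount
IMAGE_INFO_FMT = "<QQQII"     # address, modTime, inode, pathFileOffset, pad
HEADER_SIZE = struct.calcsize(HEADER_FMT)          # 32 bytes
IMAGE_INFO_SIZE = struct.calcsize(IMAGE_INFO_FMT)  # 32 bytes

def is_dyld_cache(data) -> bool:
    """Cheap sanity check before running dsc_extractor: a dyld_v1 magic is present."""
    return len(data) >= HEADER_SIZE and bytes(data[:7]) == b"dyld_v1"

def list_cache_images(data) -> list:
    """Return (load address, install path) for every image the cache header records."""
    if not is_dyld_cache(data):
        raise ValueError("not a dyld_v1 shared cache")
    _magic, _map_off, _map_count, images_off, images_count = struct.unpack_from(HEADER_FMT, data, 0)
    images = []
    for i in range(images_count):
        entry = images_off + i * IMAGE_INFO_SIZE
        address, _mtime, _inode, path_off, _pad = struct.unpack_from(IMAGE_INFO_FMT, data, entry)
        end = data.find(b"\0", path_off)             # install paths are NUL-terminated C strings
        if end < 0:
            raise ValueError("unterminated path for image %d" % i)
        images.append((address, bytes(data[path_off:end]).decode("utf-8")))
    return images

def build_sample_cache() -> bytes:
    """Constructed stand-in for a real cache: header, two image entries, then the path table."""
    paths = [b"/usr/lib/libSystem.B.dylib",
             b"/System/Library/Frameworks/Foundation.framework/Foundation"]
    images_off = HEADER_SIZE
    paths_off = images_off + len(paths) * IMAGE_INFO_SIZE
    header = struct.pack(HEADER_FMT, b"dyld_v1   arm64".ljust(16, b"\0"), 0, 0, images_off, len(paths))
    table, blob = b"", b""
    for n, p in enumerate(paths):                    # load addresses are made up for the sample
        table += struct.pack(IMAGE_INFO_FMT, 0x180000000 + n * 0x10000, 0, 0, paths_off + len(blob), 0)
        blob += p + b"\0"
    return header + table + blob

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:                # mmap: real caches are well over 1 GB
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
            for address, path in list_cache_images(m):
                print("0x%x %s" % (address, path))
```

Run it as `python3 list_cache.py path/to/dyld_shared_cache_arm64` to print one address and install path per image; the same paths are what `dsc_extractor` recreates under the output directory.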