New in macOS Big Sur 11 beta, the system ships with a built-in dynamic linker cache of all system-provided libraries. As part of this change, copies of dynamic libraries are no longer present on the filesystem. Code that attempts to check for dynamic library presence by looking for a file at a path or enumerating a directory will fail. Instead, check for library presence by attempting to
dlopen()the path, which will correctly check for the library in the cache.
The only impact is if you are doing runtime detection/search of library by path yourself. Which is a terrible idea for perf anyway.
iOS has been like that for a decade already.
The goal was optimization, but unfortunately it does make reverse engineering more difficult.
The shared cache isn’t encrypted or anything, and dyld is in the Darwin source dumps. The shared cache format may not be stable, but isn’t secret either
The data is there, but there currently aren’t tools that can get it into a useful format like we had before.
Incidentally, the new stripped framework cache on macOS 11 is horrendous for disassembly. If you’re trying to track down why there’s a bug in your app, or how a system implementation works, you are screwed. This is going to hurt developers more than the ARM transition
Jeff Johnson (tweet, also: zhuowei):
If the libraries are no longer present on the filesystem, that makes it awfully hard to disassemble them! Fortunately, there are ways to extract the system libraries from the cache. One way is provided by Apple itself: the
dyld_shared_cache_utilcommand-line tool. Unfortunately, this tool does not come installed with macOS Big Sur. However, the tool is open source, so we can build it ourselves.
Let’s take a look at an example from my favorite framework, AppKit.
[…]
It seems that prior to Big Sur, Objective-C references in a Mach-O file are offsets from the beginning on the file, whereas on Big Sur, Objective-C references in a Mach-O file are offsets from the beginning of the dyld shared cache. Roughly speaking.
You can also point Hopper at the shared cache in the folder /System/Library/dyld/, and it will let you choose which library to load. But, as with dyld_shared_cache_util, what you end up with is difficult to work with because the tools don’t know how to find the Objective-C selector information.
Big Sur also adds another optimization that gets in the way of reverse engineering. Leo Natan:
A lot of Apple’s private APIs are now peppered with direct and can no longer be swizzled.
This makes it harder to debug and work around bugs. Unlike with the shared cache, this can’t be worked around with better tools. The information (and indirection) have been removed from the library entirely.
Previously:
Update (2020-07-06): Anton Sotkov:
Modifications to Apple’s dyld project to fix Objective-C information when extracting dyld_shared_cache from macOS Big Sur to help Hopper generate readable pseudocode.
Update (2020-07-27): Jeff Johnson:
Static disassembly tools such as otool and llvm-objdump have not been updated to handle the dyld shared cache on Big Sur. However, one tool that does handle it is lldb, the debugger.
[…]
I hope that my little hack helps you to disassemble system libraries on Big Sur. It’s a bid tedious, but it mostly works, and you only have to do it once for each library you’re interested in.
See also: Hopper for Apple Silicon and Big Sur