Articles index

Extract the system libraries on macOS Big Sur

June 24 2020 by Jeff Johnson
Support this blog: Link Unshortener, StopTheMadness, Underpass, PayPal.Me

According to the macOS Big Sur 11 Beta Release Notes, "the system ships with a built-in dynamic linker cache of all system-provided libraries. As part of this change, copies of dynamic libraries are no longer present on the filesystem." If the libraries are no longer present on the filesystem, that makes it awfully hard to disassemble them! Fortunately, there are ways to extract the system libraries from the cache. One way is provided by Apple itself: the dyld_shared_cache_util command-line tool. Unfortunately, this tool does not come installed with macOS Big Sur. However, the tool is open source, so we can build it ourselves. You can download the dyld project from Apple Open Source. The latest version is a little behind, at macOS 10.15.3, but that works fine for our purpose. The download contains a convenient Xcode project. Don't bother trying to build all targets in Xcode, just build the dyld_shared_cache_util target. You'll need to make a number of modifications in order to build and run the target successfully. I'm assuming that you're building with Xcode 12 on Big Sur.

  1. Change the SDK to macosx from macosx.internal, which is only available to Apple engineers.
  2. In dyld.h and dyld_priv.h, delete references to bridgeos in the __API_UNAVAILABLE macros. Xcode doesn't seem to understand those.
  3. In Closure.cpp, comment out the includes for System/machine/cpu_capabilities.h and the corecrypto headers. Also comment out the !TARGET_OS_DRIVERKIT section in the hashBootAndFileInfo function.
  4. In Diagnostics.cpp, comment out the includes for _simple.h and libc_private.h. Also comment out implementations of Diagnostics functions until that file compiles.
  5. In MachOLoaded.cpp, comment out the includes for the corecrypto headers. Also comment out the implementation of the MachOLoaded::forEachCDHashOfCodeSignature function.
  6. In dyld_shared_cache_util.cpp, change the first argument of dlopen to "/usr/lib/dsc_extractor.bundle" from pathBuffer. The dyld project also contains the dsc_extractor.bundle target, but that already comes installed on macOS Big Sur, so there's no need to build it.

After you've successfully built the dyld_shared_cache_util tool, just run it with the shared cache:

% mkdir ~/Desktop/libraries
% dyld_shared_cache_util -extract ~/Desktop/libraries /System/Library/dyld/dyld_shared_cache_x86_64

It may take a minute or two to finish. When it's finished, you'll have copies of all the system libraries on the your Desktop. Happy disassembling!

Support this blog: Link Unshortener, StopTheMadness, Underpass, PayPal.Me

Articles index