Hello reverse engineers,
I am reverse engineering an iOS Mach-O executable. `file` says: Mach-O universal binary with 2 architectures: [arm_v7: Mach-O arm_v7 executable] [64-bit architecture=12]. I need to convert a virtual address into a file offset within the Mach-O file. In IDA I see some data in the data segment at virtual address 0x0000000100366720, and I want to read it with a C program.
Using hexdump -C -v, I see that the virtual address corresponds to file offset 0xa9a720:
00a9a720 89 00 00 00 00 00 00 00 50 b7 39 00 01 00 00 00 |........P.9.....|
00a9a730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a750 70 22 12 00 01 00 00 00 50 53 12 00 01 00 00 00 |p"......PS......|
00a9a760 58 53 12 00 01 00 00 00 00 00 00 00 00 00 00 00 |XS..............|
00a9a770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a780 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a7a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a7b0 00 00 00 00 00 00 00 00 80 57 12 00 01 00 00 00 |.........W......|
00a9a7c0 98 cf 32 00 01 00 00 00 94 cf 32 00 01 00 00 00 |..2.......2.....|
00a9a7d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a7e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a7f0 00 67 36 00 01 00 00 00 c0 cf 32 00 01 00 00 00 |.g6.......2.....|
00a9a800 20 54 12 00 01 00 00 00 7c 57 12 00 01 00 00 00 | T......|W......|
00a9a810 38 ce 32 00 01 00 00 00 10 ce 32 00 01 00 00 00 |8.2.......2.....|
00a9a820 34 ce 32 00 01 00 00 00 f0 53 12 00 01 00 00 00 |4.2......S......|
00a9a830 51 00 00 00 e8 03 00 00 2c 00 00 00 25 00 00 00 |Q.......,...%...|
00a9a840 46 00 00 00 ff 29 11 17 00 00 00 00 4b 17 00 00 |F....)......K...|
00a9a850 80 00 00 00 08 00 00 00 08 00 00 00 0a 00 00 00 |................|
00a9a860 00 00 00 00 0f 00 00 00 28 1b 00 00 d0 03 00 00 |........(.......|
00a9a870 c8 02 00 00 a0 01 00 00 00 00 00 00 58 02 00 00 |............X...|
00a9a880 a8 02 00 00 d8 01 00 00 00 00 00 00 50 01 00 00 |............P...|
00a9a890 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |H...............|
00a9a8a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a8b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a8c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00a9a8d0 00 00 00 00 29 da f5 21 a1 b5 7a bf e9 7a d7 5b |....)..!..z..z.[|
00a9a8e0 3a 97 49 72 00 00 00 00 20 67 36 00 01 00 00 00 |:.Ir.... g6.....|
00a9a8f0 f0 e2 32 00 01 00 00 00 20 e3 32 00 01 00 00 00 |..2..... .2.....|
Using IDA:
0000000100366720 89 00 00 00 00 00 00 00 50 B7 39 00 01 00 00 00 ........P.9.....
0000000100366730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000100366740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000100366750 70 22 12 00 01 00 00 00 50 53 12 00 01 00 00 00 p"......PS......
0000000100366760 58 53 12 00 01 00 00 00 00 00 00 00 00 00 00 00 XS..............
0000000100366770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000100366780 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0000000100366790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001003667A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001003667B0 00 00 00 00 00 00 00 00 80 57 12 00 01 00 00 00 .........W......
00000001003667C0 98 CF 32 00 01 00 00 00 94 CF 32 00 01 00 00 00 ..2.......2.....
00000001003667D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001003667E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001003667F0 00 67 36 00 01 00 00 00 C0 CF 32 00 01 00 00 00 .g6.......2.....
0000000100366800 20 54 12 00 01 00 00 00 7C 57 12 00 01 00 00 00 T......|W......
0000000100366810 38 CE 32 00 01 00 00 00 10 CE 32 00 01 00 00 00 8.2.......2.....
0000000100366820 34 CE 32 00 01 00 00 00 F0 53 12 00 01 00 00 00 4.2......S......
0000000100366830 51 00 00 00 E8 03 00 00 2C 00 00 00 25 00 00 00 Q.......,...%...
0000000100366840 46 00 00 00 FF 29 11 17 00 00 00 00 4B 17 00 00 F....)......K...
0000000100366850 80 00 00 00 08 00 00 00 08 00 00 00 0A 00 00 00 ................
0000000100366860 00 00 00 00 0F 00 00 00 28 1B 00 00 D0 03 00 00 ........(.......
0000000100366870 C8 02 00 00 A0 01 00 00 00 00 00 00 58 02 00 00 ............X...
0000000100366880 A8 02 00 00 D8 01 00 00 00 00 00 00 50 01 00 00 ............P...
0000000100366890 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 H...............
00000001003668A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001003668B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001003668C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000001003668D0 00 00 00 00 29 DA F5 21 A1 B5 7A BF E9 7A D7 5B ....)..!..z..z.[
00000001003668E0 3A 97 49 72 00 00 00 00 20 67 36 00 01 00 00 00 :.Ir.... g6.....
00000001003668F0 F0 E2 32 00 01 00 00 00 20 E3 32 00 01 00 00 00 ..2..... .2.....
The post on converting Mach-O VM addresses to file offsets mentions this formula:
You need to find the segment (LC_SEGMENT) load command that covers the address, and then do the following:
file_off = (address - seg.address) + seg.offset
My Mach-O header has this load command:
HEADER:0000000100000380 ; LC_SEGMENT_64 - 64-bit segment of this file to be mapped
HEADER:0000000100000380 segment_command_64 <0x19, 0x5E8, "__DATA", 0x100360000, 0x50000, \
HEADER:0000000100000380 0x360000, 0xC000, 3, 3, 0x12, 0>
If I fill in the formula: file_off = (0x0000000100366720 - 0x100360000) + 0x360000 = 0x366720
The result differs from the file offset 0xa9a720 that I found with hexdump. It looks as if I only computed the offset from the base address. What am I doing wrong?
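Added example (not the asker's code): a C routine that locates the arm64 slice inside a universal (fat) Mach-O, walks that slice's LC_SEGMENT_64 commands and maps a VM address to an absolute file offset. The constructed sample file carries only the __DATA segment command quoted above; its slice offset of 0x734000 is an assumption taken from the difference between the two offsets in the question (0xa9a720 - 0x366720), not a value from the page.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constants copied from mach-o/fat.h and mach-o/loader.h so this builds on any host. */
#define FAT_MAGIC      0xcafebabeU  /* fat_header / fat_arch fields are big-endian */
#define MH_MAGIC_64    0xfeedfacfU  /* arm64 mach_header_64 and load commands are little-endian */
#define LC_SEGMENT_64  0x19U
#define CPU_TYPE_ARM64 0x0100000cU
static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint32_t le32(const uint8_t *p) { return (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0]; }
static uint64_t le64(const uint8_t *p) { return (uint64_t)le32(p + 4) << 32 | le32(p); }
static void put_le(uint8_t *p, uint64_t v, int w) { for (int i = 0; i < w; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void put_be32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[3 - i] = (uint8_t)(v >> 8 * i); }
/* File offset of the cputype slice: 0 for a thin 64-bit file, (uint64_t)-1 if not found. */
static uint64_t slice_offset(const uint8_t *f, size_t n, uint32_t cputype) {
    if (n >= 4 && le32(f) == MH_MAGIC_64) return 0;                 /* thin file: no fat header to skip */
    if (n < 8 || be32(f) != FAT_MAGIC) return (uint64_t)-1;
    for (uint32_t i = 0, nfat = be32(f + 4); i < nfat && 8 + (size_t)(i + 1) * 20 <= n; i++)
        if (be32(f + 8 + i * 20) == cputype) return be32(f + 16 + i * 20); /* fat_arch.offset */
    return (uint64_t)-1;
}
/* vmaddr -> absolute file offset via the LC_SEGMENT_64 that covers it: 0 ok, -2 zero-fill, -1 error. */
static int vm_to_file_offset(const uint8_t *f, size_t n, uint64_t slice, uint64_t addr, uint64_t *out) {
    if (slice == (uint64_t)-1 || slice + 32 > n || le32(f + slice) != MH_MAGIC_64) return -1;
    const uint8_t *lc = f + slice + 32;                             /* first load command after mach_header_64 */
    for (uint32_t i = 0, ncmds = le32(f + slice + 16); i < ncmds; i++, lc += le32(lc + 4)) {
        if ((size_t)(lc - f) + 8 > n || le32(lc + 4) < 8 || (size_t)(lc - f) + le32(lc + 4) > n) return -1;
        if (le32(lc) != LC_SEGMENT_64 || le32(lc + 4) < 72) continue;
        uint64_t vmaddr = le64(lc + 24), vmsize = le64(lc + 32), fileoff = le64(lc + 40), filesize = le64(lc + 48);
        if (addr < vmaddr || addr - vmaddr >= vmsize) continue;
        if (addr - vmaddr >= filesize) return -2;                   /* tail beyond filesize has no bytes on disk */
        *out = slice + fileoff + (addr - vmaddr);                   /* fileoff is relative to the slice start */
        return 0;
    }
    return -1;
}
/* Constructed sample: fat file with one arm64 slice at 0x734000 (assumed: 0xa9a720 - 0x366720) holding only the __DATA LC_SEGMENT_64 from the question. Returns (uint64_t)-1 on failure. */
static uint64_t demo_offset(uint64_t addr) {
    size_t n = 0x734000 + 0x80; uint8_t *f = calloc(n, 1); uint64_t off = (uint64_t)-1;
    if (!f) return off;
    uint8_t *h = f + 0x734000, *lc = h + 32;
    put_be32(f, FAT_MAGIC); put_be32(f + 4, 1); put_be32(f + 8, CPU_TYPE_ARM64); put_be32(f + 16, 0x734000);
    put_le(h, MH_MAGIC_64, 4); put_le(h + 4, CPU_TYPE_ARM64, 4); put_le(h + 16, 1, 4); put_le(h + 20, 72, 4);
    put_le(lc, LC_SEGMENT_64, 4); put_le(lc + 4, 72, 4); memcpy(lc + 8, "__DATA", 6);
    put_le(lc + 24, 0x100360000ULL, 8); put_le(lc + 32, 0x50000, 8);  /* vmaddr, vmsize */
    put_le(lc + 40, 0x360000, 8); put_le(lc + 48, 0xC000, 8);         /* fileoff, filesize */
    vm_to_file_offset(f, n, slice_offset(f, n, CPU_TYPE_ARM64), addr, &off);
    free(f); return off;
}
```

In a universal binary each slice is a complete Mach-O whose segment fileoff values count from the slice start, so the fat_arch.offset has to be added to reach an absolute offset in the container file. Addresses inside vmsize but past filesize are zero-filled at load time and have no bytes to read from disk.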