The lifecycle of a Dynamic Loader from its creation to its termination.
This series contains my notes on debugging dyld-1122 and analysing its source code. They are arranged in the order of the startup process, beginning at the moment XNU has just loaded dyld into memory.
I will not publish the whole analysis in one article, as it would be hard to follow and require a lot of scrolling, so I have divided it into parts. Each article will start with a map showing where the current analysis begins and ends, along with the lldb commands to set the matching breakpoints.
Please note that this analysis may contain some errors as I am still learning and working on it alone. No one has checked it for mistakes. Please let me know in the comments or contact me through my social media if you find anything.
The article is long, so to avoid dragging it out further, let's dive straight in.
WORKING MAP
We begin our journey by decompiling dyld in Hopper. I know the source code is available, but good luck reading it in the correct order ^^.
hopper -e '/usr/lib/dyld'
Dyld GitHub repository:
- Start: start() in dyld-1122.1 — dyldMain.cpp#L1183
- End: handleDyldInCache in dyld-1122.1 — dyldMain.cpp#L1030
LLDB breakpoints:
# START - dyld`start+0
br set -n start -s dyld
# END - dyld`start+988
br set -n isBuiltForSimulator -s dyld
The next article will start at the exact point where this one finishes.
START — Dyld Startup
In Snake&Apple I — Mach-O, I introduced the LC_MAIN load command, which specifies the entry point…
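Before dyld's start() ever runs, XNU has to read two load commands from the executable's Mach-O header: LC_LOAD_DYLINKER, which names the dynamic loader to map, and LC_MAIN, which gives the program's entry point as an offset. The following parser is an added example written for this article, not code from the dyld project or from Apple; it builds a constructed, minimal 64-bit Mach-O header in memory (not a real executable) and then walks its load commands to recover the dyld path and the entry offset. It also flags binaries that still use the older LC_UNIXTHREAD entry mechanism, which lack LC_MAIN. The constant values for the magic and command types are the ones defined in mach-o/loader.h; the sample path and entry offset are constructed.

```python
import struct
import sys

# Constants from <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF        # little-endian 64-bit Mach-O
LC_REQ_DYLD = 0x80000000        # flag: dyld must understand this command
LC_UNIXTHREAD = 0x05            # legacy entry point (register state)
LC_LOAD_DYLINKER = 0x0E         # path of the dynamic loader to map
LC_MAIN = 0x28 | LC_REQ_DYLD    # entry point as file offset
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
HEADER_SIZE = 32                # struct mach_header_64


def build_sample_macho():
    """Constructed sample: a mach_header_64 followed by LC_LOAD_DYLINKER and LC_MAIN.
    Only enough bytes for parse_entry_info() to work on; not a runnable binary."""
    dylinker = b"/usr/lib/dyld\x00"
    # struct dylinker_command: cmd, cmdsize, name (lc_str offset = 12), string, padding to 8
    body = struct.pack("<I", 12) + dylinker
    cmdsize = 8 + len(body)
    cmdsize += (-cmdsize) % 8
    lc_dylinker = struct.pack("<II", LC_LOAD_DYLINKER, cmdsize) + body.ljust(cmdsize - 8, b"\x00")
    # struct entry_point_command: cmd, cmdsize, entryoff, stacksize (0x3F70 is a made-up offset)
    lc_main = struct.pack("<IIQQ", LC_MAIN, 24, 0x3F70, 0)
    cmds = lc_dylinker + lc_main
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE,
                         2, len(cmds), 0, 0)
    return header + cmds


def parse_entry_info(data):
    """Walk the load commands and return the dynamic loader path, the LC_MAIN
    entry offset, and whether the binary relies on LC_UNIXTHREAD instead."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file too short for a mach_header_64")
    magic, _cputype, _cpusub, _filetype, ncmds, sizeofcmds, _flags, _res = \
        struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat and 32-bit files not handled)")
    if HEADER_SIZE + sizeofcmds > len(data):
        raise ValueError("sizeofcmds exceeds file size")

    info = {"dylinker": None, "entryoff": None, "uses_lc_unixthread": False}
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        # Every command must at least hold its own 8-byte header and stay inside the file
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command at offset 0x%x" % off)
        if cmd == LC_LOAD_DYLINKER:
            (name_off,) = struct.unpack_from("<I", data, off + 8)
            raw = data[off + name_off: off + cmdsize]
            info["dylinker"] = raw.split(b"\x00", 1)[0].decode()
        elif cmd == LC_MAIN:
            entryoff, _stacksize = struct.unpack_from("<QQ", data, off + 8)
            info["entryoff"] = entryoff
        elif cmd == LC_UNIXTHREAD:
            info["uses_lc_unixthread"] = True
        off += cmdsize
    return info


if __name__ == "__main__":
    # With a path argument, parse a real thin arm64 binary; otherwise use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_macho()
    print(parse_entry_info(blob))
```

On a real macOS system the script can be pointed at a thin arm64 executable (`python3 parse_macho.py /bin/ls` will fail on a fat binary, since the example deliberately stops at the first magic it does not recognise). The LC_MAIN value it prints is the same entryoff that dyld later adds to the main executable's load address when it hands control to the program, which is the hand-off this series works toward.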