Snake&Apple I — Mach-O

Karol Mazurek
20 min readDec 23, 2023

Deep dive in Mach-O files on ARM64 macOS with Python.

INTRO

Welcome to the first article in the series on macOS security internals!

This article provides in-depth information about the Mach-O file format and briefly introduces its loading process to virtual memory. You will learn how to determine if a file is valid Mach-O, its endianness, various Mach-O types, segmentation, the concept of chained fixups, and much more.

Additionally, this article will explain how to extract important information from Mach-O files in human-readable form using Python and other tools.

Please note that some topics have been intentionally omitted and will be addressed in future articles. However, leave a comment if you have any questions or need clarification about anything written here while reading. I guarantee a response and will use your feedback for future articles.

The Snake&Apple I. Mach-O repository contains all of the code used below.

Mach-O

A file format used on macOS systems to store:

  • Executable file — application in a format that a macOS can understand and execute. The final form of software that users can run.
clang -o hello hello.c
  • Object code (.o) —…

--

--

Karol Mazurek
Karol Mazurek

Responses (1)