Static Mach-O binary analysis
macOS side
- $ file <BINARY> - file type and architecture(s); also tells you if it is a fat/universal binary
- $ codesign -dv <BINARY> - display code signature details (identifier, Team ID, hashes); to actually verify the signature run codesign -v <BINARY>
- $ codesign -d --entitlements - <BINARY> - default way to get entitlements (the embedded plist)
- $ ./jtool2 --ent <BINARY> - another way to get entitlements
- $ pagestuff <BINARY> -a - segments and sections of the Mach-O, page by page
- $ nm -m <BINARY> - symbols annotated with the (segment,section) they live in
- $ otool -L <BINARY> - dylibs the binary links against (LC_LOAD_DYLIB)
- $ otool -l <BINARY> - all load commands
- $ otool -l <BINARY> | grep crypt - LC_ENCRYPTION_INFO(_64) fields; cryptid 1 means the __TEXT segment is FairPlay-encrypted (App Store iOS app) and has to be decrypted on a jailbroken device before strings/class-dump show anything useful, cryptid 0 means it is in the clear
- $ ./jtool2 -e <SEGMENT>.<SECTION> <BINARY> - extract a segment or section (e.g. __TEXT.__text) into a separate file
- $ strings - <BINARY> - all C strings (the lone - makes strings scan every section, not just the data section)
- $ ./class-dump -H -o <DIRECTORY-OUT> <BINARY> - dump Objective-C class headers
iOS side
binary
- # ldid -e <BINARY> - read entitlements of a binary on the device
- + all jtool2 commands from the macOS section
resources
- # ./FileDP -f/d <FILE/DIRECTORY> - read the Data Protection class of a file/directory
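Everything otool -l, otool -L, pagestuff and otool -l | grep crypt print above is read straight out of the Mach-O header and its load commands. As an added example (not code from this page or from any of the cited tools), the Python below parses a thin 64-bit Mach-O for LC_SEGMENT_64 segments/sections, LC_LOAD_DYLIB names and LC_ENCRYPTION_INFO(_64), splits a fat binary into its slices, and decides from cryptid whether the binary is still FairPlay-encrypted. It runs on a constructed sample Mach-O built in the block (build_sample_macho / wrap_in_fat are assumptions for demonstration only, not real app binaries); point parse_macho at the bytes of a real binary to get the same answers otool gives.

```python
import struct

# Mach-O constants from <mach-o/loader.h>, <mach-o/fat.h>, <mach/machine.h>
MH_MAGIC_64 = 0xFEEDFACF
FAT_MAGIC = 0xCAFEBABE            # fat header is always big-endian
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_ENCRYPTION_INFO = 0x21
LC_ENCRYPTION_INFO_64 = 0x2C
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C


def _cstr(b):
    return b.split(b"\0", 1)[0].decode()


def parse_macho(data):
    """Parse a thin little-endian 64-bit Mach-O: segments/sections, linked dylibs, encryption info."""
    magic, cputype, _sub, filetype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O: magic 0x%08x" % magic)
    info = {"cputype": cputype, "filetype": filetype, "segments": [], "dylibs": [], "encryption": None}
    off = 32                                   # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > 32 + sizeofcmds:
            raise ValueError("load command at 0x%x overruns the header" % off)
        if cmd == LC_SEGMENT_64:               # what pagestuff / otool -l print as segments and sections
            segname, vmaddr, vmsize, fileoff, filesize, _maxprot, initprot, nsects, _f = \
                struct.unpack_from("<16s4Q2i2I", data, off + 8)
            sects, soff = [], off + 72         # section_64 records follow the 72-byte segment command
            for _ in range(nsects):
                sectname, _seg, addr, size, soffset = struct.unpack_from("<16s16s2QI", data, soff)
                sects.append({"name": _cstr(sectname), "addr": addr, "size": size, "offset": soffset})
                soff += 80                     # sizeof(section_64)
            info["segments"].append({"name": _cstr(segname), "vmaddr": vmaddr, "fileoff": fileoff,
                                     "filesize": filesize, "initprot": initprot, "sections": sects})
        elif cmd == LC_LOAD_DYLIB:             # what otool -L prints
            name_off, = struct.unpack_from("<I", data, off + 8)   # dylib.name is an lc_str offset
            info["dylibs"].append(_cstr(data[off + name_off: off + cmdsize]))
        elif cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):  # what otool -l | grep crypt shows
            cryptoff, cryptsize, cryptid = struct.unpack_from("<3I", data, off + 8)
            info["encryption"] = {"cryptoff": cryptoff, "cryptsize": cryptsize, "cryptid": cryptid}
        off += cmdsize
    return info


def is_fairplay_encrypted(info):
    """cryptid 1 = FairPlay-encrypted __TEXT (still needs on-device decryption); 0 or absent = clear."""
    enc = info["encryption"]
    return bool(enc and enc["cryptid"] == 1)


def fat_slices(data):
    """Split a universal binary into (cputype, thin Mach-O) pairs; a thin binary is returned as one slice."""
    magic, nfat = struct.unpack_from(">2I", data, 0)
    if magic != FAT_MAGIC:
        return [(struct.unpack_from("<I", data, 4)[0], data)]
    out = []
    for i in range(nfat):
        cputype, _sub, off, size, _align = struct.unpack_from(">5I", data, 8 + 20 * i)
        out.append((cputype, data[off:off + size]))
    return out


def build_sample_macho(cputype=CPU_TYPE_ARM64, cryptid=1):
    """Constructed sample (assumption, not a real app): MH_EXECUTE with __TEXT/__text, libSystem and an LC_ENCRYPTION_INFO_64."""
    seg = struct.pack("<16s4Q2i2I", b"__TEXT", 0x100000000, 0x4000, 0, 0x210, 5, 5, 1, 0)
    sect = struct.pack("<16s16s2QIIIIIIII", b"__text", b"__TEXT", 0x100000200, 16, 0x200, 2, 0, 0,
                       0x80000400, 0, 0, 0)
    lc_seg = struct.pack("<2I", LC_SEGMENT_64, 72 + 80) + seg + sect
    name = b"/usr/lib/libSystem.B.dylib\0"
    name += b"\0" * (-len(name) % 8)           # lc_str payloads are padded to 8 bytes
    lc_dylib = struct.pack("<6I", LC_LOAD_DYLIB, 24 + len(name), 24, 2, 0x05000000, 0x00010000) + name
    lc_enc = struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 0x200, 16, cryptid, 0)
    cmds = lc_seg + lc_dylib + lc_enc
    hdr = struct.pack("<8I", MH_MAGIC_64, cputype, 0, 2, 3, len(cmds), 0x00200085, 0)
    body = hdr + cmds
    body += b"\0" * (0x200 - len(body))
    body += bytes.fromhex("c0035fd6") * 4      # four arm64 `ret`; with cryptid=1 a real app would hold ciphertext here
    return body


def wrap_in_fat(slices):
    """Constructed universal wrapper (assumption): big-endian fat header, each slice 0x4000-aligned."""
    table, blobs, off = b"", b"", 0x4000
    for cputype, blob in slices:
        table += struct.pack(">5I", cputype, 0, off, len(blob), 14)
        padded = blob + b"\0" * (-len(blob) % 0x4000)
        blobs += padded
        off += len(padded)
    head = struct.pack(">2I", FAT_MAGIC, len(slices)) + table
    return head + b"\0" * (0x4000 - len(head)) + blobs


if __name__ == "__main__":
    fat = wrap_in_fat([(CPU_TYPE_ARM64, build_sample_macho()),
                       (CPU_TYPE_X86_64, build_sample_macho(CPU_TYPE_X86_64, cryptid=0))])
    for cputype, thin in fat_slices(fat):
        info = parse_macho(thin)
        print("cputype 0x%08x dylibs=%s encrypted=%s" % (cputype, info["dylibs"], is_fairplay_encrypted(info)))
        for seg in info["segments"]:
            print("  %s @0x%x sections=%s" % (seg["name"], seg["vmaddr"], [s["name"] for s in seg["sections"]]))
```

The bounds check on cmdsize matters on hostile input: a malformed ncmds/cmdsize is the classic way to make a naive parser read off the end of the file, and parse_macho refuses rather than guessing. The sample is built with cryptid=1 for the arm64 slice and 0 for the x86_64 one, which is exactly the difference you look for with otool -l | grep crypt before deciding whether a dump from the device is needed.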
Sources
[1] jtool - Taking the O out of otool(1), and so much more by Jonathan Levin
[2] How to reverse malware on macOS without getting infected by Phil Stokes
[3] my fork of FileDP by @satishb3 suitable for iOS 12.4
[4] class-dump sources, you will need to rebuild them for 64bit to run on macOS Catalina