Tips And Tricks - Bulk Disassembly Scripting
When researching executables on iOS and macOS, I make frequent use of disassembly tools against many Mach-O executables throughout the operating system. Once disassembled, these files can be pieced apart to diagnose issues or find potential vulnerabilities. Disassembling these binaries is tedious and time-consuming, especially if you have closed them only to reopen them shortly thereafter, or if you need to cross-reference several disassembled files. Why not just have all of the binaries pre-disassembled? That way, you can quickly search through the disassembly for all executables efficiently, at the cost of disk space.
Automating Disarm
Disarm [2] is a rather robust disassembly tool created by Jonathan Levin. I will use this tool to disassemble all executable files on the filesystem while recreating the original filesystem structure. We can do this with a bash script that recursively obtains all files under a given path, uses the file command to check whether each file is an executable, and, if so, recreates the directory structure leading up to that file and writes a disassembled version of that binary in the same position as the original file. The final bash function I came up with looks like the following:
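As an added illustration of the procedure just described (this is not the author's script), the function below walks a tree with find, keeps only the files that `file` reports as Mach-O, mirrors each file's directory under an output root and writes the disarm listing there. It assumes that disarm is on PATH (or named in $DISARM) and that, given only a path, it prints the disassembly to stdout; it also matches shared libraries and bundles, not just executables, since `file` labels all of them Mach-O.

```shell
#!/bin/sh
# Added example: mirror a filesystem tree, writing a disarm listing for every
# Mach-O file. Not the author's script. Assumes `disarm` (or $DISARM) accepts a
# path and writes its disassembly to stdout.
set -eu

DISARM="${DISARM:-disarm}"

# True when `file` identifies the path as Mach-O (thin, fat, dylib or bundle).
is_macho() {
    file -b "$1" 2>/dev/null | grep -q '^Mach-O'
}

# bulk_disassemble SRC DST: for each Mach-O file under SRC, create the same
# directory path under DST and write "<name>.disarm" where the binary sat.
# Prints the number of files disassembled.
bulk_disassemble() {
    src=${1%/}
    dst=${2%/}
    n=0
    mkdir -p "$dst"
    # Collect paths in a temp file so the loop runs in this shell and keeps
    # the counter (a `find | while` pipeline would lose it in a subshell).
    list=$(mktemp)
    find "$src" -type f > "$list"
    while IFS= read -r f; do
        is_macho "$f" || continue
        rel=${f#"$src"/}
        out="$dst/$rel.disarm"
        mkdir -p "$(dirname "$out")"
        if "$DISARM" "$f" > "$out"; then
            n=$((n + 1))
        else
            echo "warn: disarm failed on $f" >&2
        fi
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Run directly as: sh bulk_disarm.sh /path/to/rootfs /path/to/output
if [ $# -eq 2 ]; then
    bulk_disassemble "$1" "$2"
fi
```

Symbolic links are skipped by `-type f`, so a binary reachable through several links is disassembled once; the output tree keeps the original relative paths, so the listing for /usr/bin/ls ends up at <output>/usr/bin/ls.disarm.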
Testing
I am testing this script using an M2 Max MacBook Pro. When running this script against a jailbroken (with Palera1n = two filesystems) image acquired from an iPad running iOS 18.2, all executables were disassembled in 7.5 minutes. The entire input filesystem is 17.8 GB in size, and the produced output is 10.5 GB in size.
Now, if I need to search for any particular function, string, or code across all disassembled files, I can search in a text editor as I would any other filetype, and I only had to run the script once!
Below is a comparison of an executable file before and after the bash script was used to disassemble it.
There is space for improvement and optimization while performing this process (it would be nice to have bulk decompilation in a perfect world), but this script will save me time when looking through Apple internals.
References
[1] https://developer.apple.com/library/archive/documentation/Performance/Conceptual/CodeFootprint/Articles/MachOOverview.html
[2] https://newosxbook.com/tools/disarm.html