{"id":16552450,"url":"https://github.com/0xdevalias/poc-re-binsearch","last_synced_at":"2025-07-24T00:06:15.224Z","repository":{"id":213811100,"uuid":"734973974","full_name":"0xdevalias/poc-re-binsearch","owner":"0xdevalias","description":"Proof of Concept (PoC) code/notes exploring reverse engineering techniques for macOS fat binaries, focusing on binary searching and automatic offset identification","archived":false,"fork":false,"pushed_at":"2024-04-15T05:14:16.000Z","size":105,"stargazers_count":8,"open_issues_count":2,"forks_count":2,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-07-13T02:41:51.432Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xdevalias.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"0xdevalias","ko_fi":"devalias","custom":["https://buymeacoff.ee/devalias"]}},"created_at":"2023-12-23T07:56:14.000Z","updated_at":"2025-03-14T21:06:35.000Z","dependencies_parsed_at":"2024-01-02T09:49:53.054Z","dependency_job_id":"7b1f7c0c-ca24-41d2-8c07-8480991c935f","html_url":"https://github.com/0xdevalias/poc-re-binsearch","commit_stats":null,"previous_names":["0xdevalias/poc-re-binsearch"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/0xdevalias/poc-re-binsearch","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdevalias%2Fpoc-re-binsearch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdevalias%2Fpoc-re-binsearch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdevalias%2Fpoc-re-binsearch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdevalias%2Fpoc-re-binsearch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xdevalias","download_url":"https://codeload.github.com/0xdevalias/poc-re-binsearch/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xdevalias%2Fpoc-re-binsearch/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":266770684,"owners_count":23981604,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-07-23T02:00:09.312Z","response_time":66,"last_error":null,"robots_txt_status":null,"robots_txt_updated_at":null,"robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-10-11T19:44:54.494Z","updated_at":"2025-07-24T00:06:15.200Z","avatar_url":"https://github.com/0xdevalias.png","language":"Python","readme":"# poc-re-binsearch\n\nProof of Concept (PoC) code/notes exploring reverse engineering techniques for macOS fat binaries, focusing on binary searching and automatic offset identification.\n\n- [`notes.md`](./notes.md): Some random notes I collected while exploring this, including useful commands/snippets/etc.\n- [`find_fat_binary_offsets.py`](./find_fat_binary_offsets.py): Python script for searching through a macOS fat/universal binary file to automatically extract offsets that match the specified architectures/patterns (including smart offset adjustments). Includes a number of different search implementations that you can contrast for speed if you enable `PROFILE = True`\n  - eg.\n    - ```bash\n      ⇒ ./find_fat_binary_offsets.py /System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd\n      -= Universal Binary Sections =-\n      Architecture 0 (x86_64):\n        CPU Type: 16777223 (0x1000007)\n        CPU Subtype: 3 (0x3)\n        CPU Subtype Capability: 0 (0x0)\n        Offset: 0x4000 (Valid Mach-O Header: Yes)\n        Size: 7989040\n        Align: 14\n      Architecture 1 (arm64e):\n        CPU Type: 16777228 (0x100000c)\n        CPU Subtype: 2 (0x2)\n        CPU Subtype Capability: 128 (0x80)\n        Offset: 0x7a4000 (Valid Mach-O Header: Yes)\n        Size: 8833808\n        Align: 14\n\n      -= Found Symbol Offsets =-\n      Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture x86_64: 0x0cc743\n      Offset of _IDSProtoKeyTransparencyTrustedServiceReadFrom in architecture arm64e: 0x0b524c\n\n      -= Found Hex Offsets (with pure python fixed sequence search + regex) =-\n      Architecture 0 (x86_64):\n        IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xcc743\n        NACInitAddress: 0x4b91e0\n        NACKeyEstablishmentAddress: 0x499220\n        NACSignAddress: 0x4ac510\n      Architecture 1 (arm64e):\n        IDSProtoKeyTransparencyTrustedServiceReadFrom: 0xb524c\n        NACInitAddress: 0x41d714\n        NACKeyEstablishmentAddress: 0x40af78\n        NACSignAddress: 0x3e5184\n      ```\n    - See also:\n      - https://github.com/beeper/mac-registration-provider\n        - \u003e A small service that generates iMessage registration data on a Mac\n      - https://github.com/beeper/mac-registration-provider/pull/7\n        - \u003e add offsets for `13.3.1` (x86/arm64) + `13.5` (x86)\n        - https://github.com/beeper/mac-registration-provider/pull/7#issuecomment-1867733658\n          - \u003e I've also been working on a PoC script that is able to find the offsets automagically\n- [`diff_hex.py`](./diff_hex.py): Quick/dirty python script to diff the provided hex bytes, and generate a pattern with wildcards that can be used in `find_fat_binary_offsets.py` / `rafind2-fat-binary` / `rafind2` / etc\n- [`find_bytes.py`](./find_bytes.py): Quick/dirty python script to find hex bytes in a binary file (no smarts)\n- [`rafind2-fat-binary`](./rafind2-fat-binary): Helper script that uses `radare2`'s `rabin` + `rafind2` to search for a hex string (with potential wildcards) in the specified architecture of a macOS fat/universal binary\n- [`xxd-fat-binary`](./xxd-fat-binary): Helper script that uses `radare2`'s `rabin` + `xxd` to dump the specified length of hex bytes in the specified architecture of a macOS fat/universal binary\n- Some tests for recursively searching binary files for a hex string (with potential wildcards) using `radare2`'s `rafind2`:\n  - [`test-fd-rafind2-fzf`](./test-fd-rafind2-fzf) (fast/interactive)\n  - [`test-fd-and-rafind2`](./test-fd-and-rafind2) (fastest)\n  - [`test-find-and-rafind2`](./test-find-and-rafind2)\n  - [`test-grep-and-rafind2`](./test-grep-and-rafind2) (slowest)\n- etc\n","funding_links":["https://github.com/sponsors/0xdevalias","https://ko-fi.com/devalias","https://buymeacoff.ee/devalias"],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xdevalias%2Fpoc-re-binsearch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xdevalias%2Fpoc-re-binsearch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xdevalias%2Fpoc-re-binsearch/lists"}