1. Dump decrypted mach-o apps

    In a previous post CryptedHelloWorld: App with encrypted mach-o sections, I created a simple macOS app CryptedHelloWorld with its (__TEXT, __text) section encrypted. The section is decrypted by a constructor function. This post explains how to dump the decrypted app. A common way is to attach the app with a debugger (GDB, LLDB) and manually dump the decrypted memory to disk.
    [Read More]
  2. constructor and destructor attributes

    GCC (and Clang) supports constructor and destructor attributes: __attribute__((constructor)) __attribute__((destructor))
    [Read More]