I am trying to find the libdyld.dylib file in macOS but I can't find it. According to the lldb debugger, it is supposed to be at /usr/lib/system/libdyld.dylib but it is not there... I read this Apple support page but it got me more confused... I understand that there is dyld that loads the code from somewhere... but from where? Where does the code of this lib come from?
Using macOS 12.5 Monterey, Mac M1.
Update: I looked into /usr/lib/dyld (there is no /System/Library/dyld file on my system). The code that I see in lldb when stepping into a lib function is different from the code I see when disassembling the same function in /usr/lib/dyld. E.g. let's take dlopen - the debugger (lldb) shows that there are 2 implementations:
(lldbinit) image lookup -n dlopen
1 match found in /usr/lib/dyld:
Address: dyld[0x0000000000025954] (dyld.__TEXT.__text + 149844)
Summary: dyld`dyld4::APIs::dlopen(char const*, int)
1 match found in /usr/lib/system/libdyld.dylib:
Address: libdyld.dylib[0x000000018033329c] (libdyld.dylib.__TEXT.__text + 1532)
Summary: libdyld.dylib`dlopen
but when stepping into the dlopen function it chooses the one in /usr/lib/system/libdyld.dylib and not the one in /usr/lib/dyld:
(lldbinit) image lookup -v -a $pc
Address: libdyld.dylib[0x000000018033329c] (libdyld.dylib.__TEXT.__text + 1532)
Summary: libdyld.dylib`dlopen
Module: file = "/usr/lib/system/libdyld.dylib", arch = "arm64e"
Symbol: id = {0x000001a3}, range = [0x0000000182f5b29c-0x0000000182f5b2d0), name="dlopen"
Also the asm is different. When stepping into dlopen with lldb I see the following instructions:
dlopen @ /usr/lib/system/libdyld.dylib:
-> 0x182f5b29c (0x18033329c): e2 03 01 aa mov x2, x1
0x182f5b2a0 (0x1803332a0): e1 03 00 aa mov x1, x0
0x182f5b2a4 (0x1803332a4): 68 7b 2c b0 adrp x8, 364397
0x182f5b2a8 (0x1803332a8): 00 39 43 f9 ldr x0, [x8, #0x670]
0x182f5b2ac (0x1803332ac): 10 00 40 f9 ldr x16, [x0]
0x182f5b2b0 (0x1803332b0): f1 03 00 aa mov x17, x0
0x182f5b2b4 (0x1803332b4): 51 7f ec f2 movk x17, #0x63fa, lsl #48
0x182f5b2b8 (0x1803332b8): 30 1a c1 da autda x16, x17
0x182f5b2bc (0x1803332bc): 03 0e 47 f8 ldr x3, [x16, #0x70]!
0x182f5b2c0 (0x1803332c0): e4 03 10 aa mov x4, x16
0x182f5b2c4 (0x1803332c4): f0 03 04 aa mov x16, x4
0x182f5b2c8 (0x1803332c8): 30 e6 f7 f2 movk x16, #0xbf31, lsl
and when disassembling dlopen in dyld I see the following instructions: (jtool2 -d /usr/lib/dyld | less)
__ZN5dyld44APIs6dlopenEPKci:
25954 0xd503237f PACIBSP
25958 0xa9bd57f6 STP X22, X21, [SP, #-48]!
2595c 0xa9014ff4 STP X20, X19, [SP, #16]
25960 0xa9027bfd STP X29, X30, [SP, #32]
25964 0x910083fd ADD X29, SP, #32
25968 0xaa0203f3 _MOV_R X19, X2 R19 = R2 (0x0)
2596c 0xaa0103f5 _MOV_R X21, X1 R21 = R1 (0x0)
25970 0xaa0003f6 _MOV_R X22, X0 R22 = R0 (0x0)
25974 0xaa1e03f4 _MOV_R X20, X30 R20 = R30 (0x0)
25978 0xdac143f4 PACIA X20, X31
2597c 0xf9400408 _LDR X8, [X0, #8] ...R8 = *(R0 + 8) = *0x8 = 0x780000002
25980 0xb9403508 _LDR W8, [X8, #52] ...R8 = *(R8 + 52) = *0x3c = 0x6000000000000
25984 0x7100091f CMP W8, #2
25988 0xfa400824 CCMP
2598c 0x540000e0 B.EQ 0x259a8
25990 0xaa1503e0 _MOV_R X0, X21 R0 = R21 (0x0)
So it is still a mystery: where does this dlopen code come from?
Since version 11, Apple has made some efforts to make it harder to reverse engineer their shared libs.
Long story short, they merged most libs and frameworks into a single binary, which is loaded into memory at system start.
You can find it here: /System/Library/dyld/ (a folder); there may be several file versions for Intel and arm archs.
All such system libraries referenced from the Mach-O section of the binary you run are then mapped directly from the loaded dyld cache, so Apple does not need the libs to be on the filesystem anymore. They made some efforts for compatibility, so for most apps it still looks like they are present on disk.
However, as Apple has to publish parts of their sources due to using a lot of open-source stuff, folks found the code responsible for the dyld cache and created several extractors, like this one: https://github.com/keith/dyld-shared-cache-extractor (you can even install it with brew).
So if you need to look inside some library, you will need to install the extractor, perform the extraction, and then you will have what you want.
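As an added example (not part of the question or the answer above, and not code from the extractor project), the following Python script parses the header, mapping table and image table of a dyld shared cache file and resolves a cache address to the dylib that owns it. That lookup is what explains the lldb output in the question: the address in parentheses, 0x18033329c, is the unslid address inside the cache file, the other one, 0x182f5b29c, is where the cache landed in the process after ASLR, and the cache's image table says the owner is /usr/lib/system/libdyld.dylib even though no such file exists on disk. The struct layouts follow dyld_cache_format.h from Apple's dyld sources; that the image-table pointer sits at header offset 0x1c0 for caches whose header is at least 0x1c8 bytes long is an assumption of this example. The script runs offline against a small constructed cache built in `build_sample_cache()`; to use it on a real cache, read the file from the folder the answer names and hand its bytes to `parse_cache()`.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Struct layouts from dyld_cache_format.h (Apple dyld sources); all little-endian.
MAPPING_FMT = "<QQQII"   # dyld_cache_mapping_info: address, size, fileOffset, maxProt, initProt
IMAGE_FMT = "<QQQII"     # dyld_cache_image_info: address, modTime, inode, pathFileOffset, pad
ENTRY_SIZE = struct.calcsize(MAPPING_FMT)  # 32 bytes for both tables
# Assumption of this example: headers of at least 0x1c8 bytes carry the image-table
# pointer at 0x1c0 (imagesOffset/imagesCount); older caches used offsets 24/28.
NEW_IMAGES_FIELD_OFFSET = 0x1C0
NEW_HEADER_MIN_SIZE = 0x1C8


@dataclass
class Mapping:
    address: int      # unslid virtual address of the mapping
    size: int
    file_offset: int  # where the mapping's bytes live in the cache file
    max_prot: int
    init_prot: int


@dataclass
class Image:
    address: int      # unslid address of the dylib's Mach-O header inside the cache
    path: str         # install path the dylib had before it was merged into the cache


def parse_cache(data: bytes) -> Tuple[str, List[Mapping], List[Image]]:
    """Return (magic, mappings, images) for the bytes of a dyld shared cache file."""
    magic = data[:16].rstrip(b"\0").decode("ascii")
    if not magic.startswith("dyld_v1"):
        raise ValueError(f"not a dyld shared cache: {magic!r}")
    # Header fields at offset 16: mappingOffset, mappingCount, imagesOffsetOld, imagesCountOld.
    mapping_off, mapping_cnt, images_off, images_cnt = struct.unpack_from("<IIII", data, 16)
    # The mapping table directly follows the header, so mappingOffset is the header size.
    if mapping_off >= NEW_HEADER_MIN_SIZE:
        images_off, images_cnt = struct.unpack_from("<II", data, NEW_IMAGES_FIELD_OFFSET)
    mappings = [Mapping(*struct.unpack_from(MAPPING_FMT, data, mapping_off + i * ENTRY_SIZE))
                for i in range(mapping_cnt)]
    images = []
    for i in range(images_cnt):
        addr, _mtime, _inode, path_off, _pad = struct.unpack_from(
            IMAGE_FMT, data, images_off + i * ENTRY_SIZE)
        path = data[path_off:data.index(b"\0", path_off)].decode("utf-8")
        images.append(Image(addr, path))
    return magic, mappings, images


def image_for_address(images: List[Image], addr: int) -> Optional[Image]:
    """Owning dylib = the image with the highest base address that is not above addr."""
    candidates = [img for img in images if img.address <= addr]
    return max(candidates, key=lambda img: img.address) if candidates else None


def file_offset_for_address(mappings: List[Mapping], addr: int) -> Optional[int]:
    """Translate an unslid cache address into a byte offset in the cache file."""
    for m in mappings:
        if m.address <= addr < m.address + m.size:
            return addr - m.address + m.file_offset
    return None


def cache_slide(slid_addr: int, unslid_addr: int) -> int:
    """ASLR slide of the cache: in-process address minus the address stored in the file."""
    return slid_addr - unslid_addr


def _put_cstr(buf: bytearray, off: int, s: str) -> None:
    raw = s.encode("utf-8") + b"\0"
    buf[off:off + len(raw)] = raw


def build_sample_cache() -> bytes:
    """Constructed stand-in for a real cache: one r-x mapping and two images (sample data)."""
    buf = bytearray(0x300)
    buf[:16] = b"dyld_v1   arm64e"
    struct.pack_into("<IIII", buf, 16, 0x200, 1, 0, 0)             # old image fields left zero
    struct.pack_into("<II", buf, NEW_IMAGES_FIELD_OFFSET, 0x220, 2)
    struct.pack_into(MAPPING_FMT, buf, 0x200, 0x180000000, 0x1000000, 0, 5, 5)  # VM_PROT_READ|EXECUTE
    struct.pack_into(IMAGE_FMT, buf, 0x220, 0x180200000, 0, 0, 0x260, 0)
    struct.pack_into(IMAGE_FMT, buf, 0x240, 0x180332000, 0, 0, 0x2A0, 0)
    _put_cstr(buf, 0x260, "/usr/lib/system/libsystem_c.dylib")
    _put_cstr(buf, 0x2A0, "/usr/lib/system/libdyld.dylib")
    return bytes(buf)


if __name__ == "__main__":
    magic, mappings, images = parse_cache(build_sample_cache())
    slid, unslid = 0x182F5B29C, 0x18033329C   # the two dlopen addresses lldb printed
    owner = image_for_address(images, unslid)
    print(f"{magic}: slide=0x{cache_slide(slid, unslid):x} owner={owner.path} "
          f"file_offset=0x{file_offset_for_address(mappings, unslid):x}")
```

On a real cache the same lookup gives you the file offset of the function's bytes, which is what the extractor ultimately reconstructs back into a standalone Mach-O; the resolved owner here is libdyld.dylib, not /usr/lib/dyld, because the cache carries its own copy of libdyld's dlopen stub that forwards into dyld4::APIs::dlopen.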