Merge remote-tracking branch

'origin/GP-1406_ryanmkurtz_macho-encryption' (Closes #1935)
2025-10-05 19:42:36 +02:00 · 2021-11-05 14:00:22 -04:00 · 2021-11-05 14:00:22 -04:00 · 766ff7f72e
commit 766ff7f72e
parent 77e434cf85 446614b435
3 changed files with 27 additions and 6 deletions
--- a/Ghidra/Features/Base/src/main/java/ghidra/app/util/bin/format/macho/commands/EncryptedInformationCommand.java
+++ b/Ghidra/Features/Base/src/main/java/ghidra/app/util/bin/format/macho/commands/EncryptedInformationCommand.java
@ -37,13 +37,15 @@ public class EncryptedInformationCommand extends LoadCommand {
 	private int cryptoff;
 	private int cryptsize;
 	private int cryptid;
+	
+	private boolean is32bit;

 	static EncryptedInformationCommand createEncryptedInformationCommand(
-			FactoryBundledWithBinaryReader reader) throws IOException {
+			FactoryBundledWithBinaryReader reader, boolean is32bit) throws IOException {
 		EncryptedInformationCommand command =
 			(EncryptedInformationCommand) reader.getFactory().create(
 				EncryptedInformationCommand.class);
-		command.initEncryptedInformationCommand(reader);
+		command.initEncryptedInformationCommand(reader, is32bit);
 		return command;
 	}

@ -53,9 +55,11 @@ public class EncryptedInformationCommand extends LoadCommand {
 	public EncryptedInformationCommand() {
 	}

-	private void initEncryptedInformationCommand(FactoryBundledWithBinaryReader reader)
-			throws IOException {
+	private void initEncryptedInformationCommand(FactoryBundledWithBinaryReader reader,
+			boolean is32bit) throws IOException {
 		initLoadCommand(reader);
+		this.is32bit = is32bit;
+		
 		cryptoff = reader.readNextInt();
 		cryptsize = reader.readNextInt();
 		cryptid = reader.readNextInt();
@ -102,6 +106,9 @@ public class EncryptedInformationCommand extends LoadCommand {
 		struct.add(DWORD, "cryptoff", null);
 		struct.add(DWORD, "cryptsize", null);
 		struct.add(DWORD, "cryptid", null);
+		if (!is32bit) {
+			struct.add(DWORD, "pad", null);
+		}
 		struct.setCategoryPath(new CategoryPath(MachConstants.DATA_TYPE_CATEGORY));
 		return struct;
 	}
--- a/Ghidra/Features/Base/src/main/java/ghidra/app/util/bin/format/macho/commands/LoadCommandTypes.java
+++ b/Ghidra/Features/Base/src/main/java/ghidra/app/util/bin/format/macho/commands/LoadCommandTypes.java
@ -124,8 +124,10 @@ public final class LoadCommandTypes {
 			case LC_REEXPORT_DYLIB: {
 				return DynamicLibraryCommand.createDynamicLibraryCommand(reader);
 			}
-			case LC_ENCRYPTION_INFO: {
-				return EncryptedInformationCommand.createEncryptedInformationCommand(reader);
+			case LC_ENCRYPTION_INFO: 
+			case LC_ENCRYPTION_INFO_64: {
+				return EncryptedInformationCommand.createEncryptedInformationCommand(reader,
+					header.is32bit());
 			}
 			case LC_DYLD_INFO:
 			case LC_DYLD_INFO_ONLY: {
--- a/Ghidra/Features/Base/src/main/java/ghidra/app/util/opinion/MachoProgramBuilder.java
+++ b/Ghidra/Features/Base/src/main/java/ghidra/app/util/opinion/MachoProgramBuilder.java
@ -112,6 +112,7 @@ public class MachoProgramBuilder {
 		monitor.setCancelEnabled(true);

 		setImageBase();
+		processEncryption();
 		processEntryPoint();
 		processMemoryBlocks(machoHeader, provider.getName(), true, true);
 		processUnsupportedLoadCommands();
@ -155,6 +156,17 @@ public class MachoProgramBuilder {
 			program.setImageBase(space.getAddress(0), true);
 		}
 	}
+	
+	private void processEncryption() throws Exception {
+		monitor.setMessage("Processing encryption...");
+		for (EncryptedInformationCommand cmd : machoHeader
+				.getLoadCommands(EncryptedInformationCommand.class)) {
+			if (cmd.getCryptID() != 0) {
+				log.appendMsg(String.format("ENCRYPTION DETECTED: (file offset 0x%x, size 0x%x)",
+					cmd.getCryptOffset(), cmd.getCryptSize()));
+			}
+		}
+	}

 	private void processEntryPoint() throws Exception {
 		monitor.setMessage("Processing entry point...");