Frameworks

Frameworks

dyld_shared_cache

The dyld_shared_cache is a collection of libraries and frameworks. If you copy the dyld_shared_cache directly from a running iPhone it will have it's references scrambled by ASLR. It is much cleaner to get the dyld_shared_cache from a root file system extracted from an iOS firmware image. Note that the dyld_shared_cache is huge and could take about 4 days for IDA to analyze. Once IDA finishes, you will have a database that takes a few seconds to unpack, but you only have to do the initial IDA analysis once. It is simpler to analyze individual frameworks if you can separate them, but you will lose any crossreferences from one framework to another.

Literature:

• http://bbs.iosre.com/t/when-dyld-decache-fails-on-dyld-shared-cache-arm64-dsc-extractor-saves-our-days/1974
• http://ant4g0nist.blogspot.ro/2015/04/ios-shared-cache-extraction-to-solve.html
• TrustKit Code Injection On IOS 8 For The Greater Good