Author Topic: New Mach-O ARM64 format  (Read 1731 times)

Erik Siers

  • Newbie
  • *
  • Posts: 10
New Mach-O ARM64 format
« on: January 12, 2021, 01:45:58 AM »
I've made a start trying to differentiate between exe-mach-o-intel-64 and what I've dubbed exe-mach-o-arm-64 (Apple's new M1, a.k.a. "Apple Silicon"), and I'm running into some troubles.

As things stand right now, TrID just looks at the file signature at the start of the file, which is CF-FA-ED-FE, but unfortunately, Apple has chosen to reuse that same signature for ARM executables, instead of, say, incrementing that first byte (which they did when moving from 32-bit to 64-bit), or coming up with an entirely new signature. So in my preliminary testing, all ARM apps are reported as "Mac OS X Mach-O 64bit Intel executable".

It looks like some more work will need to be done to differentiate between the two formats, and I don't really have the time to do an in-depth analysis comparing them. What I've come up with (for now at least) is to just extend the "signature" to 5 bytes: Intel is CF-FA-ED-FE-07 and ARM is CF-FA-ED-FE-0C. It seems to work, but I think that more work needs to be done to confirm that this is the only change needed (but again, I don't really have the time to do it myself).

I've sent the new defs to Mark0 to look at.
« Last Edit: January 12, 2021, 01:50:52 AM by Erik Siers »

Mark0

  • Administrator
  • Hero Member
  • *****
  • Posts: 2743
    • Mark0's Home Page
Re: New Mach-O ARM64 format
« Reply #1 on: January 12, 2021, 03:28:47 AM »
Thanks Erik! Will check!

Erik Siers

Re: New Mach-O ARM64 format
« Reply #2 on: January 12, 2021, 08:55:04 PM »
So I dug out a copy of the Mach-O spec, and it turns out that the info I found is exactly what's needed. In short, right after the magic number is another 4 bytes specifying the CPU type, so:

PowerPC 32-bit: 0x00000012 (big-endian)
PowerPC 64-bit: 0x01000012 (big-endian)
x86: 0x00000007
x64: 0x01000007
ARM: 0x0000000c
ARM64: 0x0100000c

(Interesting to note that they indicate 64-bit by just adding 0x01000000 to the 32-bit value.)
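
The header check described in the post above, written out as an added example (not part of the original post and not TrID's own code). It reads the magic, decodes the 4-byte CPU type in the byte order the magic implies, and reports when the two disagree about 32/64-bit. The function name, the three magics other than CF-FA-ED-FE (standard values from `<mach-o/loader.h>`) and the sample headers are assumptions; only single-architecture headers are handled.

```python
import struct

# On-disk magic -> (struct byte order, word size). Only CF FA ED FE is from the
# thread; the other three are the standard thin Mach-O magics (assumption).
MAGICS = {
    bytes.fromhex("cefaedfe"): ("<", 32),
    bytes.fromhex("cffaedfe"): ("<", 64),
    bytes.fromhex("feedface"): (">", 32),
    bytes.fromhex("feedfacf"): (">", 64),
}
ABI64 = 0x01000000  # flag that turns a 32-bit CPU type into its 64-bit variant

# CPU type values as listed in the post above.
CPU_TYPES = {
    0x00000012: "PowerPC 32-bit",
    0x01000012: "PowerPC 64-bit",
    0x00000007: "x86",
    0x01000007: "x64",
    0x0000000C: "ARM",
    0x0100000C: "ARM64",
}


def identify_macho(header: bytes) -> str:
    """Classify a single-architecture Mach-O file from its first 8 bytes."""
    fmt = MAGICS.get(header[:4]) if len(header) >= 8 else None
    if fmt is None:
        return "not a thin Mach-O header"
    order, bits = fmt
    # Decode cputype with the byte order the magic announces.
    (cputype,) = struct.unpack(order + "I", header[4:8])
    name = CPU_TYPES.get(cputype, f"unknown CPU type 0x{cputype:08x}")
    # Magic and CPU type both encode 32/64-bit; report any disagreement.
    if bool(cputype & ABI64) != (bits == 64):
        return f"Mach-O {name} (magic says {bits}-bit: inconsistent header)"
    return f"Mach-O {name}"


# Constructed sample headers (magic + cputype only), not taken from real files.
SAMPLES = {
    "intel": bytes.fromhex("cffaedfe07000001"),
    "arm64": bytes.fromhex("cffaedfe0c000001"),
    "ppc": bytes.fromhex("feedface00000012"),
    "odd": bytes.fromhex("cffaedfe0c000000"),
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, "->", identify_macho(hdr))
```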

Mark0

Re: New Mach-O ARM64 format
« Reply #3 on: January 13, 2021, 11:48:19 AM »
Nice! Thanks!