IDA 9.4: Apple Dyld Shared Cache workflow improvements

Over the years, the Apple ecosystem (iOS, macOS, …) has seen steady gains in security, application load-time, and more. One of the cornerstones enabling those is the "Dyld Shared Cache" (DSC): a highly specific collection of common system libraries, pre-optimized on many fronts and used across applications.

If you have spent time in that field, you have probably noticed that IDA's support for the DSC left a lot to be desired. It took us some time, but IDA 9.4 changes that dramatically, with a far more streamlined workflow, fewer hurdles, clearer feedback, and (perhaps most importantly) fluid navigation that is no longer broken by missing cross-references, the dreaded "red addresses".

What's new

In a nutshell, we have reconsidered the way reversers approach a Dyld Shared Cache as a whole.

Gone are the days of loading the entire DSC into the database just to keep cross-references intact. The user now gets fluid navigation across every part of the DSC - even the parts that are not loaded: those are brought in on demand.

IDA 9.4 also ships new, specialized widgets that keep the layout of the DSC in view at all times: what is currently loaded, what is available, and so on. Alongside them comes tooling built for very DSC-specific use cases:

  • load image(s) (that is, shared libraries) and their dependencies, down to N levels of depth
  • extract the list of dependencies from a user application and load those (plus dependencies, if needed)
  • find which image or section of the DSC contains specific symbols
  • find your way into the DSC straight from log messages
  • build your own tooling on top of a specialized API, the same one the entire UI is built on

These improvements went through several iterations with a very eager group of alpha-testers, and the result is an experience far ahead of what IDA 9.3 had to offer. 

Humans and agents

While IDA 9.4 ships brand new and specialized tooling, it is, by and large, all built on an API - one that humans and agents can both use. The API is, by design, simple, fast, and available in both C++ and Python. Point your agents at it, and they will trivially find their way.

How can I try it?

If you have not already, register for our beta program and give it a spin: point IDA at a DSC's "entrypoint" file and enjoy the trip. Feedback during the beta directly shapes the final release, so tell us what works and what doesn't.

What's next?

IDA 9.4 lays a new foundation for working with DSCs, and there is more to come: now that the groundwork is in place, we can start surfacing more of the data buried in the DSC internals. It is not the only thing on our radar either. KernelCaches and DriverKit share similarities with the DSC, so they should benefit from the same improvements - hopefully soon.

Finally, a huge thank-you to our squad of alpha testers - their feedback has been invaluable, and their suggestions greatly helped shape the result. Kudos to everyone who was involved!