As of macOS Big Sur, instead of shipping the system libraries with macOS, Apple ships a generated cache of all built in dynamic libraries and excludes the originals. This tool allows you to extract these libraries from the cache for reverse engineering.
Extract the default shared cache to `/tmp/libraries`:

```sh
dyld-shared-cache-extractor \
  /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e \
  /tmp/libraries
```
If this fails it could be because the shared cache format has changed, and the version you're trying to extract isn't supported by the version of Xcode you have selected globally (which you can view with `xcode-select -p` and `xcodebuild -version`). In this case you might have to download a newer version of Xcode (potentially a beta version if you're trying to extract the cache from a beta OS version) and override the Xcode version when running `dyld-shared-cache-extractor`:

```sh
DEVELOPER_DIR=/Applications/Xcode-beta.app \
  dyld-shared-cache-extractor \
  /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e \
  /tmp/libraries
```
If you want to prefer the system installation of `dsc_extractor.bundle` instead of Xcode's version, you can pass it manually on the command line:

```sh
dyld-shared-cache-extractor \
  /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e \
  /tmp/libraries \
  /usr/lib/dsc_extractor.bundle
```
On macOS versions before Ventura the shared cache was in a different location; you can extract it on those older macOS versions with:

```sh
dyld-shared-cache-extractor \
  /System/Library/dyld/dyld_shared_cache_arm64e \
  /tmp/libraries
```
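The invocations above differ only in where the cache lives and which `dsc_extractor.bundle` gets used. The following script is an added example (not part of dyld-shared-cache-extractor itself) that wraps them: it picks the cache location that exists on the running system (Ventura's cryptex path first, then the pre-Ventura path), honours `DEVELOPER_DIR` and an optional bundle override, and then checks that the output actually contains Mach-O files. It assumes `dyld-shared-cache-extractor` is on `PATH` with the positional arguments shown above, that the extractor writes each dylib at its install path under the output directory, and that `usr/lib/libSystem.B.dylib` is among the cached libraries; the `DSC_BUNDLE` variable is this script's own convention, not a tool option.

```shell
#!/bin/sh
# Added example wrapper around dyld-shared-cache-extractor (assumed on PATH).
set -u

# Print the first shared cache that exists for an architecture suffix.
# $1 = filesystem root ("" for the live system), $2 = e.g. arm64e or x86_64.
# Ventura and later keep the cache in the OS cryptex; earlier releases
# used /System/Library/dyld, so that path is tried second.
find_shared_cache() {
  root=$1
  arch=$2
  for candidate in \
    "$root/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_$arch" \
    "$root/System/Library/dyld/dyld_shared_cache_$arch"
  do
    if [ -f "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  done
  return 1
}

# Read the first four bytes of a file as lowercase hex, e.g. "cffaedfe"
# for a little-endian 64-bit Mach-O (MH_MAGIC_64 = 0xfeedfacf on disk).
magic_hex() {
  dd if="$1" bs=4 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Succeed if the file starts with a Mach-O magic: 32/64-bit thin images in
# either byte order, or a fat (universal) header.
is_macho() {
  case "$(magic_hex "$1")" in
    cffaedfe|cefaedfe|feedfacf|feedface|cafebabe|bebafeca) return 0 ;;
    *) return 1 ;;
  esac
}

# Count Mach-O files under a directory (extraction output).
count_macho() {
  find "$1" -type f | {
    n=0
    while IFS= read -r f; do
      if is_macho "$f"; then n=$((n + 1)); fi
    done
    printf '%s\n' "$n"
  }
}

# Preflight: confirm a dsc_extractor.bundle exports the entry point the
# extractor calls (dyld_shared_cache_extract_dylibs_progress, defined in
# dyld's dsc_extractor.cpp). Needs nm from the Xcode command-line tools.
bundle_has_entry_point() {
  nm -gU "$1" 2>/dev/null | grep -q 'dyld_shared_cache_extract_dylibs_progress'
}

# Extract the live system's cache for $1 into $2. Set DEVELOPER_DIR in the
# environment to select a (beta) Xcode; set DSC_BUNDLE (this script's own
# variable) to force a particular dsc_extractor.bundle, e.g. the system one.
extract_cache() {
  arch=$1
  out_dir=$2
  cache=$(find_shared_cache "" "$arch") || {
    echo "no dyld shared cache found for $arch" >&2
    return 1
  }
  if [ -n "${DSC_BUNDLE:-}" ]; then
    bundle_has_entry_point "$DSC_BUNDLE" ||
      echo "warning: $DSC_BUNDLE does not export the extractor entry point" >&2
    dyld-shared-cache-extractor "$cache" "$out_dir" "$DSC_BUNDLE" || return 1
  else
    dyld-shared-cache-extractor "$cache" "$out_dir" || return 1
  fi
  # Sanity check (assumption: libSystem is in every cache and lands at its
  # install path): a successful run yields a real Mach-O there.
  if ! is_macho "$out_dir/usr/lib/libSystem.B.dylib"; then
    echo "extraction produced no valid usr/lib/libSystem.B.dylib in $out_dir" >&2
    return 1
  fi
  echo "extracted $(count_macho "$out_dir") Mach-O files from $cache into $out_dir"
}

# Usage: sh extract.sh arm64e /tmp/libraries
if [ "$#" -eq 2 ]; then
  extract_cache "$1" "$2"
fi
```

`is_macho` deliberately checks only the magic; it is a quick filter to confirm the extractor wrote real images rather than empty files, not a full Mach-O parser.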
Install with Homebrew:

```sh
brew install keith/formulae/dyld-shared-cache-extractor
```

Manually:

```sh
cmake -B build
cmake --build build
cmake --install build
```
There are a few different ways you can interact with these shared caches.

- Depending on what you're doing, inspecting them in Hopper is the easiest option
- For a bit more functionality you can build the `dyld_shared_cache_util` target from the latest dyld source dump, but this requires some modifications

The problem with the two options above is that they can lag behind format changes in the shared cache. This tool loads the private `dsc_extractor.bundle` from Xcode, meaning it should always be able to extract the shared cache files even from beta OS versions (potentially using a beta Xcode version).
This logic is based on the function at the bottom of `dyld3/shared-cache/dsc_extractor.cpp` from the dyld source dump.