UniBin

Supported formats

macOS Universal Binary

Description

A macOS Universal Binary, often referred to as a UniBin or fat binary, is a type of binary file that can run on multiple processor architectures. It allows a single executable file to contain code for different hardware platforms, making it compatible across different types of machines. This backend extracts embedded MachO executables for further analysis.

Info: Available in Contextal Platform 1.0 and later.

Symbols

Object

  • LIMITS_REACHED => limits triggered while processing the universal binary

Children

  • TOOBIG => this child object was not extracted as it exceeds the limits

Example Metadata

{
  "org": "ctx",
  "object_id": "a1423905bde16805edfa3cd72535271e9cad430baff7690402d1e148d369270b",
  "object_type": "UniBin",
  "object_subtype": null,
  "recursion_level": 1,
  "size": 168032,
  "hashes": {
    "md5": "cf18125e4b44d3f92d7c9af52a9d2838",
    "sha1": "e44c7d402a2db35a348c44cb5638316ffa253c9b",
    "sha256": "a1423905bde16805edfa3cd72535271e9cad430baff7690402d1e148d369270b",
    "sha512": "3b1a7607b27b57ee52b6b179dd84931f5fb1bdd1a5052bdd0b44b8d2407a3dc2de59494476db5a667a289ac0e579e4f6823fd1d4ea22b38a274e94f9df93fecc"
  },
  "ctime": 1708616635.825933,
  "relation_metadata": {},
  "ok": {
    "symbols": [],
    "object_metadata": {
      "_backend_version": "1.0.0",
      "magic": 3199925962,
      "nfat_arch": 2
    },
    "children": [
      {
        "org": "ctx",
        "object_id": "fbaa14afa4e7a04c323f78e8c8b505cc3e5e63e64eda02e775c60ac5c602fbe9",
        "object_type": "MachO",
        "object_subtype": null,
        "recursion_level": 2,
        "size": 69744,
        "hashes": {
          "sha1": "3aeb2bf5c842c42a7fdc460715e8034fb15b4277",
          "sha512": "0bc5a63b843bee71ef3cc38b6ae39cbd169cced1b622c873910a7b044b661be87f5da04f4711b29b06e7a4ebe9da601de0c8ca6ae90eec6158b9eb1770888a99",
          "md5": "1b41570577564be596cb8334cc809e9a",
          "sha256": "fbaa14afa4e7a04c323f78e8c8b505cc3e5e63e64eda02e775c60ac5c602fbe9"
        },
        "ctime": 1708616635.825933,
        "relation_metadata": {
          "align": 14,
          "cpusubtype": 3,
          "cputype": 16777223,
          "cputypestr": "X86_64",
          "offset": 16384,
          "size": 69744
        },
        [...]
      {
        "org": "ctx",
        "object_id": "909813437c65bd4747f46bfe8476591189c5e4fe7a51b92b2524371773f3e9ba",
        "object_type": "MachO",
        "object_subtype": null,
        "recursion_level": 2,
        "size": 69728,
        "hashes": {
          "sha512": "2328074211c564a4a2a0eb999ef82f8f35ae63b0b1a65e8208fd4feddb1a2125d17d184ebe4e7521e56c6771d7468230422c2395b01afb1a3cfe2471762a0d3d",
          "sha1": "c61fdc111f803d8cbabc2f8b337ad5c6c5567e81",
          "sha256": "909813437c65bd4747f46bfe8476591189c5e4fe7a51b92b2524371773f3e9ba",
          "md5": "bdc6eb8553759d893fed98d346a68f4f"
        },
        "ctime": 1708616635.825933,
        "relation_metadata": {
          "align": 14,
          "cpusubtype": 2147483650,
          "cputype": 16777228,
          "cputypestr": "ARM64",
          "offset": 98304,
          "size": 69728
        },
        [...]

Example Queries

object_type == "UniBin"
&& @has_child(@match_relation_meta($cputypestr == "ARM64"))
  • This query matches a UniBin that contains code for ARM64.

Configuration Options

  • max_processed_size → maximum size of the input object that will be processed (default: 262144000)
  • max_children → maximum number of child objects to create (default: 5)
  • max_child_input_size → maximum size of a single input child object (default: 125829120)
  • max_child_output_size → maximum size of a single output child object (default: 125829120)
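
To show where the relation metadata fields come from and how the limits above can map onto the symbols, here is an added example (not Contextal's code) that parses a 32-bit fat header, bounds-checks every slice, and applies max_children and max_child_input_size. The names parse_fat, build_sample and CPU_NAMES, the "UNKNOWN" fallback and the exact limit handling are assumptions made for illustration; the sample file is constructed from the slice layout in the example metadata with filler bytes as payload.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # big-endian on disk; read little-endian it is 3199925962, as in the metadata
CPU_NAMES = {0x01000007: "X86_64", 0x0100000C: "ARM64"}  # small subset of CPU types

def parse_fat(data, max_children=5, max_child_input_size=125829120):
    """Return (object_symbols, children); raise ValueError on a malformed header."""
    if len(data) < 8:
        raise ValueError("truncated fat_header")
    magic, nfat_arch = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a 32-bit universal binary")
    table_end = 8 + 20 * nfat_arch  # each fat_arch entry is five 32-bit fields
    if table_end > len(data):
        raise ValueError("fat_arch table runs past end of file")
    symbols, children = [], []
    for i in range(nfat_arch):
        if len(children) >= max_children:  # assumed mapping of max_children to the symbol
            symbols.append("LIMITS_REACHED")
            break
        cputype, cpusubtype, offset, size, align = struct.unpack_from(">5I", data, 8 + 20 * i)
        # A slice must start after the header table and end inside the file.
        if offset < table_end or offset + size > len(data):
            raise ValueError(f"slice {i} lies outside the file")
        child = {"cputype": cputype, "cpusubtype": cpusubtype,
                 "cputypestr": CPU_NAMES.get(cputype, "UNKNOWN"),
                 "offset": offset, "size": size, "align": align}
        if size > max_child_input_size:
            child["symbols"] = ["TOOBIG"]  # recorded but not extracted
        else:
            child["data"] = data[offset:offset + size]
        children.append(child)
    return symbols, children

def build_sample():
    """Constructed file: header values from the example metadata, zero-filled slices."""
    archs = [(0x01000007, 3, 16384, 69744, 14),
             (0x0100000C, 0x80000002, 98304, 69728, 14)]
    buf = bytearray(98304 + 69728)  # last slice offset + size
    struct.pack_into(">II", buf, 0, FAT_MAGIC, len(archs))
    for i, arch in enumerate(archs):
        struct.pack_into(">5I", buf, 8 + 20 * i, *arch)
    return bytes(buf)
```

The align value is a power-of-two exponent, so align 14 means each slice starts on a 16384-byte boundary, which matches both offsets in the example metadata.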