UniBin
Supported formats
macOS Universal Binary
Description
A macOS Universal Binary, often referred to as a UniBin or fat binary, is a type of binary file that can run on multiple processor architectures. It allows a single executable file to contain code for different hardware platforms, making it compatible across different types of machines. This backend extracts embedded MachO executables for further analysis.
Info: Available in Contextal Platform 1.0 and later.
Symbols
Object
LIMITS_REACHED => limits triggered while processing the universal binary
Children
TOOBIG => this child object was not extracted as it exceeds the limits
Example Metadata
{
  "org": "ctx",
  "object_id": "a1423905bde16805edfa3cd72535271e9cad430baff7690402d1e148d369270b",
  "object_type": "UniBin",
  "object_subtype": null,
  "recursion_level": 1,
  "size": 168032,
  "hashes": {
    "md5": "cf18125e4b44d3f92d7c9af52a9d2838",
    "sha1": "e44c7d402a2db35a348c44cb5638316ffa253c9b",
    "sha256": "a1423905bde16805edfa3cd72535271e9cad430baff7690402d1e148d369270b",
    "sha512": "3b1a7607b27b57ee52b6b179dd84931f5fb1bdd1a5052bdd0b44b8d2407a3dc2de59494476db5a667a289ac0e579e4f6823fd1d4ea22b38a274e94f9df93fecc"
  },
  "ctime": 1708616635.825933,
  "relation_metadata": {},
  "ok": {
    "symbols": [],
    "object_metadata": {
      "_backend_version": "1.0.0",
      "magic": 3199925962,
      "nfat_arch": 2
    },
    "children": [
      {
        "org": "ctx",
        "object_id": "fbaa14afa4e7a04c323f78e8c8b505cc3e5e63e64eda02e775c60ac5c602fbe9",
        "object_type": "MachO",
        "object_subtype": null,
        "recursion_level": 2,
        "size": 69744,
        "hashes": {
          "sha1": "3aeb2bf5c842c42a7fdc460715e8034fb15b4277",
          "sha512": "0bc5a63b843bee71ef3cc38b6ae39cbd169cced1b622c873910a7b044b661be87f5da04f4711b29b06e7a4ebe9da601de0c8ca6ae90eec6158b9eb1770888a99",
          "md5": "1b41570577564be596cb8334cc809e9a",
          "sha256": "fbaa14afa4e7a04c323f78e8c8b505cc3e5e63e64eda02e775c60ac5c602fbe9"
        },
        "ctime": 1708616635.825933,
        "relation_metadata": {
          "align": 14,
          "cpusubtype": 3,
          "cputype": 16777223,
          "cputypestr": "X86_64",
          "offset": 16384,
          "size": 69744
        },
        [...]
      {
        "org": "ctx",
        "object_id": "909813437c65bd4747f46bfe8476591189c5e4fe7a51b92b2524371773f3e9ba",
        "object_type": "MachO",
        "object_subtype": null,
        "recursion_level": 2,
        "size": 69728,
        "hashes": {
          "sha512": "2328074211c564a4a2a0eb999ef82f8f35ae63b0b1a65e8208fd4feddb1a2125d17d184ebe4e7521e56c6771d7468230422c2395b01afb1a3cfe2471762a0d3d",
          "sha1": "c61fdc111f803d8cbabc2f8b337ad5c6c5567e81",
          "sha256": "909813437c65bd4747f46bfe8476591189c5e4fe7a51b92b2524371773f3e9ba",
          "md5": "bdc6eb8553759d893fed98d346a68f4f"
        },
        "ctime": 1708616635.825933,
        "relation_metadata": {
          "align": 14,
          "cpusubtype": 2147483650,
          "cputype": 16777228,
          "cputypestr": "ARM64",
          "offset": 98304,
          "size": 69728
        },
        [...]
Example Queries
object_type == "UniBin"
&& @has_child(@match_relation_meta($cputypestr == "ARM64"))
- This query matches a UniBin which contains code for ARM64.
Configuration Options
max_processed_size → maximum size of the input object that will be processed (default: 262144000)
max_children → maximum number of child objects to create (default: 5)
max_child_input_size → maximum size of a single input child object (default: 125829120)
max_child_output_size → maximum size of a single output child object (default: 125829120)
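The fat header layout behind the magic, nfat_arch and relation_metadata fields in the example metadata, as an added Python sketch (not Contextal's code). The names parse_fat and build_sample are hypothetical, the sample input is constructed, only the 32-bit header variant is handled, and the mapping of limits to LIMITS_REACHED and TOOBIG is an assumption based on the descriptions above.

```python
import struct

FAT_MAGIC = 0xCAFEBABE  # 32-bit fat header; all header fields are big-endian on disk
CPU_NAMES = {0x01000007: "X86_64", 0x0100000C: "ARM64"}  # subset of CPU_TYPE_* values


def build_sample():
    """Constructed input: header reuses the cputype/offset/size/align values shown above."""
    archs = [(0x01000007, 3, 16384, 69744, 14),
             (0x0100000C, 0x80000002, 98304, 69728, 14)]
    header = struct.pack(">II", FAT_MAGIC, len(archs))
    header += b"".join(struct.pack(">5I", *a) for a in archs)
    return header.ljust(98304 + 69728, b"\0")  # zero-filled slices, not real Mach-O


def parse_fat(data, max_children=5, max_child_input_size=125829120):
    """Return (object_symbols, children). Limit handling is an assumption modelled
    on the option names; it is not the backend's actual logic."""
    if len(data) < 8:
        raise ValueError("truncated fat header")
    magic, nfat_arch = struct.unpack_from(">II", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a 32-bit fat binary")
    table_end = 8 + 20 * nfat_arch  # 8-byte header plus 20 bytes per fat_arch entry
    if table_end > len(data):
        raise ValueError("fat_arch table runs past end of file")
    symbols, children = [], []
    for i in range(nfat_arch):
        if i >= max_children:  # stop before creating more children than allowed
            symbols.append("LIMITS_REACHED")
            break
        cputype, cpusubtype, offset, size, align = struct.unpack_from(">5I", data, 8 + 20 * i)
        if offset < table_end or offset + size > len(data):
            raise ValueError(f"slice {i} overlaps the header or lies outside the file")
        child = {"cputype": cputype, "cpusubtype": cpusubtype, "offset": offset,
                 "size": size, "align": align,
                 "cputypestr": CPU_NAMES.get(cputype, "UNKNOWN"), "symbols": [], "data": None}
        if size > max_child_input_size:  # record the slice but do not extract it
            child["symbols"].append("TOOBIG")
            if "LIMITS_REACHED" not in symbols:
                symbols.append("LIMITS_REACHED")
        else:
            child["data"] = data[offset:offset + size]
        children.append(child)
    return symbols, children
```

The magic value 3199925962 in the example metadata is 0xBEBAFECA, which is what the on-disk bytes CA FE BA BE give when read as a little-endian integer. Each offset is a multiple of 2^align (2^14 = 16384 in the example).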