Docs
====

.. toctree::
   :maxdepth: 1

   index

General concepts
----------------

Zero-the-Hero (ZtH, 0tH) is a Mach-O binary analyser focused on deep parsing, speed, precision, and diagnostics. It is designed for reverse engineers, hackers, and security researchers, providing a fast and structured way to explore and inspect Mach-O executables.

ZtH is an **interactive REPL**, similar in spirit to tools like ``msfconsole``.

Scope:

- Mach-O 64-bit binaries
- Universal FAT files
- Uncommon load commands
- Segments and sections
- Strings extraction and analysis
- Anomaly detection

********

Basic terminology
-----------------

**Load Commands (LC)**

*For an in-depth discussion, see the Mach-O-Nomicon.*

Instructions in the Mach-O header that describe how the binary should be loaded and interpreted. They define elements such as segments, symbol tables, UUID, entry point, and more.

********

**File offset**

The position in bytes from the beginning of the file. Example: offset ``0x1000`` means “4096 bytes from the start of the file on disk”.

********

**VM address**

The address in the process’s virtual memory where the data will be mapped when the binary is loaded. Example: a function stored at file offset ``0x1000`` may be mapped to VM address ``0x100000F50`` when the binary is loaded into memory.

********

**Segments and Sections**

A ``SEGMENT_64`` (or, in older binaries, ``SEGMENT``) is a specific type of load command. Typical segment names include ``__TEXT`` or ``__DATA``. Each segment can contain **sections**, which store more granular data. For example:

- Segment ``__TEXT`` may contain sections like ``__text`` (code) or ``__cstring`` (constant strings).
- Segment ``__DATA`` may contain sections like ``__data`` (mutable data) or ``__bss`` (zero-initialized data).

********

Typical Workflow and Commands
-----------------------------

0tH is rooted in the concept of **context**. To act upon a binary, it must first be loaded. Hence, the first required operation is to load (command: ``load``) the binary to analyse. After loading, 0tH already prints some summary information.

********

Command: ``lc_list``
^^^^^^^^^^^^^^^^^^^^

**Syntax:** ``lc_list``

**Synopsis**

``lc_list`` lists all the load commands in the currently loaded file.

********

Command: ``lc_show``
^^^^^^^^^^^^^^^^^^^^

**Syntax:** ``lc_show n``

**Synopsis**

``lc_show n`` shows all the information about the ``n``-th load command (note that the first LC is labelled 0), obtained from the deep parsing of the Mach-O file.

Typical workflow (Golden Path)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

4. ``map`` for an overview of segments/sections.
5. ``strings`` → ``str_grep`` → ``jump match N``.
6. ``anomalies`` for verification.
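The terminology above (load commands, file offsets, VM addresses, segments and sections) and the ``lc_list``/``lc_show`` commands can be seen working together in the following script. It is an added example and not part of ZtH's code base or documentation: it constructs a minimal 64-bit Mach-O image in memory (a constructed arm64 ``MH_EXECUTE`` with ``__PAGEZERO``, ``__TEXT``, ``__DATA``, ``LC_UUID`` and ``LC_MAIN``), walks the header and load commands the way ``lc_list``/``lc_show`` present them, translates file offsets to VM addresses through the segment table, and runs a few structural checks of the kind an ``anomalies`` pass makes. The function names ``lc_list``, ``lc_show`` and ``anomalies`` only mirror the command names; the structure layouts are the standard ``mach_header_64``, ``segment_command_64`` and ``section_64`` definitions.

```python
"""Added example (not ZtH's own code): minimal Mach-O 64-bit load-command walker.
The input image is constructed in memory; LC names are mapped only for the
commands the sample contains, everything else is kept as a raw entry."""
import struct
import uuid

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_UUID = 0x1B
LC_MAIN = 0x80000028          # LC_REQ_DYLD | 0x28
LC_NAMES = {LC_SEGMENT_64: "LC_SEGMENT_64", LC_UUID: "LC_UUID", LC_MAIN: "LC_MAIN"}
HDR = "<IiiIIIII"             # mach_header_64 (32 bytes)
SEG = "<II16sQQQQiiII"        # segment_command_64 (72 bytes)
SECT = "<16s16sQQIIIIIIII"    # section_64 (80 bytes)


def _pad16(name):             # fixed 16-byte, NUL-padded segment/section name
    return name.encode().ljust(16, b"\0")


def _unpad(raw):
    return raw.rstrip(b"\0").decode()


def _section(sectname, segname, addr, size, offset):
    return struct.pack(SECT, _pad16(sectname), _pad16(segname), addr, size, offset, 4, 0, 0, 0, 0, 0, 0)


def _segment(segname, vmaddr, vmsize, fileoff, filesize, sections):
    body = b"".join(sections)
    return struct.pack(SEG, LC_SEGMENT_64, 72 + len(body), _pad16(segname), vmaddr, vmsize,
                       fileoff, filesize, 7, 5, len(sections), 0) + body


def build_sample_macho():
    """Constructed arm64 MH_EXECUTE: __PAGEZERO, __TEXT (2 sections), __DATA (1 section), LC_UUID, LC_MAIN."""
    cmds = (
        _segment("__PAGEZERO", 0, 0x100000000, 0, 0, [])
        + _segment("__TEXT", 0x100000000, 0x4000, 0, 0x4000, [
            _section("__text", "__TEXT", 0x100000F50, 0x100, 0xF50),
            _section("__cstring", "__TEXT", 0x100001050, 0x20, 0x1050)])
        + _segment("__DATA", 0x100004000, 0x4000, 0x4000, 0x4000, [
            _section("__data", "__DATA", 0x100004000, 0x10, 0x4000)])
        + struct.pack("<II16s", LC_UUID, 24, bytes(range(16)))   # constructed UUID value
        + struct.pack("<IIQQ", LC_MAIN, 24, 0xF50, 0)            # entry point at file offset 0xF50
    )
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE, flags = NOUNDEFS|DYLDLINK|TWOLEVEL|PIE
    return struct.pack(HDR, MH_MAGIC_64, 0x0100000C, 0, 2, 5, len(cmds), 0x00200085, 0) + cmds


def parse_macho(data):
    """Walk the header and every load command; the first LC gets index 0, as in ``lc_show``."""
    magic, cputype, _, filetype, ncmds, sizeofcmds, flags, _ = struct.unpack_from(HDR, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (FAT and 32-bit images not handled here)")
    cmds, off = [], 32
    for i in range(ncmds):
        if off + 8 > len(data):
            raise ValueError(f"LC {i}: header claims more commands than the file holds")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):   # a bogus cmdsize is a classic malformed-file sign
            raise ValueError(f"LC {i}: cmdsize {cmdsize:#x} runs past end of file")
        lc = {"index": i, "cmd": cmd, "name": LC_NAMES.get(cmd, f"LC_{cmd:#x}"), "cmdsize": cmdsize, "file_offset": off}
        if cmd == LC_SEGMENT_64:
            _, _, segname, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, _ = struct.unpack_from(SEG, data, off)
            sections = []
            for k in range(nsects):
                sectname, _, addr, size, soff = struct.unpack_from("<16s16sQQI", data, off + 72 + 80 * k)
                sections.append({"name": _unpad(sectname), "addr": addr, "size": size, "offset": soff})
            lc.update(segname=_unpad(segname), vmaddr=vmaddr, vmsize=vmsize, fileoff=fileoff,
                      filesize=filesize, maxprot=maxprot, initprot=initprot, sections=sections)
        elif cmd == LC_UUID:
            lc["uuid"] = str(uuid.UUID(bytes=bytes(data[off + 8:off + 24])))
        elif cmd == LC_MAIN:
            lc["entryoff"], lc["stacksize"] = struct.unpack_from("<QQ", data, off + 8)
        cmds.append(lc)
        off += cmdsize
    return {"cputype": cputype, "filetype": filetype, "flags": flags, "ncmds": ncmds,
            "sizeofcmds": sizeofcmds, "commands": cmds}


def lc_list(parsed):
    """Mirror of ``lc_list``: index and name of every load command."""
    return [(lc["index"], lc["name"]) for lc in parsed["commands"]]


def lc_show(parsed, n):
    """Mirror of ``lc_show n``: the fully parsed n-th load command."""
    return parsed["commands"][n]


def _mapped_segments(parsed):
    # __PAGEZERO (filesize 0) maps no file bytes, so it can never back a file offset
    return [lc for lc in parsed["commands"] if lc["cmd"] == LC_SEGMENT_64 and lc["filesize"]]


def file_offset_to_vmaddr(parsed, file_off):
    for seg in _mapped_segments(parsed):
        if seg["fileoff"] <= file_off < seg["fileoff"] + seg["filesize"]:
            return seg["vmaddr"] + (file_off - seg["fileoff"])
    return None                # offset not backed by any segment


def vmaddr_to_file_offset(parsed, vmaddr):
    for seg in _mapped_segments(parsed):   # upper bound is filesize: bytes past it are not on disk
        if seg["vmaddr"] <= vmaddr < seg["vmaddr"] + seg["filesize"]:
            return seg["fileoff"] + (vmaddr - seg["vmaddr"])
    return None


def anomalies(parsed):
    """Structural checks of the kind an anomaly pass makes; returns human-readable findings."""
    found = []
    total = sum(lc["cmdsize"] for lc in parsed["commands"])
    if total != parsed["sizeofcmds"]:
        found.append(f"sum of cmdsize {total:#x} != header sizeofcmds {parsed['sizeofcmds']:#x}")
    for lc in parsed["commands"]:
        if lc["cmdsize"] % 8:
            found.append(f"LC {lc['index']} ({lc['name']}): cmdsize {lc['cmdsize']} not 8-byte aligned")
        for s in lc.get("sections", []):
            if not (lc["vmaddr"] <= s["addr"] and s["addr"] + s["size"] <= lc["vmaddr"] + lc["vmsize"]):
                found.append(f"section {s['name']} lies outside segment {lc['segname']} VM range")
    return found


def corrupt_sizeofcmds(image, value):
    """Copy of the image with header sizeofcmds (byte offset 20) overwritten, to exercise anomalies()."""
    out = bytearray(image)
    struct.pack_into("<I", out, 20, value)
    return bytes(out)


if __name__ == "__main__":
    parsed = parse_macho(build_sample_macho())
    for idx, name in lc_list(parsed):
        print(idx, name)
    print(lc_show(parsed, 1)["segname"], [s["name"] for s in lc_show(parsed, 1)["sections"]])
    print(hex(file_offset_to_vmaddr(parsed, lc_show(parsed, 4)["entryoff"])))
    print(anomalies(parse_macho(corrupt_sizeofcmds(build_sample_macho(), 0x400))))
```

Two design points are worth noting. Offset translation deliberately ignores segments with ``filesize == 0`` (``__PAGEZERO``) and bounds the VM-to-file direction by ``filesize`` rather than ``vmsize``, since bytes in the zero-filled tail of a segment have no position on disk. The parser refuses a ``cmdsize`` that is smaller than the LC header or runs past the end of the image before touching it, which is exactly where hand-edited or packed binaries tend to break naive walkers.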