Docs

General concepts

Zero-the-Hero (ZtH, 0tH) is a Mach-O binary analyser focused on deep parsing, speed, precision, and diagnostics.

It is designed for reverse engineers, hackers, and security researchers, providing a fast and structured way to explore and inspect Mach-O executables.

ZtH is an interactive REPL, similar in spirit to tools like msfconsole.

Scope:

  • Mach-O 64-bit binaries

  • Universal FAT files

  • Uncommon load commands

  • Segments and sections

  • Strings extraction and analysis

  • Anomalies detection


Basic terminology

Load Commands (LC)

For an in-depth discussion, see the Mach-O-Nomicon.

Instructions in the Mach-O header that describe how the binary should be loaded and interpreted. They define elements such as segments, symbol tables, UUID, entry point, and more.


File offset

The position in bytes from the beginning of the file.

Example: offset 0x1000 means “4096 bytes from the start of the file on disk”.


VM address

The address in the process’s virtual memory where the data will be mapped when the binary is loaded.

Example: a function stored at file offset 0x1000 may be mapped to VM address 0x100000F50 when the binary is loaded into memory.


Segments and Sections

A SEGMENT_64 (or in older binaries, SEGMENT) is a specific type of load command.

Typical segment names include __TEXT or __DATA.

Each segment can contain sections, which store more granular data.

For example:

  • Segment __TEXT may contain sections like __text (code) or __cstring (constant strings).

  • Segment __DATA may contain sections like __data (mutable data) or __bss (zero-initialized data).
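The following is an added example, not code from ZtH: a minimal parser that walks the load commands of a Mach-O 64 header the way lc_list does, collects the LC_SEGMENT_64 segments with their sections, and translates a file offset into the VM address it is mapped at. The input is a constructed in-memory Mach-O (one __TEXT segment holding a __text section plus an LC_UUID), not a real binary, and the cmdsize bounds check shows the kind of malformed load command an analyser must refuse to read past.

```python
import struct

MH_MAGIC_64, LC_SEGMENT_64, LC_UUID = 0xFEEDFACF, 0x19, 0x1B
HDR, SEG, SECT = "<IiiIIIII", "<II16sQQQQiiII", "<16s16sQQIIIIIIII"  # 32, 72, 80 bytes

def build_sample() -> bytes:
    """Constructed minimal Mach-O 64 image (not a real binary): header, one
    LC_SEGMENT_64 (__TEXT holding a __text section) and one LC_UUID."""
    sect = struct.pack(SECT, b"__text", b"__TEXT", 0x100000F50, 0x100, 0xF50,
                       4, 0, 0, 0x80000400, 0, 0, 0)
    seg = struct.pack(SEG, LC_SEGMENT_64, 72 + len(sect), b"__TEXT",
                      0x100000000, 0x2000, 0, 0x2000, 5, 5, 1, 0) + sect
    cmds = seg + struct.pack("<II16s", LC_UUID, 24, bytes(range(16)))
    return struct.pack(HDR, MH_MAGIC_64, 0x100000C, 0, 2, 2, len(cmds), 0, 0) + cmds

def parse(data: bytes) -> dict:
    """Walk the load commands (what lc_list shows) and collect segments/sections."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HDR, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    cmds, segs, off = [], [], 32
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        # A bogus cmdsize is the classic malformed-LC trap: stop rather than read past sizeofcmds
        if cmdsize < 8 or off + cmdsize > 32 + sizeofcmds:
            raise ValueError(f"load command at 0x{off:x} overruns sizeofcmds")
        cmds.append(cmd)
        if cmd == LC_SEGMENT_64:
            f = struct.unpack_from(SEG, data, off)
            if 72 + 80 * f[9] > cmdsize:  # nsects section_64 records must fit inside the command
                raise ValueError(f"segment at 0x{off:x} declares more sections than cmdsize holds")
            sects = []
            for i in range(f[9]):
                s = struct.unpack_from(SECT, data, off + 72 + 80 * i)
                sects.append((s[0].rstrip(b"\0").decode(), s[2], s[3], s[4]))  # name, addr, size, offset
            segs.append({"name": f[2].rstrip(b"\0").decode(), "vmaddr": f[3],
                         "fileoff": f[5], "filesize": f[6], "sections": sects})
        off += cmdsize
    return {"cmds": cmds, "segments": segs}

def fileoff_to_vmaddr(info: dict, fileoff: int):
    """Map a file offset to the VM address it is loaded at, plus the covering section."""
    for seg in info["segments"]:
        if seg["fileoff"] <= fileoff < seg["fileoff"] + seg["filesize"]:
            vm = seg["vmaddr"] + (fileoff - seg["fileoff"])
            for name, addr, size, _ in seg["sections"]:
                if addr <= vm < addr + size:
                    return vm, f"{seg['name']},{name}"
            return vm, seg["name"]
    return None  # offset is not mapped by any segment (e.g. unmapped padding)

if __name__ == "__main__":
    info = parse(build_sample())
    print([hex(c) for c in info["cmds"]], fileoff_to_vmaddr(info, 0x1000))
```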


Typical Workflow and Commands

ZtH is built around the concept of a context: every command acts on the currently loaded binary, so the first required operation is to load the binary to analyse (command: load). Right after loading, ZtH already prints a summary of the file.


Command: lc_list

Syntax:

lc_list

Synopsis

lc_list lists all the Load Commands in the currently loaded file.


Command: lc_show

Syntax:

lc_show n

Synopsis

lc_show n shows all the information about the n-th load command (note that load commands are numbered from 0) obtained from the deep parsing of the Mach-O file.

Typical workflow (Golden Path)

  1. map for an overview of segments and sections.

  2. strings → str_grep <pattern> → jump match N.

  3. anomalies to check the file for anomalies.