
Symbols look broken on macOS arm64 13.2.1 (22D68) #54

Open
ViRb3 opened this issue Mar 10, 2023 · 3 comments

Comments

@ViRb3

ViRb3 commented Mar 10, 2023

Describe the bug

The symbols for many functions seem wrong:

Screenshot 2023-03-10 at 00 55 50

To Reproduce

I don't know if this use case is supported, but on M1 (arm64) macOS 13.2.1, the shared cache is located under:

  • /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/

Full list:

aot_shared_cache.0
aot_shared_cache.1
aot_shared_cache.2
aot_shared_cache.3
aot_shared_cache.4
dyld_shared_cache_arm64e
dyld_shared_cache_arm64e.01
dyld_shared_cache_arm64e.map
dyld_shared_cache_x86_64
dyld_shared_cache_x86_64.01
dyld_shared_cache_x86_64.02
dyld_shared_cache_x86_64.03
dyld_shared_cache_x86_64.04
dyld_shared_cache_x86_64.map

So, I tried to extract CloudKit using:

dyldex -e "cloudkit" /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e

It gave me a symbols error:

[  ERROR  ] linkedit_optimizer.py:271 : Symbols Cache doesn't contain local symbols.

But I guess that's expected, since there is no .symbols file. The binary is extracted anyway. I then load it into IDA, and see the output above. Apart from the symbols, everything else looks good.
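As an added example (not part of this issue and not DyldExtractor's own code): the "doesn't contain local symbols" situation can be checked before extracting by reading the leading fields of the cache's `dyld_cache_header`. The field offsets below (magic at 0x00, mapping offset/count at 0x10, localSymbolsOffset/localSymbolsSize at 0x48/0x50, UUID at 0x58) are assumed from Apple's `dyld_cache_format.h`; a cache whose local symbols were shipped in a separate `.symbols` subcache, or stripped entirely as in this report, advertises a zero offset and size here. The header bytes used in the demo are constructed, not taken from a real cache.

```python
import struct

# Offsets of the leading dyld_cache_header fields (assumed from dyld_cache_format.h).
MAGIC_OFF = 0x00                 # char magic[16], e.g. "dyld_v1  arm64e"
MAPPING_OFFSET_OFF = 0x10        # uint32 mappingOffset
MAPPING_COUNT_OFF = 0x14         # uint32 mappingCount
LOCAL_SYMBOLS_OFFSET_OFF = 0x48  # uint64 localSymbolsOffset
LOCAL_SYMBOLS_SIZE_OFF = 0x50    # uint64 localSymbolsSize
UUID_OFF = 0x58                  # uint8 uuid[16]
HEADER_PREFIX_LEN = 0x68         # bytes needed for the fields above


def parse_cache_header(data: bytes) -> dict:
    """Parse the leading fields of a dyld shared cache header from raw bytes."""
    if len(data) < HEADER_PREFIX_LEN:
        raise ValueError("file too short to be a dyld shared cache")
    magic = data[MAGIC_OFF:MAGIC_OFF + 16].split(b"\x00", 1)[0].decode("ascii", "replace")
    if not magic.startswith("dyld_v1"):
        raise ValueError(f"bad magic: {magic!r}")
    mapping_offset, mapping_count = struct.unpack_from("<II", data, MAPPING_OFFSET_OFF)
    local_off, local_size = struct.unpack_from("<QQ", data, LOCAL_SYMBOLS_OFFSET_OFF)
    return {
        "magic": magic,
        "arch": magic[len("dyld_v1"):].strip(),   # architecture tag after the version string
        "mapping_offset": mapping_offset,
        "mapping_count": mapping_count,
        "local_symbols_offset": local_off,
        "local_symbols_size": local_size,
        "uuid": data[UUID_OFF:UUID_OFF + 16].hex(),
    }


def has_local_symbols(header: dict) -> bool:
    """True only if the header points at a non-empty local-symbols region."""
    return header["local_symbols_offset"] != 0 and header["local_symbols_size"] != 0


def check_cache_file(path: str) -> dict:
    """Read just the header prefix of a cache on disk and report the symbol status."""
    with open(path, "rb") as f:
        header = parse_cache_header(f.read(HEADER_PREFIX_LEN))
    header["has_local_symbols"] = has_local_symbols(header)
    return header


def build_fake_header(arch: str, local_off: int, local_size: int) -> bytes:
    """Constructed sample header for offline demonstration; not a real cache."""
    buf = bytearray(HEADER_PREFIX_LEN)
    magic = f"dyld_v1  {arch}".encode("ascii")
    buf[MAGIC_OFF:MAGIC_OFF + len(magic)] = magic
    struct.pack_into("<II", buf, MAPPING_OFFSET_OFF, HEADER_PREFIX_LEN, 3)
    struct.pack_into("<QQ", buf, LOCAL_SYMBOLS_OFFSET_OFF, local_off, local_size)
    buf[UUID_OFF:UUID_OFF + 16] = bytes(range(16))
    return bytes(buf)


if __name__ == "__main__":
    # Constructed arm64e header with no local symbols, like the cache in this report.
    hdr = parse_cache_header(build_fake_header("arm64e", 0, 0))
    print(hdr["arch"], "local symbols present:", has_local_symbols(hdr))
```

Running `check_cache_file` against a real `dyld_shared_cache_arm64e` tells you up front whether the local-symbols error is expected for that cache rather than a sign of a broken extraction.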

@arandomdev
Owner

You are correct about the local symbols. They don't seem to be present in the image as well. As for the incorrect symbols, I'm kind of at a loss, because the string with "See header comments" corresponds to a CFString used for logging. It might be an issue with IDA, but I'm not sure as I don't have a copy.

Lastly, while extraction succeeds for arm64e, it is heavily broken without better metadata support.

@torarnv

torarnv commented Sep 25, 2023

I can reproduce the broken selectors by loading the extracted binaries into both Hopper and Binary Ninja, so I believe there's something broken on the DyldExtractor side.

This is extracting the 13.6 /System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_arm64e

@fabianfreyer
Contributor

Can also confirm this with the 14.1.2 dyld_shared_cache_arm64e.
