I am trying to find the libdyld.dylib file in macOS but I can't find it. According to the lldb debugger, it is supposed to be at /usr/lib/system/libdyld.dylib but it is not there... I read this Apple support page but it got me more confused... I understand that there is dyld that loads the code from somewhere... but from where? Where does the code of this lib come from?
Using macOS 12.5 Monterey, Mac M1.
Update: I looked into /usr/lib/dyld (there is no /System/Library/dyld file in my system). The code that I see in lldb when stepping into a lib function is different from the code I see when disassembling the same function in /usr/lib/dyld. E.g. let's take dlopen: the debugger (lldb) shows that there are 2 implementations
(lldbinit) image lookup -n dlopen
1 match found in /usr/lib/dyld:
        Address: dyld[0x0000000000025954] (dyld.__TEXT.__text + 149844)
        Summary: dyld`dyld4::APIs::dlopen(char const*, int)
1 match found in /usr/lib/system/libdyld.dylib:
        Address: libdyld.dylib[0x000000018033329c] (libdyld.dylib.__TEXT.__text + 1532)
        Summary: libdyld.dylib`dlopen
but when stepping into the dlopen function it chooses the one in /usr/lib/system/libdyld.dylib and not the one in /usr/lib/dyld:
(lldbinit) image lookup -v -a $pc
      Address: libdyld.dylib[0x000000018033329c] (libdyld.dylib.__TEXT.__text + 1532)
      Summary: libdyld.dylib`dlopen
       Module: file = "/usr/lib/system/libdyld.dylib", arch = "arm64e"
       Symbol: id = {0x000001a3}, range = [0x0000000182f5b29c-0x0000000182f5b2d0), name="dlopen"
Also the asm is different. When stepping into dlopen with lldb I see the following instructions:
dlopen @ /usr/lib/system/libdyld.dylib:
->  0x182f5b29c (0x18033329c): e2 03 01 aa  mov     x2, x1
    0x182f5b2a0 (0x1803332a0): e1 03 00 aa  mov     x1, x0
    0x182f5b2a4 (0x1803332a4): 68 7b 2c b0  adrp    x8, 364397
    0x182f5b2a8 (0x1803332a8): 00 39 43 f9  ldr     x0, [x8, #0x670]
    0x182f5b2ac (0x1803332ac): 10 00 40 f9  ldr     x16, [x0]
    0x182f5b2b0 (0x1803332b0): f1 03 00 aa  mov     x17, x0
    0x182f5b2b4 (0x1803332b4): 51 7f ec f2  movk    x17, #0x63fa, lsl #48
    0x182f5b2b8 (0x1803332b8): 30 1a c1 da  autda   x16, x17
    0x182f5b2bc (0x1803332bc): 03 0e 47 f8  ldr     x3, [x16, #0x70]!
    0x182f5b2c0 (0x1803332c0): e4 03 10 aa  mov     x4, x16
    0x182f5b2c4 (0x1803332c4): f0 03 04 aa  mov     x16, x4
    0x182f5b2c8 (0x1803332c8): 30 e6 f7 f2  movk    x16, #0xbf31, lsl 
and when disassembling dlopen in dyld I see the following instructions (jtool2 -d /usr/lib/dyld | less):
__ZN5dyld44APIs6dlopenEPKci:
25954   0xd503237f  PACIBSP
25958   0xa9bd57f6  STP         X22, X21, [SP, #-48]!
2595c   0xa9014ff4  STP         X20, X19, [SP, #16]
25960   0xa9027bfd  STP         X29, X30, [SP, #32]
25964   0x910083fd  ADD         X29, SP, #32
25968   0xaa0203f3  _MOV_R      X19, X2                 R19 = R2 (0x0)
2596c   0xaa0103f5  _MOV_R      X21, X1                 R21 = R1 (0x0)
25970   0xaa0003f6  _MOV_R      X22, X0                 R22 = R0 (0x0)
25974   0xaa1e03f4  _MOV_R      X20, X30                R20 = R30 (0x0)
25978   0xdac143f4  PACIA       X20, X31
2597c   0xf9400408  _LDR        X8, [X0, #8]            ...R8 = *(R0 + 8) = *0x8 = 0x780000002
25980   0xb9403508  _LDR        W8, [X8, #52]           ...R8 = *(R8 + 52) = *0x3c = 0x6000000000000
25984   0x7100091f  CMP         W8, #2
25988   0xfa400824  CCMP
2598c   0x540000e0  B.EQ        0x259a8
25990   0xaa1503e0  _MOV_R      X0, X21                 R0 = R21 (0x0)
So it is still a mystery: where does this dlopen code come from?
Since version 11, Apple has made some efforts to make it harder to reverse their shared libs and to optimize them.
Long story short, they merged most libs and frameworks into a single binary, which is loaded into memory on system start.
You can find it here: /System/Library/dyld/ (folder); there may be several file versions for Intel and ARM archs.
All such system libraries referenced from the Mach-O section of the binary you run are then mapped directly from the loaded dyld cache, so Apple does not need the libs to be on the filesystem anymore. They made some efforts for compatibility, so for most apps it still looks like they are present on disk though.
However, as Apple has to publish parts of their sources due to using a lot of open-source stuff, folks found the code responsible for the dyld cache and created several extractors, like this one: https://github.com/keith/dyld-shared-cache-extractor (you can even install it with brew).
So if you need to look inside some library, you will need to install the extractor, perform the extraction, and then you will have what you want.
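Added example (my own, not code from the question or the answer above): a Python script that asks the running loader where the code behind dlopen actually comes from, using dladdr plus two dyld.h calls that exist on macOS 11 and later, `_dyld_get_shared_cache_range` and `_dyld_shared_cache_contains_path` (assumed available; on platforms without them the functions return None). On the Monterey M1 setup described above it should report the image as /usr/lib/system/libdyld.dylib with on_disk False, in_shared_cache True and cache_knows_path True, which is the situation the answer describes.

```python
import ctypes
import os


class DlInfo(ctypes.Structure):
    # Dl_info from <dlfcn.h>; same layout on macOS and glibc.
    _fields_ = [("dli_fname", ctypes.c_char_p), ("dli_fbase", ctypes.c_void_p),
                ("dli_sname", ctypes.c_char_p), ("dli_saddr", ctypes.c_void_p)]


_proc = ctypes.CDLL(None)  # dlopen(NULL): search every image loaded in this process
_proc.dladdr.argtypes = [ctypes.c_void_p, ctypes.POINTER(DlInfo)]
_proc.dladdr.restype = ctypes.c_int


def symbol_address(name):
    """Resolve a symbol the way dlsym does and return its address as an int."""
    return ctypes.cast(getattr(_proc, name), ctypes.c_void_p).value


def image_for_address(addr):
    """(image path, symbol) the loader reports for addr, or None if unknown."""
    info = DlInfo()
    if not _proc.dladdr(addr, ctypes.byref(info)):
        return None
    return info.dli_fname.decode(), (info.dli_sname or b"").decode()


def shared_cache_range():
    """(base, length) of the mapped dyld cache; None where the API is absent."""
    fn = getattr(_proc, "_dyld_get_shared_cache_range", None)  # macOS 11+
    if fn is None:
        return None
    fn.argtypes, fn.restype = [ctypes.POINTER(ctypes.c_size_t)], ctypes.c_void_p
    length = ctypes.c_size_t()
    base = fn(ctypes.byref(length))
    return (base, length.value) if base else None


def shared_cache_contains(path):
    """Ask dyld whether path is an image inside the cache; None where absent."""
    fn = getattr(_proc, "_dyld_shared_cache_contains_path", None)  # macOS 11+
    if fn is None:
        return None
    fn.argtypes, fn.restype = [ctypes.c_char_p], ctypes.c_bool
    return fn(path.encode())


def describe(name="dlopen"):
    addr = symbol_address(name)
    path, sym = image_for_address(addr) or ("?", "")
    rng = shared_cache_range()
    return {"symbol": sym, "address": hex(addr), "image": path,
            "on_disk": os.path.exists(path),
            "in_shared_cache": bool(rng) and rng[0] <= addr < rng[0] + rng[1],
            "cache_knows_path": shared_cache_contains(path)}
```

Call `describe("dlopen")` from a Python REPL on the Mac in question; the same check works for any other symbol that lldb attributes to a cache-only dylib.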