macOS Reverse Engineering Vol 1

Reverse real macOS app behavior from first principles.

This track teaches efficient reverse engineering workflows from a beginner-friendly starting point to operationally useful intermediate analysis. It uses a custom-built macOS training app with realistic bundle structure, ARM64 disassembly, Swift, Objective-C, helpers, local state, network behavior, and instrumentation points. The course is about tool fluency, methodology, and professional analysis, not zero-day hunting.

Every listed topic is intended to be backed by a local lab, a guided training-app exercise, or a reproducible analysis artifact. Hopper and Ghidra can be used as primary tools; commercial tools are treated as optional workflow mappings, not hard requirements.

00

Reverse Engineering Workflow and Lab Setup

Set up the controlled workflow: training app, evidence folders, baseline observation, notes, and proof standards.

5 modules
00.1Reverse Engineering Workflow, Lab Boundaries, and Training App Orientation
Locked
00.2Installing the MacSec Training App and Creating Evidence Folders
Locked
00.3First Run Observation: UI, Files, Logs, and Network Baseline
Free preview
00.4Building a Repeatable Notes Template
Locked
00.5What Counts as Proof: Observation, Hypothesis, Validation, Finding
Locked
01

macOS Application Anatomy for Reverse Engineers

Learn where behavior lives inside an app bundle before jumping into disassembly.

5 modules
01.1App Bundle Layout: Contents, MacOS, Resources, Frameworks, PlugIns
Locked
01.2Info.plist Keys That Drive Launch and App Behavior
Locked
01.3Finding Main Executables, Helpers, Frameworks, and Embedded Tools
Locked
01.4URL Schemes, Document Handlers, Login Items, and App Extensions
Locked
01.5Lab: Build the First Component Map of the Training App
Locked
02

First-Pass Binary Triage with Free Tools

Use built-in and free command-line tooling to create a useful target profile without a GUI disassembler.

5 modules
02.1file, lipo, and Architecture Identification
Locked
02.2codesign, Entitlements, Team IDs, and Hardened Runtime Clues
Locked
02.3otool, nm, strings, and rabin2 First-Pass Workflow
Locked
02.4Building a Target Profile Without a GUI Disassembler
Locked
02.5Lab: Create a Triage Report for the Main App Binary
Locked
03

Mach-O Structure That Actually Matters

Read the Mach-O details that directly answer analysis questions: loaders, imports, sections, constants, and metadata.

5 modules
03.1Mach-O Headers, Slices, and Universal Binaries
Locked
03.2Load Commands, Install Names, rpaths, and Linked Frameworks
Locked
03.3Segments, Sections, Constants, CStrings, and Objective-C Metadata Areas
Locked
03.4Imports, Exports, Undefined Symbols, and What They Reveal
Locked
03.5Lab: Explain the Training App Startup Surface from Mach-O Evidence
Locked
04

ARM64 Basics for macOS Reverse Engineers

Learn enough Apple Silicon ARM64 to follow control flow, arguments, returns, stack frames, branches, and common compiler patterns.

5 modules
04.1ARM64 Registers, Calling Convention, and Return Values
Locked
04.2Stack Frames, Prologues, Epilogues, and Function Boundaries
Locked
04.3Branches, Condition Flags, Comparisons, and Switch Patterns
Locked
04.4Memory Loads, Stores, Pointers, Struct Access, and String References
Locked
04.5Lab: Annotate a Training App Function from ARM64 Disassembly
Locked
05

Strings, Symbols, Resources, and Config Clues

Turn noisy static clues into leads: feature names, resources, config files, local state, and confidence levels.

5 modules
05.1Useful Strings vs Noise
Locked
05.2Symbol Names, Stripped Binaries, and Partial Debug Clues
Locked
05.3Resources, Assets, Storyboards, NIBs, and Localization Files
Locked
05.4Plists, JSON, Feature Flags, and Local Configuration
Locked
05.5Lab: Identify Three Features from Static Evidence and Prove Confidence
Locked
06

Objective-C Reversing for App Behavior

Map Cocoa application behavior through selectors, classes, delegates, notifications, and target-action paths.

5 modules
06.1Classes, Methods, Selectors, Ivars, Categories, Protocols
Locked
06.2objc_msgSend and Reading Call Sites
Locked
06.3Target-Action, Delegates, Notifications, and Cocoa Patterns
Locked
06.4Mapping a Button Click to a Selector and Class
Locked
06.5Lab: Recover an Objective-C Feature Path in the Training App
Locked
07

Swift Reversing for Practical Analysis

Recognize Swift-heavy app logic, demangle names, and understand mixed Swift/Objective-C boundaries.

5 modules
07.1Swift Symbol Demangling and Naming Patterns
Locked
07.2Swift Types, Optionals, Enums, Structs, Closures: Recognition Clues
Locked
07.3Swift/Objective-C Bridging and Mixed App Boundaries
Locked
07.4Finding Swift Feature Logic from Symbols and Runtime Clues
Locked
07.5Lab: Recover a Swift Feature Path Without Source Code
Locked
08

LLDB Runtime Analysis

Move from static guesses to runtime proof with breakpoints, backtraces, values, and object inspection.

5 modules
08.1Launching and Attaching to macOS Apps with LLDB
Locked
08.2Breakpoints, Symbolic Breakpoints, Conditions, and Stop Hooks
Locked
08.3Backtraces, Registers, Arguments, Return Values, and Object Inspection
Locked
08.4Proving Static Hypotheses with Runtime Evidence
Locked
08.5Lab: Break on a Training App Action and Capture Proof
Locked
09

Local State, Preferences, SQLite, and Artifacts

Find where app decisions are persisted and explain what those artifacts prove.

5 modules
09.1Application Support, Caches, Preferences, Containers, and Logs
Locked
09.2Reading and Modifying Plists Safely in a Lab
Locked
09.3SQLite Triage for Reverse Engineers
Locked
09.4Keychain-Like Flows and Privacy-Sensitive Storage Patterns
Locked
09.5Lab: Map the Training App's Local State and Explain Trust Assumptions
Locked
10

Runtime Telemetry: Files, Logs, Processes, and Network

Correlate user actions with macOS evidence so findings are reproducible and defensible.

5 modules
10.1Unified Logging Predicates for App Analysis
Locked
10.2fs_usage, lsof, and File Behavior
Locked
10.3Process Tree, Launch Context, and Helper Execution
Locked
10.4nettop, lsof, tcpdump, and Connection Observation
Locked
10.5Lab: Correlate a UI Action to File, Log, Process, and Network Evidence
Locked
11

Network, API, and Request-Construction Reversing

Move from endpoint strings to request construction, safe mock-server testing, and runtime proof.

7 modules
11.1Endpoint Strings Are Leads, Not Requests
Locked
11.2Finding Request Builders, URLSession Paths, CFNetwork Clues, and Header Construction
Locked
11.3Triggering Network Behavior Safely with a Local Mock Server
Locked
11.4Mapping Parameters, Headers, Tokens, and Error Handling Without Touching Production
Locked
11.5LLDB Breakpoints on URLSession, CFNetwork, and Request-Builder Methods
Locked
11.6Real App Observation: Sublime Text Network Leads vs Proven Connections
Locked
11.7Lab: Reproduce a Training App Request and Document the Construction Path
Locked
12

Decompiler-Style Reasoning and Control-Flow Recovery

Learn to read behavior from call graphs, branches, pseudocode-style reasoning, and runtime confirmation.

7 modules
12.1From Disassembly to Behavior: Blocks, Calls, Branches, and Data Flow
Locked
12.2Cross-References, Callers, Callees, and Building a Feature Map
Locked
12.3Identifying Guards: Boolean Checks, Status Enums, Error Paths, and Early Returns
Locked
12.4Renaming, Commenting, and Building an Analyst Notebook Without Source Code
Locked
12.5When Pseudocode Lies: Compiler Optimizations, Inlined Checks, and Missing Context
Locked
12.6Real App Observation: Recognizing Feature Gates Without Patching Commercial Software
Locked
12.7Lab: Recover a Training App Decision Path from Static and Runtime Evidence
Locked
13

LLDB Control-Flow Proof and Runtime State Manipulation

Use LLDB to prove branches, inspect registers and objects, alter state in memory, and validate hypotheses.

7 modules
13.1Breakpoint Strategy for Real Behavior, Not Random Stops
Locked
13.2Register and Argument Inspection at Branch and Return Sites
Locked
13.3Watching Objective-C and Swift-Like State Change at Runtime
Locked
13.4Conditional Breakpoints, Watchpoints, and Stop Hooks for Noisy Apps
Locked
13.5Forcing Return Values and Object State in LLDB as Hypothesis Tests
Locked
13.6Restoring State, Avoiding False Findings, and Writing Runtime-Proof Notes
Locked
13.7Lab: Prove and Temporarily Flip a Training App Feature Decision in Memory
Locked
14

License Gates, Feature Locks, and Patch-Based Hypothesis Testing

Reverse a deliberately weak activation gate in the MacSec training app and prove the lock path safely.

9 modules
14.1How License Gates Are Usually Built: UI Lock, Validator, State Store, and Feature Check
Locked
14.2Building the Activation Map: Strings, Selectors, Files, Network Leads, and Error Messages
Locked
14.3Finding the Validation Function and the Locked Feature Decision
Locked
14.4LLDB Walkthrough: Break on Activation, Inspect the Key, Follow the Return Value
Locked
14.5In-Memory Branch and Return-Value Patching to Prove the Hypothesis
Locked
14.6Persistent State vs Runtime Patch: Why Relaunch Changes the Result
Locked
14.7Defensive Design Lessons: Server Authority, Signed Tokens, Replay Limits, and Tamper Signals
Locked
14.8Real App Boundary: Observing Sublime License Leads Without Bypassing a Commercial Product
Locked
14.9Lab: Unlock the MacSec Training App's Hidden Research Console Through Authorized Runtime Patching
Locked
15

Instrumentation, Hooking Concepts, and Analysis Shims

Instrument lab behavior to observe arguments and decisions while respecting hardened runtime limits.

7 modules
15.1Instrumentation Goals: Observe, Correlate, and Minimize Assumptions
Locked
15.2DYLD Environment Variables, Loader Diagnostics, and Why Hardened Runtime Changes the Rules
Locked
15.3Function Interposition Concepts with a Safe Lab Binary
Locked
15.4Objective-C Message Observation and Selector-Level Tracing in the Training App
Locked
15.5Logging Arguments Without Changing App Semantics
Locked
15.6Real App Observation: Why Production Apps Often Resist Simple Loader-Based Instrumentation
Locked
15.7Lab: Build an Analysis Shim for a Training App API Boundary
Locked
16

Crash Reports, Exceptions, and Failure-Driven Reverse Engineering

Use crashes, exceptions, diagnostics, and failure paths as navigation aids instead of dead ends.

7 modules
16.1Reading macOS .ips Reports: Exception Type, Crashed Thread, Images, and Offsets
Locked
16.2Mapping Crash Offsets Back to Functions and Code Paths
Locked
16.3Crashpad, ReportCrash, OSAnalytics, and App-Owned Diagnostic Helpers
Locked
16.4Intentional Lab Crashes as Controlled Navigation Signals
Locked
16.5LLDB Exception Breakpoints and First-Failure Capture
Locked
16.6Real App Observation: Sublime Text Crash Handler and Diagnostic Artifacts
Locked
16.7Lab: Turn a Training App Crash into a Reproducible Code-Path Finding
Locked
17

Real-App Case Study Methodology

Apply the Vol 1 workflow to production apps observationally while keeping patching inside MacSec-owned labs.

7 modules
17.1Choosing a Real App Case Study Without Crossing Authorization Boundaries
Locked
17.2Sublime Text Case Study: Bundle, Signature, Helpers, Packages, and Local IPC
Locked
17.3Visual Studio Code Case Study: Electron Layout, Helper Processes, Extensions, and Storage
Locked
17.4iTerm2 Case Study: Preferences, Profiles, Shell Launch Context, and Process Evidence
Locked
17.5Comparing Native, Electron, and Terminal-Facing App Architectures
Locked
17.6Writing Professional Non-Conclusions When Evidence Is Only Observational
Locked
17.7Lab: Produce a Real-App Observational RE Report Without Modifying the Target
Locked