
Parse raw Mach messages

Open JJTech0130 opened this issue 5 months ago • 0 comments

Some obfuscated applications statically link libxpc, meaning they make all the raw Mach calls directly. This tool will not work on such binaries. More investigation is needed into how to parse the binary representation of XPC messages. The messages appear to start with "CPX@" (@XPC backwards).

JJTech0130, Jan 19 '24 17:01
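
The Go code below is an added example, not part of the issue and not gxpc's own code: given one captured raw Mach message, it checks `msgh_size` against the capture and locates the "CPX@" marker the issue mentions. The function names, the 4-byte-aligned scan and the sample bytes are assumptions made for illustration; nothing is assumed about the layout of the data after the marker.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// "@XPC" stored as a little-endian uint32 shows up in a dump as "CPX@".
var xpcMagic = []byte("CPX@")

// sizeof(mach_msg_header_t) in 64-bit user space: six 32-bit fields.
const machHeaderSize = 24

var ErrNoMagic = errors.New("no CPX@ marker inside msgh_size")

// FindXPCPayload validates the Mach header's msgh_size against the capture,
// then looks for the marker on 4-byte boundaries in the body (alignment is
// an assumption). It returns the marker's offset from the start of the
// message and the bytes from there to the end of the message.
func FindXPCPayload(msg []byte) (int, []byte, error) {
	if len(msg) < machHeaderSize {
		return 0, nil, errors.New("capture shorter than mach_msg_header_t")
	}
	size := int(binary.LittleEndian.Uint32(msg[4:8])) // msgh_size
	if size < machHeaderSize || size > len(msg) {
		return 0, nil, fmt.Errorf("msgh_size %d does not fit %d-byte capture", size, len(msg))
	}
	for off := machHeaderSize; off+4 <= size; off += 4 {
		if bytes.Equal(msg[off:off+4], xpcMagic) {
			return off, msg[off:size], nil
		}
	}
	return 0, nil, ErrNoMagic
}

// SampleMessage builds a constructed 40-byte message: header, 4 filler
// bytes, the marker, then 8 placeholder bytes (not real XPC content).
func SampleMessage() []byte {
	msg := make([]byte, machHeaderSize, 40)
	binary.LittleEndian.PutUint32(msg[0:4], 0x13) // msgh_bits (constructed)
	binary.LittleEndian.PutUint32(msg[4:8], 40)   // msgh_size
	msg = append(msg, 0, 0, 0, 0)
	msg = append(msg, xpcMagic...)
	return append(msg, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA)
}

func main() {
	off, payload, err := FindXPCPayload(SampleMessage())
	fmt.Println(off, len(payload), err)
}
```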