
Mach-O Magic and Cigam Clarification


I am currently making an advanced Mach-O executable disassembler and am confused about the Magic and Cigam part of an executable header. I understand how they work and how they determine the byte order of the executable and if it's 32/64-bit, but the one thing I am stuck on is this: which hexadecimal order represents Magic and Cigam?

This is the raw hexadecimal of a Common Header (straight from hexdump):

cffaedfe - This is a 64-bit header, but is it Magic or Cigam?

The reason I am confused with this is because of all the ordering like cigam requires flipping every 4 bytes in the opposite direction and do I read the bytes in Endianness or not??? I've looked at the mach headers and I've found this stuff:

MH_MAGIC_64 = 0xfeedfacf

MH_CIGAM_64 = 0xcffaedfe (MH_MAGIC swapped)

But is 0xcffaedfe meant to be matched from the direct hexadecimal from the Mach-O file, meaning it's CIGAM, or do I read it in Endian and cffaedfe becomes feedfacf, making it MAGIC????

Just please tell me:

(direct from file hexdump) cffaedfe - Is this Magic Or Cigam????

Thanks


Solution

  • MH_MAGIC_64 and MH_CIGAM_64 don't have some absolute endianness attached to them; their meaning is relative to the host endianness.

    Let's say you have binary A for a little endian architecture with its first four bytes cf fa ed fe, and a binary B for a big endian architecture with its first four bytes fe ed fa cf.

    On a little endian machine, binary A will have MH_MAGIC_64 and binary B will have MH_CIGAM_64, but on a big endian machine binary B will have MH_MAGIC_64 and A will have MH_CIGAM_64.

    So in essence, you read the magic using your native host byte order and if it matches MH_CIGAM_64, then you're gonna have to swap around all integers you read from that binary.
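The rule in the answer above, as an added C example (not code from the original answer): it classifies the magic as a little-endian or big-endian host would see it, then reads the next header field (`cputype`) with a swap only when the magic matched MH_CIGAM_64. The `host_little` parameter, the function names and the 8-byte sample are constructed for illustration; the expected `cputype` 0x01000007 is CPU_TYPE_X86_64.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants as quoted in the question; defined here so this builds on any OS. */
#define MH_MAGIC_64 0xfeedfacfu
#define MH_CIGAM_64 0xcffaedfeu

enum order { ORDER_UNKNOWN, ORDER_NATIVE, ORDER_SWAPPED };

/* Load 4 file bytes as a host of the given endianness would (host_little is a demo knob). */
uint32_t load_u32(const uint8_t *p, int host_little) {
    return host_little
        ? (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24
        : (uint32_t)p[3] | (uint32_t)p[2] << 8 | (uint32_t)p[1] << 16 | (uint32_t)p[0] << 24;
}

uint32_t swap32(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0xff00u) | ((v << 8) & 0xff0000u) | (v << 24);
}

/* Detect the endianness of the machine actually running this code. */
int host_is_little(void) { uint16_t one = 1; uint8_t b; memcpy(&b, &one, 1); return b == 1; }

/* Compare the host-order magic against both constants; reject truncated input. */
enum order classify_magic(const uint8_t *buf, size_t len, int host_little) {
    if (len < 4) return ORDER_UNKNOWN;
    uint32_t magic = load_u32(buf, host_little);
    if (magic == MH_MAGIC_64) return ORDER_NATIVE;
    if (magic == MH_CIGAM_64) return ORDER_SWAPPED;
    return ORDER_UNKNOWN;
}

/* cputype is the 32-bit field right after the magic; swap it only for CIGAM. Returns 0 on success. */
int read_cputype(const uint8_t *buf, size_t len, int host_little, uint32_t *out) {
    enum order o = classify_magic(buf, len, host_little);
    if (o == ORDER_UNKNOWN || len < 8) return -1;
    uint32_t v = load_u32(buf + 4, host_little);
    *out = (o == ORDER_SWAPPED) ? swap32(v) : v;
    return 0;
}

/* Constructed sample: first 8 bytes of a little-endian 64-bit header, as hexdump shows them. */
const uint8_t SAMPLE_LE[8] = { 0xcf, 0xfa, 0xed, 0xfe, 0x07, 0x00, 0x00, 0x01 };

int main(void) {
    uint32_t cpu = 0;
    int rc = read_cputype(SAMPLE_LE, sizeof SAMPLE_LE, host_is_little(), &cpu);
    printf("rc=%d cputype=0x%08x\n", rc, (unsigned)cpu);
    return rc;
}
```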