@junxiang99 Oooh I could write a paper on this, but I’ll keep it brief :]
An executable or plugins will typically have the symbols stripped out. No other program needs to reference these methods/functions (via a name) so the program can just use offsets to reference a function or method. That’s not always the case with frameworks where you need to export your symbols which can be used by another consumer (i.e. another executable or another framework). C stripping will get rid of (most) symbols, Objective-C stripped will get rid of symbols but they can be found in other parts of the executable. Swift sorta depends. It’s a bit like C, but there are many cases where you can infer the method’s name (or functionality).
Even if you don’t know the symbols name, you can still find references to a where functions are called (assembly knowledge) and the start of all functions (LC_FUNCTION_STARTS load command).
You can infer what language(s) are used by what the program links to for libraries (see
otool -L and
otool -l) and the program’s MachO sections. If you have the latest edition of the book check out the MachO chapter. For example, if a program uses swift, you’ll see a
__TEXT.__swift* load command or Objective-C with a
__DATA.__objc_calist, or if I see any symbols starting with
__Z, then I know c++ is being used.
Now to Xcode: I know that the hitTest: method is going to be called because I’ve read the AppKit/Cocoa documentation. That method gets called for all GUI programs on your computer when you click down on your mouse/trackpad. That method is a public method frequently used by OS X developers. I just am using that knowledge on Xcode to figure out what the view is