FEEDFACE in OSX malware

Question

I was reverse engineering a piece of code in "Crisis" for fun and I encountered the following :-

__INIT_STUB_hidden:00004B8F                 mov     eax, 8FE00000h
__INIT_STUB_hidden:00004B94
__INIT_STUB_hidden:00004B94 loc_4B94:                               
__INIT_STUB_hidden:00004B94                 mov     ebx, 41424344h
__INIT_STUB_hidden:00004B99                 cmp     dword ptr [eax], 0FEEDFACEh
__INIT_STUB_hidden:00004B9F                 jz      short loc_4BB9
__INIT_STUB_hidden:00004BA1                 add     eax, 1000h
__INIT_STUB_hidden:00004BA6                 cmp     eax, 8FFF1000h
__INIT_STUB_hidden:00004BAB                 jnz     short loc_4B94

What is supposed to happen here? Why is the presence of FEEDFACE expected at the address 8FFF0000 or 8FFF1000? I understand that feedface/feedfacf are Mach-O magic numbers -- however why are they expected to be present at those addresses?

Answer 1

It's the Mach-O header magic. From mach-o/loader.h:

/* Constant for the magic field of the mach_header (32-bit architectures) */
#define MH_MAGIC        0xfeedface      /* the mach magic number */
#define MH_CIGAM        0xcefaedfe      /* NXSwapInt(MH_MAGIC) */

In OS X, the Mach-O header is often included as part of the __TEXT segment so it's mapped into memory. The code is searching for a Mach-O file mapped somewhere in that address range - probably some system library - possibly so it can search for a necessary function to call (enumerate Mach-O load commands to locate the symbol table, etc.).

Answer 2

Crisis is trying to locate dyld location in that piece of code: 32bits dyld is usually located at 8FE00000 - it uses that to solve symbols, if I'm not mistaken.

Check my Crisis analysis if you haven't already.