Zero the Hero - A Modern Blade for Carving Through Mach-O
It’s been a while since I last published here. The reason is simple: I’ve just finished the first public release of Zero the Hero (0tH) — a sharp, no-nonsense Mach-O parser written in pure Rust-no-panic.
What is Zero the Hero
0tH (or ZtH, I’m not dogmatic about naming) is an ambitious project. The goal is straightforward: do everything otool does — and do it better.
More specifically:
- rigorous Load Command analysis
- Code Signature and SuperBlob introspection
- Entitlements extraction
- Symbol table parsing
- and strict structural validation of the Mach-O itself
Under the hood, it’s heavily inspired by msfconsole: a REPL for interactive analysis and a CLI for direct scripting.
This duality is intentional — I wanted something operable both by humans and automation.
And yes, a GUI is in the pipeline. I started from the CLI for two reasons:
- I needed to build the dynamic libraries first — avoiding duplicated logic.
- I wanted to get operational fast, without waiting for UI overhead.
Why I built it
Why did I build 0tH? Because I needed a tool that didn’t exist.
Most existing Mach-O tools fall into two categories:
- fast but shallow, or
- deep but dated.
I wanted something different: a parser that was strict, predictable, safe by design, and capable of handling the constant evolution of Apple’s load commands and code signing infrastructure.
I also wanted a tool whose internals I fully trusted. Writing 0tH in Rust-no-panic wasn’t an aesthetic choice — it was the only way to guarantee consistency, safety, and deterministic behaviour when parsing malformed or adversarial binaries.
Finally, I wanted a single codebase that could power a CLI, a REPL, a future GUI, and a programmatic API without forking logic or reimplementing Mach-O parsing three times.
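To make the "strict" and "no-panic" requirements concrete, here is an added example of how a bounds-checked walk over the 64-bit Mach-O header and its load-command table can look in Rust. This is example code written for this post, not Zero the Hero's own implementation. It assumes a little-endian `MH_MAGIC_64` thin image (fat and byte-swapped images are rejected with `BadMagic`), uses the constants from `<mach-o/loader.h>`, and builds its sample bytes in memory rather than reading a real binary; treating a `sizeofcmds` that does not match the walked length as an error is a strictness choice of this example.

```rust
// Added example (not Zero the Hero's code): a strict, panic-free walker for the
// mach_header_64 and its load-command table. Every read is bounds-checked and
// returns Err instead of indexing out of range, so a truncated or corrupted
// file produces a diagnostic rather than a crash.
// Assumption: little-endian MH_MAGIC_64 thin image; fat/byte-swapped -> BadMagic.
use std::convert::TryInto;

// Constants from <mach-o/loader.h>.
const MH_MAGIC_64: u32 = 0xfeed_facf;
const MH_HEADER_64_SIZE: usize = 32;
const LC_SEGMENT_64: u32 = 0x19;
const LC_UUID: u32 = 0x1b;
const LC_CODE_SIGNATURE: u32 = 0x1d;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated { needed: usize, have: usize },
    OffsetOverflow,
    BadMagic(u32),
    LoadCommandTooSmall { index: usize, cmdsize: u32 },
    Misaligned { index: usize, cmdsize: u32 },
    LoadCommandOverflow { index: usize },
    SizeofCmdsMismatch { declared: u32, walked: usize },
}

#[derive(Debug, PartialEq, Clone, Copy)]
pub struct LoadCommand { pub cmd: u32, pub cmdsize: u32, pub offset: usize }

#[derive(Debug, PartialEq)]
pub struct MachHeader64 { pub cputype: u32, pub filetype: u32, pub ncmds: u32, pub sizeofcmds: u32, pub flags: u32 }

// Read a little-endian u32 without ever indexing past the slice.
fn read_u32(data: &[u8], off: usize) -> Result<u32, ParseError> {
    let end = off.checked_add(4).ok_or(ParseError::OffsetOverflow)?;
    let bytes = data.get(off..end).ok_or(ParseError::Truncated { needed: end, have: data.len() })?;
    let arr: [u8; 4] = bytes.try_into().map_err(|_| ParseError::OffsetOverflow)?;
    Ok(u32::from_le_bytes(arr))
}

pub fn cmd_name(cmd: u32) -> &'static str {
    match cmd {
        LC_SEGMENT_64 => "LC_SEGMENT_64",
        LC_UUID => "LC_UUID",
        LC_CODE_SIGNATURE => "LC_CODE_SIGNATURE",
        _ => "LC_<other>",
    }
}

pub fn parse_macho64(data: &[u8]) -> Result<(MachHeader64, Vec<LoadCommand>), ParseError> {
    let magic = read_u32(data, 0)?;
    if magic != MH_MAGIC_64 { return Err(ParseError::BadMagic(magic)); }
    let hdr = MachHeader64 {
        cputype: read_u32(data, 4)?, filetype: read_u32(data, 12)?, ncmds: read_u32(data, 16)?,
        sizeofcmds: read_u32(data, 20)?, flags: read_u32(data, 24)?,
    };
    // The whole load-command region must fit inside the file before we walk it.
    let region_end = MH_HEADER_64_SIZE.checked_add(hdr.sizeofcmds as usize).ok_or(ParseError::OffsetOverflow)?;
    if region_end > data.len() { return Err(ParseError::Truncated { needed: region_end, have: data.len() }); }
    let mut cmds = Vec::new();
    let mut off = MH_HEADER_64_SIZE;
    for index in 0..hdr.ncmds as usize {
        // Each command needs at least cmd + cmdsize (8 bytes) inside the declared region.
        if region_end - off < 8 { return Err(ParseError::LoadCommandOverflow { index }); }
        let cmd = read_u32(data, off)?;
        let cmdsize = read_u32(data, off + 4)?;
        if cmdsize < 8 { return Err(ParseError::LoadCommandTooSmall { index, cmdsize }); }
        // 64-bit load commands must be 8-byte aligned.
        if cmdsize % 8 != 0 { return Err(ParseError::Misaligned { index, cmdsize }); }
        let next = off.checked_add(cmdsize as usize).ok_or(ParseError::OffsetOverflow)?;
        // A cmdsize that runs past sizeofcmds is how a crafted file walks a naive parser out of bounds.
        if next > region_end { return Err(ParseError::LoadCommandOverflow { index }); }
        cmds.push(LoadCommand { cmd, cmdsize, offset: off });
        off = next;
    }
    let walked = off - MH_HEADER_64_SIZE;
    if walked != hdr.sizeofcmds as usize {
        return Err(ParseError::SizeofCmdsMismatch { declared: hdr.sizeofcmds, walked });
    }
    Ok((hdr, cmds))
}

fn put(v: &mut Vec<u8>, x: u32) { v.extend_from_slice(&x.to_le_bytes()); }

// Constructed, non-loadable sample: header + LC_UUID (24 bytes) + LC_CODE_SIGNATURE (16 bytes).
pub fn sample_macho() -> Vec<u8> {
    let mut v = Vec::new();
    for x in [MH_MAGIC_64, 0x0100_000c, 0, 2, 2, 40, 0x85, 0] { put(&mut v, x); } // arm64, MH_EXECUTE, 2 cmds
    put(&mut v, LC_UUID); put(&mut v, 24); v.extend_from_slice(&[0x11u8; 16]);
    put(&mut v, LC_CODE_SIGNATURE); put(&mut v, 16); put(&mut v, 0x1000); put(&mut v, 0x200);
    v
}

fn main() {
    let img = sample_macho();
    match parse_macho64(&img) {
        Ok((hdr, cmds)) => {
            println!("ncmds={} sizeofcmds={} flags={:#x}", hdr.ncmds, hdr.sizeofcmds, hdr.flags);
            for c in &cmds { println!("  {:<18} size={:<4} @{}", cmd_name(c.cmd), c.cmdsize, c.offset); }
        }
        Err(e) => println!("rejected: {:?}", e),
    }
    let mut bad = img.clone();
    bad[60..64].copy_from_slice(&0x1000u32.to_le_bytes()); // corrupt second cmdsize
    println!("corrupted image: {:?}", parse_macho64(&bad));
}
```

The point of the `region_end` bookkeeping is that every later read is checked against the region the header itself declared, never against the raw file length alone, so an oversized `cmdsize` or an `ncmds` larger than the table is reported by index instead of silently reading segment data as load commands.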
A brief note on Mach-O itself
Mach-O is one of the least forgiving executable formats.
It rewards precision, punishes sloppiness, and exposes every shortcut a developer takes. Over the years I’ve relied on excellent tools such as otool and jtool2, but I wanted something modern, strict, and safe — something that treated the Mach-O format with the discipline it deserves.
Zero the Hero is my attempt at unravelling this particular cosmic horror™.
But why Zero the Hero?
Honestly? Ask Tony Iommi.
The parser’s working name was REPeLlent.
But I was coding while listening to Born Again, and at some point I found myself humming:
“Don’tcha wanna be, don’tcha wanna be, brother — Zero the Hero…”
… and it stuck. Also — it’s a badass song. If you’ve never heard it: https://www.youtube.com/watch?v=WL_svZmiGWw
Interactive Demos
CLI Demo
The following short demo shows how Zero the Hero operates in CLI mode: parsing load commands and code-signing structures straight from the terminal.
REPL Demo
Zero the Hero also includes an interactive REPL, inspired by msfconsole, designed for rapid inspection, scripting, and structured exploration of Mach-O internals.
Final thoughts
This is only the beginning.
0tH will keep growing throughout 2026 as the ecosystem around it expands: the Mach-O libraries, the REPL, the GUI layer, and the upcoming dynamic analysis framework will all converge into something broader and more coherent.
If you work with Apple internals, I hope you’ll find Zero the Hero useful. And if you have thoughts, criticism, or ideas — I’ll read them all.
Back to code.
Want the deep dive?
If you’re a security researcher, incident responder, or part of a defensive team and you need the full technical details (labs, YARA sketches, telemetry tricks), email me at info@bytearchitect.io or DM me on X (@reveng3_org). I review legit requests personally and will share private analysis and artefacts to verified contacts only.
Prefer privacy-first contact? Tell me in the first message and I’ll share a PGP key.
Subscribe to The Byte Architect mailing list for release alerts and exclusive follow-ups.
Gabriel(e) Biondo
ByteArchitect · RevEng3 · Rusted Pieces · Sabbath Stones