Documentation
Version 2026.2.0 — Unified User Manual
Introduction
0tH (Zero the Hero) is a Mach-O analysis and triage tool for macOS. It is designed for inspecting binary structure and code-signing internals during real security investigations.
0tH favors explicit output, structural correctness, and repeatable workflows. It is intended for practitioners who need to understand what a binary actually contains, not for one-line automation wrappers.
Installation
- Download the notarized DMG from zero-the-hero.run
- Verify integrity and notarization:
shasum -a 256 0tH_2026.2.0.dmg
spctl --assess --type open --context context:primary-signature -v 0tH_2026.2.0.dmg
- Copy the binary to your PATH:
cp /Volumes/0tH/0tH /usr/local/bin/
- Verify installation:
0tH --version
Quick Start
# Analyze a binary
0tH --load /bin/ls --tree
# Inspect code signature
0tH --load /Applications/Safari.app/Contents/MacOS/Safari --codesign info
# Launch interactive mode
0tH --REPL
CLI Mode
CLI mode executes a command and exits. It is suitable for scripting, batch analysis, and automation.
0tH --load <binary> [options]
CLI Options
| Option | Description |
|---|---|
| `--load <file>` | Load Mach-O binary |
| `--tree [depth]` | Show hierarchical structure |
| `--slice <n>` | Select FAT slice |
| `--cmd <n>` | View load command |
| `--codesign <cmd>` | Code signature analysis |
| `--strings [len]` | Extract printable strings |
| `--hexdump <mode>` | Hexdump binary data |
| `--export <file>` | Export to JSON |
| `--no-color` | Disable colored output |
| `--greppable` | Minimal output for scripting |
| `--REPL` | Launch interactive REPL |
| `--help` | Show help |
| `--version` | Show version |
REPL Mode
REPL mode provides an interactive shell with persistent history and context-aware commands.
0tH --REPL
# or simply
0tH
REPL Commands
| Command | Description |
|---|---|
| `load <file>` | Load Mach-O binary |
| `tree [depth]` | Show structure |
| `cmdview <idx>` | View load command |
| `select slice <n>` | Select slice |
| `strings` | Extract strings |
| `hexdump` | Hexdump data |
| `armageddon strings` | Brute-force string extraction (REPL only) |
| `codesign <cmd>` | Code signature analysis |
| `export <file>` | Export to JSON |
| `exit` / `quit` | Exit REPL |
Code Signature Analysis
0tH provides structural inspection of macOS code signatures. This includes SuperBlob parsing, CodeDirectory metadata, and notarization detection.
codesign show
codesign info
codesign verify
codesign hashes
codesign entitlements
codesign requirements
codesign certificates
codesign notarization
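The SuperBlob layout that these commands inspect, shown as an added example that is not 0tH's own code or output: a bounds-checked Python parser for the embedded-signature SuperBlob index, run on a constructed two-blob sample. The magic values are those published in Apple's cs_blobs.h; the function names are hypothetical.

```python
import struct

# Magic values from Apple's open-source code-signing header (cs_blobs.h).
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
MAGIC_NAMES = {
    0xFADE0C02: "CodeDirectory",
    0xFADE0C01: "Requirements",
    0xFADE7171: "Entitlements (XML)",
    0xFADE7172: "Entitlements (DER)",
    0xFADE0B01: "CMS signature (BlobWrapper)",
}

def parse_superblob(data: bytes):
    """Return [(slot_type, blob_name, offset, length)] for an embedded SuperBlob.

    All fields are big-endian. Every offset and length is bounds-checked so a
    malformed signature cannot drive the parser outside the buffer.
    """
    if len(data) < 12:
        raise ValueError("truncated SuperBlob header")
    magic, length, count = struct.unpack_from(">III", data, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError(f"unexpected magic 0x{magic:08x}")
    index_end = 12 + 8 * count
    if length > len(data) or index_end > length:
        raise ValueError("SuperBlob length or index count out of bounds")
    blobs = []
    for i in range(count):
        slot, offset = struct.unpack_from(">II", data, 12 + 8 * i)
        if offset < index_end or offset + 8 > length:
            raise ValueError(f"slot {slot:#x}: blob header out of bounds")
        blob_magic, blob_len = struct.unpack_from(">II", data, offset)
        if blob_len < 8 or offset + blob_len > length:
            raise ValueError(f"slot {slot:#x}: blob length out of bounds")
        name = MAGIC_NAMES.get(blob_magic, f"unknown 0x{blob_magic:08x}")
        blobs.append((slot, name, offset, blob_len))
    return blobs

def build_sample() -> bytes:
    """Constructed sample: two placeholder sub-blobs, not a real signature."""
    cd = struct.pack(">II", 0xFADE0C02, 16) + b"\x00" * 8   # slot 0
    cms = struct.pack(">II", 0xFADE0B01, 8)                 # slot 0x10000
    header_len = 12 + 8 * 2
    index = struct.pack(">IIII", 0, header_len, 0x10000, header_len + len(cd))
    total = header_len + len(cd) + len(cms)
    return struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, total, 2) + index + cd + cms

if __name__ == "__main__":
    for slot, name, offset, length in parse_superblob(build_sample()):
        print(f"slot {slot:#07x}  {name:<28} offset={offset:<4} length={length}")
```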
Practical Examples
# Analyze system binary
0tH --load /bin/ls --tree --codesign info
# Extract strings
0tH --load /bin/ls --strings 10
# Hexdump first 64 bytes
0tH --load /bin/ls --hexdump abs 0 64
# JSON export
0tH --load /bin/ls --export analysis.json
Troubleshooting
No LC_CODE_SIGNATURE
The binary is not signed. This is normal for development binaries.
Is a directory
Point to the actual executable inside the .app bundle.
Colors not visible
Disable colors using --no-color or set color off in REPL.
License
0tH is proprietary software, free to use.
See LICENSE.md for details.
© 2025–2026 • Zero the Hero • Gabriele Biondo