MachO: Handle big endian/PPC binaries

[fors4k3n]

Describe the bug
MachO parser doesn't check byteorder when parsing header.

To Reproduce
Try to parse: macho.zip
password is 123456

Environment (please complete the following information):

• System and Version : Win 10
• Target format : Mach-O
• LIEF commit version: c7b3ce3

[romainthomas]

Thank you for the sample. Indeed LIEF is not able to parse PPC Mach-O file but it should support them.

[PaulDance]

I can reproduce the issue as well. Another sample if it can prove useful: the WeaponX malware:
weaponx.tar.gz.

LIEF reports it like this:

Parsing MachO
Arch: Out of range
[+] Building Load commands
Load commands are corrupted
Header
======
Magic     CPU Type  CPU subtype    File type      NCMDS     Sizeof cmds    Reserved  Flags     
CIGAM     Out of range0              Out of range   3000000   10020000       0                   

Commands
========

Sections
========

Symbols
=======

while it should be more like this (for the header):

Format: Mach-O 32-bit
MachHeader {
    Magic: 0xFEEDFACE
    CpuType: CPU_TYPE_POWERPC (0x12)
    CpuSubtype: 0x0
        CPU_SUBTYPE_POWERPC_ALL (0x0)
    FileType: MH_OBJECT (0x1)
    NumberOfCmds: 3
    SizeOfCmds: 0x210
    Flags: 0x0
}

LIEF reported a CPU type of 301989888, which is 0x12000000, i.e. 18 in big endian.

Fixing this issue could require refactoring a good portion of the code-base in order to be able to read integers in both possible byte-orders in all possible cases. Maybe the way the Rust object crate handles it can be of inspiration for this, for example with the mach header.