I am looking through a PowerPC Mach-O executable in different programs, and I noticed something strange. For symbols that refer to stubbed functions, XMachOViewer and any normal hex viewing of the file report the address differently than Ghidra does.

For example, in a Mach-O for cc1 from the version of GCC 3 that came with the Mac OS 10.1 SDK, the address corresponding to the symbol "_exit" is said to be 0x9002c860.

Ghidra, however, says it is 0x27981c.

Is the address masked and is Ghidra unmasking it somehow if that's the case? If so, how do I unmask it myself?

1 Answer

I've realized how dumb I am.

Ghidra is reporting the address of the executable's pointer to the actual function, which is in a dylib, and the hex is actually reporting the address of the actual function.

I looked at the libsystem dylib and found functions in that address space.
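
To check the relationship described in this answer by hand, the sketch below (an added example, not part of the original post) maps a VM address to its file offset through the Mach-O section headers and reads the 32-bit big-endian pointer stored there. The function names, the constructed one-section sample, and the assumption that the pointer slot lives in `__DATA,__la_symbol_ptr` are illustrative; the page does not say which section holds it.

```python
import struct

MH_MAGIC = 0xFEEDFACE  # 32-bit Mach-O magic; PowerPC files are big-endian
LC_SEGMENT = 0x1

def sections(data):
    """Yield (segment, section, vmaddr, size, file offset) for each section."""
    magic, _, _, _, ncmds, _, _ = struct.unpack_from(">7I", data, 0)
    if magic != MH_MAGIC:
        raise ValueError("not a big-endian 32-bit Mach-O")
    off = 28  # sizeof(struct mach_header)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(">2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT:
            nsects = struct.unpack_from(">I", data, off + 48)[0]
            for i in range(nsects):  # 68-byte struct section entries follow
                rec = struct.unpack_from(">16s16s3I", data, off + 56 + 68 * i)
                sect, seg = (n.rstrip(b"\0").decode() for n in rec[:2])
                yield (seg, sect) + rec[2:]
        off += cmdsize

def read_pointer(data, vmaddr):
    """Return (section name, 32-bit value stored in the file at vmaddr)."""
    for seg, sect, addr, size, fileoff in sections(data):
        if addr <= vmaddr and vmaddr + 4 <= addr + size:
            value = struct.unpack_from(">I", data, fileoff + vmaddr - addr)[0]
            return f"{seg},{sect}", value
    raise LookupError(f"{vmaddr:#x} is not inside any section")

def build_sample():
    """Constructed one-section image, not bytes from the real cc1."""
    slot, target = 0x27981C, 0x9002C860  # the two addresses from the question
    fileoff = 28 + 56 + 68
    hdr = struct.pack(">7I", MH_MAGIC, 18, 0, 2, 1, 56 + 68, 0)  # PPC, MH_EXECUTE
    seg = struct.pack(">2I16s8I", LC_SEGMENT, 56 + 68, b"__DATA",
                      slot, 4, fileoff, 4, 7, 3, 1, 0)
    sect = struct.pack(">16s16s9I", b"__la_symbol_ptr", b"__DATA",
                       slot, 4, fileoff, 2, 0, 0, 0x7, 0, 0)  # 0x7 = lazy pointers
    return hdr + seg + sect + struct.pack(">I", target)

if __name__ == "__main__":
    name, value = read_pointer(build_sample(), 0x27981C)
    print(f"slot 0x27981c in {name} holds {value:#x}")
```

On a real file, pass its bytes to `read_pointer` with the address Ghidra shows; an address that lies outside every section of the executable, such as one belonging to a dylib, raises `LookupError`.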