100+ Free OSMR Practice Questions
Pass your OffSec macOS Researcher (OSMR / EXP-312) exam on the first try — instant access, no signup required.
What does `nm -gU /usr/lib/libfoo.dylib` print?
Explore More OffSec Certifications
Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.
Key Facts: OSMR Exam
~48 hrs
Practical Window
OffSec (47h45m + 24h report)
4 tasks
Hands-on Challenges
OffSec EXP-312
$1,749
Learn One Bundle
OffSec annual
3 yrs
Validity
OffSec policy
300-level
Difficulty
OffSec expert tier
Online
Proctoring
OffSec proctored lab
The OSMR exam is NOT multiple choice — it is a 47h45m hands-on practical with 4 macOS exploitation tasks plus 24 hours of reporting. The credential validates expert-level macOS local privilege escalation and security-control bypass skills built on the EXP-312 syllabus. Our 100 practice questions on this site are conceptual prep — they cover the foundational knowledge (Mach-O, XPC, TCC, sandbox, shellcoding, kernel bugs) that you must already own walking into the lab. The Learn One bundle is $1,749 and the certification is valid for 3 years.
Sample OSMR Practice Questions
Try these sample questions to test your OSMR exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.
1Which combination of layers makes up the XNU kernel that powers macOS?
2Which process is PID 1 on macOS and is responsible for bootstrapping all userland services, daemons, and agents?
3On modern macOS (Big Sur and later), the read-only system content lives on which logical construct?
4What APFS feature allows /Applications to appear writable on the Data volume even though it conceptually belongs to the read-only System volume?
5Which command converts a binary plist into an XML representation you can read and edit?
6What is the magic value at offset 0 of a 64-bit little-endian Mach-O file?
7Which Mach-O segment normally contains executable code and is mapped read-only/executable by dyld?
8Which Mach-O load command names a dynamic library that the loader will resolve and link at startup?
9In the Objective-C runtime, what does the isa pointer of an instance reference?
10Which Objective-C runtime function actually performs message dispatch when you write [obj doThing]?
About the OSMR Exam
The OffSec macOS Researcher (OSMR) is OffSec's expert-level (300-level) macOS exploitation certification tied to the EXP-312 (Advanced macOS Control Bypasses) course. The curriculum covers macOS internals (XNU, launchd, APFS, SSV), Mach-O reversing, the Objective-C runtime, dylib injection and hijacking, function interposing and method swizzling, Mach IPC, XPC service auditing, TCC bypasses, App Sandbox escapes, x86_64 + arm64 shellcoding, and kernel/logic vulnerabilities such as AMFI/SIP boundary crossings.
Assessment
4 hands-on macOS exploitation tasks covering dylib injection, function hooking, XPC privilege escalation, TCC bypass, sandbox escape, shellcoding, and logic/kernel bugs
Time Limit
47 hours 45 minutes practical + 24 hours reporting
Passing Score
Practical pass/fail — must complete enough tasks for a passing aggregate
Exam Fee
$1,749 (Learn One bundle) (OffSec online proctored)
OSMR Exam Content Outline
macOS Internals & Objective-C
XNU (Mach + BSD + IOKit), launchd PID 1, APFS / Sealed System Volume / firmlinks, app bundles, plist (binary vs XML, plutil), Mach-O magic 0xFEEDFACF / 0xCAFEBABE, load commands LC_SEGMENT_64 / LC_LOAD_DYLIB / LC_MAIN / LC_CODE_SIGNATURE, segments __TEXT / __DATA / __LINKEDIT / __PAGEZERO, Objective-C runtime (isa, objc_msgSend, class_addMethod, method_exchangeImplementations), Foundation, AppKit, Mac Catalyst
Binary Analysis & Reverse Engineering
otool -l / -ov, nm -gU, class-dump, strings; Hopper class browser + pseudocode; LLDB (breakpoint set --name, watchpoint set variable, register read), dtrace pid<n>:: probes, fs_usage, frida; codesign -dv --entitlements -, dyld_shared_cache_extract_dylibs
Dylib Injection & Hooking
DYLD_INSERT_LIBRARIES, restricted/platform-binary blocking, Hardened Runtime, Library Validation (Team ID), dylib hijacking via LC_LOAD_WEAK_DYLIB and @rpath/LC_RPATH, fishhook rebind_symbols on __DATA.__la_symbol_ptr, __DATA,__interpose function interposing, Objective-C method swizzling and category injection, mach_override inline trampolines
XPC & IPC
Mach IPC (mach_msg, mach_port_t SEND/RECEIVE/SEND_ONCE/DEAD_NAME, MIG .defs), NSXPCConnection (initWithMachServiceName: + NSXPCConnectionPrivileged), NSXPCInterface (exportedInterface, remoteObjectInterface, exportedObject), NSSecureCoding setClasses:forSelector:argumentIndex:ofReply:, audit_token_t vs pid_t, EvenBetterAuthorizationSample, SMJobBless, application-groups entitlement
TCC & Privacy Bypasses
TCC.db at ~/Library/Application Support/com.apple.TCC and /Library/Application Support/com.apple.TCC, kTCCServiceSystemPolicyAllFiles / Camera / Microphone / Accessibility, NFSHomeDirectory rewrite, dylib substitution into TCC-permissioned apps, app-bundle/team-ID injection, FDA gating of direct DB writes
Sandbox Escape
com.apple.security.app-sandbox entitlement, profiles in /System/Library/Sandbox/Profiles (.sb), SBPL allow/deny + subpath/regex, sandbox-exec -f, container redirection at ~/Library/Containers/<bundle-id>/Data, network.client vs network.server, escapes through XPC daemons and TOCTOU/symlink races on shared paths
Shellcoding (x86_64 & arm64)
x86_64 System V ABI (RDI/RSI/RDX/RCX/R8/R9 user calls; R10 for syscall arg4), BSD syscall class 0x2000000+, execve / posix_spawn / bind shells; arm64 svc #0x80 with x16 syscall number and x0..x5 args; eliminating RIP-relative addressing and __stub calls in injected payloads; mach_vm_allocate + mach_vm_protect for RWX (subject to allow-jit)
Kernel & Logic Bugs
AMFI / amfid, IOSurface kernel-spray primitive, SIP (csrutil status, rootless labels, CS_RESTRICT), EndpointSecurity (com.apple.developer.endpoint-security.client), KEXT signing + user-approved KEXT loading, task_for_pid + mach_vm_write thread injection, TOCTOU/symlink races against privileged helpers, PT_DENY_ATTACH anti-debug, PAC on arm64e
How to Pass the OSMR Exam
What You Need to Know
- Passing score: Practical pass/fail — must complete enough tasks for a passing aggregate
- Assessment: 4 hands-on macOS exploitation tasks covering dylib injection, function hooking, XPC privilege escalation, TCC bypass, sandbox escape, shellcoding, and logic/kernel bugs
- Time limit: 47 hours 45 minutes practical + 24 hours reporting
- Exam fee: $1,749 (Learn One bundle)
Keys to Passing
- Complete 500+ practice questions
- Score 80%+ consistently before scheduling
- Focus on highest-weighted sections
- Use our AI tutor for tough concepts
OSMR Study Tips from Top Performers
Frequently Asked Questions
Is the OSMR exam multiple choice?
No. OSMR is fully practical — a 47-hour-45-minute hands-on lab with 4 macOS exploitation tasks, followed by 24 hours to submit a professional report. You must demonstrate working dylib injection, XPC abuse, TCC/sandbox bypasses, or kernel/logic bug exploitation against vulnerable lab targets. Our 100 OSMR practice questions on this site are conceptual knowledge checks for the EXP-312 syllabus; they do not replicate the exam tasks.
What is the OSMR passing score?
OffSec grades each of the 4 OSMR tasks pass/fail and applies an aggregate weighted threshold. The exact passing percentage is not publicly fixed, but candidates must clear enough tasks (with full working primitives, not partial progress) to meet OffSec's published cutoff. The 24-hour report must also be technically correct and reproducible.
How much does the OSMR exam cost?
OSMR is sold as part of the OffSec Learn One subscription. The Learn One bundle is approximately $1,749 USD per year and includes the EXP-312 course, lab time, and exam attempts. Standalone exam vouchers may be available; check OffSec's current pricing page for the most accurate quote.
Do I need OSCP before OSMR?
OffSec does not formally require OSCP, but OSMR is a 300-level exam that assumes solid proficiency in C, Objective-C, x86_64 and arm64 assembly, debuggers (LLDB), and macOS internals. In practice candidates with OSCP-equivalent offensive-security skills plus prior reversing or exploit-dev experience succeed most often.
What tools do I need to know for OSMR?
Hopper or IDA/Ghidra for static analysis; class-dump for Objective-C metadata; LLDB and dtrace for dynamic analysis; codesign for signature/entitlement inspection; otool, nm, strings, and lipo for Mach-O triage; fishhook, mach_override, and method swizzling primitives for hooking; and Python plus Objective-C/Swift fluency for tooling. Our practice questions cover each of these surfaces.
How long should I study for OSMR?
Plan 4-6 months of focused study beyond the EXP-312 course videos, totaling 200-400 lab hours. Build sample sandboxed apps and vulnerable XPC helpers from scratch, audit Apple's EvenBetterAuthorizationSample, replay TCC bypass research, and write x86_64 + arm64 shellcode by hand. Use our 100 OSMR practice questions to surface weak conceptual areas before booking the exam.
How should I use these OSMR practice questions?
Treat them as a knowledge check on macOS internals, dylib/XPC/TCC/sandbox/shellcoding/kernel concepts. If you miss questions on Mach-O load commands, NSXPCInterface validation, audit_token_t races, or syscall conventions, revisit those EXP-312 modules and reproduce the primitive in a controlled lab. The real exam tests execution speed — conceptual fluency is a prerequisite, not the bottleneck.