Apple's operating systems have gained much popularity on both personal computers (macOS) and mobile devices (iOS), including among hackers. The core system modules are becoming a hot attack surface in both kernel mode (e.g. XNU) and user mode (e.g. XPC), because they share almost the same code logic across the different Apple systems (macOS and iOS), which lets an attacker achieve the most with the least effort.

As for the kernel mode part, smart fuzzers must have code-coverage support to know how to fuzz deeply, but we haven't seen anyone do XNU fuzzing based on code coverage, especially in a static way. In this talk, we will show you how to develop kernel sanitizers to get code-coverage support and memory issue detection support. We also developed very detailed, grammar-based patterns (about 530) for the XNU syscall API. Then we will give a live demo of rooting the latest macOS (10.13.6) using 3 0days discovered by our fuzzer. At the end, we will show you another powerful technique to obtain code coverage without source code in a static way. This can help you develop your own smart fuzzer against any closed-source target.

As for the user mode part, we would like to introduce a new fuzzing method designed around Python scripts. We have also implemented a fuzzing project targeting XPC services, which could allow you to gain dozens of reproducible XPC service daemon crashes in minutes or seconds.