Introduction to otool
On Mac OS X, the dynamically linked libraries used by binary executables are dylib files. A dylib is a BSD-style dynamic library, roughly equivalent to a DLL on Windows or an SO on Linux. macOS is based on BSD, so it uses dylib as well.
View the otool path
$ otool -help
Returns:
-f print the fat headers
-a print the archive header
-h print the mach header
-l print the load commands
-L print shared libraries used
-D print shared library id name
-t print the text section (disassemble with -v)
-p <routine name> start dissassemble from routine name
-s <segname> <sectname> print contents of section
-d print the data section
-o print the Objective-C segment
-r print the relocation entries
-S print the table of contents of a library (obsolete)
-T print the table of contents of a dynamic shared library (obsolete)
-M print the module table of a dynamic shared library (obsolete)
-R print the reference table of a dynamic shared library (obsolete)
-I print the indirect symbol table
-H print the two-level hints table (obsolete)
-G print the data in code table
-v print verbosely (symbolically) when possible
-V print disassembled operands symbolically
-c print argument strings of a core file
-X print no leading addresses or headers
-m don't use archive(member) syntax
-B force Thumb disassembly (ARM objects only)
-q use llvm's disassembler (the default)
-Q use otool(1)'s disassembler
-mcpu=arg use `arg' as the cpu for disassembly
-j print opcode bytes
-P print the info plist section as strings
-C print linker optimization hints
--version print the version of /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool
otool is located at /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool. Going to that path shows that the otool file is a symbolic link.
View the target that the otool symbolic link points to:
cd to the directory where otool is stored and run the ls -l command. Where Linux uses ldd to view a binary's shared-library dependencies, Apple systems use otool.
$ cd /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
$ ls -l
The results are as follows:
total 209368
-rwxr-xr-x 1 root wheel 33920 3 20 11:34 ar
-rwxr-xr-x 1 root wheel 28000 3 20 11:34 as
...
-rwxr-xr-x 1 root wheel 32672 3 20 11:34 llvm-otool
...
lrwxr-xr-x 1 root wheel 10 3 22 15:43 otool -> llvm-otool
...
-rwxr-xr-x 1 root wheel 640352 3 20 11:34 otool-classic
You can see that otool points to llvm-otool, which is in the same folder. The folder also contains many other useful tools, such as lipo.
Usage
otool -L
$ otool -L /Applications/Pomotodo.app/Contents/MacOS/Pomotodo
/Applications/Pomotodo.app/Contents/MacOS/Pomotodo:
As follows:
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1504.82.104)
/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (compatibility version 2.0.0, current version 157.0.0)
/System/Library/Frameworks/ServiceManagement.framework/Versions/A/ServiceManagement (compatibility version 1.0.0, current version 972.50.27)
@rpath/Sparkle.framework/Versions/A/Sparkle (compatibility version 1.6.0, current version 1.14.0)
/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 888.51.1)
/System/Library/Frameworks/its.framework/Versions/A/its (compatibility version 1.0.0, current version 603.1.30)
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 22.0.0)
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.50.2)
/System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork (compatibility version 1.0.0, current version 811.4.18)
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1349.64.0)
/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current version 1070.22.0)
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 775.19.0)
$ otool -l WeChart | grep -B 2 crypt
This checks whether the WeChat binary is encrypted. The output is similar to the following:
cryptoff 16384
cryptsize 6651904
cryptid 0
cryptoff 16384
cryptsize 6553600
cryptid 0
A cryptid of 0 indicates that the shell has been removed, i.e. the binary is not encrypted. The information is printed twice because the executable supports both the armv7 and arm64 architectures.
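The same check can be made by reading the load commands directly, which also shows why a fat binary reports the values once per architecture. This Python sketch is an added example, not code from the original post; the function names and the constructed two-slice sample are assumptions, and the slices are assumed to be little-endian.

```python
import struct

FAT_MAGIC = 0xCAFEBABE                      # the fat header is big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_NAMES = {12: "arm", 0x0100000C: "arm64"}

def slice_offsets(data):
    """Offsets of every Mach-O slice; a thin file is one slice at offset 0."""
    if struct.unpack_from(">I", data)[0] != FAT_MAGIC:
        return [0]
    (nfat_arch,) = struct.unpack_from(">I", data, 4)
    # fat_arch = cputype, cpusubtype, offset, size, align (5 x uint32)
    return [struct.unpack_from(">5I", data, 8 + 20 * i)[2] for i in range(nfat_arch)]

def encryption_info(data):
    """Return (arch, cryptoff, cryptsize, cryptid) per slice; cryptid 0 = not encrypted."""
    found = []
    for base in slice_offsets(data):
        magic, cputype, _, _, ncmds, _, _ = struct.unpack_from("<7I", data, base)
        if magic not in (MH_MAGIC, MH_MAGIC_64):
            raise ValueError("unsupported Mach-O magic %#x at %d" % (magic, base))
        off = base + (32 if magic == MH_MAGIC_64 else 28)   # skip the header
        for _ in range(ncmds):
            cmd, cmdsize = struct.unpack_from("<2I", data, off)
            if cmdsize < 8:
                raise ValueError("corrupt load command at %d" % off)
            if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
                fields = struct.unpack_from("<3I", data, off + 8)
                found.append((CPU_NAMES.get(cputype, str(cputype)),) + fields)
            off += cmdsize
    return found

def make_slice(magic, cputype, cmd, cryptsize, cryptid):
    """Constructed sample slice: header plus a single encryption-info command."""
    pad = b"\0" * 4 if magic == MH_MAGIC_64 else b""   # 64-bit structs add 4 bytes
    lc = struct.pack("<5I", cmd, 20 + len(pad), 16384, cryptsize, cryptid) + pad
    return struct.pack("<7I", magic, cputype, 0, 2, 1, len(lc), 0) + pad + lc

# Constructed sample: a two-slice fat file carrying the values shown above.
ARMV7 = make_slice(MH_MAGIC, 12, LC_ENCRYPTION_INFO, 6651904, 0)
ARM64 = make_slice(MH_MAGIC_64, 0x0100000C, LC_ENCRYPTION_INFO_64, 6553600, 0)
SAMPLE_FAT = (struct.pack(">2I", FAT_MAGIC, 2)
              + struct.pack(">5I", 12, 9, 48, len(ARMV7), 0)
              + struct.pack(">5I", 0x0100000C, 0, 48 + len(ARMV7), len(ARM64), 0)
              + ARMV7 + ARM64)
```

`encryption_info(SAMPLE_FAT)` returns one tuple per architecture slice, matching the two groups of lines in the grep output.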
**2. otool -ov output:**
$ otool -ov /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text
/Applications/Sublime Text.app/Contents/MacOS/Sublime Text:
Contents of (__DATA,__objc_classlist) section
0000000100742950 0x1007467a8 _OBJC_CLASS_$_WorkQueueCallback
isa 0x100746780 _OBJC_METACLASS_$_WorkQueueCallback
superclass 0x0 _OBJC_CLASS_$_NSObject
cache 0x0
vtable 0x0
data 0x100742a40 (struct class_ro_t *)
flags 0x0
instanceStart 8
instanceSize 16
reserved 0x0
ivarLayout 0x0
name 0x10064cba3 WorkQueueCallback
baseMethods 0x100742a88 (struct method_list_t *)
entsize 24
count 1
name 0x10064a14e processItems:
types 0x10064cd14 v24@0:8@16
imp -[WorkQueueCallback processItems:]
baseProtocols 0x0
ivars 0x100742aa8
entsize 32
count 1
offset 0x1007466d8 8
name 0x10064a147 runner
type 0x10064cce9 ^{ns_work_queue_runner=^^? ^{work_queue}@@}
alignment 3
size 8
weakIvarLayout 0x0
baseProperties 0x0
Meta Class
isa 0x0
superclass 0x0 _OBJC_METACLASS_$_NSObject
cache 0x0
vtable 0x0
data 0x1007429f8 (struct class_ro_t *)
Assembly code: otool -tV
View the Mach-O header structure
$ otool -h /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text
Mach header
magic cputype cpusubtype caps filetype ncmds sizeofcmds flags
0xfeedfacf 16777223 3 0x80 2 27 4336 0x00218085
The fields of this Mach-O header are as follows:
- magic (magic number): 0xfeedfacf
- cputype (CPU type): 16777223
- cpusubtype (CPU subtype): 3
- caps: 0x80
- filetype (file type): 2
- ncmds: 27
- sizeofcmds: 4336
- flags (flags for the dynamic linker, dyld): 0x00218085
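To turn those raw numbers into names, the following Python sketch decodes a 64-bit Mach-O header, including the hardening-relevant flag bits. It is an added example, not code from the original post; the function name and the subset of constants in the lookup tables are assumptions chosen for illustration, and the sample bytes are constructed from the otool -h values above.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
CPU_TYPES = {7: "i386", 0x01000007: "x86_64", 12: "arm", 0x0100000C: "arm64"}
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
FLAGS = {
    0x1: "MH_NOUNDEFS", 0x4: "MH_DYLDLINK", 0x80: "MH_TWOLEVEL",
    0x8000: "MH_WEAK_DEFINES", 0x10000: "MH_BINDS_TO_WEAK",
    0x20000: "MH_ALLOW_STACK_EXECUTION", 0x200000: "MH_PIE",
    0x1000000: "MH_NO_HEAP_EXECUTION",
}

def parse_mach_header_64(data):
    """Decode the 32-byte little-endian mach_header_64 at the start of data."""
    if len(data) < 32:
        raise ValueError("truncated Mach-O header")
    (magic, cputype, cpusubtype, filetype,
     ncmds, sizeofcmds, flags, _reserved) = struct.unpack_from("<8I", data)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O: %#x" % magic)
    names = [name for bit, name in FLAGS.items() if flags & bit]
    unknown = flags & ~sum(FLAGS)          # bits not in the table above
    if unknown:
        names.append("unknown:%#x" % unknown)
    return {
        "arch": CPU_TYPES.get(cputype, "cputype %d" % cputype),
        # otool prints the top byte of the raw cpusubtype field as "caps".
        "cpusubtype": cpusubtype & 0x00FFFFFF,
        "caps": cpusubtype >> 24,
        "filetype": FILETYPES.get(filetype, "filetype %d" % filetype),
        "ncmds": ncmds,
        "sizeofcmds": sizeofcmds,
        "flags": names,
        # MH_PIE lets the OS load the main executable at a random address.
        "pie": bool(flags & 0x200000),
        "stack_exec": bool(flags & 0x20000),
    }

# Constructed sample: the values printed by `otool -h` above, repacked as bytes.
SAMPLE_HEADER = struct.pack("<8I", 0xFEEDFACF, 16777223, 0x80000003,
                            2, 27, 4336, 0x00218085, 0)

if __name__ == "__main__":
    for key, value in parse_mach_header_64(SAMPLE_HEADER).items():
        print(f"{key:11} {value}")
```

For the header shown above this reports an x86_64 MH_EXECUTE built as a position-independent executable, with the stack-execution flag not set.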