iOS Reverse Engineering (8): The otool Reverse Engineering Tool
Views: 6869
Published: 2019-06-26

otool overview

On Mac OS X (and iOS), the dynamic libraries that executables link against are .dylib files. A dylib is a Mach-O dynamic library, the counterpart of a .dll on Windows and a .so on Linux. The Mach-O format comes from the Mach/NeXTSTEP lineage of macOS rather than from BSD, even though the userland on top of it is BSD-derived. otool is Apple's command-line tool for inspecting Mach-O files: headers, load commands, linked libraries, Objective-C metadata and disassembly.

Locating otool

$ otool -help

This prints the usage text:

    -f print the fat headers
    -a print the archive header
    -h print the mach header
    -l print the load commands
    -L print shared libraries used
    -D print shared library id name
    -t print the text section (disassemble with -v)
    -p <routine name>  start dissassemble from routine name
    -s <segname> <sectname> print contents of section
    -d print the data section
    -o print the Objective-C segment
    -r print the relocation entries
    -S print the table of contents of a library (obsolete)
    -T print the table of contents of a dynamic shared library (obsolete)
    -M print the module table of a dynamic shared library (obsolete)
    -R print the reference table of a dynamic shared library (obsolete)
    -I print the indirect symbol table
    -H print the two-level hints table (obsolete)
    -G print the data in code table
    -v print verbosely (symbolically) when possible
    -V print disassembled operands symbolically
    -c print argument strings of a core file
    -X print no leading addresses or headers
    -m don't use archive(member) syntax
    -B force Thumb disassembly (ARM objects only)
    -q use llvm's disassembler (the default)
    -Q use otool(1)'s disassembler
    -mcpu=arg use `arg' as the cpu for disassembly
    -j print opcode bytes
    -P print the info plist section as strings
    -C print linker optimization hints
    --version print the version of /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool

The last line gives away where otool lives: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool. Looking in that directory shows that otool is a symbolic link.

To see what the link points to, cd into the directory where otool lives and run ls -l. (On Linux you would list a binary's libraries with ldd; on macOS the equivalent is otool -L, covered below.)

$ cd /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin
$ ls -l

Result:

    total 209368
    -rwxr-xr-x  1 root  wheel     33920  3 20 11:34 ar
    -rwxr-xr-x  1 root  wheel     28000  3 20 11:34 as
    ...
    -rwxr-xr-x  1 root  wheel     32672  3 20 11:34 llvm-otool
    ...
    lrwxr-xr-x  1 root  wheel        10  3 22 15:43 otool -> llvm-otool
    ...
    -rwxr-xr-x  1 root  wheel    640352  3 20 11:34 otool-classic

So otool is a symlink to llvm-otool in the same directory, and the older non-LLVM implementation is kept alongside it as otool-classic (the -Q option above selects its disassembler). The directory holds many other useful toolchain binaries as well, such as lipo for splitting and combining fat binaries.

Usage

1. Listing linked libraries: otool -L

$ otool -L /Applications/Pomotodo.app/Contents/MacOS/Pomotodo
/Applications/Pomotodo.app/Contents/MacOS/Pomotodo:

The output lists one linked library per line, with the compatibility and current version recorded in the binary's LC_LOAD_DYLIB commands:

    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
    /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1504.82.104)
    /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (compatibility version 2.0.0, current version 157.0.0)
    /System/Library/Frameworks/ServiceManagement.framework/Versions/A/ServiceManagement (compatibility version 1.0.0, current version 972.50.27)
    @rpath/Sparkle.framework/Versions/A/Sparkle (compatibility version 1.6.0, current version 1.14.0)
    /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 888.51.1)
    /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit (compatibility version 1.0.0, current version 603.1.30)
    /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 22.0.0)
    /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1349.63.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.50.2)
    /System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
    /System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork (compatibility version 1.0.0, current version 811.4.18)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1349.64.0)
    /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current version 1070.22.0)
    /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 775.19.0)

Note the @rpath/Sparkle.framework entry: unlike the absolute /System and /usr/lib paths, it is resolved by dyld at load time through the binary's LC_RPATH search paths, so where that library really comes from depends on the bundle layout and on who can write to it.
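The entries worth a second look in that listing are the ones dyld resolves through a search path instead of an absolute system path: @rpath/..., @executable_path/... and @loader_path/..., plus anything outside /System/Library and /usr/lib. Those are the install names an attacker can satisfy with a planted dylib. The following Python is added here and is not part of the original post: it parses `otool -L` output into records and flags such entries. The sample text is a constructed, trimmed copy of the Pomotodo output above, and the `otool_L` helper that shells out to the real tool is an assumption about how you would feed it live output (it only works on a Mac with Xcode tools installed).

```python
# Added example (not from the original post): parse `otool -L` output and flag the
# libraries that are loaded through a relative install name or a non-system path.
import re
import subprocess

DEP_RE = re.compile(r"^\s+(?P<path>\S+) \(compatibility version (?P<compat>[\d.]+), "
                    r"current version (?P<current>[\d.]+)\)\s*$")
RELATIVE_PREFIXES = ("@rpath/", "@executable_path/", "@loader_path/")
SYSTEM_PREFIXES = ("/System/Library/", "/usr/lib/")


def parse_otool_l(text):
    """Return (binary_path, [{'path', 'compat', 'current'}, ...]) from `otool -L` output."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].endswith(":"):
        raise ValueError("first line should be '<binary>:'")
    binary = lines[0][:-1]
    deps = []
    for line in lines[1:]:
        m = DEP_RE.match(line)
        if not m:
            raise ValueError("unparsed line: %r" % line)
        deps.append(m.groupdict())
    # Caveat: for a dylib (rather than an executable) the first entry is the
    # library's own LC_ID_DYLIB install name, not a dependency.
    return binary, deps


def hijack_candidates(deps):
    """Dependencies dyld resolves via a search path or relative to the bundle."""
    return [d["path"] for d in deps
            if d["path"].startswith(RELATIVE_PREFIXES)
            or not d["path"].startswith(SYSTEM_PREFIXES)]


def otool_L(path):
    """Assumed helper: run the real tool (macOS only) and parse its output."""
    out = subprocess.run(["otool", "-L", path], check=True,
                         capture_output=True, text=True).stdout
    return parse_otool_l(out)


# Constructed sample: the post's Pomotodo output, trimmed to four lines.
SAMPLE = """\
/Applications/Pomotodo.app/Contents/MacOS/Pomotodo:
\t/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
\t/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1504.82.104)
\t@rpath/Sparkle.framework/Versions/A/Sparkle (compatibility version 1.6.0, current version 1.14.0)
\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.50.2)
"""

if __name__ == "__main__":
    binary, deps = parse_otool_l(SAMPLE)
    print(binary, "links", len(deps), "libraries")
    for p in hijack_candidates(deps):
        print("review:", p)
```

Resolving where an @rpath entry actually lands needs the binary's LC_RPATH load commands (`otool -l <binary> | grep -A 2 LC_RPATH`), so treat the flagged list as the set of paths to check by hand, not as findings in themselves.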

$ otool -l WeChat | grep -B 2 crypt

This shows whether the WeChat executable is still encrypted. The output looks like:

    cryptoff 16384
    cryptsize 6651904
    cryptid 0
    cryptoff 16384
    cryptsize 6553600
    cryptid 0

These fields come from the LC_ENCRYPTION_INFO load command. cryptid tells you whether the executable is still FairPlay-encrypted, which the Chinese reversing community calls 加壳 ("packed"): 1 means encrypted, 0 means it has already been decrypted (脱壳). The block is printed twice because this executable is a fat binary with two architecture slices, armv7 and arm64, each carrying its own encryption command; check both, because a dump that decrypted only one slice still shows cryptid 1 in the other.
2. Objective-C metadata: otool -ov

$ otool -ov /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text
/Applications/Sublime Text.app/Contents/MacOS/Sublime Text:
Contents of (__DATA,__objc_classlist) section
0000000100742950 0x1007467a8 _OBJC_CLASS_$_WorkQueueCallback
           isa 0x100746780 _OBJC_METACLASS_$_WorkQueueCallback
    superclass 0x0 _OBJC_CLASS_$_NSObject
         cache 0x0
        vtable 0x0
          data 0x100742a40 (struct class_ro_t *)
                    flags 0x0
            instanceStart 8
             instanceSize 16
                 reserved 0x0
               ivarLayout 0x0
                     name 0x10064cba3 WorkQueueCallback
              baseMethods 0x100742a88 (struct method_list_t *)
           entsize 24
             count 1
              name 0x10064a14e processItems:
             types 0x10064cd14 v24@0:8@16
               imp -[WorkQueueCallback processItems:]
            baseProtocols 0x0
                    ivars 0x100742aa8
                    entsize 32
                      count 1
               offset 0x1007466d8 8
                 name 0x10064a147 runner
                 type 0x10064cce9 ^{ns_work_queue_runner=^^?^{work_queue}@@}
            alignment 3
                 size 8
           weakIvarLayout 0x0
           baseProperties 0x0
Meta Class
           isa 0x0
    superclass 0x0 _OBJC_METACLASS_$_NSObject
         cache 0x0
        vtable 0x0
          data 0x1007429f8 (struct class_ro_t *)

The -o option walks the __DATA,__objc_* sections and prints each class with its superclass, method names, type encodings and instance variables. This metadata is needed by the runtime, so it survives symbol stripping: class and selector names of an Objective-C app are recoverable from the binary even when the nm symbol table is empty.

Disassembly: otool -tV

This disassembles the whole __TEXT,__text section (ARM for an iOS binary, x86-64 for a Mac app like Sublime Text), a waterfall of output; redirect it to a file or pipe it through grep rather than reading it in the terminal. To start at a particular routine use -p <routine name> together with -tV.
Viewing the Mach-O header: otool -h

$ otool -h /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777223          3  0x80           2    27       4336 0x00218085

The fields of the Mach-O header, decoded (otool -hv prints most of these symbolically):

  • magic - 0xfeedfacf (MH_MAGIC_64: a 64-bit, little-endian Mach-O; a 32-bit image uses 0xfeedface, and 0xcafebabe at offset 0 marks a fat/universal file that wraps several such images)
  • cputype (CPU type) - 16777223 (0x01000007 = CPU_TYPE_X86_64; the 0x01000000 bit is CPU_ARCH_ABI64)
  • cpusubtype (CPU subtype) - 3 (CPU_SUBTYPE_X86_64_ALL)
  • caps - 0x80 (the high byte of the cpusubtype word, here CPU_SUBTYPE_LIB64)
  • filetype - 2 (MH_EXECUTE; a dylib is 6, a loadable bundle 8)
  • ncmds - 27 (number of load commands that follow the header)
  • sizeofcmds (load command size) - 4336 (total size in bytes of those load commands)
  • flags (dyld flags) - 0x00218085 = MH_NOUNDEFS | MH_DYLDLINK | MH_TWOLEVEL | MH_WEAK_DEFINES | MH_BINDS_TO_WEAK | MH_PIE; MH_PIE (0x200000) is the bit to look for when checking whether ASLR applies to an executable
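Both the cryptid check earlier and this header dump come down to reading a few fixed-layout structs, so here is a small parser, added here and not code from the original post, that does what `otool -h` and `otool -l | grep -B 2 crypt` do: it decodes the Mach header (splitting caps out of cpusubtype and naming the flag bits as `otool -hv` would) and walks the load commands for LC_ENCRYPTION_INFO / LC_ENCRYPTION_INFO_64 in every slice of a fat file. The inputs are constructed inside the block: a fat binary with an armv7 slice still at cryptid 1 and an arm64 slice at cryptid 0, and a thin x86_64 executable carrying the header values shown above. The cryptoff/cryptsize numbers are copied from the WeChat output; every other value in the samples is assumed. The constants come from Apple's mach-o/loader.h, mach-o/fat.h and mach/machine.h.

```python
# Added example, not code from the original post: a minimal Mach-O reader reproducing what
# `otool -h` and `otool -l | grep -B 2 crypt` show, run over a CONSTRUCTED fat binary.
import struct

FAT_MAGIC = 0xCAFEBABE                              # fat header and fat_arch are big-endian
MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF      # thin headers are little-endian on x86/arm
LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64 = 0x21, 0x2C
CPU_ARCH_ABI64 = 0x01000000
CPU_TYPE_NAMES = {7: "i386", 7 | CPU_ARCH_ABI64: "x86_64",
                  12: "armv7", 12 | CPU_ARCH_ABI64: "arm64"}
FILETYPE_NAMES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
MH_FLAGS = {0x1: "MH_NOUNDEFS", 0x4: "MH_DYLDLINK", 0x80: "MH_TWOLEVEL",
            0x8000: "MH_WEAK_DEFINES", 0x10000: "MH_BINDS_TO_WEAK",
            0x20000: "MH_ALLOW_STACK_EXECUTION", 0x200000: "MH_PIE",
            0x1000000: "MH_NO_HEAP_EXECUTION"}

def flag_names(flags):
    """Decode the mach_header flags word into MH_* names (MH_PIE set means ASLR applies)."""
    return [name for bit, name in sorted(MH_FLAGS.items()) if flags & bit]

def parse_thin(blob, base=0):
    """Parse one thin Mach-O image at `base`: header fields plus any LC_ENCRYPTION_INFO."""
    (magic,) = struct.unpack_from("<I", blob, base)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("no little-endian Mach-O header at offset %d" % base)
    is64 = magic == MH_MAGIC_64
    cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = struct.unpack_from("<6I", blob, base + 4)
    info = {"cputype": cputype, "cputype_name": CPU_TYPE_NAMES.get(cputype, hex(cputype)),
            "cpusubtype": cpusubtype & 0x00FFFFFF,  # otool prints the low 24 bits as cpusubtype
            "caps": cpusubtype >> 24,               # and the top byte as caps
            "filetype": FILETYPE_NAMES.get(filetype, filetype),
            "ncmds": ncmds, "sizeofcmds": sizeofcmds,
            "flags": flags, "flag_names": flag_names(flags),
            "cryptid": None}                        # None: no LC_ENCRYPTION_INFO (usual for macOS apps)
    off = base + (32 if is64 else 28)               # mach_header_64 carries an extra reserved field
    end = off + sizeofcmds
    for _ in range(ncmds):                          # walk the load commands, bounds-checked
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds")
        cmd, cmdsize = struct.unpack_from("<II", blob, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize %d at offset %d" % (cmdsize, off))
        if cmd in (LC_ENCRYPTION_INFO, LC_ENCRYPTION_INFO_64):
            info["cryptoff"], info["cryptsize"], info["cryptid"] = struct.unpack_from("<3I", blob, off + 8)
        off += cmdsize
    return info

def parse_macho(blob):
    """One info dict per architecture slice (a single entry for a thin file)."""
    (magic,) = struct.unpack_from(">I", blob, 0)
    if magic != FAT_MAGIC:
        return [parse_thin(blob)]
    (nfat,) = struct.unpack_from(">I", blob, 4)
    slices = []
    for i in range(nfat):
        _cpu, _sub, offset, size, _align = struct.unpack_from(">5I", blob, 8 + 20 * i)
        if offset + size > len(blob):
            raise ValueError("fat_arch %d points outside the file" % i)
        slices.append(parse_thin(blob, offset))
    return slices

def all_slices_decrypted(blob):
    """The check behind `grep cryptid`: every slice with an encryption command shows cryptid 0."""
    return all(s["cryptid"] in (None, 0) for s in parse_macho(blob))

# ---- constructed sample input (assumed values, not a real app binary) -------------------
def build_thin(cputype, cpusubtype, is64, cryptid=None, flags=0x00218085):
    cmds = b""
    if cryptid is not None:                         # cryptoff/cryptsize mirror the post's output
        cmds = (struct.pack("<6I", LC_ENCRYPTION_INFO_64, 24, 16384, 6553600, cryptid, 0) if is64
                else struct.pack("<5I", LC_ENCRYPTION_INFO, 20, 16384, 6651904, cryptid))
    hdr = struct.pack("<7I", MH_MAGIC_64 if is64 else MH_MAGIC, cputype, cpusubtype,
                      2, 1 if cmds else 0, len(cmds), flags)   # filetype 2 = MH_EXECUTE
    return hdr + (struct.pack("<I", 0) if is64 else b"") + cmds

def build_fat(slices):
    # Real fat files page-align every slice; the parser only needs offset/size to be right.
    archs, body, offset = b"", b"", 8 + 20 * len(slices)
    for cputype, cpusubtype, blob in slices:
        archs += struct.pack(">5I", cputype, cpusubtype, offset, len(blob), 2)
        body += blob
        offset += len(blob)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body

# armv7 slice still encrypted, arm64 slice decrypted: check every slice, not only the one
# that happened to run, before trusting a "decrypted" dump.
FAT_SAMPLE = build_fat([
    (12, 9, build_thin(12, 9, is64=False, cryptid=1)),
    (12 | CPU_ARCH_ABI64, 0, build_thin(12 | CPU_ARCH_ABI64, 0, is64=True, cryptid=0)),
])
# thin x86_64 executable with the cputype/cpusubtype/caps/flags the post's `otool -h` shows
THIN_SAMPLE = build_thin(0x01000007, 0x80000003, is64=True)

if __name__ == "__main__":
    for s in parse_macho(FAT_SAMPLE) + parse_macho(THIN_SAMPLE):
        print(s["cputype_name"], s["filetype"], "cryptid=%s" % s["cryptid"], " ".join(s["flag_names"]))
    print("all slices decrypted:", all_slices_decrypted(FAT_SAMPLE))
```

On a real file call `parse_macho(open(path, "rb").read())`. The reason `all_slices_decrypted` looks at every slice is the pitfall the double cryptid output hints at: a process dump decrypts the architecture that ran, and the other slice of the fat file can still carry cryptid 1.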

Reposted from: https://juejin.im/post/5c8600d4f265da2d9618458e
