iOS逆向（八）逆向工具|iOS逆向（八）逆向工具 otool 介绍 iOS逆向（八）逆向工具otool介绍

otool工具简介
Mac OS X下二进制可执行文件的动态链接库是dylib文件。所谓dylib，就是bsd风格的动态库。基本可以认为等价于windows 的dll和linux的so。mac基于bsd，所以也使用的是dylib。
查看 otool 地址

$ otool -help 复制代码

-f print the fat headers -a print the archive header -h print the mach header -l print the load commands -L print shared libraries used -D print shared library id name -t print the text section (disassemble with -v) -p start dissassemble from routine name -sprint contents of section -d print the data section -o print the Objective-C segment -r print the relocation entries -S print the table of contents of a library (obsolete) -T print the table of contents of a dynamic shared library (obsolete) -M print the module table of a dynamic shared library (obsolete) -R print the reference table of a dynamic shared library (obsolete) -I print the indirect symbol table -H print the two-level hints table (obsolete) -G print the data in code table -v print verbosely (symbolically) when possible -V print disassembled operands symbolically -c print argument strings of a core file -X print no leading addresses or headers -m don't use archive(member) syntax -B force Thumb disassembly (ARM objects only) -q use llvm's disassembler (the default) -Q use otool(1)'s disassembler -mcpu=arg use `arg' as the cpu for disassembly -j print opcode bytes -P print the info plist section as strings -C print linker optimization hints --version print the version of /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool 复制代码

由上可知， otool 的地址： /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool 进入地址发现，otool 文件是个软连接。
查看 otool 指向的软连接地址：
cd进入otool所在的目录，使用 ls -l 命令； Linux下用ldd查看，苹果系统用otool。

$ cd /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin $ ls -l 复制代码

结果如下：

total 209368 -rwxr-xr-x1 rootwheel339203 20 11:34 ar -rwxr-xr-x1 rootwheel280003 20 11:34 as ...-rwxr-xr-x1 rootwheel326723 20 11:34 llvm-otool ... lrwxr-xr-x1 rootwheel103 22 15:43 otool -> llvm-otool ... -rwxr-xr-x1 rootwheel6403523 20 11:34 otool-classic 复制代码

可以发现 otool 指向 llvm-otool，llvm-otool 和 otool 在同一个文件夹下。可以发现，这个文件夹下面还有很多有用的文件，如 lipo。
用法 1、依赖库的查询 otool -L

$ otool -L/Applications/Pomotodo.app/Contents/MacOS/Pomotodo /Applications/Pomotodo.app/Contents/MacOS/Pomotodo: 复制代码

内容如下：

/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8) /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1504.82.104) /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (compatibility version 2.0.0, current version 157.0.0) /System/Library/Frameworks/ServiceManagement.framework/Versions/A/ServiceManagement (compatibility version 1.0.0, current version 972.50.27) @rpath/Sparkle.framework/Versions/A/Sparkle (compatibility version 1.6.0, current version 1.14.0) /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 888.51.1) /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit (compatibility version 1.0.0, current version 603.1.30) /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 22.0.0) /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1349.63.0) /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0) /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.50.2) /System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation (compatibility version 1.0.0, current version 2.0.0) /System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork (compatibility version 1.0.0, current version 811.4.18) /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1349.64.0) /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current version 1070.22.0) /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 775.19.0) 复制代码

【iOS逆向（八）逆向工具|iOS逆向（八）逆向工具 otool 介绍】otool -l WeChart | grep -B 2 crypt

可以查看微信的是否加密等信息返回信息类似如下

cryptoff 16384 cryptsize 6651904 cryptid 0 cryptoff 16384 cryptsize 6553600 cryptid 0123456 //其中cryptid代表是否加壳，1代表加壳，0代表已脱壳。我们发现打印了两遍，其实代表着该可执行文件支持两种架构armv7和arm64. 复制代码

**2、otool -ov内容如下** 复制代码

$ otool -ov /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text /Applications/Sublime Text.app/Contents/MacOS/Sublime Text: Contents of (__DATA,__objc_classlist) section 0000000100742950 0x1007467a8 _OBJC_CLASS_$_WorkQueueCallback isa 0x100746780 _OBJC_METACLASS_$_WorkQueueCallback superclass 0x0 _OBJC_CLASS_$_NSObject cache 0x0 vtable 0x0 data 0x100742a40 (struct class_ro_t *) flags 0x0 instanceStart 8 instanceSize 16 reserved 0x0 ivarLayout 0x0 name 0x10064cba3 WorkQueueCallback baseMethods 0x100742a88 (struct method_list_t *) entsize 24 count 1 name 0x10064a14e processItems: types 0x10064cd14 v24@0:8@16 imp -[WorkQueueCallback processItems:] baseProtocols 0x0 ivars 0x100742aa8 entsize 32 count 1 offset 0x1007466d8 8 name 0x10064a147 runner type 0x10064cce9 ^{ns_work_queue_runner=^^?^{work_queue}@@} alignment 3 size 8 weakIvarLayout 0x0 baseProperties 0x0 Meta Class isa 0x0 superclass 0x0 _OBJC_METACLASS_$_NSObject cache 0x0 vtable 0x0 data 0x1007429f8 (struct class_ro_t *) 复制代码

汇编码 otool -tV

> 则整个ARM的汇编码就都显示出来了，数据量如瀑布复制代码

查看 Mach-O头结构等

$ otool -h /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text Mach header magic cputype cpusubtypecapsfiletype ncmds sizeofcmdsflags 0xfeedfacf 1677722330x802274336 0x00218085 复制代码

一个 Mach-O 的文件头结构为：

magic（魔数）- 0xfeedfacf

cputype（CPU类型）- 16777223

cpusubtype（CPU子类型）- 3

caps - 0x80

filetype（文件类型） - 2

ncmds - 27

sizeofcmds（加载命令大小） - 4336

flags（动态连接器dyld标志） - 0x00218085

转载于:https://juejin.im/post/5c8600d4f265da2d9618458e