macOS Command - otool

otool




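I. Introduction to otool

On Mac OS X, the dynamic libraries used by binary executables are dylib files.

A dylib is a BSD-style dynamic library. It can essentially be regarded as the equivalent of a DLL on Windows or a .so on Linux. macOS is based on BSD, so it also uses dylib.

On Linux you inspect them with ldd; on Apple systems you use otool.


Locating otool

1. On a machine with Xcode installed

Enter:

$ otool -help

Output: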

error: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool: unknown char `p' in flag -help

Usage: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool [-arch arch_type] [-fahlLDtdorSTMRIHGvVcXmqQjCP] [-mcpu=arg] [--version] <object file> ...
	-f print the fat headers
	-a print the archive header
	-h print the mach header
	-l print the load commands
	-L print shared libraries used
	-D print shared library id name
	-t print the text section (disassemble with -v)
	-p <routine name>  start dissassemble from routine name
	-s <segname> <sectname> print contents of section
	-d print the data section
	-o print the Objective-C segment
	-r print the relocation entries
	-S print the table of contents of a library (obsolete)
	-T print the table of contents of a dynamic shared library (obsolete)
	-M print the module table of a dynamic shared library (obsolete)
	-R print the reference table of a dynamic shared library (obsolete)
	-I print the indirect symbol table
	-H print the two-level hints table (obsolete)
	-G print the data in code table
	-v print verbosely (symbolically) when possible
	-V print disassembled operands symbolically
	-c print argument strings of a core file
	-X print no leading addresses or headers
	-m don't use archive(member) syntax
	-B force Thumb disassembly (ARM objects only)
	-q use llvm's disassembler (the default)
	-Q use otool(1)'s disassembler
	-mcpu=arg use `arg' as the cpu for disassembly
	-j print opcode bytes
	-P print the info plist section as strings
	-C print linker optimization hints
	--version print the version of /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool

As shown above, otool is located at:
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool

Going to that location shows that the otool file is a symbolic link.


I don't know why the error unknown char `p' in flag -help is printed; otool -p, otool -help and otool --help all report an error.


Check where the otool symbolic link points:

cd into the directory containing otool and run ls -l:

$ cd /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin

$ ls -l

Output:


total 209368
-rwxr-xr-x  1 root  wheel     33920  3 20 11:34 ar
-rwxr-xr-x  1 root  wheel     28000  3 20 11:34 as
...

-rwxr-xr-x  1 root  wheel     32672  3 20 11:34 llvm-otool
...
lrwxr-xr-x  1 root  wheel        10  3 22 15:43 otool -> llvm-otool
...
-rwxr-xr-x  1 root  wheel    640352  3 20 11:34 otool-classic

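This shows that otool points to llvm-otool; llvm-otool and otool are in the same folder.

This folder also contains many other useful files, such as lipo.


2. On a machine without Xcode installed

On a different machine that does not have Xcode installed, entering the otool command prompts you to install it.

Installation usually takes more than 10 minutes, and longer on a slow network.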


$ otool /Applications/NeteaseMusic.app 
error: /Library/Developer/CommandLineTools/usr/bin/otool: one of -fahlLtdoOrTMRIHCGScisP or --version must be specified
Usage: /Library/Developer/CommandLineTools/usr/bin/otool [-arch arch_type] [-fahlLDtdorSTMRIHGvVcXmqQjCP] [-mcpu=arg] [--version] <object file> ...
	-f print the fat headers
	-a print the archive header
	-h print the mach header
	-l print the load commands
	-L print shared libraries used
	-D print shared library id name
	-t print the text section (disassemble with -v)
	-p <routine name>  start dissassemble from routine name
	-s <segname> <sectname> print contents of section
	-d print the data section
	-o print the Objective-C segment

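This shows that otool is located at /Library/Developer/CommandLineTools/usr/bin/otool.
In fact, this file also exists on a Mac that has Xcode installed;
it is unclear which one takes precedence when invoked.


II. Usage


1. Listing linked dynamic libraries: otool -L

Enter the command: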

$ otool -L  /Applications/Pomotodo.app/Contents/MacOS/Pomotodo 
/Applications/Pomotodo.app/Contents/MacOS/Pomotodo:

Output:

	/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
	/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1504.82.104)
	/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (compatibility version 2.0.0, current version 157.0.0)
	/System/Library/Frameworks/ServiceManagement.framework/Versions/A/ServiceManagement (compatibility version 1.0.0, current version 972.50.27)
	@rpath/Sparkle.framework/Versions/A/Sparkle (compatibility version 1.6.0, current version 1.14.0)
	/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 888.51.1)
	/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit (compatibility version 1.0.0, current version 603.1.30)
	/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 22.0.0)
	/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1349.63.0)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.50.2)
	/System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
	/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork (compatibility version 1.0.0, current version 811.4.18)
	/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1349.64.0)
	/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current version 1070.22.0)
	/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 775.19.0)
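
As an added example (not part of the original post), the Python below parses `otool -L` output like that shown above and groups each dependency by how its path is resolved; an entry such as @rpath/Sparkle.framework is loaded from a location relative to the bundle rather than from a system directory, so it is the kind of entry to verify when reviewing what an application ships. The function names and the embedded sample are constructed for illustration.

```python
import re

# Constructed sample: four lines copied from the `otool -L` output above.
SAMPLE = (
    "/Applications/Pomotodo.app/Contents/MacOS/Pomotodo:\n"
    "\t/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)\n"
    "\t@rpath/Sparkle.framework/Versions/A/Sparkle (compatibility version 1.6.0, current version 1.14.0)\n"
    "\t/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 22.0.0)\n"
)

# One dependency line: leading whitespace, install name, then the version pair.
# otool may append a trailing word such as ", weak" inside the parentheses.
DEP = re.compile(
    r"^\s+(?P<path>.+?) \(compatibility version (?P<compat>[\d.]+), "
    r"current version (?P<current>[\d.]+)(?:, \w+)*\)$"
)

def parse_deps(text):
    """Return one dict (path, compat, current) per dependency line."""
    return [m.groupdict() for m in map(DEP.match, text.splitlines()) if m]

def classify(path):
    """Group an install name by how dyld will locate it."""
    if path.startswith(("/usr/lib/", "/System/Library/")):
        return "system"
    if path.startswith(("@rpath/", "@executable_path/", "@loader_path/")):
        return "relative"   # resolved against the bundle / rpath list at load time
    return "other"          # absolute path outside the system directories

def audit(text):
    """Map each class to the list of install names found in `otool -L` output."""
    groups = {"system": [], "relative": [], "other": []}
    for dep in parse_deps(text):
        groups[classify(dep["path"])].append(dep["path"])
    return groups

if __name__ == "__main__":
    for kind, paths in audit(SAMPLE).items():
        print(kind, paths)
```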

2. otool -ov

The output is too long to list in full here.

$ otool -ov /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text 
/Applications/Sublime Text.app/Contents/MacOS/Sublime Text:
Contents of (__DATA,__objc_classlist) section
0000000100742950 0x1007467a8 _OBJC_CLASS_$_WorkQueueCallback
           isa 0x100746780 _OBJC_METACLASS_$_WorkQueueCallback
    superclass 0x0 _OBJC_CLASS_$_NSObject
         cache 0x0
        vtable 0x0
          data 0x100742a40 (struct class_ro_t *)
                    flags 0x0
            instanceStart 8
             instanceSize 16
                 reserved 0x0
               ivarLayout 0x0
                     name 0x10064cba3 WorkQueueCallback
              baseMethods 0x100742a88 (struct method_list_t *)
		   entsize 24
		     count 1
		      name 0x10064a14e processItems:
		     types 0x10064cd14 v24@0:8@16
		       imp -[WorkQueueCallback processItems:]
            baseProtocols 0x0
                    ivars 0x100742aa8
                    entsize 32
                      count 1
			   offset 0x1007466d8 8
			     name 0x10064a147 runner
			     type 0x10064cce9 ^{ns_work_queue_runner=^^?^{work_queue}@@}
			alignment 3
			     size 8
           weakIvarLayout 0x0
           baseProperties 0x0
Meta Class
           isa 0x0
    superclass 0x0 _OBJC_METACLASS_$_NSObject
         cache 0x0
        vtable 0x0
          data 0x1007429f8 (struct class_ro_t *)

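3. Disassembly: otool -tV

This prints the entire ARM disassembly. The output pours out like a waterfall; try it yourself.
Once you can see the ARM assembly, what you do with it next is up to you. The possibilities are endless!


4. Viewing the Mach-O header and related structures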

$ otool -h /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text 

Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777223          3  0x80           2    27       4336 0x00218085


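The header structure of a Mach-O file is:
[figure: Mach-O file header structure]

The output above means:

magic (magic number) - 0xfeedfacf
cputype (CPU type) - 16777223
cpusubtype (CPU subtype) - 3
caps - 0x80
filetype (file type) - 2
ncmds - 27
sizeofcmds (size of the load commands) - 4336
flags (dynamic linker dyld flags) - 0x00218085


For the meaning of each field, see /usr/include/mach-o/loader.h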
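
As an added example (not part of the original post), the Python below decodes the same header fields into their symbolic names, including the flag bits packed into 0x00218085 such as MH_PIE. The constants are from loader.h and machine.h; the 32-byte input is constructed from the values printed above, and the function name is chosen for illustration.

```python
import struct

# Constants from <mach-o/loader.h> and <mach/machine.h>.
MH_MAGIC_64 = 0xFEEDFACF
CPU_SUBTYPE_MASK = 0xFF000000          # top byte holds capability bits ("caps")
CPU_TYPES = {0x00000007: "X86", 0x01000007: "X86_64",
             0x0000000C: "ARM", 0x0100000C: "ARM64"}
FILETYPES = {1: "MH_OBJECT", 2: "MH_EXECUTE", 6: "MH_DYLIB", 8: "MH_BUNDLE"}
FLAGS = {   # subset of the MH_* flag bits, in ascending order
    0x1: "MH_NOUNDEFS", 0x4: "MH_DYLDLINK", 0x80: "MH_TWOLEVEL",
    0x8000: "MH_WEAK_DEFINES", 0x10000: "MH_BINDS_TO_WEAK",
    0x20000: "MH_ALLOW_STACK_EXECUTION", 0x200000: "MH_PIE",
    0x1000000: "MH_NO_HEAP_EXECUTION",
}

# Constructed input: a 32-byte little-endian mach_header_64 built from the
# values otool -h printed above (cpusubtype 3 with caps 0x80 is 0x80000003).
SAMPLE_HEADER = struct.pack("<8I", 0xFEEDFACF, 16777223, 0x80000003,
                            2, 27, 4336, 0x00218085, 0)

def decode_header(data):
    """Decode a thin 64-bit little-endian Mach-O header into named fields."""
    if len(data) < 32:
        raise ValueError("need at least 32 bytes for mach_header_64")
    (magic, cputype, cpusubtype, filetype,
     ncmds, sizeofcmds, flags, _reserved) = struct.unpack_from("<8I", data)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O: magic 0x%08x" % magic)
    known = [name for bit, name in FLAGS.items() if flags & bit]
    unknown = flags & ~sum(FLAGS)       # bits this table does not name
    return {
        "cputype": CPU_TYPES.get(cputype, hex(cputype)),
        "cpusubtype": cpusubtype & ~CPU_SUBTYPE_MASK,
        "caps": (cpusubtype & CPU_SUBTYPE_MASK) >> 24,
        "filetype": FILETYPES.get(filetype, str(filetype)),
        "ncmds": ncmds,
        "sizeofcmds": sizeofcmds,
        "flags": known,
        "unknown_flags": unknown,
        "pie": bool(flags & 0x200000),  # position-independent, so ASLR applies
    }

if __name__ == "__main__":
    for field, value in decode_header(SAMPLE_HEADER).items():
        print(field, value)
```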


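5. Checking whether an ipa package is encrypted (packed)

otool -l <executable file> | grep crypt

Output:

     cryptoff 16384
    cryptsize 6651904
      cryptid 0
     cryptoff 16384
    cryptsize 6553600
      cryptid 0

Here cryptid indicates whether the binary is packed (encrypted): 1 means packed, 0 means unpacked. The values are printed twice because the executable supports two architectures, armv7 and arm64.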
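
An added example (not part of the original post): `grep crypt` keeps only the matching lines and drops the architecture headers, so the Python below parses full `otool -l` output and reports cryptid per architecture slice. The sample text, the Payload/Example.app path and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout `otool -l` prints for a fat binary; other
# load commands are omitted and the arm64 cryptid is set to 1 to show both cases.
SAMPLE = """\
Payload/Example.app/Example (architecture armv7):
Load command 9
          cmd LC_ENCRYPTION_INFO
      cmdsize 20
     cryptoff 16384
    cryptsize 6651904
      cryptid 0
Load command 10
          cmd LC_LOAD_DYLIB
Payload/Example.app/Example (architecture arm64):
Load command 9
          cmd LC_ENCRYPTION_INFO_64
      cmdsize 24
     cryptoff 16384
    cryptsize 6553600
      cryptid 1
          pad 0
"""

ARCH = re.compile(r"\(architecture (\S+)\):$")
FIELD = re.compile(r"^\s*(cmd|cryptoff|cryptsize|cryptid)\s+(\S+)$")

def encryption_info(text):
    """Return {arch: {cryptoff, cryptsize, cryptid}} from `otool -l` output."""
    result, arch, current = {}, "thin", None
    for line in text.splitlines():
        m = ARCH.search(line)
        if m:                                   # start of a new architecture slice
            arch, current = m.group(1), None
            continue
        m = FIELD.match(line)
        if m and m.group(1) == "cmd":           # each load command starts with cmd
            wanted = m.group(2).startswith("LC_ENCRYPTION_INFO")
            current = result.setdefault(arch, {}) if wanted else None
        elif m and current is not None:
            current[m.group(1)] = int(m.group(2))
    return result

def encrypted_archs(text):
    """Architectures whose slice is still marked encrypted (cryptid != 0)."""
    return [a for a, info in encryption_info(text).items() if info.get("cryptid")]
```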

