otool工具简介

Mac OS X下二进制可执行文件的动态链接库是dylib文件。

所谓dylib，就是bsd风格的动态库。基本可以认为等价于windows 的dll和linux的so。mac基于bsd，所以也使用的是dylib。

查看 otool 地址

$ otool -help

复制代码

返回：

-f print the fat headers

-a print the archive header

-h print the mach header

-l print the load commands

-L print shared libraries used

-D print shared library id name

-t print the text section (disassemble with -v)

-p start dissassemble from routine name

-s print contents of section

-d print the data section

-o print the Objective-C segment

-r print the relocation entries

-S print the table of contents of a library (obsolete)

-T print the table of contents of a dynamic shared library (obsolete)

-M print the module table of a dynamic shared library (obsolete)

-R print the reference table of a dynamic shared library (obsolete)

-I print the indirect symbol table

-H print the two-level hints table (obsolete)

-G print the data in code table

-v print verbosely (symbolically) when possible

-V print disassembled operands symbolically

-c print argument strings of a core file

-X print no leading addresses or headers

-m don't use archive(member) syntax

-B force Thumb disassembly (ARM objects only)

-q use llvm's disassembler (the default)

-Q use otool(1)'s disassembler

-mcpu=arg use `arg' as the cpu for disassembly

-j print opcode bytes

-P print the info plist section as strings

-C print linker optimization hints

--version print the version of /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool

复制代码

由上可知， otool 的地址：

/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool

进入地址发现，otool 文件是个软连接。

查看 otool 指向的软连接地址：

cd进入otool所在的目录，使用 ls -l 命令；

Linux下用ldd查看，苹果系统用otool。

$ cd /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin

$ ls -l

复制代码

结果如下：

total 209368

-rwxr-xr-x 1 root wheel 33920 3 20 11:34 ar

-rwxr-xr-x 1 root wheel 28000 3 20 11:34 as

...

-rwxr-xr-x 1 root wheel 32672 3 20 11:34 llvm-otool

...

lrwxr-xr-x 1 root wheel 10 3 22 15:43 otool -> llvm-otool

...

-rwxr-xr-x 1 root wheel 640352 3 20 11:34 otool-classic

复制代码

可以发现 otool 指向 llvm-otool，llvm-otool 和 otool 在同一个文件夹下。

可以发现，这个文件夹下面还有很多有用的文件，如 lipo。

用法

1、依赖库的查询 otool -L

$ otool -L /Applications/Pomotodo.app/Contents/MacOS/Pomotodo

/Applications/Pomotodo.app/Contents/MacOS/Pomotodo:

复制代码

内容如下：

/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)

/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1504.82.104)

/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (compatibility version 2.0.0, current version 157.0.0)

/System/Library/Frameworks/ServiceManagement.framework/Versions/A/ServiceManagement (compatibility version 1.0.0, current version 972.50.27)

@rpath/Sparkle.framework/Versions/A/Sparkle (compatibility version 1.6.0, current version 1.14.0)

/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 888.51.1)

/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit (compatibility version 1.0.0, current version 603.1.30)

/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 22.0.0)

/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1349.63.0)

/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.50.2)

/System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation (compatibility version 1.0.0, current version 2.0.0)

/System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork (compatibility version 1.0.0, current version 811.4.18)

/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1349.64.0)

/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current version 1070.22.0)

/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 775.19.0)

复制代码

otool -l WeChart | grep -B 2 crypt

可以查看微信的是否加密等信息

返回信息类似如下

cryptoff 16384

cryptsize 6651904

cryptid 0

cryptoff 16384

cryptsize 6553600

cryptid 0123456

//其中cryptid代表是否加壳，1代表加壳，0代表已脱壳。我们发现打印了两遍，其实代表着该可执行文件支持两种架构armv7和arm64.

复制代码**2、otool -ov 内容如下**

复制代码

$ otool -ov /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text

/Applications/Sublime Text.app/Contents/MacOS/Sublime Text:

Contents of (__DATA,__objc_classlist) section

0000000100742950 0x1007467a8 _OBJC_CLASS_$_WorkQueueCallback

isa 0x100746780 _OBJC_METACLASS_$_WorkQueueCallback

superclass 0x0 _OBJC_CLASS_$_NSObject

cache 0x0

vtable 0x0

data 0x100742a40 (struct class_ro_t *)

flags 0x0

instanceStart 8

instanceSize 16

reserved 0x0

ivarLayout 0x0

name 0x10064cba3 WorkQueueCallback

baseMethods 0x100742a88 (struct method_list_t *)

entsize 24

count 1

name 0x10064a14e processItems:

types 0x10064cd14 v24@0:8@16

imp -[WorkQueueCallback processItems:]

baseProtocols 0x0

ivars 0x100742aa8

entsize 32

count 1

offset 0x1007466d8 8

name 0x10064a147 runner

type 0x10064cce9 ^{ns_work_queue_runner=^^?^{work_queue}@@}

alignment 3

size 8

weakIvarLayout 0x0

baseProperties 0x0

Meta Class

isa 0x0

superclass 0x0 _OBJC_METACLASS_$_NSObject

cache 0x0

vtable 0x0

data 0x1007429f8 (struct class_ro_t *)

复制代码

汇编码 otool -tV

> 则整个ARM的汇编码就都显示出来了，数据量如瀑布

复制代码

查看 Mach-O头结构等

$ otool -h /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text

Mach header

magic cputype cpusubtype caps filetype ncmds sizeofcmds flags

0xfeedfacf 16777223 3 0x80 2 27 4336 0x00218085

复制代码一个 Mach-O 的文件头结构为：

magic(魔数)- 0xfeedfacf

cputype(CPU类型)- 16777223

cpusubtype(CPU子类型)- 3

caps - 0x80

filetype(文件类型) - 2

ncmds - 27

sizeofcmds(加载命令大小) - 4336

flags(动态连接器dyld标志) - 0x00218085