iOS逆向（八）逆向工具 otool 介紹

otool工具簡介

Mac OS X下二進制可執行文件的動態連接庫是dylib文件。 所謂dylib，就是bsd風格的動態庫。基本能夠認爲等價於windows 的dll和linux的so。mac基於bsd，因此也使用的是dylib。

查看 otool 地址

$ otool -help
複製代碼

返回：

-f print the fat headers
    -a print the archive header
    -h print the mach header
    -l print the load commands
    -L print shared libraries used
    -D print shared library id name
    -t print the text section (disassemble with -v)
    -p <routine name>  start dissassemble from routine name
    -s <segname> <sectname> print contents of section
    -d print the data section
    -o print the Objective-C segment
    -r print the relocation entries
    -S print the table of contents of a library (obsolete)
    -T print the table of contents of a dynamic shared library (obsolete)
    -M print the module table of a dynamic shared library (obsolete)
    -R print the reference table of a dynamic shared library (obsolete)
    -I print the indirect symbol table
    -H print the two-level hints table (obsolete)
    -G print the data in code table
    -v print verbosely (symbolically) when possible
    -V print disassembled operands symbolically
    -c print argument strings of a core file
    -X print no leading addresses or headers
    -m don't use archive(member) syntax -B force Thumb disassembly (ARM objects only) -q use llvm's disassembler (the default)
    -Q use otool(1)'s disassembler -mcpu=arg use `arg' as the cpu for disassembly
    -j print opcode bytes
    -P print the info plist section as strings
    -C print linker optimization hints
    --version print the version of /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool
複製代碼

由上可知， otool 的地址： /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/otool 進入地址發現，otool 文件是個軟鏈接。

查看 otool 指向的軟鏈接地址：

cd進入otool所在的目錄，使用 ls -l 命令； Linux下用ldd查看，蘋果系統用otool。

$ cd /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin 

$ ls -l
複製代碼

結果以下：

total 209368
-rwxr-xr-x  1 root  wheel     33920  3 20 11:34 ar
-rwxr-xr-x  1 root  wheel     28000  3 20 11:34 as
...

-rwxr-xr-x  1 root  wheel     32672  3 20 11:34 llvm-otool
...
lrwxr-xr-x  1 root  wheel        10  3 22 15:43 otool -> llvm-otool
...
-rwxr-xr-x  1 root  wheel    640352  3 20 11:34 otool-classic
複製代碼

能夠發現 otool 指向 llvm-otool，llvm-otool 和 otool 在同一個文件夾下。 能夠發現，這個文件夾下面還有不少有用的文件，如 lipo。

用法

一、依賴庫的查詢 otool -L

$ otool -L  /Applications/Pomotodo.app/Contents/MacOS/Pomotodo 
/Applications/Pomotodo.app/Contents/MacOS/Pomotodo:
複製代碼

內容以下：

/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.8)
    /System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1504.82.104)
    /System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (compatibility version 2.0.0, current version 157.0.0)
    /System/Library/Frameworks/ServiceManagement.framework/Versions/A/ServiceManagement (compatibility version 1.0.0, current version 972.50.27)
    @rpath/Sparkle.framework/Versions/A/Sparkle (compatibility version 1.6.0, current version 1.14.0)
    /System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 888.51.1)
    /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit (compatibility version 1.0.0, current version 603.1.30)
    /System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 22.0.0)
    /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1349.63.0)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1238.50.2)
    /System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
    /System/Library/Frameworks/CFNetwork.framework/Versions/A/CFNetwork (compatibility version 1.0.0, current version 811.4.18)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1349.64.0)
    /System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics (compatibility version 64.0.0, current version 1070.22.0)
    /System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 775.19.0)
複製代碼

otool -l WeChart | grep -B 2 crypt

能夠查看微信的是否加密等信息 返回信息相似以下

cryptoff 16384
    cryptsize 6651904
      cryptid 0
     cryptoff 16384
    cryptsize 6553600
      cryptid 0123456
//其中cryptid表明是否加殼，1表明加殼，0表明已脫殼。咱們發現打印了兩遍，其實表明着該可執行文件支持兩種架構armv7和arm64.
複製代碼

**二、otool -ov  內容以下**
複製代碼

$ otool -ov /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text 
/Applications/Sublime Text.app/Contents/MacOS/Sublime Text:
Contents of (__DATA,__objc_classlist) section
0000000100742950 0x1007467a8 _OBJC_CLASS_$_WorkQueueCallback
           isa 0x100746780 _OBJC_METACLASS_$_WorkQueueCallback
    superclass 0x0 _OBJC_CLASS_$_NSObject
         cache 0x0
        vtable 0x0
          data 0x100742a40 (struct class_ro_t *)
                    flags 0x0
            instanceStart 8
             instanceSize 16
                 reserved 0x0
               ivarLayout 0x0
                     name 0x10064cba3 WorkQueueCallback
              baseMethods 0x100742a88 (struct method_list_t *)
           entsize 24
             count 1
              name 0x10064a14e processItems:
             types 0x10064cd14 v24@0:8@16
               imp -[WorkQueueCallback processItems:]
            baseProtocols 0x0
                    ivars 0x100742aa8
                    entsize 32
                      count 1
               offset 0x1007466d8 8
                 name 0x10064a147 runner
                 type 0x10064cce9 ^{ns_work_queue_runner=^^?^{work_queue}@@}
            alignment 3
                 size 8
           weakIvarLayout 0x0
           baseProperties 0x0
Meta Class
           isa 0x0
    superclass 0x0 _OBJC_METACLASS_$_NSObject
         cache 0x0
        vtable 0x0
          data 0x1007429f8 (struct class_ro_t *)
複製代碼

彙編碼 otool -tV

> 則整個ARM的彙編碼就都顯示出來了，數據量如瀑布
複製代碼

查看 Mach-O頭結構等

$ otool -h /Applications/Sublime\ Text.app/Contents/MacOS/Sublime\ Text 

Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777223          3  0x80           2    27       4336 0x00218085
複製代碼

一個 Mach-O 的文件頭結構爲：

• magic（魔數）- 0xfeedfacf
• cputype（CPU類型）- 16777223
• cpusubtype（CPU子類型）- 3
• caps - 0x80
• filetype（文件類型） - 2
• ncmds - 27
• sizeofcmds（加載命令大小） - 4336
• flags（動態鏈接器dyld標誌） - 0x00218085