otool (object tool)  Hack/Pwnable  2015. 12. 7. 09:43
otool can be thought of as the Mac equivalent of objdump, nm, and ldd.
It lets you list the dynamic libraries a binary loads and also disassemble the binary itself.
HackCat:~ Songsangjun$ otool -L /bin/ls
/bin/ls:
/usr/lib/libutil.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libncurses.5.4.dylib (compatibility version 5.4.0, current version 5.4.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1225.1.1)
Looking at the loaded libraries with the -L option, three are loaded. A dylib is simply the Mac dynamic library format, so think of .dylib as the dynamic library file extension.
Now that we have used otool to check the libraries a particular binary loads, let's try disassembling it too.
HackCat:~ Songsangjun$ otool -tv /bin/ls
/bin/ls:
(__TEXT,__text) section
0000000100000e94 pushq %rbp
0000000100000e95 movq %rsp, %rbp
0000000100000e98 addq $0x68, %rdi
0000000100000e9c addq $0x68, %rsi
0000000100000ea0 popq %rbp
0000000100000ea1 jmp 0x1000045a2
0000000100000ea6 pushq %rbp
0000000100000ea7 movq %rsp, %rbp
0000000100000eaa leaq 0x68(%rsi), %rax
0000000100000eae leaq 0x68(%rdi), %rsi
0000000100000eb2 movq %rax, %rdi
0000000100000eb5 popq %rbp
0000000100000eb6 jmp 0x1000045a2
0000000100000ebb pushq %rbp
0000000100000ebc movq %rsp, %rbp
0000000100000ebf movq 0x60(%rsi), %r8
...
A very long disassembly listing comes out.
It is a very handy tool for looking directly at the assembly like this.
HackCat:~ Songsangjun$ otool -d /bin/ls
/bin/ls:
(__DATA,__data) section
00000001000054d0 50 00 00 00 2e 00 00 00 00 00 00 00 00 00 00 00
00000001000054e0 d4 54 00 00 01 00 00 00 00 00 00 00 00 00 00 00
00000001000054f0 ff ff ff ff ff ff ff ff
This is the information about the .data section of /bin/ls. The -d option dumps the data section as hex.
If you want to see the size and offset of each section, use the command below.
HackCat:~ Songsangjun$ otool -l /bin/ls
/bin/ls:
Load command 0
cmd LC_SEGMENT_64
cmdsize 72
segname __PAGEZERO
vmaddr 0x0000000000000000
vmsize 0x0000000100000000
fileoff 0
filesize 0
maxprot 0x00000000
initprot 0x00000000
nsects 0
flags 0x0
Load command 1
cmd LC_SEGMENT_64
cmdsize 552
segname __TEXT
vmaddr 0x0000000100000000
vmsize 0x0000000000005000
fileoff 0
filesize 20480
maxprot 0x00000007
initprot 0x00000005
nsects 6
flags 0x0
Section
sectname __text
segname __TEXT
addr 0x0000000100000e94
size 0x0000000000003599
offset 3732
align 2^2 (4)
reloff 0
nreloc 0
flags 0x80000400
reserved1 0
reserved2 0
Section
sectname __stubs
segname __TEXT
addr 0x000000010000442e
size 0x00000000000001c8
offset 17454
align 2^1 (2)
reloff 0
nreloc 0
flags 0x80000408
reserved1 0 (index into indirect symbol table)
reserved2 6 (size of stubs)
Section
sectname __stub_helper
segname __TEXT
addr 0x00000001000045f8
size 0x0000000000000308
offset 17912
align 2^2 (4)
reloff 0
nreloc 0
flags 0x80000400
reserved1 0
reserved2 0
Section
sectname __const
segname __TEXT
addr 0x0000000100004900
size 0x00000000000001f0
offset 18688
align 2^4 (16)
reloff 0
nreloc 0
flags 0x00000000
reserved1 0
reserved2 0
Section
sectname __cstring
segname __TEXT
addr 0x0000000100004af0
size 0x0000000000000479
offset 19184
align 2^0 (1)
reloff 0
nreloc 0
flags 0x00000002
reserved1 0
reserved2 0
Section
sectname __unwind_info
segname __TEXT
addr 0x0000000100004f6c
size 0x0000000000000094
offset 20332
align 2^2 (4)
reloff 0
nreloc 0
flags 0x00000000
reserved1 0
reserved2 0
Load command 2
cmd LC_SEGMENT_64
cmdsize 632
segname __DATA
vmaddr 0x0000000100005000
vmsize 0x0000000000001000
fileoff 20480
filesize 4096
maxprot 0x00000007
initprot 0x00000003
nsects 7
flags 0x0
Section
sectname __got
segname __DATA
addr 0x0000000100005000
size 0x0000000000000028
offset 20480
align 2^3 (8)
reloff 0
nreloc 0
flags 0x00000006
reserved1 76 (index into indirect symbol table)
reserved2 0
Section
sectname __nl_symbol_ptr
segname __DATA
addr 0x0000000100005028
size 0x0000000000000010
offset 20520
align 2^3 (8)
reloff 0
nreloc 0
flags 0x00000006
reserved1 81 (index into indirect symbol table)
reserved2 0
Section
sectname __la_symbol_ptr
segname __DATA
addr 0x0000000100005038
size 0x0000000000000260
offset 20536
align 2^3 (8)
reloff 0
nreloc 0
flags 0x00000007
reserved1 83 (index into indirect symbol table)
reserved2 0
Section
sectname __const
segname __DATA
addr 0x00000001000052a0
size 0x0000000000000228
offset 21152
align 2^4 (16)
reloff 0
nreloc 0
flags 0x00000000
reserved1 0
reserved2 0
Section
sectname __data
segname __DATA
addr 0x00000001000054d0
size 0x0000000000000028
offset 21712
align 2^4 (16)
reloff 0
nreloc 0
flags 0x00000000
reserved1 0
reserved2 0
Section
sectname __bss
segname __DATA
addr 0x0000000100005500
size 0x00000000000000c0
offset 0
align 2^4 (16)
reloff 0
nreloc 0
flags 0x00000001
reserved1 0
reserved2 0
Section
sectname __common
segname __DATA
addr 0x00000001000055c0
size 0x000000000000008c
offset 0
align 2^3 (8)
reloff 0
nreloc 0
flags 0x00000001
reserved1 0
reserved2 0
Load command 3
cmd LC_SEGMENT_64
cmdsize 72
segname __LINKEDIT
vmaddr 0x0000000100006000
vmsize 0x0000000000004000
fileoff 24576
filesize 13936
maxprot 0x00000007
initprot 0x00000001
nsects 0
flags 0x0
Load command 4
cmd LC_DYLD_INFO_ONLY
cmdsize 48
rebase_off 24576
rebase_size 24
bind_off 24600
bind_size 104
weak_bind_off 0
weak_bind_size 0
lazy_bind_off 24704
lazy_bind_size 1376
export_off 26080
export_size 32
Load command 5
cmd LC_SYMTAB
cmdsize 24
symoff 26168
nsyms 84
stroff 28148
strsize 976
Load command 6
cmd LC_DYSYMTAB
cmdsize 80
ilocalsym 0
nlocalsym 1
iextdefsym 1
nextdefsym 1
iundefsym 2
nundefsym 82
tocoff 0
ntoc 0
modtaboff 0
nmodtab 0
extrefsymoff 0
nextrefsyms 0
indirectsymoff 27512
nindirectsyms 159
extreloff 0
nextrel 0
locreloff 0
nlocrel 0
Load command 7
cmd LC_LOAD_DYLINKER
cmdsize 32
name /usr/lib/dyld (offset 12)
Load command 8
cmd LC_UUID
cmdsize 24
uuid 56CA5A12-AAC5-3B71-8A09-887FCCD88A4E
Load command 9
cmd LC_VERSION_MIN_MACOSX
cmdsize 16
version 10.11
sdk 10.11
Load command 10
cmd LC_SOURCE_VERSION
cmdsize 16
version 251.0
Load command 11
cmd LC_MAIN
cmdsize 24
entryoff 4468
stacksize 0
Load command 12
cmd LC_LOAD_DYLIB
cmdsize 48
name /usr/lib/libutil.dylib (offset 24)
time stamp 2 Thu Jan 1 09:00:02 1970
current version 1.0.0
compatibility version 1.0.0
Load command 13
cmd LC_LOAD_DYLIB
cmdsize 56
name /usr/lib/libncurses.5.4.dylib (offset 24)
time stamp 2 Thu Jan 1 09:00:02 1970
current version 5.4.0
compatibility version 5.4.0
Load command 14
cmd LC_LOAD_DYLIB
cmdsize 56
name /usr/lib/libSystem.B.dylib (offset 24)
time stamp 2 Thu Jan 1 09:00:02 1970
current version 1225.1.1
compatibility version 1.0.0
Load command 15
cmd LC_FUNCTION_STARTS
cmdsize 16
dataoff 26112
datasize 56
Load command 16
cmd LC_DATA_IN_CODE
cmdsize 16
dataoff 26168
datasize 0
Load command 17
cmd LC_CODE_SIGNATURE
cmdsize 16
dataoff 29136
datasize 9376
HackCat:~ Songsangjun$
If you look carefully, every section, load command, library and so on belonging to this binary with the Mach signature is displayed.
It even shows the offset and size of each section, which is reminiscent of objdump's -h option.
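The `otool -l` listing above is just the Mach-O load command table walked in order. As an added example (not from the original post), the following Python parses that table from a constructed 64-bit Mach-O header that reuses the __PAGEZERO, __TEXT and libutil.dylib values shown above, and flags any segment whose initial protection is both writable and executable, a check a reviewer would want when a binary's permissions look off.

```python
import struct

MH_MAGIC_64 = 0xfeedfacf          # little-endian 64-bit Mach-O magic
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0xc
VM_PROT_WRITE, VM_PROT_EXECUTE = 0x2, 0x4

def version_str(v):
    # Mach-O packs versions as X.Y.Z: X in the high 16 bits, Y and Z in one byte each
    return f"{v >> 16}.{(v >> 8) & 0xff}.{v & 0xff}"

def parse_load_commands(data):
    """Walk the load commands of a 64-bit Mach-O image held in memory."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    cmds, off, end = [], 32, 32 + sizeofcmds        # mach_header_64 is 32 bytes
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:      # refuse a command that runs past the table
            raise ValueError("load command overruns sizeofcmds")
        if cmd == LC_SEGMENT_64:
            name, vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags = \
                struct.unpack_from("<16sQQQQiiII", data, off + 8)
            wx = (initprot & (VM_PROT_WRITE | VM_PROT_EXECUTE)) == (VM_PROT_WRITE | VM_PROT_EXECUTE)
            cmds.append({"cmd": "LC_SEGMENT_64", "segname": name.rstrip(b"\0").decode(),
                         "vmaddr": vmaddr, "vmsize": vmsize, "fileoff": fileoff,
                         "filesize": filesize, "maxprot": maxprot, "initprot": initprot, "wx": wx})
        elif cmd == LC_LOAD_DYLIB:
            name_off, _ts, cur, compat = struct.unpack_from("<IIII", data, off + 8)
            raw = data[off + name_off:off + cmdsize]   # NUL-padded path string follows the struct
            cmds.append({"cmd": "LC_LOAD_DYLIB", "name": raw.split(b"\0", 1)[0].decode(),
                         "current": version_str(cur), "compat": version_str(compat)})
        else:
            cmds.append({"cmd": hex(cmd), "cmdsize": cmdsize})
        off += cmdsize
    return cmds

def build_sample():
    """Constructed header: two segments (no section structs) and one dylib, values from the otool -l output."""
    pagezero = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__PAGEZERO", 0, 0x100000000, 0, 0, 0, 0, 0, 0)
    text = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT", 0x100000000, 0x5000, 0, 20480, 7, 5, 0, 0)
    path = b"/usr/lib/libutil.dylib\0"
    dylib = struct.pack("<IIIIII", LC_LOAD_DYLIB, 48, 24, 2, 0x10000, 0x10000) + path.ljust(24, b"\0")
    body = pagezero + text + dylib
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, 3, len(body), 0, 0)
    return header + body

if __name__ == "__main__":
    for c in parse_load_commands(build_sample()):
        print(c)
```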