• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: otool addresses
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: otool addresses

  • Subject: Re: otool addresses
  • From: Jeff Johnson <email@hidden>
  • Date: Sun, 31 Aug 2008 22:16:03 -0500
Martin,

The output of "otool -otV" gives you addresses relative to virtual memory rather than to the object file.

Say you're looking at a particular address in the output. Let's call it "addy". The offset in the file will be as follows:

(offset of architecture) + (offset of section) + addy - (vmaddr of section)

If you do "otool -fv", it will give you file offsets for each architecture. For example, on Mac OS X 10.4.11, "otool -fv /usr/lib/ libobjc.A.dylib" gives offset 4096 (0x1000) for architecture i386. And if you look at 0x1000 in the file, you see "CEFAEDFE", which is little-endian FEEDFACE.

Then you can use "size -m -l -x" to find the vmaddr and file offsets of the segments and sections. For example, "size -m -l -x /usr/lib/ libobjc.A.dylib" gives vmaddr 0x90a57fa0 and fileoff 4000 (0xfa0) for section __text, vmaddr 0xa0a6c000 and fileoff 610304 (0x95000) for segment __OBJ.

Suppose that addy is 0x90a57fac (__objc_notify_images) in the __text section. In the object file the offset will be as follows:

0x1000 + 0xfa0 + 0x90a57fac - 0x90a57fa0 = 0x1fac

-Jeff


On Aug 31, 2008, at 9:05 PM, Martin Redington wrote:

Not an Xcode question as such, but this list seemed to be the most
likely forum to get a reply from ...

I've got an original binary, and a cracked version. I am the original author.

If I dump the two binaries with od, and diff the output, I can see
that a few bytes have been changed in two locations, and I have the
addresses for those locations.

I can see the most likely method call for hacking (to make the
cracker's job somewhat easier, I named the method something like
checkRegistration), which funnily enough, is called from two different
locations.

But, when I run "otool -otV" on the binary, the addresses I see (after
the hex->octal conversion) don't match up to the locations of the
changes I'm actually seeing in the binary.

So, to get to my actual question ...

When I'm looking at the otool output, do the offsets represent
absolute offsets within the binary, or to some kind of internal point
of reference (e.g. the start of the objective-C segment)?

Assuming that they are not absolute offsets (in the otool output), how
can I convert from the otool output to actual offsets in the binary,
or vice versa.

   cheers,
             m.

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xcode-users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden






References: 


 >otool addresses (From: "Martin Redington" <email@hidden>)






    

  • Prev by Date:
Re: otool addresses

    • 

  • Next by Date:
Xcode locking up in building

    • 

  • Previous by thread:
Re: otool addresses

    • 

  • Next by thread:
Xcode locking up in building

    • 

  • Index(es):

      

    • Date
      • 

    • Thread
      • 

    

    •