wtf is otx?
otx stands for "object tool extended". It uses otool (object tool) to disassemble a Mach-O executable file, then enhances the disassembled output. Simple enhancements include adding the machine code of each instruction and the offset of each instruction from the beginning of a function. More complicated enhancements include displaying the names and data types of Objective-C methods even if symbols have been stripped, and adding comments that describe member variables, function calls, static data and more.
otx users should have Apple's developer tools installed. The otx distribution includes both a GUI application and a command line utility, for your convenience. You can use either or both, as you see fit.
but why?
otool is good at disassembling an entire executable, but its disassembly doesn't include much symbolic information. gdb is good at providing symbolic information in its disassembly, but it's a PITA when you want to disassemble an entire executable.
otx offers the best of both worlds.
otx main window

There are several ways to open an executable file with otx. You can drop a file onto the main window, or onto otx's icon either in the Finder or Dock. You can also use the "Open…" command in otx's File menu. If you drop a package (.app, .menu, .plugin etc.) onto otx, it will open the package's main executable file. However, if you want to open secondary executable files inside an application package, such as frameworks, they must be located and opened manually.
otx can open almost any Mach-O executable file you're likely to use: PPC or x86, single architecture or universal binary. When you open a universal binary, the popup menu shown above allows you to select which architecture to disassemble. If you have lipo installed (included in Apple's developer tools), you can easily create a new executable from the selected architecture with the "Thin" button.
If you have obfuscated your code, you may find that otool's disassembly is less than desirable. To assist you, otx includes a very basic deobfuscator. By using the "Verify" button shown above, you can verify that otool will be able to correctly disassemble your executable. If this verification fails, otx will ask if you would like to save a deobfuscated copy of your executable. Should you choose to do so, the deobfuscated copy will be automatically opened for further processing. Currently, deobfuscation is only necessary for x86 executables.
otx Preferences: General pane

Show local offsets
Displays the distance in bytes from the beginning of a function to each instruction.
+196 00002c44 3c5f0002 addis r2,r31,0x2
or
00002c44 3c5f0002 addis r2,r31,0x2
Separate logical blocks
Prints blank lines between logical blocks of code. A logical block is sometimes called a basic block, and is defined as a sequence of instructions with a single entry point and a single exit point. Separating logical blocks makes it easier to visualize the flow of control within a function.
+52 000033d4 384bffd0 addi r2,r11,0xffd0
+56 000033d8 5440063e rlwinm r0,r2,0,24,31
+60 000033dc 2b800009 cmplwi cr7,r0,0x9
+64 000033e0 409d0014 ble cr7,0x33f4
+68 000033e4 380bffbf addi r0,r11,0xffbf
+72 000033e8 5400063e rlwinm r0,r0,0,24,31
+76 000033ec 2b800019 cmplwi cr7,r0,0x19
+80 000033f0 419d0098 bgt cr7,0x3488
+84 000033f4 39200000 li r9,0x0
+88 000033f8 4800000c b 0x3404
or
+52 000033d4 384bffd0 addi r2,r11,0xffd0
+56 000033d8 5440063e rlwinm r0,r2,0,24,31
+60 000033dc 2b800009 cmplwi cr7,r0,0x9
+64 000033e0 409d0014 ble cr7,0x33f4
+68 000033e4 380bffbf addi r0,r11,0xffbf
+72 000033e8 5400063e rlwinm r0,r0,0,24,31
+76 000033ec 2b800019 cmplwi cr7,r0,0x19
+80 000033f0 419d0098 bgt cr7,0x3488
+84 000033f4 39200000 li r9,0x0
+88 000033f8 4800000c b 0x3404
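The basic-block rule described above can be reproduced on a plain listing. The following Python sketch is an added example, not otx's own code: it starts a new block after every branch and at every branch target. The function names, the regular expression and the rule that link-register calls do not end a block are assumptions made for this illustration.

```python
import re

# Constructed input: the PPC sample listing shown on this page.
SAMPLE = """\
+52 000033d4 384bffd0 addi r2,r11,0xffd0
+56 000033d8 5440063e rlwinm r0,r2,0,24,31
+60 000033dc 2b800009 cmplwi cr7,r0,0x9
+64 000033e0 409d0014 ble cr7,0x33f4
+68 000033e4 380bffbf addi r0,r11,0xffbf
+72 000033e8 5400063e rlwinm r0,r0,0,24,31
+76 000033ec 2b800019 cmplwi cr7,r0,0x19
+80 000033f0 419d0098 bgt cr7,0x3488
+84 000033f4 39200000 li r9,0x0
+88 000033f8 4800000c b 0x3404
""".splitlines()

# Optional "+offset", then address, machine code, mnemonic, operands.
LINE_RE = re.compile(
    r"^(?:\+\d+\s+)?([0-9a-f]{8})\s+[0-9a-f]{8}\s+(\S+)(?:\s+(\S+))?")
# Assumption: every PPC mnemonic starting with "b" is a branch; calls that set
# the link register fall through on return, so they do not end a block here.
CALLS = {"bl", "bla", "bctrl", "blrl"}

def parse(line):
    """Return (address, mnemonic, operands), or None for a non-instruction line."""
    m = LINE_RE.match(line.strip())
    return (int(m.group(1), 16), m.group(2), m.group(3) or "") if m else None

def branch_target(operands):
    """Last operand as an address if it is a hex literal (e.g. 'cr7,0x33f4')."""
    last = operands.split(",")[-1]
    return int(last, 16) if last.startswith("0x") else None

def separate_blocks(lines):
    """Insert an empty line before every instruction that starts a basic block."""
    parsed = [parse(l) for l in lines]
    leaders, after_branch = set(), False
    for p in parsed:
        if p is None:
            after_branch = False
            continue
        addr, mnemonic, operands = p
        if after_branch:                      # single exit: branch ends a block
            leaders.add(addr)
        after_branch = mnemonic.startswith("b") and mnemonic not in CALLS
        if after_branch and branch_target(operands) is not None:
            leaders.add(branch_target(operands))   # single entry: target starts one
    out = []
    for line, p in zip(lines, parsed):
        if p and p[0] in leaders and out and out[-1] != "":
            out.append("")
        out.append(line)
    return out
```

On the sample, `separate_blocks(SAMPLE)` places the blank lines after the `ble` at +64 and after the `bgt` at +80; the instruction at +84 is both the fall-through of the `bgt` and the target of the `ble`.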
Show data sections
Prints the contents of all data sections at the end of the output file. This option is similar to otool's -d flag, but it also displays the ASCII representation of the data, and it groups the data from both PPC and x86 executables into four-byte words.
Entab text
Replaces multiple spaces with tabs where possible. This option reduces the output file size, but the output will look strange if your viewer's tab stop is not set to four spaces.
Show md5 checksum
Includes the md5 checksum of the executable file at the beginning of the output file.
Show method types
Displays the data type of Objective-C methods.
-(unsigned int)[CDropBox draggingEntered:]
or
-[CDropBox draggingEntered:]
Note: The data type of an Objective-C method is currently only displayed at the method's definition, not at each call site.
Show verbose msgSends
Attempts to display calls to objc_msgSend and its variants in a more recognizable Objective-C-like syntax.
+1300 00019f64 4bfeff03 bla 0xfffeff00 _objc_msgSend_rtp
or
+1300 00019f64 4bfeff03 bla 0xfffeff00 +[NSString stringWithCString:encoding:]
Show variable types
Displays the data type of Objective-C instance variables.
+100 00003564 807f0068 lwz r3,0x68(r31) (NSString)mOutputFileName
or
+100 00003564 807f0068 lwz r3,0x68(r31) mOutputFileName
Demangle names
Attempts to revert mangled C++ symbols to their original form. This option requires c++filt to be installed. c++filt is included in Apple's developer tools.
_Znwm
or
operator new(unsigned long)
otx Preferences: Output pane

Filename
otx can use the name of the executable when creating the output file, or you may specify a name to use for all output files. You may also specify a filename extension, or let otx use the default "txt". These text fields are only starting points; they can always be overridden by the "Output:" text field in the main window.
Location
This option instructs otx to place the output file in the same folder as the executable (or the .app package) or to ask you where to save the output file.
Open file with application
If you would like otx to open the output file immediately after it is created, enter the name of your preferred viewer in this text field. Capitalization is ignored.