When I run this command
otool -t binary
otool will correctly dump the text section of binary. E.g.
0000000100002100 55 48 89 e5 41 56 53 48 8b 35 32 24 54 00 4c 8b
:
But when I run this command:
otool -tvV binary
otool skips a huge part of the text section:
00000001003a32ce pushq %rbp
:
The first 3805646 bytes are simply skipped and not disassembled. If I open the binary in lldb, I can disassemble code at the skipped addresses just fine.
Has anyone ever made similar experiences? Does otool maybe have an internal size limit and truncates sections beyond that limit? Has anyone discovered a work-around or knows a comparable tool that is available for free?
I tried to disassemble the whole binary with lldb:
lldb binary
(lldb) dis -s 0x100002100 -e ...
Setting -e to the address of the last byte in the text section but that doesn't work either. Actually lldb stops output after disassembling about 5000 bytes of the text section.
I've seen this before and I believe otool is (annoyingly) skipping to the first symbol. If you do nm -n binary, is the first defined symbol at 00000001003a32ce?
Xcode ships with another tool, called otool-classic, that seems to disassemble the whole text segment. Presumably, it's an older version of otool before a rewrite or something like that. While it gets the whole text segment, it's possible it is less featureful in other ways (such as decoding references to selectors or strings). To invoke it, you use xcrun otool-classic <args>.
In my testing, you can also use the version of otool that comes with an earlier version of Xcode. The ones from Xcode 7.3.1 and Xcode 6.4 don't have this problem. (Those are the ones I happen to have handy to test. Others probably also work.)