3

I want to get the entry point address of a Mach-O executable. I have read that the otool command (-l option) is able to show us the Mach-O entry point. I have tried, but I do not see the entry point. I've tried on both 32- and 64-bit executables. If I print the address of the main function, I see the last 3 digits are the same between 2 executions. But I see the other digits changing...

Bob5421
  • 3
    Most binaries today are relocated at runtime, so if you're retrieving the address at runtime, you're getting the expected result. If you're doing static operations, you can find the entry point either as part of the `LC_MAIN` command in the Mach-O header for newer files (see [`/usr/include/mach-o/loader.h`](https://opensource.apple.com/source/xnu/xnu-3248.60.10/EXTERNAL_HEADERS/mach-o/loader.h), search for `LC_MAIN`/`struct entry_point_command`), or if `LC_UNIXTHREAD` is present, as the address of the `start` symbol as exported in the symbol table. See also https://stackoverflow.com/a/14422570 – Siguza Aug 19 '16 at 19:05

2 Answers

0

Try using the "Hopper" application. This is very useful for displaying the contents of a Mach-O executable and sections of its code. https://www.hopperapp.com

YeaTheMans
0

otool calls it "entryoff", short for "entry offset" presumably. For example, I compiled curl on my M1 (i.e. ARM) Mac and ran this command:

```
$ otool -l src/curl | grep entry
  entryoff 83892
```

83892 is 0x147b4 in hexadecimal. Running

```
objdump -d --macho src/curl | less
```

and searching for "147b4", we find the _main function:

```
_main:
1000147b4:      ff 03 03 d1     sub     sp, sp, #192
1000147b8:      fd 7b 0b a9     stp     x29, x30, [sp, #176]
1000147bc:      fd c3 02 91     add     x29, sp, #176
1000147c0:      e8 03 01 aa     mov     x8, x1
[...]
```
Boris Verkhovskiy
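
An added example, not part of the answers above: a small Python parser that walks the load commands of a thin little-endian Mach-O, reads `entryoff` from `LC_MAIN`, and adds the `__TEXT` segment's `vmaddr` to get the unslid address that objdump prints. `find_entry` and `build_sample` are hypothetical names, and the sample image is constructed to mirror the numbers in the answer; fat and big-endian files are not handled.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64, LC_MAIN = 0x1, 0x19, 0x80000028  # values from mach-o/loader.h

def find_entry(data):
    """Return (entryoff, unslid entry address) for a thin little-endian Mach-O."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O (fat/big-endian not handled)")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off = 32 if magic == MH_MAGIC_64 else 28   # size of mach_header_64 / mach_header
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    entryoff = text_vmaddr = None
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize in load command")
        body = data[off:off + cmdsize]   # reads below cannot cross into the next command
        if cmd == LC_MAIN:               # struct entry_point_command
            (entryoff,) = struct.unpack_from("<Q", body, 8)
        elif cmd in (LC_SEGMENT, LC_SEGMENT_64) and body[8:24].rstrip(b"\0") == b"__TEXT":
            fmt = "<Q" if cmd == LC_SEGMENT_64 else "<I"
            (text_vmaddr,) = struct.unpack_from(fmt, body, 24)
        off += cmdsize
    if entryoff is None:
        raise ValueError("no LC_MAIN; older binaries use LC_UNIXTHREAD instead")
    if text_vmaddr is None:
        raise ValueError("no __TEXT segment")
    # entryoff is relative to the start of __TEXT; at runtime the ASLR slide is added on top.
    return entryoff, text_vmaddr + entryoff

def build_sample(entryoff=83892, vmaddr=0x100000000):
    """Constructed header-only image (not a real binary); numbers mirror the answer above."""
    def seg(name, addr, size):
        return struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, name, addr, size, 0, 0, 0, 0, 0, 0)
    cmds = seg(b"__PAGEZERO", 0, vmaddr) + seg(b"__TEXT", vmaddr, 0x4000)
    cmds += struct.pack("<IIQQ", LC_MAIN, 24, entryoff, 0)
    return struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 3, len(cmds), 0, 0) + cmds

if __name__ == "__main__":
    off, addr = find_entry(build_sample())
    print(f"entryoff {off} -> unslid address {addr:#x}")
```

To run it on a real file, pass `open(path, "rb").read()` to `find_entry`; the address a running process prints for `main` differs from the returned value by the page-aligned ASLR slide.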