Since otool and otx can’t disassemble the packed binary, Andreas Gumundsson wrote a quick tool to do that job, using Udis86, a disassembler library for x86 and AMD64. Check the source to see the required compiler options.

Example usage:

$ ./disas -f mmpress.i386 -t macho | head -10
Found entrypoint inmemory address 0xd6b0
NCMDS 2
CMD 1
Looking in __MPRESS__v.1.21
Found entrypoint file offset 0x36b0
sub ebx, ebx
mov edi, ebx
call 0xd6b9
pop eax
add eax, 0x27c

Original source available here, and a local copy here.

By the way, Blackhat USA and DEFCON will have a few OS X related presentations! Good luck to Ghalen on his presentation about Runtime kernel patching (I started exploring this subject but since I’m a lame ass coder I couldn’t finish it hehehehe! Glad he did it so I can try to implement some ideas I had).

fG!