How do I search process memory for a specific byte string from gdb?

Time: 2017-12-19 11:54:09

Tags: gdb

I am trying to understand how gdb's find works. At first sight its behaviour is... weird, if not buggy:

(gdb) p *(char*)0x464408@50
$5 = "untrusted comment: minisign public key 99312DBDB49"

(gdb) find 0x464000, 0x465000, "minisign public key"
Pattern not found.

Which warrants a WTF... the string is right there at address 0x464408, yet find cannot find it?

Let's try hexdumping the string? Maybe a NUL character is interfering?

(gdb) p/x *(unsigned char*)0x464408@10
$8 = {0x75, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x20}

(gdb) find 0x464000, 0x465000, 0x75, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x20
Pattern not found.

Nope.

What is going wrong?

1 Answer

Answer 0 (score: 2)

You have to add /b for bytes:

(gdb) find /b 0x464000, 0x465000, 0x75, 0x6e, 0x74, 0x72, 0x75, 0x73, 0x74, 0x65, 0x64, 0x20
0x464408
1 pattern found.

help find says this, maybe a bit buried for hasty eyes:

(gdb) help find
Search memory for a sequence of bytes.
Usage:
find [/size-char] [/max-count] start-address, end-address, expr1 [, expr2 ...]
find [/size-char] [/max-count] start-address, +length, expr1 [, expr2 ...]
size-char is one of b,h,w,g for 8,16,32,64 bit values respectively,
and if not specified the size is taken from the type of the expression
in the current language.
Note that this means for example that in the case of C-like languages
a search for an untyped 0x42 will search for "(int) 0x42"
which is typically four bytes.

The address of the last match is stored as the value of "$_".
Convenience variable "$numfound" is set to the number of matches.

Still, you'd better convert your string to hex bytes beforehand; find /b <start>, <end>, "literal string" can (very helpfully) do that for you:

gdb
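As an added example (not part of the question or the answer above), the Python helper below does the conversion the answer recommends, building the explicit `find /b` byte list from a string, and it mimics gdb's matching on the 50 bytes the question printed at 0x464408 so both failures on the page can be reproduced offline. Two facts drive the two failures: a C string literal evaluated by gdb is a char array that still carries its terminating NUL, so "minisign public key" as a pattern also demands a 0x00 after the final y (in the question's memory a space follows it instead); and, as the help text says, an untyped 0x75 is searched as a four-byte int. The sample memory is constructed from the question's output; `run_in_gdb` assumes the `gdb` Python module, i.e. that the file has been loaded into a live gdb session with `source`, and everything else runs stand-alone.

```python
import struct

# Constructed sample: the 50 bytes the question printed at 0x464408.
SAMPLE_BASE = 0x464408
SAMPLE_MEMORY = b"untrusted comment: minisign public key 99312DBDB49"


def pattern_bytes(text, include_nul=False):
    """Encode the search text as raw bytes.

    gdb evaluates a C string literal to a char array that carries its
    terminating NUL, so `find start, end, "text"` looks for text + 0x00.
    include_nul=True reproduces that; the default drops the NUL, which is
    what you want when the string continues in memory (as it does in the
    question: a space follows "key", not a NUL).
    """
    data = text.encode("ascii")
    return data + b"\x00" if include_nul else data


def untyped_int_pattern(values, little_endian=True):
    """Bytes gdb actually searches for when each value is untyped and no
    /size-char is given: every value widened to a 4-byte C int, which is
    why `find start, end, 0x75, 0x6e, ...` found nothing."""
    fmt = ("<" if little_endian else ">") + "i" * len(values)
    return struct.pack(fmt, *values)


def find_b_command(start, end, text, include_nul=False):
    """The gdb command line that searches [start, end) for the bytes of
    `text`, each given explicitly as a /b (8-bit) value."""
    hexes = ", ".join("0x%02x" % b for b in pattern_bytes(text, include_nul))
    return "find /b 0x%x, 0x%x, %s" % (start, end, hexes)


def search_raw(memory, base, needle):
    """Pure-Python stand-in for gdb's search: absolute addresses of every
    occurrence of `needle` in `memory`, which is assumed to start at `base`."""
    hits, pos = [], memory.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = memory.find(needle, pos + 1)
    return hits


def search(memory, base, text, include_nul=False):
    """Search for a string the way `find` does with a bare literal
    (include_nul=True) or with explicit /b bytes (include_nul=False)."""
    return search_raw(memory, base, pattern_bytes(text, include_nul))


def run_in_gdb(start, end, text):
    """Run the /b search in a live gdb session and return the reported
    match addresses.  Assumes the `gdb` Python module, i.e. that this
    file was loaded with `source` inside gdb."""
    import gdb  # only importable inside gdb
    out = gdb.execute(find_b_command(start, end, text), to_string=True)
    # Result lines look like "0x464408" or "0x464408 <sym+off>".
    return [int(line.split()[0], 16) for line in out.splitlines()
            if line.startswith("0x")]


if __name__ == "__main__":
    print(find_b_command(0x464000, 0x465000, "minisign public key"))
    # Bare-literal semantics (implicit NUL): no match, as in the question.
    print(search(SAMPLE_MEMORY, SAMPLE_BASE, "minisign public key", include_nul=True))
    # Explicit /b bytes: one match, at 0x464408 + 19.
    print([hex(a) for a in search(SAMPLE_MEMORY, SAMPLE_BASE, "minisign public key")])
    # Untyped 0x75, 0x6e, 0x74 widened to ints: no match either.
    print(search_raw(SAMPLE_MEMORY, SAMPLE_BASE, untyped_int_pattern([0x75, 0x6e, 0x74])))
```

Run it with `python3` to see the three results, or `source` it from gdb and call `run_in_gdb(0x464000, 0x465000, "minisign public key")` from `python` to get the real addresses; the pure-Python `search` is only a model of gdb's matching, not a replacement for it.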