llvm / llvm-project

The LLVM Project is a collection of modular and reusable compiler and toolchain technologies.
http://llvm.org

lldb - nicer command to search for Bytes #47365

Open llvmbot opened 3 years ago

llvmbot commented 3 years ago
Bugzilla Link 48021
Version unspecified
OS MacOS X
Reporter LLVM Bugzilla Contributor
CC @JDevlieghere,@jimingham

Extended Description

lldb-1200.0.32.1

```c
/*** sample code ***/
// Baboon
// 0x42, 0x61, 0x62, 0x6f, 0x6f, 0x6e
#include <stdio.h>

// 7 elements, 6 initialisers: the last int is zero and terminates the loop below
const int animalByteArray[7] = { 66, 97, 98, 111, 111, 110 };

void foo_func (const void *ptr) {
    printf ("\n[*]Pointer: %p.\n", ptr); /* breakpoint here */
}

int main (void) {
    const int *ptr = animalByteArray;

    puts ("[*]Can you change the animal?\n");
    for (; *ptr != '\0'; ++ptr)
        printf ("%c", *ptr);

    foo_func (ptr);
    return 0;
} /***/
```

```
// Once breakpoint fires, get start and end positions for Memory Search
(lldb) section
[0x00000100000000-0x00000100004000] 0x0000004000 objc_play`__TEXT

// Memory find for "B", max matches of three, from start to end address
(lldb) mem find -s "B" -c 3 -- 0x00000100000000 0x00000100004000     WORKS
(lldb) mem find -s "B " -c 3 -- 0x00000100000000 0x00000100004000    WORKS
```

But I try something more intuitive:

```
(lldb) mem find -s "Ba" -c 3 -- 0x00000100000000 0x00000100004000            FAILS
(lldb) mem find -s "Baboon" -c 3 -- 0x00000100000000 0x00000100004000        FAILS
(lldb) mem find -e "\42\61" -c 10 -- 0x00000100000000 0x00000100004000       FAILS
(lldb) mem find -e "\x42\x61" -c 10 -- 0x00000100000000 0x00000100004000     FAILS
```

If I try the same with radare2 tools:

```
▶ rabin2 -qz objc_play
0x100003f60 28 6 Baboon
```

Ultimately, I am trying to figure out how to write the byte buffer I pass the lldb-python SBProcess.ReadMemory API.

llvmbot commented 3 years ago

Thanks for responding, Mr Ingham.

I really like your expression example. What a neat idea:

"int $arr[3] = {66, 97, 98 }; $arr"

Before reading your reply, I was thinking a humbler change to the -s flag where you could pass in an array of Int values or hex values.

```
{ 66, 97, 98, 111, 111, 110 }
{ 0x42, 0x61, 0x62, 0x6f, 0x6f, 0x6e }
```

jimingham commented 3 years ago

The array with Baboon in memory that you are trying to find is:

```
0x100003f60: 42 00 00 00 61 00 00 00 62 00 00 00 6f 00 00 00  B...a...b...o...
0x100003f70: 6f 00 00 00 6e 00 00 00 00 00 00 00 0a 5b 2a 5d  o...n........[*]
```

which makes sense because you made an array of ints, and then put one char in each int.

But the string you provided is an array of chars, so it won't have all the intervening 0's:

```
0x1001420f0: 42 61 62 6f 6f 6e 00 00 00 00 00 00 00 00 00 00  Baboon..........
```

So the patterns don't in fact match.

OTOH, using a string to provide an array of bytes doesn't seem to work very well when the array of bytes contains \0... And for some reason the expression result is limited to 8 bytes, so you can't do something reasonable like:

```
(lldb) mem find -e "int $arr[3] = {66, 97, 98 }; $arr" -c 3 0x0000000100000000 0x0000000100004000
error: result size larger than 8 bytes. pass a string instead
```

So we do need to find some more convenient way of providing byte patterns here.
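As an added example (not code from the issue, from lldb, or from the reporter's script), the following shows the layout mismatch jimingham describes and the byte buffer one would actually need for an int[] target, the same buffer the reporter wants to compare against SBProcess.ReadMemory output. The two memory regions are constructed stand-ins for the dumps quoted above, the addresses 0x100003f60 and 0x1001420f0 are taken from those dumps, and the helpers are hypothetical, not an lldb API.

```python
import struct

# Constructed stand-in for the memory dumped at 0x100003f60: the int array
# {66, 97, 98, 111, 111, 110, 0} as little-endian 4-byte ints, followed by the
# start of the "\n[*]Pointer" literal that follows it in the dump.
INT_ARRAY_REGION = struct.pack("<7i", 66, 97, 98, 111, 111, 110, 0) + b"\n[*]Pointer"
# Constructed stand-in for the char array at 0x1001420f0 (a C string literal).
CHAR_ARRAY_REGION = b"Baboon" + b"\x00" * 10


def int_array_pattern(values, width=4, byteorder="little"):
    """Encode C int values the way they sit in memory: each padded to `width` bytes.

    This is the pattern to search for when the target array is int[], not char[];
    {66, 97, 98} becomes 42 00 00 00 61 00 00 00 62 00 00 00 on a little-endian host.
    """
    return b"".join(v.to_bytes(width, byteorder, signed=True) for v in values)


def find_all(region, pattern, base=0, max_matches=3):
    """Return addresses (base + offset) of up to max_matches occurrences of pattern,
    mirroring what 'mem find -c N' reports over a region read from the process."""
    hits = []
    start = 0
    while len(hits) < max_matches:
        idx = region.find(pattern, start)
        if idx < 0:
            break
        hits.append(base + idx)
        start = idx + 1
    return hits


if __name__ == "__main__":
    # "Baboon" as a char pattern is absent from the int array but present in the char array.
    print([hex(a) for a in find_all(INT_ARRAY_REGION, b"Baboon", base=0x100003F60)])
    print([hex(a) for a in find_all(CHAR_ARRAY_REGION, b"Baboon", base=0x1001420F0)])
    # A single byte "B" matches the int array, exactly as the reporter observed.
    print([hex(a) for a in find_all(INT_ARRAY_REGION, b"B", base=0x100003F60)])
    # The int-encoded pattern is what finds the array.
    print([hex(a) for a in find_all(INT_ARRAY_REGION, int_array_pattern([66, 97, 98]), base=0x100003F60)])
```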