2

I'm trying to find a string value stored in memory by a binary (possibly written in C) that won't show up when I perform "strings a.out". I have tried examining particular memory addresses of interest that I have picked out from the assembly code but with no success. Thus, I am looking to try and print all the string values stored in memory (or char* arrays) by the program. Is there a way to do this? (note: the file does not contain debugging info). Thanks!

Improve this question
1
  • 1
    You could, for example, run strings on a memory dump or the memory virtual files linux exposes.
    – NirIzr
    Commented Nov 20, 2018 at 19:16

1 Answer 1

Reset to default
3

If the executable is not compiled statically, I think the easiest way is to inject a shared object (.so) with LD_PRELOAD to hook/overload the function which prints it and display the address of the buffer. If you disable ASLR, you should be able to set a memory breakpoint on the string address and then figure out how it was 'encrypted'. Another solution is to print the return address using __builtin_return_address.

Improve this answer

Not the answer you're looking for? Browse other questions tagged or ask your own question.