
Question about hex search

Open vmprog opened this issue 4 years ago • 2 comments

I'm looking for a sequence of bytes, but I can't see them:

r2 frida://spawn/usb//com.vmcorp.androidndkexample
[0x7ba65c58]>\dc
[0x7ba65c58]> \/x 8cb01a4a7a44
Searching 6 bytes in [0xffff0000-0xffff1000]
hits: 1
0x7ba65c58 hit0_0 8cb01a4a7a44
[0x00000000]> s 0x7ba65c58
[0x7ba65c58]> pd 5
            ;-- hit0_0:
            0x7ba65c58      ffffffff       invalid
            0x7ba65c5c      ffffffff       invalid
            0x7ba65c60      ffffffff       invalid
            0x7ba65c64      ffffffff       invalid
            0x7ba65c68      ffffffff       invalid
[0x7ba65c58]> \dm.
0x7ba5d000 - 0x7ba75000 r-x /data/app/com.vmcorp.androidndkexample-1-aKuwvB6vZHOCZpyn_DNA==/base.apk 

Why can't I see the found byte sequence?

vmprog avatar May 04 '21 17:05 vmprog

Hi,

Can you please share your sample? Can you execute this command after the seeking?

s 0x7ba65c58 ; x 16

Is this value going onto the stack or heap?

enovella avatar May 05 '21 09:05 enovella

Hi, Eduardo.

My simple apk: https://drive.google.com/file/d/17N0Va57ql3SpeePy_DyMyWvJpEo0M2-D/view?usp=sharing

The desired sequence of bytes "8cb01a4a7a44" is located in libnative-lib.so

0x7bbccc58 hit0_0 8cb01a4a7a44
[0x00000000]> s 0x7bbccc58 ; x 16
- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF
0x7bbccc58  ffff ffff ffff ffff ffff ffff ffff ffff  ................
[0x7bbccc58]>

//Is this value going onto the stack or heap? I don't know how to find out:(

vmprog avatar May 05 '21 10:05 vmprog

Can you please try again? I think all those bugs are fixed now.

trufae avatar Nov 27 '23 17:11 trufae