Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>Assuming its an ELF or similarily structured binary, you have to take into account the address where stuff is loaded, which is influenced by things in the ELF header. </p> <p>Using <code>objdump -Fd</code> on your binary, you can have the disassembler also show the exact file offset of a symbol.</p> <p>Using <code>objdump -x</code> you can find this loader address, usually 0x400000 for standard linux executables.</p> <p>The next thing you have to be careful with is to see if its an indirect string, this you can do most easily by using <code>objdump -g</code>. When the string is found as being an indirect string, at the position output by <code>objdump -Fd</code> you will not find the string, but the address. From this you need to subtract the loader address again. Let me show you an example for one of my binaries:</p> <pre><code>objdump -Fd BIN | grep VersionString 45152f: 48 8b 1d 9a df 87 00 mov 0x87df9a(%rip),%rbx # ccf4d0 &lt;acVersionString&gt; (File Offset: 0x8cf4d0) objdump -x BIN ... LOAD off 0x0000000000000000 vaddr 0x0000000000400000 paddr 0x0000000000400000 align 2**12 ... </code></pre> <p>So we look at 0x8cf4d0 in the file and find in the hexeditor:</p> <pre><code>008C:F4D0 D8 C1 89 00 00 00 00 00 01 00 00 00 FF FF FF FF </code></pre> <p>So we take the 0x89C1D8 there, subtract 0x400000 and have 0x49c1d8 and when we look there in the hexeditor we find:</p> <pre><code>0049:C1D0 FF FF 7F 7F FF FF 7F FF 74 72 75 6E 6B 5F 38 30 0049:C1E0 34 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 </code></pre> <p>Which means "trunk_8043".</p> <p>YMMV, especially when its some other file format, but that is the general way on how these things are structured, with lots of warts and details that deviate for special cases.</p>
    singulars
    1. This table or related slice is empty.
    1. POOffset in nm symbol value?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. This table or related slice is empty.
    1. USPlasmaHH
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COOk, thanks, I feel like you answered it. What I was hoping for was to be able to get the string without scanning the entire file (or diassembling it). By the way, my version of objdump doesn't have the -F option (i'm using GNU objdump 2.17.50.0.6-20.el5 20061020).
      singulars
      1. PO
      1. USSimon
    2. CO@Simon: That is a pretty ancient version of objdump (I can't even remember anymore how 2006 was like). You can get this fileoffset on your own by subtracting the same `0x400000` offset from the `0xccf4d0`. Maybe there is also a tool that does all those things for your, or you could write yourself a small script..
      singulars
      1. PO
      1. USPlasmaHH
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload