Find a string memory using lldb

Asked 26/6, 2014 at 13:16 Answered 24/7, 2018 at 9:48

Hello I'm trying to find the address of a string in lldb on mac os.

In GDB I would use the find command with the addresses to search between. But I cannot find such a command for lldb, I know that the string is in the cstring section which in my case is 0x00000000002e4f08-0x000000000032e0a8. But i need to know exactly where.

Mammillary answered 26/6, 2014 at 13:16 Comment(3)

Does it have a symbol you could use? – Anorthosite 26/6, 2014 at 13:32

@Anorthosite I dont know exactly what you mean with symbol, but when i type 'cstring <program>' outside of lldb the string is there so I guess yes? – Mammillary 26/6, 2014 at 15:1

Well if the program has debug info then the answer will be yes, so that will be the best route. Investigate how to query symbol info (possibly image lookup ...). – Anorthosite 26/6, 2014 at 15:15

If you have access to the Xcode 6 pre-release tools, the lldb includes a new memory find command that does this. Enrico added a quick implementation of this command a few months ago.

Lectionary answered 27/6, 2014 at 4:34 Comment(1)

Alright thanks, I dont have access to the tools but I guess there currently is no way, but I found a way around it anyway. – Mammillary 27/6, 2014 at 8:51

A simple example that uses three lldb commands image dump sections, memory find, memory read to find a string inside a stripped, release app.

(lldb) image dump sections MyAppBinary 
[0x0000010462c000-0x00000107744000] 0x0003118000 MyApp`__TEXT
[0x00000107744000-0x00000107d48000] 0x0000604000 MyApp`__DATA
/* removed sections for brevity */

(lldb) mem find -s "youtube" -- 0x00000107744000 0x00000107d48000
data found at location: 0x10793362c
0x10793362c: 79 6f 75 74 75 62 65 2e 63 6f 6d 2f 65 6d 62 65  youtube.com/embe


(lldb) memory read -c100 0x10793362c
0x10793362c: 79 6f 75 74 75 62 65 2e 63 6f 6d 2f 65 6d 62 65  youtube.com/embe
0x10793363c: 64 2f 58 46 67 45 59 75 35 71 66 36 38 3f 61 75  d/XFgccu5qf68?a

If you want some useful Aliases and Scripts for lldb you can visit https://github.com/DerekSelander/LLDB. For example, I prefer Derek's script sections instead of image dump sections MyAppBinary.

Ashcroft answered 24/7, 2018 at 9:48 Comment(3)

what is (lldb) section ? I can't find it as a built-in command ? Is it an aliases you added ? If so what is it alias for ? Thanks – Holystone 8/3, 2020 at 19:46

Great comment @AymenTM. So sorry. I was using the Aliase from these scripts: github.com/DerekSelander/LLDB. Let me update my answer. – Ashcroft 9/3, 2020 at 14:26

I'll also add that you can use memory region <some address> to find the memory region that contains <some address>, which can be useful for finding values on the runtime stack. – Standice 23/10, 2021 at 21:43

If you have access to the Xcode 6 pre-release tools, the lldb includes a new memory find command that does this. Enrico added a quick implementation of this command a few months ago.

Lectionary answered 27/6, 2014 at 4:34 Comment(1)

Alright thanks, I dont have access to the tools but I guess there currently is no way, but I found a way around it anyway. – Mammillary 27/6, 2014 at 8:51

Recommended topics

Hot tags