
Use dtrace, lldb or gdb to find which file or line of code was responsible for a line of output in stdout or stderr?

Reverse Engineering Asked by forgodsakehold on April 8, 2021

I see a string being output to my Terminal when I run an executable. I have the source code (in C) of the executable, but it was not written by me. I compiled it with the -g flag. Is there any way to know which line in which file resulted in the output, with dtrace, lldb, gdb, or any other means?

I am using macOS 10.13. When I ran gdb and the following:
catch syscall write

I got this error:
The feature ‘catch syscall’ is not supported on this architecture yet.

Is there any way that can achieve my goal?

One Answer

You can use strace:

strace --instruction-pointer --stack-traces -e write ./your-app

This will show the place in the binary, for instance:

[00007fe942df6537] write(1, "c", 1c)     = 1
 > /usr/lib64/libc-2.31.so(write+0x17) [0xf2537]
 > /usr/lib64/libc-2.31.so(_IO_file_write@@GLIBC_2.2.5+0x2c) [0x8285c]
 > /usr/lib64/libc-2.31.so(new_do_write+0x65) [0x81b95]
 > /usr/lib64/libc-2.31.so(_IO_do_write@@GLIBC_2.2.5+0x18) [0x83948]
 > /usr/lib64/libc-2.31.so(_IO_file_sync@@GLIBC_2.2.5+0xa7) [0x819b7]
 > /usr/lib64/libc-2.31.so(_IO_fflush+0x85) [0x76595]
 > /tmp/a.out(main+0x62) [0x4011a8]
 > /usr/lib64/libc-2.31.so(__libc_start_main+0xf1) [0x27041]
 > /tmp/a.out(_start+0x2d) [0x40108d]

This means that 0x4011a8 (main+0x62). You can use your favourite disassembler to tell what place in code that is.

Edit: oh damn, I didn't realize there's no strace for macOS. I think I'll leave the answer though.

Answered by enedil on April 8, 2021
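
The last step of the answer above, going from the strace stack trace to a place in the code, as an added example that is not part of the original answer: it picks the first frame of each write that lies in the program itself and passes its address to addr2line, which uses the -g debug info to print file and line. The function names and the sample trace are constructed for illustration; it assumes Linux with strace and binutils, and that the bracketed value in the trace is an address addr2line accepts for that binary.

```shell
# Added example (not from the answer): find the innermost frame of the traced
# program in `strace --stack-traces` output. Function names are hypothetical.

# Constructed sample, modelled on the output in the answer; the second event
# and its report() frame are invented for illustration.
sample_trace() {
cat <<'EOF'
[00007fe942df6537] write(1, "c", 1) = 1
 > /usr/lib64/libc-2.31.so(write+0x17) [0xf2537]
 > /tmp/a.out(main+0x62) [0x4011a8]
 > /tmp/a.out(_start+0x2d) [0x40108d]
[00007fe942df6537] write(2, "e", 1) = 1
 > /usr/lib64/libc-2.31.so(write+0x17) [0xf2537]
 > /tmp/a.out(report+0x1f) [0x401156]
 > /tmp/a.out(main+0x7d) [0x4011c3]
EOF
}

# app_frames BINARY: read a trace on stdin and print "ADDRESS SYMBOL+OFFSET"
# for the innermost frame of each syscall that belongs to BINARY.
app_frames() {
    awk -v bin="$1" '
        !/^ > / { seen = 0; next }   # a syscall line starts a new event
        seen    { next }             # this event is already reported
        {
            line = substr($0, 4)     # drop the " > " prefix
            p = index(line, "(")
            if (p == 0 || substr(line, 1, p - 1) != bin) next
            sym = substr(line, p + 1, index(line, ")") - p - 1)
            addr = line
            sub(/^.*\[/, "", addr); sub(/\].*$/, "", addr)
            print addr, sym
            seen = 1
        }'
}

# resolve BINARY: map each address to file:line using the -g debug info.
# Assumes the bracketed value is an address addr2line accepts for BINARY.
resolve() {
    while read -r addr sym; do
        if [ -r "$1" ] && command -v addr2line >/dev/null 2>&1; then
            printf '%s %s -> %s\n' "$addr" "$sym" "$(addr2line -e "$1" "$addr")"
        else
            printf '%s %s -> run: addr2line -e %s %s\n' "$addr" "$sym" "$1" "$addr"
        fi
    done
}

sample_trace | app_frames /tmp/a.out | resolve /tmp/a.out
```

For a real run, write the trace to a file with strace's -o option and pipe that file into app_frames, giving the path of your binary exactly as it appears in the trace.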
