Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Coincidental Symbolic Information

This is a Mac OS X / GDB counterpart to the Coincidental Symbolic Information pattern previously described for Windows platforms (Volume 1, page 390). The idea is the same: disassemble the address to see whether the preceding instruction is a call. If it is, then most likely the symbolic address is a return address from past Execution Residue (page 220):

(gdb) x $rsp
0x7fff6a162a38: 0x8fab9a9c
(gdb) x/1000a 0x7fff6a162000
[...]
0x7fff6a162960: 0x7fff6a162980 0x7fff6a167922
0x7fff6a162970: 0x0 0x0
0x7fff6a162980: 0x7fff6a162a50 0x7fff8a31e716 <dyld_stub_binder_+13>
0x7fff6a162990: 0x1 0x7fff6a162b00
0x7fff6a1629a0: 0x7fff6a162b10 0x7fff6a162bc0
0x7fff6a1629b0: 0x8 0x0
[...]
0x7fff6a162a00: 0x0 0x0
0x7fff6a162a10: ...
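
The check described above (is the instruction just before the address a call?) can also be done on raw bytes read from just before a candidate address. The following is an added example, not code from the book: it recognizes the x86-64 near call encodings (E8 rel32 and FF /2) ending exactly at a given offset. The function names and the sample byte strings are constructed for illustration.

```python
# Added example: byte-level check that a call instruction ends exactly at a
# candidate return address (x86-64). Sample bytes below are constructed.

def ff_call_len(code: bytes, i: int) -> int:
    """Length of an FF /2 indirect call starting at code[i], or 0 if not one."""
    if i < 0 or i + 1 >= len(code) or code[i] != 0xFF:
        return 0
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 2:                      # /2 selects the near indirect call
        return 0
    n = 2                             # opcode + ModRM
    if mod != 3 and rm == 4:          # SIB byte follows
        n += 1
        if mod == 0 and i + 2 < len(code) and (code[i + 2] & 7) == 5:
            n += 4                    # SIB without base register: disp32
    if mod == 0 and rm == 5:
        n += 4                        # RIP-relative disp32
    elif mod == 1:
        n += 1                        # disp8
    elif mod == 2:
        n += 4                        # disp32
    return n

def preceded_by_call(code: bytes, ret_off: int):
    """Name the call form ending at ret_off, or None if no call ends there."""
    if not 0 <= ret_off <= len(code):
        return None
    if ret_off >= 5 and code[ret_off - 5] == 0xE8:
        return "call rel32"
    # A REX prefix (e.g. 41 FF D0) sits before the FF opcode, so scanning
    # for FF at ret_off - n covers prefixed forms as well.
    for n in range(2, 8):
        if ff_call_len(code, ret_off - n) == n:
            return "call r/m64"
    return None

if __name__ == "__main__":
    samples = [                       # (constructed bytes, offset of candidate)
        ("4889e5e81000000090", 8),    # mov rbp,rsp; call rel32; nop
        ("ff1500100000", 6),          # call [rip+0x1000]
        ("41ff542408", 5),            # call [r12+8]
        ("4889e54883ec10", 7),        # mov rbp,rsp; sub rsp,0x10 (no call)
    ]
    for hexstr, off in samples:
        print(hexstr, "->", preceded_by_call(bytes.fromhex(hexstr), off))
```

A match here is a necessary condition only: the same byte values can occur inside a longer instruction, so disassembling in the debugger remains the confirmation.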
