Need Interpretation From Someone Please

bill-clayton
Advisor

Need Interpretation From Someone Please

I have recently been using tusc for several purposes and have a question. I have been doing some reverse engineering for several years, so I have seen a lot and know a lot about kernel functions, but I have never seen anything like the following read function:

read(3, "02\v010e0512@ \0\0\0\0\0\0\0\0\0" .., 128)

I normally see a read as read(fildes, buffer, bytes-to-read)

The above comes from the first read function of a typical "Hello World" C program. The file handle is for /usr/lib/dld.sl which is always the first file opened that I can see, and logically so. Can anyone tell me how to interpret:
"02\v010e0512@ \0\0\0...."

Is it referring to a disk read and includes some volume info? If so what is the e0512@?
bc
4 REPLIES
Dennis Handly
Acclaimed Contributor

Re: Need Interpretation From Someone Please

>but I have never seen anything like the following read function:

Why not? This is how all reads show up in tusc. It is providing you the binary data that was read.
xd -tx4 -tc -N 32 /usr/lib/dld.sl
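
The rendering described in the reply above, as an added example that is not part of the original thread: a tracer prints the bytes that read() returned as a C-style escaped string, so a binary file header shows up as a mix of escapes and stray printable characters. The escaping rules here follow common C string conventions and are an assumption, not tusc's documented behaviour; `trace_escape` and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Render len bytes the way a syscall tracer prints a read() buffer:
 * printable ASCII as-is, common control bytes as C escapes, the rest octal.
 * Returns characters written, or -1 if out is too small. */
int trace_escape(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0) return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];
        char tmp[5];                       /* longest form is "\377" + NUL */
        const char *named = NULL;
        switch (c) {
        case '\n': named = "\\n"; break;
        case '\t': named = "\\t"; break;
        case '\v': named = "\\v"; break;
        case '\r': named = "\\r"; break;
        case '"':  named = "\\\""; break;
        case '\\': named = "\\\\"; break;
        }
        if (named) {
            strcpy(tmp, named);
        } else if (c >= 0x20 && c < 0x7f) {
            tmp[0] = (char)c; tmp[1] = '\0';
        } else {
            /* Pad to 3 octal digits only if the next byte is an octal digit. */
            int pad = i + 1 < len && buf[i + 1] >= '0' && buf[i + 1] <= '7';
            snprintf(tmp, sizeof tmp, pad ? "\\%03o" : "\\%o", (unsigned)c);
        }
        size_t n = strlen(tmp);
        if (o + n + 1 > outsz) return -1;
        memcpy(out + o, tmp, n);
        o += n;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample bytes for illustration, not the contents of dld.sl. */
    static const unsigned char sample[] = { 2, 0x0b, 1, 0x0e, 'A', '@', ' ', 0, 0, '7', 0xff };
    char line[64];
    if (trace_escape(sample, sizeof sample, line, sizeof line) < 0) return 1;
    printf("read(3, \"%s\", %zu)\n", line, sizeof sample);
    return 0;
}
```

Comparing such a line against a hex dump of the same file offset confirms that the quoted string is file content rather than metadata about the read.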
Laurent Menase
Honored Contributor

Re: Need Interpretation From Someone Please

If you use the -E option, you will trace entering and returning from syscalls, so you will see the address on the first read entry.
ranganath ramachandra
Esteemed Contributor

Re: Need Interpretation From Someone Please

> Is it referring to a disk read and includes some volume info?

> The file handle is for /usr/lib/dld.sl

This is a regular file, so it is a disk read. This file does not contain "volume info".

If you want to "reverse engineer" further, how about opening the file in a binary editor?
Dennis Handly
Acclaimed Contributor

Re: Need Interpretation From Someone Please

>ranganath: how about opening the file in a binary editor?

No need, that's what the above xd(1) does.