Unix Power Tools

13.15. Finding Words Inside Binary Files

If you try to read binaries on your screen with cat -v (Section 12.4), you'll see a lot of nonprintable characters. Buried in there somewhere, though, are words and strings of characters that might make some sense. For example, if the code is copyrighted, you can usually find that information in the binary. The pathnames of special files read by the program will probably show up. If you're trying to figure out which program printed an error message, use strings on the binaries and look for the error. Some versions of strings do a better job of getting just the useful information; others may write a lot of junk, too. But what the heck? -- pipe the output to a pager (Section 12.3) or grep (Section 13.2), redirect it to a file, and ignore the stuff you don't want.

Here's a (shortened) example on FreeBSD:

% strings /usr/bin/write
/usr/libexec/ld-elf.so.1
FreeBSD
libc.so.4
strcpy
...
@(#) Copyright (c) 1989, 1993
        The Regents of the University of California.  All rights reserved.
$FreeBSD: src/usr.bin/write/write.c,v 1.12 1999/08/28 01:07:48 peter Exp $
can't find your tty
can't find your tty's name
you have write permission turned off
/dev/
%s is not logged in on %s
%s has messages disabled on %s
usage: write user [tty]
/var/run/utmp
utmp
%s is not logged in
%s has messages disabled
%s is logged in more than once; writing to %s
%s%s
Message from %s@%s on %s at %s ...

The eighth line ($FreeBSD: ... $) comes from RCS (Section 39.5) -- you can see the version number, the date the code was last modified or released, and so on. The %s is a special pattern that the printf(3) function will replace with values like the username, hostname, and time.

By default, strings doesn't search all of a binary file: it only reads the initialized and loaded sections. The - (dash) option tells strings to search all of the file. Another useful option is -n, where n is the minimum-length string to print. Setting a higher limit will cut the "noise," but you might also lose what you're looking for.

The od command's -sn option does a similar thing: it finds all null-terminated strings that are at least n characters long.
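As an added illustration (not code from the book), here is a small Python reimplementation of the scan that strings(1) performs, run over a constructed byte string that stands in for a binary. It shows why raising the minimum length with -n cuts the noise but can also drop a string you wanted, and sorts the hits into pathnames and printf-style format strings, the two kinds of entry the text suggests looking for first.

```python
"""Minimal reimplementation of the strings(1) scan described above."""
from typing import Dict, List


def find_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of printable ASCII bytes (plus tab) that is at
    least min_len characters long.  A run ends at any other byte, so NUL
    terminators, newlines and machine code all act as separators, which
    is the same rule strings(1) applies."""
    found: List[str] = []
    run = bytearray()
    for byte in data:
        if 0x20 <= byte <= 0x7E or byte == 0x09:
            run.append(byte)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run.clear()
    if len(run) >= min_len:          # a run that reaches end of file
        found.append(run.decode("ascii"))
    return found


def triage(data: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    """Group the strings the way the text suggests reading them: pathnames
    of files the program may open, printf-style format strings, and the
    rest (copyright notices, messages, library names)."""
    groups: Dict[str, List[str]] = {"paths": [], "formats": [], "other": []}
    for s in find_strings(data, min_len):
        if s.startswith("/"):
            groups["paths"].append(s)
        elif "%" in s:
            groups["formats"].append(s)
        else:
            groups["other"].append(s)
    return groups


# Constructed stand-in for a compiled binary (not a real file): an ELF
# magic number, a few opcode-like bytes, NUL-terminated C strings and
# some two-letter fragments that a low minimum length would print as noise.
SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"/var/run/utmp\x00"
    + b"\x8b\x45\xfc\x83\xc0\x01"
    + b"usage: write user [tty]\x00"
    + b"%s is not logged in on %s\x00"
    + b"\x48\x89\xe5ab\x00cd\x00"
    + b"can't find your tty\n"
)

if __name__ == "__main__":
    for n in (4, 20):            # the -n trade-off: less noise, lost hits
        print(f"min length {n}:", find_strings(SAMPLE, n))
    print(triage(SAMPLE))
```

With a minimum length of 20 the 19-character message "can't find your tty" disappears from the output, which is exactly the loss the paragraph above warns about.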

-- JP


Copyright © 2003 O'Reilly & Associates. All rights reserved.