Description
There are some cases in which this plugin is not able to find any strings, due to not being able to find any read-only segments in the binary. There may also be cases where we need to look at sections in the binary, rather than segments.
For example, the plugin currently fails to find any strings inside the x86_64 slice of the Mach-O sample 9ca914b1cfa8c0ba021b9e00bda71f36cad132f27cf16bda6d937badee66c747.
This sample has all of its constant string data in the __const section of the binary. The __const section only contains read-only data; however, the segment that it is inside, located from 0x100000000 to 0x10039c000 is read-executable.
This is because this segment contains a number of sections, some of which are code and some of which are data:
| Name | Start | End | Semantics |
|---|---|---|---|
__text |
0x100000fd0 | 0x1002b69d0 | Read-only code |
__stubs |
0x1002b69d0 | 0x1002b6ed4 | Read-only code |
__gcc_except_tab |
0x1002b6ed4 | 0x1002dcab8 | Default |
__const |
0x1002dcac0 | 0x10038e4b0 | Read-only data |
__unwind_info |
0x10038e4b0 | 0x10039beec | Default |
__eh_frame |
0x10039bef0 | 0x10039bfe8 | Default |
This binary actually also contains a read-only segment from 0x1003e8000 to 0x100598000 (the Mach-O __LINKEDIT segment, which contains metadata used by the dynamic linker dyld), but that segment contains no sections, and its contents are also not referenced from anywhere within any of the code inside the binary.