procexp core dump

Posted: Mon Aug 22, 2016 2:41 pm
by darkknight
So I had mentioned this in another thread, but running the core dump doesn't seem to produce the results you would expect. See screenshot below:
Screen Shot 2016-08-22 at 9.30.12 AM.png

Re: procexp core dump

Posted: Thu Aug 25, 2016 9:53 pm
by morpheus
err.. What am I seeing there? Is that hopper? Some other GUI? Please just show me a jtool -v -l?

The core dump works on any PID, and generates an MH_CORE file, which contains all segments which were previously mmap()ed at the time of the dump generation. When you generate the core, it should say that it was successful, as well as give a list of several segments which may not have been included.
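
An added example, not part of any post in this thread: one way to check the point above from the file itself, by reading the Mach-O header to confirm the filetype is MH_CORE and listing the memory regions carried as LC_SEGMENT_64 commands. The function names and the sample bytes are constructed for illustration, and the parser assumes a little-endian 64-bit file.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF
FILETYPES = {0x2: "MH_EXECUTE", 0x4: "MH_CORE", 0x6: "MH_DYLIB"}
LC_SEGMENT_64 = 0x19
HEADER = struct.Struct("<8I")            # mach_header_64
SEGMENT = struct.Struct("<2I16s4Q2i2I")  # segment_command_64


def summarize_macho(data):
    """Return (filetype name, [(vmaddr, vmsize, filesize), ...])."""
    if len(data) < HEADER.size:
        raise ValueError("too short for mach_header_64")
    magic, _cpu, _sub, filetype, ncmds, sizeofcmds, _flags, _rsv = HEADER.unpack_from(data)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O")
    end = HEADER.size + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    segments, off = [], HEADER.size
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_SEGMENT_64:
            if cmdsize < SEGMENT.size:
                raise ValueError("short LC_SEGMENT_64")
            f = SEGMENT.unpack_from(data, off)
            segments.append((f[3], f[4], f[6]))  # vmaddr, vmsize, filesize
        off += cmdsize
    return FILETYPES.get(filetype, hex(filetype)), segments


def build_sample_core():
    """Constructed sample: MH_CORE header plus two region commands, no contents."""
    regions = [(0x100000000, 0x4000, 0x4000), (0x16FD00000, 0x8000, 0)]
    cmds = b"".join(
        SEGMENT.pack(LC_SEGMENT_64, SEGMENT.size, b"", va, sz, 0, fsz, 3, 3, 0, 0)
        for va, sz, fsz in regions)
    # cputype 0x0100000C is CPU_TYPE_ARM64
    return HEADER.pack(MH_MAGIC_64, 0x0100000C, 0, 0x4, len(regions), len(cmds), 0, 0) + cmds


if __name__ == "__main__":
    kind, segs = summarize_macho(build_sample_core())
    print(kind, [(hex(va), hex(sz), hex(fsz)) for va, sz, fsz in segs])
```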

Re: procexp core dump

Posted: Sat Aug 27, 2016 1:52 pm
by darkknight
Administrator wrote: err.. What am I seeing there? Is that hopper? Some other GUI? Please just show me a jtool -v -l?

The core dump works on any PID, and generates an MH_CORE file, which contains all segments which were previously mmap()ed at the time of the dump generation. When you generate the core, it should say that it was successful, as well as give a list of several segments which may not have been included.

Oh ok then I must have misunderstood. Based on another thread I was expecting that the output would be similar to that of dumpdecrypted. That it would produce basically the same results is all....

Re: procexp core dump

Posted: Mon Sep 05, 2016 8:19 pm
by darkknight
Ok, so it is a valid core file as shown below. Like I said, I thought the result would have been similar to dumpdecrypted as discussed in another thread:

core dump.png
procexp1.png
procexp2.png