You can use the following commands to read arbitrary memory locations in your program:
machinecode_level_command
: examine_command
: search_command
: address_expression / [ count ] [ mode ]
| address_expression ? [ count ] [ mode ]
| address_expression , address_expression / [ mode ]
: address_expression / [ count ] search_mode value mask
| address_expression ? [ count ] search_mode value mask
| address_expression , address_expression / search_mode value mask
count
mode
: d Print a short word in decimal
| dd Print a 32-bit (4-byte) decimal display
| D Print a long word in decimal
| u Print a short word in unsigned decimal
| uu Print a 32-bit (4-byte) unsigned decimal display
| U Print a long word in unsigned decimal
| o Print a short word in octal
| oo Print a 32-bit (4-byte) octal display
| O Print a long word in octal
| x Print a short word in hexadecimal
| xx Print a 32-bit (4-byte) hexadecimal display
| X Print a long word in hexadecimal
| b Print a byte in hex
| c Print a byte as a character
| s Print a string of characters (a C-style string ending in null)
| C Print a wide character as a character
| S Print a null terminated string of wide characters
| f Print a single precision real number
| g Print a double precision real number
| L Print a long double precision real number
| i Disassemble machine instructions
: m 32-bit search mode
| M 64-bit search mode
The first examine_command displays the count number of memory values in the requested format, starting at address_expression. If count is not specified, 1 is assumed. The count value must be a positive value.
If you wish to see memory values leading up to the address_expression, use the second examine_command. The second examine_command displays count number of memory values in the requested format ending at the address_expression. If count is not specified, 1 is assumed. The count value must be a positive value.
The third examine_command displays memory values in the requested format starting at the smaller of the two address_expressions and ending at the larger address_expression.
You can display stored values in the following formats by specifying mode. If mode is not specified, the mode used in the previous / command is assumed. If no previous / command exists, X is assumed.
When disassembling machine instructions, use the $regstyle variable to customize how the registers are displayed.
The search_commands allow you to search memory. Use the address_expression and count to determine the range of memory to search. Use the search_mode to specify whether you want to search 32 or 64-bit chunks. The debugger will start at the specified starting address and read a chunk of memory (either 32 or 64 bits in size) and apply the mask and comparison on that chunk of memory. For example, if you want to search memory for a particular instruction or search an array of either integer or floating-point values, the 32-bit search would be efficient because machine instructions and integer and floating-point data types are 32 bits in length. Use the value to specify the memory value to seek. Use the mask to specify those bits that must match the same bits in the specified value. To ensure that a possible match will be found, the debugger applies the mask to the input value prior to starting the search, to remove any bits that could prevent a match from occurring. Then, for each memory location searched, the debugger applies the mask to the memory value and then compares it with this new input value. If a match is found, then the address and memory value are displayed.
For example, suppose the user wishes to check an array of 100 integers in memory to see if any values are NULL (0):
(idb) array,&(array[99])/m 0x0 0xfffffff
0x1400005d0: 0x00000000
Suppose the user wishes to search for the trapb instruction:
(idb) printi 0x63ff0000
trapb
(idb) main/1000m 0x63ff0000 0xfffffff
0x12561314: 0x63ff0000
Use the debugger variable $memorymatchall to cause the debugger to output all matches in the specified range. Suppose you want to search a long integer array of 100 values for the first value over 80, and then want to find all values in the array over 80:
(idb) printx 80
0x50
(idb) longarray/100M 0x50 0x50
0x140002680: 0x0000000000000050
(idb) set $memorymatchall
(idb) longarray/100M 0x50 0x50
0x140002680: 0x0000000000000050
0x140002688: 0x0000000000000051
0x140002690: 0x0000000000000052
0x140002698: 0x0000000000000053
0x1400026a0: 0x0000000000000054
0x1400026a8: 0x0000000000000055
0x1400026b0: 0x0000000000000056
0x1400026b8: 0x0000000000000057
0x1400026c0: 0x0000000000000058
0x1400026c8: 0x0000000000000059
0x1400026d0: 0x000000000000005a
0x1400026d8: 0x000000000000005b
0x1400026e0: 0x000000000000005c
0x1400026e8: 0x000000000000005d
0x1400026f0: 0x000000000000005e
0x1400026f8: 0x000000000000005f
(idb)