In ELF core file which section stores information on command invoked? - elf

$ hexdump -C <corefile>
000005a0 00 00 00 00 00 00 00 00 2e 2f 74 65 73 74 20 48 |........./test H|
000005b0 65 6c 6c 6f 20 57 6f 72 6c 64 20 00 00 00 00 00 |ello World .....|
The hexdump shows a string like "./test Hello World".
How do I read the invoked command string from an ELF core file?

The note section of the core file has 'prpsinfo' which has executable name & arguments info.
readelf --notes /b/syrajendra/core.test.25963.1518497907
Notes at offset 0x000003f8 with length 0x00000614:
Owner Data size Description
CORE 0x00000150 NT_PRSTATUS (prstatus structure)
CORE 0x00000088 NT_PRPSINFO (prpsinfo structure)
CORE 0x00000080 Unknown note type: (0x53494749)
CORE 0x00000130 NT_AUXV (auxiliary vector)
"prpsinfo" structure is defined in "/usr/include/linux/elfcore.h" file.
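The lookup described in this answer, as an added Python example that is not part of the original post: it walks the PT_NOTE segment of a core image and decodes the NT_PRPSINFO note. It assumes a little-endian ELF64 core with the x86-64 Linux prpsinfo layout (0x88 bytes, matching the readelf output above); `sample_core` builds a constructed minimal core so the block runs offline.

```python
import struct

PT_NOTE, NT_PRPSINFO = 4, 3
# Assumed layout: x86-64 Linux struct elf_prpsinfo (state/sname/zomb/nice, pad,
# flag, uid, gid, pid, ppid, pgrp, sid, pr_fname[16], pr_psargs[80]) = 0x88 bytes.
PRPSINFO64 = struct.Struct("<4s4xQII4i16s80s")

def align4(n):
    return (n + 3) & ~3

def prpsinfo_from_core(core: bytes):
    """Return (pr_fname, pr_psargs) from a little-endian ELF64 core, or None."""
    if core[:4] != b"\x7fELF" or core[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", core, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", core, 0x36)
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", core, e_phoff + i * e_phentsize)
        if p_type != PT_NOTE:
            continue
        pos, end = p_offset, min(p_offset + p_filesz, len(core))
        while pos + 12 <= end:                  # note header: namesz, descsz, type
            namesz, descsz, ntype = struct.unpack_from("<III", core, pos)
            owner = core[pos + 12:pos + 12 + namesz].rstrip(b"\0")
            desc = pos + 12 + align4(namesz)
            if (owner, ntype, descsz) == (b"CORE", NT_PRPSINFO, PRPSINFO64.size):
                fields = PRPSINFO64.unpack_from(core, desc)
                # pr_psargs is a fixed 80-byte buffer, so long command lines are cut off.
                return tuple(f.split(b"\0")[0].decode(errors="replace")
                             for f in fields[-2:])
            pos = desc + align4(descsz)
    return None

def sample_core() -> bytes:
    """Constructed minimal core: ELF header, one PT_NOTE, one prpsinfo note."""
    desc = PRPSINFO64.pack(b"R\0\0\0", 0, 1000, 1000, 25963, 1, 25963, 1,
                           b"test", b"./test Hello World ")
    note = struct.pack("<III", 5, len(desc), NT_PRPSINFO) + b"CORE\0\0\0\0" + desc
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 4, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_NOTE, 0, len(ehdr) + 56, 0, 0, len(note), 0, 4)
    return ehdr + phdr + note

if __name__ == "__main__":
    print(prpsinfo_from_core(sample_core()))
```

Because the arguments are stored verbatim in the core, any secret passed on the command line ends up in the dump as well.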


SQL Server Replication issue (Error converting data type nvarchar to numeric)

We are getting the error message below in the synchronization history while synchronizing the subscription.
Error messages:
Error converting data type nvarchar to numeric. (Source: MSSQLServer, Error number: 8114)
Get help: http://help/8114
To find the exact issue, we checked the Windows SQL Server event log and found the following:
System
- Provider
[ Name] MSSQL$VERB1
- EventID 14151
[ Qualifiers] 49152
Level 2
Task 2
Keywords 0x80000000000000
- TimeCreated
[ SystemTime] 2016-05-06T06:14:28.000000000Z
EventRecordID 554838
Channel Application
Computer xxx-01
- Security
[ UserID] S-1-5-21-2320706869-2720452709-2089460225-500
- EventData
Replication Merge Subsystem
xxxxDB-yyyyDB
Error converting data type nvarchar to numeric.
Also, we increased the output verbose level (-OutputVerboseLevel 2),
but we did not get anything in the log.
We are using
Microsoft SQL Server 2008 R2 (SP3) (X64).
We are now unable to understand this SQL Server event log, so please
help me out if you have any suggestions.
Thanks & Regards,
Rama

Finding Macintosh file's attributes

I will illustrate a use case of my issue.
I have here two files which happen to be the Finder 7.5.5 and Finder 8.1 from legacy Mac OS versions.
If I use Cmd + I I get the following information:
Version:
7.5.5, © Apple Computer, Inc. 1983-96
System 7.5 Version 7.5.3
and
Version:
8.1, Copyright Apple Computer, Inc. 1983-97
Mac OS 8.1
I want to extract this information programmatically. However, I am not even sure where it is being held.
In a small Objective-C project (Foundation) I did the following for the 7.5 file:
NSString * finder7 = [[NSString alloc] initWithString:@"/Users/me/Desktop/Finder7"];
NSFileManager * fileManager = [NSFileManager defaultManager];
NSError * error = nil;
NSDictionary * attr = [fileManager attributesOfItemAtPath:finder7 error:&error];
NSLog(@"%@", attr);
This is the output:
2013-09-25 10:53:30.224 GetAttributes[1164:903] {
NSFileCreationDate = "1996-01-15 12:00:00 +0000";
NSFileExtensionHidden = 0;
NSFileGroupOwnerAccountID = 20;
NSFileGroupOwnerAccountName = staff;
NSFileHFSCreatorCode = 1296122707;
NSFileHFSTypeCode = 1179534418;
NSFileModificationDate = "1996-01-15 12:00:00 +0000";
NSFileOwnerAccountID = 501;
NSFileOwnerAccountName = me;
NSFilePosixPermissions = 493;
NSFileReferenceCount = 1;
NSFileSize = 0;
NSFileSystemFileNumber = 4384377;
NSFileSystemNumber = 234881026;
NSFileType = NSFileTypeRegular;
}
As you can see, there is no reference to version or copyright. I can't open the "app's content" because legacy applications obviously don't have it.
So I figured it could be an extended attribute, so I got the console and did this:
$ ls -l@
-rwxr-xr-x@ 1 me staff 0 15 Jan 1996 Finder7
com.apple.FinderInfo 32
com.apple.ResourceFork 503994
-rwxr-xr-x@ 1 me staff 3631000 16 Dec 1997 Finder8
com.apple.FinderInfo 32
com.apple.ResourceFork 502012
com.apple.metadata:kMDItemFinderComment 42
Then I found these entries in each of them:
$ xattr -l com.apple.FinderInfo Finder7
(...)
00077AE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00077AF0 00 00 32 07 55 80 00 00 00 05 37 2E 35 2E 35 25 |..2.U.....7.5.5%|
00077B00 37 2E 35 2E 35 2C 20 A9 20 41 70 70 6C 65 20 43 |7.5.5, . Apple C|
00077B10 6F 6D 70 75 74 65 72 2C 20 49 6E 63 2E 20 31 39 |omputer, Inc. 19|
00077B20 38 33 2D 39 36 00 00 00 2B 00 00 00 00 00 00 00 |83-96...+.......|
(...)
$ xattr -l com.apple.FinderInfo Finder8
(...)
00077330 06 46 69 6E 64 65 72 00 00 00 00 00 00 36 08 10 |.Finder......6..|
00077340 80 00 00 00 03 38 2E 31 2B 38 2E 31 2C 20 43 6F |.....8.1+8.1, Co|
00077350 70 79 72 69 67 68 74 20 41 70 70 6C 65 20 43 6F |pyright Apple Co|
00077360 6D 70 75 74 65 72 2C 20 49 6E 63 2E 20 31 39 38 |mputer, Inc. 198|
00077370 33 2D 39 37 00 00 00 26 01 08 10 80 00 06 46 69 |3-97...&......Fi|
00077380 6E 64 65 72 00 00 00 00 00 00 00 00 00 00 00 00 |nder............|
(...)
I never really used extended attributes, especially in development. So here I need some light. I see the version numbers are in different positions. How can I get this information straight like the OS X Finder does? I spent several minutes doing it manually and it is still not clear to me how the version is stored. Is there another place I can find this information, or am I going in the right direction?
Are there Objective-C or C solutions that will do this so I don't need to reinvent the wheel?
I appreciate the help!
I also tried checking rsrc. Found an easter egg just before the version number.
The information is stored in the extended attribute com.apple.ResourceFork. You can use a tool like DeRez to decompile the information.
If you want to programmatically access the resource fork, there is the Resource Manager API, but pretty much everything there is deprecated for 10.8. The resource type for version information is the 'vers' resource.
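How the 'vers' resource named in this answer is laid out, as an added Python example that is not part of the original posts: it decodes the BCD version bytes, release stage, region code and the two Pascal strings. The two sample records are the payload bytes visible in the question's hex dumps; locating the resource inside the fork (via the resource map) is assumed to be done already.

```python
import struct

STAGES = {0x20: "development", 0x40: "alpha", 0x60: "beta", 0x80: "release"}

# 'vers' payloads copied from the two hex dumps in the question.
FINDER7_VERS = bytes.fromhex(
    "07 55 80 00 00 00 05 37 2E 35 2E 35 25"
    "37 2E 35 2E 35 2C 20 A9 20 41 70 70 6C 65 20 43"
    "6F 6D 70 75 74 65 72 2C 20 49 6E 63 2E 20 31 39"
    "38 33 2D 39 36")
FINDER8_VERS = bytes.fromhex(
    "08 10 80 00 00 00 03 38 2E 31 2B 38 2E 31 2C 20 43 6F"
    "70 79 72 69 67 68 74 20 41 70 70 6C 65 20 43 6F"
    "6D 70 75 74 65 72 2C 20 49 6E 63 2E 20 31 39 38"
    "33 2D 39 37")

def parse_vers(rec: bytes) -> dict:
    """Decode one classic Mac OS 'vers' resource payload."""
    if len(rec) < 8:
        raise ValueError("'vers' record too short")
    major, minor_bug, stage, prerelease, region = struct.unpack_from(">BBBBH", rec, 0)

    def pstring(pos):
        # Pascal string: one length byte, then that many MacRoman bytes.
        if pos >= len(rec) or pos + 1 + rec[pos] > len(rec):
            raise ValueError("Pascal string runs past end of record")
        end = pos + 1 + rec[pos]
        return rec[pos + 1:end].decode("mac_roman"), end

    short, pos = pstring(6)
    long_, _ = pstring(pos)
    return {
        # major is two BCD digits; minor and bug-fix share one byte as nibbles
        "version": ((major >> 4) * 10 + (major & 0xF), minor_bug >> 4, minor_bug & 0xF),
        "stage": STAGES.get(stage, hex(stage)),
        "prerelease": prerelease,
        "region": region,
        "short": short,
        "long": long_,
    }

if __name__ == "__main__":
    for rec in (FINDER7_VERS, FINDER8_VERS):
        print(parse_vers(rec))
```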

What are the parts ECDSA entry in the 'known_hosts' file?

I'm trying to extract an ECDSA public key from my known_hosts file that ssh uses to verify a host. I have one below as an example.
This is the entry for "127.0.0.1 ecdsa-sha2-nistp256" in my known_hosts file:
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF3QCzKPRluwunLRHaFVEZNGCPD/rT13yFjKiCesA1qoU3rEp9syhnJgTbaJgK70OjoT71fDGkwwcnCZuJQPFfo=
I ran it through a Base64 decoder to get this:
���ecdsa-sha2-nistp256���nistp256���A]2F[rUF=wXʈ'ZSzħ2r`M::WL0rp
So I'm assuming those question marks are some kind of separator (no, those are lengths). I figured that nistp256 is the elliptical curve used, but what exactly is that last value?
From what I've been reading, the public key for ECDSA has a pair of values, x and y, which represent a point on the curve. Is there some way to extract x and y from there?
I'm trying to convert it into a Java public key object, but I need x and y in order to do so.
Not all of the characters are shown since they are binary. Write the Base64-decoded value to a file and open it in a hex editor.
The public key for a P256 curve should be a 65-byte array, starting from the byte with value 4 (which means a non-compressed point). The next 32 bytes would be the x value, and the next 32 the y value.
Here is the result in hexadecimal:
Signature algorithm:
00 00 00 13
65 63 64 73 61 2d 73 68 61 32 2d 6e 69 73 74 70 32 35 36
(ecdsa-sha2-nistp256)
Name of domain parameters:
00 00 00 08
6e 69 73 74 70 32 35 36
(nistp256)
Public key value:
00 00 00 41
04
5d d0 0b 32 8f 46 5b b0 ba 72 d1 1d a1 55 11 93 46 08 f0 ff ad 3d 77 c8 58 ca 88 27 ac 03 5a a8
53 7a c4 a7 db 32 86 72 60 4d b6 89 80 ae f4 3a 3a 13 ef 57 c3 1a 4c 30 72 70 99 b8 94 0f 15 fa
So you first have the name of the digital signature algorithm to use, then the name of the curve and then the public component of the key, represented by an uncompressed EC point. Uncompressed points start with 04, then the X coordinate (same size as the key size) and then the Y coordinate.
As you can see, all field values are preceded by four bytes indicating the size of the field. All values and fields are using big-endian notation.
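The field layout described in the answers above, as an added Python example that is not part of the original posts: it splits the blob into its big-endian length-prefixed fields, rejects truncated or unexpected input, and returns x and y as integers. The SHA256 fingerprint is included so the result can be compared with the output of `ssh-keygen -lf known_hosts`; the function names are this example's own.

```python
import base64, hashlib, struct

# Key blob from the question (the base64 field of the known_hosts line).
BLOB_B64 = ("AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBF3QCzKPRluwunLR"
            "HaFVEZNGCPD/rT13yFjKiCesA1qoU3rEp9syhnJgTbaJgK70OjoT71fDGkwwcnCZuJQPFfo=")

def read_fields(blob: bytes) -> list:
    """Split an SSH wire-format blob into its uint32-length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if n > len(blob) - pos:
            raise ValueError("field length runs past end of blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def parse_ecdsa_p256(b64: str) -> dict:
    """Return x, y (ints) and the SHA256 fingerprint of an ecdsa-sha2-nistp256 key."""
    blob = base64.b64decode(b64, validate=True)
    fields = read_fields(blob)
    if len(fields) != 3:
        raise ValueError("expected algorithm, curve and point fields")
    alg, curve, point = fields
    if alg != b"ecdsa-sha2-nistp256" or curve != b"nistp256":
        raise ValueError("not an ecdsa-sha2-nistp256 key")
    if len(point) != 65 or point[0] != 0x04:
        raise ValueError("expected a 65-byte uncompressed point (leading 0x04)")
    digest = hashlib.sha256(blob).digest()
    return {
        "x": int.from_bytes(point[1:33], "big"),
        "y": int.from_bytes(point[33:65], "big"),
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
    }

if __name__ == "__main__":
    key = parse_ecdsa_p256(BLOB_B64)
    print("x = %064x\ny = %064x\n%s" % (key["x"], key["y"], key["fingerprint"]))
```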

How can I reconstitute a text file saved in a browser cache, gzipped?

I just lost a couple of days of work to a crashing editor. My file is now an empty file, and the last backup I have is from 4 days ago.
I have the CSS file saved in my Chromium's cache, but it looks like this:
http://myserver.example.com/style.css
HTTP/1.1 200 OK
Date: Mon, 04 Jul 2011 05:18:25 GMT
Last-Modified: Mon, 04 Jul 2011 01:10:47 GMT
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 7588
Content-Type: text/css
00000000: 5e 01 00 00 02 08 00 00 be 45 ba c7 cd 05 2e 00 ^........E......
00000010: 25 68 d9 c7 cd 05 2e 00 1d 01 00 00 48 54 54 50 %h..........HTTP
00000020: 2f 31 2e 31 20 32 30 30 20 4f 4b 00 44 61 74 65 /1.1 200 OK.Date
00000030: 3a 20 4d 6f 6e 2c 20 30 34 20 4a 75 6c 20 32 30 : Mon, 04 Jul 20
00000040: 31 31 20 30 35 3a 31 38 3a 32 35 20 47 4d 54 00 11 05:18:25 GMT.
(etc)
00000000: 1f 8b 08 00 00 00 00 00 00 03 cd 3d fd 8f db b6 ...........=....
00000010: 92 3f d7 7f 05 2f 8b 22 ed c2 f2 87 fc b1 6b 2f .?.../."......k/
00000020: 1a a0 09 5e 1e f0 5e 7b 57 34 c5 dd 0f 87 83 21 ...^..^{W4.....!
00000030: db f2 5a 89 6c f9 49 72 36 5b 63 ff f7 e3 b7 86 ..Z.l.Ir6[c.....
00000040: e4 50 1f 9b 4d ef 52 34 b1 65 71 66 38 1c ce 0c .P..M.R4.eqf8...
00000050: 87 c3 e1 f0 9a fc e3 9c 1e c9 3f e2 94 fc b1 8f ..........?.....
The entire file seems to be there, and I can get the text.
I'd like to get back the plain CSS file somehow. I tried extracting the data, but gzip says it isn't gzip format. But it doesn't seem to be gzip encoded (it's not binary, after all...). Is it base64 or something? I've had a hard time finding any info on this.
Try finding the gzip header by extracting the hex data into an editor and searching for the header as per gzip specification. You should be able to do this by finding the end of the response body and selecting the previous 7588 bytes (you have this info in the response headers: Content-Length: 7588) - this should be the first character of the header.
Depending on the flags set in the header, gzip'd files may be ASCII or binary. You can determine if data are base64 encoded as base64 scheme encodings terminate with the = character. You can decode base64 online.
Alternatively you could try a tool such as ChromeCacheViewer.
The file looks gzip. It has the 1f8b header. Chrome stores the cached files as files, you just need to find them. Google for "location of chrome cache" and find it for your platform.
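The recovery suggested in these answers, as an added Python example that is not part of the original posts: it rebuilds the raw bytes from a saved cache page made of "offset: hex bytes ascii" rows, finds the `1f 8b 08` gzip header and inflates the member. It assumes single-space-separated hex bytes, at most 16 per row, as in the question; the CSS and headers in the sample are constructed.

```python
import gzip, re, zlib

GZIP_MAGIC = b"\x1f\x8b\x08"      # ID1, ID2, CM=deflate (RFC 1952)
ROW = re.compile(r"^[0-9a-f]{8}:((?: [0-9a-f]{2}(?=\s|$)){1,16})", re.I)

def unhexdump(text: str) -> bytes:
    """Rebuild bytes from 'offset: hex bytes  ascii' rows; other lines are skipped."""
    out = bytearray()
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def carve_gzip(blob: bytes, max_out: int = 16 * 1024 * 1024) -> bytes:
    """Return the decompressed content of the first intact gzip member in blob."""
    pos = blob.find(GZIP_MAGIC)
    while pos != -1:
        d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)   # 16+ means gzip wrapper
        try:
            out = d.decompress(blob[pos:], max_out)   # max_out caps the inflated size
            if d.eof:                                 # trailer CRC32/ISIZE checked
                return out
        except zlib.error:
            pass                                      # false positive, keep looking
        pos = blob.find(GZIP_MAGIC, pos + 1)
    raise ValueError("no intact gzip member found")

def hexdump(data: bytes) -> str:
    """Render bytes in the same row format (used only to build the sample)."""
    rows = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append("%08x: %s  %s" % (i, " ".join("%02x" % b for b in chunk), text))
    return "\n".join(rows)

# Constructed sample: cached response headers followed by a gzip-encoded body.
CSS = b"body { margin: 0 }\n" * 40
HEADERS = b"HTTP/1.1 200 OK\0Content-Encoding: gzip\0"
SAMPLE_PAGE = ("http://myserver.example.com/style.css\n"
               + hexdump(HEADERS) + "\n" + hexdump(gzip.compress(CSS)))

if __name__ == "__main__":
    print(carve_gzip(unhexdump(SAMPLE_PAGE)).decode())
```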

Can't Register assembly in GAC for .NET4, Server 2008 R2

I have a strong-named assembly containing Model classes that can be shared among several applications (WCF Services in IIS) hosted on the same machine.
Instead of each service having their own copy of this DLL in Bin folder, I want to add it to GAC.
I am using a gacutil.exe for .NET4: Microsoft (R) .NET Global Assembly Cache Utility. Version 4.0.30319.1 Copyright (c) Microsoft Corporation. All rights reserved.
The DLL is registered in GAC, but ends up in C:\Windows\Assembly (GAC 2.0) - not in C:\Windows\Microsoft.NET\Assembly (GAC 4).
When I register the DLL in GAC and remove it from Bin folder, my applications fail with:
Could not load file or assembly 'MyCompany.Enterprise.BOM' or one of its dependencies. The system cannot find the file specified. at System.Reflection.RuntimeAssembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, RuntimeAssembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection, Boolean suppressSecurityChecks)...
Note: Server 2008 R2 is 64-bit, assembly is built for MSIL, .NET 4.0.
I am using gacutil.exe which comes with Windows SDK v7.1 and is in NETFX 4.0 Tools folder.
What can I be missing? I can't think of any alternatives so any ideas are welcome.
EDIT (Manifest):
// Metadata version: v2.0.50727
.assembly extern mscorlib
{
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
.ver 2:0:0:0
}
.assembly extern System.Runtime.Serialization
{
.publickeytoken = (B7 7A 5C 56 19 34 E0 89 ) // .z\V.4..
.ver 3:0:0:0
}
.assembly HCS.Enterprise.BOM
{
.custom instance void [mscorlib]System.Runtime.InteropServices.GuidAttribute::.ctor(string) = ( 01 00 24 63 31 34 64 39 31 65 32 2D 30 35 31 65 // ..$c14d91e2-051e
2D 34 66 65 31 2D 38 62 37 30 2D 61 36 36 33 66 // -4fe1-8b70-a663f
39 61 37 62 34 33 35 00 00 ) // 9a7b435..
.custom instance void [mscorlib]System.Reflection.AssemblyKeyFileAttribute::.ctor(string) = ( 01 00 20 43 3A 5C 48 43 53 2E 45 6E 74 65 72 70 // .. C:\HCS.Enterp
72 69 73 65 5C 4B 65 79 5C 48 43 53 4B 65 79 2E // rise\Key\HCSKey.
73 6E 6B 00 00 ) // snk..
// --- The following custom attribute is added automatically, do not uncomment -------
// .custom instance void [mscorlib]System.Diagnostics.DebuggableAttribute::.ctor(valuetype [mscorlib]System.Diagnostics.DebuggableAttribute/DebuggingModes) = ( 01 00 02 00 00 00 00 00 )
.custom instance void [mscorlib]System.Runtime.CompilerServices.CompilationRelaxationsAttribute::.ctor(int32) = ( 01 00 08 00 00 00 00 00 )
.custom instance void [mscorlib]System.Runtime.CompilerServices.RuntimeCompatibilityAttribute::.ctor() = ( 01 00 01 00 54 02 16 57 72 61 70 4E 6F 6E 45 78 // ....T..WrapNonEx
63 65 70 74 69 6F 6E 54 68 72 6F 77 73 01 ) // ceptionThrows.
.custom instance void [mscorlib]System.Reflection.AssemblyFileVersionAttribute::.ctor(string) = ( 01 00 07 31 2E 30 2E 30 2E 30 00 00 ) // ...1.0.0.0..
.custom instance void [mscorlib]System.Reflection.AssemblyTitleAttribute::.ctor(string) = ( 01 00 12 48 43 53 2E 45 6E 74 65 72 70 72 69 73 // ...HCS.Enterpris
65 2E 42 4F 4D 00 00 ) // e.BOM..
.custom instance void [mscorlib]System.Reflection.AssemblyDescriptionAttribute::.ctor(string) = ( 01 00 00 00 00 )
.custom instance void [mscorlib]System.Reflection.AssemblyConfigurationAttribute::.ctor(string) = ( 01 00 00 00 00 )
.custom instance void [mscorlib]System.Reflection.AssemblyCompanyAttribute::.ctor(string) = ( 01 00 0E 48 6F 72 69 7A 6F 6E 2D 42 43 42 53 4E // ...HN
4A 00 00 ) // J..
.custom instance void [mscorlib]System.Reflection.AssemblyProductAttribute::.ctor(string) = ( 01 00 12 48 43 53 2E 45 6E 74 65 72 70 72 69 73 // ...HCS.Enterpris
65 2E 42 4F 4D 00 00 ) // e.BOM..
.custom instance void [mscorlib]System.Reflection.AssemblyCopyrightAttribute::.ctor(string) = ( 01 00 20 43 6F 70 79 72 69 67 68 74 20 C2 A9 20 // .. Copyright ..
48 6F 72 69 7A 6F 6E 2D 42 43 42 53 4E 4A 20 32 // H2
30 31 30 00 00 ) // 010..
.custom instance void [mscorlib]System.Reflection.AssemblyTrademarkAttribute::.ctor(string) = ( 01 00 00 00 00 )
.custom instance void [mscorlib]System.Runtime.InteropServices.ComVisibleAttribute::.ctor(bool) = ( 01 00 00 00 00 )
.publickey = (00 24 00 00 04 80 00 00 94 00 00 00 06 02 00 00 // .$..............
00 24 00 00 52 53 41 31 00 04 00 00 01 00 01 00 // .$..RSA1........
3B 65 DD 3B C7 49 A7 F4 C9 50 BE 27 F9 62 B6 54 // ;e.;.I...P.'.b.T
D1 26 7B DC 5B EF C1 02 59 E8 77 D4 3D F5 2F 50 // .&{.[...Y.w.=./P
94 22 AC C3 B7 07 71 A4 99 D4 FF 10 ED 05 6D 70 // ."....q.......mp
9A 9D 99 DC 33 1F 8A 3F A5 77 2E C5 5F 9D 35 15 // ....3..?.w.._.5.
BA 54 47 47 C2 8B 13 8C 57 57 C6 1E F5 AB 7B D5 // .TGG....WW....{.
B8 87 DD 4A F3 69 01 B2 6B C8 88 99 04 09 19 FC // ...J.i..k.......
5E 51 7E 2A B9 B5 03 80 C9 A3 EA ED EF B8 EC BF // ^Q~*............
EB 97 30 EC D9 E4 36 7C 0F 64 B7 27 9D 29 0D C5 ) // ..0...6|.d.'.)..
.hash algorithm 0x00008004
.ver 1:0:0:0
}
.module HCS.Enterprise.BOM.dll
// MVID: {D4D8B566-6B0D-4F8D-ABD4-C3A1339B4F84}
.imagebase 0x00400000
.file alignment 0x00000200
.stackreserve 0x00100000
.subsystem 0x0003 // WINDOWS_CUI
.corflags 0x00000009 // ILONLY
// Image base: 0x031B0000
As can be seen from the manifest, the Dll is a runtime 2.0 version, so even the gacutil of 4.0 will place it in the 2.0 GAC.
The manifest is created at compile time, so there must be something wrong with your project and/or compilation settings.
I assume you use Visual Studio, so check out the project's (not the solution's) settings in the Application tab.