I want to reverse-engineer a Qt crackme written for Linux. I would like to follow where the entered text goes. I have found this gdb macro to print QStrings (Qt5). To test it, I wrote a simple hello-world application containing:
QString str("almafa");
qDebug() << str;
This prints the QString as expected.
(gdb) printqs5static str
(Qt5 QString)0xffffdf50 length=6: "almafa"
After this, I tried to inspect QStrings where no variable names are present.
The compiled code looks like this (in radare2):
| 0x00400ab7 488d45b0 leaq -0x50(%rbp), %rax
| 0x00400abb 488d55c0 leaq -0x40(%rbp), %rdx
| 0x00400abf 4889d6 movq %rdx, %rsi
| 0x00400ac2 4889c7 movq %rax, %rdi
| 0x00400ac5 e816feffff callq sym.QMessageLogger::debug
| 0x00400aca 488d55a0 leaq -0x60(%rbp), %rdx
| 0x00400ace 488d45b0 leaq -0x50(%rbp), %rax
| 0x00400ad2 4889d6 movq %rdx, %rsi
| 0x00400ad5 4889c7 movq %rax, %rdi
| 0x00400ad8 e863020000 callq sym.QDebug::operator__
I do not have experience debugging Qt applications, but from the above code snippet I expected that at 0x400ad8 either rsi or rdi would be the QString. Unfortunately, printqs5static $rsi is not working. i r $rsi gives 0x7ffffffdf50, the address from the printqs5static str result.
The question is: how do I inspect QStrings when only memory addresses are available?
Edit: The web page I am referring to is down at the moment, but a cached version is here.
GDB pretty printers are also able to print QStrings if symbolic names are available. I still do not know how to work without them.
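As an added example (this is not the asker's code and not the linked macro): a Qt5 QString object is nothing more than a single pointer `d` to a QArrayData header, so no typed variable is needed to print one, only its address. The header holds `size` (number of UTF-16 code units) at byte offset 4 and `offset` (byte distance from `d` to the character data) at byte offset 16 on x86-64, so the text is at `d + offset` and is `size * 2` bytes long. The script below decodes a QString from a raw address with that layout. It assumes x86-64 little-endian and Qt5's QArrayData; when run outside gdb it uses a small constructed memory image standing in for the inferior (the addresses 0x603000 and 0x7fffffffdf50 and the string "almafa" in it are made up for the demo), and when sourced inside gdb it registers a `printqs5` command that reads the live inferior instead. In the listing above, the call at 0x400ad8 is the member function QDebug::operator<<(const QString&), so under the x86-64 calling convention rdi carries the QDebug `this` pointer and rsi the address of the QString; `printqs5 $rsi` is the one to run at that breakpoint.

```python
"""Decode a Qt5 QString from raw memory, with or without debug symbols.

Qt5 QString = one pointer `d` to this header, followed by UTF-16 data:

    struct QArrayData {         // byte offset on x86-64
        int      ref;           //  0
        int      size;          //  4   number of QChars (UTF-16 units)
        uint     alloc:31;      //  8
        uint     capacityReserved:1;
        qptrdiff offset;        // 16   byte offset from `d` to the QChars
    };                          // 24 bytes; inline data normally follows

Text lives at  d + offset  and spans  size * 2  bytes.
"""
import struct

try:
    import gdb          # present only when running inside GDB's Python
except ImportError:
    gdb = None

POINTER_SIZE = 8        # assumption: x86-64, little-endian target


def decode_qstring(read, qstring_addr):
    """Decode the Qt5 QString object stored at `qstring_addr`.

    `read(addr, n)` must return n bytes of target memory; injecting it lets
    the same decoder run on an offline byte image or a live GDB inferior.
    Returns (d_pointer, size, text).
    """
    d, = struct.unpack("<Q", read(qstring_addr, POINTER_SIZE))
    if d == 0:
        raise ValueError("QString d-pointer is NULL")
    ref, size, alloc_bits = struct.unpack("<iiI", read(d, 12))
    offset, = struct.unpack("<q", read(d + 16, 8))
    # Sanity checks so a wrong address fails loudly instead of printing junk:
    # ref is -1 for static (QStringLiteral) data, otherwise >= 0.
    if ref < -1 or size < 0 or size > (1 << 28) or offset <= 0:
        raise ValueError("no QArrayData at 0x%x: ref=%d size=%d offset=%d"
                         % (d, ref, size, offset))
    raw = read(d + offset, size * 2)
    return d, size, raw.decode("utf-16-le")


# ---- constructed stand-in for inferior memory (demo only, not the crackme) ----
STACK_ADDR = 0x7FFFFFFFDF50    # hypothetical location of the QString object
HEAP_ADDR = 0x603000           # hypothetical location of its QArrayData


class FakeMemory:
    """A few byte segments keyed by base address, readable like an inferior."""

    def __init__(self):
        self.segments = {}

    def write(self, addr, data):
        self.segments[addr] = bytes(data)

    def read(self, addr, n):
        for base, blob in self.segments.items():
            if base <= addr and addr + n <= base + len(blob):
                return blob[addr - base:addr - base + n]
        raise ValueError("unmapped read of %d bytes at 0x%x" % (n, addr))


def build_image(text="almafa"):
    """Lay out a QArrayData holding `text` plus a QString pointing at it."""
    units = text.encode("utf-16-le")
    n = len(units) // 2
    # ref=1, size=n, alloc=n+1 (capacityReserved bit clear), 4 pad bytes,
    # offset=24 so the QChars start right after the header.
    header = struct.pack("<iiIxxxxq", 1, n, n + 1, 24)
    mem = FakeMemory()
    mem.write(HEAP_ADDR, header + units + b"\x00\x00")   # NUL-terminated
    mem.write(STACK_ADDR, struct.pack("<Q", HEAP_ADDR))  # the QString's `d`
    return mem


def demo():
    """Decode the constructed QString; returns (d, size, text)."""
    return decode_qstring(build_image().read, STACK_ADDR)


if gdb is not None:
    class PrintQString5(gdb.Command):
        """printqs5 EXPR -- decode the Qt5 QString at address EXPR ($rsi, 0x..., $rbp-0x60)."""

        def __init__(self):
            super().__init__("printqs5", gdb.COMMAND_DATA)

        def invoke(self, arg, from_tty):
            addr = int(gdb.parse_and_eval(arg))
            inferior = gdb.selected_inferior()
            read = lambda a, n: bytes(inferior.read_memory(a, n))
            d, size, text = decode_qstring(read, addr)
            print("(Qt5 QString)0x%x d=0x%x length=%d: %r" % (addr, d, size, text))

    PrintQString5()

if __name__ == "__main__":
    d, size, text = demo()
    print("(Qt5 QString)0x%x d=0x%x length=%d: %r" % (STACK_ADDR, d, size, text))
```

Usage in gdb: `source printqs5.py`, break at 0x400ad8, then `printqs5 $rsi` (or `printqs5 $rbp-0x60`, since the listing loads the string's address with `leaq -0x60(%rbp), %rdx` before moving it to rsi). The command takes any gdb expression that evaluates to an address, which is why it works where a macro that expects a typed `QString` variable does not. For a 32-bit target, POINTER_SIZE, the `<Q` unpack and the header offsets would need adjusting, since `offset` is then a 4-byte qptrdiff at byte 12.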