Cryptoshark caches data (at least on Mac), so that if you restart Cryptoshark, already scanned functions/injected code are stored. This is a nice feature, but in the case a patched binary should be traced again, Cryptoshark still displays old data - and the GUI has no "Clear cache" button or information where cached data are stored so that they can be deleted manually.
I tried:
- deletion of /Users/user/Library/Caches/Cryptoshark/qmlcache/*.qmlc files, but after restart of Cryptoshark the files got restored magically again
- analyzing Cryptoshark access to files (Activity Monitor => View => Inspect Process => Open files)
Nothing useful found
- searching for a line from an instrumentation:
grep -iR "corefoundation_1bb450" * 2>/dev/null
brought at last:
Binary file /Users/user/Desktop/AppName.db3 matches
So in order to get rid of all Cryptoshark cached data on Mac just use:
rm /Users/user/Desktop/*.db3
or search for *.db3 on Windows/Linux.
REQUIREMENT
Please introduce a "Clear cache" button or add information in the GUI where the SQLite DB3 files are stored.
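
The search described in this report, as an added example that is not part of the original post or of Cryptoshark: it lists only `*.db3` files that really are SQLite databases and that contain a given marker string, so stale trace databases can be reviewed before anything is deleted. The function names `is_sqlite` and `find_trace_dbs` are hypothetical, and the directory to search is supplied by the caller.

```shell
#!/bin/sh
# Added example (not Cryptoshark code): find SQLite *.db3 files that
# contain a marker string, e.g. a function name shown in the GUI.

is_sqlite() {
    # Every SQLite database starts with the 16-byte header
    # "SQLite format 3\0"; compare the 15 printable bytes.
    [ "$(head -c 15 "$1" 2>/dev/null)" = "SQLite format 3" ]
}

find_trace_dbs() {
    # $1 = directory to search (assumption: chosen by the caller)
    # $2 = marker string, matched case-insensitively as a fixed string
    find "$1" -type f -name '*.db3' 2>/dev/null | while IFS= read -r f; do
        is_sqlite "$f" || continue
        # -a treats the binary database as text, -F disables regex parsing
        if grep -qiaF -- "$2" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Stand-alone use: ./find_trace_dbs.sh <directory> <marker>
if [ "$#" -ge 2 ]; then
    find_trace_dbs "$1" "$2"
fi
```

The output is a list of candidate files only; removing them stays a separate, manual step.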