From a5a6601a453e9e5c3676c9fcb64aac4930fc941b Mon Sep 17 00:00:00 2001 From: Mari Wahl Date: Tue, 7 Oct 2014 18:59:28 -0400 Subject: [PATCH] some small fixes --- Reverse_Engineering/GDB_NOTES.txt | 212 ++++++++++++++++++++++++++++++ Reverse_Engineering/README.md | 27 ++++ Reverse_Engineering/README.md~ | 3 - 3 files changed, 239 insertions(+), 3 deletions(-) create mode 100644 Reverse_Engineering/GDB_NOTES.txt delete mode 100644 Reverse_Engineering/README.md~ diff --git a/Reverse_Engineering/GDB_NOTES.txt b/Reverse_Engineering/GDB_NOTES.txt new file mode 100644 index 0000000..55d0c14 --- /dev/null +++ b/Reverse_Engineering/GDB_NOTES.txt @@ -0,0 +1,212 @@ +Starting: + gdb + gdb + gdb -h (lists command line options) + +Exiting: + q + Ctrl-d + Note: Ctrl-C does not exit from gdb, but halts the current + gdb command + +General commands + + r (start your program) + k (stop the program) + +Breakpoints + + b main (set a breakpoint at the entry to function main) + b *0x08048b26 (set a breakpoint at the specified address) + b *(main+30) (set a breakpoint at the specified address) + disable 2 (disable breakpoint 2) + enable 2 (enable breakpoint 2) + clear main (clear any breakpoints at the entry to main) + delete 2 (deletes breakpoint 2) + delete (deletes all breakpoints) + +Working at breakpoints + + si (execute one machine code instruction) + si 2 (execute 2 instructions) + s (execute one C statement; only works if debugging info present) + ni (like si, but skip over subroutine calls) + ni 2 (like si, but skip over subroutine calls) + n (like s, but skip over subroutine calls) + until *0x08048b26 (continue running until specified address) + until *(main+30) (continue running until specified address) + c (resume execution) + c 2 (continue, ignoring this breakpoint 2 times) + finish (run until the current function returns) + +Examining code + + bt (print the current address and stack backtrace) + p/a $pc (print the program counter) + p/a $eip (print the program counter) + p/a $sp (print the stack pointer) + p/a $esp (print the stack pointer) + p/a $ebp (print the base pointer) + disas (display the function around the current line) + disas main (display the function around the address) + disas 0x080489b3 (display the function around the address) + disas 0x080489b3 0x080489c3 (display the code between the addresses) + +Examining data + + i r (print info about all registers) + i f (print info about the current frame) + p $eax (print the contents of %eax) + p/x $eax (print the contents of %eax as hex) + p/a $eax (print the contents of %eax as an address) + p/d $eax (print the contents of %eax as decimal) + p/f $eax (print the contents of %eax as floating point) + p/t $eax (print the contents of %eax as binary) + p/c $eax (print the contents of %eax as a character) + + p 0x100 (print decimal repr. of hex value) + p/x 555 (print hex repr. of decimal value) + + x ADDR (print the contents of ADDR in memory) + x/NFU ADDR (print the contents at ADDR in memory: + N = number of units to display + F = display format (x, a, d, f, t, c, s, i) + U = unit size -- b, h, w, or g -- 1, 2, 4 or 8 bytes + + p $ebp // print the value of %ebp + x/a $ebp+8 // print first argument to function as address + x/f $ebp+12 // print second argument to function as float + x/3d $ebp+8 // print first three arguments to function as decimal + x/4i $eip // show next four instructions pointed to by $eip + + p *(int*)$ebp (contents of *(%ebp) as int) + p *(float*)$eax (contents of *(%eax) as float) + x/d $eax (contents of *(%eax) as int) + x/f $eax (contents of *(%eax) as float) + p/d *(int*)($ebp+8) (first arg of current function as int) + p/d *(*(int*)($ebp)+12) (second arg of prior function as int) + p/d *(*(*(int*)($ebp))+8) (first arg of second prior function as int) + x/d $ebp+8 (first arg of current function as int) + x/d *(int*)($ebp)+12 (second arg of prior function as int) + x/d *(*(int*)($ebp))+8 (first arg of second prior function as int) + x/s *(int*)($ebp+8) (first arg of current function as string pointer) + x/s *(*(int*)($ebp)+12) (second arg of prior function as string pointer) + x/s *(*(*(int*)($ebp))+8) (first arg of second prior function as string pointer) + +Autodisplaying information + + display $eax (print contents of %eax every time the + program stops) + display (print the auto-displayed items) + delete display (stop displaying item NUM) + +Useful information commands + + help info + info program (current status of the program) + info functions (functions in program) + info stack (backtrace of the stack) + info frame (information about the current stack frame) + info scope (variables local to the scope) + info variables (global and static variables) + info registers (registers and their contents) + info breakpoints (status of user-settable breakpoints) + info address SYMBOL (use for looking up addresses of functions) + +Running gdb in emacs + + M-x gdb + C-h m to see the features of GDB mode + +------------------------------------------------------------------------ + +http://dirac.org/linux/gdb/04-Breakpoints_And_Watchpoints.php + +Syntax of display and watch are like that for print. If you can +print, then you can display or watch. Note that gdb may refuse to +watch registers before the program is running, so set the watchpoints +after you break. Here is an example of setting a watchpoint in a +loop, first to watch every change to the loop variable, and then to +check a particular value. + +olive x> gdb a.out +... +(gdb) disas main +... +0x08048385 : movl $0x0,-0x8(%ebp) +0x0804838c : jmp 0x8048392 +0x0804838e : addl $0x1,-0x8(%ebp) +0x08048392 : cmpl $0x31,-0x8(%ebp) +0x08048396 : jle 0x804838e +... +(gdb) b *0x08048385 +(gdb) r +Starting program: /home/jriely/class/373/x/a.out +... +(gdb) watch *((int*)($ebp-0x8)) +Watchpoint 2: *(int *) ($ebp - 8) +(gdb) c +Continuing. +Watchpoint 2: *(int *) ($ebp - 8) + +Old value = -1208435264 +New value = 0 +... +(gdb) c +Continuing. +Watchpoint 2: *(int *) ($ebp - 8) + +Old value = 0 +New value = 1 +... +(gdb) c +Continuing. +Watchpoint 2: *(int *) ($ebp - 8) + +Old value = 1 +New value = 2 +... + +(gdb) disable 2 +(gdb) watch *((int*)($ebp-0x8)) == 42 +Watchpoint 3: *(int *) ($ebp - 8) == 42 +(gdb) c +Continuing. +Watchpoint 3: *(int *) ($ebp - 8) == 42 + +Old value = 0 +New value = 1 +... +(gdb) p *(int *) ($ebp - 8) +$1 = 42 + +-------------------------------------------------------------------- + +When gdb is watching registers, it will watch those registers in all +code, which may not be what you want. + +You can also condition a breakpoint, so that a particular breakpoint +will interrupt only if certain values are in place when the breakpoint +is reached. + +Here is an example of breakpointing a loop that contains a function +call (in this code, if you simply try to watch $ebx, then the code for +printf will also trigger the breakpoint): + +(gdb) disas +... +0x080483c0 : mov %ebx,0x4(%esp) +0x080483c4 : add $0x1,%ebx +0x080483c7 : movl $0x80484b0,(%esp) +0x080483ce : call 0x80482d8 +0x080483d3 : cmp $0x32,%ebx +0x080483d6 : jne 0x80483c0 +... +(gdb) b *0x080483d3 +Breakpoint 3 at 0x80483d3 +(gdb) condition 3 $ebx==42 +(gdb) c +... +Breakpoint 3, 0x080483d3 in main () +(gdb) p $ebx +$1 = 42 diff --git a/Reverse_Engineering/README.md b/Reverse_Engineering/README.md index 38f9f97..944799e 100644 --- a/Reverse_Engineering/README.md +++ b/Reverse_Engineering/README.md @@ -12,6 +12,20 @@ $ gcc -ggdb -o .c ``` +Starting with some commands: +``` +$ gdb -x +``` + +For example: +``` +$ cat command.txt +``` +set disassembly-flavor intel +disas main +``` + + #### objdump Display information from object files: @@ -23,3 +37,16 @@ fully linked executable $ objdump -d ``` +#### hexdump & xxd + +For canonical hex & ASCII view: +``` +$hexdump -C +``` + +#### xxd +Make a hexdump or do the reverse: +``` +xxd hello > hello.dump +xxd -r hello.dump > hello +``` diff --git a/Reverse_Engineering/README.md~ b/Reverse_Engineering/README.md~ deleted file mode 100644 index bace4f4..0000000 --- a/Reverse_Engineering/README.md~ +++ /dev/null @@ -1,3 +0,0 @@ -# Tools - -[Reverse Engineering, the Book]: http://beginners.re/