Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-04-27 11:09:09 -04:00
Code Issues Packages Projects Releases Wiki Activity

some small fixes

Browse Source
This commit is contained in:
Mari Wahl 2014-10-07 18:59:28 -04:00
parent 117958bd9c
commit a5a6601a45
3 changed files with 239 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

212
Reverse_Engineering/GDB_NOTES.txt Normal file
View File

@ -0,0 +1,212 @@
Starting:
gdb
gdb <file>
gdb -h (lists command line options)
Exiting:
q
Ctrl-d
Note: Ctrl-C does not exit from gdb, but halts the current
gdb command
General commands
r (start your program)
k (stop the program)
Breakpoints
b main (set a breakpoint at the entry to function main)
b *0x08048b26 (set a breakpoint at the specified address)
b *(main+30) (set a breakpoint at the specified address)
disable 2 (disable breakpoint 2)
enable 2 (enable breakpoint 2)
clear main (clear any breakpoints at the entry to main)
delete 2 (deletes breakpoint 2)
delete (deletes all breakpoints)
Working at breakpoints
si (execute one machine code instruction)
si 2 (execute 2 instructions)
s (execute one C statement; only works if debugging info present)
ni (like si, but skip over subroutine calls)
ni 2 (like si, but skip over subroutine calls)
n (like s, but skip over subroutine calls)
until *0x08048b26 (continue running until specified address)
until *(main+30) (continue running until specified address)
c (resume execution)
c 2 (continue, ignoring this breakpoint 2 times)
finish (run until the current function returns)
Examining code
bt (print the current address and stack backtrace)
p/a $pc (print the program counter)
p/a $eip (print the program counter)
p/a $sp (print the stack pointer)
p/a $esp (print the stack pointer)
p/a $ebp (print the base pointer)
disas (display the function around the current line)
disas main (display the function around the address)
disas 0x080489b3 (display the function around the address)
disas 0x080489b3 0x080489c3 (display the code between the addresses)
Examining data
i r (print info about all registers)
i f (print info about the current frame)
p $eax (print the contents of %eax)
p/x $eax (print the contents of %eax as hex)
p/a $eax (print the contents of %eax as an address)
p/d $eax (print the contents of %eax as decimal)
p/f $eax (print the contents of %eax as floating point)
p/t $eax (print the contents of %eax as binary)
p/c $eax (print the contents of %eax as a character)
p 0x100 (print decimal repr. of hex value)
p/x 555 (print hex repr. of decimal value)
x ADDR (print the contents of ADDR in memory)
x/NFU ADDR (print the contents at ADDR in memory:
N = number of units to display
F = display format (x, a, d, f, t, c, s, i)
U = unit size -- b, h, w, or g -- 1, 2, 4 or 8 bytes
p $ebp // print the value of %ebp
x/a $ebp+8 // print first argument to function as address
x/f $ebp+12 // print second argument to function as float
x/3d $ebp+8 // print first three arguments to function as decimal
x/4i $eip // show next four instructions pointed to by $eip
p *(int*)$ebp (contents of *(%ebp) as int)
p *(float*)$eax (contents of *(%eax) as float)
x/d $eax (contents of *(%eax) as int)
x/f $eax (contents of *(%eax) as float)
p/d *(int*)($ebp+8) (first arg of current function as int)
p/d *(*(int*)($ebp)+12) (second arg of prior function as int)
p/d *(*(*(int*)($ebp))+8) (first arg of second prior function as int)
x/d $ebp+8 (first arg of current function as int)
x/d *(int*)($ebp)+12 (second arg of prior function as int)
x/d *(*(int*)($ebp))+8 (first arg of second prior function as int)
x/s *(int*)($ebp+8) (first arg of current function as string pointer)
x/s *(*(int*)($ebp)+12) (second arg of prior function as string pointer)
x/s *(*(*(int*)($ebp))+8) (first arg of second prior function as string pointer)
Autodisplaying information
display $eax (print contents of %eax every time the
program stops)
display (print the auto-displayed items)
delete display <NUM> (stop displaying item NUM)
Useful information commands
help info
info program (current status of the program)
info functions (functions in program)
info stack (backtrace of the stack)
info frame (information about the current stack frame)
info scope (variables local to the scope)
info variables (global and static variables)
info registers (registers and their contents)
info breakpoints (status of user-settable breakpoints)
info address SYMBOL (use for looking up addresses of functions)
Running gdb in emacs
M-x gdb
C-h m to see the features of GDB mode
------------------------------------------------------------------------
http://dirac.org/linux/gdb/04-Breakpoints_And_Watchpoints.php
Syntax of display and watch are like that for print. If you can
print, then you can display or watch. Note that gdb may refuse to
watch registers before the program is running, so set the watchpoints
after you break. Here is an example of setting a watchpoint in a
loop, first to watch every change to the loop variable, and then to
check a particular value.
olive x> gdb a.out
...
(gdb) disas main
...
0x08048385 <main+17>: movl $0x0,-0x8(%ebp)
0x0804838c <main+24>: jmp 0x8048392 <main+30>
0x0804838e <main+26>: addl $0x1,-0x8(%ebp)
0x08048392 <main+30>: cmpl $0x31,-0x8(%ebp)
0x08048396 <main+34>: jle 0x804838e <main+26>
...
(gdb) b *0x08048385
(gdb) r
Starting program: /home/jriely/class/373/x/a.out
...
(gdb) watch *((int*)($ebp-0x8))
Watchpoint 2: *(int *) ($ebp - 8)
(gdb) c
Continuing.
Watchpoint 2: *(int *) ($ebp - 8)
Old value = -1208435264
New value = 0
...
(gdb) c
Continuing.
Watchpoint 2: *(int *) ($ebp - 8)
Old value = 0
New value = 1
...
(gdb) c
Continuing.
Watchpoint 2: *(int *) ($ebp - 8)
Old value = 1
New value = 2
...
(gdb) disable 2
(gdb) watch *((int*)($ebp-0x8)) == 42
Watchpoint 3: *(int *) ($ebp - 8) == 42
(gdb) c
Continuing.
Watchpoint 3: *(int *) ($ebp - 8) == 42
Old value = 0
New value = 1
...
(gdb) p *(int *) ($ebp - 8)
$1 = 42
--------------------------------------------------------------------
When gdb is watching registers, it will watch those registers in all
code, which may not be what you want.
You can also condition a breakpoint, so that a particular breakpoint
will interrupt only if certain values are in place when the breakpoint
is reached.
Here is an example of breakpointing a loop that contains a function
call (in this code, if you simply try to watch $ebx, then the code for
printf will also trigger the breakpoint):
(gdb) disas
...
0x080483c0 <main+64>: mov %ebx,0x4(%esp)
0x080483c4 <main+68>: add $0x1,%ebx
0x080483c7 <main+71>: movl $0x80484b0,(%esp)
0x080483ce <main+78>: call 0x80482d8 <printf@plt>
0x080483d3 <main+83>: cmp $0x32,%ebx
0x080483d6 <main+86>: jne 0x80483c0 <main+64>
...
(gdb) b *0x080483d3
Breakpoint 3 at 0x80483d3
(gdb) condition 3 $ebx==42
(gdb) c
...
Breakpoint 3, 0x080483d3 in main ()
(gdb) p $ebx
$1 = 42

27
Reverse_Engineering/README.md
View File

@ -12,6 +12,20 @@ $ gcc -ggdb -o <filename> <filename>.c
``` ```
Starting with some commands:
```
$ gdb <program name> -x <command file>
```
For example:
```
$ cat command.txt
```
set disassembly-flavor intel
disas main
```
#### objdump #### objdump
Display information from object files: Display information from object files:
@ -23,3 +37,16 @@ fully linked executable
$ objdump -d <bin> $ objdump -d <bin>
``` ```
#### hexdump & xxd
For canonical hex & ASCII view:
```
$hexdump -C
```
#### xxd
Make a hexdump or do the reverse:
```
xxd hello > hello.dump
xxd -r hello.dump > hello
```

3
Reverse_Engineering/README.md~
View File

@ -1,3 +0,0 @@
# Tools
[Reverse Engineering, the Book]: http://beginners.re/