some small fixes

Reverse_Engineering/GDB_NOTES.txt

@@ -0,0 +1,212 @@
+Starting:
+  gdb
+  gdb <file>
+  gdb -h   (lists command line options)
+
+Exiting:
+  q
+  Ctrl-d
+  Note: Ctrl-C does not exit from gdb, but halts the current
+   gdb command
+
+General commands
+
+  r   (start your program)
+  k   (stop the program)
+
+Breakpoints
+
+  b main         (set a breakpoint at the entry to function main)
+  b *0x08048b26  (set a breakpoint at the specified address)
+  b *(main+30)   (set a breakpoint at the specified address)
+  disable 2      (disable breakpoint 2)
+  enable 2       (enable breakpoint 2)
+  clear main     (clear any breakpoints at the entry to main)
+  delete 2       (deletes breakpoint 2)
+  delete         (deletes all breakpoints)
+
+Working at breakpoints
+
+  si                 (execute one machine code instruction)
+  si 2               (execute 2 instructions)
+  s                  (execute one C statement; only works if debugging info present)
+  ni                 (like si, but skip over subroutine calls)
+  ni 2               (like si, but skip over subroutine calls)
+  n                  (like s, but skip over subroutine calls)
+  until *0x08048b26  (continue running until specified address)
+  until *(main+30)   (continue running until specified address)
+  c                  (resume execution)
+  c 2                (continue, ignoring this breakpoint 2 times)
+  finish             (run until the current function returns)
+
+Examining code
+
+  bt       (print the current address and stack backtrace)
+  p/a $pc  (print the program counter)
+  p/a $eip (print the program counter)
+  p/a $sp  (print the stack pointer)
+  p/a $esp (print the stack pointer)
+  p/a $ebp (print the base pointer)
+  disas                        (display the function around the current line)
+  disas main                   (display the function around the address)
+  disas 0x080489b3             (display the function around the address)
+  disas 0x080489b3 0x080489c3  (display the code between the addresses)
+
+Examining data
+
+  i r      (print info about all registers)
+  i f      (print info about the current frame)
+  p $eax   (print the contents of %eax)
+  p/x $eax (print the contents of %eax as hex)
+  p/a $eax (print the contents of %eax as an address)
+  p/d $eax (print the contents of %eax as decimal)
+  p/f $eax (print the contents of %eax as floating point)
+  p/t $eax (print the contents of %eax as binary)
+  p/c $eax (print the contents of %eax as a character)
+ 
+  p 0x100 (print decimal repr. of hex value)
+  p/x 555 (print hex repr. of decimal value)
+ 
+  x ADDR  (print the contents of ADDR in memory)
+  x/NFU ADDR (print the contents at ADDR in memory:
+     N = number of units to display
+     F = display format (x, a, d, f, t, c, s, i)
+     U = unit size -- b, h, w, or g -- 1, 2, 4 or 8 bytes
+ 
+  p $ebp        // print the value of %ebp
+  x/a $ebp+8    // print first argument to function as address
+  x/f $ebp+12   // print second argument to function as float
+  x/3d $ebp+8   // print first three arguments to function as decimal
+  x/4i $eip     // show next four instructions pointed to by $eip
+
+  p *(int*)$ebp   (contents of *(%ebp) as int)
+  p *(float*)$eax (contents of *(%eax) as float)
+  x/d $eax        (contents of *(%eax) as int)
+  x/f $eax        (contents of *(%eax) as float)
+  p/d *(int*)($ebp+8)        (first arg of current function as int)
+  p/d *(*(int*)($ebp)+12)    (second arg of prior function as int)
+  p/d *(*(*(int*)($ebp))+8)  (first arg of second prior function as int)
+  x/d $ebp+8                 (first arg of current function as int)     
+  x/d *(int*)($ebp)+12       (second arg of prior function as int)       
+  x/d *(*(int*)($ebp))+8     (first arg of second prior function as int)
+  x/s *(int*)($ebp+8)        (first arg of current function as string pointer)     
+  x/s *(*(int*)($ebp)+12)    (second arg of prior function as string pointer)       
+  x/s *(*(*(int*)($ebp))+8)  (first arg of second prior function as string pointer)
+
+Autodisplaying information
+
+  display $eax (print contents of %eax every time the
+    program stops)
+  display  (print the auto-displayed items)
+  delete display <NUM> (stop displaying item NUM)
+ 
+Useful information commands
+
+  help info
+  info program (current status of the program)
+  info functions (functions in program)
+  info stack      (backtrace of the stack)
+  info frame (information about the current stack frame)
+  info scope  (variables local to the scope)
+  info variables (global and static variables)
+  info registers  (registers and their contents)
+  info breakpoints (status of user-settable breakpoints)
+  info address SYMBOL (use for looking up addresses of functions)
+
+Running gdb in emacs
+
+  M-x gdb
+  C-h m to see the features of GDB mode
+
+------------------------------------------------------------------------
+
+http://dirac.org/linux/gdb/04-Breakpoints_And_Watchpoints.php
+
+Syntax of display and watch are like that for print.  If you can
+print, then you can display or watch.  Note that gdb may refuse to
+watch registers before the program is running, so set the watchpoints
+after you break.  Here is an example of setting a watchpoint in a
+loop, first to watch every change to the loop variable, and then to
+check a particular value.
+
+olive x> gdb a.out
+...
+(gdb) disas main
+...
+0x08048385 <main+17>:   movl   $0x0,-0x8(%ebp)
+0x0804838c <main+24>:   jmp    0x8048392 <main+30>
+0x0804838e <main+26>:   addl   $0x1,-0x8(%ebp)
+0x08048392 <main+30>:   cmpl   $0x31,-0x8(%ebp)
+0x08048396 <main+34>:   jle    0x804838e <main+26>
+...
+(gdb) b *0x08048385
+(gdb) r
+Starting program: /home/jriely/class/373/x/a.out
+...
+(gdb) watch *((int*)($ebp-0x8))
+Watchpoint 2: *(int *) ($ebp - 8)
+(gdb) c
+Continuing.
+Watchpoint 2: *(int *) ($ebp - 8)
+
+Old value = -1208435264
+New value = 0
+...
+(gdb) c
+Continuing.
+Watchpoint 2: *(int *) ($ebp - 8)
+
+Old value = 0
+New value = 1
+...
+(gdb) c
+Continuing.
+Watchpoint 2: *(int *) ($ebp - 8)
+
+Old value = 1
+New value = 2
+...
+
+(gdb) disable 2
+(gdb) watch *((int*)($ebp-0x8)) == 42
+Watchpoint 3: *(int *) ($ebp - 8) == 42
+(gdb) c
+Continuing.
+Watchpoint 3: *(int *) ($ebp - 8) == 42
+
+Old value = 0
+New value = 1
+...
+(gdb) p *(int *) ($ebp - 8)
+$1 = 42
+
+--------------------------------------------------------------------
+
+When gdb is watching registers, it will watch those registers in all
+code, which may not be what you want.
+
+You can also condition a breakpoint, so that a particular breakpoint
+will interrupt only if certain values are in place when the breakpoint
+is reached.
+
+Here is an example of breakpointing a loop that contains a function
+call (in this code, if you simply try to watch $ebx, then the code for
+printf will also trigger the breakpoint):
+
+(gdb) disas
+...
+0x080483c0 <main+64>:   mov    %ebx,0x4(%esp)
+0x080483c4 <main+68>:   add    $0x1,%ebx
+0x080483c7 <main+71>:   movl   $0x80484b0,(%esp)
+0x080483ce <main+78>:   call   0x80482d8 <printf@plt>
+0x080483d3 <main+83>:   cmp    $0x32,%ebx
+0x080483d6 <main+86>:   jne    0x80483c0 <main+64>
+...
+(gdb) b *0x080483d3
+Breakpoint 3 at 0x80483d3
+(gdb) condition 3 $ebx==42
+(gdb) c
+...
+Breakpoint 3, 0x080483d3 in main ()
+(gdb) p $ebx
+$1 = 42

Reverse_Engineering/README.md

@@ -12,6 +12,20 @@ $ gcc -ggdb -o <filename> <filename>.c
 
 ```
 
+Starting with some commands:
+```
+$ gdb <program name> -x <command file>
+```
+
+For example:
+```
+$ cat command.txt
+```
+set disassembly-flavor intel
+disas main
+```
+
+
 #### objdump 
 
 Display information from object files:
@@ -23,3 +37,16 @@ fully linked executable
 $ objdump -d  <bin>
 ```
 
+#### hexdump & xxd
+
+For canonical hex & ASCII view:
+```
+$hexdump -C 
+```
+
+#### xxd 
+Make a hexdump or do the reverse:
+```
+xxd hello > hello.dump
+xxd -r hello.dump > hello
+```

Reverse_Engineering/README.md~

@@ -1,3 +0,0 @@
-# Tools
-
-[Reverse Engineering, the Book]: http://beginners.re/