Skip to content

Instantly share code, notes, and snippets.

@erd0s

erd0s/gdb.md

Last active December 28, 2019 16:59
Show Gist options
  • Save erd0s/4cbbe3c7393881ee5cbd17b9a8322c42 to your computer and use it in GitHub Desktop.
Save erd0s/4cbbe3c7393881ee5cbd17b9a8322c42 to your computer and use it in GitHub Desktop.
Download ZIP
GDB/ASM Notes
Raw
gdb.md

CONTINUE FROM 0x271 Memory Segments in C

Commands

  • run
  • break <func name>, always works, break 5 only works if you've compiled with debug symbols (you can do this with gcc -g blah.c.
  • list Show source code if build with debug info.
  • disassemble main Show asm for the main function.
  • x Examine memory, should be x/[number of units to display]<format>[unit size] <mem addr>
    • <format> can be x (hex), o (octal), u (unsigned int), i (instruction), s (string, here we don't need to worry about size, it will just show until it meets a \0)
    • <mem addr> can be 0x8048384, or $rip or $rip+8 or some_var if there's a variable called that and we compiled with debug info.
    • [unit size] can be b (byte), h (halfword, 2 bytes), w (word, 4 bytes), g (giant, 8 bytes).
┌────────── I want to eXamine some memory
x/8xh $eip
  │││   └── The memory pointed to by the EIP register
  ││└────── I want you to show me halfbytes (2 bytes)
  │└─────── I want them to be formatted as hex
  └──────── Show me 8 of those halfbytes
  • step Keep going until the next line in the source code
  • next Basically step over
  • stepi (or si) Step machine instruction
  • nexti (or ni) Step-over machine instruction (if it's a call)
  • info regsiters rsp (i r rsp) Show some info about a register
  • bt Backtrace of function calls

Notes

  • When you see DWORD it means "double word", but it also means 4 bytes... everywhere else a word is 4 bytes. So a word and a DWORD are effectively the same thing.
  • You can always do break main even if you haven't got symbols attached to the binary
  • peda massively enhances usage of gdb (https://github.com/longld/peda)
  • Configuration for gdb goes into ~/.gdbinit
  • Commands are always `operation ,
  • When we do break main and then actually stop there, we stop at the start of the function after the function prologue. (notice that the RIP will be <main+8> or something like that.
  • If you do print $rip-4 that will show you the address but also save it in a variable called $1. Later you can do things like x/i $1.

Registers

General purpose registers, mostly used for holding variables.

  • RAX Accumulator
  • RCX Counter
  • RDX Data
  • RBX Base

General purpose, but also known as pointers

  • RSP Stack pointer - stores a location in memory
  • RBP Base pointer - stores a location in memory

General purpose, but also known as indexes. General point to the source and destination when data needs to be read/written.

  • RSI Source index
  • RDI Destination index

Special

  • RIP Instruction pointer - points to the instruction that's currently being read.
  • EFLAGS Bitflags that serve various purposes, used for comparisons and stuff.

Memory Segmentation

  • text Code, read only, changing it crashes the process, fixed size since nothing in it ever changes.
  • data Initialised global and static vars, writable, fixed size.
  • bss Uninitialised global and static vars, writable, fixed size.
  • heap Anything defined with malloc, grows downwards in size
  • stack Local function vars & context during function calls. Remembers where the EIP should return to after a func call. Each function call has a stack frame.

Stack Frame

  • EBP References local function variables for the stack frame (also called FP frame pointer, or LB local base pointer)
  • SFP Saved frame pointer, used to restore EBP to its previous value.
  • Return address, where EIP should go after a RET.

x86 ASM

  • LEA Load effective address, lea eax,[ebp-4] will put the address referred to at ebp-4 into eax.

TODO Later (Once I've Finished The Book)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment