GDB/ASM Notes

gdb.md

CONTINUE FROM 0x271 Memory Segments in C

Commands

• run
• break <func name>, always works, break 5 only works if you've compiled with debug symbols (you can do this with gcc -g blah.c.
• list Show source code if build with debug info.
• disassemble main Show asm for the main function.
• x Examine memory, should be x/[number of units to display]<format>[unit size] <mem addr>
  • <format> can be x (hex), o (octal), u (unsigned int), i (instruction), s (string, here we don't need to worry about size, it will just show until it meets a \0)
  • <mem addr> can be 0x8048384, or $rip or $rip+8 or some_var if there's a variable called that and we compiled with debug info.
  • [unit size] can be b (byte), h (halfword, 2 bytes), w (word, 4 bytes), g (giant, 8 bytes).

┌────────── I want to eXamine some memory
x/8xh $eip
  │││   └── The memory pointed to by the EIP register
  ││└────── I want you to show me halfbytes (2 bytes)
  │└─────── I want them to be formatted as hex
  └──────── Show me 8 of those halfbytes

• step Keep going until the next line in the source code
• next Basically step over
• stepi (or si) Step machine instruction
• nexti (or ni) Step-over machine instruction (if it's a call)
• info regsiters rsp (i r rsp) Show some info about a register
• bt Backtrace of function calls

Notes

• When you see DWORD it means "double word", but it also means 4 bytes... everywhere else a word is 4 bytes. So a word and a DWORD are effectively the same thing.
• You can always do break main even if you haven't got symbols attached to the binary
• peda massively enhances usage of gdb (https://github.com/longld/peda)
• Configuration for gdb goes into ~/.gdbinit
• Commands are always `operation ,
• When we do break main and then actually stop there, we stop at the start of the function after the function prologue. (notice that the RIP will be <main+8> or something like that.
• If you do print $rip-4 that will show you the address but also save it in a variable called $1. Later you can do things like x/i $1.

Registers

General purpose registers, mostly used for holding variables.

• RAX Accumulator
• RCX Counter
• RDX Data
• RBX Base

General purpose, but also known as pointers

• RSP Stack pointer - stores a location in memory
• RBP Base pointer - stores a location in memory

General purpose, but also known as indexes. General point to the source and destination when data needs to be read/written.

• RSI Source index
• RDI Destination index

Special

• RIP Instruction pointer - points to the instruction that's currently being read.
• EFLAGS Bitflags that serve various purposes, used for comparisons and stuff.

Memory Segmentation

• text Code, read only, changing it crashes the process, fixed size since nothing in it ever changes.
• data Initialised global and static vars, writable, fixed size.
• bss Uninitialised global and static vars, writable, fixed size.
• heap Anything defined with malloc, grows downwards in size
• stack Local function vars & context during function calls. Remembers where the EIP should return to after a func call. Each function call has a stack frame.

Stack Frame

• EBP References local function variables for the stack frame (also called FP frame pointer, or LB local base pointer)
• SFP Saved frame pointer, used to restore EBP to its previous value.
• Return address, where EIP should go after a RET.

x86 ASM

• LEA Load effective address, lea eax,[ebp-4] will put the address referred to at ebp-4 into eax.

TODO Later (Once I've Finished The Book)

• Check out https://github.com/pwndbg/pwndbg and https://github.com/hugsy/gef