Debugger. Reverse engineering.
See example from NorthSec 2020 – CTF-101 Workshop
Plugin gef.
Usage
Debug program
gdb <program name>
Set program arguments
Setting arguments after the program is started will not take effect until the program is restarted.
set args value1 value2 value3 ...
set args 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A'
Run the program
run
When the program crashes, find out which function called the one that crashed (prints the call stack):
backtrace
Examine a specific address (example below)
x <address>
x 0xffbef014
Breakpoints
break <function name>
run
break main
run
Execute one line at a time
step
To step again, just press Enter: Enter repeats the last command.
“step” descends into any function that is called. If you do not want that, use “next” instead of “step” to step over the call.
Print address of system()
print system
$1 = {<text variable, no debug info>} 0xf7e0d000 <system>
Show register values
Value for one register (eip):
info registers eip
eip 0x62413762 0x62413762
All registers:
info registers
eax 0x64 100
ecx 0x0 0
edx 0x0 0
ebx 0xffffd140 -11968
esp 0xffffd110 0xffffd110
ebp 0x41366241 0x41366241
esi 0xf7fad000 -134557696
edi 0xf7fad000 -134557696
eip 0x62413762 0x62413762
eflags 0x10282 [ SF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
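The argument string on the "set args" line above is a cyclic pattern: every 3-byte triplet (Aa0, Aa1, ..., Ab0, ...) is unique, so when the program crashes, the four bytes that ended up in eip (0x62413762) or ebp (0x41366241) tell you exactly which part of the input overwrote them. The following script, an added example that is not part of the original notes or of the NorthSec workshop material, regenerates that pattern and maps a register value as gdb prints it back to its offset in the input. x86 is little-endian, so 0x62413762 is the bytes 62 37 41 62, i.e. "b7Ab" in memory order. The register values used are the ones shown in the "info registers" output above; the function names are my own.

```python
import string
import struct

# Alphabets of the Metasploit-style cyclic pattern: upper, lower, digit.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits


def cyclic_pattern(length):
    """Return the first `length` bytes of the pattern.

    The sequence is Aa0 Aa1 ... Aa9 Ab0 ... Zz9; the first 100 bytes are
    exactly the string passed to "set args" in the notes above.
    """
    triplets = []
    for u in UPPER:
        for l in LOWER:
            for d in DIGITS:
                triplets.append(u + l + d)
                if len(triplets) * 3 >= length:
                    return "".join(triplets)[:length]
    return "".join(triplets)[:length]


def pattern_offset(register_value, length=100):
    """Map a 32-bit register value (as printed by gdb, e.g. 0x62413762)
    to the offset of those bytes inside the pattern.

    struct.pack("<I", ...) recovers the bytes in little-endian memory
    order, which is the order they were read from the crashing input.
    Returns -1 if the value did not come from the pattern at all
    (e.g. a libc address such as 0xf7e0d000).
    """
    needle = struct.pack("<I", register_value)
    pattern = cyclic_pattern(length).encode("ascii")
    return pattern.find(needle)


def saved_frame_layout(ebp_value, eip_value, length=100):
    """Crash-triage sanity check: on x86 the saved ebp sits directly
    below the saved return address, so if both registers were filled
    from the pattern, offset(ebp) + 4 should equal offset(eip).
    Returns (ebp_offset, eip_offset, consistent).
    """
    ebp_off = pattern_offset(ebp_value, length)
    eip_off = pattern_offset(eip_value, length)
    consistent = ebp_off >= 0 and eip_off >= 0 and ebp_off + 4 == eip_off
    return ebp_off, eip_off, consistent


if __name__ == "__main__":
    # Values taken from the "info registers" output in the notes above.
    EIP = 0x62413762
    EBP = 0x41366241
    print("pattern:", cyclic_pattern(100))
    print("eip bytes:", struct.pack("<I", EIP))
    print("eip came from input offset", pattern_offset(EIP))
    print("ebp/eip/consistent:", saved_frame_layout(EBP, EIP))
```

Running it against the values from the register dump reports that eip was filled from offset 52 of the argument and ebp from offset 48, and that the two are 4 bytes apart as expected for a saved frame pointer followed by a return address. That confirms the crash is a stack buffer overflow where the 53rd byte of the argument reaches the return address, which is the number you need when sizing the fix (or the bounds check) for the vulnerable copy.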
Disassemble function
disass <function>
disass main
Exit gdb
quit