GDB Tutorial for Reverse Engineers: Breakpoints, Modifying Memory and Printing its Contents

Captions
Hi guys, let's talk about GDB. GDB is the debugger for Linux. It's super powerful, but its user-friendliness, or lack thereof, can make you throw your PC out of the window. But what's important to understand about GDB is that it's not simply a tool; it's a powerful debugging framework for you to build upon. In this video I'm going to walk you through GDB setup for reverse engineering and show you all the necessary commands and shortcuts for your debugging workflow. Let's get started, you guys.

To install GDB, just type sudo apt install gdb, and we're also gonna need a GCC compiler to compile our test example, so I suggest you install the build-essential package. To install PEDA, just follow the installation instructions from the PEDA repository. [Music]

I'll be using this simple program as our debugging target. This code creates a local variable x on the stack, then prints out its value. After that it adds 5 to x and prints the value again. Pretty simple, just what we need for our debugging example. And right now I need to compile our debugging example with GCC with a simple command. Okay, as we see, our example is compiled. Let me run it. OK, so just what we expected.

To open a file in GDB, type gdb and your file name in the console. GDB will open and load your file. Notice that the code execution hasn't started yet; that's because there is a separate command to start the execution. It's called run, or r for short, and if we start it, our program successfully completes execution. That's because we haven't set any breakpoints. Here we can set a breakpoint using a symbol name, for example break main, or you can do that using an address; in my case it will be break, asterisk and the address of the main function. You can print a list of all your breakpoints with the info breakpoints command and delete them with the command delete and your breakpoint number. As you can see, breakpoint number 1 just got deleted. Now if I issue the run command, the execution conveniently stops at the beginning of the main function. And just to save us some time, we can use the command start, which comes from PEDA, instead of doing all this; this command will do all this work just for us.

Of course, as with any other debugger, we can use single stepping with the command step or stepi, and if you like to do single stepping a lot, note that pressing return on an empty line will make GDB execute the previous command you entered once more. Also you can use the command next to single step without entering function calls. [Music] To step through several instructions at once you can use the command next and a number of instructions. If you want to continue execution to a certain point in a program, for example to exit a loop, you can use the command xuntil and your address.

So let's talk about modifying registers. To do this, let me restart the execution of our program. Let me step through some lines of code until we reach the line main+41, where our value x is incremented. For example, if I want to skip the increment of x, I can change the value of the RIP register with the following construction: set, dollar sign, register name, in my case rip, and then the value, and I want this address. I hit enter and I can output our context once again, and we see that the next line to be executed is line main+45. As you might have noticed, you can treat registers like variables in GDB, so I can assign RIP the value of RAX with the command set $rip = $rax. Now I can issue the context command to make sure PEDA reprints its beautiful context window, and we'll see that RIP points to some nonsense. And if I want to start execution from the start of the main function, I can just write set $rip = main. By the way, with PEDA you have a faster way to skip instructions without executing them, with the command skipi.

Modifying memory is similar to modifying registers in the sense that any memory location can be available in GDB. So in my example I want to change the contents of the format string x = %d. This string is located at this address in my binary. I can use this address as a variable and type in the same command as with registers: set my address equals aaa%d. But in this case we'll see an error message; that's because you should always provide a variable type when modifying memory in GDB. So let me correct my command to this. As you can see, our new command has executed successfully, so let me continue the execution of the program to see our new format string, and as expected we can see our new format string here.

And now let's talk about examining the memory. You can use the command x to examine the memory. For example, if I want to print 20 8-byte words from the stack pointer, I use the command x/20xg $rsp. In this command 20 means the number of the words, x is for hexadecimal format and g means giant, for eight-byte words. By changing the second x to i you can print memory as instructions. The full list of supported modifiers you can find in the description. Also PEDA provides you with the convenient hexdump command, which you can use, well, to display a hex dump. This command means print 10 hexdumped lines from the stack pointer.

So today we've seen a glimpse of GDB functionality. To sum up, I want you to take home three things. Number one: use PEDA or a different GDB-based plugin that suits your needs. Number two: use the break and delete commands to control breakpoints. And number three: use the x command to print out memory contents. If you have any further questions on GDB, please leave a comment below. Like this video if you want more content like this, and as always, happy hacking, you guys.
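The session walked through above (breakpoint by symbol and by address, info breakpoints, delete, run, next, a typed memory write, and x/Nxg on the stack pointer) can be replayed without typing it interactively. The script below is an added example and is not code from the video or its author: it writes a constructed test program of the shape the video describes (a local x printed, 5 added, printed again), compiles it with gcc -g -O0, and drives plain GDB in batch mode with the same commands. It assumes gcc and gdb are on PATH, uses GDB's architecture-neutral $pc and $sp aliases where the video uses $rip and $rsp, and skips ~/.gdbinit with -nx so a PEDA context window does not clutter the captured log (PEDA itself is not needed for these core commands).

```shell
#!/bin/sh
# Added example (not the video's own code): build a small target and drive GDB
# non-interactively with the commands discussed in the video.
# Needs gcc and gdb on PATH.
set -eu

# Constructed test program mirroring the video's description: a local x is
# printed, 5 is added to it, and it is printed again.
write_target() {                      # $1 = working directory
    cat > "$1/target.c" <<'EOF'
#include <stdio.h>

int main(void)
{
    int x = 10;             /* local variable on the stack */
    printf("x = %d\n", x);
    x += 5;
    printf("x = %d\n", x);
    return 0;
}
EOF
    gcc -g -O0 -o "$1/target" "$1/target.c"
}

# Run one scripted GDB session against the binary and emit its transcript.
# -nx skips ~/.gdbinit (so PEDA/GEF output stays out of the log);
# -batch makes GDB exit once the -ex command list is exhausted.
gdb_session() {                       # $1 = working directory
    gdb -q -nx -batch \
        -ex 'break main' \
        -ex 'break *main' \
        -ex 'info breakpoints' \
        -ex 'delete 2' \
        -ex 'run' \
        -ex 'next' \
        -ex 'print x' \
        -ex 'set {int}&x = 42' \
        -ex 'print x' \
        -ex 'print/x $pc' \
        -ex 'x/3i $pc' \
        -ex 'x/4xg $sp' \
        -ex 'continue' \
        "$1/target" < /dev/null 2>&1
}

# Build, debug, clean up. Prints the session log and succeeds only when the
# value written through GDB ("x = 42", then "x = 47") reached the program's
# own output, i.e. the memory write really changed the running process.
run_demo() {
    work=$(mktemp -d)
    write_target "$work"
    log=$(gdb_session "$work")
    rm -rf "$work"
    printf '%s\n' "$log"
    printf '%s\n' "$log" | grep -q 'x = 42' && printf '%s\n' "$log" | grep -q 'x = 47'
}

if command -v gcc >/dev/null 2>&1 && command -v gdb >/dev/null 2>&1; then
    run_demo
fi
```

The typed write set {int}&x = 42 is the form the video arrives at after the untyped assignment fails: GDB needs the type to know how many bytes to write. Breakpoint 2 (the address form) is deleted before run so the program stops once, at the symbol breakpoint, and print $pc plus x/3i $pc show the same register-as-variable and examine-as-instructions idioms the video uses with $rip.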
Info
Channel: Path Cybersec [Slava Moskvin]
Views: 15,000
Keywords: buffer overflow, gnu debugger (software), reverse engineering, gdb, linux, exploit, tutorial
Id: nLp3hr6Jf2M
Length: 9min 22sec (562 seconds)
Published: Mon Mar 29 2021