Saturday, 21 January 2023

Basics to GDB Debugging

 

      1. We see that there is a core dump happening:



      

      2. We see what the core dump tells:

      


      3. Disassemble

      The arrow tells us the instruction where the core dump was generated

      


      4. Print address

      


      5. Print address

      


      6. Print the character at address (if it was a character)

      


      7. To see the contents of registers- info registers

      


      8. To see which function called which function and so on till the current function- use ‘backtrace (bt)’ or ‘info stack’ or ‘where

      


      :

      :

      :

      


      10. To see the frame info of the latest stack frame from above- info frame

      


 

Now,

ESP is the current stack pointer. EBP is the base pointer for the current stack frame.

When you call a function, typically space is reserved on the stack for local variables. This space is usually referenced via EBP (all local variables and function parameters are a known constant offset from this register for the duration of the function call.) ESP, on the other hand, will change during the function call as other functions are called, or as temporary stack space is used for partial operation results.

 

      We need to know who had called us and what were the parameters given to me (the current function)

      


      So, ebp+ 0 will give us the previous ebp

      We can know the ebp address from the info registers

      Usually the value of ebp in info registers (which is the current value of the ebp) will be same as the info frame since it will be pointing to the local variables of current function.

      Now, ebp + 4 contains the return instruction where we have come from

      Example: 


      


      To see the above output to print 10 addresses, in hexadecimal format and in word length(.ie. 4 bytes, 8 bytes, …):

      Example:

      


       


      In that example, we see who has called us is this:

      


      In example, we can tell that the current function has been called from connect() function using:

      


      Now, we can do disassemble connect+176:

      



      So, we see that the instruction before 176 has a function call to mystrcpy()