Basic Reverse Engineering with GDB


In computing, debugging is the process of locating and fixing or working around bugs (errors) in program code or in the design of a hardware device. Debugging is a fundamental part of exploit development. When you are writing an exploit you need to be able to execute the code of the target application in a variety of ways, so that you have enough control to monitor the code and memory closely when needed. You may want to run it normally at one point, to step through each individual instruction at another, and sometimes to run quickly to a particular point and take control once that point is reached.
All of this is possible with a debugger, through breakpoints and the various methods of stepping through code. This article describes the most common features of GDB. First we will take a simple C program, compile it, and then break it open with GDB.


GDB, the GNU Project debugger, allows you to see what is going on `inside' another program while it executes -- or what another program was doing at the moment it crashed.

GDB can do four main kinds of things (plus other things in support of these) to help you catch bugs in the act:

Start your program, specifying anything that might affect its behavior.
Make your program stop on specified conditions.
Examine what has happened, when your program has stopped.
Change things in your program, so you can experiment with correcting the effects of one bug and go on to learn about another.


After some basic debugging we will use a few standard Linux command-line tools to gather more information about a Linux executable.

So here we will debug this simple C program using gdb.

#include <stdio.h>
#include <wchar.h>

/* Hands its argument straight to wprintf() as the format string. */
int my_function(wchar_t *a)
{
        return wprintf(a);
}

int main(void)
{
        /* L"..." is a wide-character literal: an array of wchar_t, not char. */
        return my_function(L"Hello World!\n");
}

First of all we use the gcc compiler to compile the C program.

debasish@debasish-desktop:~$ nano MYprog.c
debasish@debasish-desktop:~$ gcc -o MYprog MYprog.c
MYprog.c:2:18: warning: extra tokens at end of #include directive
debasish@debasish-desktop:~$
debasish@debasish-desktop:~$ ./MYprog
Hello World!
debasish@debasish-desktop:~$ ^C



So we have successfully compiled our C program and it works.

Now we will debug this program with gdb, using the following commands.

debasish@debasish-desktop:~$ gdb MYprog
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/debasish/MYprog...(no debugging symbols found)...done.
(gdb)


gdb has now loaded the program but has not started it yet. The note "(no debugging symbols found)" means the binary was built without -g, so we will be working at the instruction level rather than with source lines.
The "start" command runs the program and stops it at a temporary breakpoint placed on main:

(gdb) start
Temporary breakpoint 1 at 0x804841a
Starting program: /home/debasish/MYprog

Temporary breakpoint 1, 0x0804841a in main ()
(gdb)

We can see that the temporary breakpoint was placed at 0x0804841a, inside main.

Now we will use the command "layout asm" to open gdb's TUI assembly window, which shows the disassembly around the current instruction in order.

You should get a window like this.




> 0x804841a                        and    $0xfffffff0,%esp
  0x804841d                        sub    $0x10,%esp
  0x8048420                        movl   $0x80484f0,(%esp)
  0x8048427                        call   0x8048404
  0x804842c                        leave
  0x804842d                        ret
  0x804842e                        nop
  0x804842f                        nop
  0x8048430 <__libc_csu_fini>      push   %ebp
  0x8048431 <__libc_csu_fini+1>    mov    %esp,%ebp
  0x8048433 <__libc_csu_fini+3>    pop    %ebp
  0x8048434 <__libc_csu_fini+4>    ret
  0x8048435                        lea    0x0(%esi,%eiz,1),%esi
  0x8048439                        lea    0x0(%edi,%eiz,1),%edi
  0x8048440 <__libc_csu_init>      push   %ebp
  0x8048441 <__libc_csu_init+1>    mov    %esp,%ebp
  0x8048443 <__libc_csu_init+3>    push   %edi
  0x8048444 <__libc_csu_init+4>    push   %esi
  0x8048445 <__libc_csu_init+5>    push   %ebx

The address on the far left of each line is the virtual address of that instruction. The ">" marker shows the current instruction, where the breakpoint stopped us: 0x804841a, inside our main function.


The first instruction at the breakpoint is
and    $0xfffffff0,%esp
which rounds ESP down to a 16-byte boundary (gcc aligns main's frame this way). The next one,
sub    $0x10,%esp
subtracts 0x10 (16 bytes, not 10) from ESP to reserve space for the arguments of the upcoming call. The stack grows downward in memory, so reserving space means lowering ESP.
The movl instruction then stores the constant $0x80484f0 at the top of the stack, (%esp), which is where my_function (the call target 0x8048404 on the following line) expects its only argument under the 32-bit calling convention. More interestingly, if you look at that movl, $0x80484f0 is the starting address of the string "Hello World!".
To validate that we can use this command.

(gdb) printf "%s\n",0x80484f0

It prints only the first character of our string, "H". This is not because GDB cannot print wide characters: the literal is a wchar_t string, and on 32-bit Linux every wchar_t is four bytes, so the 'H' is followed by three zero bytes and "%s" stops at the first of them. Ask gdb for a wide (4-byte unit) string instead and the whole text comes out:

(gdb) x/ws 0x80484f0

It follows that adding 4 to the address gives the next character, 'e', and stepping on in multiples of 4 walks through the full string "Hello World!".
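The memory layout behind that observation, as an added example that is not part of the original post: the program below reads the same L"Hello World!\n" literal the way gdb's printf "%s" does (byte by byte, stopping at the first zero byte) and the way x/ws does (one wchar_t at a time), and dumps the bytes so the zero padding between characters is visible. It assumes a little-endian machine with a 4-byte wchar_t, which is what 32- and 64-bit Linux/glibc have.

```c
/*
 * Added example, not code from the original post. It shows why gdb's
 * printf "%s\n",0x80484f0 printed only "H" for MYprog's L"Hello World!\n",
 * and why adding 4 to the address reaches the next character: a wide literal
 * is an array of wchar_t, which on Linux/glibc is a 4-byte (UTF-32) unit.
 * Assumes little-endian byte order (x86).
 */
#include <stdio.h>
#include <stddef.h>
#include <wchar.h>

/* The same literal MYprog hands to wprintf(). */
const wchar_t HELLO[] = L"Hello World!\n";

/* Length as gdb's printf "%s" sees it: bytes up to the first zero byte.
 * On a little-endian machine the byte right after 'H' is already zero. */
size_t narrow_len(const void *p)
{
    const unsigned char *b = p;
    size_t n = 0;
    while (b[n] != 0)
        n++;
    return n;
}

/* Length as gdb's x/ws sees it: wchar_t units up to the first zero unit. */
size_t wide_len(const void *p)
{
    const wchar_t *w = p;
    size_t n = 0;
    while (w[n] != 0)
        n++;
    return n;
}

/* The byte at a given offset from the start of the literal, i.e. what gdb
 * shows for 0x80484f0 + off. Characters sit at multiples of sizeof(wchar_t);
 * the bytes in between are the zero padding of each 4-byte unit. */
unsigned char byte_at(const void *p, size_t off)
{
    return ((const unsigned char *)p)[off];
}

/* Hex dump of a region, like gdb's x/Nxb or hexdump -C without the ASCII column. */
void dump_bytes(const void *p, size_t len)
{
    const unsigned char *b = p;
    for (size_t i = 0; i < len; i++)
        printf("%02x%c", b[i], (i % 16 == 15 || i + 1 == len) ? '\n' : ' ');
}

int main(void)
{
    printf("sizeof(wchar_t) = %zu; the literal occupies %zu bytes\n",
           sizeof(wchar_t), sizeof HELLO);
    dump_bytes(HELLO, sizeof HELLO);

    printf("as a narrow string: %zu byte(s), \"%.*s\"\n",
           narrow_len(HELLO), (int)narrow_len(HELLO), (const char *)HELLO);
    printf("as a wide string:   %zu character(s), \"%ls\"", wide_len(HELLO), HELLO);

    /* Walk the string the way the post does: one wchar_t (4 bytes) at a time. */
    for (size_t off = 0; off < 3 * sizeof(wchar_t); off += sizeof(wchar_t))
        printf("byte at +%zu: '%c'\n", off, byte_at(HELLO, off));
    return 0;
}
```

Compile with gcc -o wide wide.c and run it; the dump shows 48 00 00 00 65 00 00 00 ..., which is exactly why a byte-oriented "%s" stops after 'H' and why the next character is 4 bytes further on.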

Executing the assembly instructions one at a time is essential when you are trying to understand the flow of a program. The command for that is "si", short for "stepi" (step instruction): each si executes exactly one machine instruction from where the program is stopped, following a call into the called function. Its counterpart "ni" (nexti) treats a call as a single step and stops at the instruction after it.

"continue" (abbreviated "c") is the command that runs the rest of the program at once, until the next breakpoint is hit or the program exits.

When working in a debugger it is just as important to watch the stack and the registers while you step. Graphical debuggers such as Immunity Debugger or OllyDbg on Windows show them in their own panes; in a command-line debugger you have to ask for them. At any point you can inspect a register with the "print" command, so to see the value held in EAX you enter

"print $eax"

"info registers" shows all of them at once, "x/xw $eax" shows the word at the address EAX points to, "x/8xw $esp" dumps the eight 32-bit words at the top of the stack, and "layout regs" adds a register window to the TUI next to the assembly.






There is more in gdb; hopefully I will write another article on it.
Another tool that is very useful for reverse engineering Linux programs is "hexdump".

hexdump with the -C option prints the raw bytes of the executable as hex alongside their ASCII rendering, the same view Immunity Debugger and OllyDbg show in their dump pane (lower left).

If you only want the first 16 bytes of the executable, use the -n option.

For example

hexdump -C -n 16 MYprog

This prints the start of the ELF header: the 16-byte identification field, beginning with the magic 7f 45 4c 46 (".ELF") and followed by bytes giving the file class (32- or 64-bit), the data encoding (little- or big-endian) and the ELF version.
The "file" command also gives useful information about an executable (ELF class, architecture, whether it is dynamically linked and whether it is stripped):

file MYprog

and readelf prints the ELF header in full:

readelf -h MYprog

This shows every header field in detail, including the program entry point address.
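What readelf -h is actually decoding, as an added example that is not part of the original post: a small parser for the ELF file header, reading the identification bytes that hexdump -C -n 16 shows and the fixed-offset fields after them. It works on a raw byte buffer so it can be checked against a constructed header (the field values in SAMPLE_ELF32 are made up, not MYprog's); main() also runs it on a real file, /proc/self/exe by default, which assumes Linux.

```c
/*
 * Added example, not code from the original post: a parser for the ELF file
 * header, the bytes that `hexdump -C -n 16 MYprog` (e_ident) and
 * `readelf -h MYprog` display. Works on a raw byte buffer; main() applies it
 * to a real file. SAMPLE_ELF32 below is a constructed header, not MYprog's.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define EI_NIDENT 16

struct elf_hdr {
    unsigned char e_ident[EI_NIDENT];
    int is64, big_endian;     /* from e_ident[4] (class) and e_ident[5] (data) */
    uint16_t e_type;          /* 2 = ET_EXEC, 3 = ET_DYN (shared object or PIE) */
    uint16_t e_machine;       /* 3 = EM_386, 62 = EM_X86_64 */
    uint64_t e_entry;         /* entry point address: _start, not main */
    uint64_t e_phoff, e_shoff;
    uint16_t e_phnum, e_shnum;
};

/* Read an n-byte unsigned integer at p in the file's own byte order. */
static uint64_t rd(const unsigned char *p, size_t n, int big_endian)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * (big_endian ? n - 1 - i : i));
    return v;
}

/* Returns 0 on success, -1 if buf is too short or is not an ELF header.
 * Offsets follow the Elf32_Ehdr (52 bytes) / Elf64_Ehdr (64 bytes) layouts. */
int parse_elf_header(const unsigned char *buf, size_t len, struct elf_hdr *h)
{
    if (len < EI_NIDENT || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;
    memset(h, 0, sizeof *h);
    memcpy(h->e_ident, buf, EI_NIDENT);
    h->is64 = (buf[4] == 2);
    h->big_endian = (buf[5] == 2);
    if (len < (size_t)(h->is64 ? 64 : 52))
        return -1;
    int be = h->big_endian, w = h->is64 ? 8 : 4;   /* width of address fields */
    h->e_type    = (uint16_t)rd(buf + 16, 2, be);
    h->e_machine = (uint16_t)rd(buf + 18, 2, be);
    h->e_entry   = rd(buf + 24, w, be);
    h->e_phoff   = rd(buf + 24 + w, w, be);
    h->e_shoff   = rd(buf + 24 + 2 * w, w, be);
    h->e_phnum   = (uint16_t)rd(buf + (h->is64 ? 56 : 44), 2, be);
    h->e_shnum   = (uint16_t)rd(buf + (h->is64 ? 60 : 48), 2, be);
    return 0;
}

void print_header(const struct elf_hdr *h)
{
    printf("Magic:  ");
    for (int i = 0; i < EI_NIDENT; i++)
        printf(" %02x", h->e_ident[i]);
    printf("\nClass:   ELF%d, %s-endian\n", h->is64 ? 64 : 32,
           h->big_endian ? "big" : "little");
    printf("Type:    %u (%s)\n", h->e_type, h->e_type == 2 ? "EXEC" :
           h->e_type == 3 ? "DYN, PIE or shared object" : "other");
    printf("Machine: %u (%s)\n", h->e_machine, h->e_machine == 3 ? "Intel 80386" :
           h->e_machine == 62 ? "x86-64" : "other");
    /* For ET_DYN the entry is an offset from a load base chosen at run time. */
    printf("Entry:   0x%llx%s\n", (unsigned long long)h->e_entry,
           h->e_type == 3 ? " (relative to load base)" : "");
    printf("Program headers: %u, section headers: %u\n", h->e_phnum, h->e_shnum);
}

/* Constructed ELF32 little-endian i386 ET_EXEC header (made-up values). */
const unsigned char SAMPLE_ELF32[52] = {
    0x7f, 'E', 'L', 'F', 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* e_ident */
    2, 0, 3, 0,             /* e_type = ET_EXEC, e_machine = EM_386 */
    1, 0, 0, 0,             /* e_version */
    0xa0, 0x83, 0x04, 0x08, /* e_entry = 0x080483a0 */
    0x34, 0, 0, 0,          /* e_phoff = 52 */
    0x00, 0x10, 0, 0,       /* e_shoff = 0x1000 */
    0, 0, 0, 0,             /* e_flags */
    0x34, 0, 0x20, 0, 8, 0, /* e_ehsize = 52, e_phentsize = 32, e_phnum = 8 */
    0x28, 0, 0x1c, 0, 0x19, 0 /* e_shentsize = 40, e_shnum = 28, e_shstrndx = 25 */
};

int main(int argc, char **argv)
{
    struct elf_hdr h;
    unsigned char buf[64];

    parse_elf_header(SAMPLE_ELF32, sizeof SAMPLE_ELF32, &h);
    puts("== constructed sample ==");
    print_header(&h);

    /* Any ELF file named on the command line; /proc/self/exe is this program. */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return 1; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (parse_elf_header(buf, n, &h) != 0) {
        fprintf(stderr, "%s: not an ELF file or header truncated\n", path);
        return 1;
    }
    printf("== %s ==\n", path);
    print_header(&h);
    return 0;
}
```

Run it as ./elfhdr MYprog and compare its Entry line with readelf -h; on a modern distribution the default build is a PIE (Type 3), and the entry it prints is then an offset that the loader adds to a randomised base, which is why the addresses gdb shows for a PIE differ from run to run unless ASLR is disabled.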



ndisasm, the disassembler that ships with the NASM assembler (on Ubuntu it is in the nasm package), can be used to disassemble the binary straight from the file:

ndisasm -u -o 0x[entry-point] -e 0x320 MYprog | less

-u selects 32-bit mode, -e skips the first 0x320 bytes of the file (the ELF headers and the sections that precede the code), and -o sets the address printed for the first byte that is disassembled. ndisasm knows nothing about ELF: it disassembles whatever bytes it is given, so the -o value must be the virtual address that corresponds to the file offset you skipped to (for a conventional non-PIE i386 binary loaded at 0x8048000, file offset 0x320 maps to 0x8048320), otherwise the addresses it prints will not line up with those in gdb.



But notice that this is not the code we just saw in gdb.

The reason is that the entry point is not main: it is _start, the C runtime's startup code, which sets up the stack and only then hands control to libc. The end of that routine looks like this:

08048395  51                push ecx
08048396  56                push esi
08048397  6817840408        push dword 0x8048417
0804839C  E8B7FFFFFF        call dword 0x8048358

The last value pushed, 0x8048417, is the address of main: gdb's temporary breakpoint at 0x804841a sits three bytes into it, just after the push %ebp / mov %esp,%ebp prologue that precedes the and $0xfffffff0,%esp we saw first. The call to 0x8048358 goes into libc's startup routine (__libc_start_main, reached through its PLT entry), which receives main as an argument and calls it once the runtime is initialised. So once the stack is configured, the code we saw in gdb is found by jumping to 0x8048417, the pushed address, not to the call target.







Further down in the ndisasm output (marked in red in the original screenshot), after a run of nop padding, the same instructions we stepped through in gdb appear again.

That was the most basic form of debugging a Linux application. I hope it was helpful; I will try to write more on gdb later on.
