# Some useful GDB commands

## Examine values

* Getting the current instruction

```gdb
pwndbg$ x/i $pc
=> 0x804867d: leave
```

* Getting 10 instructions starting at the current instruction pointer

```gdb
pwndbg$ x/10i $pc
=> 0x804867d: leave
   0x804867e: ret
   0x804867f: lea    0x4(%esp),%ecx
   0x8048683: and    $0xfffffff0,%esp
   0x8048686: pushl  -0x4(%ecx)
   0x8048689: push   %ebp
   0x804868a: mov    %esp,%ebp
   0x804868c: push   %ecx
   0x804868d: sub    $0x4,%esp
   0x8048690: call   0x8048662
```

* Getting 10 values starting at %esp (taken right after the previous command)

```gdb
pwndbg$ x/10x $esp
0xffffd570: 0x00000001 0x00000000 0x00000001 0x00000000
0xffffd580: 0x00000001 0xffffd644 0xffffd598 0x08048695
0xffffd590: 0xf7fb73dc 0xffffd5b0
```

* Values as bytes (1 byte each)

```gdb
pwndbg$ x/10b $esp
0xffffd570: 0x01 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0xffffd578: 0x01 0x00
```

* Values as 8-byte (quadword) units

```gdb
pwndbg$ x/10g $esp
0xffffd570: 0x0000000000000001 0x0000000000000001
0xffffd580: 0xffffd64400000001 0x08048695ffffd598
0xffffd590: 0xffffd5b0f7fb73dc 0xf7e1f63700000000
0xffffd5a0: 0xf7fb7000f7fb7000 0xf7e1f63700000000
0xffffd5b0: 0xffffd64400000001 0x00000000ffffd64c
```

* Values as 4-byte (double word) units

```gdb
pwndbg$ x/10w $esp
0xffffd570: 0x00000001 0x00000000 0x00000001 0x00000000
0xffffd580: 0x00000001 0xffffd644 0xffffd598 0x08048695
0xffffd590: 0xf7fb73dc 0xffffd5b0
```

* Getting values relative to %esp (-0x20 in this case)

```gdb
pwndbg$ x/10x $esp-0x20
0xffffd550: 0x61616171 0x61616172 0x61616173 0x0804867a
0xffffd560: 0x00000000 0x00000001 0xf7fb5244 0xf7e1f0ec
0xffffd570: 0x00000001 0x00000000
```

* Reading values also works with an absolute address

```gdb
pwndbg$ x/10x 0xffffd000
0xffffd000: 0x00000001 0x00000801 0xf7fb8000 0xf7fea2a2
0xffffd010: 0xf7e1a2cd 0xf7fda629 0x00000003 0xf7fea26c
0xffffd020: 0xf7ffd000 0xf7e1a2cd
```

## Set/update process execution

* Set a register value

```gdb
pwndbg$ set $eax = 1
pwndbg$ x/x $eax
0x1: Cannot access memory at address 0x1
```

* Set memory through a register
  - 0xffffd000 is zero

```gdb
pwndbg$ x/x 0xffffd000
0xffffd000: 0x00000000
```

  - set $eax to 0xffffd000

```gdb
pwndbg$ set $eax = 0xffffd000
```

  - set the value at the address held in eax (`*$eax`, not `$eax` itself) to 1

```gdb
pwndbg$ set *$eax = 1
```

  - now the memory contains the value 1

```gdb
pwndbg$ x/x 0xffffd000
0xffffd000: 0x00000001
```

## Breakpoints

* Setting a breakpoint
  - on a function plus an offset

```gdb
pwndbg$ b *main+12
Breakpoint 2 at 0x8048643
```

  - at an address

```gdb
pwndbg$ b *0x8048643
```

  - see the instruction at that address

```gdb
pwndbg$ x/i 0x8048643
0x8048643 : in $0x51,%eax
```

* Removing a breakpoint
  - delete breakpoint 1

```gdb
pwndbg$ d br 1
```

  - delete breakpoint 2

```gdb
pwndbg$ d br 2
```

## Controlling program execution

* Execution
  - run the program

```gdb
pwndbg$ r
Starting program: /home/users/red9057/week2/samples/frame-pointer-32
```

  - run with arguments (note the command line echoed back)

```gdb
pwndbg$ r a b c d
Starting program: /home/users/red9057/week2/samples/frame-pointer-32 a b c d
```

  - run with standard input redirected from a file

```gdb
pwndbg$ r < /etc/passwd
Starting program: /home/users/red9057/week2/samples/frame-pointer-32 < /etc/passwd
Please type your name: Hello root:x:0:0:root:/root:/bin/bash
```

* Once stopped at a breakpoint,
  - continue to the next breakpoint or crash

```gdb
pwndbg$ c
```

  - next instruction (step over calls, do not enter the function)

```gdb
pwndbg$ ni
```

  - step into the called function

```gdb
pwndbg$ si
```
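As an added example (not part of the original notes), the following Python script parses an `x/Nx` dump such as the `x/10w $esp` output in the Examine values section and re-renders the same bytes the way `x/b`, `x/w` and `x/g` would, which makes the little-endian relationship between the byte, word and quadword views explicit. The embedded sample is the page's own `x/10w` output, used here as a constructed input; the `gdb` size letters and units-per-line values follow GDB's defaults for the `x` command.

```python
import re

# Constructed sample input: the x/10w $esp dump from the notes above.
SAMPLE_X10W = """\
0xffffd570: 0x00000001 0x00000000 0x00000001 0x00000000
0xffffd580: 0x00000001 0xffffd644 0xffffd598 0x08048695
0xffffd590: 0xf7fb73dc 0xffffd5b0
"""

# gdb size letters -> bytes per unit, and how many units gdb prints per line.
UNIT_SIZE = {"b": 1, "h": 2, "w": 4, "g": 8}
PER_LINE = {"b": 8, "h": 8, "w": 4, "g": 2}

# One dump line: address, optional <symbol+off>, colon, then the hex values.
LINE_RE = re.compile(r"\s*(0x[0-9a-f]+)(?:\s*<[^>]*>)?:\s*(.*)", re.I)


def parse_dump(text, unit="w"):
    """Rebuild (base_address, bytes) from an `x/Nx` dump printed in `unit` size.
    Values are packed little-endian, matching the 32-bit x86 target in the notes."""
    size = UNIT_SIZE[unit]
    base, buf = None, bytearray()
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        addr = int(m.group(1), 16)
        if base is None:
            base = addr
        elif addr != base + len(buf):
            raise ValueError(f"dump is not contiguous at {addr:#x}")
        for tok in m.group(2).split():
            buf += int(tok, 16).to_bytes(size, "little")
    return base, bytes(buf)


def render(base, data, count, unit):
    """Show the buffer the way `x/<count>x<unit>` would (whole units only)."""
    size, per_line = UNIT_SIZE[unit], PER_LINE[unit]
    n = min(count, len(data) // size)
    lines = []
    for start in range(0, n, per_line):
        vals = [int.from_bytes(data[k * size:(k + 1) * size], "little")
                for k in range(start, min(start + per_line, n))]
        lines.append(f"0x{base + start * size:x}: "
                     + " ".join(f"0x{v:0{size * 2}x}" for v in vals))
    return "\n".join(lines)


if __name__ == "__main__":
    base, data = parse_dump(SAMPLE_X10W, "w")
    for unit in "bwg":
        print(f"--- x/10x{unit} view of the same {len(data)} bytes")
        print(render(base, data, 10, unit))
```

Comparing the `g` view against the page's `x/10g $esp` output shows how each quadword is built from two adjacent words, with the higher address landing in the upper half.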