GDB (gef)

GNU Debugger (GNU), with the gef wrapper to provide us with extended features.

GDB Command Reference - Index pageSysprogs

https://sourceware.org/gdb/current/onlinedocs/gdb.html/sourceware.org

GDB/GEF Cheatsheet - TrebledJ's PagesTrebledJ's Pages

Commands

Cheatsheet link

1. Run the program

• run, r

gdb <binary>
gef> run

2. Breakpoints

2.1 Set breakpoint on the main function

gef> break main
gef> b main

2.2 Start command

a. start: sets a temporary breakpoint on the main procedure and starts executing the program (run command)

• The main procedure is usually main (C/C++), but may vary with other languages

The start command does the equivalent of setting a temporary breakpoint at the beginning of the main procedure and then invoking the run command

b. starti: set a temporary breakpoint at the first instruction of the program execution and starts executing the program (run command)

2.3 Navigate through the program

a. nexti: go instruction by instruction through the program, without stepping into function calls

b. next: go through each line of code, without stepping into function calls

c. stepi: go instruction by instruction, while stepping into function calls

d. step: go through each line of code, while stepping into function calls

Summary table

Command	Navigate through?	Step into function calls (eg. puts())?
nexti	Instructions	NO
next	Line of code (may consist of multiple instructions)	NO
stepi	Instructions	YES
step	Line of code (may consist of multiple instructions)	YES

2.4 Example on a specific instruction

• Eg. hello world function

gef> disassemble main # "disass" works too
Dump of assembler code for function main:
   xxx
   0x0804840f <+20>:	push   0x80484b0
   0x08048414 <+25>:	call   0x80482d0 <puts@plt>
   xxx
End of assembler dump.

• Set breakpoint on the call to puts

gef> break *main+25
gef> break *0x08048414
gef> break *puts

2.5 Other commands

gef> info breakpoints
gef> delete <Num> # "del" or "d" works too

2.6 If Position-Independent Executable (PIE) is used

• If PIE is present, the memory addresses of the code shown by the disassembler will not match the one actually used during runtime

• To deal with this, we can simply run the binary first, and disassemble again, to view the runtime memory addresses

$ readelf -h <bin_file>
...
Type:     DYN (Position-Independent Executable file)
...

$ gdb <bin_file>
gdb> starti
gdb> disass main # or whatever function desired

3. Memory

gef> x/nfu <addresss>

• n: How many units to print (default 1)

• f: Format character (default x)

  • x: hexadecimal (default)

  • d:decimal

  • o: octal

  • u: unsigned decimal

  • t: binary

  • f: floating point

  • a: address

  • c: char

  • s: string

  • i: instruction

• u: Unit (default w)

  • b: byte

  • h: halfword (16 bit, 2 bytes)

  • w: word (32 bit, 4 bytes) (default)

  • g: giant word (64 bits, 8 bytes)

gef> x/a <address> # print pointer address

gef> x/2cb <address> # print 2 bytes of character

gef> x/2dh <address> # print 2 decimal ('d') representation of half-words ('h': 16-bits, 2-bytes)

gef> x/s <address> # print as C string

gef> x/4xb # print 4 bytes of hex

4. Printing

• Print values with C-like syntax, and can function as:

  • Print registers

  • Type conversion

  • Calculator

  General syntax: print/f, p/f

# print register values
gef>  p $rbp
$1 = (void *) 0x7fffffffdac0
####

# type conversion
gef> p/x 10 # “print as hex
gef> p/o 0x10 # print as octal
gef> p/d 0x10 # print as signed decimal

gef> set output-radix 10
gef> p/c 0x10 # print as char (requires output-radix 10)

gef>  p (int)0x22
$x = 34
#####

# calculator
gef>  p/x (int)(0x00007fffffffdaa8 + 0x3) - (int)$rbp
$x = 0xffffffeb

gef> p/x 0x48 - 0x36
$x = 0x12
####