View memory content with gdb

View memory content with gdb

[Mahmood Naderan via gdb]

Hi,
With a simple strcpy code for copying an array, I want to view the memory map with gdb. However, the result I see is not what I expect.

The code is
  char buffer[10];
  strcpy( buffer, argv[ 1 ] );

and I compiled with 


gcc - g -fno-stack-protector -o myco myco.c


I ran gdb commands to 1) set breakpoint, 2) run with an argument "aaaaaaaaaa", 3) check register content to find the memory location, 3) view memory content, 4) continue to copy the argument to memory and 5) view memory content.
I expected to see the ascii code of 'a' multiple times. But I didn't see that. Please see the full output below:

(gdb) break 1
Breakpoint 1 at 0x6bf: file myco.c, line 1.
(gdb) run aaaaaaaaaa
Starting program: /home/mahmood/myco aaaaaaaaaa

Breakpoint 1, main (argc=2, argv=0x7fffffffdf28) at myco.c:6
6      strcpy( buffer, argv[ 1 ] );
(gdb) disas main
Dump of assembler code for function main:
   0x00005555555546b0 <+0>:    push   %rbp
   0x00005555555546b1 <+1>:    mov    %rsp,%rbp
   0x00005555555546b4 <+4>:    sub    $0x20,%rsp
   0x00005555555546b8 <+8>:    mov    %edi,-0x14(%rbp)
   0x00005555555546bb <+11>:    mov    %rsi,-0x20(%rbp)
=> 0x00005555555546bf <+15>:    mov    -0x20(%rbp),%rax
   0x00005555555546c3 <+19>:    add    $0x8,%rax
   0x00005555555546c7 <+23>:    mov    (%rax),%rdx
   0x00005555555546ca <+26>:    lea    -0xa(%rbp),%rax
   0x00005555555546ce <+30>:    mov    %rdx,%rsi
   0x00005555555546d1 <+33>:    mov    %rax,%rdi
   0x00005555555546d4 <+36>:    callq  0x555555554560 <strcpy@plt>
   0x00005555555546d9 <+41>:    mov    $0x0,%eax
   0x00005555555546de <+46>:    leaveq 
   0x00005555555546df <+47>:    retq   
End of assembler dump.
(gdb) info registers rsp
rsp            0x7fffffffde20    0x7fffffffde20
(gdb) x/-20x 0x7fffffffde20
0x7fffffffddd0:    0x00000000    0x00000000    0x00000002    0x00000000
0x7fffffffdde0:    0xffffdf40    0x00007fff    0xffffde60    0x00007fff
0x7fffffffddf0:    0xf7ffe150    0x00007fff    0x00000000    0x00000000
0x7fffffffde00:    0x00000001    0x00000000    0x5555472d    0x00005555
0x7fffffffde10:    0x00000000    0x00000000    0x00000000    0x00000000
(gdb) step
__strcpy_ssse3 () at ../sysdeps/x86_64/multiarch/strcpy-ssse3.S:32
32    ../sysdeps/x86_64/multiarch/strcpy-ssse3.S: No such file or directory.
(gdb) x/-20x 0x7fffffffde20
0x7fffffffddd0:    0x00000000    0x00000000    0x00000002    0x00000000
0x7fffffffdde0:    0xffffdf40    0x00007fff    0xffffde60    0x00007fff
0x7fffffffddf0:    0xf7ffe150    0x00007fff    0x00000000    0x00000000
0x7fffffffde00:    0x00000001    0x00000000    0x5555472d    0x00005555
0x7fffffffde10:    0x00000000    0x00000000    0x555546d9    0x00005555
(gdb) 




The last line starts at 0x7fffffffde10 and ends with 0x7fffffffde1F (one address less than rsp). Why I don't see ascii code of 'a' 10 times? Any idea?




Regards,
Mahmood

Re: View memory content with gdb

[Mahmood Naderan via gdb]

>Firstly, why are you examining data just _outside_ the stack? These
>data would be overwritten by any function called by `main`, while the
>arguments should be retained until `main` returns. So, the arguments
>must either be somewhere _inside_ the stack, or far from the stack
>(e.g. heap).


It isn't outside of the stack. According to the disas

Dump of assembler code for function main:
   0x00005555555546b0 <+0>:    push   %rbp
   0x00005555555546b1 <+1>:    mov    %rsp,%rbp
   0x00005555555546b4 <+4>:    sub    $0x20,%rsp
...


it is reserving 32 addresses below the rsp. That should be the place of buffer. Isn't that?




>You can get actual
>value of `argv[1]` pointer by simply using `p argv[1]` command (if you
>compiled your program with -g flag).

(gdb) break 1
Breakpoint 1 at 0x6bf: file mico.c, line 1.
(gdb) run aaaaaaaaa
Starting program: /home/mahmood/mico aaaaaaaaa

Breakpoint 1, main (argc=2, argv=0x7fffffffdf58) at mico.c:6
6      strcpy( buffer, argv[ 1 ] );
(gdb) p argv[1]
$1 = 0x7fffffffe302 "aaaaaaaaa"



I think $1 is the location of "aaaaaaaaaa" in the memory as supplied by the command line. However, that is not the destination. I am actually trying to copy from a source ($1) to a destination. The destination is the location of buffer and according to the disas, it is 32 bytes below the rsp. Since the stack grows downward, it makes sense.






>You've only, by using `step` command,>entered _into_ the `strcpy` function – note the `__strcpy_ssse3`
>becoming the current function after your `step` command.


I tried from scratch. I set two breakpoints in the first and third lines. However, it seems that it doesn't stop at the second breakpoint.

(gdb) list
1    #include <stdio.h>
2    #include <string.h>
3    int main( int argc, char **argv )
4    {
5      char buffer[10];
6      strcpy( buffer, argv[ 1 ] );
7      return 0;
8    }
(gdb) break 1
Breakpoint 1 at 0x6bf: file mico.c, line 1.
(gdb) break 3
Note: breakpoint 1 also set at pc 0x6bf.
Breakpoint 2 at 0x6bf: file vuln.c, line 3.
(gdb) run aaaaaaaaaa
Starting program: /home/mahmood/mico aaaaaaaaaa

Breakpoint 1, main (argc=2, argv=0x7fffffffdf58) at mico.c:6
6      strcpy( buffer, argv[ 1 ] );
(gdb) continue
Continuing.
[Inferior 1 (process 6899) exited normally]



So, how can I step over the stdcpy line?
Thanks for the help.




Regards,
Mahmood 

Re: View memory content with gdb

[Mahmood Naderan via gdb]

>No it doesn't. Stack grows downward when you extend it — by reserving
>bytes or by `push`ing onto it. But after you've reserved the space in
>it, further addressing of that space is via positive offsets to $rsp.


Agreed... I can now see that 61H is inserted into those locations

(gdb) info registers rsp
rsp            0x7fffffffde50    0x7fffffffde50
(gdb) x/8x 0x7fffffffde50
0x7fffffffde50:    0xffffdf58    0x00007fff    0x55554580    0x00000002
0x7fffffffde60:    0xffffdf50    0x00007fff    0x00000000    0x00000000
(gdb) next
7      return 0;
(gdb) x/10x 0x7fffffffde50
0x7fffffffde50:    0xffffdf58    0x00007fff    0x55554580    0x00000002
0x7fffffffde60:    0xffffdf50    0x61617fff    0x61616161    0x61616161
0x7fffffffde70:    0x55554600    0x00005555


I wonder why it didn't insert 61H starting from 0x7fffffffde50?





>You've set two breakpoints: first at `#include <stdio.h>`, and second>at `int main( int argc, char **argv )`, which are the lines 1 and 3 of
>your current source file, respectively.


But what I did seems to be correct! 
Please see that although I set "break 1" and then "run", the program stops at strcpy line (line 6). That means it didn't set the breakpoint at the include line.

(gdb) break 1
Breakpoint 1 at 0x6bf: file mico.c, line 1.
(gdb) run aaaaaaaaa
Starting program: /home/mahmood/mico aaaaaaaaa

Breakpoint 1, main (argc=2, argv=0x7fffffffdf58) at mico.c:6
6      strcpy( buffer, argv[ 1 ] );
(gdb) p argv[1]
$1 = 0x7fffffffe302 "aaaaaaaaa"



Regards,
Mahmood