* View memory content with gdb
[not found] <319102187.2792322.1530734849586.ref@mail.yahoo.com>
@ 2018-07-04 20:07 ` Mahmood Naderan via gdb
[not found] ` <CAHEcG97K-Zy=hWCtChDbDrsrOxoBnquFTBqrPnLNOzJtq6Faag@mail.gmail.com>
0 siblings, 1 reply; 3+ messages in thread
From: Mahmood Naderan via gdb @ 2018-07-04 20:07 UTC (permalink / raw)
To: gdb
Hi,
With a simple strcpy code for copying an array, I want to view the memory map with gdb. However, the result I see is not what I expect.
The code is
char buffer[10];
strcpy( buffer, argv[ 1 ] );
and I compiled with
gcc - g -fno-stack-protector -o myco myco.c
I ran gdb commands to 1) set breakpoint, 2) run with an argument "aaaaaaaaaa", 3) check register content to find the memory location, 3) view memory content, 4) continue to copy the argument to memory and 5) view memory content.
I expected to see the ascii code of 'a' multiple times. But I didn't see that. Please see the full output below:
(gdb) break 1
Breakpoint 1 at 0x6bf: file myco.c, line 1.
(gdb) run aaaaaaaaaa
Starting program: /home/mahmood/myco aaaaaaaaaa
Breakpoint 1, main (argc=2, argv=0x7fffffffdf28) at myco.c:6
6 strcpy( buffer, argv[ 1 ] );
(gdb) disas main
Dump of assembler code for function main:
0x00005555555546b0 <+0>: push %rbp
0x00005555555546b1 <+1>: mov %rsp,%rbp
0x00005555555546b4 <+4>: sub $0x20,%rsp
0x00005555555546b8 <+8>: mov %edi,-0x14(%rbp)
0x00005555555546bb <+11>: mov %rsi,-0x20(%rbp)
=> 0x00005555555546bf <+15>: mov -0x20(%rbp),%rax
0x00005555555546c3 <+19>: add $0x8,%rax
0x00005555555546c7 <+23>: mov (%rax),%rdx
0x00005555555546ca <+26>: lea -0xa(%rbp),%rax
0x00005555555546ce <+30>: mov %rdx,%rsi
0x00005555555546d1 <+33>: mov %rax,%rdi
0x00005555555546d4 <+36>: callq 0x555555554560 <strcpy@plt>
0x00005555555546d9 <+41>: mov $0x0,%eax
0x00005555555546de <+46>: leaveq
0x00005555555546df <+47>: retq
End of assembler dump.
(gdb) info registers rsp
rsp 0x7fffffffde20 0x7fffffffde20
(gdb) x/-20x 0x7fffffffde20
0x7fffffffddd0: 0x00000000 0x00000000 0x00000002 0x00000000
0x7fffffffdde0: 0xffffdf40 0x00007fff 0xffffde60 0x00007fff
0x7fffffffddf0: 0xf7ffe150 0x00007fff 0x00000000 0x00000000
0x7fffffffde00: 0x00000001 0x00000000 0x5555472d 0x00005555
0x7fffffffde10: 0x00000000 0x00000000 0x00000000 0x00000000
(gdb) step
__strcpy_ssse3 () at ../sysdeps/x86_64/multiarch/strcpy-ssse3.S:32
32 ../sysdeps/x86_64/multiarch/strcpy-ssse3.S: No such file or directory.
(gdb) x/-20x 0x7fffffffde20
0x7fffffffddd0: 0x00000000 0x00000000 0x00000002 0x00000000
0x7fffffffdde0: 0xffffdf40 0x00007fff 0xffffde60 0x00007fff
0x7fffffffddf0: 0xf7ffe150 0x00007fff 0x00000000 0x00000000
0x7fffffffde00: 0x00000001 0x00000000 0x5555472d 0x00005555
0x7fffffffde10: 0x00000000 0x00000000 0x555546d9 0x00005555
(gdb)
The last line starts at 0x7fffffffde10 and ends with 0x7fffffffde1F (one address less than rsp). Why I don't see ascii code of 'a' 10 times? Any idea?
Regards,
Mahmood
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: View memory content with gdb
[not found] ` <CAHEcG97K-Zy=hWCtChDbDrsrOxoBnquFTBqrPnLNOzJtq6Faag@mail.gmail.com>
@ 2018-07-05 6:51 ` Mahmood Naderan via gdb
[not found] ` <CAHEcG95wWetm2kUQ8hz7v=NWw4w5vprN97z9ty1sKKnUxk=TBg@mail.gmail.com>
0 siblings, 1 reply; 3+ messages in thread
From: Mahmood Naderan via gdb @ 2018-07-05 6:51 UTC (permalink / raw)
To: Ruslan Kabatsayev, gdb
>Firstly, why are you examining data just _outside_ the stack? These
>data would be overwritten by any function called by `main`, while the
>arguments should be retained until `main` returns. So, the arguments
>must either be somewhere _inside_ the stack, or far from the stack
>(e.g. heap).
It isn't outside of the stack. According to the disas
Dump of assembler code for function main:
0x00005555555546b0 <+0>: push %rbp
0x00005555555546b1 <+1>: mov %rsp,%rbp
0x00005555555546b4 <+4>: sub $0x20,%rsp
...
it is reserving 32 addresses below the rsp. That should be the place of buffer. Isn't that?
>You can get actual
>value of `argv[1]` pointer by simply using `p argv[1]` command (if you
>compiled your program with -g flag).
(gdb) break 1
Breakpoint 1 at 0x6bf: file mico.c, line 1.
(gdb) run aaaaaaaaa
Starting program: /home/mahmood/mico aaaaaaaaa
Breakpoint 1, main (argc=2, argv=0x7fffffffdf58) at mico.c:6
6 strcpy( buffer, argv[ 1 ] );
(gdb) p argv[1]
$1 = 0x7fffffffe302 "aaaaaaaaa"
I think $1 is the location of "aaaaaaaaaa" in the memory as supplied by the command line. However, that is not the destination. I am actually trying to copy from a source ($1) to a destination. The destination is the location of buffer and according to the disas, it is 32 bytes below the rsp. Since the stack grows downward, it makes sense.
>You've only, by using `step` command,>entered _into_ the `strcpy` function – note the `__strcpy_ssse3`
>becoming the current function after your `step` command.
I tried from scratch. I set two breakpoints in the first and third lines. However, it seems that it doesn't stop at the second breakpoint.
(gdb) list
1 #include <stdio.h>
2 #include <string.h>
3 int main( int argc, char **argv )
4 {
5 char buffer[10];
6 strcpy( buffer, argv[ 1 ] );
7 return 0;
8 }
(gdb) break 1
Breakpoint 1 at 0x6bf: file mico.c, line 1.
(gdb) break 3
Note: breakpoint 1 also set at pc 0x6bf.
Breakpoint 2 at 0x6bf: file vuln.c, line 3.
(gdb) run aaaaaaaaaa
Starting program: /home/mahmood/mico aaaaaaaaaa
Breakpoint 1, main (argc=2, argv=0x7fffffffdf58) at mico.c:6
6 strcpy( buffer, argv[ 1 ] );
(gdb) continue
Continuing.
[Inferior 1 (process 6899) exited normally]
So, how can I step over the stdcpy line?
Thanks for the help.
Regards,
Mahmood
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: View memory content with gdb
[not found] ` <CAHEcG95wWetm2kUQ8hz7v=NWw4w5vprN97z9ty1sKKnUxk=TBg@mail.gmail.com>
@ 2018-07-05 8:27 ` Mahmood Naderan via gdb
0 siblings, 0 replies; 3+ messages in thread
From: Mahmood Naderan via gdb @ 2018-07-05 8:27 UTC (permalink / raw)
To: Ruslan Kabatsayev, gdb
>No it doesn't. Stack grows downward when you extend it — by reserving
>bytes or by `push`ing onto it. But after you've reserved the space in
>it, further addressing of that space is via positive offsets to $rsp.
Agreed... I can now see that 61H is inserted into those locations
(gdb) info registers rsp
rsp 0x7fffffffde50 0x7fffffffde50
(gdb) x/8x 0x7fffffffde50
0x7fffffffde50: 0xffffdf58 0x00007fff 0x55554580 0x00000002
0x7fffffffde60: 0xffffdf50 0x00007fff 0x00000000 0x00000000
(gdb) next
7 return 0;
(gdb) x/10x 0x7fffffffde50
0x7fffffffde50: 0xffffdf58 0x00007fff 0x55554580 0x00000002
0x7fffffffde60: 0xffffdf50 0x61617fff 0x61616161 0x61616161
0x7fffffffde70: 0x55554600 0x00005555
I wonder why it didn't insert 61H starting from 0x7fffffffde50?
>You've set two breakpoints: first at `#include <stdio.h>`, and second>at `int main( int argc, char **argv )`, which are the lines 1 and 3 of
>your current source file, respectively.
But what I did seems to be correct!
Please see that although I set "break 1" and then "run", the program stops at strcpy line (line 6). That means it didn't set the breakpoint at the include line.
(gdb) break 1
Breakpoint 1 at 0x6bf: file mico.c, line 1.
(gdb) run aaaaaaaaa
Starting program: /home/mahmood/mico aaaaaaaaa
Breakpoint 1, main (argc=2, argv=0x7fffffffdf58) at mico.c:6
6 strcpy( buffer, argv[ 1 ] );
(gdb) p argv[1]
$1 = 0x7fffffffe302 "aaaaaaaaa"
Regards,
Mahmood
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2018-07-05 8:27 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <319102187.2792322.1530734849586.ref@mail.yahoo.com>
2018-07-04 20:07 ` View memory content with gdb Mahmood Naderan via gdb
[not found] ` <CAHEcG97K-Zy=hWCtChDbDrsrOxoBnquFTBqrPnLNOzJtq6Faag@mail.gmail.com>
2018-07-05 6:51 ` Mahmood Naderan via gdb
[not found] ` <CAHEcG95wWetm2kUQ8hz7v=NWw4w5vprN97z9ty1sKKnUxk=TBg@mail.gmail.com>
2018-07-05 8:27 ` Mahmood Naderan via gdb
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).