Hexcellents CTF Wiki
Gdb cheat sheet
Source
- Showing source code
(gdb) list 1 void f() 2 { 3 printf("How did you do that?\n"); 4 } 5 int main() 6 { 7 char name[10]; 8 scanf("%s", name); 9 printf("Hello %s\n", name); 10 return 0;
- Showing source code after previous list
(gdb) list 11 }
Breakpoints
- Breaking on a function
(gdb) b main Breakpoint 1 at 0x80484c9: file ret.c, line 8.
- Breaking on a specific line
(gdb) b ret.c:10 Breakpoint 2 at 0x80484f1: file ret.c, line 10.
- Breaking on a code address
(gdb) b *0x80484f1 Breakpoint 3 at 0x80484f1: file ret.c, line 10.
- Deleting all breakpoints
(gdb) delete Delete all breakpoints? (y or n) y
- Viewing all breakpoints
(gdb) info breakpoints Num Type Disp Enb Address What 4 breakpoint keep y 0x080484f1 in main at ret.c:10
- Deleting a specific breakpoint
(gdb) info break Num Type Disp Enb Address What 4 breakpoint keep y 0x080484f1 in main at ret.c:10 5 breakpoint keep y 0x080484c9 in main at ret.c:7 6 breakpoint keep y 0x080484c9 in main at ret.c:8 (gdb) delete 5 (gdb) info break Num Type Disp Enb Address What 4 breakpoint keep y 0x080484f1 in main at ret.c:10 6 breakpoint keep y 0x080484c9 in main at ret.c:8
Running
- Starting the executable
(gdb) run Starting program: /tmp/example/ret warning: Could not load shared library symbols for linux-gate.so.1. Do you need "set solib-search-path" or "set sysroot"? Breakpoint 6, main () at ret.c:8 8 scanf("%s", name); (gdb) list main 1 void f() 2 { 3 printf("How did you do that?\n"); 4 } 5 int main() 6 { 7 char name[10]; 8 scanf("%s", name); 9 printf("Hello %s\n", name); 10 return 0;
- Running with specific arguments
(gdb) run A B C Starting program: /tmp/example/ret A B C
- Running with input from a file
(gdb) run < /path/to_file Starting program: /tmp/example/ret < /path/to_file
Variables
- Printing contents
(gdb) print name $2 = "AAAAAAAAAA"
- Printing address
(gdb) print &name $4 = (char (*)[10]) 0xffffcd46
- Setting a variable (array)
(gdb) set var *name = 0x0 (gdb) print name $3 = "\000AAAAAAAAA" (gdb) set var name[4]='C' (gdb) print name $6 = "\000AAACAAAAA"
- Setting a variable (non-array) and register
Breakpoint 1, main () at ret.c:9 9 scanf("%s", name); (gdb) next test 10 len = strlen(name); (gdb) print len $1 = -134635948 (gdb) next 11 printf("Hello %s\n", name); (gdb) print len $2 = 4 (gdb) set var len = 42 (gdb) print len $3 = 42 (gdb) set $eax 2
Control flow
- Running until next breakpoint: 'continue'
- Running until return of current function 'finish'
- Stepping to the next line in source code: 'step'
- Stepping to the next line in source code without entering functions: 'next'
- Equivalents for stepping to the next line of assembly code: 'stepi' and 'nexti'
Frame jumping and backtracing
(gdb) list 1 void f() 2 { 3 int var2 = 5; 4 printf("How did you do that?\n"); 5 } 6 int main() 7 { 8 int len = 0; 9 char name[10]; 10 scanf("%s", name); (gdb) 11 len = strlen(name); 12 printf("Hello %s\n", name); 13 f(); 14 return 0; 15 } (gdb) bt #0 f () at ret.c:3 #1 0x08048545 in main () at ret.c:13 (gdb) info locals var2 = 0 (gdb) up #1 0x08048545 in main () at ret.c:13 13 f(); (gdb) info locals len = 6 name = "test34\000\205\004\b" (gdb) frame #1 0x08048545 in main () at ret.c:13 13 f(); (gdb) down #0 f () at ret.c:3 3 int var2 = 5; (gdb) frame #0 f () at ret.c:3 3 int var2 = 5; (gdb)
Information
- Seeing current local variable values
(gdb) info locals len = 42 name = "test\000\000K\205\004\b"
- Seeing current register values
(gdb) info registers eax 0x4 4 ecx 0x2 2 edx 0x4 4 ebx 0xf7f99e54 -134635948 esp 0xffffcd30 0xffffcd30 ebp 0xffffcd58 0xffffcd58 esi 0x0 0 edi 0x0 0 eip 0x804851d 0x804851d <main+45> eflags 0x202 [ IF ] cs 0x23 35 ss 0x2b 43 ds 0x2b 43 es 0x2b 43 fs 0x0 0 gs 0x63 99
- Seeing current frame information
(gdb) info frame Stack level 0, frame at 0xffffcd60: eip = 0x804851d in main (ret.c:11); saved eip 0xf7e0fce5 source language c. Arglist at 0xffffcd58, args: Locals at 0xffffcd58, Previous frame's sp is 0xffffcd60 Saved registers: ebp at 0xffffcd58, eip at 0xffffcd5c
- Seeing current address space layout
(gdb) info proc mappings process 28754 Mapped address spaces: Start Addr End Addr Size Offset objfile 0x8048000 0x8049000 0x1000 0x0 /tmp/example/ret 0x8049000 0x804a000 0x1000 0x0 /tmp/example/ret 0x804a000 0x804b000 0x1000 0x1000 /tmp/example/ret 0xf7df2000 0xf7df3000 0x1000 0x0 0xf7df3000 0xf7f98000 0x1a5000 0x0 /lib32/libc-2.17.so 0xf7f98000 0xf7f9a000 0x2000 0x1a5000 /lib32/libc-2.17.so 0xf7f9a000 0xf7f9b000 0x1000 0x1a7000 /lib32/libc-2.17.so 0xf7f9b000 0xf7f9e000 0x3000 0x0 0xf7fd9000 0xf7fdb000 0x2000 0x0 0xf7fdb000 0xf7fdc000 0x1000 0x0 [vdso] 0xf7fdc000 0xf7ffc000 0x20000 0x0 /lib32/ld-2.17.so 0xf7ffc000 0xf7ffd000 0x1000 0x1f000 /lib32/ld-2.17.so 0xf7ffd000 0xf7ffe000 0x1000 0x20000 /lib32/ld-2.17.so 0xfffdc000 0xffffe000 0x22000 0x0 [stack]
Various useful stuff
- Searching for strings in memory: 'x /15s 0xffffcd42' (searches for 15 strings from that address onwards)
(gdb) list 5 int main() 6 { 7 int len; 8 char name[10]="bla1"; 9 char name1[10]="bla2"; 10 char name2[10]="bla3"; (gdb) x /15s &name2 0xffffcd2e: "bla3" 0xffffcd33: "" 0xffffcd34: "" 0xffffcd35: "" 0xffffcd36: "" 0xffffcd37: "" 0xffffcd38: "bla2" 0xffffcd3d: "" 0xffffcd3e: "" 0xffffcd3f: "" 0xffffcd40: "" 0xffffcd41: "" 0xffffcd42: "hau" 0xffffcd46: "" 0xffffcd47: ""
- Displaying instructions from an address onwards, in this case the address of the current program counter
(gdb) x /10i $pc => 0x8048552 <main+98>: lea 0x32(%esp),%eax 0x8048556 <main+102>: mov %eax,(%esp) 0x8048559 <main+105>: call 0x80483c0 <strlen@plt> 0x804855e <main+110>: mov %eax,0x3c(%esp) 0x8048562 <main+114>: lea 0x32(%esp),%eax 0x8048566 <main+118>: mov %eax,0x4(%esp) 0x804856a <main+122>: movl $0x8048628,(%esp) 0x8048571 <main+129>: call 0x8048380 <printf@plt> 0x8048576 <main+134>: mov $0x0,%eax 0x804857b <main+139>: leave
- Dump memory to a file (e.g. for unpacking)
(gdb) dump binary memory dump.raw 0x00800000 0x01000000