Reversing with gdb

This is the slide deck that I prepared for the Null Pulliya session. I prepared this presentation to cover the usage and depth of coverage of GDB that any typical reverse engineer should have in his/her arsenal.

  1. REVERSING WITH GDB
  2. $whoami
     • MIHIR SHAH | SHAHENSHAH
     • GitHub: www.github.com/shahenshah99
  3. About Today
     • Basic to advanced usage
     • Hands-on on multiple platforms: x86, ARM
     • Open source and closed source binaries
     • Using GDB for: runtime analysis, manipulating program flow, disassembly, reverse engineering
  4. Initial setup
     • A machine with GCC and GDB installed
     • Initially breaking 32-bit machines
     • Continuing on to 64-bit
     • ARM Debian as console
  5. What is Debugging?
     • Debug = "De" + "Bug"
     • The art and science of finding and eliminating bugs in software
     • Bugs can be simply functional issues or can have security implications
  6. What is a Debugger?
     • A program to analyse and debug other programs
     • Examples: GNU Debugger, Java Debugger, Intel Debugger, Immunity Debugger, WinGDB
  7. DEMO TIME!!!
     • Compile a simple C program
     • Load it in GDB
  8. What are Debug Symbols?
     • Information about variables, functions etc. in the binary which can be read by a debugger
     • The debugger now understands the binary better
     • Debug symbols can be part of the binary or can be in a separate file
  9. Debugging Symbols
     • Need to be explicitly requested at compile time
     • Debug symbol formats: DWARF 2, COFF, XCOFF, Stabs
     • GCC: use the -g option
     • GCC: -ggdb for GDB-specific symbols
  10. DEMO TIME!!!!
     • Compile the program with GCC using the -ggdb option
     • Load the file in GDB
  11. Significance of Symbol Files
     • info sources
     • info variables (only for global instances)
     • info scope function_name
     • info functions
     • maint print symbols filename_to_store
  12. Extracting Symbols off a Binary
     • objcopy --only-keep-debug binary_file debug_file
  13. Stripping Symbols off a Binary
     • strip --strip-debug binary_file
     • Strip absolutely everything: strip --strip-debug --strip-unneeded binary_file
  14. Adding Debug Symbols to a Binary
     • Two ways:
       - Link the debug file to the binary itself: objcopy --add-gnu-debuglink=debug_file binary_file
       - Load the symbol file within GDB: symbol-file file_name
  15. nm: List Symbols from Object Files
  16. Symbol Types
  17. nm usage
     • nm -A files | grep function_name
     • nm -n files (display in sorted order)
     • nm -g (external symbols only)
     • nm -S (display symbol size)
  18. strace
     • Helper tool to understand how your program interacts with the OS
     • Traces all system calls made by the program
     • Tells us about the arguments passed and has great filtering capabilities
  19. 1. Tracing an execution
     • strace executable_to_trace arguments
     • -o output_file
     • -t for timestamps
     • -r for relative timestamps
  20. 2. Trace by specific syscall
     • strace -e open,socket,connect,recv executable_to_trace arguments
  21. 3. Attaching to a Running Process
     • strace -p process_id
  22. 4. Statistics on Syscalls
     • strace -c executable arguments
  23. What are Breakpoints?
     • Technique used to "pause" the program during execution, based on certain criteria
     • The criterion can be "about to execute an instruction" (that you want to examine)
     • The debugger then allows you to inspect / modify CPU registers, memory, data etc.
  24. Setting a Breakpoint in GDB
     Multiple options:
     • break *address
     • break function_name
     • break line_number
     • .....
  25. Things to do after hitting a breakpoint
     • Examine CPU registers
     • Examine memory
     • Understand the program flow
  26. View all the Breakpoints
     • info breakpoints
  27. Enable / Disable / Delete a breakpoint
     • disable XXX
     • enable XXX
     • delete XXX
  28. More Power to You!
     • Modify CPU registers
     • Modify data in memory
  29. Convenience Variables
     • You can create variables in GDB to hold data
     • set $i = 10
     • set $dyn = (char *)malloc(10)
     • set $demo = "show"
     • set var argv[1] = $demo
     • call function(args_list)
     • call strlen("show")
     • ..... anything and everything which is linked
  30. Strings
     • Display all the strings in the program
     • Poorly coded ones may reveal private / secret information
     • Secrets can be easily hidden by encryption / encoding
     • Not helpful all the time, but always a good starting point
  31. Runtime Analysis
     • Debug symbols make things easier
     • info functions
     • info variables
     • info scope function_name ; a good point to start
     • Breakpoints on input / output functions and checking what passes through them
  32. Source Code Analysis
     • If available, makes life easy!
     • Open source software or paid assignment
     • Too easy in this case
  33. AT&T or Intel
     • set disassembly-flavor intel (or att)
     • disassemble ADDRESS
  34. LET'S START CRACKING!!!
  35. Conditional Breakpoints
     • Break only if the condition is met
     • Handy in cases where there are loops
     • Conditions can be simple / complex
  36. LET'S GET INTO CRACKING AGAIN!!
  37. DEBIAN ARMEL ON QEMU
  38. ARM Calling Conventions
     • R0-R3: function arguments and return value
     • R4-R11: local variables
     • R13: stack pointer
     • R15: program counter
  39. Let's get into x64
     • Everything remains almost the same except for the terminology.
     • Understand the terminology using the wiki for the Intel x64 architecture
     • Now, let's get cracking
  40. THAT'S PRETTY MUCH ALL I HAD IN MY MIND. QUESTIONS?
