Reversing with gdb

Click to edit Master title style
1
REVERSING WITH GDB

2
$whoami
MIHIR SHAH | SHAHENSHAH
GitHub:
www.github.com/shahenshah99
2

3
About Today
• Basic to Advance Usage
• Hands on Multiple Platforms:
x86
ARM
• Open Source and Closed Source Binaries
• Using GDB for:
Runtime Analysis
Manipulating Program Flow
Disassembly
Reverse Engineering
3

4
Initial setup
• A Machine running with GCC and GDB
installed
• Initially breaking 32 bit machines
• Continuing onto 64 bit
• ARM Debian as console
4

5
What is Debugging?
•Debug = “De” + “Bug”
•The Art and Science of finding and
eliminating bugs in software
•Bugs can be simply functional issues or can
have security implications
5

6
What is a Debugger?
6
• Program to analyse and debug other programs
• Examples –
 GNU Debugger
 Java Debugger
 Intel Debugger
 Immunity Debugger
 WinGDB

7
DEMO TIME!!!
• Compile a simple C program
• Load it in GDB

8
• Information about Variables, Functions etc.
about the binary which can be read by a
debugger
• Debugger now understands the binary better
• Debug symbols can be a part of the binary
or can be in a separate file
8
What are Debugger Symbols

9
• Need to be explicitly mentioned at
compile time
• Debug symbol file types
 DWARF 2
 COFF
 XCOFF
 Stabs
• GCC use the –g option
• GCC –ggdb for GDB specific symbols 9
Debugging Symbols

10
• Compile Program with GCC using
–ggdb option
• Load file in GDB
10
DEMO TIME!!!!

1111
SIGNIFICANCE OF SYMBOL FILES
• Info sources
• Info Variables(Only for global instances)
• Info scope function_name
• Info functions
• Maint print symbols filename_to_store

1212
Extracting Symbols off a Binary
• Objcopy
--only-keep-debug binary_file debug_file

1313
Stripping Symbols off a Binary
• strip
--strip-debug binary_file
• strip absolutely everything
--strip-debug --strip-unneeded binary_file

1414
Adding Debug Symbols to a
Binary
• 2 ways:
 Add it to the Binary itself
objcopy –add-gnu-debuglink=debug_file
 Load the symbol file within GDB
symbol-file file_name

1515
NM – List Symbols from Object Files

1616
Symbol Types

1717
NM usage
• NM –A …. | grep function_name
• NM –n …. (Display in sorted Order)
• NM –g (External)
• NM –s (display size)

1818
Strace
• Helper tool to understand how your program
interacts with the OS
• Traces all System Calls made by the Program
• Tells us about arguments passed and has great
filtering capabilities

1919
1 Tracing an execution
• Strace executable_to_trace arguments
• ‘-o’ output_file
• ‘-t’ for timestamp
• ‘-r’ for relative timestamping

2020
2 Trace by specific SysCall
Strace –e open, socket, connect, recv
executable_to_trace arguments

2121
3 Attaching to a Running
Process
Strace –p process_id

2222
4 Statistics on Syscalls
Strace –c executable arguments

2323
What are Breakpoints?
• Technique used to “Pause” the program during the
execution, based on certain criteria
• Criteria can be “about to execute an
instruction”(that you want to examine)
• Debugger allows you to inspect / modify CPU
Registers, Memory, Data etc.

2424
Setting a Breakpoint in GDB
Multiple Options:
• Break address
• Break function_name
• Break line_number
• …..

2525
Things to do after hitting a
breakpoint
• Examine CPU registers
• Examine Memory
• Understand the program flow

2626
View all the Breakpoints
• Info breakpoints

2727
Enable / Disable / Delete a
breakpoint
• Disable XXX
• Enable XXX
• Delete XXX

2828
More Power to You!
• Modify CPU registers
• Modify data in Memory

2929
Convenience Variables
• You can create variables in GDB to hold data
• Set $i = 10
• Set $dyn = (char *)malloc(10)
• $demo=“show”
• Set argv[1] = $demo
• Call Function(args_list)
• Call strlen(“show”)
• ….. Anything and everything which is linked

3030
Strings
• Display all the strings in the program
• Poorly coded ones may reveal private / secret
information
• Secret can be easily hidden by encryption / encoding
• Not helpful all the times but is always a good starting
point

3131
Runtime Analysis
• Debug Symbols make things easier
• Info functions
• Info variables
• Info scope function_name ; good point to start
• Breakpoints and checking input / output functions

3232
Source code Analysis
• If available, makes life easy!
• Open Source software or paid assignment
• Too easy in this case 

3333
AT&T or Intel
• Set disassembly-flavour
• Disassemble ADDRESS

3434
LETS START CRACKING!!!

3535
Conditional Breakpoints
• Break only if the condition is met
• Handy in cases where there are loops
• Conditions can be simple / complex

3636
LETS GET INTO CRACKING
AGAIN!!

3737
DEBIAN ARMEL ON QEMU

3838
ARM Calling Conventions
• R0-r3 function arguments and return value
• R4-r11 local variables
• R13 stack pointer
• R15 program counter

3939
Lets get into x64
• Everything remains almost the same except for
the terminologies.
• Understand the terminology using the wiki for
intel x64 bit architecture
• Now, Lets get cracking

4040
THAT’S PRETTY MUCH ALL I HAD
IN MY MIND
QUESTIONS?

Reversing with gdb

More Related Content

Similar to Reversing with gdb

More from Mihir Shah

Recently uploaded

Reversing with gdb