GDB
Introduction
gdb is short for GNU Debugger. It is a powerful debugger widely used for C/C++ programs: it lets you inspect variables, set breakpoints and single-step through code while the program runs. Being comfortable with gdb is one of the foundational skills for Pwn challenges.
Installing gdb
- Arch Linux: `sudo pacman -S gdb`
- macOS: `brew install gdb` (the binary must then be code-signed before it is allowed to control other processes, and gdb does not support Apple Silicon; for Pwn work a Linux VM is the usual choice)
- Ubuntu: `sudo apt install gdb`
Basic gdb commands
| Command (abbreviation) | Description |
|---|---|
| break <location> / b | Set a breakpoint at a line number, a function name, or an address written as *addr (b *main) |
| run / r | Start the program (arguments may follow) |
| next / n | Execute the next source line, stepping over function calls |
| step / s | Execute the next source line, stepping into function calls |
| nexti / ni | Execute one machine instruction, stepping over calls |
| stepi / si | Execute one machine instruction, stepping into calls |
| finish / fin | Run until the current function returns, then print its return value |
| continue / c | Continue until the next breakpoint is hit or the program exits |
| set args <arguments> | Set the command-line arguments passed to the program |
| info breakpoints / i b | List all breakpoints |
| delete <number> | Delete the breakpoint with the given number |
| print <expression> / p | Print the value of a variable or expression |
| x/<format> <address> | Examine memory; e.g. x/4x prints 4 units in hex, and with the default word unit that is 16 bytes |
| bt | Print the call stack (backtrace) |
| info registers / i r | Show all register values |
| disassemble / disas | Disassemble the current function or a given address range |
| quit / q | Exit gdb |
Common uses of the x command
| Usage | Description |
|---|---|
| x/4x <addr> | 4 units in hex; with the default word unit that is 4*4 = 16 bytes |
| x/8d <addr> | 8 units in signed decimal |
| x/16b <addr> | 16 bytes, one byte per unit (in the last format used, hex by default) |
| x/4i <addr> | 4 instructions, disassembled |
| x/s <addr> | The NUL-terminated string at addr |
| x/wx <addr> | One word (4 bytes) in hex |
| x/gx <addr> | One giant word (8 bytes) in hex |
| x/a <addr> | One pointer-sized value printed as an address with its nearest symbol, e.g. 0x401142 <main+8> |
Notes:
- <addr> may be a variable name, a register (such as $rsp or $esp) or a literal address (such as 0x401142). It is an ordinary expression, so $rsp+8 also works.
- Format letters: x = hex, d = decimal, i = instruction, s = string, a = address
- Unit letters: b = byte, h = halfword (2 bytes), w = word (4 bytes), g = giant word (8 bytes)
- gdb remembers the last format and unit you used, so a bare x/4x after an x/gx prints giant words, not words; write the unit explicitly (x/4xw) in scripts so the output does not depend on that state.
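As an added example (not code from the original page), the following C program re-implements the slicing that x/<count><fmt><unit> performs, so the unit and format letters above can be checked against a known byte pattern. It assumes a little-endian target, as in the x86-64 session later on this page. The sample bytes are the "Satrt!" string from that session, whose 8-byte view is the 0x217472746153 pwndbg prints next to it; a second helper reproduces the 0x7f7fe49a0 that appears in the STACK panel once result is stored at [rbp-4]. The function names (gdb_x, store_dword_in_qword) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the original page: a re-implementation of how
 * gdb's x/<count><fmt><unit> slices raw bytes into b/h/w/g units and prints
 * them in hex (x) or signed decimal (d). Assumes a little-endian target.
 */

/* Byte width of a gdb unit letter (b, h, w, g); 0 for anything else. */
static size_t unit_size(char unit)
{
    switch (unit) {
    case 'b': return 1;
    case 'h': return 2;
    case 'w': return 4;
    case 'g': return 8;
    default:  return 0;
    }
}

/* Read one little-endian unit of `size` bytes starting at p. */
static uint64_t read_unit_le(const uint8_t *p, size_t size)
{
    uint64_t v = 0;
    for (size_t i = 0; i < size; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/* Sign-extend a `size`-byte two's-complement value held in the low bits of v. */
static int64_t sign_extend(uint64_t v, size_t size)
{
    uint64_t sign = 1ULL << (8 * size - 1);
    return (int64_t)((v ^ sign) - sign);
}

/*
 * Format `count` units of mem as "x/<count><fmt><unit>" does, space separated,
 * into out. fmt is 'x' (zero-padded hex, as gdb prints it) or 'd' (signed
 * decimal). Returns the number of units formatted, or 0 for an unknown
 * unit/format, a truncated output buffer, or a request that runs past mem_len
 * (gdb would report "Cannot access memory" for an unmapped address instead).
 */
static size_t gdb_x(const uint8_t *mem, size_t mem_len, size_t count,
                    char fmt, char unit, char *out, size_t out_len)
{
    size_t size = unit_size(unit), used = 0;

    if (size == 0 || (fmt != 'x' && fmt != 'd') || out_len == 0 ||
        count == 0 || count > mem_len / size)
        return 0;
    out[0] = '\0';
    for (size_t i = 0; i < count; i++) {
        uint64_t v = read_unit_le(mem + i * size, size);
        int n;
        if (fmt == 'x')
            n = snprintf(out + used, out_len - used, "%s0x%0*llx",
                         i ? " " : "", (int)(2 * size), (unsigned long long)v);
        else
            n = snprintf(out + used, out_len - used, "%s%lld",
                         i ? " " : "", (long long)sign_extend(v, size));
        if (n < 0 || (size_t)n >= out_len - used)
            return 0;
        used += (size_t)n;
    }
    return count;
}

/*
 * Store a 4-byte value little-endian at byte offset `off` of an 8-byte stack
 * slot and return the slot's new 8-byte view. This is what
 * "mov dword ptr [rbp - 4], eax" does to the qword at rbp-8 in the session
 * below: 0x7ffff7fe49a0 becomes 0x7f7fe49a0 once result (7) lands in the
 * slot's upper half. Offsets above 4 would spill into the next slot; they
 * are refused and the slot is returned unchanged.
 */
static uint64_t store_dword_in_qword(uint64_t qword, size_t off, uint32_t value)
{
    uint8_t slot[8];

    if (off > 4)
        return qword;
    for (size_t i = 0; i < 8; i++)
        slot[i] = (uint8_t)(qword >> (8 * i));
    for (size_t i = 0; i < 4; i++)
        slot[off + i] = (uint8_t)(value >> (8 * i));
    return read_unit_le(slot, 8);
}

int main(void)
{
    /* Constructed sample: the bytes at 0x402004 in the session, "Satrt!" + two NULs. */
    const uint8_t satrt[8] = { 'S', 'a', 't', 'r', 't', '!', 0, 0 };
    const char *forms[] = { "8xb", "4xh", "2xw", "1xg", "8db" };
    char buf[128];

    for (size_t i = 0; i < sizeof forms / sizeof forms[0]; i++) {
        size_t count = (size_t)(forms[i][0] - '0');
        if (gdb_x(satrt, sizeof satrt, count, forms[i][1], forms[i][2],
                  buf, sizeof buf))
            printf("x/%s 0x402004: %s\n", forms[i], buf);
    }
    printf("[rbp-8] after storing result: 0x%llx\n",
           (unsigned long long)store_dword_in_qword(0x7ffff7fe49a0ULL, 4, 7));
    return 0;
}
```

The same six bytes print as 0x53 0x61 0x74 0x72 0x74 0x21 with b, 0x6153 0x7274 0x2174 with h, and 0x72746153 0x00002174 with w: the unit only changes how the bytes are grouped, and because the machine is little-endian the first byte in memory ends up as the least significant digit of each group.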
pwndbg
Install pwndbg to extend gdb's features and make it more pleasant to use.
Installing pwndbg
- Arch Linux: `sudo pacman -S pwndbg`
- Other distributions: clone https://github.com/pwndbg/pwndbg and run its setup.sh
Add the following to ~/.gdbinit:
```
source /usr/share/pwndbg/gdbinit.py
```
Install angelheap (part of the Pwngdb project) to further improve heap debugging:
```sh
git clone https://github.com/scwuaptx/Pwngdb.git ~/Pwn/Pwngdb
```
Add the following to ~/.gdbinit:
```
source ~/Pwn/Pwngdb/angelheap/gdbinit.py
define hook-run
python
import angelheap
angelheap.init_angelheap()
end
end
```
The source path must match where the repository was cloned; if it does not, gdb prints a warning at startup (the session below shows one for ~/Pwngdb/angelheap/gdbinit.py) and angelheap's commands are not available. The hook-run block re-initialises angelheap every time the program is (re)started with r.
Common commands
| Command | Description |
|---|---|
| telescope <addr> | Dump memory at addr, following and annotating each pointer chain (an annotated x) |
| heap | Iteratively print the chunks on the heap |
| vis (vis_heap_chunks) | Colour-coded visualisation of the heap's chunks, byte by byte |
| search <value> | Search memory for a value, string or byte sequence |
| canary | Show the current stack canary value |
| rop | ROP helper: search the binary for gadgets |
| vmmap | Show the virtual memory map with the permissions of each region |
| fastbins | Show the fastbin free lists (bins shows every bin type) |
| checksec | Show the binary's protections (RELRO, stack canary, NX, PIE) |
Hands-on
Write a simple C program and debug it with gdb.
```c
#include <stdio.h>

int add(int a, int b) {
    return a + b;
}

int main() {
    printf("Satrt!\n");
    int result = add(3, 4);
    return 0;
}
```
Compile it with:
```sh
$ gcc main.c -o main -g -fno-stack-protector -no-pie
```
The arguments, one by one:
- gcc: the GNU Compiler Collection, used to compile the C code.
- main.c: the source file.
- -o main: name the output file main.
- -g: emit debug information, so gdb can map addresses to source lines, list the source with l, resolve variable names such as result, and accept breakpoints by line number.
- -fno-stack-protector: disable the stack canary, so no __stack_chk_fail check sits between the local variables and the saved return address.
- -no-pie: do not build a position-independent executable. The program is linked at a fixed address (the 0x401000 region seen below), so its addresses are identical on every run; with PIE the base would be randomised by ASLR. Note that gdb also disables ASLR for the debuggee by default (set disable-randomization off turns it back on), so even a PIE binary looks stable inside gdb but not outside it.
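As an added example (not code from the page), a small ELF64 header reader lets you confirm the effect of -no-pie on ./main without starting gdb: e_type is ET_EXEC (2) for a fixed-address executable and ET_DYN (3) for a PIE or shared object, whose base is chosen by ASLR. The sample header in main() is constructed; only its first 8 bytes come from the page (the qword 0x3010102464c457f in pwndbg's STACK panel below is "\x7fELF", class 2, data 1, version 1, OSABI 3 read little-endian from the start of a mapped ELF image), and the entry point 0x401040 is derived from "_start+37 = 0x401065" in the backtrace. The struct and function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not code from the original page: reads the fixed-offset
 * fields of an ELF64 header to check a binary's object type (ET_EXEC = 2 for
 * a -no-pie build, ET_DYN = 3 for PIE or a shared object) without gdb.
 */

#define ET_EXEC_VAL   2
#define ET_DYN_VAL    3
#define EM_X86_64_VAL 0x3e

struct elf64_info {
    int      valid;        /* 1 once magic, class and byte order were accepted */
    uint64_t ident_qword;  /* first 8 bytes read little-endian, as x/gx shows them */
    uint8_t  osabi;        /* e_ident[7]: 0 = System V, 3 = GNU/Linux */
    uint16_t e_type;       /* 2 = ET_EXEC, 3 = ET_DYN */
    uint16_t e_machine;    /* 0x3e = x86-64 */
    uint64_t e_entry;      /* entry point, where _start lives */
};

static uint64_t le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

/*
 * Parse the 64-byte ELF64 header at buf. Anything that is not a little-endian
 * 64-bit ELF is rejected before the fixed offsets are read, so a 32-bit or
 * big-endian header cannot be misread. Returns 1 on success, 0 otherwise.
 */
int parse_elf64_header(const uint8_t *buf, size_t len, struct elf64_info *out)
{
    memset(out, 0, sizeof *out);
    if (len < 64 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return 0;
    if (buf[4] != 2 /* ELFCLASS64 */ || buf[5] != 1 /* ELFDATA2LSB */)
        return 0;
    out->ident_qword = le(buf, 8);
    out->osabi       = buf[7];
    out->e_type      = (uint16_t)le(buf + 16, 2);
    out->e_machine   = (uint16_t)le(buf + 18, 2);
    out->e_entry     = le(buf + 24, 8);
    out->valid = 1;
    return 1;
}

/* What e_type means for the addresses gdb will show. */
const char *elf_type_desc(uint16_t e_type)
{
    switch (e_type) {
    case ET_EXEC_VAL: return "ET_EXEC: fixed load address (-no-pie), gdb shows 0x40xxxx addresses";
    case ET_DYN_VAL:  return "ET_DYN: PIE or shared object, base chosen by ASLR at each run";
    default:          return "other object type";
    }
}

/* Read and parse the header of an ELF file on disk, e.g. ./main. */
int parse_elf64_file(const char *path, struct elf64_info *out)
{
    uint8_t hdr[64];
    FILE *f = fopen(path, "rb");
    size_t n;

    if (!f) {
        memset(out, 0, sizeof *out);
        return 0;
    }
    n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return parse_elf64_header(hdr, n, out);
}

int main(int argc, char **argv)
{
    /* Constructed sample header: first 8 bytes are the page's 0x3010102464c457f,
     * e_type/e_machine match the -no-pie x86-64 build, e_entry = 0x401040
     * follows from "_start+37 = 0x401065" in the backtrace. */
    uint8_t sample[64] = {
        0x7f, 'E', 'L', 'F', 2, 1, 1, 3,      /* magic, ELFCLASS64, LSB, v1, OSABI 3 */
        0, 0, 0, 0, 0, 0, 0, 0,               /* e_ident padding */
        2, 0,                                 /* e_type    = ET_EXEC */
        0x3e, 0,                              /* e_machine = x86-64 */
        1, 0, 0, 0,                           /* e_version */
        0x40, 0x10, 0x40, 0, 0, 0, 0, 0,      /* e_entry   = 0x401040 */
    };
    struct elf64_info info;
    int ok = argc > 1 ? parse_elf64_file(argv[1], &info)
                      : parse_elf64_header(sample, sizeof sample, &info);

    if (!ok) {
        fprintf(stderr, "not a little-endian ELF64 image\n");
        return 1;
    }
    printf("ident=0x%llx osabi=%u machine=0x%x entry=0x%llx\n%s\n",
           (unsigned long long)info.ident_qword, (unsigned)info.osabi,
           (unsigned)info.e_machine, (unsigned long long)info.e_entry,
           elf_type_desc(info.e_type));
    return 0;
}
```

Run it as ./elfhdr ./main on the -no-pie build to see ET_EXEC, then rebuild main without -no-pie and run it again to see ET_DYN; with no argument it decodes the constructed sample.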
Start debugging with gdb:
```
$ gdb ./main
GNU gdb (GDB) 16.3
Copyright (C) 2024 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
pwndbg: loaded 188 pwndbg commands and 39 shell commands. Type pwndbg [--shell | --all] [filter] for a list.
pwndbg: created $rebase, $base, $hex2ptr, $argv, $envp, $argc, $environ, $bn_sym, $bn_var, $bn_eval, $ida GDB functions (can be used with print/break)
warning: ~/Pwngdb/angelheap/gdbinit.py: No such file or directory
Reading symbols from main...
------- tip of the day (disable with set show-tips off) -------
Use the procinfo command for better process introspection (than the GDB's info proc command)
pwndbg> l
2
3 int add(int a, int b) {
4 return a + b;
5 }
6
7 int main() {
8 printf("Satrt!\n");
9 int result = add(3, 4);
10 return 0;
11 }
pwndbg>
```
Because the program was compiled with -g, the l command lists the source.
A breakpoint can be set directly by line number with b <line>, for example:
```
pwndbg> b 8
Breakpoint 1 at 0x401142: file main.c, line 8.
```
Note that gdb places a line breakpoint after the function prologue: main starts at 0x40113a, but the breakpoint lands at 0x401142 (main+8), after push rbp; mov rbp, rsp; sub rsp, 0x10, so the frame is already set up when it is hit. To stop on the very first instruction of a function use b *main.
Use i b to list the breakpoints:
```
pwndbg> i b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x0000000000401142 in main at main.c:8
```
Use r to run the program:
```
pwndbg> r
Starting program: /home/lhon901/Code/cpp/main
This GDB supports auto-downloading debuginfo from the following URLs:
<https://debuginfod.archlinux.org>
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Breakpoint 1, main () at main.c:8
8 printf("Satrt!\n");
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────
RAX 0x7ffff7f6de28 (environ) —▸ 0x7fffffffe108 —▸ 0x7fffffffe542 ◂— 'HOME=/home/lhon901'
RBX 0
RCX 0x403df0 —▸ 0x4010f0 ◂— endbr64
RDX 0x7fffffffe108 —▸ 0x7fffffffe542 ◂— 'HOME=/home/lhon901'
RDI 1
RSI 0x7fffffffe0f8 —▸ 0x7fffffffe526 ◂— '/home/lhon901/Code/cpp/main'
R8 0x7ffff7f66680 —▸ 0x7ffff7f68000 ◂— 0
R9 0x7ffff7f68000 ◂— 0
R10 0x7fffffffdd10 ◂— 0x800000
R11 0x203
R12 0x7fffffffe0f8 —▸ 0x7fffffffe526 ◂— '/home/lhon901/Code/cpp/main'
R13 1
R14 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe310 ◂— 0
R15 0x403df0 —▸ 0x4010f0 ◂— endbr64
RBP 0x7fffffffdfd0 —▸ 0x7fffffffe070 —▸ 0x7fffffffe0d0 ◂— 0
RSP 0x7fffffffdfc0 ◂— 0
RIP 0x401142 (main+8) ◂— lea rax, [rip + 0xebb]
─────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────
► 0x401142 <main+8> lea rax, [rip + 0xebb] RAX => 0x402004 ◂— 0x217472746153 /* 'Satrt!' */
0x401149 <main+15> mov rdi, rax RDI => 0x402004 ◂— 0x217472746153 /* 'Satrt!' */
0x40114c <main+18> call puts@plt <puts@plt>
0x401151 <main+23> mov esi, 4 ESI => 4
0x401156 <main+28> mov edi, 3 EDI => 3
0x40115b <main+33> call add <add>
0x401160 <main+38> mov dword ptr [rbp - 4], eax
0x401163 <main+41> mov eax, 0 EAX => 0
0x401168 <main+46> leave
0x401169 <main+47> ret
0x40116a add byte ptr [rax], al
──────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────
In file: /home/lhon901/Code/cpp/main.c:8
3 int add(int a, int b) {
4 return a + b;
5 }
6
7 int main() {
► 8 printf("Satrt!\n");
9 int result = add(3, 4);
10 return 0;
11 }
──────────────────────────────────────[ STACK ]───────────────────────────────────────
00:0000│ rsp 0x7fffffffdfc0 ◂— 0
01:0008│-008 0x7fffffffdfc8 —▸ 0x7ffff7fe49a0 ◂— endbr64
02:0010│ rbp 0x7fffffffdfd0 —▸ 0x7fffffffe070 —▸ 0x7fffffffe0d0 ◂— 0
03:0018│+008 0x7fffffffdfd8 —▸ 0x7ffff7da76b5 ◂— mov edi, eax
04:0020│+010 0x7fffffffdfe0 —▸ 0x7ffff7fc6000 ◂— 0x3010102464c457f
05:0028│+018 0x7fffffffdfe8 —▸ 0x7fffffffe0f8 —▸ 0x7fffffffe526 ◂— '/home/lhon901/Code/cpp/main'
06:0030│+020 0x7fffffffdff0 ◂— 0x1ffffe030
07:0038│+028 0x7fffffffdff8 —▸ 0x40113a (main) ◂— push rbp
────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────
► 0 0x401142 main+8
1 0x7ffff7da76b5 None
2 0x7ffff7da7769 __libc_start_main+137
3 0x401065 _start+37
──────────────────────────────────────────────────────────────────────────────────────
```
The panels pwndbg prints at every stop:
- REGISTERS / show-flags off / show-compact-regs off: the register values, with pointers dereferenced as far as they lead; a register that changed since the previous stop is marked with *.
- DISASM / x86-64 / set emulate on: the disassembly around the PC (the RIP register); ► marks the next instruction to execute and b+ marks an enabled breakpoint.
- SOURCE (CODE): the source around the current line, shown automatically when the source is found in the directory gdb was started from or in a directory given with the directory command.
- STACK: the stack contents from rsp upwards, each slot annotated with its offset from rsp and rbp.
- BACKTRACE: the current call stack.
Use ni (nexti) to execute one machine instruction, stepping over calls:
```
pwndbg> ni
0x0000000000401149 8 printf("Satrt!\n");
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────
*RAX 0x402004 ◂— 0x217472746153 /* 'Satrt!' */
RBX 0
RCX 0x403df0 —▸ 0x4010f0 ◂— endbr64
RDX 0x7fffffffe108 —▸ 0x7fffffffe542 ◂— 'HOME=/home/lhon901'
RDI 1
RSI 0x7fffffffe0f8 —▸ 0x7fffffffe526 ◂— '/home/lhon901/Code/cpp/main'
R8 0x7ffff7f66680 —▸ 0x7ffff7f68000 ◂— 0
R9 0x7ffff7f68000 ◂— 0
R10 0x7fffffffdd10 ◂— 0x800000
R11 0x203
R12 0x7fffffffe0f8 —▸ 0x7fffffffe526 ◂— '/home/lhon901/Code/cpp/main'
R13 1
R14 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe310 ◂— 0
R15 0x403df0 —▸ 0x4010f0 ◂— endbr64
RBP 0x7fffffffdfd0 —▸ 0x7fffffffe070 —▸ 0x7fffffffe0d0 ◂— 0
RSP 0x7fffffffdfc0 ◂— 0
*RIP 0x401149 (main+15) ◂— mov rdi, rax
─────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────
b+ 0x401142 <main+8> lea rax, [rip + 0xebb] RAX => 0x402004 ◂— 0x217472746153 /* 'Satrt!' */
► 0x401149 <main+15> mov rdi, rax RDI => 0x402004 ◂— 0x217472746153 /* 'Satrt!' */
0x40114c <main+18> call puts@plt <puts@plt>
0x401151 <main+23> mov esi, 4 ESI => 4
0x401156 <main+28> mov edi, 3 EDI => 3
0x40115b <main+33> call add <add>
0x401160 <main+38> mov dword ptr [rbp - 4], eax
0x401163 <main+41> mov eax, 0 EAX => 0
0x401168 <main+46> leave
0x401169 <main+47> ret
0x40116a add byte ptr [rax], al
──────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────
In file: /home/lhon901/Code/cpp/main.c:8
3 int add(int a, int b) {
4 return a + b;
5 }
6
7 int main() {
► 8 printf("Satrt!\n");
9 int result = add(3, 4);
10 return 0;
11 }
──────────────────────────────────────[ STACK ]───────────────────────────────────────
00:0000│ rsp 0x7fffffffdfc0 ◂— 0
01:0008│-008 0x7fffffffdfc8 —▸ 0x7ffff7fe49a0 ◂— endbr64
02:0010│ rbp 0x7fffffffdfd0 —▸ 0x7fffffffe070 —▸ 0x7fffffffe0d0 ◂— 0
03:0018│+008 0x7fffffffdfd8 —▸ 0x7ffff7da76b5 ◂— mov edi, eax
04:0020│+010 0x7fffffffdfe0 —▸ 0x7ffff7fc6000 ◂— 0x3010102464c457f
05:0028│+018 0x7fffffffdfe8 —▸ 0x7fffffffe0f8 —▸ 0x7fffffffe526 ◂— '/home/lhon901/Code/cpp/main'
06:0030│+020 0x7fffffffdff0 ◂— 0x1ffffe030
07:0038│+028 0x7fffffffdff8 —▸ 0x40113a (main) ◂— push rbp
────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────
► 0 0x401149 main+15
1 0x7ffff7da76b5 None
2 0x7ffff7da7769 __libc_start_main+137
3 0x401065 _start+37
──────────────────────────────────────────────────────────────────────────────────────
pwndbg>
```
In the DISASM / x86-64 / set emulate on panel the PC (the RIP register) is now at 0x401149: the lea rax, [rip + 0xebb] at 0x401142, which loads the address of the "Satrt!" string (0x402004) into rax, has been executed, and mov rdi, rax, which places that address in the first-argument register, is the next instruction. The source panel still points at line 8 because one source line compiles to several instructions; the call itself is two instructions further on, at 0x40114c.
The PC (program counter) is the CPU register that holds the address of the next instruction to execute.
When execution reaches the call puts@plt instruction, si (stepi) steps into the call instead of over it.
The compiler turned printf("Satrt!\n") into a call to puts: a format string with no conversion specifiers and a trailing newline is equivalent, and puts is cheaper.
```
pwndbg> si
0x0000000000401030 in puts@plt ()
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────
RAX 0x402004 ◂— 0x217472746153 /* 'Satrt!' */
RBX 0
RCX 0x403df0 —▸ 0x4010f0 ◂— endbr64
RDX 0x7fffffffe108 —▸ 0x7fffffffe541 ◂— 'HOME=/home/lhon901'
RDI 0x402004 ◂— 0x217472746153 /* 'Satrt!' */
RSI 0x7fffffffe0f8 —▸ 0x7fffffffe525 ◂— '/home/lhon901/Code/cpp/main'
R8 0x7ffff7f66680 —▸ 0x7ffff7f68000 ◂— 0
R9 0x7ffff7f68000 ◂— 0
R10 0x7fffffffdd10 ◂— 0x800000
R11 0x203
R12 0x7fffffffe0f8 —▸ 0x7fffffffe525 ◂— '/home/lhon901/Code/cpp/main'
R13 1
R14 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe310 ◂— 0
R15 0x403df0 —▸ 0x4010f0 ◂— endbr64
RBP 0x7fffffffdfd0 —▸ 0x7fffffffe070 —▸ 0x7fffffffe0d0 ◂— 0
*RSP 0x7fffffffdfb8 —▸ 0x401151 (main+23) ◂— mov esi, 4
*RIP 0x401030 (puts@plt) ◂— jmp qword ptr [rip + 0x2fca]
─────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────
► 0x401030 <puts@plt> jmp qword ptr [rip + 0x2fca] <puts@plt+6>
↓
0x401036 <puts@plt+6> push 0
0x40103b <puts@plt+11> jmp 0x401020 <0x401020>
↓
0x401020 push qword ptr [rip + 0x2fca]
0x401026 jmp qword ptr [rip + 0x2fcc] <0x7ffff7fd8e90>
↓
0x7ffff7fd8e90 endbr64
0x7ffff7fd8e94 push rbx
0x7ffff7fd8e95 mov rbx, rsp RBX => 0x7fffffffdfa0 ◂— 0
0x7ffff7fd8e98 and rsp, 0xffffffffffffffc0 RSP => 0x7fffffffdf80 (0x7fffffffdfa0 & -0x40)
0x7ffff7fd8e9c sub rsp, qword ptr [rip + 0x23dad] RSP => 0x7fffffffd580 (0x7fffffffdf80 - 0xa00)
0x7ffff7fd8ea3 mov qword ptr [rsp], rax [0x7fffffffd580] <= 0x402004 ◂— 0x217472746153 /* 'Satrt!' */
──────────────────────────────────────[ STACK ]───────────────────────────────────────
00:0000│ rsp 0x7fffffffdfb8 —▸ 0x401151 (main+23) ◂— mov esi, 4
01:0008│-010 0x7fffffffdfc0 ◂— 0
02:0010│-008 0x7fffffffdfc8 —▸ 0x7ffff7fe49a0 ◂— endbr64
03:0018│ rbp 0x7fffffffdfd0 —▸ 0x7fffffffe070 —▸ 0x7fffffffe0d0 ◂— 0
04:0020│+008 0x7fffffffdfd8 —▸ 0x7ffff7da76b5 ◂— mov edi, eax
05:0028│+010 0x7fffffffdfe0 —▸ 0x7ffff7fc6000 ◂— 0x3010102464c457f
06:0030│+018 0x7fffffffdfe8 —▸ 0x7fffffffe0f8 —▸ 0x7fffffffe525 ◂— '/home/lhon901/Code/cpp/main'
07:0038│+020 0x7fffffffdff0 ◂— 0x1ffffe030
────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────
► 0 0x401030 puts@plt
1 0x401151 main+23
2 0x7ffff7da76b5 None
3 0x7ffff7da7769 __libc_start_main+137
4 0x401065 _start+37
──────────────────────────────────────────────────────────────────────────────────────
pwndbg>
```
What si landed in is the PLT stub, not puts itself. The call pushed the return address 0x401151 (now at the top of the STACK panel), and jmp qword ptr [rip + 0x2fca] jumps through the GOT entry for puts. On this first call that entry still points back to puts@plt+6, so the stub pushes the relocation index (push 0) and jumps to the shared PLT0 entry at 0x401020, which pushes the link_map pointer and jumps into the dynamic loader's resolver at 0x7ffff7fd8e90. The resolver looks puts up in libc, writes its address into the GOT, and only then calls it; every later call goes straight to libc. This is lazy binding, and it is why the GOT stays writable at run time unless the binary is linked with full RELRO (-Wl,-z,relro,-z,now); checksec reports which RELRO level a binary has.
Use fin (finish) to run until the current function returns:
```
pwndbg> fin
Run till exit from #0 0x0000000000401030 in puts@plt ()
Satrt!
main () at main.c:9
9 int result = add(3, 4);
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────
*RAX 7
RBX 0
*RCX 0x7ffff7f687b0 ◂— 0
*RDX 0x7ffff7f687b0 ◂— 0
*RDI 0
*RSI 0x4052a0 ◂— 0xa217472746153 /* 'Satrt!\n' */
*R8 0
*R9 0
*R10 0
*R11 0x202
R12 0x7fffffffe0f8 —▸ 0x7fffffffe525 ◂— '/home/lhon901/Code/cpp/main'
R13 1
R14 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe310 ◂— 0
R15 0x403df0 —▸ 0x4010f0 ◂— endbr64
RBP 0x7fffffffdfd0 —▸ 0x7fffffffe070 —▸ 0x7fffffffe0d0 ◂— 0
*RSP 0x7fffffffdfc0 ◂— 0
*RIP 0x401151 (main+23) ◂— mov esi, 4
─────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────
b+ 0x401142 <main+8> lea rax, [rip + 0xebb] RAX => 0x402004 ◂— 0x217472746153 /* 'Satrt!' */
0x401149 <main+15> mov rdi, rax
0x40114c <main+18> call puts@plt <puts@plt>
► 0x401151 <main+23> mov esi, 4 ESI => 4
0x401156 <main+28> mov edi, 3 EDI => 3
0x40115b <main+33> call add <add>
0x401160 <main+38> mov dword ptr [rbp - 4], eax
0x401163 <main+41> mov eax, 0 EAX => 0
0x401168 <main+46> leave
0x401169 <main+47> ret
0x40116a add byte ptr [rax], al
──────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────
In file: /home/lhon901/Code/cpp/main.c:9
4 return a + b;
5 }
6
7 int main() {
8 printf("Satrt!\n");
► 9 int result = add(3, 4);
10 return 0;
11 }
──────────────────────────────────────[ STACK ]───────────────────────────────────────
00:0000│ rsp 0x7fffffffdfc0 ◂— 0
01:0008│-008 0x7fffffffdfc8 —▸ 0x7ffff7fe49a0 ◂— endbr64
02:0010│ rbp 0x7fffffffdfd0 —▸ 0x7fffffffe070 —▸ 0x7fffffffe0d0 ◂— 0
03:0018│+008 0x7fffffffdfd8 —▸ 0x7ffff7da76b5 ◂— mov edi, eax
04:0020│+010 0x7fffffffdfe0 —▸ 0x7ffff7fc6000 ◂— 0x3010102464c457f
05:0028│+018 0x7fffffffdfe8 —▸ 0x7fffffffe0f8 —▸ 0x7fffffffe525 ◂— '/home/lhon901/Code/cpp/main'
06:0030│+020 0x7fffffffdff0 ◂— 0x1ffffe030
07:0038│+028 0x7fffffffdff8 —▸ 0x40113a (main) ◂— push rbp
────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────
► 0 0x401151 main+23
1 0x7ffff7da76b5 None
2 0x7ffff7da7769 __libc_start_main+137
3 0x401065 _start+37
──────────────────────────────────────────────────────────────────────────────────────
pwndbg>
```
The program printed Satrt! and stopped at the instruction after the call; RAX holds 7, the number of characters puts wrote (six characters plus the newline), which is its return value.
Use p to print a variable's value:
```
pwndbg> p result
$1 = 7
```
gdb records every printed value in its value history. $1 refers to that recorded value (7), not to the variable result itself, so it is convenient in later expressions (p $1 * 2) but it will not change if result is modified afterwards.
Use c to continue execution until the next breakpoint is hit or the program exits. In the listing below a second breakpoint has been added at line 10 (breakpoint 2 in the i b output) and the process is stopped at breakpoint 1 again (p $rip shows main+8), so c runs through puts (printing Satrt!) and add, then stops at line 10. Compare the STACK panel with the earlier ones: the slot at rbp-8 changed from 0x7ffff7fe49a0 to 0x7f7fe49a0 because mov dword ptr [rbp - 4], eax stored result (7) into the upper four bytes of that qword. With -fno-stack-protector nothing separates such locals from the saved rbp and the return address that sit just above them, at rbp and rbp+8.
```
pwndbg> i b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x0000000000401142 in main at main.c:8
        breakpoint already hit 1 time
2       breakpoint     keep y   0x0000000000401163 in main at main.c:10
pwndbg> p $rip
$3 = (void (*)()) 0x401142 <main+8>
pwndbg> c
Continuing.
Satrt!
Breakpoint 2, main () at main.c:10
10 return 0;
LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA
────────────────[ REGISTERS / show-flags off / show-compact-regs off ]────────────────
*RAX 7
RBX 0
*RCX 0x7ffff7f687b0 ◂— 0
*RDX 3
*RDI 3
*RSI 4
*R8 0
*R9 0
*R10 0
*R11 0x202
R12 0x7fffffffe0f8 —▸ 0x7fffffffe526 ◂— '/home/lhon901/Code/cpp/main'
R13 1
R14 0x7ffff7ffd000 (_rtld_global) —▸ 0x7ffff7ffe310 ◂— 0
R15 0x403df0 —▸ 0x4010f0 ◂— endbr64
RBP 0x7fffffffdfd0 —▸ 0x7fffffffe070 —▸ 0x7fffffffe0d0 ◂— 0
RSP 0x7fffffffdfc0 ◂— 0
*RIP 0x401163 (main+41) ◂— mov eax, 0
─────────────────────────[ DISASM / x86-64 / set emulate on ]─────────────────────────
0x40114c <main+18> call puts@plt <puts@plt>
0x401151 <main+23> mov esi, 4 ESI => 4
0x401156 <main+28> mov edi, 3 EDI => 3
0x40115b <main+33> call add <add>
0x401160 <main+38> mov dword ptr [rbp - 4], eax
► 0x401163 <main+41> mov eax, 0 EAX => 0
0x401168 <main+46> leave
0x401169 <main+47> ret <0x7ffff7da76b5>
↓
0x7ffff7da76b5 mov edi, eax EDI => 0
0x7ffff7da76b7 call exit <exit>
0x7ffff7da76bc call 0x7ffff7e12be0 <0x7ffff7e12be0>
──────────────────────────────────[ SOURCE (CODE) ]───────────────────────────────────
In file: /home/lhon901/Code/cpp/main.c:10
5 }
6
7 int main() {
8 printf("Satrt!\n");
9 int result = add(3, 4);
► 10 return 0;
11 }
──────────────────────────────────────[ STACK ]───────────────────────────────────────
00:0000│ rsp 0x7fffffffdfc0 ◂— 0
01:0008│-008 0x7fffffffdfc8 ◂— 0x7f7fe49a0
02:0010│ rbp 0x7fffffffdfd0 —▸ 0x7fffffffe070 —▸ 0x7fffffffe0d0 ◂— 0
03:0018│+008 0x7fffffffdfd8 —▸ 0x7ffff7da76b5 ◂— mov edi, eax
04:0020│+010 0x7fffffffdfe0 —▸ 0x7ffff7fc6000 ◂— 0x3010102464c457f
05:0028│+018 0x7fffffffdfe8 —▸ 0x7fffffffe0f8 —▸ 0x7fffffffe526 ◂— '/home/lhon901/Code/cpp/main'
06:0030│+020 0x7fffffffdff0 ◂— 0x1ffffe030
07:0038│+028 0x7fffffffdff8 —▸ 0x40113a (main) ◂— push rbp
────────────────────────────────────[ BACKTRACE ]─────────────────────────────────────
► 0 0x401163 main+41
1 0x7ffff7da76b5 None
2 0x7ffff7da7769 __libc_start_main+137
3 0x401065 _start+37
──────────────────────────────────────────────────────────────────────────────────────
pwndbg>
```
Use disable <number or address> and enable <number or address> to switch breakpoints off and on without deleting them; the Enb column of i b flips between y and n. For example:
```
pwndbg> i b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x0000000000401142 in main at main.c:8
        breakpoint already hit 1 time
2       breakpoint     keep y   0x0000000000401163 in main at main.c:10
pwndbg> disable 2
pwndbg> i b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x0000000000401142 in main at main.c:8
        breakpoint already hit 1 time
2       breakpoint     keep n   0x0000000000401163 in main at main.c:10
pwndbg> enable 2
pwndbg> i b
Num     Type           Disp Enb Address            What
1       breakpoint     keep y   0x0000000000401142 in main at main.c:8
        breakpoint already hit 1 time
2       breakpoint     keep y   0x0000000000401163 in main at main.c:10
pwndbg>
```
Use q to quit gdb (if the program is still running, gdb asks for confirmation before killing it):