Greetings!
For the past few weeks I have been pretty much bored with any kind of reversing, so all my projects are stalled. Today I decided to fix some bugs in gdbinit, and the result is version 7.1.7. The assemble command is finally fixed, a few semi-useful commands were added and some colours changed. Nothing big.
Blackhat USA 2009 had a very interesting presentation about hacking Apple’s keyboard firmware updates. The paper and presentation are really nice and describe a very interesting attack vector. If you can’t trust your keyboard then it’s very difficult to trust the whole system (if not impossible)! Grab the paper here and the presentation here. Dino’s presentation about advanced OS X rootkits is interesting too. Check the whole archive here.
That’s it for now. Let’s see if I can get back to my projects and release something before I get back to school! I was accepted to the MBA program, so next year will be dedicated to school. Of course I hope to have some free time to keep posting some crap.
Yours,
fG!
gdbinit717 SHA1(gdbinit717)= 1f0536488d72930d39a3d0fa191ab688aaf7446d
The latest version can always be found here.
-
I’ve noticed that when gdbinit is loaded, all numbers are output as hex. Is there a way to turn that off or to tell gdb to print decimal numbers? I sometimes use gdb for some quick calculations, and thinking in hex is not the most intuitive.
-
Hello man,
Your job is awesome, but I have a question about starting gdb with this gdbinit…
It requires starting gdb like this: “gdb” and then doing an “exec-file $EXEC_FILE”, but it doesn’t work with “gdb $EXEC_FILE”.
You already said it before…. but do you have a solution to bypass this “trick”?
Because when I do that, my $EXEC_FILE doesn’t have its symbols analyzed… thanks
-
grand, thx a lot!!
-
Hi fG,
There is one drawback for me with the new gdbinit, perhaps you can fix that. In the previous version, I often see:
gdb$ context
————————————————————————–[regs]
EAX: 003821C0 EBX: 0000001E ECX: 003821C0 EDX: 001E0007 o d I t s z a P c
ESI: 000000BE EDI: 0038222C EBP: BFFFDD98 ESP: BFFFDD60 EIP: 00042FE7
CS: 0017 DS: 001F ES: 001F FS: 0000 GS: 0037 SS: 001F Jump is NOT taken (z flag)
[001F:BFFFDD60]———————————————————-[stack]
Invalid type combination in ordering comparison.
but now only this
gdb$ context
Invalid type combination in ordering comparison.
shows up. That’s the reason why I downgraded.
thanks
-
Sorry for the late answer, I didn’t notice your comment.
app: Opacity: http://likethought.com/opacity/
Breakpoint 1, 0x00041ac5 in PCDrawAllLayerInContext ()
No change when the stack is disabled:
gdb$ context
Invalid type combination in equality test.
gdb$ disablestack
gdb$ context
Invalid type combination in equality test.
Hope that helps.
-
There is a bug in gdbinit 7.1.7:
The definition for jump/not jump for JLE is not correct. To reproduce the bug:
1. download Layers 1.1.4:
http://www.megaupload.com/?d=MD29L66I
2. set breakpoint to 2 different JLE locations:
$ b *0xbc78
$ b *0x7fcb
$ r
Result:
0000bc78 7e5f jle 0x0000bcd9 > gdb shows “Jump is taken”. It jumps indeed.
00007fcb 7e5f jle 0x0000802c > gdb shows “Jump is NOT taken”. But it still jumps.
Fix:
Search for ## JLE or JNG:
if ((($_zf_flag == 1) && ($_sf_flag == $_of_flag))
Replace with:
if ((($_zf_flag == 1) && ($_sf_flag == $_of_flag)) || (($_sf_flag == 1) && ($_zf_flag == $_of_flag)))
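The comment above concerns the "Jump is taken / NOT taken" hint that gdbinit prints at a conditional jump. The following is an added example, not code from gdbinit or from the post or its comments: it decides whether an x86 Jcc instruction is taken from the EFLAGS bits, using the Jcc conditions documented in the Intel SDM (for JLE/JNG: ZF=1 or SF≠OF), and it can read the flag field from a context dump such as the one quoted earlier on this page. The flag values below are constructed, the function names are mine, and the display convention assumed for the context line (an uppercase letter marks a set flag) is taken from that quoted dump.

```python
# Added example (not gdbinit's own code): evaluate x86 conditional jumps
# from the EFLAGS bits, the decision behind a "Jump is taken / NOT taken" hint.
# Conditions follow the Intel SDM Jcc table. Sample flag values are constructed.

# Architectural EFLAGS bit positions for the flags gdbinit's context line shows.
EFLAGS_BITS = {"c": 0, "p": 2, "a": 4, "z": 6, "s": 7, "t": 8, "i": 9, "d": 10, "o": 11}


def flags_from_context(display: str) -> dict:
    """Parse a context-style flag field such as 'o d I t s z a P c'.
    Assumed convention (matches the dump quoted in the comments above):
    an uppercase letter means the flag is set, lowercase means clear."""
    return {ch.lower(): int(ch.isupper()) for ch in display.split()}


def flags_from_eflags(eflags: int) -> dict:
    """Extract the same flag dict from a raw EFLAGS register value."""
    return {name: (eflags >> bit) & 1 for name, bit in EFLAGS_BITS.items()}


# Canonical mnemonic for each synonym (Intel SDM lists both spellings).
ALIASES = {
    "jc": "jb", "jnae": "jb", "jnc": "jae", "jnb": "jae",
    "jz": "je", "jnz": "jne", "jna": "jbe", "jnbe": "ja",
    "jpe": "jp", "jpo": "jnp", "jnge": "jl", "jnl": "jge",
    "jng": "jle", "jnle": "jg",
}


def jump_taken(mnemonic: str, f: dict) -> tuple:
    """Return (taken, which_flags_decided) for a Jcc mnemonic and a flag dict."""
    zf, sf, of, cf, pf = f["z"], f["s"], f["o"], f["c"], f["p"]
    conditions = {
        "jo":  (of == 1, "o flag"),           "jno": (of == 0, "o flag"),
        "jb":  (cf == 1, "c flag"),           "jae": (cf == 0, "c flag"),
        "je":  (zf == 1, "z flag"),           "jne": (zf == 0, "z flag"),
        "jbe": (cf == 1 or zf == 1, "c/z flags"),
        "ja":  (cf == 0 and zf == 0, "c/z flags"),
        "js":  (sf == 1, "s flag"),           "jns": (sf == 0, "s flag"),
        "jp":  (pf == 1, "p flag"),           "jnp": (pf == 0, "p flag"),
        "jl":  (sf != of, "s/o flags"),       "jge": (sf == of, "s/o flags"),
        # JLE/JNG is taken on EITHER ZF=1 OR SF!=OF; JG/JNLE is its negation.
        "jle": (zf == 1 or sf != of, "z/s/o flags"),
        "jg":  (zf == 0 and sf == of, "z/s/o flags"),
    }
    m = ALIASES.get(mnemonic.lower(), mnemonic.lower())
    if m not in conditions:
        raise ValueError(f"not a conditional jump: {mnemonic}")
    return conditions[m]


def describe(mnemonic: str, f: dict) -> str:
    """Format the decision the way a debugger hint would, e.g. 'Jump is NOT taken (z/s/o flags)'."""
    taken, why = jump_taken(mnemonic, f)
    return f"Jump is {'taken' if taken else 'NOT taken'} ({why})"


if __name__ == "__main__":
    # Constructed: the flag line from the context dump quoted above (I and P set).
    ctx = flags_from_context("o d I t s z a P c")
    for mn in ("jle", "jg", "jne", "jb"):
        print(f"{mn:4} {describe(mn, ctx)}")
    # Constructed: ZF=0 but SF=1, OF=0, so JLE is taken on the sign/overflow test alone.
    print("jle with SF=1,OF=0,ZF=0:", describe("jle", flags_from_eflags(1 << EFLAGS_BITS["s"])))
```

Checking a hint against `flags_from_eflags` on the live EFLAGS value (rather than trusting the debugger's text) is the quickest way to confirm which of the two branch outcomes the CPU will actually take when a script's condition looks suspicious.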
Trackback link: http://reverse.put.as/2009/08/05/gdbinit-7-1-7-and-some-bla-bla-bla/trackback/