More gdbinit addons!

End of the year is slow and I was a bit inspired, so I decided to hack in some other features I was missing from gdbinit!

The first one is about conditional jump display. The original gdbinit doesn’t tell you which way a conditional jump will go. You must look at the flags and work it out yourself! Well… I can’t memorize this kind of stuff (in reality I can, but it’s useless so I refuse to) and computers were created to automate tasks! So I just added a nice “Jump is taken” or “Jump is NOT taken” display (ripped from Ollydbg 😉)!

Example:

Much easier to follow the code! JCXZ and JECXZ are the only conditional jumps not implemented.
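As an added example, not code from gdbinit, here is the decision logic behind a “Jump is taken” display: it reads the EFLAGS bits the way Intel’s Jcc condition table does, and goes a little beyond the post by also handling JCXZ/JECXZ, which look at ECX instead of the flags. It is written in Python rather than gdb script so the verdicts can be checked against sample register values; the 0x246 sample EFLAGS value is constructed for the demo.

```python
# Added example (not gdbinit's code): decide whether a conditional jump will be
# taken from the EFLAGS value, as a "Jump is taken / NOT taken" display must.
CF, PF, ZF, SF, OF = 0, 2, 6, 7, 11      # EFLAGS bit positions

def flag(eflags, bit):
    return (eflags >> bit) & 1

# Canonical mnemonic -> predicate over (eflags, ecx), from Intel's Jcc table.
CONDITIONS = {
    "jo":    lambda f, c: flag(f, OF) == 1,
    "jno":   lambda f, c: flag(f, OF) == 0,
    "jb":    lambda f, c: flag(f, CF) == 1,
    "jae":   lambda f, c: flag(f, CF) == 0,
    "je":    lambda f, c: flag(f, ZF) == 1,
    "jne":   lambda f, c: flag(f, ZF) == 0,
    "jbe":   lambda f, c: flag(f, CF) == 1 or flag(f, ZF) == 1,
    "ja":    lambda f, c: flag(f, CF) == 0 and flag(f, ZF) == 0,
    "js":    lambda f, c: flag(f, SF) == 1,
    "jns":   lambda f, c: flag(f, SF) == 0,
    "jp":    lambda f, c: flag(f, PF) == 1,
    "jnp":   lambda f, c: flag(f, PF) == 0,
    "jl":    lambda f, c: flag(f, SF) != flag(f, OF),
    "jge":   lambda f, c: flag(f, SF) == flag(f, OF),
    "jle":   lambda f, c: flag(f, ZF) == 1 or flag(f, SF) != flag(f, OF),
    "jg":    lambda f, c: flag(f, ZF) == 0 and flag(f, SF) == flag(f, OF),
    # these two test the counter register, not the flags (the cases the post leaves out)
    "jcxz":  lambda f, c: (c & 0xFFFF) == 0,
    "jecxz": lambda f, c: (c & 0xFFFFFFFF) == 0,
}
# Assembler spellings that share a condition code with an entry above.
ALIASES = {"jc": "jb", "jnae": "jb", "jnc": "jae", "jnb": "jae", "jz": "je",
           "jnz": "jne", "jna": "jbe", "jnbe": "ja", "jpe": "jp", "jpo": "jnp",
           "jnge": "jl", "jnl": "jge", "jng": "jle", "jnle": "jg"}

def jump_taken(mnemonic, eflags, ecx=0):
    """True if the conditional jump 'mnemonic' is taken under these register values."""
    m = mnemonic.lower()
    m = ALIASES.get(m, m)
    if m not in CONDITIONS:
        raise ValueError("not a conditional jump: " + mnemonic)
    return bool(CONDITIONS[m](eflags, ecx))

def describe(mnemonic, eflags, ecx=0):
    """The one-line verdict printed next to the disassembled instruction."""
    return "Jump is taken" if jump_taken(mnemonic, eflags, ecx) else "Jump is NOT taken"

if __name__ == "__main__":
    # Constructed sample: EFLAGS 0x246 = IF, ZF and PF set, nothing else
    # (the "o d I t s Z a P c" flags line gdbinit shows in the comments on this post).
    for mn in ("je", "jne", "ja", "jbe", "jl", "jge"):
        print(mn, "->", describe(mn, 0x246))
```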

The other feature is stepping over calls. I don’t know why, but gdb’s instructions to step over calls sometimes fail (mainly with objc_msgSend), which is a pain because you either end up following into the call or have to set a manual breakpoint on the next instruction. That’s what I’ve implemented: a temporary breakpoint on the instruction after the call. The call opcode which is most interesting is 0xE8 (I grepped most of my disassemblies). The whole call will take 6 bytes, so we can easily calculate the next address and set a temporary breakpoint there (using gdb’s ‘tbreak’ command). I have called this new command ‘stepo’. You can use it when the current instruction to be executed is a call, or, if you don’t mind stepping over calls, you can use it all the time, since when the current opcode is not a call it just runs the ‘nexti’ command (step one instruction). Otherwise, just use it when you want to skip over calls.
I have added a few other call opcodes but the list is incomplete. The code for this is a real mess and there is certainly a better way to do it. Suggestions? 🙂 Anyway, opcode 0xE8 is really the most interesting one to skip over!
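As an added example (not gdbinit’s own stepo code), here is the next-address calculation stepo needs, in Python so the cases can be checked offline: it decodes the 32-bit near-call forms (E8 rel32, plus FF /2 with its ModRM/SIB/displacement variants, which covers more forms than the post’s list) and returns the address a ‘tbreak’ would be set on. It assumes 32-bit code with no instruction prefixes and does not decode far calls; the sample bytes are constructed for the demo.

```python
# Added example, not gdbinit's stepo: compute where the temporary breakpoint goes so
# that execution resumes on the instruction after a 32-bit x86 near CALL.
# Covers E8 rel32 and the FF /2 (call r/m32) encodings. Far calls (9A, FF /3) and
# instruction prefixes are deliberately not handled: returns None for "not a call".

def call_length(code):
    """Length in bytes of the near call at code[0], or None if it is not one."""
    op = code[0]
    if op == 0xE8:               # CALL rel32: opcode + 4-byte displacement
        return 5
    if op != 0xFF:
        return None
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if reg != 2:                 # only /2 is CALL; /0 INC, /4 JMP, /6 PUSH, ...
        return None
    length = 2                   # opcode + ModRM
    if mod == 3:                 # register operand, e.g. call *%eax
        return length
    if rm == 4:                  # a SIB byte follows the ModRM
        sib = code[2]
        length += 1
        if mod == 0 and (sib & 7) == 5:   # SIB with no base register: disp32 follows
            length += 4
    elif mod == 0 and rm == 5:   # [disp32] absolute, e.g. call *0x2010 (FF 15 ...)
        length += 4
    if mod == 1:
        length += 1              # disp8, e.g. call *0x8(%ebp)
    elif mod == 2:
        length += 4              # disp32, e.g. call *0x1234(%ebx)
    return length

def stepo_target(pc, code):
    """Address of the instruction after the call at pc, or None if pc is not a call."""
    n = call_length(code)
    return None if n is None else pc + n

if __name__ == "__main__":
    # Constructed bytes, as they would be read at $pc: call *0x2010
    print(hex(stepo_target(0x1FF5, bytes([0xFF, 0x15, 0x10, 0x20, 0x00, 0x00]))))
```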

I made a few tests and things seem to be working as expected. If you find any bugs please report them, or fix them and send the patch 🙂

These three addons fill some features I was personally missing while working with gdb. If you have any suggestions or code to add, feel free to share.

After all this bla bla bla, here is the code: gdbinit713

Have fun and a Happy 2009!
fG!

Update:
Grab version 7.1.4 here: gdbinit714

I think I fixed the Objective-C bug (I suspect it’s due to the fact that I was using the same $_byte1 variable, since I can’t reproduce it on Tiger) and added range support to the nop and null routines (thanks gln!)

Update 2:
Grab version 7.1.5 here: gdbinit715

The latest version can always be found here.

This one really works on Leopard (forgot I had a Leopard at hand to test! duh!!!).
The bug was really nice! I had an if/else construct where the else branch was empty! Gdb on Leopard doesn’t like such a thing 😉

22 thoughts on “More gdbinit addons!”

  1. Yo.

    Are you (or anybody else) experiencing crashes on OS X with this gdbinit? It works fine for me on Linux, but on OS X it makes gdb segfault (but only when I’m running with context-on). Any ideas? 🙂

  2. Hello,

    I’m using OS X 10.4.11 with Apple gdb 7.68 (GNU gdb 6.3.50-20050815 (Apple version gdb-696) (Sat Oct 20 18:16:54 GMT 2007)).
    What versions are you using ? What program are you trying to debug ? Can you paste the segfault ?

    Thx,
    fG!

  3. Hi again,

    Of course, I’m using OS X 10.5.6 with GNU gdb 6.3.50-20050815 (Apple version gdb-962).

    $ cat test.c
    #include
    int main(void) { return 0; }
    $ make test >/dev/null
    $ gdb -silent
    gdb$ exec-file test
    Reading symbols for shared libraries … done
    gdb$ break *0x00001ff5
    Breakpoint 1 at 0x1ff5
    gdb$ r
    Reading symbols for shared libraries …. done

    Breakpoint 1, 0x00001ff5 in main ()
    ————————————————————————–[regs]
    EAX: 00000000 EBX: BFFFFA58 ECX: BFFFF9F0 EDX: 00000000 o d I t s Z a P c
    ESI: 00000000 EDI: 00000000 EBP: BFFFF9C8 ESP: BFFFF9C8 EIP: 00001FF5
    CS: 0017 DS: 001F ES: 001F FS: 0000 GS: 0037 SS: 001F
    [001F:BFFFF9C8]———————————————————-[stack]
    BFFFFA18 : 88 FB FF BF 93 FB FF BF – A9 FB FF BF D4 FB FF BF …………….
    BFFFFA08 : F5 FA FF BF 00 FB FF BF – 3A FB FF BF 6F FB FF BF ……..:…o…
    BFFFF9F8 : 86 FA FF BF BF FA FF BF – DB FA FF BF E5 FA FF BF …………….
    BFFFF9E8 : 00 00 00 00 01 00 00 00 – 74 FA FF BF 00 00 00 00 ……..t…….
    BFFFF9D8 : F8 F9 FF BF 58 FA FF BF – 00 00 00 00 00 00 00 00 ….X………..
    BFFFF9C8 : E8 F9 FF BF C6 1F 00 00 – 01 00 00 00 F0 F9 FF BF …………….
    Segmentation fault
    $

    Quite annoying… But as I said before, if I use “context-off”, it works flawlessly; I’m guessing it crashes when displaying the disassembly.

  4. Yes, I’ve just tested.
    I’m using OS X 10.5.6 with GNU gdb 6.3.50-20050815 (Apple version gdb-768) (Tue Oct 2 04:07:49 UTC 2007)
    and I’m experiencing the same problem as gln.

    — beowulf

  5. For this same binary? I just tested and it gave me no problems. That breakpoint is where? start: or __start: ???

    Try to change this option to 0 in gdbinit: set $SHOWOBJECTIVEC = 0

  6. Hi again,

    “set $SHOWOBJECTIVEC = 0” does the trick for me, works like a charm. Thanks!
    Btw, here’s a modified version of the “nop” command which allows you to patch a series of bytes instead of just one. Hope it comes in handy, enjoy. 🙂
    —————————-8<—————————-
    define nop
        # argument count check: one address patches a single byte, two patch a range
        # (the comparison operators here were eaten by the blog's HTML filter)
        if ($argc < 1 || $argc > 2)
            help nop
        end

        if ($argc == 1)
            set *(unsigned char *)$arg0 = 0x90
        else
            # patch every byte from ADDR1 up to, but not including, ADDR2
            set $addr = $arg0
            while ($addr < $arg1)
                set *(unsigned char *)$addr = 0x90
                set $addr = $addr + 1
            end
        end
    end
    document nop
    Patch a single byte at address ADDR1, or a series of bytes between ADDR1 and
    ADDR2 to a nop (0x90) instruction.
    Usage: nop ADDR1 [ADDR2]
    end
    —————————-8<—————————-

  7. Can you try version 7.1.4 I just posted and see if the bug still happens ? I think it might be fixed in this new version 🙂

    Thanks for the code, just included it in this version.

  8. What’s the include you are using on that piece of code ? Stupid wordpress interpreted that as an html tag 🙂

    Can you mail me your binary to reverse AT put.as ?

  9. I still have the same problem if $SHOWOBJECTIVEC is set to 1. I tested it on many binaries (like B_l_o_g_o from d_r_i_n_k_b_r_a_i_n_j_u_i_c_e.. w/o underscores, of course), and it crashes when it reaches the 1st breakpoint or when you hit ^C. I haven’t much time now, but I’ll look into this soon…

    — beowulf

  10. Yeah it does crash! I remembered gf’s Mac is with Leopard! Very weird… I’m trying to debug why it is failing. With Tiger it gives no problem ehhehe

  11. Grab the new version 🙂 It’s working on Leopard.

    The bug was something like:
    if (condition)
        do something here
    else
    end

    Leaving the else empty makes gdb segfault! Crazyyyyyy…..!

  12. Hey,

    I didn’t know where to write this, so I’m putting it in the first news comment. I was wondering, do you guys have some form of IRC channel or forum where you can discuss/ask different types of things about RCE on MacOS? I have quite a few questions (mainly regarding remote debugging using IDA) and I would gladly discuss mac rce 🙂

    Cheers, and keep up the good work.

  13. Sorry for that question, but how do I use the gdbinit file??

    I put the .gdbinit file in my home folder but it doesn’t work.

    How to use it?
    gdb command?

  14. Hello,

    Just execute gdb without any parameters.
    Then you can attach to a process via PID or debug a new executable with the command “exec-file path_to_executable”.
    Set up a breakpoint where you want and start the program with the “run” command.
    “help user” displays the custom commands provided by this gdbinit.

    fG!

  15. Hi!
    I just tried version 7.1.5 on my OS X 10.5.5 and GNU gdb 6.3.50-20050815 (Apple version gdb-768)
    and whenever I try to Ctrl-C a running program it says something like this:

    Program received signal SIGINT, Interrupt.
    0x9242d4a6 in mach_msg_trap ()
    Error while running hook_stop:
    Invalid type combination in ordering comparison.

    This behavior happens regardless of the program being debugged.

    Also, whenever I type “context on” I get:

    ————————————————————————–[regs]
    EAX: 10004005 EBX: 91D849E7 ECX: BFFFE8BC EDX: 9242D4A6 o d I t s z a P c
    ESI: 00000000 EDI: 00000000 EBP: BFFFE8F8 ESP: BFFFE8BC EIP: 9242D4A6
    CS: 0007 DS: 001F ES: 001F FS: 0000 GS: 0037 SS: 001F
    [001F:BFFFE8BC]———————————————————-[stack]
    Invalid type combination in ordering comparison.

    Any suggestions? Please???
