Gdbinit v7.3

I was bored and decided to fix gdbinit to support 64bits binaries. I had tried it before but the solution was a piece of crap (not that this one is much better). I was testing the registers to see if the binary was 32 or 64bits. Now there is a default setting to 32bits (change it if you want to default to 64bits) and two commands, 32bits and 64bits to change between the two types of targets. If you have 32bits by default and debug a 64bits target, the first time gdb breaks you will get an error; just issue the 64bits command to change and you can issue the context command to get the correct display and continue your debug session. I remember I couldn’t find a better way to detect the type of binary inside gdbinit, since there’s no support for regex and all that kind of tools. If you have an elegant method feel free to tell me about or patch this version and send it back ๐Ÿ™‚

I have patched too the 64bits mode to have available the 32 and 16bits registers versions. The ObjectiveC messages display and the stepo command still need to be fixed to 64bits. The calls are different in 64bits so I need to rework that part. Everything else seems to be working; please report if not!

Can’t remember anything else to say about this one.
As usual, have fun!
fG!

Grab it here: gdbinit73 (SHA1(gdbinit73)= c4da85f3ba6e8cfa311fb63c2ab5d606df6b837c)

The latest version can always be found here.

25 thoughts on “Gdbinit v7.3

  1. “Onyx The Black Cat”—PLS…

    i tried to compile it myself…nogood…
    hope u get time publish it soon…

    cheers

    1. You can’t compile it since it needs modifications to the code to work on Snow Leopard.
      I will try to get it published asap hehehe

  2. hi fG!
    I don’t know how else to talk to you hence why i’m writing here, i hope you read it.

    I’m desperate to learn RE on macOSX and find your way of showing how its done by tutorials excellent. Following your SlidePad tutorial i learnt a fair bit but i don’t think my skill are up to scratch and i am desperate for more tutorial or a resource you can direct me to to learn more. I know there are “Crackme” tutorials out there but they’re mostly very old (not even intel mac) and i could hardly apply the skills on snowLeopard.

    My intention isn’t to become a cracker , i just find RE exciting . To me you’re like a god in mac RE field ,Please show me where i can learn more , something like your slidepad tutorials where everything is up-to-date and explanations on what to do with gdb , otool and class-dump are clear instead of assumed knowledge.

    1. Hello,
      There are some crackmes around and I might give a try at creating some tutorials for them.
      The problem today with OS X is the lack of crackmes.
      fG!

      1. Thank you for replying fG!

        I can’t wait to see a new tutorial written by you. Maybe a tutorial based on some new app of fair size that allows for teaching of varying techniques in RE would be a dream for someone like me who’s keen on learning but am struggling to find resources, It can’t come soon enough, mean time its back to SlidePad tutorial for me.

        1. just about anything that uses aquatic primes (you can tell usually if it accepts a license file) is weak to crack despite the level of security put into the framework

  3. hawkesays thanks for the crackme file, i hope it means new tutorials by fG! ๐Ÿ™‚

    may i also use this section to ask two questions?

    1) what do i do with the gdbinit file that seems to be popular amongst the folks here? is it useful? what does it do? How is it applied?

    2) what is the equivalent command line command for otx that can produces the same output as when done through otx itself, when i do “otool -vt …” the output is not as clean and readable as when done though otx , reason why i need it is because sometimes otx doesn’t recognize the programs i write in c saying “No mach-o file” even for something as simple as the “Hello world” in fG! tutorial, but command line otool has no problems with it.

    3) The reason to why the hexadecimal values i see on my machine have extra zeros is because i’m using a 64bit machine (snow leopard) where as the tutorials were written on 32bit?

    ie : fG!’s tutorial outout (shell$ vmmap -allSplitLibs 303 | grep xprogram
    __TEXT 00036000-00051000)

    compared to my out put(vmmap -allSplitLibs 1860 | grep xprogram
    __TEXT 0000000100243000-000000010024c000)

    or am i wrong?

    1. 1) Install gdbinit by copying it to your home dir as “.gdbinit”. It will give you a softice look, for example, disassembly output and registers info. Without it you must script yourself or do it by hand.
      2) I not sure about this but I think you have the otx command line tool in the otx install package. If not, download otx source and compile it. It will compile the command line version for you.
      3) Yes, Snow Leopard is 64bits and defaults to it if binary has it available. You should use the 32bits version since it’s easier for you to follow the tutorials and the code.

      1. Thanks for your answers fG!
        I’ve set the option via “Get info” to open in 32-bit mode making it easier to follow the tutorials so thanks for the hint.

        about the gdbinit file you’ve made , From what you’ve written it has some issues with snow leopard, would that effect me doing basic RE or is it just effecting the more complex scenarios you guys get into? In short, is it safe gdbinit safe to use for someone like me(newbie) on snow leopard?

        as for otx commandline tool, it tell me the same thing as the GUI otx, “otx: main is not a Mach-O file.” , main being the same “Hello world” code in C from your SlidePad tutorial!

        also can anyone get into CorruptFire.Com? I’ve been trying to get into the site to see what else is in there but it just times out.

        Lastly (fG! is probably going to IP block me soon with all these questions) when should one expect to see a new tutorial :)?

        1. You will need to download latest otx source and compile it. The problem is that the downloadable version doesn’t support 64bits and that’s the reason for the error.
          The latest version doesn’t have issues with Snow Leopard (just some minor stuff). It’s fine if you debug 32bits binaries.

  4. Thanks fG! i’ll look into that.

    also when you get a chance can you please look at this post (tinyurl.com/2cnb83d) i made about my problems trying to debug the “Hello world” program in gdb. I think the problem might be with the gdbinit (but what do i know so is possibly wrong). Thanks in advance

    1. It seems you are trying to debug the 64bits version with the 32bits settings in gdbinit. If you want to do that you need to change to 32bits ๐Ÿ™‚
      Check gdbinit header about how to do it (basically issue the command 32bit or modify the preferences in the script).

  5. Is it possible to debug 32-bit binaries in a 64-bit OS?
    If I set a file via exec-file and then run it, it’s the 64-bit binary that opens.

    It is very appreciated that you make tutorials for RE on the Mac. ๐Ÿ™‚
    The first one you made (I don’t think it exists on this site anymore) was very helpful in getting to know GDB.

    Thanks for sharing so much information ^^

    1. Sure! By default Snow Leopard will try to run the 64bit version if available. You can try to use the arch command to run the selected architecture.
      What I usually do is to lipo the original binary into a 32bit version only; I’m lazy!

      1. How exactly would I do it?
        Looking at the command arch, it looks like I can run the app directly as a 32-bit app but how can I debug it in gdb? (Without attaching into it, cause in that case it would be the same as Get Info ยป Open in 32-bit)

        arch -i386 gdb doesn’t open gdb in 32-bit.

        (I’ll probably end up creating 32-bit versions too but I would like to know how to do it the other way too :D)

        1. Try gdb -arch i386 binary. Gdb natively supports this option (just learnt a new trick ehehe).
          It seems that arch binary doesn’t like to be run inside gdb (well, it can but you probably have to edit a plist and add the binary).

Leave a Reply

Your email address will not be published. Required fields are marked *