GDB

https://github.com/al13n321/nnd debugger

Reading Values from Memory

Read 32-bit words (64 of them, in hex):

gdb$ x/64wx 0x606000
0x606000 <path.4275+3360>: 0x00000000 0x00000000 0x00000000 0x00000000
0x606010 <path.4275+3376>: 0x00000000 0x00000000 0x00000000 0x00000000
0x606020 <path.4275+3392>: 0x00000000 0x00000000 0x00000000 0x00000000
0x606030 <path.4275+3408>: 0x00000000 0x00000000 0x00000000 0x00000000
0x606040 <path.4275+3424>: 0x00000000 0x00000000 0x00000000 0x00000000
0x606050 <path.4275+3440>: 0x00000000 0x00000000 0x00000000 0x00000000
0x606060 <path.4275+3456>: 0x00000000 0x00000000 0x00000000 0x00000000
0x606070 <path.4275+3472>: 0x00000000 0x00000000 0x00000000 0x00000000
0x606080 <path.4275+3488>: 0x00000000 0x00000000 0x00000000 0x00000000
0x606090 <path.4275+3504>: 0x00000000 0x00000000 0x00000000 0x00000000
0x6060a0 <path.4275+3520>: 0x00000000 0x00000000 0x00000000 0x00000000
0x6060b0 <path.4275+3536>: 0x00000000 0x00000000 0x00000000 0x00000000
0x6060c0 <path.4275+3552>: 0x00000000 0x00000000 0x00000000 0x00000000
0x6060d0 <path.4275+3568>: 0x00000000 0x00000000 0x00000000 0x00000000
0x6060e0 <path.4275+3584>: 0x00000000 0x00000000 0x00000000 0x00000000
0x6060f0 <path.4275+3600>: 0x00000000 0x00000000 0x00000000 0x00000000

Read 64-bit giant words (20 of them, in hex), starting just below the stack pointer:

gef➤ x/20gx $rsp-0x8
0x7ffd6864d4d8: 0x0000000000401062 0x0000000000401001
0x7ffd6864d4e8: 0x00007ffd6864f1c7 0x00007ffd6864f1e4
0x7ffd6864d4f8: 0x0000000000000000 0x00007ffd6864f1ec
0x7ffd6864d508: 0x00007ffd6864f220 0x00007ffd6864f238
0x7ffd6864d518: 0x00007ffd6864f24b 0x00007ffd6864f264
0x7ffd6864d528: 0x00007ffd6864f26c 0x00007ffd6864f27c
0x7ffd6864d538: 0x00007ffd6864f299 0x00007ffd6864f2b0
0x7ffd6864d548: 0x00007ffd6864f2d6 0x00007ffd6864f2e5
0x7ffd6864d558: 0x00007ffd6864f2f9 0x00007ffd6864f304
0x7ffd6864d568: 0x00007ffd6864f33e 0x00007ffd6864f367

Read NUL-terminated strings from the stack:

gef➤ x/5s $rsp -0x8
0x7fffffffde38: "8Af9Ag0Ag1Ag2Ag3\272\341\377\377\377\177"
0x7fffffffde4f: ""
0x7fffffffde50: ""
0x7fffffffde51: ""
0x7fffffffde52: ""

Useful GEF Commands

In the permissions column, an s means shared memory and a p means private memory.
MAP_SHARED allows any other process that has the same memory mapped to access the data.
MAP_PRIVATE creates a private copy-on-write mapping, so any other process that has the same memory mapped cannot see the data written to it.

View the mapped memory segments (the heap, the stack, and the program's own code):

gef➤ vmmap
Start      End        Offset     Perm Path
0x00400000 0x00401000 0x00000000 r-x /home/user/challenges-day1/challenge1
0x00410000 0x00411000 0x00000000 r-x /home/user/challenges-day1/challenge1
0x00411000 0x00412000 0x00001000 rwx /home/user/challenges-day1/challenge1
0xb6ede000 0xb6fc0000 0x00000000 r-x /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6fc0000 0xb6fd0000 0x000e2000 --- /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6fd0000 0xb6fd2000 0x000e2000 r-x /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6fd2000 0xb6fd3000 0x000e4000 rwx /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6fd3000 0xb6fd6000 0x00000000 rwx
0xb6fd6000 0xb6fee000 0x00000000 r-x /lib/arm-linux-gnueabihf/ld-2.27.so
0xb6ff9000 0xb6ffb000 0x00000000 rwx
0xb6ffb000 0xb6ffc000 0x00000000 r-x [sigpage]
0xb6ffc000 0xb6ffd000 0x00000000 r-- [vvar]
0xb6ffd000 0xb6ffe000 0x00000000 r-x [vdso]
0xb6ffe000 0xb6fff000 0x00018000 r-x /lib/arm-linux-gnueabihf/ld-2.27.so
0xb6fff000 0xb7000000 0x00019000 rwx /lib/arm-linux-gnueabihf/ld-2.27.so
0xbefdf000 0xbf000000 0x00000000 rwx [stack]
0xffff0000 0xffff1000 0x00000000 r-x [vectors]
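The Perm column is where a missing NX policy shows up: in the session above the binary's data page, a libc page and the stack are all rwx. As an added example (not part of the original notes), the script below parses GEF vmmap rows, embedded here as a constructed subset of that session, and returns the mappings that are both writable and executable; a trailing s/p flag in /proc/<pid>/maps style is accepted as well.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the GEF `vmmap` session above, embedded so
# the script runs offline without a live debugger.
VMMAP_SAMPLE = """\
Start      End        Offset     Perm Path
0x00400000 0x00401000 0x00000000 r-x /home/user/challenges-day1/challenge1
0x00411000 0x00412000 0x00001000 rwx /home/user/challenges-day1/challenge1
0xb6fd2000 0xb6fd3000 0x000e4000 rwx /lib/arm-linux-gnueabihf/libc-2.27.so
0xb6ffc000 0xb6ffd000 0x00000000 r-- [vvar]
0xbefdf000 0xbf000000 0x00000000 rwx [stack]
0xffff0000 0xffff1000 0x00000000 r-x [vectors]
"""

# start, end, offset, perm (rwx plus optional s/p), optional path
ROW = re.compile(
    r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([rwx-]{3}[sp]?)\s*(.*)$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perm: str
    path: str

    @property
    def writable_and_executable(self) -> bool:
        return "w" in self.perm and "x" in self.perm


def parse_vmmap(text: str) -> list:
    """Parse vmmap-style rows; the header and non-matching lines are skipped."""
    maps = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        start, end, _offset, perm, path = m.groups()
        maps.append(Mapping(int(start, 16), int(end, 16), perm, path or "<anonymous>"))
    return maps


def wx_regions(text: str) -> list:
    """Mappings that are both writable and executable, i.e. not covered by NX."""
    return [m for m in parse_vmmap(text) if m.writable_and_executable]


if __name__ == "__main__":
    for m in wx_regions(VMMAP_SAMPLE):
        print(f"W+X: {m.start:#010x}-{m.end:#010x} {m.perm} {m.path}")
```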

Run a command every time the debugger stops (for example after a breakpoint is reached):

gdb$ define hook-stop
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/64wx 0x606000
>end

Define a convenience variable with a cast type and dereference it:

gdb$ set $i1 = (struct internet*) 0x606000
gdb$ print *$i1
$2 = {piroity = 1, name = 0x0}

Set a watchpoint that triggers on a read of a memory address:

gdb$ rwatch *0xfeedface
Hardware read watchpoint 2: *0xfeedface

Set a watchpoint that triggers on a read or write of a memory address (awatch; a plain watch only triggers when the value changes):

gdb$ awatch *0xfeedface

Disable ASLR:

gef➤ aslr off
[+] Disabling ASLR

Figure out what is at an address anywhere in memory (telescope follows pointer chains and annotates strings, registers and code):

gef➤ telescope 0x7ffe48142898
0x00007ffe48142898│+0x0000: 0x00007ffe4814293f → 0x0000000040103c00 ← $rsi
0x00007ffe481428a0│+0x0008: 0x0000000000000000
0x00007ffe481428a8│+0x0010: 0x00007ffe48142979 → 0x5900007ffe481432
0x00007ffe481428b0│+0x0018: 0x00007ffe48142940 → 0x000000000040103c → add rbp, rbx
0x00007ffe481428b8│+0x0020: 0x0000000000000000
0x00007ffe481428c0│+0x0028: 0xfffffffffffffff8
0x00007ffe481428c8│+0x0030: 0x0068732f6e69622f ("/bin/sh"?)
0x00007ffe481428d0│+0x0038: 0x000000000000003b (";"?)
0x00007ffe481428d8│+0x0040: "qaaaraaasaaataaauaaavaaawaaaxaaayaaazaabbaabcaabda[...]"
0x00007ffe481428e0│+0x0048: "saaataaauaaavaaawaaaxaaayaaazaabbaabcaabdaabeaabfa[...]"

PwnDbg

https://github.com/pwndbg/pwndbg