Making gdb More Useful For Reversing

Unless you're using something like DDD or Gdbinit, vanilla gdb is pretty hard to work with when reversing binaries.

The following is a set of display commands that gdb re-evaluates after every 'step'; put them in a file called gdb.cmd somewhere under ~/:

# cat ~/gdb.cmd 
set disassembly-flavor intel
display/10i $eip
display/x $eax
display/x $ebx
display/x $ecx
display/x $edx
display/x $edi
display/x $esi
display/x $ebp
display/16xw $esp
break main

Now load that file with gdb's -x command-line parameter; running the program with start
or run will show the following:

# gdb bomb -x ~/gdb.cmd
GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
...
Reading symbols from bomb...done.
Breakpoint 1 at 0x80489b7: file bomb.c, line 36.
(gdb) r
Starting program: /root/bomb 

Breakpoint 1, main (argc=1, argv=0xf7faf000) at bomb.c:36
36	bomb.c: No such file or directory.
9: x/16xw $esp
0xffffd440:	0xf7faf000	0xf7ffd000	0xf7ffd938	0xffffd458
0xffffd450:	0x0804870a	0xf7faf000	0x00000000	0xf7e22a63
0xffffd460:	0x00000001	0xffffd4f4	0xffffd4fc	0xf7feac7a
0xffffd470:	0x00000001	0xffffd4f4	0xffffd494	0x0804b55c
8: /x $ebp = 0xffffd458
7: /x $esi = 0x0
6: /x $edi = 0x0
5: /x $edx = 0xffffd484
4: /x $ecx = 0x85f15fd7
3: /x $ebx = 0xf7faf000
2: /x $eax = 0x1
1: x/10i $eip
=> 0x80489b7 <main+7>:	mov    eax,DWORD PTR [ebp+0x8]
   0x80489ba <main+10>:	mov    ebx,DWORD PTR [ebp+0xc]
   0x80489bd <main+13>:	cmp    eax,0x1
   0x80489c0 <main+16>:	jne    0x80489d0 <main+32>
   0x80489c2 <main+18>:	mov    eax,ds:0x804b648
   0x80489c7 <main+23>:	mov    ds:0x804b664,eax
   0x80489cc <main+28>:	jmp    0x8048a30 <main+128>
   0x80489ce <main+30>:	mov    esi,esi
   0x80489d0 <main+32>:	cmp    eax,0x2
   0x80489d3 <main+35>:	jne    0x8048a10 <main+96>
(gdb) 

I prefer Intel syntax, but you can set the flavor to att on line 1 of gdb.cmd.
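The command file above is hard-wired to 32-bit register names, so it breaks on an x86-64 binary. As an added example (not from the original post), here is a variant that uses gdb's architecture-neutral $pc and $sp and picks the register set from the target's pointer size, so one file serves both 32- and 64-bit x86 targets; the file name ~/gdb.cmd is assumed.

```gdb
# ~/gdb.cmd (assumed name): one command file for 32- and 64-bit x86 targets
set disassembly-flavor intel
# keep the per-step dump from stopping at a --More-- prompt
set pagination off

# $pc and $sp resolve to eip/esp or rip/rsp depending on the target
display/10i $pc

# gdb evaluates sizeof(void*) against the loaded executable, so this
# branch is decided before the program is started
if sizeof(void*) == 8
  # 64-bit: dump the stack as giant words and the SysV argument registers
  display/8xg $sp
  display/x $rax
  display/x $rbx
  display/x $rcx
  display/x $rdx
  # rdi, rsi, rdx, rcx, r8, r9 carry the first six integer arguments
  display/x $rsi
  display/x $rdi
  display/x $r8
  display/x $r9
  display/x $rbp
else
  # 32-bit: same layout as the original file
  display/16xw $esp
  display/x $eax
  display/x $ebx
  display/x $ecx
  display/x $edx
  display/x $edi
  display/x $esi
  display/x $ebp
end

break main
```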