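Analysis of the Stack During GDB Assembly-Level Debugging

Debugging the Assembly Stack with GDB

Preparation

· Command-line build tools:

·         To build 32-bit binaries on 64-bit Linux, one library has to be installed first, using the command sudo apt-get install libc6-dev-i386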

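Analysis

·         1. Compile the code to be disassembled: gcc -g test.c -o test -m32

·         2. Start the debugger: gdb test

·         3. Set a breakpoint. The goal here is analysis rather than bug hunting, so the breakpoint goes on the main function.

·         4. Start execution under gdb with r(un). To see the assembly code at this point, use the command disassemble.

·         5. The register values can now be inspected with i(nfo) r(egisters). The output has three columns:

·         Column 1: register name

·         Column 2: register address

·         Column 3: value stored in the register

·         6. Combine the display command with a register or the pc internal variable by setting display /i $pc. From then on, every time the next assembly instruction is stepped, the current instruction is displayed. The steps below show how %esp, %ebp and the stack contents change at each step: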

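Walkthrough (the instruction shown in each screenshot is actually the one about to be executed)

· Initial state

· push $0x1

· call 0x804840d    call invokes f (0x804840d)

· push %ebp    f starts executing and sets up its frame pointer: the previous function's base address is pushed onto the stack, and the current %esp becomes the new base

· mov %esp,%ebp    allocates stack space in preparation for passing arguments

· pushl 0x8(%ebp)    stores the 8 from %esp onto the stack

· call 0x80483db    call invokes g (0x80483db)

· push %ebp    initializes the stack pointer

· mov %esp,%ebp    allocates stack space

· mov 0x8(%ebp),%eax    stores 8 onto the stack

· pop %ebp    %ebp is popped before the function ends

· ret    returns to the call site, ending the function

· add $0x4,%esp    adds the immediate value 4 to %esp

· leave    prepares the stack for the return

· ret    returns to the call site, ending the function

· add $0x4,%esp    adds the immediate value 4 to %esp

· add $0x1,%eax    adds the immediate value 1 to %eax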

 

 

The complete debugging session follows:

jclemo@ubuntu:~/Desktop/GDB_test$ gcc -g test.c -o test -m32
jclemo@ubuntu:~/Desktop/GDB_test$ ls
test  test.c
jclemo@ubuntu:~/Desktop/GDB_test$ gdb test
GNU gdb (Ubuntu 7.11-0ubuntu1) 7.11
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from test...done.
(gdb) b test.c:main
Breakpoint 1 at 0x804840b: file test.c, line 19.
(gdb) run
Starting program: /home/jclemo/Desktop/GDB_test/test

Breakpoint 1, main () at test.c:19
19  return f(8) + addend3;
(gdb) disassemble
Dump of assembler code for function main:
   0x08048408 <+0>: push   %ebp
   0x08048409 <+1>: mov    %esp,%ebp
=> 0x0804840b <+3>: push   $0x8
   0x0804840d <+5>: call   0x80483ef <f>
   0x08048412 <+10>: add    $0x4,%esp
   0x08048415 <+13>: mov    $0x3,%edx
   0x0804841a <+18>: add    %edx,%eax
   0x0804841c <+20>: leave 
   0x0804841d <+21>: ret   
End of assembler dump.
(gdb) i r
eax            0xf7fbbdbc -134496836
ecx            0xaed89f2 183339506
edx            0xffffd0b4 -12108
ebx            0x0 0
esp            0xffffd088 0xffffd088
ebp            0xffffd088 0xffffd088
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x804840b 0x804840b <main+3>
eflags         0x296 [ PF AF SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x 0xffffd088
0xffffd088: 0x00000000
(gdb) display /i $pc
1: x/i $pc
=> 0x804840b <main+3>: push   $0x8
(gdb) si
0x0804840d 19  return f(8) + addend3;
1: x/i $pc
=> 0x804840d <main+5>: call   0x80483ef <f>
(gdb) i r
eax            0xf7fbbdbc -134496836
ecx            0xaed89f2 183339506
edx            0xffffd0b4 -12108
ebx            0x0 0
esp            0xffffd084 0xffffd084
ebp            0xffffd088 0xffffd088
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x804840d 0x804840d <main+5>
eflags         0x296 [ PF AF SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /2a 0xffffd084
0xffffd084: 0x8 0x0
(gdb) si
f (x=8) at test.c:13
13 {
1: x/i $pc
=> 0x80483ef <f>: push   %ebp
(gdb) i r
eax            0xf7fbbdbc -134496836
ecx            0xaed89f2 183339506
edx            0xffffd0b4 -12108
ebx            0x0 0
esp            0xffffd080 0xffffd080
ebp            0xffffd088 0xffffd088
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483ef 0x80483ef <f>
eflags         0x296 [ PF AF SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /3a 0xffffd080
0xffffd080: 0x8048412 <main+10> 0x8 0x0
(gdb) si
0x080483f0 13 {
1: x/i $pc
=> 0x80483f0 <f+1>: mov    %esp,%ebp
(gdb) i r
eax            0xf7fbbdbc -134496836
ecx            0xaed89f2 183339506
edx            0xffffd0b4 -12108
ebx            0x0 0
esp            0xffffd07c 0xffffd07c
ebp            0xffffd088 0xffffd088
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483f0 0x80483f0 <f+1>
eflags         0x296 [ PF AF SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /4a 0xffffd07c
0xffffd07c: 0xffffd088 0x8048412 <main+10> 0x8 0x0
(gdb) si
14  return g(x + addend2);
1: x/i $pc
=> 0x80483f2 <f+3>: mov    0x804a01c,%edx
(gdb) i r
eax            0xf7fbbdbc -134496836
ecx            0xaed89f2 183339506
edx            0xffffd0b4 -12108
ebx            0x0 0
esp            0xffffd07c 0xffffd07c
ebp            0xffffd07c 0xffffd07c
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483f2 0x80483f2 <f+3>
eflags         0x296 [ PF AF SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd07c
0xffffd07c: 0xffffd088 0x8048412 <main+10> 0x8 0x0
0xffffd08c: 0xf7e22637
(gdb) si
0x080483f8 14  return g(x + addend2);
1: x/i $pc
=> 0x80483f8 <f+9>: mov    0x8(%ebp),%eax
(gdb) i r
eax            0xf7fbbdbc -134496836
ecx            0xaed89f2 183339506
edx            0x2 2
ebx            0x0 0
esp            0xffffd07c 0xffffd07c
ebp            0xffffd07c 0xffffd07c
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483f8 0x80483f8 <f+9>
eflags         0x296 [ PF AF SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /6a 0xffffd07c
0xffffd07c: 0xffffd088 0x8048412 <main+10> 0x8 0x0
0xffffd08c: 0xf7e22637 0x1
(gdb) si
0x080483fb 14  return g(x + addend2);
1: x/i $pc
=> 0x80483fb <f+12>: add    %edx,%eax
(gdb) i r
eax            0x8 8
ecx            0xaed89f2 183339506
edx            0x2 2
ebx            0x0 0
esp            0xffffd07c 0xffffd07c
ebp            0xffffd07c 0xffffd07c
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483fb 0x80483fb <f+12>
eflags         0x296 [ PF AF SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x/5a 0xffffd07c
0xffffd07c: 0xffffd088 0x8048412 <main+10> 0x8 0x0
0xffffd08c: 0xf7e22637
(gdb) si
0x080483fd 14  return g(x + addend2);
1: x/i $pc
=> 0x80483fd <f+14>: push   %eax
(gdb) i r
eax            0xa 10
ecx            0xaed89f2 183339506
edx            0x2 2
ebx            0x0 0
esp            0xffffd07c 0xffffd07c
ebp            0xffffd07c 0xffffd07c
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483fd 0x80483fd <f+14>
eflags         0x206 [ PF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd07c
0xffffd07c: 0xffffd088 0x8048412 <main+10> 0x8 0x0
0xffffd08c: 0xf7e22637
(gdb) si
0x080483fe 14  return g(x + addend2);
1: x/i $pc
=> 0x80483fe <f+15>: call   0x80483db <g>
(gdb) i r
eax            0xa 10
ecx            0xaed89f2 183339506
edx            0x2 2
ebx            0x0 0
esp            0xffffd078 0xffffd078
ebp            0xffffd07c 0xffffd07c
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483fe 0x80483fe <f+15>
eflags         0x206 [ PF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd078
0xffffd078: 0xa 0xffffd088 0x8048412 <main+10> 0x8
0xffffd088: 0x0
(gdb) si
g (x=10) at test.c:8
8 {
1: x/i $pc
=> 0x80483db <g>: push   %ebp
(gdb) i r
eax            0xa 10
ecx            0xaed89f2 183339506
edx            0x2 2
ebx            0x0 0
esp            0xffffd074 0xffffd074
ebp            0xffffd07c 0xffffd07c
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483db 0x80483db <g>
eflags         0x206 [ PF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd074
0xffffd074: 0x8048403 <f+20> 0xa 0xffffd088 0x8048412 <main+10>
0xffffd084: 0x8
(gdb) si
0x080483dc 8 {
1: x/i $pc
=> 0x80483dc <g+1>: mov    %esp,%ebp
(gdb) i r
eax            0xa 10
ecx            0xaed89f2 183339506
edx            0x2 2
ebx            0x0 0
esp            0xffffd070 0xffffd070
ebp            0xffffd07c 0xffffd07c
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483dc 0x80483dc <g+1>
eflags         0x206 [ PF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd070
0xffffd070: 0xffffd07c 0x8048403 <f+20> 0xa 0xffffd088
0xffffd080: 0x8048412 <main+10>
(gdb) si
9  return x + addend1;
1: x/i $pc
=> 0x80483de <g+3>: movzwl 0x804a018,%eax
(gdb) i r
eax            0xa 10
ecx            0xaed89f2 183339506
edx            0x2 2
ebx            0x0 0
esp            0xffffd070 0xffffd070
ebp            0xffffd070 0xffffd070
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483de 0x80483de <g+3>
eflags         0x206 [ PF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd070
0xffffd070: 0xffffd07c 0x8048403 <f+20> 0xa 0xffffd088
0xffffd080: 0x8048412 <main+10>
(gdb) si
0x080483e5 9  return x + addend1;
1: x/i $pc
=> 0x80483e5 <g+10>: movswl %ax,%edx
(gdb) i r
eax            0x1 1
ecx            0xaed89f2 183339506
edx            0x2 2
ebx            0x0 0
esp            0xffffd070 0xffffd070
ebp            0xffffd070 0xffffd070
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483e5 0x80483e5 <g+10>
eflags         0x206 [ PF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd070
0xffffd070: 0xffffd07c 0x8048403 <f+20> 0xa 0xffffd088
0xffffd080: 0x8048412 <main+10>
(gdb) si
0x080483e8 9  return x + addend1;
1: x/i $pc
=> 0x80483e8 <g+13>: mov    0x8(%ebp),%eax
(gdb) i r
eax            0x1 1
ecx            0xaed89f2 183339506
edx            0x1 1
ebx            0x0 0
esp            0xffffd070 0xffffd070
ebp            0xffffd070 0xffffd070
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483e8 0x80483e8 <g+13>
eflags         0x206 [ PF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd070
0xffffd070: 0xffffd07c 0x8048403 <f+20> 0xa 0xffffd088
0xffffd080: 0x8048412 <main+10>
(gdb) si
0x080483eb 9  return x + addend1;
1: x/i $pc
=> 0x80483eb <g+16>: add    %edx,%eax
(gdb) i r
eax            0xa 10
ecx            0xaed89f2 183339506
edx            0x1 1
ebx            0x0 0
esp            0xffffd070 0xffffd070
ebp            0xffffd070 0xffffd070
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483eb 0x80483eb <g+16>
eflags         0x206 [ PF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd070
0xffffd070: 0xffffd07c 0x8048403 <f+20> 0xa 0xffffd088
0xffffd080: 0x8048412 <main+10>
(gdb) si
10 } 
1: x/i $pc
=> 0x80483ed <g+18>: pop    %ebp
(gdb) i r
eax            0xb 11
ecx            0xaed89f2 183339506
edx            0x1 1
ebx            0x0 0
esp            0xffffd070 0xffffd070
ebp            0xffffd070 0xffffd070
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483ed 0x80483ed <g+18>
eflags         0x202 [ IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd070
0xffffd070: 0xffffd07c 0x8048403 <f+20> 0xa 0xffffd088
0xffffd080: 0x8048412 <main+10>
(gdb) si
0x080483ee 10 } 
1: x/i $pc
=> 0x80483ee <g+19>: ret   
(gdb) i r
eax            0xb 11
ecx            0xaed89f2 183339506
edx            0x1 1
ebx            0x0 0
esp            0xffffd074 0xffffd074
ebp            0xffffd07c 0xffffd07c
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x80483ee 0x80483ee <g+19>
eflags         0x202 [ IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd074
0xffffd074: 0x8048403 <f+20> 0xa 0xffffd088 0x8048412 <main+10>
0xffffd084: 0x8
(gdb) si
0x08048403 in f (x=8) at test.c:14
14  return g(x + addend2);
1: x/i $pc
=> 0x8048403 <f+20>: add    $0x4,%esp
(gdb) i r
eax            0xb 11
ecx            0xaed89f2 183339506
edx            0x1 1
ebx            0x0 0
esp            0xffffd078 0xffffd078
ebp            0xffffd07c 0xffffd07c
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x8048403 0x8048403 <f+20>
eflags         0x202 [ IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd078
0xffffd078: 0xa 0xffffd088 0x8048412 <main+10> 0x8
0xffffd088: 0x0
(gdb) si
15 }
1: x/i $pc
=> 0x8048406 <f+23>: leave 
(gdb) i r
eax            0xb 11
ecx            0xaed89f2 183339506
edx            0x1 1
ebx            0x0 0
esp            0xffffd07c 0xffffd07c
ebp            0xffffd07c 0xffffd07c
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x8048406 0x8048406 <f+23>
eflags         0x282 [ SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd07c
0xffffd07c: 0xffffd088 0x8048412 <main+10> 0x8 0x0
0xffffd08c: 0xf7e22637
(gdb) si
0x08048407 15 }
1: x/i $pc
=> 0x8048407 <f+24>: ret   
(gdb) i r
eax            0xb 11
ecx            0xaed89f2 183339506
edx            0x1 1
ebx            0x0 0
esp            0xffffd080 0xffffd080
ebp            0xffffd088 0xffffd088
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x8048407 0x8048407 <f+24>
eflags         0x282 [ SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd080
0xffffd080: 0x8048412 <main+10> 0x8 0x0 0xf7e22637
0xffffd090: 0x1
(gdb) si
0x08048412 in main () at test.c:19
19  return f(8) + addend3;
1: x/i $pc
=> 0x8048412 <main+10>: add    $0x4,%esp
(gdb) i r
eax            0xb 11
ecx            0xaed89f2 183339506
edx            0x1 1
ebx            0x0 0
esp            0xffffd084 0xffffd084
ebp            0xffffd088 0xffffd088
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x8048412 0x8048412 <main+10>
eflags         0x282 [ SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd084
0xffffd084: 0x8 0x0 0xf7e22637 0x1
0xffffd094: 0xffffd124
(gdb) si
0x08048415 19  return f(8) + addend3;
1: x/i $pc
=> 0x8048415 <main+13>: mov    $0x3,%edx
(gdb) i r
eax            0xb 11
ecx            0xaed89f2 183339506
edx            0x1 1
ebx            0x0 0
esp            0xffffd088 0xffffd088
ebp            0xffffd088 0xffffd088
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x8048415 0x8048415 <main+13>
eflags         0x286 [ PF SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd088
0xffffd088: 0x0 0xf7e22637 0x1 0xffffd124
0xffffd098: 0xffffd12c
(gdb) si
0x0804841a 19  return f(8) + addend3;
1: x/i $pc
=> 0x804841a <main+18>: add    %edx,%eax
(gdb) i r
eax            0xb 11
ecx            0xaed89f2 183339506
edx            0x3 3
ebx            0x0 0
esp            0xffffd088 0xffffd088
ebp            0xffffd088 0xffffd088
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x804841a 0x804841a <main+18>
eflags         0x286 [ PF SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd088
0xffffd088: 0x0 0xf7e22637 0x1 0xffffd124
0xffffd098: 0xffffd12c
(gdb) si
20 }
1: x/i $pc
=> 0x804841c <main+20>: leave 
(gdb) i r
eax            0xe 14
ecx            0xaed89f2 183339506
edx            0x3 3
ebx            0x0 0
esp            0xffffd088 0xffffd088
ebp            0xffffd088 0xffffd088
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x804841c 0x804841c <main+20>
eflags         0x202 [ IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd088
0xffffd088: 0x0 0xf7e22637 0x1 0xffffd124
0xffffd098: 0xffffd12c
(gdb) si
0x0804841d 20 }
1: x/i $pc
=> 0x804841d <main+21>: ret   
(gdb) i r
eax            0xe 14
ecx            0xaed89f2 183339506
edx            0x3 3
ebx            0x0 0
esp            0xffffd08c 0xffffd08c
ebp            0x0 0x0
esi            0xf7fba000 -134504448
edi            0xf7fba000 -134504448
eip            0x804841d 0x804841d <main+21>
eflags         0x202 [ IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0 0
gs             0x63 99
(gdb) x /5a 0xffffd08c
0xffffd08c: 0xf7e22637 0x1 0xffffd124 0xffffd12c
0xffffd09c: 0x0
(gdb) si
0xf7e22637 in __libc_start_main () from /lib32/libc.so.6
1: x/i $pc
=> 0xf7e22637 <__libc_start_main+247>: add    $0x10,%esp
(gdb)
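
Added example (not part of the original post): a small C model of a 32-bit, downward-growing stack that replays the instructions stepped through in the session above and reproduces its %esp, %ebp and stack values, making the frame layout explicit (saved %ebp at 0(%ebp), return address at 4(%ebp), first argument at 8(%ebp)). The cpu_t model, its helper names and STACK_TOP are constructed for illustration; the addresses and the values 1, 2 and 3 are taken from the session output.

```c
#include <stdint.h>
#include <stdio.h>

#define STACK_TOP 0xffffd0a0u /* constructed bound just above the session's stack addresses */

typedef struct {
    uint32_t esp, ebp, eax, edx, eip;
    uint32_t mem[16];         /* mem[i] models the 32-bit word at STACK_TOP - 4*(i+1) */
} cpu_t;

static uint32_t *slot(cpu_t *c, uint32_t a) { return &c->mem[(STACK_TOP - a) / 4 - 1]; }
static void push(cpu_t *c, uint32_t v) { c->esp -= 4; *slot(c, c->esp) = v; }
static uint32_t pop(cpu_t *c) { uint32_t v = *slot(c, c->esp); c->esp += 4; return v; }
static void call(cpu_t *c, uint32_t target, uint32_t next) { push(c, next); c->eip = target; }
static void ret(cpu_t *c) { c->eip = pop(c); }
static void leave(cpu_t *c) { c->esp = c->ebp; c->ebp = pop(c); }

/* Replays main+3 .. main+21 from the session; *in_g receives the state after g's prologue. */
uint32_t replay(cpu_t *c, cpu_t *in_g) {
    c->esp = c->ebp = 0xffffd088u;          /* registers at the breakpoint */
    *slot(c, 0xffffd088u) = 0;              /* saved %ebp of main's caller */
    *slot(c, 0xffffd08cu) = 0xf7e22637u;    /* return address into __libc_start_main */
    push(c, 8);                             /* main+3   push $0x8 */
    call(c, 0x80483efu, 0x8048412u);        /* main+5   call f */
    push(c, c->ebp);                        /* f+0      push %ebp */
    c->ebp = c->esp;                        /* f+1      mov %esp,%ebp */
    c->edx = 2;                             /* f+3      mov 0x804a01c,%edx (global holds 2) */
    c->eax = *slot(c, c->ebp + 8);          /* f+9      mov 0x8(%ebp),%eax */
    c->eax += c->edx;                       /* f+12     add %edx,%eax */
    push(c, c->eax);                        /* f+14     push %eax */
    call(c, 0x80483dbu, 0x8048403u);        /* f+15     call g */
    push(c, c->ebp);                        /* g+0      push %ebp */
    c->ebp = c->esp;                        /* g+1      mov %esp,%ebp */
    *in_g = *c;                             /* snapshot: g's frame is fully set up */
    c->eax = 1;                             /* g+3      movzwl 0x804a018,%eax (global holds 1) */
    c->edx = (uint32_t)(int32_t)(int16_t)c->eax; /* g+10 movswl %ax,%edx */
    c->eax = *slot(c, c->ebp + 8);          /* g+13     mov 0x8(%ebp),%eax */
    c->eax += c->edx;                       /* g+16     add %edx,%eax */
    c->ebp = pop(c);                        /* g+18     pop %ebp */
    ret(c);                                 /* g+19     ret */
    c->esp += 4;                            /* f+20     add $0x4,%esp */
    leave(c);                               /* f+23     leave */
    ret(c);                                 /* f+24     ret */
    c->esp += 4;                            /* main+10  add $0x4,%esp */
    c->edx = 3;                             /* main+13  mov $0x3,%edx */
    c->eax += c->edx;                       /* main+18  add %edx,%eax */
    leave(c);                               /* main+20  leave */
    ret(c);                                 /* main+21  ret */
    return c->eax;
}

int main(void) {
    cpu_t c = {0}, g = {0};
    uint32_t r = replay(&c, &g);
    printf("in g: ebp=%#x saved_ebp=%#x ret=%#x arg=%u\n", g.ebp,
           *slot(&g, g.ebp), *slot(&g, g.ebp + 4), *slot(&g, g.ebp + 8));
    printf("result=%u, main returns to %#x\n", r, c.eip);
    return 0;
}
```

The snapshot taken inside g matches the `x /5a 0xffffd070` output in the session, and the final register state matches the last `i r` before control returns to __libc_start_main.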

Reposted from: https://www.cnblogs.com/Jclemo/p/6138069.html
