Live editing code with gdb

I don't have much experience with gdb, so I'm not sure whether what I'm asking is possible, but is it possible to edit the code in real time using gdb?

On startup (after reaching a breakpoint), disas looks like this:

 0x080487d8 <+9>:  movl $0x80485e4,0x1c(%esp)
 0x080487e0 <+17>: movl $0x8048640,0x20(%esp)
 0x080487e8 <+25>: movl $0x804869c,0x24(%esp)
 0x080487f0 <+33>: movl $0x8048719,0x28(%esp)

In an attempt to change the address in one of these instructions, I did the following:

 set (*0x080487e1)=0x5b870408 

But instead of just changing the address, as I expected, the new disas looked like this:

 0x080487d8 <+9>:  movl $0x80485e4,0x1c(%esp)
 0x080487e0 <+17>: (bad)
 0x080487e1 <+18>: or %al,(%edi,%eax,4)
 0x080487e4 <+21>: pop %ebx
 0x080487e5 <+22>: xchg %al,(%eax,%ecx,1)
 0x080487e8 <+25>: movl $0x804869c,0x24(%esp)
 0x080487f0 <+33>: movl $0x8048719,0x28(%esp)

So, I have 3 questions: Is what I'm trying to do possible? If so, am I doing something wrong? If so, what am I doing wrong and how can I fix it?


Is what I'm trying to do possible?

Yes, you can modify the .text of the binary.

Note that this change will only affect the current execution; after run, your change will "evaporate" (if you want to permanently fix the binary, that is possible, but the procedure is different).

If so, am I doing something wrong?

Most likely. You didn't tell us what you are trying to change the instruction to.

If so, what am I doing wrong and how can I fix it?

Using (gdb) disas/r will show you the actual raw instruction bytes and will most likely make it obvious what you did wrong. When I use it, I see the following:

  0x080483ed <+9>: c7 44 24 1c d0 84 04 08 movl $0x80484d0,0x1c(%esp) 

That is, the address (which you apparently wanted to rewrite) for the instruction above [1] does not start at &instruction+1, it starts at &instruction+4. Also, you shouldn't swap the bytes yourself when you ask GDB to write a word (I assume you want the new address 0x0804875b, not 0x5b870408):

 (gdb) set *(0x080483ed+4)=0x01020304
 (gdb) disas
 Dump of assembler code for function main:
    0x080483e4 <+0>:  push %ebp
    0x080483e5 <+1>:  mov %esp,%ebp
    0x080483e7 <+3>:  and $0xfffffff0,%esp
    0x080483ea <+6>:  sub $0x20,%esp
 => 0x080483ed <+9>:  movl $0x1020304,0x1c(%esp)
    0x080483f5 <+17>: mov 0x1c(%esp),%eax
    0x080483f9 <+21>: mov %eax,(%esp)
    0x080483fc <+24>: call 0x8048318 <puts@plt>
    0x08048401 <+29>: mov $0x0,%eax
    0x08048406 <+34>: leave
    0x08048407 <+35>: ret

[1] It is very likely that your instruction:

 0x080487e0 <+17>: movl $0x8048640,0x20(%esp)

has the same encoding as my instruction:

 0x080483ed <+9>: movl $0x80484d0,0x1c(%esp)

since they are "the same" and have the same length of 8 bytes, but, as FrankH noted, there may be a different encoding of the same instruction. In any case, disas/r will show you everything you need to know.

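To make the encoding argument in the answer above concrete, here is an added example (not code from the original question or answer). It models the 8-byte "movl $imm32,disp8(%esp)" encoding that disas/r shows (c7 44 24 disp8 imm32, little-endian immediate), patches only the imm32 field at &instruction+4, and then repeats the question's write of a hand-swapped word at &instruction+1 to show why the bytes no longer decode as the original instruction. The sample bytes are the ones from the answer's disas/r output; the target address 0x0804875b is the one the answer infers from 0x5b870408.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encoding of "movl $imm32, disp8(%esp)" on 32-bit x86:
 *   C7 44 24 disp8 imm32
 * opcode C7 /0, ModRM 0x44 (mod=01, reg=/0, rm=100 -> SIB follows),
 * SIB 0x24 (base=%esp, no index), one displacement byte, then the
 * little-endian 32-bit immediate.  Total length: 8 bytes. */
#define MOVL_ESP_DISP8_LEN     8
#define MOVL_ESP_DISP8_IMM_OFF 4

/* Constructed sample: the instruction shown by disas/r in the answer,
 *   0x080483ed <+9>: c7 44 24 1c d0 84 04 08  movl $0x80484d0,0x1c(%esp) */
static const uint8_t sample_movl[MOVL_ESP_DISP8_LEN] = {
    0xc7, 0x44, 0x24, 0x1c, 0xd0, 0x84, 0x04, 0x08
};

/* Little-endian helpers: this is the byte order gdb uses when it stores a
 * 4-byte word into the inferior on x86, so the caller never swaps bytes. */
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Return 1 if the bytes at p start with the C7 44 24 prefix of
 * "movl $imm32, disp8(%esp)" and enough bytes are available. */
int is_movl_imm_esp_disp8(const uint8_t *p, size_t n) {
    return n >= MOVL_ESP_DISP8_LEN &&
           p[0] == 0xc7 && p[1] == 0x44 && p[2] == 0x24;
}

/* Read the immediate operand (the address the question wants to change). */
uint32_t movl_imm(const uint8_t *insn) {
    return get_le32(insn + MOVL_ESP_DISP8_IMM_OFF);
}

/* The correct patch: overwrite only the imm32 field at &insn+4, leaving
 * opcode, ModRM, SIB and disp8 untouched.  This is what the answer's
 *   (gdb) set *(0x080483ed+4)=...
 * does in the live process.  Returns 0 on success, -1 if the bytes are
 * not that encoding (so we never clobber some other instruction). */
int patch_movl_imm(uint8_t *insn, size_t n, uint32_t new_imm) {
    if (!is_movl_imm_esp_disp8(insn, n)) return -1;
    put_le32(insn + MOVL_ESP_DISP8_IMM_OFF, new_imm);
    return 0;
}

/* The question's write: a 4-byte word stored at &insn+1, with the bytes
 * already swapped by hand.  It lands on ModRM/SIB/disp8 and the first
 * immediate byte, and the hand-swap is undone by the little-endian store. */
void patch_like_question(uint8_t *insn, uint32_t word) {
    put_le32(insn + 1, word);
}

/* Worked case 1: patch the sample to point at 0x0804875b and return the
 * immediate read back from the patched bytes. */
uint32_t demo_correct_patch(uint8_t out[MOVL_ESP_DISP8_LEN]) {
    memcpy(out, sample_movl, MOVL_ESP_DISP8_LEN);
    if (patch_movl_imm(out, MOVL_ESP_DISP8_LEN, 0x0804875bu) != 0) return 0;
    return movl_imm(out);
}

/* Worked case 2: repeat the question's write on the sample and report
 * whether the result still decodes as movl $imm32,disp8(%esp). */
int demo_question_patch(uint8_t out[MOVL_ESP_DISP8_LEN]) {
    memcpy(out, sample_movl, MOVL_ESP_DISP8_LEN);
    patch_like_question(out, 0x5b870408u);
    return is_movl_imm_esp_disp8(out, MOVL_ESP_DISP8_LEN);
}

static void dump(const char *label, const uint8_t *p) {
    printf("%-18s", label);
    for (size_t i = 0; i < MOVL_ESP_DISP8_LEN; i++) printf(" %02x", p[i]);
    printf("\n");
}

int main(void) {
    uint8_t buf[MOVL_ESP_DISP8_LEN];
    dump("original:", sample_movl);
    printf("imm = 0x%08x -> 0x%08x\n", movl_imm(sample_movl), demo_correct_patch(buf));
    dump("patched at +4:", buf);
    printf("still movl? %d\n", demo_question_patch(buf));
    dump("written at +1:", buf);   /* c7 08 04 87 5b ... : the (bad) from the question */
    return 0;
}
```

Run it and compare the last line with the question's disassembly: after the write at +1 the stream begins c7 08 04 87 5b, which is exactly what gdb decoded as (bad), or %al,(%edi,%eax,4), pop %ebx. The equivalent live-patch command in gdb is the answer's set *(addr+4)=value with value written as a normal number, since gdb already stores it in the target's byte order.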

First, I have never used gdb to change the text of a program, as you seem to be doing.

You are changing the value at 0x080487e1, which is just ahead of your program counter. These values are machine code bytes, for example the encoding for movl $0x8048640,0x20(%esp).

What makes it even more complicated is that instructions have variable length, so if you corrupt one instruction the way you did, it changes the starting address of the next instruction, which means it will be interpreted as a different instruction. This is because you are writing into the middle of an instruction.

I'm not sure where you got 0x080487e1 from or what you are trying to do with it. If you want to change the address that movl uses as its first operand, you need to know what the encoding of the movl instruction looks like, and then replace only the part corresponding to the address value. But then you are stuck on how to get gdb to write only certain bytes (instructions are not even word-aligned). It sounds possible, but difficult.

You may be trying to change a jump to another address. You can do this by rewriting the jump (keep in mind that this will be a permanent change for the rest of that run of the program). But the same rules apply: you need to know the format and behavior of jumps.


Source: https://habr.com/ru/post/1398174/
