gdb -q a.out
ctrl-x a
Enters the TUI mode. The top pane shows the source. If what you want is the disassembly instead, then:
layout asm
If you would also like a view of the registers then:
tui reg general
* ecx = esp + 4 <-- this points at the arguments of the main function on the stack
* esp = esp & 0xfffffff0 : clear the low 4 bits so esp is 16-byte aligned
* push [ecx - 4] : the dword that sat at the original esp (main's return address), re-pushed below the aligned esp
* push ebp
* ebp = esp
* push ecx
* esp = esp - 4
* eax = ecx
* eax = [eax + 4]
initially ecx value: 0xffff4440
0xffff4440: an address to where the cma lives, let's say 0xffff6660
0xffff6660: value of argv value of argc (a pointer)
|0x80484af <main> lea 0x4(%esp),%ecx │
│0x80484b3 <main+4> and $0xfffffff0,%esp │
│0x80484b6 <main+7> pushl -0x4(%ecx) │
│0x80484b9 <main+10> push %ebp │
│0x80484ba <main+11> mov %esp,%ebp │
│0x80484bc <main+13> push %ecx │
│0x80484bd <main+14> sub $0x4,%esp │
│0x80484c0 <main+17> mov %ecx,%eax │
│0x80484c2 <main+19> mov 0x4(%eax),%eax │
│0x80484c5 <main+22> add $0x4,%eax │
│0x80484c8 <main+25> mov (%eax),%eax │
│0x80484ca <main+27> sub $0xc,%esp │
│0x80484cd <main+30> push %eax │
│0x80484ce <main+31> call 0x8048494 <vulnerable_func│
│0x80484d3 <main+36> add $0x10,%esp │
│0x80484d6 <main+39> mov $0x0,%eax │
│0x80484db <main+44> mov -0x4(%ebp),%ecx │
│0x80484de <main+47> leave │
│0x80484df <main+48> lea -0x4(%ecx),%esp │
│0x80484e2 <main+51> ret
To run with arguments from command line:
gdb --args executablename arg1 arg2 arg3
To run with arguments:
r arg1 arg2 arg3
To run python script:
source ~/Dropbox/ccom4702/code/pst.py
0xffffc9a0: 0x00000001
0xffffc9a4: 0xffffca64
0xffffc9a8: 0xffffca6c <-- ESP
0xffffc9ac: 0x08048431
0xffffc9b0: 0xf7fa03dc
0xffffc9b4: 0x080481ec
0xffffc9b8: 0x08048419
0xffffc9bc: 0x00000000
0xffffc9c0: 0xf7fa0000
0xffffc9c4: 0xf7fa0000
0xffffc9c8: 0x00000000 <-- EBP
0xffffc9cc: 0xf7e06637
0xffffc9d0: 0x00000001
0xffffc9a0: 0x00000001
0xffffc9a4: 0xffffca64
0xffffc9a8: 0xffffca6c <-- ESP
0xffffc9ac: 0x08048431
0xffffc9b0: 0xf7fa03dc
0xffffc9b4: 0x080481ec
0xffffc9b8: 0x08048419
0xffffc9bc: 0x0000002a <-- a = 42
0xffffc9c0: 0xf7fa0000
0xffffc9c4: 0xf7fa0000
0xffffc9c8: 0x00000000 <-- EBP
0xffffc9cc: 0xf7e06637
0xffffc9d0: 0x00000001
0xffffc9a0: 0x00000001
0xffffc9a4: 0xffffca64
0xffffc9a8: 0xffffca6c <-- ESP
0xffffc9ac: 0x08048431
0xffffc9b0: 0xf7fa03dc
0xffffc9b4: 0x080481ec
0xffffc9b8: 0x08048419
0xffffc9bc: 0x0000002a
0xffffc9c0: 0xf7fa0000
0xffffc9c4: 0xffffc9bc <-- b = &a
0xffffc9c8: 0x00000000 <-- EBP
0xffffc9cc: 0xf7e06637
0xffffc9d0: 0x00000001
0xffffc9a0: 0x00000001
0xffffc9a4: 0xffffca64
0xffffc9a8: 0xffffca6c <-- ESP
0xffffc9ac: 0x08048431
0xffffc9b0: 0xf7fa03dc
0xffffc9b4: 0x680481ec
0xffffc9b8: 0x00616c6f <-- st[] = "hola"
0xffffc9bc: 0x0000002a
0xffffc9c0: 0xf7fa0000
0xffffc9c4: 0xffffc9bc
0xffffc9c8: 0x00000000 <-- EBP
0xffffc9cc: 0xf7e06637
0xffffc9d0: 0x00000001
0xffffc9a0: 0x00000001
0xffffc9a4: 0xffffca64
0xffffc9a8: 0xffffca6c <-- ESP
0xffffc9ac: 0x08048431
0xffffc9b0: 0xf7fa03dc
0xffffc9b4: 0x680481ec
0xffffc9b8: 0x00616c6f
0xffffc9bc: 0x0000002a
0xffffc9c0: 0x47fa0000 <-- c = 'G' (0x47)
0xffffc9c4: 0xffffc9bc
0xffffc9c8: 0x00000000 <-- EBP
0xffffc9cc: 0xf7e06637
0xffffc9d0: 0x00000001