While running an ELF program under gdb, I am witnessing rather unexpected behavior for a specific add instruction:

    Intel syntax: add cl,byte ptr [eax]
    AT&T syntax:  add (%eax),%cl

I would expect this instruction to have the same meaning as gdb's set $cl=$cl+*((char*) $eax) (regardless of the triggered flags). The behavior is not the same in the debugging session below: the value of (char) *$eax is 0xb8, the value of $cl is 0, and the resulting value of $cl is 0xcc.

My question is: where does 0xcc come from? Why is the result not 0xb8?

The program is a crackme program which may be found here.

To answer Jester's comment below, the following gdb session works as expected though:
    (gdb) b *0x08048119
    Breakpoint 1 at 0x8048119
    (gdb) r
    Starting program: /tmp/ch20.bin
    welcome root-me challenges
    pass: foo
    Breakpoint 1, 0x08048119 in ?? ()
    (gdb) x/i $eip
    => 0x8048119:   add    (%eax),%cl
    (gdb) x/bx $eax
    0x8048080:      0xb8
    (gdb) p/x $cl
    $1 = 0x0
    (gdb) si
    0x0804811b in ?? ()
    (gdb) p/x $cl
    $2 = 0xb8
But I don't understand why the following one does not give the same result:
    (gdb) b *0x8048080
    Breakpoint 1 at 0x8048080
    (gdb) r
    Starting program: /home/baz1/downloads/ch20.bin
    Breakpoint 1, 0x08048080 in ?? ()
    (gdb) ni
    0x08048085 in ?? ()
    (gdb)
    0x0804808a in ?? ()
    (gdb)
    0x0804808f in ?? ()
    (gdb)
    0x08048094 in ?? ()
    (gdb)
    welcome root-me challenges
    pass: 0x08048096 in ?? ()
    (gdb)
    0x0804809b in ?? ()
    (gdb)
    0x0804809d in ?? ()
    (gdb)
    0x080480a2 in ?? ()
    (gdb)
    0x080480a7 in ?? ()
    (gdb)
    0x080480a9 in ?? ()
    (gdb)
    0x080480ab in ?? ()
    (gdb)
    0x080480b0 in ?? ()
    (gdb)
    0x080480b5 in ?? ()
    (gdb)
    0x08048115 in ?? ()
    (gdb)
    0x08048117 in ?? ()
    (gdb)
    0x08048119 in ?? ()
    (gdb) x/i $eip
    => 0x8048119:   add    (%eax),%cl
    (gdb) x/bx $eax
    0x8048080:      0xb8
    (gdb) p/x $cl
    $1 = 0x0
    (gdb) si
    0x0804811b in ?? ()
    (gdb) p/x $cl
    $2 = 0xcc
Thanks for the help.
The b *0x8048080 places a software breakpoint in memory, which happens to be an int3 instruction with opcode 0xcc. The add instruction reads that instead of the original memory content. You can delete the breakpoint after it got hit, or use hardware breakpoints, which don't modify the code.
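The following is an added illustration of the mechanism described in this answer; it is not the crackme, gdb's source, or code from the asker. It models a debugger's software-breakpoint bookkeeping (save the original byte, write int3 = 0xcc, restore and re-insert when stepping over the hit) on a constructed memory image whose layout mirrors the two sessions above: 0xb8 at 0x8048080 and the add at 0x8048119 (encoded as the constructed bytes 02 08). The Debugger class, the image contents and the helper names are assumptions made for the example; it generalizes the question to any breakpoint address, so it reproduces both the 0xb8 and the 0xcc outcomes and the two fixes the answer mentions.

```python
"""Model of why a software breakpoint changes what a self-reading instruction
observes.  Added example: not the crackme, not gdb, not the asker's code."""

INT3 = 0xCC  # one-byte int3 opcode that a debugger patches into the code

# Constructed memory image (assumption): 0x8048080 holds 0xb8, like the crackme's
# first byte in the session; the "add cl, byte ptr [eax]" sits at 0x8048119.
BASE = 0x8048080
ADD_ADDR = 0x8048119
IMAGE = bytearray(0x100)
IMAGE[0] = 0xB8
IMAGE[ADD_ADDR - BASE:ADD_ADDR - BASE + 2] = b"\x02\x08"  # add cl, [eax]


class Debugger:
    """Minimal software-breakpoint bookkeeping (assumed, simplified model)."""

    def __init__(self, mem, base):
        self.mem = mem
        self.base = base
        self.saved = {}  # breakpoint address -> original byte

    def _idx(self, addr):
        return addr - self.base

    def insert(self, addr):
        """'b *addr': remember the original byte and overwrite it with int3."""
        if addr not in self.saved:
            self.saved[addr] = self.mem[self._idx(addr)]
            self.mem[self._idx(addr)] = INT3

    def delete(self, addr):
        """'delete': put the original byte back."""
        orig = self.saved.pop(addr, None)
        if orig is not None:
            self.mem[self._idx(addr)] = orig

    def step_over(self, addr):
        """Continuing past a hit breakpoint: restore the byte, single-step the
        real instruction, then re-insert int3 so the breakpoint stays armed."""
        if addr in self.saved:
            orig = self.saved.pop(addr)
            self.mem[self._idx(addr)] = orig
            # ... the original instruction executes here ...
            self.insert(addr)


def add_cl_mem(mem, base, cl, eax):
    """Emulate `add cl, byte ptr [eax]`; flags are ignored as in the question."""
    return (cl + mem[eax - base]) & 0xFF


def result_with_software_bp(bp_addr, delete_after_hit=False):
    """cl after the add, with a software breakpoint at bp_addr that was hit
    and stepped past earlier in the run (eax == 0x8048080, cl == 0)."""
    mem = bytearray(IMAGE)
    dbg = Debugger(mem, BASE)
    dbg.insert(bp_addr)
    dbg.step_over(bp_addr)
    if delete_after_hit:
        dbg.delete(bp_addr)
    return add_cl_mem(mem, BASE, 0, BASE)


def result_with_hardware_bp():
    """A hardware breakpoint lives in debug registers, so code bytes are
    untouched and the add sees the original 0xb8."""
    mem = bytearray(IMAGE)
    return add_cl_mem(mem, BASE, 0, BASE)


if __name__ == "__main__":
    # First session: breakpoint on the add itself -> the read byte is intact.
    print(hex(result_with_software_bp(ADD_ADDR)))
    # Second session: breakpoint on the byte being read -> the add sees int3.
    print(hex(result_with_software_bp(BASE)))
    # The two fixes from the answer: delete after the hit, or use a hw breakpoint.
    print(hex(result_with_software_bp(BASE, delete_after_hit=True)))
    print(hex(result_with_hardware_bp()))
```

Run it as a script and the four lines print 0xb8, 0xcc, 0xb8, 0xb8, matching the two gdb sessions and the two remedies. The point of the model is that a breakpoint is only invisible to the debuggee while the debugger is stepping over it; once execution moves on, int3 is back in memory, and any instruction that reads its own code (as this crackme does at 0x8048119) observes 0xcc.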