├── CHANGELOG ├── README.md └── gdbinit /CHANGELOG: -------------------------------------------------------------------------------- 1 | Version 8.0.6 (05/09/2013) 2 | - Add patch command to convert bytes to little-endian and patch memory 3 | 4 | Version 8.0.5 (18/08/2013) 5 | - Add commands header and loadcmds to dump Mach-O header information 6 | - Other fixes and additions from previous commits 7 | 8 | Version 8.0.4 (08/05/2013) 9 | - Detect automatically 32 or 64 bits archs using sizeof(void*). 10 | Thanks to Tyilo for the simple but very effective idea! 11 | - Typo in hexdump command also fixed by vuquangtrong. 12 | - Add shortcuts to attach to VMware kernel debugging gdb stub (kernel32 and kernel64) 13 | 14 | Version 8.0.3 (21/03/2013) 15 | - Add option to colorize or not output (thanks to argp and skier for the request and ideas!) 16 | - Convert the escape codes into functions so colors can be easily customized 17 | - Other enhancements available at git commit logs 18 | Thanks to Plouj, argp, xristos for their ideas and fixes! 19 | 20 | Version 8.0.2 (31/07/2012) 21 | - Merge pull request from mheistermann to support local modifications in a .gdbinit.local file 22 | - Add a missing opcode to the stepo command 23 | 24 | Version 8.0.1 (23/04/2012) 25 | - Small bug fix to the attsyntax and intelsyntax commands (changing X86 flavor variable was missing) 26 | 27 | Version 8.0 (13/04/2012) 28 | - Merged x86/x64 and ARM versions 29 | - Added commands intelsyntax and attsyntax to switch between x86 disassembly flavors 30 | - Added new configuration variables ARM, ARMOPCODES, and X86FLAVOR 31 | - Code cleanups and fixes to the indentation 32 | - Bug fixes to some ARM related code 33 | - Added the dumpmacho command to memory dump the mach-o header to a file 34 | 35 | Version 7.4.4 (02/01/2012) 36 | - Added the "skip" command. This will jump to the next instruction after EIP/RIP without executing the current one. 
37 | Thanks to @bSr43 for the tip to retrieve the current instruction size. 38 | 39 | Version 7.4.3 (04/11/2011) 40 | - Modified "hexdump" command to support a variable number of lines (optional parameter) 41 | - Removed restrictions on type of addresses in the "dd" command - Thanks to Plouj for the warning :-) 42 | I don't know what the original thinking behind those was :-) 43 | - Modified the assemble command to support 64 bits - You will need to recompile nasm since the version shipped with OS X doesn't support 64 bits (www.nasm.us). 44 | Assumes that the new binary is installed at /usr/local/bin - modify the variable at the top if needed. 45 | It will assemble based on the target arch being debugged. If you want to use gdb for a quick asm just use the 32bits or 64bits commands to set your target. 46 | Thanks to snare for the warning and original patch :-) 47 | - Added "asm" command - it's a shortcut to the "assemble" command. 48 | - Added configuration variable for colorized prompt. Plouj reported some issues with Ubuntu's gdb 7.2 if the prompt is colorized. 49 | 50 | Version 7.4.2 (11/08/2011) 51 | Small fix to a weird bug happening on FreeBSD 8.2. It doesn't like an "if(" instruction, needs to be "if (". Weird! 52 | Many thanks to Evan for reporting and sending the patch :-) 53 | Added the ptraceme/rptraceme commands to bypass the PTRACE_TRACEME anti-debugging technique. 54 | Grabbed this from http://falken.tuxfamily.org/?p=171 55 | It's commented out due to a gdb problem in OS X (refer to http://reverse.put.as/2011/08/20/another-patch-for-apples-gdb-the-definecommands-problem/ ) 56 | Just uncomment it if you want to use it on ptrace-enabled systems. 57 | 58 | Version 7.4.1 (21/06/2011) - fG! 59 | Added patch sent by sbz, more than 1 year ago, which I forgot to add :-/ 60 | This allows searching for a given pattern between start and end address. 61 | In sbz's words: "It's useful to find call, ret or everything like that." 
:-) 62 | New command is "search" 63 | 64 | Version 7.4 (20/06/2011) - fG! 65 | When registers change between instructions the color will change to red (as it happens in OllyDbg) 66 | This is the default behavior; if you don't like it, modify the variable SHOWREGCHANGES 67 | Added patch sent by Philippe Langlois 68 | color the first disassembly line - change the setting below on SETCOLOR1STLINE - by default it's disabled 69 | 70 | Version 7.3.2 (21/02/2011) - fG! 71 | Added the command rint3 and modified the int3 command. The new command will restore the byte overwritten by a previous int3 patch. 72 | 73 | Version 7.3.1 (29/06/2010) - fG! 74 | Added enablelib/disablelib commands to quickly set the stop-on-solib-events trick 75 | Implemented the stepoh command, equivalent to stepo but using hardware breakpoints 76 | More fixes to stepo 77 | 78 | Version 7.3 (16/04/2010) - fG! 79 | Support for 64-bit targets. Default is 32 bits; modify the variable or use the 32bits or 64bits commands to choose the mode. 80 | I couldn't find another way to recognize the type of binary… Testing the register doesn't work that well. 81 | TODO: fix objectivec messages and stepo for 64bits 82 | 83 | Version 7.2.1 (24/11/2009) - fG! 84 | Another fix to stepo (0xFF92 missing) 85 | 86 | Version 7.2 (11/10/2009) - fG! 87 | Added the smallregisters function to create 16 and 8 bit versions from the registers EAX, EBX, ECX, EDX 88 | Revised and fixed all the dumpjump stuff, following Intel manuals. There were some errors (thx to rev who pointed out the jle problem). 89 | Small fix to stepo command (missed a few call types) 90 | 91 | Version 7.1.7 - fG! 92 | Added the possibility to modify what's displayed with the context window. You can change default options at the gdb options part. For example, kernel debugging is much slower if the stack display is enabled... 
92 | New commands enableobjectivec, enablecpuregisters, enablestack, enabledatawin and their disable equivalents (to support real-time change of default options) 93 | Fixed problem with the assemble command. I was calling /bin/echo which doesn't support the -e option ! DUH ! Should have used the bash internal version. 94 | Small fixes to colors... 95 | New commands enablesolib and disablesolib. Just shortcuts for the stop-on-solib-events fantastic trick ! Hey... I'm lazy ;) 96 | Fixed this: Possible removal of "u" command, info udot is missing in gdb 6.8-debian. Doesn't exist on OS X so bye bye !!! 97 | Displays affected flags in jump decisions 98 | 99 | Version 7.1.6 - fG! 100 | Added modified assemble command from Tavis Ormandy (further modified to work with Mac OS X) (shell commands use full path names, working for Leopard, modify for others if necessary) 101 | Renamed thread command to threads because thread is an internal gdb command that allows moving between program threads 102 | 103 | Version 7.1.5 (04/01/2009) - fG! 104 | Fixed crash on Leopard ! There was an if/else condition where the else had no code and that made gdb crash on Leopard (CRAZY!!!!) 105 | Better code indentation 106 | 107 | Version 7.1.4 (02/01/2009) - fG! 108 | Bug in show objective c messages with Leopard ??? 109 | Nop routine support for single address or range (contribution from gln [ghalen at hack.se]) 110 | Used the same code from nop for the null routine 111 | 112 | Version 7.1.3 (31/12/2008) - fG! 113 | Added a new command 'stepo'. This command will set a temporary breakpoint on the next instruction after the call, so you can skip over 114 | the call. Did this because normal commands do not always skip over (mainly with objc_msgSend) 115 | 116 | Version 7.1.2 (31/12/2008) - fG! 117 | Support for the jump decision (will display whether a conditional jump will be taken or not) 118 | 119 | Version 7.1.1 (29/12/2008) - fG! 
120 | Moved gdb options to the beginning (makes more sense) 121 | Added support to dump the message being sent to msgSend (easier to understand what's going on) 122 | 123 | Version 7.1 124 | Fixed serious (and old) bug in dd and datawin, causing a dereference of an 125 | obviously invalid address. See below: 126 | gdb$ dd 0xffffffff 127 | FFFFFFFF : Cannot access memory at address 0xffffffff 128 | 129 | Version 7.0 130 | Added cls command. 131 | Improved documentation of many commands. 132 | Removed bp_alloc, was neither portable nor useful. 133 | Checking of passed argument(s) in these commands: 134 | contextsize-stack, contextsize-data, contextsize-code 135 | bp, bpc, bpe, bpd, bpt, bpm, bhb,... 136 | Fixed bp and bhb inconsistencies, look at * signs in Version 6.2 137 | Bugfix in bhb command, changed "break" to "hb" command body 138 | Removed $SHOW_CONTEXT=1 from several commands, this variable 139 | should only be controlled globally with context-on and context-off 140 | Improved stack, func, var and sig, dis, n, go,... 
141 | they take optional argument(s) now 142 | Fixed wrong $SHOW_CONTEXT assignment in context-off 143 | Fixed serious bug in cft command, forgotten ~ sign 144 | Fixed these bugs in step_to_call: 145 | 1) the correct logging sequence is: 146 | set logging file > set logging redirect > set logging on 147 | 2) $SHOW_CONTEXT is now correctly restored from $_saved_ctx 148 | Fixed these bugs in trace_calls: 149 | 1) the correct logging sequence is: 150 | set logging file > set logging overwrite > 151 | set logging redirect > set logging on 152 | 2) removed the "clean up trace file" part, which is not needed now, 153 | stepi output is properly redirected to /dev/null 154 | 3) $SHOW_CONTEXT is now correctly restored from $_saved_ctx 155 | Fixed bug in trace_run: 156 | 1) $SHOW_CONTEXT is now correctly restored from $_saved_ctx 157 | Fixed print_insn_type -- removed invalid semicolons!, wrong value checking, 158 | Added TODO entry regarding the "u" command 159 | Changed name from gas_assemble to assemble_gas due to consistency 160 | Output from assemble and assemble_gas is now similar, because i made 161 | both of them to use objdump, with respect to output format (AT&T|Intel). 162 | Whole code was checked and made more consistent, readable/maintainable. 
163 | 164 | Version 6.2 165 | Add global variables to allow user to control stack, data and code window sizes 166 | Increase readability for registers 167 | Some corrections (hexdump, ddump, context, cfp, assemble, gas_asm, tips, prompt) 168 | 169 | Version 6.1-color-user 170 | Took the Gentoo route and ran sed s/user/user/g 171 | 172 | Version 6.1-color 173 | Added color fixes from 174 | http://gnurbs.blogsome.com/2006/12/22/colorizing-mamons-gdbinit/ 175 | 176 | Version 6.1 177 | Fixed filename in step_to_call so it points to /dev/null 178 | Changed location of logfiles from /tmp to ~ 179 | 180 | Version 6 181 | Added print_insn_type, get_insn_type, context-on, context-off commands 182 | Added trace_calls, trace_run, step_to_call commands 183 | Changed hook-stop so it checks $SHOW_CONTEXT variable 184 | 185 | Version 5 186 | Added bpm, dump_bin, dump_hex, bp_alloc commands 187 | Added 'assemble' by elaine, 'gas_asm' by mong 188 | Added Tip Topics for aspiring users ;) 189 | 190 | Version 4 191 | Added eflags-changing insns by pusillus 192 | Added bp, nop, null, and int3 patch commands, also hook-stop 193 | 194 | Version 3 195 | Incorporated elaine's if/else goodness into the hex/ascii dump 196 | 197 | Version 2 198 | Radix bugfix by elaine 199 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | Public repo for gdbinit 2 | 3 | x86/x86_64 and ARM are supported simultaneously since version 8.0. 4 | 5 | To make ARM the default CPU set the $ARM var to 1 or use the "arm" command to switch. 6 | 7 | If you are an LLDB user, this has been replaced by [lldbinit](https://github.com/gdbinit/lldbinit). Same look, more features! 8 | 9 | FEEDBACK: https://reverse.put.as - reverser@put.as 10 | 11 | You should read the header of the script for important information regarding some Mac OS X/iOS gdb bugs. 12 | 13 | Have fun, 14 | fG! 
15 | -------------------------------------------------------------------------------- /gdbinit: -------------------------------------------------------------------------------- 1 | # INSTALL INSTRUCTIONS: save as ~/.gdbinit 2 | # 3 | # DESCRIPTION: A user-friendly gdb configuration file, for x86/x86_64 and ARM platforms. 4 | # 5 | # REVISION : 9.01 (31/03/2024) 6 | # 7 | # CONTRIBUTORS: mammon_, elaine, pusillus, mong, zhang le, l0kit, 8 | # truthix the cyberpunk, fG!, gln 9 | # 10 | # LICENSE: No idea about original authors, I guess it's public domain (at least all my changes are public domain) 11 | # 12 | # FEEDBACK: https://reverse.put.as - reverser@put.as 13 | # GITHUB: https://github.com/gdbinit/Gdbinit 14 | # 15 | # NOTES: 'help user' in gdb will list the commands/descriptions in this file 16 | # 'context on' now enables auto-display of context screen 17 | # 18 | # MAC OS X NOTES: If you are using this on Mac OS X, you must either attach gdb to a process 19 | # or launch gdb without any options and then load the binary file you want to analyse with the "exec-file" command 20 | # If you load the binary from the command line, like $gdb binary-name, this will not work as it should 21 | # For more information, read it here https://reverse.put.as/2008/11/28/apples-gdb-bug/ 22 | # 23 | # UPDATE: This bug can be fixed in gdb source. Refer to https://reverse.put.as/2009/08/10/fix-for-apples-gdb-bug-or-why-apple-forks-are-bad/ 24 | # and https://reverse.put.as/2009/08/26/gdb-patches/ (if you want the fixed binary for i386) 25 | # 26 | # An updated version of the patch and binary is available at https://reverse.put.as/2011/02/21/update-to-gdb-patches-fix-a-new-bug/ 27 | # 28 | # iOS NOTES: iOS gdb from Cydia (and Apple's) suffers from the same OS X bug. 
29 | # If you are using this on Mac OS X or iOS, you must either attach gdb to a process 30 | # or launch gdb without any options and then load the binary file you want to analyse with the "exec-file" command 31 | # If you load the binary from the command line, like $gdb binary-name, this will not work as it should 32 | # For more information, read it here https://reverse.put.as/2008/11/28/apples-gdb-bug/ 33 | # 34 | # RECENT CHANGELOG: 35 | # 36 | # Version 9.0 37 | # Fixes to make everything work with GNU/GDB 8.3+ 38 | # 39 | # Version 9.01 40 | # Revert the ascii code changes (not working on gdb 12) 41 | # Fix the remaining tabs mess 42 | # 43 | # TODO: 44 | # 45 | 46 | # __________________gdb options_________________ 47 | 48 | # set to 1 to have ARM target debugging as default, use the "arm" command to switch inside gdb 49 | set $ARM = 0 50 | # set to 0 if you have problems with the colorized prompt - reported by Plouj with Ubuntu gdb 7.2 51 | set $COLOREDPROMPT = 1 52 | # color the first line of the disassembly - default is green, if you want to change it search for 53 | # SETCOLOR1STLINE and modify it :-) 54 | set $SETCOLOR1STLINE = 0 55 | # set to 0 to remove disassembly display (useful for scripted commands mass dumping) 56 | set $SHOWDISASM = 1 57 | # set to 0 to remove display of objectivec messages (default is 1) 58 | set $SHOWOBJECTIVEC = 1 59 | # set to 0 to remove display of cpu registers (default is 1) 60 | set $SHOWCPUREGISTERS = 1 61 | # set to 1 to enable display of stack (default is 0) 62 | set $SHOWSTACK = 0 63 | # set to 1 to enable display of data window (default is 0) 64 | set $SHOWDATAWIN = 0 65 | # set to 0 to disable colored display of changed registers 66 | set $SHOWREGCHANGES = 1 67 | # set to 1 so the skip command executes the instruction at the new location 68 | # by default EIP/RIP is modified and the context updated, but the instruction at the new location is not executed 69 | set $SKIPEXECUTE = 0 70 | # if $SKIPEXECUTE is 1 configure the type of 
execution 71 | # 1 = use stepo (do not get into calls), 0 = use stepi (step into calls) 72 | set $SKIPSTEP = 1 73 | # show the ARM opcodes - change to 0 if you don't want such thing (in x/i command) 74 | set $ARMOPCODES = 0 75 | # x86 disassembly flavor: 0 for Intel, 1 for AT&T 76 | set $X86FLAVOR = 0 77 | # use colorized output or not 78 | set $USECOLOR = 1 79 | # to use with remote KDP 80 | set $KDP64BITS = -1 81 | set $64BITS = 0 82 | 83 | # macOS version works better with this setting off 84 | set startup-with-shell off 85 | 86 | set confirm off 87 | set verbose off 88 | set history filename ~/.gdb_history 89 | set history save 90 | 91 | set output-radix 0x10 92 | set input-radix 0x10 93 | 94 | # These make gdb never pause in its output 95 | set height 0 96 | set width 0 97 | 98 | set $SHOW_CONTEXT = 1 99 | set $SHOW_NEST_INSN = 0 100 | 101 | set $CONTEXTSIZE_STACK = 6 102 | set $CONTEXTSIZE_DATA = 8 103 | set $CONTEXTSIZE_CODE = 8 104 | 105 | # __________________end gdb options_________________ 106 | # 107 | 108 | # __________________color functions_________________ 109 | # 110 | # color codes 111 | set $BLACK = 0 112 | set $RED = 1 113 | set $GREEN = 2 114 | set $YELLOW = 3 115 | set $BLUE = 4 116 | set $MAGENTA = 5 117 | set $CYAN = 6 118 | set $WHITE = 7 119 | 120 | # CHANGME: If you want to modify the "theme" change the colors here 121 | # or just create a ~/.gdbinit.local and set these variables there 122 | set $COLOR_REGNAME = $GREEN 123 | set $COLOR_REGVAL = $BLACK 124 | set $COLOR_REGVAL_MODIFIED = $RED 125 | set $COLOR_SEPARATOR = $BLUE 126 | set $COLOR_CPUFLAGS = $RED 127 | 128 | # this is ugly but there's no else if available :-( 129 | define color 130 | if $USECOLOR == 1 131 | # BLACK 132 | if $arg0 == 0 133 | echo \033[30m 134 | else 135 | # RED 136 | if $arg0 == 1 137 | echo \033[31m 138 | else 139 | # GREEN 140 | if $arg0 == 2 141 | echo \033[32m 142 | else 143 | # YELLOW 144 | if $arg0 == 3 145 | echo \033[33m 146 | else 147 | # BLUE 148 | if 
$arg0 == 4 149 | echo \033[34m 150 | else 151 | # MAGENTA 152 | if $arg0 == 5 153 | echo \033[35m 154 | else 155 | # CYAN 156 | if $arg0 == 6 157 | echo \033[36m 158 | else 159 | # WHITE 160 | if $arg0 == 7 161 | echo \033[37m 162 | end 163 | end 164 | end 165 | end 166 | end 167 | end 168 | end 169 | end 170 | end 171 | end 172 | 173 | define color_reset 174 | if $USECOLOR == 1 175 | echo \033[0m 176 | end 177 | end 178 | 179 | define color_bold 180 | if $USECOLOR == 1 181 | echo \033[1m 182 | #echo \[\e[1m\] 183 | end 184 | end 185 | 186 | define color_underline 187 | if $USECOLOR == 1 188 | echo \033[4m 189 | end 190 | end 191 | 192 | # create ~/.gdbinit.local if file not present 193 | # suppresses any warning about not finding the file 194 | shell if ! test -f ~/.gdbinit.local; then touch ~/.gdbinit.local; fi 195 | 196 | # this way anyone can have their custom prompt - argp's idea :-) 197 | # can also be used to redefine anything else in particular the colors aka theming 198 | # just remap the color variables defined above. Note that this file is sourced unconditionally and everything in it (including any shell commands) runs with gdb's privileges; gdb's auto-load safe-path check does not apply to an explicit source, so keep ~/.gdbinit.local owned by you and not writable by other users 199 | source ~/.gdbinit.local 200 | 201 | # can't use the color functions because we are using the set command 202 | if $COLOREDPROMPT == 1 203 | set extended-prompt \[\e[0;31m\]gdb$ \[\e[0m\] 204 | end 205 | 206 | # Initialize these variables else comparisons will fail for coloring 207 | # we must initialize all of them at once, 32 and 64 bits, and ARM. 
208 | set $oldrax = 0 209 | set $oldrbx = 0 210 | set $oldrcx = 0 211 | set $oldrdx = 0 212 | set $oldrsi = 0 213 | set $oldrdi = 0 214 | set $oldrbp = 0 215 | set $oldrsp = 0 216 | set $oldr8 = 0 217 | set $oldr9 = 0 218 | set $oldr10 = 0 219 | set $oldr11 = 0 220 | set $oldr12 = 0 221 | set $oldr13 = 0 222 | set $oldr14 = 0 223 | set $oldr15 = 0 224 | set $oldeax = 0 225 | set $oldebx = 0 226 | set $oldecx = 0 227 | set $oldedx = 0 228 | set $oldesi = 0 229 | set $oldedi = 0 230 | set $oldebp = 0 231 | set $oldesp = 0 232 | set $oldr0 = 0 233 | set $oldr1 = 0 234 | set $oldr2 = 0 235 | set $oldr3 = 0 236 | set $oldr4 = 0 237 | set $oldr5 = 0 238 | set $oldr6 = 0 239 | set $oldr7 = 0 240 | set $oldsp = 0 241 | set $oldlr = 0 242 | 243 | # used by ptraceme/rptraceme 244 | set $ptrace_bpnum = 0 245 | 246 | # ______________window size control___________ 247 | define contextsize-stack 248 | if $argc != 1 249 | help contextsize-stack 250 | else 251 | set $CONTEXTSIZE_STACK = $arg0 252 | end 253 | end 254 | document contextsize-stack 255 | Syntax: contextsize-stack NUM 256 | | Set stack dump window size to NUM lines. 257 | end 258 | 259 | 260 | define contextsize-data 261 | if $argc != 1 262 | help contextsize-data 263 | else 264 | set $CONTEXTSIZE_DATA = $arg0 265 | end 266 | end 267 | document contextsize-data 268 | Syntax: contextsize-data NUM 269 | | Set data dump window size to NUM lines. 270 | end 271 | 272 | 273 | define contextsize-code 274 | if $argc != 1 275 | help contextsize-code 276 | else 277 | set $CONTEXTSIZE_CODE = $arg0 278 | end 279 | end 280 | document contextsize-code 281 | Syntax: contextsize-code NUM 282 | | Set code window size to NUM lines. 283 | end 284 | 285 | 286 | # _____________breakpoint aliases_____________ 287 | define bpl 288 | info breakpoints 289 | end 290 | document bpl 291 | Syntax: bpl 292 | | List all breakpoints. 
293 | end 294 | 295 | 296 | define bp 297 | if $argc != 1 298 | help bp 299 | else 300 | if $ASLR != 0 301 | break ($arg0 + $ASLR) 302 | else 303 | break $arg0 304 | end 305 | end 306 | end 307 | document bp 308 | Syntax: bp LOCATION 309 | | Set breakpoint. 310 | | LOCATION may be a line number, function name, or "*" and an address. 311 | | To break on a symbol you must enclose symbol name inside "". 312 | | Example: 313 | | bp "[NSControl stringValue]" 314 | | Or else you can use directly the break command (break [NSControl stringValue]) 315 | end 316 | 317 | 318 | define bpc 319 | if $argc != 1 320 | help bpc 321 | else 322 | clear $arg0 323 | end 324 | end 325 | document bpc 326 | Syntax: bpc LOCATION 327 | | Clear breakpoint. 328 | | LOCATION may be a line number, function name, or "*" and an address. 329 | end 330 | 331 | 332 | define bpe 333 | if $argc != 1 334 | help bpe 335 | else 336 | enable $arg0 337 | end 338 | end 339 | document bpe 340 | Syntax: bpe NUM 341 | | Enable breakpoint with number NUM. 342 | end 343 | 344 | 345 | define bpd 346 | if $argc != 1 347 | help bpd 348 | else 349 | disable $arg0 350 | end 351 | end 352 | document bpd 353 | Syntax: bpd NUM 354 | | Disable breakpoint with number NUM. 355 | end 356 | 357 | 358 | define bpt 359 | if $argc != 1 360 | help bpt 361 | else 362 | tbreak $arg0 363 | end 364 | end 365 | document bpt 366 | Syntax: bpt LOCATION 367 | | Set a temporary breakpoint. 368 | | This breakpoint will be automatically deleted when hit!. 369 | | LOCATION may be a line number, function name, or "*" and an address. 370 | end 371 | 372 | 373 | define bpm 374 | if $argc != 1 375 | help bpm 376 | else 377 | awatch $arg0 378 | end 379 | end 380 | document bpm 381 | Syntax: bpm EXPRESSION 382 | | Set a read/write breakpoint on EXPRESSION, e.g. *address. 
383 | end 384 | 385 | 386 | define bhb 387 | if $argc != 1 388 | help bhb 389 | else 390 | hb $arg0 391 | end 392 | end 393 | document bhb 394 | Syntax: bhb LOCATION 395 | | Set hardware assisted breakpoint. 396 | | LOCATION may be a line number, function name, or "*" and an address. 397 | end 398 | 399 | 400 | define bht 401 | if $argc != 1 402 | help bht 403 | else 404 | thbreak $arg0 405 | end 406 | end 407 | document bht 408 | Syntax: bht LOCATION 409 | | Set a temporary hardware breakpoint. 410 | | This breakpoint will be automatically deleted when hit! 411 | | LOCATION may be a line number, function name, or "*" and an address. 412 | end 413 | 414 | 415 | # ______________process information____________ 416 | define argv 417 | show args 418 | end 419 | document argv 420 | Syntax: argv 421 | | Print program arguments. 422 | end 423 | 424 | 425 | define stack 426 | if $argc == 0 427 | info stack 428 | end 429 | if $argc == 1 430 | info stack $arg0 431 | end 432 | if $argc > 1 433 | help stack 434 | end 435 | end 436 | document stack 437 | Syntax: stack [COUNT] 438 | | Print backtrace of the call stack, or innermost COUNT frames. 439 | end 440 | 441 | 442 | # NOTE: this redefines gdb's built-in "frame" command (silently, because confirm is off), 443 | # so "frame N" no longer selects frame N; use "select-frame N" or "up"/"down" for that. 444 | define frame 445 | info frame 446 | info args 447 | info locals 448 | end 449 | document frame 450 | Syntax: frame 451 | | Print the current stack frame, its arguments and its locals. 
450 | end 451 | 452 | 453 | define flagsarm 454 | # conditional flags are 455 | # negative/less than (N), bit 31 of CPSR 456 | # zero (Z), bit 30 457 | # Carry/Borrow/Extend (C), bit 29 458 | # Overflow (V), bit 28 459 | # negative/less than (N), bit 31 of CPSR 460 | if (($cpsr >> 0x1f) & 1) 461 | printf "N " 462 | set $_n_flag = 1 463 | else 464 | printf "n " 465 | set $_n_flag = 0 466 | end 467 | # zero (Z), bit 30 468 | if (($cpsr >> 0x1e) & 1) 469 | printf "Z " 470 | set $_z_flag = 1 471 | else 472 | printf "z " 473 | set $_z_flag = 0 474 | end 475 | # Carry/Borrow/Extend (C), bit 29 476 | if (($cpsr >> 0x1d) & 1) 477 | printf "C " 478 | set $_c_flag = 1 479 | else 480 | printf "c " 481 | set $_c_flag = 0 482 | end 483 | # Overflow (V), bit 28 484 | if (($cpsr >> 0x1c) & 1) 485 | printf "V " 486 | set $_v_flag = 1 487 | else 488 | printf "v " 489 | set $_v_flag = 0 490 | end 491 | # Sticky overflow (Q), bit 27 492 | if (($cpsr >> 0x1b) & 1) 493 | printf "Q " 494 | set $_q_flag = 1 495 | else 496 | printf "q " 497 | set $_q_flag = 0 498 | end 499 | # Java state bit (J), bit 24 500 | # When T=1: 501 | # J = 0 The processor is in Thumb state. 502 | # J = 1 The processor is in ThumbEE state. 503 | if (($cpsr >> 0x18) & 1) 504 | printf "J " 505 | set $_j_flag = 1 506 | else 507 | printf "j " 508 | set $_j_flag = 0 509 | end 510 | # Data endianness bit (E), bit 9 511 | if (($cpsr >> 9) & 1) 512 | printf "E " 513 | set $_e_flag = 1 514 | else 515 | printf "e " 516 | set $_e_flag = 0 517 | end 518 | # Imprecise abort disable bit (A), bit 8 519 | # The A bit is set to 1 automatically. It is used to disable imprecise data aborts. 520 | # It might not be writable in the Nonsecure state if the AW bit in the SCR register is reset. 521 | if (($cpsr >> 8) & 1) 522 | printf "A " 523 | set $_a_flag = 1 524 | else 525 | printf "a " 526 | set $_a_flag = 0 527 | end 528 | # IRQ disable bit (I), bit 7 529 | # When the I bit is set to 1, IRQ interrupts are disabled. 
530 | if (($cpsr >> 7) & 1) 531 | printf "I " 532 | set $_i_flag = 1 533 | else 534 | printf "i " 535 | set $_i_flag = 0 536 | end 537 | # FIQ disable bit (F), bit 6 538 | # When the F bit is set to 1, FIQ interrupts are disabled. 539 | # FIQ can be nonmaskable in the Nonsecure state if the FW bit in SCR register is reset. 540 | if (($cpsr >> 6) & 1) 541 | printf "F " 542 | set $_f_flag = 1 543 | else 544 | printf "f " 545 | set $_f_flag = 0 546 | end 547 | # Thumb state bit (T), bit 5 548 | # if 1 then the processor is executing in Thumb state or ThumbEE state depending on the J bit 549 | if (($cpsr >> 5) & 1) 550 | printf "T " 551 | set $_t_flag = 1 552 | else 553 | printf "t " 554 | set $_t_flag = 0 555 | end 556 | # TODO: GE bits (bits 19:16) ? 557 | end 558 | document flagsarm 559 | Syntax: flagsarm 560 | | Auxiliary function to set ARM cpu flags. 561 | end 562 | 563 | 564 | define flagsx86 565 | # OF (overflow) flag 566 | if (((unsigned int)$eflags >> 0xB) & 1) 567 | printf "O " 568 | set $_of_flag = 1 569 | else 570 | printf "o " 571 | set $_of_flag = 0 572 | end 573 | # DF (direction) flag 574 | if (((unsigned int)$eflags >> 0xA) & 1) 575 | printf "D " 576 | else 577 | printf "d " 578 | end 579 | # IF (interrupt enable) flag 580 | if (((unsigned int)$eflags >> 9) & 1) 581 | printf "I " 582 | else 583 | printf "i " 584 | end 585 | # TF (trap) flag 586 | if (((unsigned int)$eflags >> 8) & 1) 587 | printf "T " 588 | else 589 | printf "t " 590 | end 591 | # SF (sign) flag 592 | if (((unsigned int)$eflags >> 7) & 1) 593 | printf "S " 594 | set $_sf_flag = 1 595 | else 596 | printf "s " 597 | set $_sf_flag = 0 598 | end 599 | # ZF (zero) flag 600 | if (((unsigned int)$eflags >> 6) & 1) 601 | printf "Z " 602 | set $_zf_flag = 1 603 | else 604 | printf "z " 605 | set $_zf_flag = 0 606 | end 607 | # AF (adjust) flag 608 | if (((unsigned int)$eflags >> 4) & 1) 609 | printf "A " 610 | else 611 | printf "a " 612 | end 613 | # PF (parity) flag 614 | if (((unsigned int)$eflags >> 2) & 
1) 615 | printf "P " 616 | set $_pf_flag = 1 617 | else 618 | printf "p " 619 | set $_pf_flag = 0 620 | end 621 | # CF (carry) flag 622 | if ((unsigned int)$eflags & 1) 623 | printf "C " 624 | set $_cf_flag = 1 625 | else 626 | printf "c " 627 | set $_cf_flag = 0 628 | end 629 | printf "\n" 630 | end 631 | document flagsx86 632 | Syntax: flagsx86 633 | | Auxiliary function to set X86/X64 cpu flags. 634 | end 635 | 636 | 637 | define flags 638 | # call the auxiliary functions based on target cpu 639 | if $ARM == 1 640 | flagsarm 641 | else 642 | flagsx86 643 | end 644 | end 645 | document flags 646 | Syntax: flags 647 | | Print flags register. 648 | end 649 | 650 | 651 | define eflags 652 | if $ARM == 1 653 | # http://www.heyrick.co.uk/armwiki/The_Status_register 654 | printf " N <%d> Z <%d> C <%d> V <%d>",\ 655 | (($cpsr >> 0x1f) & 1), (($cpsr >> 0x1e) & 1), \ 656 | (($cpsr >> 0x1d) & 1), (($cpsr >> 0x1c) & 1) 657 | # GE is a four-bit field, CPSR bits 19:16 658 | printf " Q <%d> J <%d> GE <%d> E <%d> A <%d>",\ 659 | (($cpsr >> 0x1b) & 1), (($cpsr >> 0x18) & 1),\ 660 | (($cpsr >> 0x10) & 0xF), (($cpsr >> 9) & 1), (($cpsr >> 8) & 1) 661 | printf " I <%d> F <%d> T <%d> \n",\ 662 | (($cpsr >> 7) & 1), (($cpsr >> 6) & 1), \ 663 | (($cpsr >> 5) & 1) 664 | else 665 | printf " OF <%d> DF <%d> IF <%d> TF <%d>",\ 666 | (((unsigned int)$eflags >> 0xB) & 1), (((unsigned int)$eflags >> 0xA) & 1), \ 667 | (((unsigned int)$eflags >> 9) & 1), (((unsigned int)$eflags >> 8) & 1) 668 | printf " SF <%d> ZF <%d> AF <%d> PF <%d> CF <%d>\n",\ 669 | (((unsigned int)$eflags >> 7) & 1), (((unsigned int)$eflags >> 6) & 1),\ 670 | (((unsigned int)$eflags >> 4) & 1), (((unsigned int)$eflags >> 2) & 1), ((unsigned int)$eflags & 1) 671 | printf " ID <%d> VIP <%d> VIF <%d> AC <%d>",\ 672 | (((unsigned int)$eflags >> 0x15) & 1), (((unsigned int)$eflags >> 0x14) & 1), \ 673 | (((unsigned int)$eflags >> 0x13) & 1), (((unsigned int)$eflags >> 0x12) & 1) 674 | printf " VM <%d> RF <%d> NT <%d> IOPL <%d>\n",\ 675 | (((unsigned int)$eflags >> 0x11) & 
1), (((unsigned int)$eflags >> 0x10) & 1),\ 675 | (((unsigned int)$eflags >> 0xE) & 1), (((unsigned int)$eflags >> 0xC) & 3) 676 | end 677 | end 678 | document eflags 679 | Syntax: eflags 680 | | Print eflags register. 681 | end 682 | 683 | 684 | define cpsr 685 | eflags 686 | end 687 | document cpsr 688 | Syntax: cpsr 689 | | Print cpsr register. 690 | end 691 | 692 | define regarm 693 | printf " " 694 | # R0 695 | color $COLOR_REGNAME 696 | printf "R0:" 697 | if ($r0 != $oldr0 && $SHOWREGCHANGES == 1) 698 | color $COLOR_REGVAL_MODIFIED 699 | else 700 | color $COLOR_REGVAL 701 | end 702 | printf " 0x%08X ", $r0 703 | # R1 704 | color $COLOR_REGNAME 705 | printf "R1:" 706 | if ($r1 != $oldr1 && $SHOWREGCHANGES == 1) 707 | color $COLOR_REGVAL_MODIFIED 708 | else 709 | color $COLOR_REGVAL 710 | end 711 | printf " 0x%08X ", $r1 712 | # R2 713 | color $COLOR_REGNAME 714 | printf "R2:" 715 | if ($r2 != $oldr2 && $SHOWREGCHANGES == 1) 716 | color $COLOR_REGVAL_MODIFIED 717 | else 718 | color $COLOR_REGVAL 719 | end 720 | printf " 0x%08X ", $r2 721 | # R3 722 | color $COLOR_REGNAME 723 | printf "R3:" 724 | if ($r3 != $oldr3 && $SHOWREGCHANGES == 1) 725 | color $COLOR_REGVAL_MODIFIED 726 | else 727 | color $COLOR_REGVAL 728 | end 729 | printf " 0x%08X\n", $r3 730 | printf " " 731 | # R4 732 | color $COLOR_REGNAME 733 | printf "R4:" 734 | if ($r4 != $oldr4 && $SHOWREGCHANGES == 1) 735 | color $COLOR_REGVAL_MODIFIED 736 | else 737 | color $COLOR_REGVAL 738 | end 739 | printf " 0x%08X ", $r4 740 | # R5 741 | color $COLOR_REGNAME 742 | printf "R5:" 743 | if ($r5 != $oldr5 && $SHOWREGCHANGES == 1) 744 | color $COLOR_REGVAL_MODIFIED 745 | else 746 | color $COLOR_REGVAL 747 | end 748 | printf " 0x%08X ", $r5 749 | # R6 750 | color $COLOR_REGNAME 751 | printf "R6:" 752 | if ($r6 != $oldr6 && $SHOWREGCHANGES == 1) 753 | color $COLOR_REGVAL_MODIFIED 754 | else 755 | color $COLOR_REGVAL 756 | end 757 | printf " 0x%08X ", $r6 758 | # R7 759 | color $COLOR_REGNAME 760 | printf "R7:" 
761 | if ($r7 != $oldr7 && $SHOWREGCHANGES == 1) 762 | color $COLOR_REGVAL_MODIFIED 763 | else 764 | color $COLOR_REGVAL 765 | end 766 | printf " 0x%08X\n", $r7 767 | printf " " 768 | # R8 769 | color $COLOR_REGNAME 770 | printf "R8:" 771 | if ($r8 != $oldr8 && $SHOWREGCHANGES == 1) 772 | color $COLOR_REGVAL_MODIFIED 773 | else 774 | color $COLOR_REGVAL 775 | end 776 | printf " 0x%08X ", $r8 777 | # R9 778 | color $COLOR_REGNAME 779 | printf "R9:" 780 | if ($r9 != $oldr9 && $SHOWREGCHANGES == 1) 781 | color $COLOR_REGVAL_MODIFIED 782 | else 783 | color $COLOR_REGVAL 784 | end 785 | printf " 0x%08X ", $r9 786 | # R10 787 | color $COLOR_REGNAME 788 | printf "R10:" 789 | if ($r10 != $oldr10 && $SHOWREGCHANGES == 1) 790 | color $COLOR_REGVAL_MODIFIED 791 | else 792 | color $COLOR_REGVAL 793 | end 794 | printf " 0x%08X ", $r10 795 | # R11 796 | color $COLOR_REGNAME 797 | printf "R11:" 798 | if ($r11 != $oldr11 && $SHOWREGCHANGES == 1) 799 | color $COLOR_REGVAL_MODIFIED 800 | else 801 | color $COLOR_REGVAL 802 | end 803 | printf " 0x%08X ", $r11 804 | dumpjump 805 | printf "\n" 806 | # R12 807 | color $COLOR_REGNAME 808 | printf " R12:" 809 | if ($r12 != $oldr12 && $SHOWREGCHANGES == 1) 810 | color $COLOR_REGVAL_MODIFIED 811 | else 812 | color $COLOR_REGVAL 813 | end 814 | printf " 0x%08X", $r12 815 | printf " " 816 | # SP 817 | color $COLOR_REGNAME 818 | printf "SP:" 819 | if ($sp != $oldsp && $SHOWREGCHANGES == 1) 820 | color $COLOR_REGVAL_MODIFIED 821 | else 822 | color $COLOR_REGVAL 823 | end 824 | printf " 0x%08X ", $sp 825 | # LR 826 | color $COLOR_REGNAME 827 | printf "LR:" 828 | if ($lr != $oldlr && $SHOWREGCHANGES == 1) 829 | color $COLOR_REGVAL_MODIFIED 830 | else 831 | color $COLOR_REGVAL 832 | end 833 | printf " 0x%08X ", $lr 834 | # PC 835 | color $COLOR_REGNAME 836 | printf "PC:" 837 | color $COLOR_REGVAL_MODIFIED 838 | printf " 0x%08X ", $pc 839 | color_bold 840 | color_underline 841 | color $COLOR_CPUFLAGS 842 | flags 843 | color_reset 844 | printf "\n" 
845 | end 846 | document regarm 847 | Syntax: regarm 848 | | Auxiliary function to display ARM registers. 849 | end 850 | 851 | define regx64 852 | # 64bits stuff 853 | printf " " 854 | # RAX 855 | color $COLOR_REGNAME 856 | printf "RAX:" 857 | if ($rax != $oldrax && $SHOWREGCHANGES == 1) 858 | color $COLOR_REGVAL_MODIFIED 859 | else 860 | color $COLOR_REGVAL 861 | end 862 | printf " 0x%016lX ", $rax 863 | # RBX 864 | color $COLOR_REGNAME 865 | printf "RBX:" 866 | if ($rbx != $oldrbx && $SHOWREGCHANGES == 1) 867 | color $COLOR_REGVAL_MODIFIED 868 | else 869 | color $COLOR_REGVAL 870 | end 871 | printf " 0x%016lX ", $rbx 872 | # RBP 873 | color $COLOR_REGNAME 874 | printf "RBP:" 875 | if ($rbp != $oldrbp && $SHOWREGCHANGES == 1) 876 | color $COLOR_REGVAL_MODIFIED 877 | else 878 | color $COLOR_REGVAL 879 | end 880 | printf " 0x%016lX ", $rbp 881 | # RSP 882 | color $COLOR_REGNAME 883 | printf "RSP:" 884 | if ($rsp != $oldrsp && $SHOWREGCHANGES == 1) 885 | color $COLOR_REGVAL_MODIFIED 886 | else 887 | color $COLOR_REGVAL 888 | end 889 | printf " 0x%016lX ", $rsp 890 | color_bold 891 | color_underline 892 | color $COLOR_CPUFLAGS 893 | flags 894 | color_reset 895 | printf " " 896 | # RDI 897 | color $COLOR_REGNAME 898 | printf "RDI:" 899 | if ($rdi != $oldrdi && $SHOWREGCHANGES == 1) 900 | color $COLOR_REGVAL_MODIFIED 901 | else 902 | color $COLOR_REGVAL 903 | end 904 | printf " 0x%016lX ", $rdi 905 | # RSI 906 | color $COLOR_REGNAME 907 | printf "RSI:" 908 | if ($rsi != $oldrsi && $SHOWREGCHANGES == 1) 909 | color $COLOR_REGVAL_MODIFIED 910 | else 911 | color $COLOR_REGVAL 912 | end 913 | printf " 0x%016lX ", $rsi 914 | # RDX 915 | color $COLOR_REGNAME 916 | printf "RDX:" 917 | if ($rdx != $oldrdx && $SHOWREGCHANGES == 1) 918 | color $COLOR_REGVAL_MODIFIED 919 | else 920 | color $COLOR_REGVAL 921 | end 922 | printf " 0x%016lX ", $rdx 923 | # RCX 924 | color $COLOR_REGNAME 925 | printf "RCX:" 926 | if ($rcx != $oldrcx && $SHOWREGCHANGES == 1) 927 | color 
$COLOR_REGVAL_MODIFIED 928 | else 929 | color $COLOR_REGVAL 930 | end 931 | printf " 0x%016lX ", $rcx 932 | # RIP 933 | color $COLOR_REGNAME 934 | printf "RIP:" 935 | color $COLOR_REGVAL_MODIFIED 936 | printf " 0x%016lX\n ", $rip 937 | # R8 938 | color $COLOR_REGNAME 939 | printf "R8 :" 940 | if ($r8 != $oldr8 && $SHOWREGCHANGES == 1) 941 | color $COLOR_REGVAL_MODIFIED 942 | else 943 | color $COLOR_REGVAL 944 | end 945 | printf " 0x%016lX ", $r8 946 | # R9 947 | color $COLOR_REGNAME 948 | printf "R9 :" 949 | if ($r9 != $oldr9 && $SHOWREGCHANGES == 1) 950 | color $COLOR_REGVAL_MODIFIED 951 | else 952 | color $COLOR_REGVAL 953 | end 954 | printf " 0x%016lX ", $r9 955 | # R10 956 | color $COLOR_REGNAME 957 | printf "R10:" 958 | if ($r10 != $oldr10 && $SHOWREGCHANGES == 1) 959 | color $COLOR_REGVAL_MODIFIED 960 | else 961 | color $COLOR_REGVAL 962 | end 963 | printf " 0x%016lX ", $r10 964 | # R11 965 | color $COLOR_REGNAME 966 | printf "R11:" 967 | if ($r11 != $oldr11 && $SHOWREGCHANGES == 1) 968 | color $COLOR_REGVAL_MODIFIED 969 | else 970 | color $COLOR_REGVAL 971 | end 972 | printf " 0x%016lX ", $r11 973 | # R12 974 | color $COLOR_REGNAME 975 | printf "R12:" 976 | if ($r12 != $oldr12 && $SHOWREGCHANGES == 1) 977 | color $COLOR_REGVAL_MODIFIED 978 | else 979 | color $COLOR_REGVAL 980 | end 981 | printf " 0x%016lX\n ", $r12 982 | # R13 983 | color $COLOR_REGNAME 984 | printf "R13:" 985 | if ($r13 != $oldr13 && $SHOWREGCHANGES == 1) 986 | color $COLOR_REGVAL_MODIFIED 987 | else 988 | color $COLOR_REGVAL 989 | end 990 | printf " 0x%016lX ", $r13 991 | # R14 992 | color $COLOR_REGNAME 993 | printf "R14:" 994 | if ($r14 != $oldr14 && $SHOWREGCHANGES == 1) 995 | color $COLOR_REGVAL_MODIFIED 996 | else 997 | color $COLOR_REGVAL 998 | end 999 | printf " 0x%016lX ", $r14 1000 | # R15 1001 | color $COLOR_REGNAME 1002 | printf "R15:" 1003 | if ($r15 != $oldr15 && $SHOWREGCHANGES == 1) 1004 | color $COLOR_REGVAL_MODIFIED 1005 | else 1006 | color $COLOR_REGVAL 1007 | end 1008 | 
printf " 0x%016lX\n ", $r15 1009 | color $COLOR_REGNAME 1010 | printf "CS:" 1011 | color $COLOR_REGVAL 1012 | printf " %04X ", $cs 1013 | color $COLOR_REGNAME 1014 | printf "DS:" 1015 | color $COLOR_REGVAL 1016 | printf " %04X ", $ds 1017 | color $COLOR_REGNAME 1018 | printf "ES:" 1019 | color $COLOR_REGVAL 1020 | printf " %04X ", $es 1021 | color $COLOR_REGNAME 1022 | printf "FS:" 1023 | color $COLOR_REGVAL 1024 | printf " %04X ", $fs 1025 | color $COLOR_REGNAME 1026 | printf "GS:" 1027 | color $COLOR_REGVAL 1028 | printf " %04X ", $gs 1029 | color $COLOR_REGNAME 1030 | printf "SS:" 1031 | color $COLOR_REGVAL 1032 | printf " %04X", $ss 1033 | color_reset 1034 | end 1035 | document regx64 1036 | Syntax: regx64 1037 | | Auxiliary function to display X86_64 registers. 1038 | end 1039 | 1040 | 1041 | define regx86 1042 | printf " " 1043 | # EAX 1044 | color $COLOR_REGNAME 1045 | printf "EAX:" 1046 | if ($eax != $oldeax && $SHOWREGCHANGES == 1) 1047 | color $COLOR_REGVAL_MODIFIED 1048 | else 1049 | color $COLOR_REGVAL 1050 | end 1051 | printf " 0x%08X ", $eax 1052 | # EBX 1053 | color $COLOR_REGNAME 1054 | printf "EBX:" 1055 | if ($ebx != $oldebx && $SHOWREGCHANGES == 1) 1056 | color $COLOR_REGVAL_MODIFIED 1057 | else 1058 | color $COLOR_REGVAL 1059 | end 1060 | printf " 0x%08X ", $ebx 1061 | # ECX 1062 | color $COLOR_REGNAME 1063 | printf "ECX:" 1064 | if ($ecx != $oldecx && $SHOWREGCHANGES == 1) 1065 | color $COLOR_REGVAL_MODIFIED 1066 | else 1067 | color $COLOR_REGVAL 1068 | end 1069 | printf " 0x%08X ", $ecx 1070 | # EDX 1071 | color $COLOR_REGNAME 1072 | printf "EDX:" 1073 | if ($edx != $oldedx && $SHOWREGCHANGES == 1) 1074 | color $COLOR_REGVAL_MODIFIED 1075 | else 1076 | color $COLOR_REGVAL 1077 | end 1078 | printf " 0x%08X ", $edx 1079 | color_bold 1080 | color_underline 1081 | color $COLOR_CPUFLAGS 1082 | flags 1083 | color_reset 1084 | printf " " 1085 | # ESI 1086 | color $COLOR_REGNAME 1087 | printf "ESI:" 1088 | if ($esi != $oldesi && $SHOWREGCHANGES == 1) 
1089 | color $COLOR_REGVAL_MODIFIED 1090 | else 1091 | color $COLOR_REGVAL 1092 | end 1093 | printf " 0x%08X ", $esi 1094 | # EDI 1095 | color $COLOR_REGNAME 1096 | printf "EDI:" 1097 | if ($edi != $oldedi && $SHOWREGCHANGES == 1) 1098 | color $COLOR_REGVAL_MODIFIED 1099 | else 1100 | color $COLOR_REGVAL 1101 | end 1102 | printf " 0x%08X ", $edi 1103 | # EBP 1104 | color $COLOR_REGNAME 1105 | printf "EBP:" 1106 | if ($ebp != $oldebp && $SHOWREGCHANGES == 1) 1107 | color $COLOR_REGVAL_MODIFIED 1108 | else 1109 | color $COLOR_REGVAL 1110 | end 1111 | printf " 0x%08X ", $ebp 1112 | # ESP 1113 | color $COLOR_REGNAME 1114 | printf "ESP:" 1115 | if ($esp != $oldesp && $SHOWREGCHANGES == 1) 1116 | color $COLOR_REGVAL_MODIFIED 1117 | else 1118 | color $COLOR_REGVAL 1119 | end 1120 | printf " 0x%08X ", $esp 1121 | # EIP 1122 | color $COLOR_REGNAME 1123 | printf "EIP:" 1124 | color $COLOR_REGVAL_MODIFIED 1125 | printf " 0x%08X\n ", $eip 1126 | color $COLOR_REGNAME 1127 | printf "CS:" 1128 | color $COLOR_REGVAL 1129 | printf " %04X ", $cs 1130 | color $COLOR_REGNAME 1131 | printf "DS:" 1132 | color $COLOR_REGVAL 1133 | printf " %04X ", $ds 1134 | color $COLOR_REGNAME 1135 | printf "ES:" 1136 | color $COLOR_REGVAL 1137 | printf " %04X ", $es 1138 | color $COLOR_REGNAME 1139 | printf "FS:" 1140 | color $COLOR_REGVAL 1141 | printf " %04X ", $fs 1142 | color $COLOR_REGNAME 1143 | printf "GS:" 1144 | color $COLOR_REGVAL 1145 | printf " %04X ", $gs 1146 | color $COLOR_REGNAME 1147 | printf "SS:" 1148 | color $COLOR_REGVAL 1149 | printf " %04X", $ss 1150 | color_reset 1151 | end 1152 | document regx86 1153 | Syntax: regx86 1154 | | Auxiliary function to display X86 registers. 
1155 | end 1156 | 1157 | 1158 | define reg 1159 | if $ARM == 1 1160 | regarm 1161 | if ($SHOWREGCHANGES == 1) 1162 | set $oldr0 = $r0 1163 | set $oldr1 = $r1 1164 | set $oldr2 = $r2 1165 | set $oldr3 = $r3 1166 | set $oldr4 = $r4 1167 | set $oldr5 = $r5 1168 | set $oldr6 = $r6 1169 | set $oldr7 = $r7 1170 | set $oldr8 = $r8 1171 | set $oldr9 = $r9 1172 | set $oldr10 = $r10 1173 | set $oldr11 = $r11 1174 | set $oldr12 = $r12 1175 | set $oldsp = $sp 1176 | set $oldlr = $lr 1177 | end 1178 | else 1179 | if ($64BITS == 1) 1180 | regx64 1181 | else 1182 | regx86 1183 | end 1184 | # call smallregisters 1185 | smallregisters 1186 | # display conditional jump routine 1187 | if ($64BITS == 1) 1188 | printf "\t\t\t\t" 1189 | end 1190 | dumpjump 1191 | printf "\n" 1192 | if ($SHOWREGCHANGES == 1) 1193 | if ($64BITS == 1) 1194 | set $oldrax = $rax 1195 | set $oldrbx = $rbx 1196 | set $oldrcx = $rcx 1197 | set $oldrdx = $rdx 1198 | set $oldrsi = $rsi 1199 | set $oldrdi = $rdi 1200 | set $oldrbp = $rbp 1201 | set $oldrsp = $rsp 1202 | set $oldr8 = $r8 1203 | set $oldr9 = $r9 1204 | set $oldr10 = $r10 1205 | set $oldr11 = $r11 1206 | set $oldr12 = $r12 1207 | set $oldr13 = $r13 1208 | set $oldr14 = $r14 1209 | set $oldr15 = $r15 1210 | else 1211 | set $oldeax = $eax 1212 | set $oldebx = $ebx 1213 | set $oldecx = $ecx 1214 | set $oldedx = $edx 1215 | set $oldesi = $esi 1216 | set $oldedi = $edi 1217 | set $oldebp = $ebp 1218 | set $oldesp = $esp 1219 | end 1220 | end 1221 | end 1222 | end 1223 | document reg 1224 | Syntax: reg 1225 | | Print CPU registers. 
1226 | end 1227 | 1228 | 1229 | define smallregisters 1230 | if ($64BITS == 1) 1231 | # from rax 1232 | set $eax = $rax & 0xffffffff 1233 | set $ax = $rax & 0xffff 1234 | set $al = $ax & 0xff 1235 | set $ah = $ax >> 8 1236 | # from rbx 1237 | set $ebx = $rbx & 0xffffffff 1238 | set $bx = $rbx & 0xffff 1239 | set $bl = $bx & 0xff 1240 | set $bh = $bx >> 8 1241 | # from rcx 1242 | set $ecx = $rcx & 0xffffffff 1243 | set $cx = $rcx & 0xffff 1244 | set $cl = $cx & 0xff 1245 | set $ch = $cx >> 8 1246 | # from rdx 1247 | set $edx = $rdx & 0xffffffff 1248 | set $dx = $rdx & 0xffff 1249 | set $dl = $dx & 0xff 1250 | set $dh = $dx >> 8 1251 | # from rsi 1252 | set $esi = $rsi & 0xffffffff 1253 | set $si = $rsi & 0xffff 1254 | # from rdi 1255 | set $edi = $rdi & 0xffffffff 1256 | set $di = $rdi & 0xffff 1257 | #32 bits stuff 1258 | else 1259 | # from eax 1260 | set $ax = $eax & 0xffff 1261 | set $al = $ax & 0xff 1262 | set $ah = $ax >> 8 1263 | # from ebx 1264 | set $bx = $ebx & 0xffff 1265 | set $bl = $bx & 0xff 1266 | set $bh = $bx >> 8 1267 | # from ecx 1268 | set $cx = $ecx & 0xffff 1269 | set $cl = $cx & 0xff 1270 | set $ch = $cx >> 8 1271 | # from edx 1272 | set $dx = $edx & 0xffff 1273 | set $dl = $dx & 0xff 1274 | set $dh = $dx >> 8 1275 | # from esi 1276 | set $si = $esi & 0xffff 1277 | # from edi 1278 | set $di = $edi & 0xffff 1279 | end 1280 | end 1281 | document smallregisters 1282 | Syntax: smallregisters 1283 | | Create the 16 and 8 bit cpu registers (gdb doesn't have them by default). 1284 | | And 32bits if we are dealing with 64bits binaries. 1285 | end 1286 | 1287 | 1288 | define func 1289 | if $argc == 0 1290 | info functions 1291 | end 1292 | if $argc == 1 1293 | info functions $arg0 1294 | end 1295 | if $argc > 1 1296 | help func 1297 | end 1298 | end 1299 | document func 1300 | Syntax: func 1301 | | Print all function names in target, or those matching REGEXP. 
1302 | end 1303 | 1304 | 1305 | define var 1306 | if $argc == 0 1307 | info variables 1308 | end 1309 | if $argc == 1 1310 | info variables $arg0 1311 | end 1312 | if $argc > 1 1313 | help var 1314 | end 1315 | end 1316 | document var 1317 | Syntax: var 1318 | | Print all global and static variable names (symbols), or those matching REGEXP. 1319 | end 1320 | 1321 | 1322 | define lib 1323 | info sharedlibrary 1324 | end 1325 | document lib 1326 | Syntax: lib 1327 | | Print shared libraries linked to target. 1328 | end 1329 | 1330 | 1331 | define sig 1332 | if $argc == 0 1333 | info signals 1334 | end 1335 | if $argc == 1 1336 | info signals $arg0 1337 | end 1338 | if $argc > 1 1339 | help sig 1340 | end 1341 | end 1342 | document sig 1343 | Syntax: sig 1344 | | Print what debugger does when program gets various signals. 1345 | | Specify a SIGNAL as argument to print info on that signal only. 1346 | end 1347 | 1348 | 1349 | define threads 1350 | info threads 1351 | end 1352 | document threads 1353 | Syntax: threads 1354 | | Print threads in target. 1355 | end 1356 | 1357 | 1358 | define dis 1359 | if $argc == 0 1360 | disassemble 1361 | end 1362 | if $argc == 1 1363 | disassemble $arg0 1364 | end 1365 | if $argc == 2 1366 | disassemble $arg0 $arg1 1367 | end 1368 | if $argc > 2 1369 | help dis 1370 | end 1371 | end 1372 | document dis 1373 | Syntax: dis 1374 | | Disassemble a specified section of memory. 1375 | | Default is to disassemble the function surrounding the PC (program counter) of selected frame. 1376 | | With one argument, ADDR1, the function surrounding this address is dumped. 1377 | | Two arguments are taken as a range of memory to dump. 1378 | end 1379 | 1380 | 1381 | # __________hex/ascii dump an address_________ 1382 | define ascii_char 1383 | if $argc != 1 1384 | help ascii_char 1385 | else 1386 | # thanks elaine :) 1387 | set $_c = *(unsigned char *)($arg0) 1388 | if ($_c < 0x20 || $_c > 0x7E) 1389 | printf "." 
1390 | else 1391 | printf "%c", $_c 1392 | end 1393 | end 1394 | end 1395 | document ascii_char 1396 | Syntax: ascii_char ADDR 1397 | | Print ASCII value of byte at address ADDR. 1398 | | Print "." if the value is unprintable. 1399 | end 1400 | 1401 | 1402 | define hex_quad 1403 | if $argc != 1 1404 | help hex_quad 1405 | else 1406 | printf "%02X %02X %02X %02X %02X %02X %02X %02X", \ 1407 | *(unsigned char*)($arg0), *(unsigned char*)($arg0 + 1), \ 1408 | *(unsigned char*)($arg0 + 2), *(unsigned char*)($arg0 + 3), \ 1409 | *(unsigned char*)($arg0 + 4), *(unsigned char*)($arg0 + 5), \ 1410 | *(unsigned char*)($arg0 + 6), *(unsigned char*)($arg0 + 7) 1411 | end 1412 | end 1413 | document hex_quad 1414 | Syntax: hex_quad ADDR 1415 | | Print eight hexadecimal bytes starting at address ADDR. 1416 | end 1417 | 1418 | 1419 | define hexdump 1420 | if $argc == 1 1421 | hexdump_aux $arg0 1422 | else 1423 | if $argc == 2 1424 | set $_count = 0 1425 | while ($_count < $arg1) 1426 | set $_i = ($_count * 0x10) 1427 | hexdump_aux $arg0+$_i 1428 | set $_count++ 1429 | end 1430 | else 1431 | help hexdump 1432 | end 1433 | end 1434 | end 1435 | document hexdump 1436 | Syntax: hexdump ADDR 1437 | | Display a 16-byte hex/ASCII dump of memory starting at address ADDR. 1438 | | Optional parameter is the number of lines to display if you want more than one. 
1439 | end 1440 | 1441 | 1442 | define hexdump_aux 1443 | if $argc != 1 1444 | help hexdump_aux 1445 | else 1446 | color_bold 1447 | if ($64BITS == 1) 1448 | printf "0x%016lX : ", $arg0 1449 | else 1450 | printf "0x%08X : ", $arg0 1451 | end 1452 | color_reset 1453 | hex_quad $arg0 1454 | color_bold 1455 | printf " - " 1456 | color_reset 1457 | hex_quad $arg0+8 1458 | printf " " 1459 | color_bold 1460 | ascii_char $arg0+0x0 1461 | ascii_char $arg0+0x1 1462 | ascii_char $arg0+0x2 1463 | ascii_char $arg0+0x3 1464 | ascii_char $arg0+0x4 1465 | ascii_char $arg0+0x5 1466 | ascii_char $arg0+0x6 1467 | ascii_char $arg0+0x7 1468 | ascii_char $arg0+0x8 1469 | ascii_char $arg0+0x9 1470 | ascii_char $arg0+0xA 1471 | ascii_char $arg0+0xB 1472 | ascii_char $arg0+0xC 1473 | ascii_char $arg0+0xD 1474 | ascii_char $arg0+0xE 1475 | ascii_char $arg0+0xF 1476 | color_reset 1477 | printf "\n" 1478 | end 1479 | end 1480 | document hexdump_aux 1481 | Syntax: hexdump_aux ADDR 1482 | | Display a 16-byte hex/ASCII dump of memory at address ADDR. 
1483 | end 1484 | 1485 | 1486 | # _______________data window__________________ 1487 | define ddump 1488 | if $argc != 1 1489 | help ddump 1490 | else 1491 | color $COLOR_SEPARATOR 1492 | if $ARM == 1 1493 | printf "[0x%08X]", $data_addr 1494 | else 1495 | if ($64BITS == 1) 1496 | printf "[0x%04X:0x%016lX]", $ds, $data_addr 1497 | else 1498 | printf "[0x%04X:0x%08X]", $ds, $data_addr 1499 | end 1500 | end 1501 | 1502 | color $COLOR_SEPARATOR 1503 | printf "------------------------" 1504 | printf "-------------------------------" 1505 | if ($64BITS == 1) 1506 | printf "-------------------------------------" 1507 | end 1508 | color_bold 1509 | color $COLOR_SEPARATOR 1510 | printf "[data]\n" 1511 | color_reset 1512 | set $_count = 0 1513 | while ($_count < $arg0) 1514 | set $_i = ($_count * 0x10) 1515 | hexdump $data_addr+$_i 1516 | set $_count++ 1517 | end 1518 | end 1519 | end 1520 | document ddump 1521 | Syntax: ddump NUM 1522 | | Display NUM lines of hexdump for address in $data_addr global variable. 1523 | end 1524 | 1525 | 1526 | define dd 1527 | if $argc != 1 1528 | help dd 1529 | else 1530 | set $data_addr = $arg0 1531 | ddump 0x10 1532 | end 1533 | end 1534 | document dd 1535 | Syntax: dd ADDR 1536 | | Display 16 lines of a hex dump of address starting at ADDR. 
1537 | end 1538 | 1539 | 1540 | define datawin 1541 | if $ARM == 1 1542 | if ((($r0 >> 0x18) == 0x40) || (($r0 >> 0x18) == 0x08) || (($r0 >> 0x18) == 0xBF)) 1543 | set $data_addr = $r0 1544 | else 1545 | if ((($r1 >> 0x18) == 0x40) || (($r1 >> 0x18) == 0x08) || (($r1 >> 0x18) == 0xBF)) 1546 | set $data_addr = $r1 1547 | else 1548 | if ((($r2 >> 0x18) == 0x40) || (($r2 >> 0x18) == 0x08) || (($r2 >> 0x18) == 0xBF)) 1549 | set $data_addr = $r2 1550 | else 1551 | set $data_addr = $sp 1552 | end 1553 | end 1554 | end 1555 | ################################# X86 1556 | else 1557 | if ($64BITS == 1) 1558 | if ((($rsi >> 0x18) == 0x40) || (($rsi >> 0x18) == 0x08) || (($rsi >> 0x18) == 0xBF)) 1559 | set $data_addr = $rsi 1560 | else 1561 | if ((($rdi >> 0x18) == 0x40) || (($rdi >> 0x18) == 0x08) || (($rdi >> 0x18) == 0xBF)) 1562 | set $data_addr = $rdi 1563 | else 1564 | if ((($rax >> 0x18) == 0x40) || (($rax >> 0x18) == 0x08) || (($rax >> 0x18) == 0xBF)) 1565 | set $data_addr = $rax 1566 | else 1567 | set $data_addr = $rsp 1568 | end 1569 | end 1570 | end 1571 | else 1572 | if ((($esi >> 0x18) == 0x40) || (($esi >> 0x18) == 0x08) || (($esi >> 0x18) == 0xBF)) 1573 | set $data_addr = $esi 1574 | else 1575 | if ((($edi >> 0x18) == 0x40) || (($edi >> 0x18) == 0x08) || (($edi >> 0x18) == 0xBF)) 1576 | set $data_addr = $edi 1577 | else 1578 | if ((($eax >> 0x18) == 0x40) || (($eax >> 0x18) == 0x08) || (($eax >> 0x18) == 0xBF)) 1579 | set $data_addr = $eax 1580 | else 1581 | set $data_addr = $esp 1582 | end 1583 | end 1584 | end 1585 | end 1586 | end 1587 | ddump $CONTEXTSIZE_DATA 1588 | end 1589 | document datawin 1590 | Syntax: datawin 1591 | | Display valid address from one register in data window. 1592 | | Registers to choose are: esi, edi, eax, or esp. 
1593 | end 1594 | 1595 | 1596 | ################################ 1597 | ##### ALERT ALERT ALERT ######## 1598 | ################################ 1599 | # Huge mess going here :) HAHA # 1600 | ################################ 1601 | define dumpjump 1602 | if $ARM == 1 1603 | ## Most ARM and Thumb instructions are conditional! 1604 | # each instruction is 32 bits long 1605 | # 4 bits are for condition codes (16 in total) (bits 31:28 in ARM contain the condition or 1111 if instruction is unconditional) 1606 | # 2x4 bits for destination and first operand registers 1607 | # one for the set-status flag 1608 | # an assorted number for other stuff 1609 | # 12 bits for any immediate value 1610 | # $_t_flag == 0 => ARM mode 1611 | # $_t_flag == 1 => Thumb or ThumbEE 1612 | # State bit (T), bit 5 1613 | if (($cpsr >> 5) & 1) 1614 | set $_t_flag = 1 1615 | else 1616 | set $_t_flag = 0 1617 | end 1618 | 1619 | if $_t_flag == 0 1620 | set $_lastbyte = *(unsigned char *)($pc+3) 1621 | #set $_bit31 = ($_lastbyte >> 7) & 1 1622 | #set $_bit30 = ($_lastbyte >> 6) & 1 1623 | #set $_bit29 = ($_lastbyte >> 5) & 1 1624 | #set $_bit28 = ($_lastbyte >> 4) & 1 1625 | set $_conditional = $_lastbyte >> 4 1626 | dumpjumphelper 1627 | else 1628 | # if bits 15-12 (opcode in Thumb instructions) are equal to 1 1 0 1 (0xD) then we have a conditional branch 1629 | # bits 11-8 for the conditional execution code (check ARMv7 manual A8.3) 1630 | if ( (*(unsigned char *)($pc+1) >> 4) == 0xD ) 1631 | set $_conditional = *(unsigned char *)($pc+1) ^ 0xD0 1632 | dumpjumphelper 1633 | end 1634 | end 1635 | ##################### X86 1636 | else 1637 | ## grab the first two bytes from the instruction so we can determine the jump instruction 1638 | set $_byte1 = *(unsigned char *)$pc 1639 | set $_byte2 = *(unsigned char *)($pc+1) 1640 | ## and now check what kind of jump we have (in case it's a jump instruction) 1641 | ## I changed the flags routine to save the flag into a variable, so we don't need to repeat 
the process :) (search for "define flags") 1642 | 1643 | ## opcode 0x77: JA, JNBE (jump if CF=0 and ZF=0) 1644 | ## opcode 0x0F87: JNBE, JA 1645 | if ( ($_byte1 == 0x77) || ($_byte1 == 0x0F && $_byte2 == 0x87) ) 1646 | # cf=0 and zf=0 1647 | if ($_cf_flag == 0 && $_zf_flag == 0) 1648 | color $RED 1649 | printf " Jump is taken (c=0 and z=0)" 1650 | else 1651 | # cf != 0 or zf != 0 1652 | color $RED 1653 | printf " Jump is NOT taken (c!=0 or z!=0)" 1654 | end 1655 | end 1656 | ## opcode 0x73: JAE, JNB, JNC (jump if CF=0) 1657 | ## opcode 0x0F83: JNC, JNB, JAE (jump if CF=0) 1658 | if ( ($_byte1 == 0x73) || ($_byte1 == 0x0F && $_byte2 == 0x83) ) 1659 | # cf=0 1660 | if ($_cf_flag == 0) 1661 | color $RED 1662 | printf " Jump is taken (c=0)" 1663 | else 1664 | # cf != 0 1665 | color $RED 1666 | printf " Jump is NOT taken (c!=0)" 1667 | end 1668 | end 1669 | ## opcode 0x72: JB, JC, JNAE (jump if CF=1) 1670 | ## opcode 0x0F82: JNAE, JB, JC 1671 | if ( ($_byte1 == 0x72) || ($_byte1 == 0x0F && $_byte2 == 0x82) ) 1672 | # cf=1 1673 | if ($_cf_flag == 1) 1674 | color $RED 1675 | printf " Jump is taken (c=1)" 1676 | else 1677 | # cf != 1 1678 | color $RED 1679 | printf " Jump is NOT taken (c!=1)" 1680 | end 1681 | end 1682 | ## opcode 0x76: JBE, JNA (jump if CF=1 or ZF=1) 1683 | ## opcode 0x0F86: JBE, JNA 1684 | if ( ($_byte1 == 0x76) || ($_byte1 == 0x0F && $_byte2 == 0x86) ) 1685 | # cf=1 or zf=1 1686 | if (($_cf_flag == 1) || ($_zf_flag == 1)) 1687 | color $RED 1688 | printf " Jump is taken (c=1 or z=1)" 1689 | else 1690 | # cf != 1 or zf != 1 1691 | color $RED 1692 | printf " Jump is NOT taken (c!=1 or z!=1)" 1693 | end 1694 | end 1695 | ## opcode 0xE3: JCXZ, JECXZ, JRCXZ (jump if CX=0 or ECX=0 or RCX=0) 1696 | if ($_byte1 == 0xE3) 1697 | # cx=0 or ecx=0 1698 | if (($ecx == 0) || ($cx == 0)) 1699 | color $RED 1700 | printf " Jump is taken (cx=0 or ecx=0)" 1701 | else 1702 | color $RED 1703 | printf " Jump is NOT taken (cx!=0 or ecx!=0)" 1704 | end 1705 | end 1706 | ## 
opcode 0x74: JE, JZ (jump if ZF=1) 1707 | ## opcode 0x0F84: JZ, JE, JZ (jump if ZF=1) 1708 | if ( ($_byte1 == 0x74) || ($_byte1 == 0x0F && $_byte2 == 0x84) ) 1709 | # ZF = 1 1710 | if ($_zf_flag == 1) 1711 | color $RED 1712 | printf " Jump is taken (z=1)" 1713 | else 1714 | # ZF = 0 1715 | color $RED 1716 | printf " Jump is NOT taken (z!=1)" 1717 | end 1718 | end 1719 | ## opcode 0x7F: JG, JNLE (jump if ZF=0 and SF=OF) 1720 | ## opcode 0x0F8F: JNLE, JG (jump if ZF=0 and SF=OF) 1721 | if ( ($_byte1 == 0x7F) || ($_byte1 == 0x0F && $_byte2 == 0x8F) ) 1722 | # zf = 0 and sf = of 1723 | if (($_zf_flag == 0) && ($_sf_flag == $_of_flag)) 1724 | color $RED 1725 | printf " Jump is taken (z=0 and s=o)" 1726 | else 1727 | color $RED 1728 | printf " Jump is NOT taken (z!=0 or s!=o)" 1729 | end 1730 | end 1731 | ## opcode 0x7D: JGE, JNL (jump if SF=OF) 1732 | ## opcode 0x0F8D: JNL, JGE (jump if SF=OF) 1733 | if ( ($_byte1 == 0x7D) || ($_byte1 == 0x0F && $_byte2 == 0x8D) ) 1734 | # sf = of 1735 | if ($_sf_flag == $_of_flag) 1736 | color $RED 1737 | printf " Jump is taken (s=o)" 1738 | else 1739 | color $RED 1740 | printf " Jump is NOT taken (s!=o)" 1741 | end 1742 | end 1743 | ## opcode: 0x7C: JL, JNGE (jump if SF != OF) 1744 | ## opcode: 0x0F8C: JNGE, JL (jump if SF != OF) 1745 | if ( ($_byte1 == 0x7C) || ($_byte1 == 0x0F && $_byte2 == 0x8C) ) 1746 | # sf != of 1747 | if ($_sf_flag != $_of_flag) 1748 | color $RED 1749 | printf " Jump is taken (s!=o)" 1750 | else 1751 | color $RED 1752 | printf " Jump is NOT taken (s=o)" 1753 | end 1754 | end 1755 | ## opcode 0x7E: JLE, JNG (jump if ZF = 1 or SF != OF) 1756 | ## opcode 0x0F8E: JNG, JLE (jump if ZF = 1 or SF != OF) 1757 | if ( ($_byte1 == 0x7E) || ($_byte1 == 0x0F && $_byte2 == 0x8E) ) 1758 | # zf = 1 or sf != of 1759 | if (($_zf_flag == 1) || ($_sf_flag != $_of_flag)) 1760 | color $RED 1761 | printf " Jump is taken (zf=1 or sf!=of)" 1762 | else 1763 | color $RED 1764 | printf " Jump is NOT taken (zf!=1 or sf=of)" 1765 | end 1766 
| end 1767 | ## opcode 0x75: JNE, JNZ (jump if ZF = 0) 1768 | ## opcode 0x0F85: JNE, JNZ (jump if ZF = 0) 1769 | if ( ($_byte1 == 0x75) || ($_byte1 == 0x0F && $_byte2 == 0x85) ) 1770 | # ZF = 0 1771 | if ($_zf_flag == 0) 1772 | color $RED 1773 | printf " Jump is taken (z=0)" 1774 | else 1775 | # ZF = 1 1776 | color $RED 1777 | printf " Jump is NOT taken (z!=0)" 1778 | end 1779 | end 1780 | ## opcode 0x71: JNO (OF = 0) 1781 | ## opcode 0x0F81: JNO (OF = 0) 1782 | if ( ($_byte1 == 0x71) || ($_byte1 == 0x0F && $_byte2 == 0x81) ) 1783 | # OF = 0 1784 | if ($_of_flag == 0) 1785 | color $RED 1786 | printf " Jump is taken (o=0)" 1787 | else 1788 | # OF != 0 1789 | color $RED 1790 | printf " Jump is NOT taken (o!=0)" 1791 | end 1792 | end 1793 | ## opcode 0x7B: JNP, JPO (jump if PF = 0) 1794 | ## opcode 0x0F8B: JPO (jump if PF = 0) 1795 | if ( ($_byte1 == 0x7B) || ($_byte1 == 0x0F && $_byte2 == 0x8B) ) 1796 | # PF = 0 1797 | if ($_pf_flag == 0) 1798 | color $RED 1799 | printf " Jump is NOT taken (p=0)" 1800 | else 1801 | # PF != 0 1802 | color $RED 1803 | printf " Jump is taken (p!=0)" 1804 | end 1805 | end 1806 | ## opcode 0x79: JNS (jump if SF = 0) 1807 | ## opcode 0x0F89: JNS (jump if SF = 0) 1808 | if ( ($_byte1 == 0x79) || ($_byte1 == 0x0F && $_byte2 == 0x89) ) 1809 | # SF = 0 1810 | if ($_sf_flag == 0) 1811 | color $RED 1812 | printf " Jump is taken (s=0)" 1813 | else 1814 | # SF != 0 1815 | color $RED 1816 | printf " Jump is NOT taken (s!=0)" 1817 | end 1818 | end 1819 | ## opcode 0x70: JO (jump if OF=1) 1820 | ## opcode 0x0F80: JO (jump if OF=1) 1821 | if ( ($_byte1 == 0x70) || ($_byte1 == 0x0F && $_byte2 == 0x80) ) 1822 | # OF = 1 1823 | if ($_of_flag == 1) 1824 | color $RED 1825 | printf " Jump is taken (o=1)" 1826 | else 1827 | # OF != 1 1828 | color $RED 1829 | printf " Jump is NOT taken (o!=1)" 1830 | end 1831 | end 1832 | ## opcode 0x7A: JP, JPE (jump if PF=1) 1833 | ## opcode 0x0F8A: JP, JPE (jump if PF=1) 1834 | if ( ($_byte1 == 0x7A) || ($_byte1 == 0x0F && 
$_byte2 == 0x8A) ) 1835 | # PF = 1 1836 | if ($_pf_flag == 1) 1837 | color $RED 1838 | printf " Jump is taken (p=1)" 1839 | else 1840 | # PF = 0 1841 | color $RED 1842 | printf " Jump is NOT taken (p!=1)" 1843 | end 1844 | end 1845 | ## opcode 0x78: JS (jump if SF=1) 1846 | ## opcode 0x0F88: JS (jump if SF=1) 1847 | if ( ($_byte1 == 0x78) || ($_byte1 == 0x0F && $_byte2 == 0x88) ) 1848 | # SF = 1 1849 | if ($_sf_flag == 1) 1850 | color $RED 1851 | printf " Jump is taken (s=1)" 1852 | else 1853 | # SF != 1 1854 | color $RED 1855 | printf " Jump is NOT taken (s!=1)" 1856 | end 1857 | end 1858 | end 1859 | end 1860 | document dumpjump 1861 | Syntax: dumpjump 1862 | | Display if conditional jump will be taken or not. 1863 | end 1864 | 1865 | define dumpjumphelper 1866 | # 0000 - EQ: Z == 1 1867 | if ($_conditional == 0x0) 1868 | if ($_z_flag == 1) 1869 | color $RED 1870 | printf " Jump is taken (z==1)" 1871 | else 1872 | color $RED 1873 | printf " Jump is NOT taken (z!=1)" 1874 | end 1875 | end 1876 | # 0001 - NE: Z == 0 1877 | if ($_conditional == 0x1) 1878 | if ($_z_flag == 0) 1879 | color $RED 1880 | printf " Jump is taken (z==0)" 1881 | else 1882 | color $RED 1883 | printf " Jump is NOT taken (z!=0)" 1884 | end 1885 | end 1886 | # 0010 - CS: C == 1 1887 | if ($_conditional == 0x2) 1888 | if ($_c_flag == 1) 1889 | color $RED 1890 | printf " Jump is taken (c==1)" 1891 | else 1892 | color $RED 1893 | printf " Jump is NOT taken (c!=1)" 1894 | end 1895 | end 1896 | # 0011 - CC: C == 0 1897 | if ($_conditional == 0x3) 1898 | if ($_c_flag == 0) 1899 | color $RED 1900 | printf " Jump is taken (c==0)" 1901 | else 1902 | color $RED 1903 | printf " Jump is NOT taken (c!=0)" 1904 | end 1905 | end 1906 | # 0100 - MI: N == 1 1907 | if ($_conditional == 0x4) 1908 | if ($_n_flag == 1) 1909 | color $RED 1910 | printf " Jump is taken (n==1)" 1911 | else 1912 | color $RED 1913 | printf " Jump is NOT taken (n!=1)" 1914 | end 1915 | end 1916 | # 0101 - PL: N == 0 1917 | if 
($_conditional == 0x5)
        if ($_n_flag == 0)
            color $RED
            printf " Jump is taken (n==0)"
        else
            color $RED
            printf " Jump is NOT taken (n!=0)"
        end
    end
    # 0110 - VS: V == 1
    if ($_conditional == 0x6)
        if ($_v_flag == 1)
            color $RED
            printf " Jump is taken (v==1)"
        else
            color $RED
            printf " Jump is NOT taken (v!=1)"
        end
    end
    # 0111 - VC: V == 0
    if ($_conditional == 0x7)
        if ($_v_flag == 0)
            color $RED
            printf " Jump is taken (v==0)"
        else
            color $RED
            printf " Jump is NOT taken (v!=0)"
        end
    end
    # 1000 - HI: C == 1 and Z == 0
    if ($_conditional == 0x8)
        if ($_c_flag == 1 && $_z_flag == 0)
            color $RED
            printf " Jump is taken (c==1 and z==0)"
        else
            color $RED
            printf " Jump is NOT taken (c!=1 or z!=0)"
        end
    end
    # 1001 - LS: C == 0 or Z == 1
    if ($_conditional == 0x9)
        if ($_c_flag == 0 || $_z_flag == 1)
            color $RED
            printf " Jump is taken (c==0 or z==1)"
        else
            color $RED
            printf " Jump is NOT taken (c!=0 and z!=1)"
        end
    end
    # 1010 - GE: N == V
    if ($_conditional == 0xA)
        if ($_n_flag == $_v_flag)
            color $RED
            printf " Jump is taken (n==v)"
        else
            color $RED
            printf " Jump is NOT taken (n!=v)"
        end
    end
    # 1011 - LT: N != V
    if ($_conditional == 0xB)
        if ($_n_flag != $_v_flag)
            color $RED
            printf " Jump is taken (n!=v)"
        else
            color $RED
            printf " Jump is NOT taken (n==v)"
        end
    end
    # 1100 - GT: Z == 0 and N == V
    if ($_conditional == 0xC)
        if ($_z_flag == 0 && $_n_flag == $_v_flag)
            color $RED
            printf " Jump is taken (z==0 and n==v)"
        else
            color $RED
            printf " Jump is NOT taken (z!=0 or n!=v)"
        end
    end
    # 1101 - LE: Z == 1 or N != V
    if ($_conditional == 0xD)
        if ($_z_flag == 1 || $_n_flag != $_v_flag)
            color $RED
            printf " Jump is taken (z==1 or n!=v)"
        else
            color $RED
            printf " Jump is NOT taken (z!=1 and n==v)"
        end
    end
end
document dumpjumphelper
Syntax: dumpjumphelper
| Helper function to decide if conditional jump will be taken or not, for ARM and Thumb.
end


# _______________process context______________
# initialize variable
set $displayobjectivec = 0

define context
    color $COLOR_SEPARATOR
    if $SHOWCPUREGISTERS == 1
        printf "----------------------------------------"
        printf "----------------------------------"
        if ($64BITS == 1)
            printf "---------------------------------------------"
        end
        color $COLOR_SEPARATOR
        color_bold
        printf "[regs]\n"
        color_reset
        reg
        color $CYAN
    end
    if $SHOWSTACK == 1
        color $COLOR_SEPARATOR
        if $ARM == 1
            printf "[0x%08X]", $sp
        else
            if ($64BITS == 1)
                printf "[0x%04X:0x%016lX]", $ss, $rsp
            else
                printf "[0x%04X:0x%08X]", $ss, $esp
            end
        end
        color $COLOR_SEPARATOR
        printf "-------------------------"
        printf "-----------------------------"
        if ($64BITS == 1)
            printf "-------------------------------------"
        end
        color $COLOR_SEPARATOR
        color_bold
        printf "[stack]\n"
        color_reset
        set $context_i = $CONTEXTSIZE_STACK
        while ($context_i > 0)
            set $context_t = $sp + 0x10 * ($context_i - 1)
            hexdump $context_t
            set $context_i--
        end
    end
    # show the objective C message being passed to msgSend
    if $SHOWOBJECTIVEC == 1
        #FIXME: X64 and ARM
        # What a piece of crap that's going on here :)
        # detect if it's the correct opcode we are searching for
        if $ARM == 0
            set $__byte1 = *(unsigned char *)$pc
            set $__byte = *(int *)$pc
            # 89 44 24 04 = mov %eax,0x4(%esp): the selector being stored as 2nd argument
            if ($__byte == 0x4244489)
                set $objectivec = $eax
                set $displayobjectivec = 1
            end

            # 89 54 24 04 = mov %edx,0x4(%esp)
            if ($__byte == 0x4245489)
                set $objectivec = $edx
                set $displayobjectivec = 1
            end

            # 89 4c 24 04 = mov %ecx,0x4(%esp)
            if ($__byte == 0x4244c89)
                set $objectivec = $ecx
                set $displayobjectivec = 1
            end
        else
            set $__byte1 = 0
        end
        # and now display it or not (we have no interest in having the info displayed after the call)
        # 0xE8 is the call opcode: show the selector one last time, then stop displaying it
        if $__byte1 == 0xE8
            if $displayobjectivec == 1
                color $COLOR_SEPARATOR
                printf "--------------------------------------------------------------------"
                if ($64BITS == 1)
                    printf "---------------------------------------------"
                end
                color $COLOR_SEPARATOR
                color_bold
                printf "[ObjectiveC]\n"
                color_reset
                color $BLACK
                x/s $objectivec
            end
            set $displayobjectivec = 0
        end
        if $displayobjectivec == 1
            color $COLOR_SEPARATOR
            printf "--------------------------------------------------------------------"
            if ($64BITS == 1)
                printf "---------------------------------------------"
            end
            color $COLOR_SEPARATOR
            color_bold
            printf "[ObjectiveC]\n"
            color_reset
            color $BLACK
            x/s $objectivec
        end
    end
    color_reset
    # and this is the end of this little crap

    if $SHOWDATAWIN == 1
        datawin
    end
    if $SHOWDISASM == 1
        color $COLOR_SEPARATOR
        printf "--------------------------------------------------------------------------"
        if ($64BITS == 1)
            printf "---------------------------------------------"
        end
        color $COLOR_SEPARATOR
        color_bold
        printf "[code]\n"
        color_reset
        set $context_i = $CONTEXTSIZE_CODE
        if ($context_i > 0)
            if ($SETCOLOR1STLINE == 1)
                color $GREEN
                if ($ARM == 1)
                    # OR in $cpsr.t (Thumb flag) so gdb disassembles in the right mode
                    x/i (unsigned int)$pc | (($cpsr >> 5) & 1)
                else
                    x/i $pc
                end
                color_reset
            else
                if ($ARM == 1)
                    # OR in $cpsr.t (Thumb flag) so gdb disassembles in the right mode
                    x/i (unsigned int)$pc | (($cpsr >> 5) & 1)
                else
                    x/i $pc
                end
            end
            set $context_i--
        end
        while ($context_i > 0)
            x /i
            set $context_i--
        end
    end
    color $COLOR_SEPARATOR
    printf "----------------------------------------"
    printf "----------------------------------------"
    if ($64BITS == 1)
        printf "---------------------------------------------\n"
    else
        printf "\n"
    end
    color_reset
end
document context
Syntax: context
| Print context window, i.e. regs, stack, ds:esi and disassemble cs:eip.
end


define context-on
    set $SHOW_CONTEXT = 1
    printf "Displaying of context is now ON\n"
end
document context-on
Syntax: context-on
| Enable display of context on every program break.
end


define context-off
    set $SHOW_CONTEXT = 0
    printf "Displaying of context is now OFF\n"
end
document context-off
Syntax: context-off
| Disable display of context on every program break.
end


# _______________process control______________
define n
    if $argc == 0
        nexti
    end
    if $argc == 1
        nexti $arg0
    end
    if $argc > 1
        help n
    end
end
document n
Syntax: n [NUM]
| Step one instruction, but proceed through subroutine calls.
| If NUM is given, then repeat it NUM times or till program stops.
| This is an alias for nexti.
end


define go
    if $argc == 0
        stepi
    end
    if $argc == 1
        stepi $arg0
    end
    if $argc > 1
        help go
    end
end
document go
Syntax: go [NUM]
| Step one instruction exactly.
| If NUM is given, then repeat it NUM times or till program stops.
| This is an alias for stepi.
end


define pret
    finish
end
document pret
Syntax: pret
| Execute until selected stack frame returns (step out of current call).
| Upon return, the value returned is printed and put in the value history.
end


define init
    set $SHOW_NEST_INSN = 0
    tbreak _init
    r
end
document init
Syntax: init
| Run program and break on _init().
end


define start
    set $SHOW_NEST_INSN = 0
    tbreak _start
    r
end
document start
Syntax: start
| Run program and break on _start().
end


define sstart
    set $SHOW_NEST_INSN = 0
    tbreak __libc_start_main
    r
end
document sstart
Syntax: sstart
| Run program and break on __libc_start_main().
| Useful for stripped executables.
end


define main
    set $SHOW_NEST_INSN = 0
    tbreak main
    r
end
document main
Syntax: main
| Run program and break on main().
end


# FIXME64
#### WARNING ! WARNING !!
#### More messy stuff starting !!!
#### I was thinking about how to do this and then it occurred to me that it could be as simple as this ! :)
define stepoframework
    if $ARM == 1
        # bl and bx opcodes
        # bx Rn  => ARM bits 27-20: 0 0 0 1 0 0 1 0 , bits 7-4: 0 0 0 1 ; Thumb bits: 15-7: 0 1 0 0 0 1 1 1 0
        # blx Rn => ARM bits 27-20: 0 0 0 1 0 0 1 0 , bits 7-4: 0 0 1 1 ; Thumb bits: 15-7: 0 1 0 0 0 1 1 1 1
        # bl #   => ARM bits 27-24: 1 0 1 1 ; Thumb bits: 15-11: 1 1 1 1 0
        # blx #  => ARM bits 31-25: 1 1 1 1 1 0 1 ; Thumb bits: 15-11: 1 1 1 1 0
        set $_nextaddress = 0

        # ARM Mode
        if ($_t_flag == 0)
            set $_branchesint = *(unsigned int*)$pc
            set $_bit31 = ($_branchesint >> 0x1F) & 1
            set $_bit30 = ($_branchesint >> 0x1E) & 1
            set $_bit29 = ($_branchesint >> 0x1D) & 1
            set $_bit28 = ($_branchesint >> 0x1C) & 1
            set $_bit27 = ($_branchesint >> 0x1B) & 1
            set $_bit26 = ($_branchesint >> 0x1A) & 1
            set $_bit25 = ($_branchesint >> 0x19) & 1
            set $_bit24 = ($_branchesint >> 0x18) & 1
            set $_bit23 = ($_branchesint >> 0x17) & 1
            set $_bit22 = ($_branchesint >> 0x16) & 1
            set $_bit21 = ($_branchesint >> 0x15) & 1
            set $_bit20 = ($_branchesint >> 0x14) & 1
            set $_bit7 = ($_branchesint >> 0x7) & 1
            set $_bit6 = ($_branchesint >> 0x6) & 1
            set $_bit5 = ($_branchesint >> 0x5) & 1
            set $_bit4 = ($_branchesint >> 0x4) & 1

            # set $_lastbyte = *(unsigned char *)($pc+3)
            # set $_bits2724 = $_lastbyte & 0x1
            # set $_bits3128 = $_lastbyte >> 4
            # if ($_bits3128 == 0xF)
            #     set $_bits2724 = $_lastbyte & 0xA
            #     set $_bits2724 = $_bits2724 >> 1
            # end
            # set $_previousbyte = *(unsigned char *)($pc+2)
            # set $_bits2320 = $_previousbyte >> 4
            # printf "bits2724: %x bits2320: %x\n", $_bits2724, $_bits2320

            if ($_bit27 == 0 && $_bit26 == 0 && $_bit25 == 0 && $_bit24 == 1 && $_bit23 == 0 && $_bit22 == 0 && $_bit21 == 1 && $_bit20 == 0 && $_bit7 == 0 && $_bit6 == 0 && $_bit5 == 0 && $_bit4 == 1)
                printf "Found a bx Rn\n"
                set $_nextaddress = $pc+0x4
            end
            if ($_bit27 == 0 && $_bit26 == 0 && $_bit25 == 0 && $_bit24 == 1 && $_bit23 == 0 && $_bit22 == 0 && $_bit21 == 1 && $_bit20 == 0 && $_bit7 == 0 && $_bit6 == 0 && $_bit5 == 1 && $_bit4 == 1)
                printf "Found a blx Rn\n"
                set $_nextaddress = $pc+0x4
            end
            if ($_bit27 == 1 && $_bit26 == 0 && $_bit25 == 1 && $_bit24 == 1)
                printf "Found a bl #\n"
                set $_nextaddress = $pc+0x4
            end
            if ($_bit31 == 1 && $_bit30 == 1 && $_bit29 == 1 && $_bit28 == 1 && $_bit27 == 1 && $_bit26 == 0 && $_bit25 == 1)
                printf "Found a blx #\n"
                set $_nextaddress = $pc+0x4
            end
        # Thumb Mode
        else
            # 32 bits instructions in Thumb are divided into two half words
            set $_hw1 = *(unsigned short*)($pc)
            set $_hw2 = *(unsigned short*)($pc+2)

            # bl/blx (immediate)
            # hw1: bits 15-11: 1 1 1 1 0
            # hw2: bits 15-14: 1 1 ; BL bit 12: 1 ; BLX bit 12: 0
            if ( ($_hw1 >> 0xC) == 0xF && (($_hw1 >> 0xB) & 1) == 0)
                if ( ((($_hw2 >> 0xF) & 1) == 1) && ((($_hw2 >> 0xE) & 1) == 1) )
                    set $_nextaddress = $pc+0x4
                end
            end
        end
        # if we have found a call to bypass we set a temporary breakpoint on next instruction and continue
        if ($_nextaddress != 0)
            tbreak *$_nextaddress
            continue
            printf "[StepO] Next address will be %x\n", $_nextaddress
        # else we just single step
        else
            nexti
        end
    ###################################### X86
    else
        ## we know that an opcode starting by 0xE8 has a fixed length
        ## for the 0xFF opcodes, we can enumerate what is possible to have
        # first we grab the first 3 bytes from the current program counter
        set $_byte1 = *(unsigned char *)$pc
        set $_byte2 = *(unsigned char *)($pc+1)
        set $_byte3 = *(unsigned char *)($pc+2)
        # and start the fun
        # if it's a 0xE8 opcode, the total instruction size will be 5 bytes
        # so we can simply calculate the next address and use a temporary breakpoint ! Voila :)
        set $_nextaddress = 0
        # this one is the most useful for us !!!
        if ($_byte1 == 0xE8)
            set $_nextaddress = $pc + 0x5
        else
            # just other cases we might be interested in... maybe this should be removed since the 0xE8 opcode is the one we will use more
            # this is a big mess and can be improved for sure :) I don't like the way it is ehehehe
            if ($_byte1 == 0xFF)
                # call *%eax (0xFFD0) || call *%edx (0xFFD2) || call *(%ecx) (0xFFD1) || call (%eax) (0xFF10) || call *%esi (0xFFD6) || call *%ebx (0xFFD3) || call DWORD PTR [edx] (0xFF12)
                if ($_byte2 == 0xD0 || $_byte2 == 0xD1 || $_byte2 == 0xD2 || $_byte2 == 0xD3 || $_byte2 == 0xD6 || $_byte2 == 0x10 || $_byte2 == 0x11 || $_byte2 == 0xD7 || $_byte2 == 0x12)
                    set $_nextaddress = $pc + 0x2
                end
                # call *0x??(%ebp) (0xFF55??) || call *0x??(%esi) (0xFF56??) || call *0x??(%edi) (0xFF5F??) || call *0x??(%ebx)
                # call *0x??(%edx) (0xFF52??) || call *0x??(%ecx) (0xFF51??) || call *0x??(%edi) (0xFF57??) || call *0x??(%eax) (0xFF50??)
                if ($_byte2 == 0x55 || $_byte2 == 0x56 || $_byte2 == 0x5F || $_byte2 == 0x53 || $_byte2 == 0x52 || $_byte2 == 0x51 || $_byte2 == 0x57 || $_byte2 == 0x50)
                    set $_nextaddress = $pc + 0x3
                end
                # call *0x????????(%ebx) (0xFF93????????) || other mod=10 forms with a disp32 || call *0x???????? (0xFF15????????)
                if ($_byte2 == 0x93 || $_byte2 == 0x90 || $_byte2 == 0x92 || $_byte2 == 0x95 || $_byte2 == 0x15)
                    set $_nextaddress = $pc + 6
                end
                # call *0x????????(%ebx,%eax,4) (0xFF94??????????): SIB byte plus disp32
                if ($_byte2 == 0x94)
                    set $_nextaddress = $pc + 7
                end
            end
            # FIXME: still missing a few?
            # REX prefix (0x40/0x41) followed by call *%reg, e.g. call *%r8 (0x41FFD0)
            if ($_byte1 == 0x41 || $_byte1 == 0x40)
                if ($_byte2 == 0xFF)
                    if ($_byte3 == 0xD0 || $_byte3 == 0xD1 || $_byte3 == 0xD2 || $_byte3 == 0xD3 || $_byte3 == 0xD4 || $_byte3 == 0xD5 || $_byte3 == 0xD6 || $_byte3 == 0xD7)
                        set $_nextaddress = $pc + 0x3
                    end
                end
            end
        end
        # if we have found a call to bypass we set a temporary breakpoint on next instruction and continue
        if ($_nextaddress != 0)
            if ($arg0 == 1)
                thbreak *$_nextaddress
            else
                tbreak *$_nextaddress
            end
            continue
        # else we just single step
        else
            nexti
        end
    end
end
document stepoframework
Syntax: stepoframework
| Auxiliary function to stepo command.
end

define stepo
    stepoframework 0
end
document stepo
Syntax: stepo
| Step over calls (interesting to bypass the ones to msgSend).
| This function will set a temporary breakpoint on the next instruction after the call so the call will be bypassed.
| You can safely use it instead of nexti or n since it will single step code if it's not a call instruction (unless you want to go into the called function).
end


define stepoh
    stepoframework 1
end
document stepoh
Syntax: stepoh
| Same as stepo command but uses temporary hardware breakpoints.
end


# FIXME: ARM
define skip
    # after x/2i, $_ holds the address of the last instruction examined, i.e. the one following $pc
    x/2i $pc
    set $instruction_size = (int)($_ - $pc)
    set $pc = $pc + $instruction_size
    if ($SKIPEXECUTE == 1)
        if ($SKIPSTEP == 1)
            stepo
        else
            stepi
        end
    else
        context
    end
end
document skip
Syntax: skip
| Skip over the instruction located at EIP/RIP. By default, the instruction will not be executed!
| Some configurable options are available on top of gdbinit to override this.
end


# _______________eflags commands______________
# conditional flags are
# negative/less than (N), bit 31 of CPSR
# zero (Z), bit 30
# Carry/Borrow/Extend (C), bit 29
# Overflow (V), bit 28

# negative/less than (N), bit 31 of CPSR
define cfn
    if $ARM == 1
        set $tempflag = $cpsr->n
        if ($tempflag & 1)
            set $cpsr->n = $tempflag&~0x1
        else
            set $cpsr->n = $tempflag|0x1
        end
    end
end
document cfn
Syntax: cfn
| Change Negative/Less Than Flag.
| ARM only (the x86 equivalent is the Sign Flag, see cfs).
end


define cfc
    # Carry/Borrow/Extend (C), bit 29
    if $ARM == 1
        set $tempflag = $cpsr->c
        if ($tempflag & 1)
            set $cpsr->c = $tempflag&~0x1
        else
            set $cpsr->c = $tempflag|0x1
        end
    else
        # x86: CF is bit 0 of EFLAGS
        if ((unsigned int)$eflags & 1)
            set $eflags = (unsigned int)$eflags&~0x1
        else
            set $eflags = (unsigned int)$eflags|0x1
        end
    end
end
document cfc
Syntax: cfc
| Change Carry Flag.
end


define cfp
    # x86: PF is bit 2 of EFLAGS
    if (((unsigned int)$eflags >> 2) & 1)
        set $eflags = (unsigned int)$eflags&~0x4
    else
        set $eflags = (unsigned int)$eflags|0x4
    end
end
document cfp
Syntax: cfp
| Change Parity Flag.
end


define cfa
    # x86: AF is bit 4 of EFLAGS
    if (((unsigned int)$eflags >> 4) & 1)
        set $eflags = (unsigned int)$eflags&~0x10
    else
        set $eflags = (unsigned int)$eflags|0x10
    end
end
document cfa
Syntax: cfa
| Change Auxiliary Carry Flag.
end


define cfz
    # zero (Z), bit 30
    if $ARM == 1
        set $tempflag = $cpsr->z
        if ($tempflag & 1)
            set $cpsr->z = $tempflag&~0x1
        else
            set $cpsr->z = $tempflag|0x1
        end
    else
        # x86: ZF is bit 6 of EFLAGS
        if (((unsigned int)$eflags >> 6) & 1)
            set $eflags = (unsigned int)$eflags&~0x40
        else
            set $eflags = (unsigned int)$eflags|0x40
        end
    end
end
document cfz
Syntax: cfz
| Change Zero Flag.
end


define cfs
    # x86: SF is bit 7 of EFLAGS
    if (((unsigned int)$eflags >> 7) & 1)
        set $eflags = (unsigned int)$eflags&~0x80
    else
        set $eflags = (unsigned int)$eflags|0x80
    end
end
document cfs
Syntax: cfs
| Change Sign Flag.
end


define cft
    # x86: TF is bit 8 of EFLAGS
    if (((unsigned int)$eflags >> 8) & 1)
        set $eflags = (unsigned int)$eflags&~0x100
    else
        set $eflags = (unsigned int)$eflags|0x100
    end
end
document cft
Syntax: cft
| Change Trap Flag.
end


define cfi
    # x86: IF is bit 9 of EFLAGS
    if (((unsigned int)$eflags >> 9) & 1)
        set $eflags = (unsigned int)$eflags&~0x200
    else
        set $eflags = (unsigned int)$eflags|0x200
    end
end
document cfi
Syntax: cfi
| Change Interrupt Flag.
| Only privileged applications (usually the OS kernel) may modify IF.
| This only applies to protected mode (real mode code may always modify IF).
end


define cfd
    # x86: DF is bit 10 of EFLAGS
    if (((unsigned int)$eflags >> 0xA) & 1)
        set $eflags = (unsigned int)$eflags&~0x400
    else
        set $eflags = (unsigned int)$eflags|0x400
    end
end
document cfd
Syntax: cfd
| Change Direction Flag.
end


define cfo
    # x86: OF is bit 11 of EFLAGS
    if (((unsigned int)$eflags >> 0xB) & 1)
        set $eflags = (unsigned int)$eflags&~0x800
    else
        set $eflags = (unsigned int)$eflags|0x800
    end
end
document cfo
Syntax: cfo
| Change Overflow Flag.
end


# Overflow (V), bit 28
define cfv
    if $ARM == 1
        set $tempflag = $cpsr->v
        if ($tempflag & 1)
            set $cpsr->v = $tempflag&~0x1
        else
            set $cpsr->v = $tempflag|0x1
        end
    end
end
document cfv
Syntax: cfv
| Change Overflow Flag.
| ARM only (the x86 equivalent is cfo).
end


# ____________________patch___________________
# the usual nops are mov r0,r0 for arm (0xe1a00000)
# and mov r8,r8 in Thumb (0x46c0)
# armv7 has other nops
# FIXME: make sure that the interval fits the 32bits address for arm and 16bits for thumb
# status: works, fixme
define nop
    if ($argc > 2 || $argc == 0)
        help nop
    end

    if $ARM == 1
        if ($argc == 1)
            if ($cpsr->t & 1)
                # thumb
                set *(short *)$arg0 = 0x46c0
            else
                # arm
                set *(int *)$arg0 = 0xe1a00000
            end
        else
            set $addr = $arg0
            if ($cpsr->t & 1)
                # thumb
                while ($addr < $arg1)
                    set *(short *)$addr = 0x46c0
                    set $addr = $addr + 2
                end
            else
                # arm
                while ($addr < $arg1)
                    set *(int *)$addr = 0xe1a00000
                    set $addr = $addr + 4
                end
            end
        end
    else
        if ($argc == 1)
            set *(unsigned char *)$arg0 = 0x90
        else
            set $addr = $arg0
            while ($addr < $arg1)
                set *(unsigned char *)$addr = 0x90
                set $addr = $addr + 1
            end
        end
    end
end
document nop
Syntax: nop ADDR1 [ADDR2]
| Patch a single byte at address ADDR1, or a series of bytes between ADDR1 and ADDR2, to a NOP (0x90) instruction.
| ARM or Thumb code will be patched accordingly.
end


define null
    if ($argc > 2 || $argc == 0)
        help null
    end

    if ($argc == 1)
        set *(unsigned char *)$arg0 = 0
    else
        set $addr = $arg0
        while ($addr < $arg1)
            set *(unsigned char *)$addr = 0
            set $addr = $addr + 1
        end
    end
end
document null
Syntax: null ADDR1 [ADDR2]
| Patch a single byte at address ADDR1 to NULL (0x00), or a series of bytes between ADDR1 and ADDR2.
end

# FIXME: thumb breakpoint ?
define int3
    if $argc != 1
        help int3
    else
        if $ARM == 1
            # save original word and address, then write the ARM software breakpoint
            set $ORIGINAL_INT3 = *(unsigned int *)$arg0
            set $ORIGINAL_INT3ADDRESS = $arg0
            set *(unsigned int*)$arg0 = 0xe7ffdefe
        else
            # save original byte and address
            set $ORIGINAL_INT3 = *(unsigned char *)$arg0
            set $ORIGINAL_INT3ADDRESS = $arg0
            # patch
            set *(unsigned char *)$arg0 = 0xCC
        end
    end
end
document int3
Syntax: int3 ADDR
| Patch byte at address ADDR to an INT3 (0xCC) instruction or the equivalent software breakpoint for ARM.
end


define rint3
    if $ARM == 1
        set *(unsigned int *)$ORIGINAL_INT3ADDRESS = $ORIGINAL_INT3
        set $pc = $ORIGINAL_INT3ADDRESS
    else
        set *(unsigned char *)$ORIGINAL_INT3ADDRESS = $ORIGINAL_INT3
        if ($64BITS == 1)
            set $rip = $ORIGINAL_INT3ADDRESS
        else
            set $eip = $ORIGINAL_INT3ADDRESS
        end
    end
end
document rint3
Syntax: rint3
| Restore the original byte saved by the "int3" command and rewind the program counter to it.
end

define patch
    if $argc != 3
        help patch
    end
    set $patchaddr = $arg0
    set $patchbytes = $arg1
    set $patchsize = $arg2

    if ($patchsize == 1)
        set *(unsigned char*)$patchaddr = $patchbytes
    end
    if ($patchsize == 2)
        # swap the two bytes
        set $lendianbytes = (unsigned short)(($patchbytes << 8) | ($patchbytes >> 8))
        set *(unsigned short*)$patchaddr = $lendianbytes
    end
    if ($patchsize == 4)
        # swap adjacent bytes, then the two 16-bit halves
        set $lendianbytes = (unsigned int)( (($patchbytes << 8) & 0xFF00FF00 ) | (($patchbytes >> 8) & 0xFF00FF ))
        set $lendianbytes = (unsigned int)($lendianbytes << 0x10 | $lendianbytes >> 0x10)
        set *(unsigned int*)$patchaddr = $lendianbytes
    end
    if ($patchsize == 8)
        # swap adjacent bytes, then 16-bit halves, then 32-bit halves
        set $lendianbytes = (unsigned long long)( (($patchbytes << 8) & 0xFF00FF00FF00FF00ULL ) | (($patchbytes >> 8) & 0x00FF00FF00FF00FFULL ) )
        set $lendianbytes = (unsigned long long)( (($lendianbytes << 0x10) & 0xFFFF0000FFFF0000ULL ) | (($lendianbytes >> 0x10) & 0x0000FFFF0000FFFFULL ) )
        set $lendianbytes = (unsigned long long)( ($lendianbytes << 0x20) | ($lendianbytes >> 0x20) )
        set *(unsigned long long*)$patchaddr = $lendianbytes
    end
end
document patch
Syntax: patch address bytes size
| Patch a given address, converting the bytes to little-endian.
| Assumes input bytes are unsigned values and should be in hexadecimal format (0x...).
| Size must be 1, 2, 4, 8 bytes.
| Main purpose is to be used with the output from the asm commands.
end

# ____________________cflow___________________
define print_insn_type
    if $argc != 1
        help print_insn_type
    else
        if ($arg0 < 0 || $arg0 > 5)
            printf "UNDEFINED/WRONG VALUE"
        end
        if ($arg0 == 0)
            printf "UNKNOWN"
        end
        if ($arg0 == 1)
            printf "JMP"
        end
        if ($arg0 == 2)
            printf "JCC"
        end
        if ($arg0 == 3)
            printf "CALL"
        end
        if ($arg0 == 4)
            printf "RET"
        end
        if ($arg0 == 5)
            printf "INT"
        end
    end
end
document print_insn_type
Syntax: print_insn_type INSN_TYPE_NUMBER
| Print human-readable mnemonic for the instruction type (usually $INSN_TYPE).
end


define get_insn_type
    if $argc != 1
        help get_insn_type
    else
        set $INSN_TYPE = 0
        set $_byte1 = *(unsigned char *)$arg0
        if ($_byte1 == 0x9A || $_byte1 == 0xE8)
            # "call" (0x9A far call, 0xE8 near call rel32)
            set $INSN_TYPE = 3
        end
        if ($_byte1 >= 0xE9 && $_byte1 <= 0xEB)
            # "jmp" (0xE9 rel32, 0xEA far, 0xEB rel8)
            set $INSN_TYPE = 1
        end
        if ($_byte1 >= 0x70 && $_byte1 <= 0x7F)
            # "jcc" (rel8)
            set $INSN_TYPE = 2
        end
        if ($_byte1 >= 0xE0 && $_byte1 <= 0xE3 )
            # "jcc" (loopne/loope/loop/jecxz)
            set $INSN_TYPE = 2
        end
        if ($_byte1 == 0xC2 || $_byte1 == 0xC3 || $_byte1 == 0xCA || \
            $_byte1 == 0xCB || $_byte1 == 0xCF)
            # "ret" (near, far and iret)
            set $INSN_TYPE = 4
        end
        if ($_byte1 >= 0xCC && $_byte1 <= 0xCE)
            # "int" (int3, int n, into)
            set $INSN_TYPE = 5
        end
        if ($_byte1 == 0x0F )
            # two-byte opcode
            set $_byte2 = *(unsigned char *)($arg0 + 1)
            if ($_byte2 >= 0x80 && $_byte2 <= 0x8F)
                # "jcc" (rel32)
                set $INSN_TYPE = 2
            end
        end
        if ($_byte1 == 0xFF)
            # opcode extension: the ModRM reg field selects the operation
            set $_byte2 = *(unsigned char *)($arg0 + 1)
            set $_opext = ($_byte2 & 0x38)
            if ($_opext == 0x10 || $_opext == 0x18)
                # "call" (/2 near, /3 far)
                set $INSN_TYPE = 3
            end
            if ($_opext == 0x20 || $_opext == 0x28)
                # "jmp" (/4 near, /5 far)
                set $INSN_TYPE = 1
            end
        end
    end
end
document get_insn_type
Syntax: get_insn_type ADDR
| Recognize instruction type at address ADDR.
| Take address ADDR and set the global $INSN_TYPE variable to
| 0, 1, 2, 3, 4, 5 if the instruction at that address is
| unknown, a jump, a conditional jump, a call, a return, or an interrupt.
end


define step_to_call
    set $_saved_ctx = $SHOW_CONTEXT
    set $SHOW_CONTEXT = 0
    set $SHOW_NEST_INSN = 0

    # silence gdb output while stepping
    set logging file /dev/null
    set logging redirect on
    set logging enabled on

    set $_cont = 1
    while ($_cont > 0)
        stepi
        get_insn_type $pc
        if ($INSN_TYPE == 3)
            set $_cont = 0
        end
    end

    set logging enabled off

    if ($_saved_ctx > 0)
        context
    end

    set $SHOW_CONTEXT = $_saved_ctx
    set $SHOW_NEST_INSN = 0

    set logging file ~/gdb.txt
    set logging redirect off
    set logging enabled on

    printf "step_to_call command stopped at:\n "
    x/i $pc
    printf "\n"
    set logging enabled off

end
document step_to_call
Syntax: step_to_call
| Single step until a call instruction is found.
| Stop before the call is taken.
| Log is written into the file ~/gdb.txt.
end


define trace_calls

    printf "Tracing...please wait...\n"

    set $_saved_ctx = $SHOW_CONTEXT
    set $SHOW_CONTEXT = 0
    set $SHOW_NEST_INSN = 0
    set $_nest = 1
    set listsize 0

    # open and close the log once with overwrite on to truncate it; later writes append
    set logging overwrite on
    set logging file ~/gdb_trace_calls.txt
    set logging enabled on
    set logging enabled off
    set logging overwrite off

    while ($_nest > 0)
        get_insn_type $pc
        # handle nesting
        if ($INSN_TYPE == 3)
            set $_nest = $_nest + 1
        else
            if ($INSN_TYPE == 4)
                set $_nest = $_nest - 1
            end
        end
        # if a call, print it
        if ($INSN_TYPE == 3)
            set logging file ~/gdb_trace_calls.txt
            set logging redirect off
            set logging enabled on

            set $x = $_nest - 2
            while ($x > 0)
                printf "\t"
                set $x = $x - 1
            end
            x/i $pc
        end

        # step silently
        set logging enabled off
        set logging file /dev/null
        set logging redirect on
        set logging enabled on
        stepi
        set logging redirect off
        set logging enabled off
    end

    set $SHOW_CONTEXT = $_saved_ctx
    set $SHOW_NEST_INSN = 0

    printf "Done, check ~/gdb_trace_calls.txt\n"
end
document trace_calls
Syntax: trace_calls
| Create a runtime trace of the calls made by target.
| Log overwrites(!) the file ~/gdb_trace_calls.txt.
end


define trace_run

    printf "Tracing...please wait...\n"

    set $_saved_ctx = $SHOW_CONTEXT
    set $SHOW_CONTEXT = 0
    set $SHOW_NEST_INSN = 1
    set logging overwrite on
    set logging file ~/gdb_trace_run.txt
    set logging redirect on
    set logging enabled on
    set $_nest = 1

    while ( $_nest > 0 )

        get_insn_type $pc
        # call
        if ($INSN_TYPE == 3)
            set $_nest = $_nest + 1
        else
            # ret
            if ($INSN_TYPE == 4)
                set $_nest = $_nest - 1
            end
        end
        stepi
    end

    printf "\n"

    set $SHOW_CONTEXT = $_saved_ctx
    set $SHOW_NEST_INSN = 0
    set logging redirect off
    set logging enabled off

    # clean up trace file
    shell grep -v ' at ' ~/gdb_trace_run.txt > ~/gdb_trace_run.1
    shell grep -v ' in ' ~/gdb_trace_run.1 > ~/gdb_trace_run.txt
    shell rm -f ~/gdb_trace_run.1
    printf "Done, check ~/gdb_trace_run.txt\n"
end
document trace_run
Syntax: trace_run
| Create a runtime trace of target.
| Log overwrites(!) the file ~/gdb_trace_run.txt.
end

define entry_point
    set logging redirect on
    set logging file /tmp/gdb-entry_point
    set logging enabled on
    info files
    set logging enabled off
    # extract the "Entry point:" line from the logged output and turn it into a gdb set command
    shell entry_point="$(/usr/bin/grep 'Entry point:' /tmp/gdb-entry_point | /usr/bin/awk '{ print $3 }')"; echo "$entry_point"; echo 'set $entry_point_address = '"$entry_point" > /tmp/gdb-entry_point
    source /tmp/gdb-entry_point
    shell /bin/rm -f /tmp/gdb-entry_point
end
document entry_point
Syntax: entry_point
| Prints the entry point address of the target and stores it in the variable $entry_point_address.
end

define break_entrypoint
    entry_point
    break *$entry_point_address
end
document break_entrypoint
Syntax: break_entrypoint
| Sets a breakpoint on the entry point of the target.
end

define objc_symbols
    set logging redirect on
    set logging file /tmp/gdb-objc_symbols
    set logging enabled on
    info target
    set logging enabled off
    # XXX: define paths for objc-symbols and SymTabCreator
    shell target="$(/usr/bin/head -1 /tmp/gdb-objc_symbols | /usr/bin/head -1 | /usr/bin/awk -F '"' '{ print $2 }')"; objc-symbols "$target" | SymTabCreator -o /tmp/gdb-symtab
    set logging enabled on
    add-symbol-file /tmp/gdb-symtab
    set logging enabled off
    shell /bin/rm -f /tmp/gdb-objc_symbols
end
document objc_symbols
Syntax: objc_symbols
| Loads stripped objc symbols into gdb using objc-symbols and SymTabCreator
| See http://stackoverflow.com/questions/17554070/import-class-dump-info-into-gdb
| and https://github.com/0xced/class-dump/tree/objc-symbols (for the required utils)
end

#define ptraceme
#    catch syscall ptrace
#    commands
#        if ($64BITS == 0)
#            if ($ebx == 0)
#                set $eax = 0
#                continue
#            end
#        else
#            if ($rdi == 0)
#                set $rax = 0
#                continue
#            end
#        end
#    end
#    set $ptrace_bpnum = $bpnum
#end
#document ptraceme
#Syntax: ptraceme
#| Hook ptrace to bypass PTRACE_TRACEME anti debugging technique
#end

define rptraceme
    if ($ptrace_bpnum != 0)
        delete $ptrace_bpnum
        set $ptrace_bpnum = 0
    end
end
document rptraceme
Syntax: rptraceme
| Remove ptrace hook.
end


# ____________________misc____________________
define hook-stop
    if (sizeof(void*) == 8)
        set $64BITS = 1
    else
        set $64BITS = 0
    end

    if ($KDP64BITS != -1)
        if ($KDP64BITS == 0)
            set $64BITS = 0
        else
            set $64BITS = 1
        end
    end

    # Display instructions formats
    if $ARM == 1
        if $ARMOPCODES == 1
            set arm show-opcode-bytes 1
        end
    else
        if $X86FLAVOR == 0
            set disassembly-flavor intel
        else
            set disassembly-flavor att
        end
    end

    # this makes 'context' be called at every BP/step
    if ($SHOW_CONTEXT > 0)
        context
    end
    if ($SHOW_NEST_INSN > 0)
        set $x = $_nest
        while ($x > 0)
            printf "\t"
            set $x = $x - 1
        end
    end
end
document hook-stop
Syntax: hook-stop
| !!! FOR INTERNAL USE ONLY - DO NOT CALL !!!
end


# original by Tavis Ormandy (http://my.opera.com/taviso/blog/index.dml/tag/gdb) (great fix!)
# modified to work with Mac OS X by fG!
# seems nasm shipping with Mac OS X has problems accepting input from stdin or heredoc
# input is read into a variable and sent to a temporary file which nasm can read
define assemble
    # don't enter routine again if user hits enter
    dont-repeat
    if ($argc)
        if (*$arg0 = *$arg0)
            # check if we have a valid address by dereferencing it,
            # if we haven't, this will cause the routine to exit.
        end
        printf "Instructions will be written to %#x.\n", $arg0
    else
        printf "Instructions will be written to stdout.\n"
    end
    printf "Type instructions, one per line."
    color_bold
    printf " Do not forget to use NASM assembler syntax!\n"
    color_reset
    printf "End with a line saying just \"end\".\n"

    if ($argc)
        if ($64BITS == 1)
            # argument specified, assemble instructions into memory at address specified.
            shell ASMOPCODE="$(while read -ep '>' r && test "$r" != end ; do echo -E "$r"; done)" ; GDBASMFILENAME=$RANDOM; \
            echo -e "BITS 64\n$ASMOPCODE" >/tmp/$GDBASMFILENAME ; /usr/local/bin/nasm -f bin -o /dev/stdout /tmp/$GDBASMFILENAME | /usr/bin/hexdump -ve '1/1 "set *((unsigned char *) $arg0 + %#2_ax) = %#02x\n"' >/tmp/gdbassemble ; /bin/rm -f /tmp/$GDBASMFILENAME
            source /tmp/gdbassemble
            # all done. clean the temporary file
            shell /bin/rm -f /tmp/gdbassemble
        else
            # argument specified, assemble instructions into memory at address specified.
            shell ASMOPCODE="$(while read -ep '>' r && test "$r" != end ; do echo -E "$r"; done)" ; GDBASMFILENAME=$RANDOM; \
            echo -e "BITS 32\n$ASMOPCODE" >/tmp/$GDBASMFILENAME ; /usr/bin/nasm -f bin -o /dev/stdout /tmp/$GDBASMFILENAME | /usr/bin/hexdump -ve '1/1 "set *((unsigned char *) $arg0 + %#2_ax) = %#02x\n"' >/tmp/gdbassemble ; /bin/rm -f /tmp/$GDBASMFILENAME
            source /tmp/gdbassemble
            # all done. clean the temporary file
            shell /bin/rm -f /tmp/gdbassemble
        end
    else
        if ($64BITS == 1)
            # no argument, assemble instructions to stdout
            shell ASMOPCODE="$(while read -ep '>' r && test "$r" != end ; do echo -E "$r"; done)" ; GDBASMFILENAME=$RANDOM; \
            echo -e "BITS 64\n$ASMOPCODE" >/tmp/$GDBASMFILENAME ; /usr/local/bin/nasm -f bin -o /dev/stdout /tmp/$GDBASMFILENAME | /usr/local/bin/ndisasm -i -b64 /dev/stdin ; \
            /bin/rm -f /tmp/$GDBASMFILENAME
        else
            # no argument, assemble instructions to stdout
            shell ASMOPCODE="$(while read -ep '>' r && test "$r" != end ; do echo -E "$r"; done)" ; GDBASMFILENAME=$RANDOM; \
            echo -e "BITS 32\n$ASMOPCODE" >/tmp/$GDBASMFILENAME ; /usr/bin/nasm -f bin -o /dev/stdout /tmp/$GDBASMFILENAME | /usr/bin/ndisasm -i -b32 /dev/stdin ; \
            /bin/rm -f /tmp/$GDBASMFILENAME
        end
    end
end
document assemble
Syntax: assemble [ADDR]
| Assemble instructions using nasm.
| Type a line containing "end" to indicate the end.
| If an address is specified, insert/modify instructions at that address.
| If no address is specified, assembled instructions are printed to stdout.
| Use the pseudo instruction "org ADDR" to set the base address.
end

define assemble32
    # don't enter routine again if user hits enter
    dont-repeat
    if ($argc)
        if (*$arg0 = *$arg0)
            # check if we have a valid address by dereferencing it,
            # if we haven't, this will cause the routine to exit.
        end
        printf "Instructions will be written to %#x.\n", $arg0
    else
        printf "Instructions will be written to stdout.\n"
    end
    printf "Type instructions, one per line."
    color_bold
    printf " Do not forget to use NASM assembler syntax!\n"
    color_reset
    printf "End with a line saying just \"end\".\n"

    if ($argc)
        # argument specified, assemble instructions into memory at address specified.
        shell ASMOPCODE="$(while read -ep '>' r && test "$r" != end ; do echo -E "$r"; done)" ; GDBASMFILENAME=$RANDOM; \
        echo -e "BITS 32\n$ASMOPCODE" >/tmp/$GDBASMFILENAME ; /usr/bin/nasm -f bin -o /dev/stdout /tmp/$GDBASMFILENAME | /usr/bin/hexdump -ve '1/1 "set *((unsigned char *) $arg0 + %#2_ax) = %#02x\n"' >/tmp/gdbassemble ; /bin/rm -f /tmp/$GDBASMFILENAME
        source /tmp/gdbassemble
        # all done. clean the temporary file
        shell /bin/rm -f /tmp/gdbassemble
    else
        # no argument, assemble instructions to stdout
        shell ASMOPCODE="$(while read -ep '>' r && test "$r" != end ; do echo -E "$r"; done)" ; GDBASMFILENAME=$RANDOM; \
        echo -e "BITS 32\n$ASMOPCODE" >/tmp/$GDBASMFILENAME ; /usr/bin/nasm -f bin -o /dev/stdout /tmp/$GDBASMFILENAME | /usr/bin/ndisasm -i -b32 /dev/stdin ; \
        /bin/rm -f /tmp/$GDBASMFILENAME
    end
end
document assemble32
Syntax: assemble32 [ADDR]
| Assemble 32 bits instructions using nasm.
| Type a line containing "end" to indicate the end.
| If an address is specified, insert/modify instructions at that address.
| If no address is specified, assembled instructions are printed to stdout.
| Use the pseudo instruction "org ADDR" to set the base address.
end

define assemble64
    # don't enter routine again if user hits enter
    dont-repeat
    if ($argc)
        if (*$arg0 = *$arg0)
            # check if we have a valid address by dereferencing it,
            # if we haven't, this will cause the routine to exit.
        end
        printf "Instructions will be written to %#x.\n", $arg0
    else
        printf "Instructions will be written to stdout.\n"
    end
    printf "Type instructions, one per line."
    color_bold
    printf " Do not forget to use NASM assembler syntax!\n"
    color_reset
    printf "End with a line saying just \"end\".\n"

    if ($argc)
        # argument specified, assemble instructions into memory at address specified.
        shell ASMOPCODE="$(while read -ep '>' r && test "$r" != end ; do echo -E "$r"; done)" ; GDBASMFILENAME=$RANDOM; \
        echo -e "BITS 64\n$ASMOPCODE" >/tmp/$GDBASMFILENAME ; /usr/local/bin/nasm -f bin -o /dev/stdout /tmp/$GDBASMFILENAME | /usr/bin/hexdump -ve '1/1 "set *((unsigned char *) $arg0 + %#2_ax) = %#02x\n"' >/tmp/gdbassemble ; /bin/rm -f /tmp/$GDBASMFILENAME
        source /tmp/gdbassemble
        # all done. clean the temporary file
        shell /bin/rm -f /tmp/gdbassemble
    else
        # no argument, assemble instructions to stdout
        shell ASMOPCODE="$(while read -ep '>' r && test "$r" != end ; do echo -E "$r"; done)" ; GDBASMFILENAME=$RANDOM; \
        echo -e "BITS 64\n$ASMOPCODE" >/tmp/$GDBASMFILENAME ; /usr/local/bin/nasm -f bin -o /dev/stdout /tmp/$GDBASMFILENAME | /usr/local/bin/ndisasm -i -b64 /dev/stdin ; \
        /bin/rm -f /tmp/$GDBASMFILENAME
    end
end
document assemble64
Syntax: assemble64 [ADDR]
| Assemble 64 bits instructions using nasm.
| Type a line containing "end" to indicate the end.
| If an address is specified, insert/modify instructions at that address.
| If no address is specified, assembled instructions are printed to stdout.
| Use the pseudo instruction "org ADDR" to set the base address.
end

define asm
    if $argc == 1
        assemble $arg0
    else
        assemble
    end
end
document asm
Syntax: asm [ADDR]
| Shortcut to the assemble command.
end

define asm32
    if $argc == 1
        assemble32 $arg0
    else
        assemble32
    end
end
document asm32
Syntax: asm32 [ADDR]
| Shortcut to the assemble32 command.
end

define asm64
    if $argc == 1
        assemble64 $arg0
    else
        assemble64
    end
end
document asm64
Syntax: asm64 [ADDR]
| Shortcut to the assemble64 command.
end

define assemble_gas
    printf "\nType code to assemble and hit Ctrl-D when finished.\n"
    printf "You must use GNU assembler (AT&T) syntax.\n"

    # source is read from the terminal into a temp file, assembled with as,
    # and the resulting .text section is disassembled with objdump
    shell filename=$(mktemp); \
          binfilename=$(mktemp); \
          echo -e "Writing into: ${filename}\n"; \
          cat > $filename; echo ""; \
          as -o $binfilename < $filename; \
          objdump -d -j .text $binfilename; \
          rm -f $binfilename; \
          rm -f $filename; \
          echo -e "temporary files deleted.\n"
end
document assemble_gas
Syntax: assemble_gas
| Assemble instructions to binary opcodes. Uses GNU as and objdump.
end


define dump_hexfile
    dump ihex memory $arg0 $arg1 $arg2
end
document dump_hexfile
Syntax: dump_hexfile FILENAME ADDR1 ADDR2
| Write a range of memory to a file in Intel ihex (hexdump) format.
| The range is specified by ADDR1 and ADDR2 addresses.
end


define dump_binfile
    dump memory $arg0 $arg1 $arg2
end
document dump_binfile
Syntax: dump_binfile FILENAME ADDR1 ADDR2
| Write a range of memory to a binary file.
| The range is specified by ADDR1 and ADDR2 addresses.
end


define dumpmacho
    if $argc != 2
        help dumpmacho
    end
    set $headermagic = *$arg0
    # the || operator isn't working as it should, wtf!!!
    if $headermagic != 0xfeedface
        if $headermagic != 0xfeedfacf
            printf "[Error] Target address doesn't contain a valid Mach-O binary!\n"
            help dumpmacho
        end
    end
    # sizeofcmds sits at offset 0x14 in both mach_header and mach_header_64
    set $headerdumpsize = *($arg0+0x14)
    # header is 0x1c bytes (32 bits) or 0x20 bytes (64 bits), followed by the load commands
    if $headermagic == 0xfeedface
        dump memory $arg1 $arg0 ($arg0+0x1c+$headerdumpsize)
    end
    if $headermagic == 0xfeedfacf
        dump memory $arg1 $arg0 ($arg0+0x20+$headerdumpsize)
    end
end
document dumpmacho
Syntax: dumpmacho STARTADDRESS FILENAME
| Dump the Mach-O header to a file.
| You need to input the start address (use info shared command to find it).
end


define cls
    shell clear
end
document cls
Syntax: cls
| Clear screen.
end


define search
    set $start = (char *) $arg0
    set $end = (char *) $arg1
    set $pattern = (short) $arg2
    set $p = $start
    # the 16-bit pattern is compared at every byte offset, so unaligned hits are reported too
    while $p < $end
        if (*(short *) $p) == $pattern
            printf "pattern 0x%hx found at 0x%x\n", $pattern, $p
        end
        set $p++
    end
end
document search
Syntax: search STARTADDR ENDADDR PATTERN
| Search for the given 16-bit pattern between STARTADDR and ENDADDR.
end


# _________________user tips_________________
# The 'tips' command is used to provide tutorial-like info to the user
define tips
    printf "Tip Topic Commands:\n"
    printf "\ttip_display : Automatically display values on each break\n"
    printf "\ttip_patch   : Patching binaries\n"
    printf "\ttip_strip   : Dealing with stripped binaries\n"
    printf "\ttip_syntax  : AT&T vs Intel syntax\n"
end
document tips
Syntax: tips
| Provide a list of tips from users on various topics.
end


define tip_patch
    printf "\n"
    printf " PATCHING MEMORY\n"
    printf "Any address can be patched using the 'set' command:\n"
    printf "\t`set ADDR = VALUE` \te.g. `set *0x8049D6E = 0x90`\n"
    printf "\n"
    printf " PATCHING BINARY FILES\n"
    printf "Use `set write` in order to patch the target executable\n"
    printf "directly, instead of just patching memory\n"
    printf "\t`set write on` \t`set write off`\n"
    printf "Note that this means any patches to the code or data segments\n"
    printf "will be written to the executable file\n"
    printf "When either of these commands has been issued,\n"
    printf "the file must be reloaded.\n"
    printf "\n"
end
document tip_patch
Syntax: tip_patch
| Tips on patching memory and binary files.
end


define tip_strip
    printf "\n"
    printf " STOPPING BINARIES AT ENTRY POINT\n"
    printf "Stripped binaries have no symbols, and are therefore tough to\n"
    printf "start automatically. To debug a stripped binary, use\n"
    printf "\tinfo file\n"
    printf "to get the entry point of the file\n"
    printf "The first few lines of output will look like this:\n"
    printf "\tSymbols from '/tmp/a.out'\n"
    printf "\tLocal exec file:\n"
    printf "\t `/tmp/a.out', file type elf32-i386.\n"
    printf "\t Entry point: 0x80482e0\n"
    printf "Use this entry point to set a temporary breakpoint:\n"
    printf "\t`tbreak *0x80482e0`\n"
    printf "The breakpoint will delete itself after the program stops at\n"
    printf "the entry point\n"
    printf "\n"
end
document tip_strip
Syntax: tip_strip
| Tips on dealing with stripped binaries.
end


define tip_syntax
    printf "\n"
    printf "\t INTEL SYNTAX                    AT&T SYNTAX\n"
    printf "\tmnemonic dest, src, imm          mnemonic src, dest, imm\n"
    printf "\t[base+index*scale+disp]          disp(base, index, scale)\n"
    printf "\tregister:      eax               register:      %%eax\n"
    printf "\timmediate:     0xFF              immediate:     $0xFF\n"
    printf "\tdereference:   [addr]            dereference:   addr(,1)\n"
    printf "\tabsolute addr: addr              absolute addr: *addr\n"
    printf "\tbyte insn:     mov byte ptr      byte insn:     movb\n"
    printf "\tword insn:     mov word ptr      word insn:     movw\n"
    printf "\tdword insn:    mov dword ptr     dword insn:    movl\n"
    printf "\tfar call:      call far          far call:      lcall\n"
    printf "\tfar jump:      jmp far           far jump:      ljmp\n"
    printf "\n"
    printf "Note that the order of operands is reversed, and that AT&T syntax\n"
    printf "requires that all instructions referencing memory operands\n"
    printf "use an operand size suffix (b, w, l, q)\n"
    printf "\n"
end
document tip_syntax
Syntax: tip_syntax
| Summary of Intel and AT&T syntax differences.
end


define tip_display
    printf "\n"
    printf "Any expression can be set to automatically be displayed every time\n"
    printf "the target stops. The commands for this are:\n"
    printf "\t`display expr' : automatically display expression 'expr'\n"
    printf "\t`display' : show all displayed expressions\n"
    printf "\t`undisplay num' : turn off autodisplay for expression # 'num'\n"
    printf "Examples:\n"
    printf "\t`display/x *(int *)$esp` : print top of stack\n"
    printf "\t`display/x *(int *)($ebp+8)` : print first parameter\n"
    printf "\t`display (char *)$esi` : print source string\n"
    printf "\t`display (char *)$edi` : print destination string\n"
    printf "\n"
end
document tip_display
Syntax: tip_display
| Tips on automatically displaying values when a program stops.
end

# bunch of semi-useless commands

# enable and disable shortcuts for stop-on-solib-events fantastic trick!
define enablesolib
    set stop-on-solib-events 1
    printf "Stop-on-solib-events is enabled!\n"
end
document enablesolib
Syntax: enablesolib
| Shortcut to enable stop-on-solib-events trick.
end


define disablesolib
    set stop-on-solib-events 0
    printf "Stop-on-solib-events is disabled!\n"
end
document disablesolib
Syntax: disablesolib
| Shortcut to disable stop-on-solib-events trick.
end


# enable commands for different displays
define enabledisasm
    set $SHOWDISASM = 1
end
document enabledisasm
Syntax: enabledisasm
| Enable disassembly display.
end

define enableobjectivec
    set $SHOWOBJECTIVEC = 1
end
document enableobjectivec
Syntax: enableobjectivec
| Enable display of objective-c information in the context window.
end


define enablecpuregisters
    set $SHOWCPUREGISTERS = 1
end
document enablecpuregisters
Syntax: enablecpuregisters
| Enable display of cpu registers in the context window.
end


define enablestack
    set $SHOWSTACK = 1
end
document enablestack
Syntax: enablestack
| Enable display of stack in the context window.
end


define enabledatawin
    set $SHOWDATAWIN = 1
end
document enabledatawin
Syntax: enabledatawin
| Enable display of data window in the context window.
end


# disable commands for different displays
define disabledisasm
    set $SHOWDISASM = 0
end
document disabledisasm
Syntax: disabledisasm
| Disable disassembly display.
end

define disableobjectivec
    set $SHOWOBJECTIVEC = 0
end
document disableobjectivec
Syntax: disableobjectivec
| Disable display of objective-c information in the context window.
end


define disablecpuregisters
    set $SHOWCPUREGISTERS = 0
end
document disablecpuregisters
Syntax: disablecpuregisters
| Disable display of cpu registers in the context window.
end


define disablestack
    set $SHOWSTACK = 0
end
document disablestack
Syntax: disablestack
| Disable display of stack information in the context window.
end


define disabledatawin
    set $SHOWDATAWIN = 0
end
document disabledatawin
Syntax: disabledatawin
| Disable display of data window in the context window.
end


define arm
    if $ARMOPCODES == 1
        set arm show-opcode-bytes 1
    end
    set $ARM = 1
end
document arm
Syntax: arm
| Set gdb to work with ARM binaries.
end

define ioskdp
    set $SHOW_CONTEXT = 0
    set $SHOW_NEST_INSN = 0
end
document ioskdp
Syntax: ioskdp
| Disable dumping context information for iOS KDP debugging
end

define intelsyntax
    if $ARM == 0
        set disassembly-flavor intel
        set $X86FLAVOR = 0
    end
end
document intelsyntax
Syntax: intelsyntax
| Change disassembly syntax to intel flavor.
end


define attsyntax
    if $ARM == 0
        set disassembly-flavor att
        set $X86FLAVOR = 1
    end
end
document attsyntax
Syntax: attsyntax
| Change disassembly syntax to at&t flavor.
end

define kernel32
    if $argc != 0
        # try to load kgmacros files
        # failure is silent if non-existent...
        source $arg0
        set architecture i386
        if $argc == 2
            target remote localhost:$arg1
        else
            target remote localhost:8832
        end
    else
        help kernel32
    end
end
document kernel32
Syntax: kernel32 PATH_TO_KGMACROS [PORT]
| Attach to VMware gdb stub for 32 bits kernel.
| The path to kgmacros must be supplied as first parameter.
| If you don't want to load kgmacros just put something as the first parameter.
| Optional parameter is the port to connect to, in case you are not using the default 8832
| or want to kernel debug more than one active virtual machine.
| By supplying a bogus kgmacros this command should be compatible with any OS.
end

define kernel64
    if $argc != 0
        # try to load kgmacros files
        # failure is silent if non-existent...
        source $arg0
        set architecture i386:x86-64
        if $argc == 2
            target remote localhost:$arg1
        else
            target remote localhost:8864
        end
    else
        help kernel64
    end
end
document kernel64
Syntax: kernel64 PATH_TO_KGMACROS [PORT]
| Attach to VMware gdb stub for 64 bits kernel.
| The path to kgmacros must be supplied as first parameter.
| If you don't want to load kgmacros just put something as the first parameter.
| Optional parameter is the port to connect to, in case you are not using the default 8864
| or want to kernel debug more than one active virtual machine.
| By supplying a bogus kgmacros this command should be compatible with any OS.
end

define 32bits
    set $KDP64BITS = 0
    set $64BITS = 0
end

define 64bits
    set $KDP64BITS = 1
    set $64BITS = 1
end

define resetkdp
    set $KDP64BITS = -1
end

define header
    if $argc != 1
        help header
    else
        dump memory /tmp/gdbinit_header_dump $arg0 $arg0 + 4096
        shell /usr/bin/otool -h /tmp/gdbinit_header_dump
        shell /bin/rm -f /tmp/gdbinit_header_dump
    end
end
document header
Syntax: header MACHO_HEADER_START_ADDRESS
| Dump the Mach-O header located at given address
end

define loadcmds
    if $argc != 1
        help loadcmds
    else
        # this size should be good enough for most binaries
        dump memory /tmp/gdbinit_header_dump $arg0 $arg0 + 4096 * 10
        shell /usr/bin/otool -l /tmp/gdbinit_header_dump
        shell /bin/rm -f /tmp/gdbinit_header_dump
    end
end
document loadcmds
Syntax: loadcmds MACHO_HEADER_START_ADDRESS
| Dump the Mach-O load commands
end

# defining it here doesn't get the space #$#$%"#!
define disablecolorprompt
    set prompt gdb$
end
document disablecolorprompt
Syntax: disablecolorprompt
| Remove color from prompt
end

define enablecolorprompt
    set prompt \033[31mgdb$ \033[0m
end
document enablecolorprompt
Syntax: enablecolorprompt
| Enable color prompt
end

#EOF
--------------------------------------------------------------------------------
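The dumpmacho, header and loadcmds commands above all rely on the same Mach-O header arithmetic: the magic at offset 0 selects a 0x1c-byte (32-bit) or 0x20-byte (64-bit) header, sizeofcmds at offset 0x14 gives the length of the load commands that follow, and `otool -l` then walks those commands by their cmd/cmdsize pairs. The Python below is an added example, not code from fG!'s gdbinit: it models that logic offline on two constructed sample headers, emits the exact `dump memory` line dumpmacho would run, and walks the load commands with bounds checks against sizeofcmds so a corrupted header cannot drive the parser out of the buffer. The load-command ids are the values from `<mach-o/loader.h>`; the cputype, flags and offsets in the samples are made up.

```python
"""Mach-O header arithmetic behind gdbinit's dumpmacho, header and loadcmds.

Added example, not part of fG!'s gdbinit: a pure-Python model of what the gdb
commands read from memory, run here on constructed sample headers.
"""
import struct

MH_MAGIC = 0xFEEDFACE     # 32-bit mach_header, the value dumpmacho tests for
MH_MAGIC_64 = 0xFEEDFACF  # 64-bit mach_header_64
# sizeof(mach_header) / sizeof(mach_header_64): the 0x1c / 0x20 dumpmacho adds
HEADER_SIZE = {MH_MAGIC: 0x1C, MH_MAGIC_64: 0x20}
NCMDS_OFFSET = 0x10       # ncmds, followed by sizeofcmds at 0x14 in both headers

# load command ids used in the samples (values from <mach-o/loader.h>)
LC_SEGMENT = 0x1
LC_SYMTAB = 0x2
LC_SEGMENT_64 = 0x19
LC_MAIN = 0x80000028
LC_NAMES = {LC_SEGMENT: "LC_SEGMENT", LC_SYMTAB: "LC_SYMTAB",
            LC_SEGMENT_64: "LC_SEGMENT_64", LC_MAIN: "LC_MAIN"}


def parse_header(buf):
    """Return (magic, ncmds, sizeofcmds, header_size, total) for a Mach-O header.

    total is header_size + sizeofcmds, i.e. how many bytes dumpmacho writes.
    The magic is read as a little-endian host integer, exactly as `*$arg0`
    does in gdb on x86; a fat (0xcafebabe) or big-endian header is rejected
    here for the same reason the gdb command rejects it.
    """
    if len(buf) < 0x1C:
        raise ValueError("buffer too small for a Mach-O header")
    magic = struct.unpack_from("<I", buf, 0)[0]
    if magic not in HEADER_SIZE:
        raise ValueError(f"not a valid Mach-O header: magic {magic:#x}")
    ncmds, sizeofcmds = struct.unpack_from("<II", buf, NCMDS_OFFSET)
    header_size = HEADER_SIZE[magic]
    return magic, ncmds, sizeofcmds, header_size, header_size + sizeofcmds


def gdb_dump_command(start, filename, buf):
    """The `dump memory` line dumpmacho ends up running for a header at start."""
    total = parse_header(buf)[4]
    return f"dump memory {filename} {start:#x} {start + total:#x}"


def walk_load_commands(buf):
    """List (offset, cmd, name, cmdsize) the way `otool -l` enumerates them.

    Every cmdsize is checked against the header's sizeofcmds so a corrupted
    or truncated header raises instead of reading past the buffer.
    """
    _, ncmds, _, header_size, total = parse_header(buf)
    if total > len(buf):
        raise ValueError("load commands extend past the end of the buffer")
    cmds, off = [], header_size
    for _ in range(ncmds):
        if off + 8 > total:
            raise ValueError(f"truncated load command at offset {off:#x}")
        cmd, cmdsize = struct.unpack_from("<II", buf, off)
        if cmdsize < 8 or off + cmdsize > total:
            raise ValueError(f"bad cmdsize {cmdsize:#x} at offset {off:#x}")
        cmds.append((off, cmd, LC_NAMES.get(cmd, f"LC_{cmd:#x}"), cmdsize))
        off += cmdsize
    return cmds


def sample_macho64():
    """Constructed 64-bit header: one __TEXT segment plus LC_MAIN (96 bytes of load commands)."""
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x01000007, 0x80000003, 2, 2, 96, 0x200085, 0)
    seg = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72, b"__TEXT",
                      0x100000000, 0x1000, 0, 0x1000, 5, 5, 0, 0)
    main = struct.pack("<IIQQ", LC_MAIN, 24, 0xF50, 0)
    return hdr + seg + main


def sample_macho32():
    """Constructed 32-bit header with a single LC_SYMTAB (24 bytes of load commands)."""
    hdr = struct.pack("<IIIIIII", MH_MAGIC, 7, 3, 2, 1, 24, 0x85)
    symtab = struct.pack("<IIIIII", LC_SYMTAB, 24, 0x1000, 10, 0x1100, 0x80)
    return hdr + symtab


if __name__ == "__main__":
    buf = sample_macho64()
    print(gdb_dump_command(0x100000000, "/tmp/macho_header.bin", buf))
    for off, cmd, name, size in walk_load_commands(buf):
        print(f"{off:#06x}: {name:<14} cmdsize={size:#x}")
```

The bounds checks in `walk_load_commands` are the part the gdb commands leave to otool: loadcmds dumps a fixed 40 KiB regardless of sizeofcmds, so a header whose sizeofcmds or cmdsize fields point past that window is something the parser, not the dumper, has to notice.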