flat assembler
Message board for the users of flat assembler.

Linux > Question about debuggers for Linux

marywilliam 07 Jun 2018, 07:23
hello!

I'm new to assembler, so please forgive my beginner question. I'm using FDBG to debug a program I created. I'm simply trying to push words onto the stack a total of 10 times, but when I trace the program using FDBG, I get results on the stack that don't make sense (see attachment).

1) After the first push the stack gets updated. But after the second push, it seems like the first push is undone and there is only one qword pushed on the stack. Could someone explain what is going on?

2) The instruction is pushd 0x00. But I see it is only pushing qwords. In 64 bit, can you push only qwords or can you push other amounts?

thanks for the help


Attachment: stack.png


revolution 07 Jun 2018, 08:41
If your code is 32-bit then all pushes can be 2 bytes or 4 bytes. In 64-bit mode all pushes can be either 2 bytes or 8 bytes (never 4 bytes).

So I guess your code is 32-bit, FDBG is displaying the stack as 64-bit values, and each push is 4 bytes.
marywilliam 07 Jun 2018, 21:22
revolution wrote:
If your code is 32-bit then all pushes can be 2 bytes or 4 bytes. In 64-bit mode all pushes can be either 2 bytes or 8 bytes (never 4 bytes).

So I guess your code is 32-bit, FDBG is displaying the stack as 64-bit values, and each push is 4 bytes.

I'm not sure I understand. If it is displaying it as 64bit values, after the first push, shouldn't it show:
0000000000000000
FFED62CA00000001

But instead it results in:
0000000100000000
00000000FFED62CA

What is all that extra stuff? Sorry for my confusion.
revolution 08 Jun 2018, 01:05
If the push is only 4 bytes then all the values shift by half in the 64 bit display.

Ideally FDBG should display 32 bit values, and then each push would simply move everything down one slot, instead of what you see, where it moves everything horizontally and then down. If you follow the path of the 32 bit value "FFED62CA" you can see it go from one side to the other side and move down one slot for each two pushes.

Can you change FDBG to show 32 bit values?
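The effect revolution describes, as an added example that is not code from the thread: a simulated 32-bit stack is written with 4-byte pushes and then rendered both as dwords (what a 32-bit stack window would show) and as little-endian qwords (what a 64-bit debugger such as FDBG shows). It assumes the poster's initial stack held argc = 1 at [esp] and the argv[0] pointer 0xFFED62CA at [esp+4], which are the two values visible in the posted dump, and it assumes x86 little-endian byte order. With those assumptions the qword view after the first pushd 0 reproduces the poster's 0000000100000000 / 00000000FFED62CA, and after the second push the first qword is all zeros again, which is why the first push appears to have been "undone".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not code from the thread). Models a 32-bit program whose
 * stack is dumped by a 64-bit debugger.
 *
 * Assumed initial stack (taken from the poster's dump): argc = 1 at [esp],
 * argv[0] = 0xFFED62CA at [esp+4]. Assumed little-endian layout, as on x86.
 */

#define SLOTS 8            /* dwords of simulated stack memory */

typedef struct {
    uint32_t mem[SLOTS];   /* mem[i] is the dword at base + 4*i */
    int sp;                /* index of the dword esp currently points at */
} stack32;

/* esp points at argc, argv[0] sits just above it, everything else is zero. */
static void stack32_init(stack32 *s)
{
    memset(s->mem, 0, sizeof s->mem);
    s->sp = SLOTS - 4;                 /* leave room for a few pushes */
    s->mem[s->sp]     = 0x00000001;    /* argc (assumed) */
    s->mem[s->sp + 1] = 0xFFED62CA;    /* argv[0] (address seen in the dump) */
}

/* pushd: esp -= 4; [esp] = value. A 4-byte push, as in 32-bit code. */
static void pushd(stack32 *s, uint32_t value)
{
    s->sp -= 1;
    s->mem[s->sp] = value;
}

/* Dword i above esp: what a 32-bit stack window would display. */
static uint32_t dword_at(const stack32 *s, int i)
{
    return s->mem[s->sp + i];
}

/* Qword i above esp: what a 64-bit debugger displays. On a little-endian
 * machine the lower address supplies the low 32 bits of the qword. */
static uint64_t qword_at(const stack32 *s, int i)
{
    uint64_t lo = s->mem[s->sp + 2 * i];
    uint64_t hi = s->mem[s->sp + 2 * i + 1];
    return (hi << 32) | lo;
}

/* Qword slot `slot` after `npushes` executions of pushd 0 on a fresh stack. */
static uint64_t qword_after_pushes(int npushes, int slot)
{
    stack32 s;
    stack32_init(&s);
    for (int i = 0; i < npushes; i++) pushd(&s, 0);
    return qword_at(&s, slot);
}

static void dump(const stack32 *s, const char *label)
{
    printf("%s\n  as dwords:", label);
    for (int i = 0; i < 4; i++) printf(" %08X", dword_at(s, i));
    printf("\n  as qwords:");
    for (int i = 0; i < 2; i++) printf(" %016llX", (unsigned long long)qword_at(s, i));
    printf("\n");
}

int main(void)
{
    stack32 s;
    stack32_init(&s);
    dump(&s, "before any push");
    pushd(&s, 0);
    dump(&s, "after first pushd 0");     /* qwords: 0000000100000000 00000000FFED62CA */
    pushd(&s, 0);
    dump(&s, "after second pushd 0");    /* qwords: 0000000000000000 FFED62CA00000001 */
    return 0;
}
```

The dword rows show each push simply moving everything one slot down; the qword rows show the same bytes, but because each push is half a qword, FFED62CA swaps between the low and high half of a slot and drops one row only every second push.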
marywilliam 08 Jun 2018, 06:47
I don't know if it's possible to change FDBG to do that. Are there other debuggers for Linux? Could you recommend some?
Feryno 09 Jun 2018, 05:32
hi, the e command always displays qwords because fdbg is a 64-bit debugger
if you need to display dwords, use the command d
d d rsp
(just from memory, maybe I'm mistaken about the syntax)
Furs 09 Jun 2018, 15:30
marywilliam wrote:
I don't know if it's possible to change FDBG to do that. Are there other debuggers for Linux? Could you recommend some?
gdb is pretty much the "standard" though I dislike it.
moveax41h 21 Jul 2018, 04:37
I recommend https://github.com/hugsy/gef

You guys will really like it. You first need to install GDB version 7.7+ (8 works too), then run that script, and then run gdb -q somebinary.

This is great for an assembly programmer on Linux. See screenshot attached to this post.


Attachment: Screenshot from 2018-07-20 21-36-29.png
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.