
Coming from a Windows environment, when I do kernel debugging or even in user mode for that matter, I can see the disassembled code in a way that is quite detailed, for example:

80526db2 6824020000      push    224h
80526db7 6808a14d80      push    offset nt!ObWatchHandles+0x8dc (804da108)
80526dbc e81f030100      call    nt!_SEH_prolog (805370e0)
80526dc1 a140a05480      mov     eax,dword ptr [nt!__security_cookie (8054a040)]

The first number is the address quite obviously but the second represents the opcode bytes and that is lacking on GDB or at least, I don't know how to get a similar result.

I usually will do something like this:

(gdb): display /i $pc

But all I get is something like this:

x/i $pc 0x21c4c: pop %eax

I can see what the code bytes are which is sometimes a bit of an issue for me. Is there something I can do with display that could help?

Edit: GDB in question is 6.3.50 on Mac OS X 10.8.3.

E.T

2 Answers


I think disassemble /r should give you what you are looking for:

(gdb) help disass
Disassemble a specified section of memory.
Default is the function surrounding the pc of the selected frame.
With a /m modifier, source lines are included (if available).
With a /r modifier, raw instructions in hex are included.
With a single argument, the function surrounding that address is dumped.
Two arguments (separated by a comma) are taken as a range of memory to dump,
  in the form of "start,end", or "start,+length".
(gdb) disass /r main
Dump of assembler code for function main:
   0x004004f8 <+0>:      55     push   %ebp
   0x004004f9 <+1>:      48     dec    %eax
   0x004004fa <+2>:      89 e5  mov    %esp,%ebp
   0x004004fc <+4>:      48     dec    %eax
   0x004004fd <+5>:      83 ec 10       sub    $0x10,%esp
   0x00400500 <+8>:      89 7d fc       mov    %edi,-0x4(%ebp)
   0x00400503 <+11>:     48     dec    %eax
   0x00400504 <+12>:     89 75 f0       mov    %esi,-0x10(%ebp)
   0x00400507 <+15>:     bf 0c 06 40 00 mov    $0x40060c,%edi
   0x0040050c <+20>:     b8 00 00 00 00 mov    $0x0,%eax
   0x00400511 <+25>:     e8 0a ff ff ff call   0x400420
   0x00400516 <+30>:     bf 00 00 00 00 mov    $0x0,%edi
   0x0040051b <+35>:     e8 10 ff ff ff call   0x400430
End of assembler dump.
(gdb) 

GDB disassemble command documentation

Digital Trauma
  • Thanks. I did see that. I didn't provide all the information though. This is using GDB on Mac OS Mountain Lion and I have GDB 6.3.50, which incidentally doesn't have /r – E.T Oct 22 '13 at 17:20
  • @E.T - no idea why OSX would package such an old version of GDB. Anyway, one way forward would be to pull in a newer GDB: http://stackoverflow.com/questions/8336433/gdb-on-macosx-lion – Digital Trauma Oct 22 '13 at 17:28
  • Will look into it. I found the part of the code in GDB that does the byte code so I'll prolly end up pulling that code off GDB for Linux and update my own GDB on Mac OS, recompile, sign it and go from there :) Thanks! very helpful. – E.T Oct 22 '13 at 17:42
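As an added example (not part of either answer), a small Python helper that parses `disassemble /r` output like the dump above, checks that each instruction's byte count matches the address stride, and flags the lone `48` bytes the dump shows as `dec %eax`: in x86-64 code 0x48 is the REX.W prefix, so those lines are a hint that a 32-bit decoder was run over 64-bit code (`55 48 89 e5 48 83 ec 10` is the usual `push %rbp; mov %rsp,%rbp; sub $0x10,%rsp` prologue). The sample input is the first lines of the answer's dump embedded as a constant; the REX check is a heuristic, since `dec %eax` is valid in genuine 32-bit code.

```python
import re

# Constructed sample input: the first lines of the `disassemble /r` dump quoted in the answer above.
SAMPLE_DUMP = """\
Dump of assembler code for function main:
   0x004004f8 <+0>:      55     push   %ebp
   0x004004f9 <+1>:      48     dec    %eax
   0x004004fa <+2>:      89 e5  mov    %esp,%ebp
   0x004004fc <+4>:      48     dec    %eax
   0x004004fd <+5>:      83 ec 10       sub    $0x10,%esp
   0x00400500 <+8>:      89 7d fc       mov    %edi,-0x4(%ebp)
   0x00400503 <+11>:     48     dec    %eax
   0x00400504 <+12>:     89 75 f0       mov    %esi,-0x10(%ebp)
   0x00400507 <+15>:     bf 0c 06 40 00 mov    $0x40060c,%edi
End of assembler dump.
"""

# One dump line: optional "=>" marker, address, <+offset>, raw hex bytes, mnemonic, operands.
LINE_RE = re.compile(r"^\s*(?:=>\s*)?0x([0-9a-fA-F]+)\s+<\+\d+>:\s+"
                     r"((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})\s+(\S+)\s*(.*)$")

def parse_dump(text):
    """Parse `disassemble /r` output into (addr, raw bytes, mnemonic, operands) tuples."""
    out = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):  # skips header/footer lines
        addr, raw, mnem, ops = m.groups()
        out.append((int(addr, 16), bytes.fromhex(raw.replace(" ", "")), mnem, ops.strip()))
    return out

def address_gaps(insns):
    """(addr, expected next, actual next) wherever byte count and address stride disagree."""
    return [(a, a + len(b), a2) for (a, b, _, _), (a2, *_) in zip(insns, insns[1:]) if a + len(b) != a2]

def rex_shown_as_insn(insns):
    """Heuristic: a lone 0x40..0x4f byte listed as inc/dec is really a REX prefix if the
    code is x86-64, i.e. the decoder ran in 32-bit mode. Returns the addresses of such bytes."""
    return [a for a, b, m, _ in insns if len(b) == 1 and 0x40 <= b[0] <= 0x4f and m in ("inc", "dec")]

def merge_rex(insns):
    """Re-attach each flagged prefix byte to the following instruction, giving the byte
    groups a 64-bit decoder would show (e.g. 48 89 e5 = mov %rsp,%rbp)."""
    flagged, out, i = set(rex_shown_as_insn(insns)), [], 0
    while i < len(insns):
        raw = insns[i][1]
        if insns[i][0] in flagged and i + 1 < len(insns):
            raw += insns[i + 1][1]
            i += 1
        out.append(raw)
        i += 1
    return out
```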

If you use lldb, you can use the -b option to disassemble to get the same effect:

(lldb) disassemble -b -p
Sketch`main + 46 at SKTMain.m:17:
-> 0x10001aa0e:  48 89 c7              movq   %rax, %rdi
   0x10001aa11:  b0 00                 movb   $0, %al
   0x10001aa13:  e8 f2 48 00 00        callq  0x10001f30a               ; symbol stub for: NSLog
   0x10001aa18:  48 8d 35 99 fa 00 00  leaq   64153(%rip), %rsi         ; @Sketch`.str3
Jim Ingham