
I have a program I'm trying to look at in GDB which has been compiled without debug options, so no symbol table, can't see the source code, etc. The main function has 2 variables:

  char *p;
  char buffer[128];

Can I identify the memory locations of these variables without the symbols table?

If yes, how? And would x/x <addr of p> correctly tell me what address in memory the pointer is pointing to?

I have access to the source code separately, and I see that the pointer should be pointing to the address of the buffer + an offset value, but I don't know how to actually find the location in memory of that pointer so that I can examine what the pointer looks like at different stages of execution.

A. Trevelyan

  • If those are the only locals in `main` it should be pretty easy to spot the assignment to `p` from the disassembly. Also since they are locals you can limit the address to the current stack frame and there are only a few options for the layout. – Jester Nov 05 '22 at 23:11
  • Spot the assignment from the instructions in the disassembly you mean? I'm not sure how this part works - since I can't break on specific line numbers, what I do is **gdb myprog** and then **b main**, then **r**, does this break immediately when main is called? The first things that happen in main are the local variable definitions, then an if statement, would this be breaking at the if statement, or before? [this](https://i.stack.imgur.com/L69s7.png) is what I see, but my assembly isn't too hot to fully ID everything. – A. Trevelyan Nov 05 '22 at 23:49
  • The 3 lines from +97 are what you are interested in. The `buffer` is at `ebp-0x9c` and `p` is at `ebp-0x1c`. The added offset is in `edx` at that point. – Jester Nov 06 '22 at 00:01
  • If you're a beginner with assembly, I'd suggest compiling 32-bit code with `gcc -m32 -fno-pie -no-pie` to avoid calling `__x86.get_pc_thunk.bx`. Only 32-bit code does that, 64-bit code can use RIP-relative addressing to be position-independent. Preferably also with at least `-Og` or `-O1`, unless you want to look at how each statement compiles separately, including stuff with local vars that you don't use later so would optimize away. [How to remove "noise" from GCC/clang assembly output?](https://stackoverflow.com/q/38552116) – Peter Cordes Nov 06 '22 at 00:17
  • @Jester Thanks for that explanation, that was a huge help, some things started to click after that and I think I'm understanding the flow of the code a bit better now. – A. Trevelyan Nov 06 '22 at 02:13
  • @PeterCordes thanks for the tip, this isn't my code though, I'm trying to learn some stuff so I have to work with it as-is, but those code samples are helpful for stuff I can look at to gain some more insight. – A. Trevelyan Nov 06 '22 at 02:14
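As an added example (not part of the question or its comments), here is a GDB command file that applies the frame offsets Jester read from the asker's disassembly. The binary name `myprog`, the 32-bit layout and the offsets `ebp-0x9c` / `ebp-0x1c` are assumptions taken from the thread; read your own from the `mov` instructions that store to `-N(%ebp)` in `disassemble main`.

```gdb
# Added example, not the asker's session: inspect two unnamed locals of main
# in a binary with no symbol table, using only their frame offsets.
# Assumed from the thread: 32-bit build, buffer at ebp-0x9c, p at ebp-0x1c.
file myprog                    # assumed binary name
break main                     # gdb skips the prologue, so $ebp is valid here
run
# Convenience variables so the later commands read naturally.
set $buf = (char *)($ebp - 0x9c)
set $pp  = (char **)($ebp - 0x1c)
# Stop the moment the stack slot holding p is written: a hardware watchpoint
# on the slot needs no symbol.  This is the store among the 3 instructions
# from main+97 that Jester pointed at.  Using $ebp in the expression makes
# the watchpoint frame-scoped, so gdb deletes it when main returns.
watch *(char **)($ebp - 0x1c)
continue
# x/wx on p's address prints the 4-byte value stored there, i.e. the address
# that p points to.  x/s on that value shows the bytes at the pointed-to spot.
x/wx $pp
x/s *$pp
# The added offset: distance from the start of buffer to where p points.
printf "p - buffer = %d bytes\n", (int)(*$pp - $buf)
# Show both automatically at every later stop while stepping through main.
display/x *$pp
display (int)(*$pp - $buf)
```

Run it with `gdb -x this-file.gdb`; the `display` lines re-evaluate after each `stepi`/`next`, which is how you watch the pointer change across the stages of execution.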
