
I am disassembling the memory of the following Python program. The disassembly should start with an int 3 instruction, or 0xcc, but GDB (running through either CLion or qt develop) does not see it and instead shows some kind of add instruction that results from decoding one previous byte with it, that is 0x00 0xcc.

I am aware that x86 assembly is not self-synchronizing (What happens if `objdump -d --start-address` starts printing from the middle of an x86 instruction?).

How can I help GDB to synchronize this properly?

[qt creator screenshot]

import ctypes
import mmap

# Anonymous page mapped readable, writable and executable; the code bytes go straight into it.
buf = mmap.mmap(-1, mmap.PAGESIZE, prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
buf.write(
    b'\xcc'  # int 3

    b'\x8b\xc7'  # mov eax, edi
    b'\x83\xc0\x01'  # add eax, 1
    b'\xc3'  # ret
)

# Treat the start of the page as a C function int f(int) and call it.
f_type = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int)
f_pointer = ctypes.c_void_p.from_buffer(buf)
f = f_type(ctypes.addressof(f_pointer))

result = f(42)
print(f"{result=}")

# Drop the ctypes view of the buffer before unmapping it.
del f_pointer
buf.close()
user7610
  • Looks like qt develop issues `37-interpreter-exec console "disassemble /rs 0x7ff5ddc4ffed,0x7ff5ddc50065"`. Looks like I can right click, select "Open Disassembler at Address..." and type my own start address. Is there a way to get the IDE figure out the right address automatically? Can I do this in Clion which does not seem to have the Open Disassembler at Address command? – user7610 May 21 '23 at 18:39
  • It is weird that the address for the function is odd; I would have expected it to be 0x7ff5ddc500000 instead — a full page boundary for the mapping. Can you try maybe doing `buf.tell()` both before & after the `buf.write` and sharing those results? Also share value of `f_pointer` & `f`. Also share the return value from `buf.write`. – Erik Eidt May 21 '23 at 18:39
  • The address (of the `int 3` instruction) is `0x7ff5ddc50000`, indeed. It's just that IP has already moved onto the next instruction when the coredump was created (due to SIGTRAP caused by the `int 3`). – user7610 May 21 '23 at 18:48

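As an added illustration (not part of the question or its comments): a tiny linear-sweep decoder in Python that knows only the opcodes in the buffer above, run once from the `int 3` and once from the zero byte just below the page. It reproduces what the screenshot shows: a window that starts below `0x7ff5ddc50000` decodes the bytes `00 cc` as `add ah, cl`, so the `int3` disappears from the listing, and the sweep falls back into step at the following `mov`. The zero bytes below the page and the decoder itself are constructed for this example; the page address is the one quoted in the comments.

```python
# Added example, not the asker's code: a minimal linear-sweep x86 decoder that handles
# only the register-direct forms of the opcodes in the question's buffer, plus the
# 0x00 "add r/m8, r8" that shows up when decoding starts one byte early.

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REG8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]  # no REX prefix involved


def _modrm(byte):
    """Split a ModRM byte into (mod, reg, rm)."""
    return byte >> 6, (byte >> 3) & 7, byte & 7


def decode_one(code, off):
    """Decode the instruction at code[off:] and return (length, text).
    Anything outside the handful of opcodes handled here is emitted as a raw
    byte so that the sweep keeps going, which is what a real decoder does too."""
    op = code[off]
    nxt = code[off + 1] if off + 1 < len(code) else None
    if op == 0xCC:
        return 1, "int3"
    if op == 0xC3:
        return 1, "ret"
    if nxt is not None:
        mod, reg, rm = _modrm(nxt)
        if op == 0x8B and mod == 3:  # mov r32, r/m32
            return 2, f"mov {REG32[reg]}, {REG32[rm]}"
        if op == 0x00 and mod == 3:  # add r/m8, r8
            return 2, f"add {REG8[rm]}, {REG8[reg]}"
        if op == 0x83 and mod == 3 and reg == 0 and off + 2 < len(code):  # add r/m32, imm8
            return 3, f"add {REG32[rm]}, {code[off + 2]:#x}"
    return 1, f".byte {op:#04x}"


def sweep(memory, start, base):
    """Linear sweep from memory[start:]; base is the address of memory[0].
    Returns a list of (address, hex bytes, text) tuples."""
    out, off = [], start
    while off < len(memory):
        length, text = decode_one(memory, off)
        out.append((base + off, memory[off:off + length].hex(), text))
        off += length
    return out


def first_common_address(a, b):
    """First address at which two sweeps agree on an instruction boundary, or None."""
    addrs = {addr for addr, _, _ in b}
    return next((addr for addr, _, _ in a if addr in addrs), None)


CODE = bytes([0xCC, 0x8B, 0xC7, 0x83, 0xC0, 0x01, 0xC3])  # the question's buffer
PAGE = 0x7FF5DDC50000                  # buffer address quoted in the comments
MEMORY = b"\x00\x00" + CODE            # constructed: zero bytes below the page, as GDB saw them
BASE = PAGE - 2                        # address of MEMORY[0]

CORRECT = sweep(MEMORY, 2, BASE)       # start exactly at the int3
EARLY = sweep(MEMORY, 1, BASE)         # start one byte below the page

if __name__ == "__main__":
    for label, listing in ((f"from {PAGE:#x} (the int3):", CORRECT),
                           (f"from {PAGE - 1:#x} (one byte early):", EARLY)):
        print(label)
        for addr, raw, text in listing:
            print(f"  {addr:#x}  {raw:<8} {text}")
    print("sweeps resynchronise at", hex(first_common_address(EARLY, CORRECT)))
```

Since the trap leaves `$pc` one past the `int 3` (as the comments observe), the address to hand GDB is `$pc - 1`, for example `x/4i $pc-1` or `disassemble $pc-1,+7`. The `first_common_address` check shows that a sweep started one byte early is back in step by the `mov`, but the `int3` itself never appears in that listing, which is exactly the symptom in the screenshot.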
0 Answers