gdb not hitting breakpoints

Published 2024-08-06 03:20:01

To learn a bit more about FreeBSD and *nix systems in general, I'm starting to look at the binaries from the DEFCON 17 Capture The Flag game. Right now, I'm reversing the tucod binary. Here's some possibly useful information on tucod:

tucod: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 7.2, dynamically linked (uses shared libs), FreeBSD-style, stripped

Some other possibly useful information gained from some brief static analysis is that tucod binds on port 0xDEAD (cute, eh?) and if you give it a specific password ("HANGEMHIGH!") it will play a game of hang-man with you.

The problem that I'm encountering is that I'm not hitting my breakpoints in gdb. Specifically, the breakpoint that I'm trying to reach is in the code that handles the client connection. Without breakpoints, the code executes as expected. When I set a breakpoint on that code, the child exits (instead of breaking into gdb, as expected). If I set breakpoints before the server forks off the child, I can hit those fine but after hitting "continue" the child does not continue to process my connection (that is, it won't ask me for a password or play hang-man).

Since the daemon forks when it receives a new connection, I try to tell gdb to follow the child with this command:

(gdb) set follow-fork-mode child

But after single-stepping the instructions after the fork, it appears that this isn't working.

I've tried looking for calls to signal, thinking they implemented a custom SIGINT handler (or similar), but the only call to signal that I can see handles SIGCHLD.

My breakpoint in gdb currently looks like this:

(gdb) info breakpoints
Num Type           Disp Enb Address    What
1   breakpoint     keep y   0x080497d0

And 0x080497d0 is the address I want to break on in the client processing code.

I'm sort of new to analyzing software on *nix systems and could use some pointers. How else should I go about troubleshooting why GDB will not hit my breakpoints? Or is there something major I'm just overlooking?

There's a torrent available with all of the game binaries for those interested in seeing the binary first-hand.

Comments (1)

Smile简单爱 2024-08-13 03:20:01

Look here for the answer. In short, it looks like GDB supports child debug mode only on HP-UX and Linux.
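Given that answer, gdb on the questioner's platform stays with the parent and the forked child runs free, which is why the breakpoint at 0x080497d0 is never reported. The practical workaround is to attach to the child after the fork instead of trying to follow it. The block below is an added example, not code from the question or from the tucod binary: a minimal forking worker whose child parks itself with SIGSTOP when asked, so you can attach with `gdb -p <pid>` and set breakpoints before it touches the connection. The `handle_client` stand-in, the request-as-string interface and the `STOP_FOR_GDB` environment variable are constructed for the example; the only thing taken from the page is the password string the question found by static analysis.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for tucod's per-connection handler: instead of
 * reading from a socket it receives the client's first line as a string.
 * The password is the one the question reports finding in the binary. */
static const char *PASSWORD = "HANGEMHIGH!";

static int handle_client(const char *request)
{
    if (strcmp(request, PASSWORD) == 0)
        return 0;   /* correct password: the real daemon would start hangman */
    return 1;       /* wrong password: child exits */
}

/* Fork a worker for one connection. If stop_for_debugger is nonzero the
 * child stops itself with SIGSTOP before doing any work, which gives you
 * time to attach:  gdb -p <pid>, set breakpoints, continue.
 * Returns the child's pid, or -1 if fork failed. */
pid_t spawn_worker(int stop_for_debugger, const char *request)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (stop_for_debugger)
            raise(SIGSTOP);   /* parked here until SIGCONT arrives */
        _exit(handle_client(request));
    }
    return pid;
}

/* Parent side: block until the child has actually stopped. WUNTRACED makes
 * waitpid report stopped children, not only exited ones. Returns 1 if the
 * child is parked on SIGSTOP, 0 otherwise. */
int wait_for_stop(pid_t pid)
{
    int status;
    if (waitpid(pid, &status, WUNTRACED) != pid)
        return 0;
    return WIFSTOPPED(status) && WSTOPSIG(status) == SIGSTOP;
}

/* Resume the child (the parent-side equivalent of gdb's `continue`) and
 * reap it. Returns the child's exit code, or -1 if it did not exit normally.
 * Sending SIGCONT to a child that never stopped is harmless. */
int resume_and_reap(pid_t pid)
{
    int status;
    if (kill(pid, SIGCONT) != 0)
        return -1;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Whole sequence with no debugger in the loop, for testing: spawn a
 * self-stopping child, confirm it stopped, resume it, return its exit code.
 * Returns -1 if the child never reached the stop. */
int stopped_roundtrip(const char *request)
{
    pid_t pid = spawn_worker(1, request);
    if (pid < 0 || !wait_for_stop(pid))
        return -1;
    return resume_and_reap(pid);
}

int main(void)
{
    /* STOP_FOR_GDB=1 ./a.out  parks the child and prints its pid */
    int stop = getenv("STOP_FOR_GDB") != NULL;
    pid_t pid = spawn_worker(stop, PASSWORD);
    if (pid < 0) {
        perror("fork");
        return 1;
    }
    if (stop && wait_for_stop(pid)) {
        printf("child %ld is stopped; in another terminal: gdb -p %ld\n",
               (long)pid, (long)pid);
        printf("press Enter here after gdb has attached and breakpoints are set\n");
        getchar();
    }
    printf("child exited with %d\n", resume_and_reap(pid));
    return 0;
}
```

Run it with `STOP_FOR_GDB=1`, attach from a second terminal, set the breakpoint in the child's handler, issue `continue` in gdb, then press Enter so the parent sends SIGCONT; the child now runs under gdb and stops at your breakpoint. For a stripped binary you cannot rebuild, the same idea applies from the outside: break in the parent just after `fork` returns (the child's pid is the return value), then attach a second gdb to that pid. Keep in mind that the child is a separate process that keeps running while the parent sits at the breakpoint, so it may finish handling the connection before you attach; holding the client connection open, for example by not sending the password yet, widens that window.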
