BASICS

LOADING PROGRAM INTO GDB

root@sre:~$ gdb {programName}
(gdb)>

DISPLAY LINES

(gdb)> list
(gdb)> list 1

 * list with no argument shows ten source lines around the current position
 * list {#} shows the lines centred on line {#}

RUN PROGRAM

This will run the program until a breakpoint (if set) or end of the program is reached

(gdb)> run

EXITING DEBUGGER

(gdb)> quit

SWITCHING BETWEEN AT&T AND INTEL SYNTAX

(gdb)> set disassembly-flavor intel

DISPLAY CODE DISASSEMBLY

The disassembly shows the machine instructions the assembler/compiler emitted, so it will not look exactly like the original source code.

(gdb)> disassemble main
 Dump of assembler code for function main
  0x00000000004004e0 <+0>:   mov    eax, 0x1
  0x00000000004004e5 <+5>:   mov    edi, 0x1
  0x00000000004004ea <+10>:  movabs rsi, 0x601030
  0x00000000004004f4 <+20>:  mov    edx, 0xc
  0x00000000004004f9 <+25>:  syscall
  0x00000000004004fb <+27>:  mov    eax, 0x3c
  0x0000000000400500 <+32>:  mov    edi, 0x0
  0x0000000000400505 <+37>:  syscall
  0x0000000000400507 <+39>:  nop    WORD PTR [rax+rax*1+0x0]
 End of assembler dump.
(gdb)

 * 0x00000000004004e0 — virtual memory address
    - the virtual address (in hex) where the instruction lives
    - in an ELF binary this is the load-time address, i.e. the address the CPU
      uses at runtime
    - other tools (objdump, radare2) usually print the same number, but some
      show file offsets instead; what gdb prints here is the VA
 * <+0> — offset from the start of the current symbol / function
    - this instruction is at offset 0 bytes from the start of the surrounding
      symbol/function
    - usually shown together with the function name, e.g. <main+0> or
      <some_function+5>; when the name is omitted (or the disassembler was asked
      for raw addresses) you see just <+0>
    - example meanings:
       - <+0>: the first instruction of the function
       - <+5>: this instruction starts 5 bytes into the function, so the
         instruction before it (mov eax, 0x1) is 5 bytes long
    - objdump -d and gdb's disassemble both print this form
 * : — separator
    - simple punctuation separating the address/offset from the instruction text


ANALYSIS

//SYNTAX
x/[count][formatSpecifier][sizeSpecifier] address

STRINGS

(gdb)>  x/s 0x601030
 0x601030 <msg>: "hello, world"
 
 * The x stands for “examine,”
 * The s stands for “string.”
 * 0x601030 is the memory address where msg resides
 
(gdb)> x/s &msg

 * The &msg refers to the memory address of msg
    - think C's "address of" operator

CHARACTERS & CHARACTER REPRESENTATIONS

(gdb)>  x/c 0x601030
 0x601030 <msg>: 104 'h'
 
 * The c stands for "character"
    - GDB returns the first character of msg, preceded by the decimal ASCII code 
      of that character
      
(gdb)> x/13c 0x601030
 0x601030 <msg>: 104 'h' 101 'e' 108 'l' 108 'l' 111 'o' 44 ',' 32 ' ' 119 'w'
 0x601038:       111 'o' 114 'r' 108 'l' 100 'd' 0 '\000'

 * display "13" characters starting from the specified address
 
(gdb)> x/13d 0x601030
 0x601030 <msg>: 104 101 108 108 111 44 32 119
 0x601038:       111 114 108 100 0 

 * display 13 values starting from the specified address, in decimal
    - no size letter is given, so the byte size (b) set by the previous x/c
      command carries over and each value is one byte
   
(gdb)> x/13x 0x601030
 0x601030 <msg>: 0x68  0x65  0x6c  0x6c  0x6f  0x2c  0x20  0x77
 0x601038:      0x6f  0x72  0x6c  0x64  0x00
 
 * display 13 values starting from the specified address, in hexadecimal
   (again one byte each, because the size carries over from the last x command)

DISPLAY SPECIFIC INSTRUCTION IN HEX

(gdb)> x/2x 0x004004e0

 * shows in hexadecimal the contents of two memory units starting at 0x004004e0
    - the unit size is whatever x last used (b, h, w or g); x/5xb 0x004004e0
      shows exactly the five bytes of the first instruction, mov eax,0x1, in
      machine language
    - x/i 0x004004e0 decodes those bytes back into the instruction

DISPLAY NUMERIC VALUES: (INTEGERS)

This displays the numeric values stored in variables

(gdb)> x/dw      &radius
 0x601053 <radius>:   357
 * x → examine memory
 * / → introduces the format
 * d → display format → print as signed decimal
 * w → unit size → read a word (4 bytes)

(gdb)> x/xw      &radius
 0x601053 <radius>:   0x00000165

DISPLAY NUMERIC VALUES: (FLOATS)

(gdb)> x/fg &pi
 0x60105b <pi>:   3.140000000000001
(gdb)> x/fx &pi
 0x60105b <pi>:   0x40091eb851eb851f

 * f → display format → print as a floating-point number
 * g → unit size → read a giant word (8 bytes, a double)
 * in x/fx the last format letter (x) wins and the g size carries over from the
   previous command, so you get the raw 8 bytes of the double in hex; x/xg &pi
   is the explicit form
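A small Python model of the x/[count][formatSpecifier][sizeSpecifier] rules used in this section (an added example, not part of these notes and not gdb's own code): it runs the same commands against a constructed memory image holding the bytes shown for msg and radius, and carries the unit size from one command to the next the way gdb does. The names examine and parse_x are made up for the example, and only the x, d, c and s formats are modelled.

```python
import struct
# Constructed memory image (not a live process) holding the same bytes the
# notes examine above: "hello, world\0" at 0x601030 (msg) and the 4-byte
# little-endian int 357 at 0x601053 (radius).
MEMORY = {0x601030: b"hello, world\x00", 0x601053: struct.pack("<i", 357)}
SIZES = {"b": 1, "h": 2, "w": 4, "g": 8}

def region(addr):
    for base, data in MEMORY.items():
        if base <= addr < base + len(data):
            return data[addr - base:]
    raise ValueError(f"Cannot access memory at address {addr:#x}")

def parse_x(spec, last_size):
    """Split 'x/13c' into (count, format, size): a missing count means 1 and a
    missing size reuses the previous size, except c and s are always bytes."""
    body = spec.partition("/")[2]
    digits = ""
    while body and body[0].isdigit():
        digits, body = digits + body[0], body[1:]
    fmt, size = "x", None
    for letter in body:
        if letter in SIZES:
            size = letter
        elif letter in "xdcs":
            fmt = letter  # a later format letter overrides an earlier one
        else:
            raise ValueError(f"unsupported letter {letter!r}")
    size = "b" if fmt in "cs" else (size or last_size)
    return (int(digits) if digits else 1), fmt, size

def examine(spec, addr, last_size="w"):
    """Render one x command; returns (values, size): pass size back as last_size."""
    count, fmt, size = parse_x(spec, last_size)
    data = region(addr)
    if fmt == "s":
        return [data[:data.index(0)].decode("ascii")], size
    width = SIZES[size]
    if len(data) < count * width:
        raise ValueError(f"{count * width} bytes requested, {len(data)} mapped")
    out = []
    for i in range(count):
        n = int.from_bytes(data[i * width:(i + 1) * width], "little", signed=fmt == "d")
        if fmt == "x":
            out.append(f"0x{n:0{2 * width}x}")
        elif fmt == "d":
            out.append(n)
        else:  # c: decimal code plus the character, NUL rendered as '\000'
            out.append(f"{n} '{chr(n)}'" if 32 <= n < 127 else f"{n} '\\{n:03o}'")
    return out, size
```

Feeding the returned size into the next call reproduces the sequence above: x/13c switches the size to bytes, which is why the following x/13d and x/13x print single bytes rather than 4-byte words.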

SETTING BREAKPOINTS

(gdb)> info functions
 ...
(gdb)> break main
 Breakpoint 1 at 0x4004e0: file hello.asm, line 7.
 
 * BREAKPOINT CMDS
    - info breakpoints: list the breakpoints with their numbers
    - disable {#}: disable breakpoint number {#}
    - enable {#}: re-enable breakpoint number {#}
    - delete {#}: remove breakpoint number {#}

VIEWING REGISTER INFORMATION (AFTER BREAKPOINT HITS)

(gdb)> info registers
 rax       0x4004e0        4195552
 rbx       0x0             0
 rcx       0x0             0
 rdx       0x7fffffffddd8  140737488346584
 ....

STEPPING

//advance one step
(gdb)> step

 * stepping cmds
    - continue or c: Continue execution until next breakpoint.
    - step or s: Execute the current line, stepping into a called function if there is one.
    - next or n: Step over the current line and stop at the next line.

OTHER CMDS

 * help or h: Show help.
 * tui enable: Enable a simple text user interface; to disable, use tui disable.
 * print or p: Print the value of a variable, register, and so on.
    - Print rax: p $rax.
    - Print rax in binary: p/t $rax.
    - Print rax in hexadecimal: p/x $rax.
