GDB

GNU Debugger

Configuration

GDB Enhanced Features (GEF)

bash -c "$(curl -fsSL https://gef.blah.cat/sh)"

Pwntools

p = process('./garbage')
gdb.attach(p)

Basic Commands

Quiet mode

gdb -q <binary>

Set a break point

b <functionName>

Run execution

r

Continue execution

c

Creates unique pattern to find exact offset

pattern create 200

Shows the current values of all CPU registers, Use this always after crashing a binary

info registers

Search for Your Payload

earch-pattern AAAA

Examine Stack Frame

info frame

Examine 20 memory addresses starting at rsp

x/20x $rsp

Set Return Instruction Pointer

set $rip = <memoryAddress>

Initial Analysis

Check Binary Protections

checksec

• NX ENABLED → Need ret2libc or ROP (no shellcode on stack)

• CANARY → Can't overflow return address directly

• PIE ENABLED → Addresses change every run (harder exploitation)

• ASLR → Library addresses randomize

View Memory Layout

vmmap

What to look for:

• Stack permissions

• libc base address

• Executable regions

Disassemble Main Functions

disassemble main

disass functionName

What to look for:

• Calls to dangerous functions

• Buffer allocations

• Function calls and their arguments

Finding String Constants in Binary Comparisons

The Pattern to Look For

mov $0x3,%edx           # Set comparison length to 3 characters
lea 0xcd2(%rip),%rsi    # Load hardcoded string address (GDB shows computed address)
mov %rax,%rdi           # Move user input pointer to first argument  
call strncmp@plt        # Compare strings

Examine the string at the computed address

x/s 0xADDRESS

For longer strings or multiple strings

x/10s 0xADDRESS

Check raw bytes if string has special characters

x/20bx 0xADDRESS

Dynamic Analysis

• If you want to see the comparison in action:

Set breakpoint at the strncmp call

break *0xSTRNCMP_ADDRESS

Run with test input

run TESTINPUT

• When breakpoint hits, examine the arguments:

First string (user input)

x/s $rdi

Second string (hardcoded)

x/s $rsi

Comparison length

info registers rdx

Continue execution

c

Skip Illegal instructions by patching UD2 with NOP

Start Program and Hit First ud2

run test_input

Current crash location shows the ud2 address

Program received signal SIGILL, Illegal instruction.
0x00005555555552e6 in main ()

Patch the ud2 Instruction

set {unsigned short}0x5555555552e6 = 0x9090

Continue and Repeat

c

• Keep going: patch → continue → patch → continue

• Once all ud2s are patched, program runs without crashes

You can now analyze the actual program logic

disassemble main