GDB CheatSheet


Simple Sample Code

#include <stdio.h>
#include <stdlib.h>

void unreachableFunction(void) {
  /* Never called from main(); in this tutorial it is reached only by pointing $eip at its address. */
  printf("\nI'm hacked! I'm a hidden function! :-)\n");
  exit (0);
  /* exit(0) ends the process here, so control never returns to whatever was running before. */
}

int main(void) {
  /* Neither string ends in a newline, so both prints appear on one output line. */
  printf("Hello World!");
  printf("01234567890 ...");
  /* unreachableFunction() is intentionally never called from here. */
  return 0;
  /* Normal exit status; the process ends here unless the instruction pointer was redirected. */
}

Compile with debug info (-ggdb), as 32-bit and 64-bit binaries

gcc -m32 -ggdb -o eipExample_32 eipExample.c
gcc -ggdb -o eipExample_64 eipExample.c

Load the 32-bit binary in gdb

gdb eipExample_32

Use Intel syntax for disassembly

(gdb) set disassembly-flavor intel

Run the program

(gdb) r
Starting program: /home/hacker/test_gdb/eipExample_32 
Hello World!01234567890 ...[Inferior 1 (process 4775) exited normally]

Set Breakpoint at main

(gdb) b main
Breakpoint 1 at 0x1205: file eipExample.c, line 13.

Run to the breakpoint — note that the address reported above (0x1205) becomes 0x56556205 once the program is loaded, because the binary is relocated at load time

(gdb) r
Starting program: /home/hacker/test_gdb/eipExample_32 

Breakpoint 1, main () at eipExample.c:13
13	  printf("Hello World!");

Show registers: info registers (short form: i r)

(gdb) info registers 
eax            0xf7fa59e8          -134587928
ecx            0xffffd3c0          -11328
edx            0xffffd3f4          -11276
ebx            0x56559000          1448448000
esp            0xffffd3a0          0xffffd3a0
ebp            0xffffd3a8          0xffffd3a8
esi            0x1                 1
edi            0x56556080          1448435840
eip            0x56556205          0x56556205 <main+26>
eflags         0x216               [ PF AF IF ]
cs             0x23                35
ss             0x2b                43
ds             0x2b                43
es             0x2b                43
fs             0x0                 0
gs             0x63                99

Show the instruction pointer: info register eip (short form: i r eip)

(gdb) info r eip
eip            0x56556205          0x56556205 <main+26>

Disassemble Code

(gdb) disassemble 
Dump of assembler code for function main:
   0x565561eb <+0>:	lea    ecx,[esp+0x4]
   0x565561ef <+4>:	and    esp,0xfffffff0
   0x565561f2 <+7>:	push   DWORD PTR [ecx-0x4]
   0x565561f5 <+10>:	push   ebp
   0x565561f6 <+11>:	mov    ebp,esp
   0x565561f8 <+13>:	push   ebx
   0x565561f9 <+14>:	push   ecx
   0x565561fa <+15>:	call   0x565560c0 <__x86.get_pc_thunk.bx>
   0x565561ff <+20>:	add    ebx,0x2e01
=> 0x56556205 <+26>:	sub    esp,0xc
   0x56556208 <+29>:	lea    eax,[ebx-0x1fd0]
   0x5655620e <+35>:	push   eax
   0x5655620f <+36>:	call   0x56556030 <printf@plt>
   0x56556214 <+41>:	add    esp,0x10
   0x56556217 <+44>:	sub    esp,0xc
   0x5655621a <+47>:	lea    eax,[ebx-0x1fc3]
   0x56556220 <+53>:	push   eax
   0x56556221 <+54>:	call   0x56556030 <printf@plt>
   0x56556226 <+59>:	add    esp,0x10
   0x56556229 <+62>:	mov    eax,0x0
   0x5655622e <+67>:	lea    esp,[ebp-0x8]
   0x56556231 <+70>:	pop    ecx
   0x56556232 <+71>:	pop    ebx
   0x56556233 <+72>:	pop    ebp
   0x56556234 <+73>:	lea    esp,[ecx-0x4]
   0x56556237 <+76>:	ret    
End of assembler dump.

Disassemble the hidden function

(gdb) disassemble unreachableFunction
Dump of assembler code for function unreachableFunction:
   0x565561bd <+0>:	push   ebp
   0x565561be <+1>:	mov    ebp,esp
   0x565561c0 <+3>:	push   ebx
   0x565561c1 <+4>:	sub    esp,0x4
   0x565561c4 <+7>:	call   0x565560c0 <__x86.get_pc_thunk.bx>
   0x565561c9 <+12>:	add    ebx,0x2e37
   0x565561cf <+18>:	sub    esp,0xc
   0x565561d2 <+21>:	lea    eax,[ebx-0x1ff8]
   0x565561d8 <+27>:	push   eax
   0x565561d9 <+28>:	call   0x56556040 <puts@plt>
   0x565561de <+33>:	add    esp,0x10
   0x565561e1 <+36>:	sub    esp,0xc
   0x565561e4 <+39>:	push   0x0
   0x565561e6 <+41>:	call   0x56556050 <exit@plt>
End of assembler dump.

Modify Instruction Pointer

(gdb) set $eip = 0x565561bd

Show the new jump target

(gdb) i r eip
eip            0x565561bd          0x565561bd <unreachableFunction>

Continue into the hidden function :)

(gdb) c
Continuing.

I'm hacked! I'm a hidden function! :-)
[Inferior 1 (process 5119) exited normally]

Show the C source

(gdb) list
1	#include <stdio.h>
2	#include <stdlib.h>
3	
4	void unreachableFunction(void) {
5	
6	  printf("\nI'm hacked! I'm a hidden function! :-)\n");
7	  exit (0);
8	
9	}
10

(gdb) list unreachableFunction
1	#include <stdio.h>
2	#include <stdlib.h>
3	
4	void unreachableFunction(void) {
5	
6	  printf("\nI'm hacked! I'm a hidden function! :-)\n");
7	  exit (0);
8	
9	}
10

Breakpoints and examining memory (x command)


# breakpoint main
(gdb) b main
Breakpoint 1 at 0x1205: file eipExample.c, line 13.

# breakpoint 0x56556221
b *0x56556221

# show breakpoints
(gdb) i break
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x56556205 in main at eipExample.c:13
	breakpoint already hit 1 time
2       breakpoint     keep y   <PENDING>  0x5655622e
3       breakpoint     keep y   0x56556205 eipExample.c:13
4       breakpoint     keep y   0x56556221 in main at eipExample.c:14

# Examine the memory word at the address in EIP (the bytes of the current instruction)
(gdb) x/x $eip
0x56556205 <main+26>:	0x8d0cec83

# 4 hex words starting at the address in EIP
(gdb) x/4x $eip
0x56556205 <main+26>:	0x8d0cec83	0xffe03083	0x1ce850ff	0x83fffffe

# Next 10 strings on the stack
(gdb) x/10s $esp
0xffffd3a0:	"\300\323\377\377"
0xffffd3a5:	""
0xffffd3a6:	""
0xffffd3a7:	""
0xffffd3a8:	""
0xffffd3a9:	""
0xffffd3aa:	""
0xffffd3ab:	""
0xffffd3ac:	"\005i\335\367\001"
0xffffd3b2:

# View the string at address 0xffffd3a0
(gdb) x/s 0xffffd3a0
0xffffd3a0:	"\300\323\377\377"

# show the instruction at the address held in a register (note: this output is in AT&T syntax, i.e. without set disassembly-flavor intel)
(gdb) x/i $eip
=> 0x56556208 <main+29>:	lea    -0x1fd0(%ebx),%eax

# view the next four instructions:
(gdb) x/4i $eip
=> 0x56556208 <main+29>:	lea    -0x1fd0(%ebx),%eax
   0x5655620e <main+35>:	push   %eax
   0x5655620f <main+36>:	call   0x56556030 <printf@plt>
   0x56556214 <main+41>:	add    $0x10,%esp

# execute the next instruction, stepping over calls: nexti (short form: ni)
(gdb) nexti
0x56556208	13	  printf("Hello World!");

# print the word at the top of the stack
(gdb) x/xw $esp
0xffffd394:	0xffffd464

# print the next 4 words on the stack
(gdb) x/4xw $esp
0xffffd394:	0xffffd464	0xffffd46c	0x565561ff	0xffffd3c0
