SGDE Flashcards

SecurityTube Gnu Debugger Expert

1
Q

What are Debugger Symbols?

A

Debugger symbols are information about the variables, functions, etc. of a binary that a debugger can read. They can be embedded in the binary itself or kept in a separate file. They make the binary more understandable and readable from the debugger's perspective, and they are specified at compile time.

2
Q

What command can be used to rip symbols off a binary?

A

objcopy --only-keep-debug [binary_file] [debug_symbols_file]

3
Q

What command can be used to strip debug symbols off a binary?

A

strip --strip-debug --strip-unneeded [binary_file]

4
Q

What is the importance of stripping debug symbols?

A

A developer should not deploy/ship a binary with debug symbols, or with anything else added on. Ideally, a stripping tool is run on the binary before it is shipped. Additionally, this brings down the size of the binary considerably.

5
Q

How can debug symbols be added to a binary?

A

Two ways:

  1. At runtime, in gdb: symbol-file [debug_symbols_file]
  2. objcopy --add-gnu-debuglink=[debug_symbols_file] [binary_file]

6
Q

What do symbol files tell us?

A
  1. info sources - list of files from which the binary was compiled and linked.
  2. info variables - all the global and static variables (not local variables).
  3. info scope [function_name] - all of the local variables of that function.
  4. info functions - list of functions in the binary.
  5. maint print symbols [filename_to_store] - dump the symbols into a different file.

7
Q

What does NM do?

A

The nm command lists symbols from object files. This is split into three columns:

  1. Virtual Address
  2. Symbol Type
  3. Symbol Name

nm gives you a very quick snapshot of the artefacts within an executable that you might want to analyse.

8
Q

What Symbol Types are there?

A
A: Absolute Symbol
B: In the Uninitialized Data Section (BSS)
D: In the Initialized Data Section
N: Debugging Symbol
T: In the Text Section
U: Symbol Undefined right now

nm output contains a mix of symbol types. Lower case symbol types are local, upper case are external (global).

9
Q

NM usage

A
  1. nm -A … | grep [function_name] (print the file name with each symbol, then filter by name)
  2. nm -n … (display in sorted order, sorted by address)
  3. nm -g … (display only external symbols)
  4. nm -S … (display the size of each symbol)

10
Q

What is Strace?

A

A helper tool designed to help understand how your program interacts with the OS. It traces all system calls made by the program, shows the arguments passed, and has great filtering capabilities. It allows us to perform relative timestamping, monitor specific system calls, attach to running processes, and produce tables summarising what it has found.

11
Q

Strace usage

A
  1. strace [executable_to_trace] [arguments]
  2. strace -o [output_file] [executable_to_trace] [arguments] (write the trace to a file)
  3. strace -t [executable_to_trace] [arguments] (absolute timestamping)
  4. strace -r [executable_to_trace] [arguments] (relative timestamping)
  5. strace -e trace=send,recv,open,connect [executable_to_trace] [arguments] (trace only the listed system calls)
  6. strace -p [pid] (attach to a running process)
  7. strace -c [executable_to_trace] [arguments] (print statistics on system calls)

12
Q

How can strace filter based on system calls?

A
  1. strace -e [list_of_system_calls] [executable_to_trace] [arguments]
     e.g. strace -r -e write ./SGDE-video-4 20 30

13
Q

What is a Breakpoint?

A

A breakpoint is a technique used to pause a program during execution based on certain criteria, e.g. the program being about to execute a particular instruction (for debugging that instruction). The debugger then allows you to inspect / modify the CPU registers, memory, data etc.

14
Q

How to run a program with args in gdb?

A

in GDB: run [args]

15
Q

How to add a breakpoint to a specific function?

A

in GDB: break [function name]

e.g. break main

The breakpoint will be added at the specific memory address of that function. Upon running the program, it will halt at that specific function.

From here, registers may be analysed with the 'info registers' command.

16
Q

Can you create additional breakpoints when a program has been halted?

A

Yes. With the same syntax, 'break [function name]'.
Breakpoint information can be queried with 'info breakpoints', which lists the breakpoints by number. From here, breakpoints can be enabled, disabled and even deleted:

disable [number]
enable [number]
delete [number]

17
Q

How can you examine areas of memory (e.g. the stack, binary code)?

A

Using the 'x' (examine) command. To view the value and memory address assigned to a certain variable (e.g. a command line argument passed to a program, such as argv[1]) the 'print' command can also be used, to display the memory address.

e.g. to view the memory in a string format at argv[1]:

in gdb: x/s argv[1]

18
Q

How can you disassemble a function?

A

Using the disassemble command and specifying a function e.g.

in gdb: disassemble main

to examine a particular instruction, the examine command ‘x’ can also be used.

in gdb: x/i [instruction address]

19
Q

How can you set a breakpoint by address?

A

a breakpoint can be set for an address using the following syntax:

break *[address]

20
Q

How can you step through a program line by line and instruction by instruction?

A

line by line - in gdb: step

instruction by instruction - in gdb: stepi

21
Q

How can you modify CPU registers in memory?

A

Using the set command, specifying the data type, the memory address, and the new value to set it to.

e.g. in gdb: set {char} 0xbffff874 = 65

This sets the char at memory address 0xbffff874 to ASCII value 65, which is a capital letter A.

Alternate data types, such as {int} can also be used.

To modify particular areas consecutively, arithmetic can be used on the memory addresses.

e.g. in gdb:

(gdb) set {char} 0xbffff874 = 'B'
(gdb) set {char} (0xbffff874 + 1) = 'B'
(gdb) set {char} (0xbffff874 + 2) = 'B'
(gdb) set {char} (0xbffff874 + 3) = 'B'

(gdb) x/5c argv[1]
0xbffff874: 66 'B' 66 'B' 66 'B' 66 'B' 0 '\000'

22
Q

How can you modify the value of a variable?

A

Using the set command as follows:

set [var_name] = [value]

e.g. in gdb: set sum = 2000

This assumes that a breakpoint has been set at a point where the modified variable is loaded in memory.

23
Q

How can you modify registers to change the execution flow of a program?

A

The most important register for this is eip (the instruction pointer). It holds the address of the next instruction in memory to be executed. Therefore, the eip value can be modified to point to an alternate address, so that the function at that address executes next, with the following command:

set $eip = [function address]

Function addresses can be determined using the print command:

print [function_name]

All registers must be referenced by prepending the '$' character.

24
Q

What are Convenience Variables?

A

Variables which can be created in gdb to hold data. They are created with the set command and can then be assigned to variables in the program.

e.g. in gdb:

(gdb) set $demo = "BBBB"
(gdb) set argv[1] = $demo
(gdb) print argv[1]
$4 = 0x804b008 "BBBB"

25
Q

How can values be copied between data structures and variables in gdb?

A

Typical C syntax program snippets can be used in gdb. For instance, the programmer can interface with typical C libraries and functions such as malloc and strcpy. This can be performed using the 'call' keyword.

e.g. to allocate 10 bytes of memory to a convenience variable 'dyn' using the 'malloc' function:

in gdb: set $dyn = (char *)malloc(10)

To copy the value of a convenience variable 'test' to dyn using the 'strcpy' function:

in gdb: call strcpy($dyn, $test)

26
Q

What does the strings command do?

A

It dumps strings found within a binary or file.

usage: strings [file]

Displays the strings in the program. Poorly coded programs may reveal private/secret information this way. Secrets can be easily hidden by encryption/encoding.

27
Q

What is Runtime Analysis?

A

This is when we debug the program whilst it is running, using gdb. Debug symbols make this easier. We can view the outputs of functions, registers and variables. For instance:

in gdb: info scope [function_name] - show the in-scope variables of a given function.

28
Q

What is Source Code Analysis?

A

Source code analysis involves viewing the source code of an application and evaluating its contents. This requires access to the source code of the binary.

29
Q

How can a binary be disassembled in gdb?

A

By using the disassemble command:

in gdb: disassemble [function]

30
Q

What are Conditional Breakpoints?

A

Conditional breakpoints break program execution only if the condition is met. This is handy in cases where there are loops. Conditions can be simple or complex!

31
Q

How can conditions be set for Conditional Breakpoints?

A

Using the condition keyword in gdb, e.g.:

(gdb) condition 1 counter == 5
(gdb) info breakpoints
Num     Type           Disp Enb Address    What
1       breakpoint     keep y   0x08048429 in main at main.c:10
        stop only if counter == 5

32
Q

How do security researchers determine if an iPhone is jailbroken?

A

Typically, a jailbreak tester will check for files which are installed in a specific location.

33
Q

How may this be bypassed?

A

Register manipulation.

34
Q

How can you set a breakpoint on iPhone functions?

A

break -[CONTROLLER_NAME FUNCTION_NAME:] (keep the trailing ':' if the method takes an argument, leave it blank if it takes none)

e.g. in gdb: break -[AntiPiracyViewController checkPiracy:]