Passing arguments to an ARM program when remote debugging on Linux


I'm trying to debug ARM code from my Linux machine. The code starts as follows:

.text:00008290                 MOV     R12, SP
.text:00008294                 STMFD   SP!, {R4,R11,R12,LR,PC}
.text:00008298                 SUB     R11, R12, #4
.text:0000829C                 SUB     SP, SP, #0x24
.text:000082A0                 STR     R0, [R11,#var_28]
.text:000082A4                 STR     R1, [R11,#var_2C]
.text:000082A8                 LDR     R3, [R11,#var_28]
.text:000082AC                 CMP     R3, #1          ; Check whether arg has been provided
.text:000082B0                 BGT     loc_82C0        ; Jump to 0x82C0 if arg provided
.text:000082B4                 MOV     R3, #0xFFFFFFFF
.text:000082B8                 STR     R3, [R11,#var_30]
.text:000082BC                 B       loc_8448
As you can see, if an arg is provided the code jumps to 0x82C0, but I can't find a way to run the code with an argument.

To debug it, I use a server/client setup on my machine, as follows:

First terminal window:

$ qemu-arm -g 1234 ./chall9.bin

Second terminal window:

$ gdb-multiarch
(gdb) file chall9.bin 
Reading symbols from /data/malware/chall9.bin...done.
(gdb) set architecture arm
The target architecture is assumed to be arm
(gdb) target remote 127.0.0.1:1234
Remote debugging using 127.0.0.1:1234
[New Remote target]
[Switching to Remote target]
0x00008150 in _start ()
(gdb) break *0x82b0
Breakpoint 1 at 0x82b0
(gdb) set args 12345
(gdb) show args 
Argument list to give program being debugged when it is started is "12345".
(gdb) r
The "remote" target does not support "run".  Try "help target" or "continue".
(gdb) c
Continuing.

Breakpoint 1, 0x000082b0 in main ()
(gdb) x /12i $pc
=> 0x82b0 <main+32>:    bgt 0x82c0 <main+48>
   0x82b4 <main+36>:    mvn r3, #0
   0x82b8 <main+40>:    str r3, [r11, #-48] ; 0x30
   0x82bc <main+44>:    b   0x8448 <main+440>
   0x82c0 <main+48>:    mov r3, #0
   0x82c4 <main+52>:    str r3, [r11, #-28]
   0x82c8 <main+56>:    mov r0, #32
   0x82cc <main+60>:    bl  0x8248 <xmalloc>
   0x82d0 <main+64>:    mov r3, r0
   0x82d4 <main+68>:    str r3, [r11, #-32]
   0x82d8 <main+72>:    b   0x832c <main+156>
   0x82dc <main+76>:    ldr r3, [r11, #-28]
(gdb) si
0x000082b4 in main ()
It seems my argument isn't being accepted, since the code should normally jump to 0x82c0, but it goes to 0x82b4 instead.

Any ideas? Thanks in advance for your input.

I found it! The arg should be passed to qemu as follows:

$ qemu-arm -g 1234 ./chall9.bin 12345
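The workflow the answer arrives at, scripted end to end as an added example (not code from the original post): qemu-arm receives the guest's argv because it is the remote stub that execs the program, and the gdb side attaches with `target remote` and `continue` instead of `run`/`set args`. The binary name, port and breakpoint address are placeholders taken from the question; qemu-arm and gdb-multiarch on PATH are assumed.

```python
import shutil
import subprocess
import time

# Added example, not code from the original post. Assumes qemu-arm and
# gdb-multiarch are on PATH; binary name, port and breakpoint are placeholders.

def qemu_command(binary, prog_args, port=1234):
    """The guest's argv is built by qemu-arm (the remote stub), so program
    arguments go on its command line, after the binary."""
    return ["qemu-arm", "-g", str(port), binary, *prog_args]


def gdb_commands(binary, port, bp_addr):
    """GDB side: 'run' is rejected and 'set args' is ignored by a remote target,
    so neither appears; attach, break, continue, then show where the
    conditional branch landed."""
    return [
        f"file {binary}",
        "set architecture arm",
        f"target remote 127.0.0.1:{port}",
        f"break *{bp_addr:#x}",
        "continue",
        "stepi",
        "x/i $pc",
        "kill",
        "quit",
    ]


def debug_with_args(binary, prog_args, bp_addr=0x82b0, port=1234, settle=0.5):
    """Start qemu-arm with the guest's arguments, attach gdb in batch mode and
    return gdb's transcript. With argv ["12345"] the stepi after the bgt at
    0x82b0 should land on 0x82c0; with no argument it lands on 0x82b4."""
    if not (shutil.which("qemu-arm") and shutil.which("gdb-multiarch")):
        raise RuntimeError("qemu-arm and gdb-multiarch must be on PATH")
    qemu = subprocess.Popen(qemu_command(binary, prog_args, port))
    try:
        # qemu -g blocks until a debugger connects; give it time to bind the
        # port, but do not probe it by connecting: a dropped connection may
        # make qemu run the guest undebugged.
        time.sleep(settle)
        cmd = ["gdb-multiarch", "--batch"]
        for c in gdb_commands(binary, port, bp_addr):
            cmd += ["-ex", c]
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    finally:
        if qemu.poll() is None:
            qemu.kill()
```

Run `debug_with_args("./chall9.bin", ["12345"])` and `debug_with_args("./chall9.bin", [])` to compare the two transcripts; the `x/i $pc` line shows which side of the `bgt` at 0x82b0 was taken.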