The Painful Saga of Fixing pwndbg

Background

When I started gdb, pwndbg wouldn't load...

The import problem

/root/.gdbinit:1: Error in sourced command file: Undefined command: "import".

I set up the source line in .gdbinit, but it made no difference. After some searching, the likely cause seemed to be that two copies of gdb were installed at the same time (one built from source with make, one installed with apt), so gdb was picking up the wrong gdbinit. I removed every gdb along with pwndbg and reinstalled everything, but it still didn't work.

However, while installing pwndbg I noticed the message "python scripting is not supported in the copy of gdb". That explains the first error: a gdb built without Python support reads pwndbg's gdbinit.py as a plain gdb command script, and import is not a gdb command.

So I rebuilt gdb with ./configure --with-python followed by make. That worked.

The pip problem

I reinstalled pwndbg and saw:

ensurepip is disabled in Debian/Ubuntu for the system python.
Python modules For the system python are usually handled by dpkg and apt-get.

apt-get install python-<module name>

Install the python-pip package to use pip itself. Using pip together
with the system python might have unexpected results for any system installed
module, so use it on your own risk, or make sure to only use it in virtual
environments.

This pwndbg install was using Python 2.7 (the Python that gdb had been linked against).

The problem is that current apt repositories no longer ship pip for Python 2:

fr3y@ubuntu:~/pwndbg$ sudo apt install python-pip
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package python-pip is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
python3-pip

E: Package 'python-pip' has no installation candidate

Let's try installing it manually.

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
sudo python2 get-pip.py

Install pwntools with Python 2:

sudo python2 -m pip install --upgrade pwntools

fr3y@ubuntu:~/pwndbg$ python2 
Python 2.7.18 (default, Mar 8 2021, 13:02:45)
[GCC 9.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pwn
>>> pwn.asm('xor eax,eax')
'1\xc0'
>>>

Reinstall pwndbg: sudo ./setup.sh

The script printed + grep pwndbg /root/.gdbinit

It seemed to have installed successfully...

And yet... it still didn't work.

fr3y@ubuntu:~/pwndbg$ gdb -q
Traceback (most recent call last):
  File "/home/fr3y/pwndbg/gdbinit.py", line 24, in <module>
    import pwndbg # isort:skip
  File "/home/fr3y/pwndbg/pwndbg/__init__.py", line 7, in <module>
    import pwndbg.android
  File "/home/fr3y/pwndbg/pwndbg/android.py", line 5, in <module>
    import pwndbg.color.message as message
  File "/home/fr3y/pwndbg/pwndbg/color/__init__.py", line 4, in <module>
    import pwndbg.memoize
  File "/home/fr3y/pwndbg/pwndbg/memoize.py", line 42
    print("Cannot memoize %r!", file=sys.stderr)
                                    ^
SyntaxError: invalid syntax
(gdb) q

That's Python 3 syntax: print(..., file=sys.stderr) is the Python 3 print function, which Python 2 rejects as a SyntaxError. So the gdb I had built was still linked against Python 2, while pwndbg now requires Python 3.

So I went off to build a gdb linked against Python 3.

The road to Python 3

./configure --with-python=/usr/bin/python3

Then make, and check which Python the new binary is linked against:

fr3y@ubuntu:~/gdb-11.2$ readelf -d $(which gdb) | grep python
0x0000000000000001 (NEEDED) Shared library: [libpython3.8.so.1.0]
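The readelf check above, together with the "Undefined command: import" error earlier, boils down to one question: which Python, if any, is this gdb linked against? The following script is an added example (not from the original post or from pwndbg's own setup.sh) that answers it in a form you can run before touching .gdbinit. The function names and the sample readelf lines are my own; the samples are constructed to look like readelf -d output on x86-64.

```shell
#!/bin/sh
# Added example (not from the original post): classify a gdb binary by the
# Python it is linked against, so both failure modes above are caught
# before .gdbinit is edited. Function and sample names are assumptions.

# Read `readelf -d <gdb>` output on stdin; print the major version of the
# libpython it NEEDs ("2" or "3"), or "none" if gdb has no Python at all.
gdb_python_major() {
    # A matching line looks like:
    #   0x0000000000000001 (NEEDED)   Shared library: [libpython3.8.so.1.0]
    ver=$(sed -n 's/.*(NEEDED).*\[libpython\([0-9]\)[^]]*\].*/\1/p' | head -n 1)
    if [ -z "$ver" ]; then
        echo none
    else
        echo "$ver"
    fi
}

# Map the result onto what pwndbg needs. Returns 0 only when pwndbg can load.
check_pwndbg_compat() {
    major=$(printf '%s\n' "$1" | gdb_python_major)
    case "$major" in
        3)    echo "ok: gdb links libpython3, pwndbg's Python 3 code can load"; return 0 ;;
        2)    echo "fail: gdb links libpython2, pwndbg will die with SyntaxError"; return 1 ;;
        none) echo "fail: gdb has no Python support, 'import' in .gdbinit is an undefined command"; return 1 ;;
        *)    echo "unexpected: $major"; return 1 ;;
    esac
}

# Ask a live gdb the same question, skipping .gdbinit (-nx) so a broken
# pwndbg init cannot interfere. Prints nothing if gdb lacks Python.
gdb_python_major_live() {
    gdb -nx -batch -ex 'python import sys; print(sys.version_info[0])' 2>/dev/null
}

# Constructed sample lines in the format readelf -d prints on x86-64.
SAMPLE_PY3='0x0000000000000001 (NEEDED)             Shared library: [libpython3.8.so.1.0]'
SAMPLE_PY2='0x0000000000000001 (NEEDED)             Shared library: [libpython2.7.so.1.0]'
SAMPLE_NOPY='0x0000000000000001 (NEEDED)             Shared library: [libncursesw.so.6]'

# When a real gdb and readelf are on PATH, inspect that binary (a failing
# result is reported, not fatal); otherwise demonstrate on the samples.
if command -v gdb >/dev/null 2>&1 && command -v readelf >/dev/null 2>&1; then
    echo "checking $(command -v gdb)"
    check_pwndbg_compat "$(readelf -d "$(command -v gdb)" 2>/dev/null)" || true
    echo "gdb itself reports Python major: $(gdb_python_major_live || true)"
else
    check_pwndbg_compat "$SAMPLE_PY3"
    check_pwndbg_compat "$SAMPLE_PY2" || true
    check_pwndbg_compat "$SAMPLE_NOPY" || true
fi
```

The static check (readelf) and the live check (gdb -nx -batch) should agree; if they don't, the gdb on PATH is not the one you just built, which is exactly the two-installs confusion from the start of this post. Run command -v gdb and compare it with the path of your source build before reinstalling anything.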

Reinstall pwndbg and try running it:

fr3y@ubuntu:~/pwndbg$ gdb -q
pwndbg: loaded 198 commands. Type pwndbg [filter] for a list.
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
pwndbg> q

Success (tears of joy).

Below is the debugging view for the rwctf2022 challenge hso-groupie (finally debuggable):

► 0x555555675150    mov    rax, qword ptr [rdi + 0x48]
0x555555675154 mov edx, dword ptr [rax + 0xc]
0x555555675157 test edx, edx
0x555555675159 jle 0x555555675190 <0x555555675190>

0x55555567515b mov rax, qword ptr [rax]
0x55555567515e sub edx, 1
0x555555675161 lea rdx, [rax + rdx*8 + 8]
0x555555675166 jmp 0x555555675179 <0x555555675179>

0x555555675179 mov r8, qword ptr [rax]
0x55555567517c cmp dword ptr [r8 + 8], esi
0x555555675180 jne 0x555555675170 <0x555555675170>
───────────────────────────────────────[ SOURCE (CODE) ]────────────────────────────────────────
In file: /home/fr3y/hso-groupie/chall/xpdf-4.03/xpdf/JBIG2Stream.cc
4035
4036 JBIG2Segment *JBIG2Stream::findSegment(Guint segNum) {
4037 JBIG2Segment *seg;
4038 int i;
4039
► 4040 for (i = 0; i < globalSegments->getLength(); ++i) {
4041 seg = (JBIG2Segment *)globalSegments->get(i);
4042 if (seg->getSegNum() == segNum) {
4043 return seg;
4044 }
4045 }
───────────────────────────────────────────[ STACK ]────────────────────────────────────────────
00:0000│ rsp 0x7fffffffdd08 —▸ 0x555555676c72 ◂— mov r12, rax
01:0008│ 0x7fffffffdd10 ◂— 0x0
02:0010│ 0x7fffffffdd18 ◂— 0x0
03:0018│ 0x7fffffffdd20 —▸ 0x555561ec0ac0 ◂— 0x200000001
04:0020│ 0x7fffffffdd28 —▸ 0x555561f40824 ◂— 0x207e100000000
05:0028│ 0x7fffffffdd30 ◂— 0x0
... ↓ 2 skipped
─────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────
► f 0 0x555555675150
f 1 0x555555676c72
f 2 0x555555679198 JBIG2Stream::readSegments()+1032
f 3 0x555555679473 JBIG2Stream::reset()+211
f 4 0x55555560139a
f 5 0x5555556494a9
f 6 0x55555564aba0
f 7 0x55555563c9e5
────────────────────────────────────────────────────────────────────────────────────────────────
pwndbg>

Reflections

Read the official documentation earlier, get the versions straight (which Python gdb is linked against, and which Python pwndbg expects), and don't debug blindly...