
How to debug ARM binary under x86 linux box

2014-10-13 16:01


I'm having fun solving challenges from the root-me website. I work from a Linux box. As most challenges are made for Linux/x86, this is not a problem.

But some challenges are made for Linux/ARM:

mitsurugi@mitsu:~/chall/R$ uname -a

Linux mitsu 3.2.0-4-686-pae #1 SMP Debian 3.2.51-1 i686 GNU/Linux

mitsurugi@mitsu:~/chall/R$ file chall9.bin

chall9.bin: ELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, for GNU/Linux 2.6.16, not stripped

mitsurugi@mitsu:~/chall/R$

And I didn't want to install an ARM system, so I used qemu and gdb. Here is how it works:

First, you have to install gdb-multiarch (qemu-arm itself comes from the qemu-user package on Debian):

mitsurugi@mitsu:~/chall/R$ apt-cache search gdb-multiarch

gdb-multiarch - The GNU Debugger (with support for multiple architectures)

mitsurugi@mitsu:~/chall/R$

Then launch qemu-arm on one side with its built-in gdb server enabled (-g PORT makes qemu listen on that TCP port and hold the program at its entry point until a debugger attaches), and gdb-multiarch on the other side. chall9.bin is statically linked, so qemu needs no ARM sysroot (-L) to find a dynamic loader and libc:

mitsurugi@mitsu:~/chall/mitsu/R$ qemu-arm -g 1234 ./chall9.bin

From another terminal, in gdb-multiarch, load the same file (chall9.bin) so GDB has its symbols, set the architecture to arm, and finally connect to the gdb server:

mitsurugi@mitsu:~/chall/R$ gdb-multiarch -q -nx

(gdb) file chall9.bin

Reading symbols from /home/mitsurugi/chall/R/chall9.bin...done.

(gdb) set architecture arm

The target architecture is assumed to be arm

(gdb) target remote 127.0.0.1:1234

Remote debugging using 127.0.0.1:1234

[New Remote target]

[Switching to Remote target]

0x00008150 in _start ()

(gdb) disass main

Dump of assembler code for function main:

0x00008290 <+0>: mov r12, sp

0x00008294 <+4>: push {r4, r11, r12, lr, pc}

0x00008298 <+8>: sub r11, r12, #4

0x0000829c <+12>: sub sp, sp, #36 ; 0x24

0x000082a0 <+16>: str r0, [r11, #-40] ; 0x28

0x000082a4 <+20>: str r1, [r11, #-44] ; 0x2c

0x000082a8 <+24>: ldr r3, [r11, #-40] ; 0x28

0x000082ac <+28>: cmp r3, #1

0x000082b0 <+32>: bgt 0x82c0 <main+48>

0x000082b4 <+36>: mvn r3, #0

0x000082b8 <+40>: str r3, [r11, #-48] ; 0x30

0x000082bc <+44>: b 0x8448 <main+440>

0x000082c0 <+48>: mov r3, #0

0x000082c4 <+52>: str r3, [r11, #-28]

0x000082c8 <+56>: mov r0, #32

0x000082cc <+60>: bl 0x8248 <xmalloc>

0x000082d0 <+64>: mov r3, r0

0x000082d4 <+68>: str r3, [r11, #-32]

0x000082d8 <+72>: b 0x832c <main+156>

0x000082dc <+76>: ldr r3, [r11, #-28]

Ok, time to learn some ARM assembly :-)
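As an added example (my script, not part of mitsurugi's post), here is the two-terminal procedure above collapsed into one POSIX shell script: it launches qemu-arm with its gdbstub, drives gdb-multiarch in batch mode from a generated command file, and tears the emulator down afterwards. The breakpoint on main, the default port, the register and instruction dump, and the Debian sysroot path mentioned in the comments are my choices and assumptions; only chall9.bin and the tool names come from the post.

```shell
#!/bin/sh
# Added example, not from the original post: run the qemu-arm + gdb-multiarch
# pairing described above without typing into two terminals.
# Assumes qemu-arm and gdb-multiarch are installed. The breakpoint on main,
# the default port and the dumps are this script's choices.

# Print the gdb command script for one session. qemu-arm -g halts the guest
# at its entry point until a debugger attaches, so 'file' (symbols) must
# come before 'target remote', and 'continue' after it.
gen_gdb_commands() {
    bin="$1"
    port="$2"
    [ -n "$bin" ] && [ -n "$port" ] || return 1
    printf 'file %s\n' "$bin"
    printf 'set architecture arm\n'
    printf 'target remote 127.0.0.1:%s\n' "$port"
    printf 'break main\n'
    printf 'continue\n'
    printf 'info registers\n'
    printf 'x/8i $pc\n'
    printf 'detach\n'
}

# Start qemu-arm with its gdbstub on PORT, drive gdb-multiarch in batch mode
# with the generated script, then tear the emulator down.
# For a dynamically linked ARM binary add -L <sysroot> to the qemu-arm line
# (on Debian that is typically -L /usr/arm-linux-gnueabi, an assumption about
# your install) so qemu can find ld.so and libc. chall9.bin is static, so
# no sysroot is needed here.
debug_arm() {
    bin="$1"
    port="${2:-1234}"
    [ -x "$bin" ] || { echo "not an executable: $bin" >&2; return 1; }
    cmdfile=$(mktemp) || return 1
    gen_gdb_commands "$bin" "$port" > "$cmdfile"

    qemu-arm -g "$port" "$bin" &
    qemu_pid=$!
    # Whatever gdb does, never leave a halted qemu waiting on the port.
    trap 'kill "$qemu_pid" 2>/dev/null; rm -f "$cmdfile"' EXIT INT TERM

    # -nx: ignore ~/.gdbinit; -batch: exit after the script instead of prompting.
    gdb-multiarch -q -nx -batch -x "$cmdfile"
}

# Usage (commented out so the file can be sourced for its functions):
# debug_arm ./chall9.bin 1234
```

Uncomment the last line and run it as `sh debug-arm.sh`, or source the file and call debug_arm yourself. Because -g holds the guest until a debugger connects, the order of the gdb commands is what matters: load the file first so `break main` can resolve, then attach, then continue.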

http://bbs.csdn.net/topics/320128734

$ gdb --core=core.9128

GNU gdb Asianux (6.0post-0.20040223.17.1AX)

Copyright 2004 Free Software Foundation, Inc.

GDB is free software, covered by the GNU General Public License, and you are

welcome to change it and/or distribute copies of it under certain conditions.

Type "show copying" to see the conditions.

There is absolutely no warranty for GDB. Type "show warranty" for details.

This GDB was configured as "i386-asianux-linux-gnu".

Core was generated by `./a.out'.

Program terminated with signal 11, Segmentation fault.

#0 0x08048373 in ?? ()

(gdb) bt

#0 0x08048373 in ?? ()

#1 0xbfffd8f8 in ?? ()

#2 0x0804839e in ?? ()

#3 0xb74cc6b3 in ?? ()

#4 0x00000000 in ?? ()

At this point bt shows no backtrace (the call stack); GDB does not yet know where the symbol information is. Let's tell it:

(gdb) file ./a.out

Reading symbols from ./a.out...done.

Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) bt

#0 0x08048373 in sub () at foo.c:17

#1 0x08048359 in main () at foo.c:8

Now the backtrace comes out.

(gdb) l

8 sub();

9 return 0;

10 }

11

12 static void sub(void)

13 {

14 int *p = NULL;

15

16 /* dereference a null pointer, expect core dump. */

17 printf("%d", *p);

(gdb)
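As an added example (mine, not the poster's), here is the same crash reproduced from scratch in a shell script: build foo.c with -g, let it dump core, locate the core file, and hand gdb the binary and the core together on one command line so the very first bt already has symbols. Lines 8-17 of foo.c are the page's listing; the includes, the prototype, main and the closing brace of sub are my reconstruction. The core_pattern check is the caveat worth having on current distributions, where cores are often piped to systemd-coredump or apport and never appear as a file in the working directory.

```shell
#!/bin/sh
# Added example, not from the CSDN post: reproduce the core-dump session
# end to end. Assumes gcc and gdb are installed and runs on Linux.
# foo.c lines 8-17 match the page's listing; the rest is reconstructed.

# Classify a /proc/sys/kernel/core_pattern value. A leading '|' means cores
# are piped to a handler (systemd-coredump, apport) and no core file appears.
core_pattern_kind() {
    case "$1" in
        '')   return 1 ;;
        '|'*) echo pipe ;;
        /*)   echo absolute ;;
        *)    echo relative ;;
    esac
}

# The shell reports a signal death as 128+signal; SIGSEGV is 11, so 139.
died_of_sigsegv() {
    [ "$1" -eq 139 ]
}

# Locate the core for PID in DIR: core.PID when kernel.core_uses_pid=1
# (the page's core.9128), plain 'core' otherwise.
find_core_file() {
    dir="$1"
    pid="$2"
    for cand in "$dir/core.$pid" "$dir/core"; do
        [ -f "$cand" ] && { echo "$cand"; return 0; }
    done
    return 1
}

# Give gdb the binary and the core together: symbols are read before the
# stack is unwound, which is the whole point of the session above.
analyze_core() {
    bin="$1"
    core="$2"
    [ -f "$bin" ] && [ -f "$core" ] || return 1
    gdb -q -nx -batch -ex bt -ex list "$bin" "$core"
}

reproduce_crash() {
    workdir=$(mktemp -d) || return 1
    cd "$workdir" || return 1
    cat > foo.c <<'EOF'
#include <stdio.h>
#include <stddef.h>

static void sub(void);

int main(void)
{
    sub();
    return 0;
}

static void sub(void)
{
    int *p = NULL;

    /* dereference a null pointer, expect core dump. */
    printf("%d", *p);
}
EOF
    # -g for line info, -O0 so the dereference is not optimised away.
    gcc -g -O0 -o a.out foo.c || return 1

    kind=$(core_pattern_kind "$(cat /proc/sys/kernel/core_pattern)")
    if [ "$kind" = pipe ]; then
        echo "core_pattern pipes cores to a handler; use its tool (e.g. coredumpctl gdb)" >&2
        return 1
    fi
    ulimit -c unlimited

    ./a.out &
    pid=$!
    status=0
    wait "$pid" || status=$?
    died_of_sigsegv "$status" || { echo "expected SIGSEGV, got exit $status" >&2; return 1; }

    core=$(find_core_file . "$pid") || { echo "no core file written" >&2; return 1; }
    analyze_core ./a.out "$core"
}

# Usage (commented out so the file can be sourced for its functions):
# reproduce_crash
```

The binary given to gdb must be the exact build that produced the core: a stripped build yields the same ?? frames shown above, and a rebuilt one can label frames wrongly without any warning.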