Android下使用GDB调试无符号ELF文件
2014-06-18 20:05
423 查看
以下以adb shell下通过gdb工具调试/system/bin/ping举例:
# /data/local/tmp/gdb --args /system/bin/ping
GNU gdb (GDB) 7.3.1-gg2
...
(gdb) info target
Symbols from "/system/bin/ping".
Local exec file:
`/system/bin/ping', file type elf32-littlearm.
Entry point: 0x1078
0x00000134 - 0x00000147 is .interp
0x00000148 - 0x00000598 is .dynsym
0x00000598 - 0x0000081e is .dynstr
0x00000820 - 0x00000a48 is .hash
0x00000a48 - 0x00000bf0 is .rel.dyn
0x00000bf0 - 0x00000db8 is .rel.plt
0x00000db8 - 0x00001078 is .plt
0x00001078 - 0x0000436c is .text
0x0000436c - 0x00004384 is .note.android.ident
0x00004384 - 0x00004454 is .ARM.exidx
0x00004454 - 0x0000446c is .ARM.extab
0x0000446c - 0x00005466 is .rodata
0x00006d40 - 0x00006d48 is .preinit_array
0x00006d48 - 0x00006d50 is .init_array
0x00006d50 - 0x00006d58 is .fini_array
0x00006d58 - 0x00006e50 is .dynamic
0x00006e50 - 0x00007000 is .got
0x00007000 - 0x000070c0 is .data
0x000070c0 - 0x0001a1ee is .bss
(gdb) b *0x1078 // 设置断点到text段首地址
Breakpoint 1 at 0x1078
(gdb) r
Starting program: /system/bin/ping
warning: Breakpoint address adjusted from 0x40003ca5 to 0x40003ca4.
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x1078: Input/output error.
(gdb) d 1 // 在开启了内存布局随机化的kernel中,必然出现上述异常,无视,直接删掉断点1
(gdb) info target
Symbols from "/system/bin/ping".
Unix child process:
Using the running image of child process 9782.
While running this, GDB does not access memory from...
Local exec file:
`/system/bin/ping', file type elf32-littlearm.
Entry point: 0x2a001078
0x2a000134 - 0x2a000147 is .interp
0x2a000148 - 0x2a000598 is .dynsym
0x2a000598 - 0x2a00081e is .dynstr
0x2a000820 - 0x2a000a48 is .hash
0x2a000a48 - 0x2a000bf0 is .rel.dyn
0x2a000bf0 - 0x2a000db8 is .rel.plt
0x2a000db8 - 0x2a001078 is .plt
0x2a001078 - 0x2a00436c is .text
0x2a00436c - 0x2a004384 is .note.android.ident
0x2a004384 - 0x2a004454 is .ARM.exidx
0x2a004454 - 0x2a00446c is .ARM.extab
0x2a00446c - 0x2a005466 is .rodata
0x2a006d40 - 0x2a006d48 is .preinit_array
0x2a006d48 - 0x2a006d50 is .init_array
0x2a006d50 - 0x2a006d58 is .fini_array
0x2a006d58 - 0x2a006e50 is .dynamic
0x2a006e50 - 0x2a007000 is .got
0x2a007000 - 0x2a0070c0 is .data
0x2a0070c0 - 0x2a01a1ee is .bss
........
(gdb) x/32i 0x2a001078 // 查看新text段汇编指令,寻找libc_init调用
0x2a001078: push {r11, lr}
0x2a00107c: add r11, sp, #4
0x2a001080: sub sp, sp, #16
0x2a001084: ldr r3, [pc, #80] ; 0x2a0010dc
0x2a001088: add r3, pc, r3
0x2a00108c: ldr r2, [pc, #76] ; 0x2a0010e0
0x2a001090: ldr r2, [r3, r2]
0x2a001094: str r2, [r11, #-20]
0x2a001098: ldr r2, [pc, #68] ; 0x2a0010e4
0x2a00109c: ldr r2, [r3, r2]
0x2a0010a0: str r2, [r11, #-16]
0x2a0010a4: ldr r2, [pc, #60] ; 0x2a0010e8
0x2a0010a8: ldr r2, [r3, r2]
0x2a0010ac: str r2, [r11, #-12]
0x2a0010b0: mov r2, r11
0x2a0010b4: add r2, r2, #4
0x2a0010b8: str r2, [r11, #-8]
0x2a0010bc: sub r12, r11, #20
0x2a0010c0: ldr r0, [r11, #-8]
0x2a0010c4: mov r1, #0
0x2a0010c8: ldr r2, [pc, #28] ; 0x2a0010ec
0x2a0010cc: ldr r3, [r3, r2]
0x2a0010d0: mov r2, r3
0x2a0010d4: mov r3, r12
0x2a0010d8: bl 0x2a000dcc (参见附注,r2即为main函数)
0x2a0010dc: andeq r5, r0, r0, lsl #29
0x2a0010e0: ; <UNDEFINED> instruction: 0xffffff40
0x2a0010e4: ; <UNDEFINED> instruction: 0xffffff44
0x2a0010e8: ; <UNDEFINED> instruction: 0xffffff48
0x2a0010ec: ; <UNDEFINED> instruction: 0xffffff4c
0x2a0010f0: push {r11, lr}
0x2a0010f4: add r11, sp, #4
(gdb) b *0x2a0010d8
Breakpoint 2 at 0x2a0010d8
(gdb) c
Continuing.
Breakpoint 2, 0x2a0010d8 in ?? ()
(gdb) p/x $r2 // 查看main函数地址
$1 = 0x2a0017c9
(gdb) b *0x2a0017c9 //
main函数上下断点,此时libc.so已加载,还可以b open/fputs/exit ...
warning: Breakpoint address adjusted from 0x2a0017c9 to 0x2a0017c8.
Breakpoint 3 at 0x2a0017c8
(gdb) c
Continuing.
warning: Breakpoint 3 address previously adjusted from 0x2a0017c9 to 0x2a0017c8.
Breakpoint 3, 0x2a0017c8 in ?? ()
(gdb) display /4i $pc
1: x/4i $pc
=> 0x2a0017c8: stmdb sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr}
0x2a0017cc: ldr.w r4, [pc, #2600] ; 0x2a0021f8
0x2a0017d0: ldr.w r3, [pc, #2600] ; 0x2a0021fc
0x2a0017d4: add r4, pc
(gdb) ni
0x2a0017cc in ?? ()
1: x/4i $pc
=> 0x2a0017cc: ldr.w r4, [pc, #2600] ; 0x2a0021f8
0x2a0017d0: ldr.w r3, [pc, #2600] ; 0x2a0021fc
0x2a0017d4: add r4, pc
0x2a0017d6: mov r6, r0
(gdb)
0x2a0017d0 in ?? ()
1: x/4i $pc
=> 0x2a0017d0: ldr.w r3, [pc, #2600] ; 0x2a0021fc
0x2a0017d4: add r4, pc
0x2a0017d6: mov r6, r0
0x2a0017d8: ldr r0, [r4, r3]
(gdb)
....
附注:
ELF可执行文件入口,__libc_init第3个参数即为main:
bionic\libc\arch-arm\bionic\crtbegin.c
__LIBC_HIDDEN__ void _start() {
......
void* raw_args = (void*) ((uintptr_t) __builtin_frame_address(0) + sizeof(void*));
__libc_init(raw_args, NULL, &main, &array);
}
gdb采用的是Android toolchain中的gdb7.3.1-gg2源码编译生成,编译工具使用codesourcery的arm-none-linux-gnueabi。
# /data/local/tmp/gdb --args /system/bin/ping
GNU gdb (GDB) 7.3.1-gg2
...
(gdb) info target
Symbols from "/system/bin/ping".
Local exec file:
`/system/bin/ping', file type elf32-littlearm.
Entry point: 0x1078
0x00000134 - 0x00000147 is .interp
0x00000148 - 0x00000598 is .dynsym
0x00000598 - 0x0000081e is .dynstr
0x00000820 - 0x00000a48 is .hash
0x00000a48 - 0x00000bf0 is .rel.dyn
0x00000bf0 - 0x00000db8 is .rel.plt
0x00000db8 - 0x00001078 is .plt
0x00001078 - 0x0000436c is .text
0x0000436c - 0x00004384 is .note.android.ident
0x00004384 - 0x00004454 is .ARM.exidx
0x00004454 - 0x0000446c is .ARM.extab
0x0000446c - 0x00005466 is .rodata
0x00006d40 - 0x00006d48 is .preinit_array
0x00006d48 - 0x00006d50 is .init_array
0x00006d50 - 0x00006d58 is .fini_array
0x00006d58 - 0x00006e50 is .dynamic
0x00006e50 - 0x00007000 is .got
0x00007000 - 0x000070c0 is .data
0x000070c0 - 0x0001a1ee is .bss
(gdb) b *0x1078 // 设置断点到text段首地址
Breakpoint 1 at 0x1078
(gdb) r
Starting program: /system/bin/ping
warning: Breakpoint address adjusted from 0x40003ca5 to 0x40003ca4.
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x1078: Input/output error.
(gdb) d 1 // 在开启了内存布局随机化的kernel中,必然出现上述异常,无视,直接删掉断点1
(gdb) info target
Symbols from "/system/bin/ping".
Unix child process:
Using the running image of child process 9782.
While running this, GDB does not access memory from...
Local exec file:
`/system/bin/ping', file type elf32-littlearm.
Entry point: 0x2a001078
0x2a000134 - 0x2a000147 is .interp
0x2a000148 - 0x2a000598 is .dynsym
0x2a000598 - 0x2a00081e is .dynstr
0x2a000820 - 0x2a000a48 is .hash
0x2a000a48 - 0x2a000bf0 is .rel.dyn
0x2a000bf0 - 0x2a000db8 is .rel.plt
0x2a000db8 - 0x2a001078 is .plt
0x2a001078 - 0x2a00436c is .text
0x2a00436c - 0x2a004384 is .note.android.ident
0x2a004384 - 0x2a004454 is .ARM.exidx
0x2a004454 - 0x2a00446c is .ARM.extab
0x2a00446c - 0x2a005466 is .rodata
0x2a006d40 - 0x2a006d48 is .preinit_array
0x2a006d48 - 0x2a006d50 is .init_array
0x2a006d50 - 0x2a006d58 is .fini_array
0x2a006d58 - 0x2a006e50 is .dynamic
0x2a006e50 - 0x2a007000 is .got
0x2a007000 - 0x2a0070c0 is .data
0x2a0070c0 - 0x2a01a1ee is .bss
........
(gdb) x/32i 0x2a001078 // 查看新text段汇编指令,寻找libc_init调用
0x2a001078: push {r11, lr}
0x2a00107c: add r11, sp, #4
0x2a001080: sub sp, sp, #16
0x2a001084: ldr r3, [pc, #80] ; 0x2a0010dc
0x2a001088: add r3, pc, r3
0x2a00108c: ldr r2, [pc, #76] ; 0x2a0010e0
0x2a001090: ldr r2, [r3, r2]
0x2a001094: str r2, [r11, #-20]
0x2a001098: ldr r2, [pc, #68] ; 0x2a0010e4
0x2a00109c: ldr r2, [r3, r2]
0x2a0010a0: str r2, [r11, #-16]
0x2a0010a4: ldr r2, [pc, #60] ; 0x2a0010e8
0x2a0010a8: ldr r2, [r3, r2]
0x2a0010ac: str r2, [r11, #-12]
0x2a0010b0: mov r2, r11
0x2a0010b4: add r2, r2, #4
0x2a0010b8: str r2, [r11, #-8]
0x2a0010bc: sub r12, r11, #20
0x2a0010c0: ldr r0, [r11, #-8]
0x2a0010c4: mov r1, #0
0x2a0010c8: ldr r2, [pc, #28] ; 0x2a0010ec
0x2a0010cc: ldr r3, [r3, r2]
0x2a0010d0: mov r2, r3
0x2a0010d4: mov r3, r12
0x2a0010d8: bl 0x2a000dcc (参见附注,r2即为main函数)
0x2a0010dc: andeq r5, r0, r0, lsl #29
0x2a0010e0: ; <UNDEFINED> instruction: 0xffffff40
0x2a0010e4: ; <UNDEFINED> instruction: 0xffffff44
0x2a0010e8: ; <UNDEFINED> instruction: 0xffffff48
0x2a0010ec: ; <UNDEFINED> instruction: 0xffffff4c
0x2a0010f0: push {r11, lr}
0x2a0010f4: add r11, sp, #4
(gdb) b *0x2a0010d8
Breakpoint 2 at 0x2a0010d8
(gdb) c
Continuing.
Breakpoint 2, 0x2a0010d8 in ?? ()
(gdb) p/x $r2 // 查看main函数地址
$1 = 0x2a0017c9
(gdb) b *0x2a0017c9 //
main函数上下断点,此时libc.so已加载,还可以b open/fputs/exit ...
warning: Breakpoint address adjusted from 0x2a0017c9 to 0x2a0017c8.
Breakpoint 3 at 0x2a0017c8
(gdb) c
Continuing.
warning: Breakpoint 3 address previously adjusted from 0x2a0017c9 to 0x2a0017c8.
Breakpoint 3, 0x2a0017c8 in ?? ()
(gdb) display /4i $pc
1: x/4i $pc
=> 0x2a0017c8: stmdb sp!, {r4, r5, r6, r7, r8, r9, r10, r11, lr}
0x2a0017cc: ldr.w r4, [pc, #2600] ; 0x2a0021f8
0x2a0017d0: ldr.w r3, [pc, #2600] ; 0x2a0021fc
0x2a0017d4: add r4, pc
(gdb) ni
0x2a0017cc in ?? ()
1: x/4i $pc
=> 0x2a0017cc: ldr.w r4, [pc, #2600] ; 0x2a0021f8
0x2a0017d0: ldr.w r3, [pc, #2600] ; 0x2a0021fc
0x2a0017d4: add r4, pc
0x2a0017d6: mov r6, r0
(gdb)
0x2a0017d0 in ?? ()
1: x/4i $pc
=> 0x2a0017d0: ldr.w r3, [pc, #2600] ; 0x2a0021fc
0x2a0017d4: add r4, pc
0x2a0017d6: mov r6, r0
0x2a0017d8: ldr r0, [r4, r3]
(gdb)
....
附注:
ELF可执行文件入口,__libc_init第3个参数即为main:
bionic\libc\arch-arm\bionic\crtbegin.c
__LIBC_HIDDEN__ void _start() {
......
void* raw_args = (void*) ((uintptr_t) __builtin_frame_address(0) + sizeof(void*));
__libc_init(raw_args, NULL, &main, &array);
}
gdb采用的是Android toolchain中的gdb7.3.1-gg2源码编译生成,编译工具使用codesourcery的arm-none-linux-gnueabi。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- GDB远程调试Android上的可执行ELF文件
- 在Linux下使用arm-elf-gdb调试lm3s系列
- 使用 Microsoft Symbol Server 获取调试符号文件
- 如何使用gdb调试android webkit内核代码
- 使用gdb和gdbserver调试Android C/C++程序
- ELF格式文件符号表全解析及readelf命令使用方法
- 使用 Microsoft Symbol Server 获取调试符号文件
- android 使用gdb调试的方式
- 使用GDB调试Android手机中的程序
- Android使用ndk-gdb调试jni程序
- Android使用gdb调试native程序
- Android中使用arm-eabi-gdb和vim进行调试
- 如何使用arm-eabi-gdb调试android c/c++程序
- 使用 GDB 调试 core dump 文件
- 使用 Microsoft Symbol Server 获取调试符号文件
- 如何使用arm-eabi-gdb调试android c/c++程序
- Android 使用gdb调试
- 如何使用gdb调试android webkit内核代码
- ELF格式文件符号表全解析及readelf命令使用方法
- 转载_Linux core dump file详解及使用GDB调试Coredump文件