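I am using gdb on Mac OS to reverse a piece of malware. When I try to look at a local variable on the stack, gdb tells me: "Cannot access memory at address 0xbffffd58". Why?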
(gdb) ni
0x000086cc in ?? ()
=> 0x000086cc: 85 c0 test eax,eax
(gdb) i r
eax 0xbffffe0b -1073742325
ecx 0xbffffd58 -1073742504
edx 0x190fc 102652
ebx 0x868e 34446
esp 0xbffffb10 0xbffffb10
ebp 0xbffffb58 0xbffffb58
esi 0x1 1
edi 0x17e9a 97946
eip 0x86cc 0x86cc
eflags 0x302 [ TF IF ]
cs 0x1b 27
ss 0x23 35
ds 0x23 35
es 0x23 35
fs 0x0 0
gs 0xf 15
(gdb) ni
0x000086ce in ?? ()
=> 0x000086ce: 74 e4 je 0x86b4
(gdb) ni
0x000086d0 in ?? ()
=> 0x000086d0: 80 38 2d cmp BYTE PTR [eax],0x2d
(gdb) x/3cb $eax
0xbffffe0b: Cannot access memory at address 0xbffffe0b
(gdb) ni
0x000086d3 in ?? ()
=> 0x000086d3: 75 df jne 0x86b4
(gdb) ni
0x000086b4 in ?? ()
=> 0x000086b4: bf ff ff ff ff mov edi,0xffffffff
(gdb)
Answer 0 (score: 0)
Well, I think this is a bug in GDB:
(gdb) x/12i $pc-0x2a
0x2473: push ebx
0x2474: call 0x2479
0x2479: pop ebx
0x247a: sub esp,0x34
0x247d: lea edx,[ebp-0x19]
0x2480: mov DWORD PTR [esp],edx
0x2483: mov DWORD PTR [esp+0x8],0x6
0x248b: lea eax,[ebx+0x15a3e]
0x2491: mov DWORD PTR [esp+0x4],eax
0x2495: call 0xd900
0x249a: mov DWORD PTR [esp],eax
=> 0x249d: call 0x300b3
(gdb) x/10xb $eax
0xbffffcdf: Cannot access memory at address 0xbffffcdf
(gdb) x/1xw $esp
0xbffffcc0: 0xbffffcdf
(gdb) x/10xb 0xbffffcdf
0xbffffcdf: 0x2f 0x74 0x6d 0x70 0x00 0x05 0x7e 0x01
0xbffffce7: 0x00 0x27
(gdb) ni
0x000300b3 in ?? ()
=> 0x000300b3: e8 48 42 de 8f call 0x8fe14300
(gdb)
See? Examining the same address twice gives two different results.
Then I typed the 'ni' command, and GDB did not step!
Does GDB not work well on Mac OS X?