Nat!

Fishing for clues for "my best bug ever"

(gdb) x/128x 0x30de800
0x30de800: 0x508152eb 0x50899500 0x50899b14 0x508152de
0x30de810: 0x50898e84 0x50899b14 0x508152d1 0x5089caa9
0x30de820: 0x508986b8 0x50815269 0x508983f2 0x508986b8
0x30de830: 0x5081520b 0x55105c35 0x50899b14 0x508151fe
0x30de840: 0x508a46aa 0x508986b8 0x5081510f 0x00095555
0x30de850: 0x00d0dff0 0x010011c0 0x00000009 0x00000000
0x30de860: 0x00000004 0x00020000 0xa0912ba4 0x00000000
0x30de870: 0x00000000 0x00000000 0x00000000 0x00000000
0x30de880: 0x00d0dff0 0x01001180 0x00000009 0x00000000
0x30de890: 0x00000004 0x00030000 0xa0912ba4 0x00000000
0x30de8a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x30de8b0: 0x00d609f0 0x00000009 0x03078710 0x15627a70
0x30de8c0: 0x00000001 0x030dfc30 0x00000000 0x00000000
0x30de8d0: 0x04a24dc0 0x00000002 0x00000014 0x00000019
0x30de8e0: 0x030decf0 0x00000000 0x00000000 0x00000000
0x30de8f0: 0x04a24a20 0x00000000 0x00000000 0x03240960
0x30de900: 0x030dea70 0x00000000 0x00000000 0x00000000
0x30de910: 0x00000000 0x00000000 0x00000000 0x00000000
0x30de920: 0x00d0a590 0x01001384 0x00000083 0x00000083
0x30de930: 0x00000000 0x030de940 0x00000000 0x00000000
0x30de940: 0x454c4553 0x75205443 0x45422e30 0x5a54554e
0x30de950: 0x535f5245 0x4b454c45 0x4e4f4954 0x3075202c
0x30de960: 0x4d414e2e 0x75202c45 0x44492e30 0x53555a5f
0x30de970: 0x444e4154 0x3075202c 0x5f44492e 0x5453414d
0x30de980: 0x535f5245 0x4b454c45 0x4e4f4954 0x3075202c
0x30de990: 0x414c4b2e 0x2c455353 0x2e307520 0x5245554b
0x30de9a0: 0x2c4c455a 0x2e307520 0x4d4d554e 0x46205245
0x30de9b0: 0x204d4f52 0x5f544448 0x45424154 0x20454c4c
0x30de9c0: 0x00003075 0x00000000 0x00000000 0x00000000
0x30de9d0: 0x00d01af0 0x352f00d8 0x500afa60 0x00000000
0x30de9e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x30de9f0: 0x35231f20 0x925c93a8 0x04a053c0 0x00d7dfa0

and

(gdb) set $eax = 0x30de9f4
(gdb) set $eip = 0x35204eaf
(gdb) stepi
(gdb) p/x $eax
$22 = 0x3075
(gdb) set $eax = 0x30de9ec
(gdb) set $eip = 0x35204eaf
(gdb) stepi
(gdb) p/x $eax
$23 = 0x45424154
(gdb) 

Hmm, significant, I would say. It should be noted that the addresses of the executable code and of the memory are somewhere in the middle of what I would expect a VM page to be, since these are supposed to be divisible by 4K as far as I know.

(gdb) x/64x 0x10000
0x10000: 0xffffff4c 0x8bb0148b 0xffff108d 0x18858bff
0x10010: 0xe8ffffff 0x00076f07 0x2785c646 0x01ffffff
0x10020: 0x858b0ceb 0xffffff10 0x0a74c085 0xb539f631
0x10030: 0xffffff50 0x858bc87f 0xffffff4c 0xe8240489
0x10040: 0x0011c3b6 0xff1c958b 0x9589ffff 0xffffff30
0x10050: 0xff2885c7 0x0000ffff 0x85c60000 0xffffff2f
0x10060: 0x1f8b8d00 0x890012c7 0xffff0c8d 0x7d838dff
0x10070: 0x8900120e 0xffff0885 0x83938dff 0x8900120e
0x10080: 0xffff0495 0x898b8dff 0x8900120e 0xffff008d
0x10090: 0x60858dff 0x89ffffff 0xfffefc85 0x8f938dff
0x100a0: 0x8900120e 0xfffef895 0x5c8d8dff 0x89ffffff
0x100b0: 0xfffef48d 0x0288e9ff 0x858b0000 0xffffff30
0x100c0: 0x00587880 0x0268840f 0xc0830000 0x20858948
0x100d0: 0xb9ffffff 0x00000007 0x0cb58bfc 0x89ffffff
0x100e0: 0xb8a6f3c7 0x00000000 0xb60f0a74 0xb60fff46
0x100f0: 0xc829ff4f 0x1d75c085 0x850c458b 0x2f840fc0
(gdb) set $eax = 0x100f0
(gdb) set $eip = 0x35204eaf
(gdb) stepi
(gdb) p/x $eax
$26 = 0xffffff30
(gdb) set $eax = 0x100f0
(gdb) set $eip = 0x35204c93
(gdb) stepi
(gdb) p/x $eax
$27 = 0x2f840fc0
(gdb) x/i 0x35204c93
0x35204c93 <-[xxx value]+9>:      mov    0xc(%eax),%eax
(gdb) x/i 0x35204eaf
0x35204eaf <-[xxx key]+9>:        mov    0x8(%eax),%eax
(gdb)

Just checking with a different memory address and double-checking the assembly code.

Try a different class in a different project with the same layout:

0x00001f0f  <+0006>  push   %ebp
0x00001f10  <+0007>  mov    %esp,%ebp
0x00001f12  <+0009>  sub    $0x8,%esp
0x00001f15  <+0012>  mov    0x8(%ebp),%eax
0x00001f18  <+0015>  mov    0x8(%eax),%eax
0x00001f1b  <+0018>  leave  
0x00001f1c  <+0019>  ret 
(gdb) stepi
(gdb) p/x $eax
$2 = 0x403f20
(gdb) x/4x $eax
0x403f20: 0x00003030 0x924e24f8 0x00002024 0x00002034
(gdb) stepi
(gdb) p/x $eax
$4 = 0x2024
(gdb)