Fishing for clues for "my best bug ever"
(gdb) x/128x 0x30de800
0x30de800: 0x508152eb 0x50899500 0x50899b14 0x508152de
0x30de810: 0x50898e84 0x50899b14 0x508152d1 0x5089caa9
0x30de820: 0x508986b8 0x50815269 0x508983f2 0x508986b8
0x30de830: 0x5081520b 0x55105c35 0x50899b14 0x508151fe
0x30de840: 0x508a46aa 0x508986b8 0x5081510f 0x00095555
0x30de850: 0x00d0dff0 0x010011c0 0x00000009 0x00000000
0x30de860: 0x00000004 0x00020000 0xa0912ba4 0x00000000
0x30de870: 0x00000000 0x00000000 0x00000000 0x00000000
0x30de880: 0x00d0dff0 0x01001180 0x00000009 0x00000000
0x30de890: 0x00000004 0x00030000 0xa0912ba4 0x00000000
0x30de8a0: 0x00000000 0x00000000 0x00000000 0x00000000
0x30de8b0: 0x00d609f0 0x00000009 0x03078710 0x15627a70
0x30de8c0: 0x00000001 0x030dfc30 0x00000000 0x00000000
0x30de8d0: 0x04a24dc0 0x00000002 0x00000014 0x00000019
0x30de8e0: 0x030decf0 0x00000000 0x00000000 0x00000000
0x30de8f0: 0x04a24a20 0x00000000 0x00000000 0x03240960
0x30de900: 0x030dea70 0x00000000 0x00000000 0x00000000
0x30de910: 0x00000000 0x00000000 0x00000000 0x00000000
0x30de920: 0x00d0a590 0x01001384 0x00000083 0x00000083
0x30de930: 0x00000000 0x030de940 0x00000000 0x00000000
0x30de940: 0x454c4553 0x75205443 0x45422e30 0x5a54554e
0x30de950: 0x535f5245 0x4b454c45 0x4e4f4954 0x3075202c
0x30de960: 0x4d414e2e 0x75202c45 0x44492e30 0x53555a5f
0x30de970: 0x444e4154 0x3075202c 0x5f44492e 0x5453414d
0x30de980: 0x535f5245 0x4b454c45 0x4e4f4954 0x3075202c
0x30de990: 0x414c4b2e 0x2c455353 0x2e307520 0x5245554b
0x30de9a0: 0x2c4c455a 0x2e307520 0x4d4d554e 0x46205245
0x30de9b0: 0x204d4f52 0x5f544448 0x45424154 0x20454c4c
0x30de9c0: 0x00003075 0x00000000 0x00000000 0x00000000
0x30de9d0: 0x00d01af0 0x352f00d8 0x500afa60 0x00000000
0x30de9e0: 0x00000000 0x00000000 0x00000000 0x00000000
0x30de9f0: 0x35231f20 0x925c93a8 0x04a053c0 0x00d7dfa0
and
(gdb) set $eax = 0x30de9f4
(gdb) set $eip = 0x35204eaf
(gdb) stepi
(gdb) p/x $eax
$22 = 0x3075
(gdb) set $eax = 0x30de9ec
(gdb) set $eip = 0x35204eaf
(gdb) stepi
(gdb) p/x $eax
$23 = 0x45424154
(gdb)
Hmm, significant, I would say. It should be noted that the address of the executable code and the memory address are both somewhere in the middle of what I would expect a VM page to be, since those are supposed to be divisible by 4K as far as I know.
(gdb) x/64x 0x10000
0x10000: 0xffffff4c 0x8bb0148b 0xffff108d 0x18858bff
0x10010: 0xe8ffffff 0x00076f07 0x2785c646 0x01ffffff
0x10020: 0x858b0ceb 0xffffff10 0x0a74c085 0xb539f631
0x10030: 0xffffff50 0x858bc87f 0xffffff4c 0xe8240489
0x10040: 0x0011c3b6 0xff1c958b 0x9589ffff 0xffffff30
0x10050: 0xff2885c7 0x0000ffff 0x85c60000 0xffffff2f
0x10060: 0x1f8b8d00 0x890012c7 0xffff0c8d 0x7d838dff
0x10070: 0x8900120e 0xffff0885 0x83938dff 0x8900120e
0x10080: 0xffff0495 0x898b8dff 0x8900120e 0xffff008d
0x10090: 0x60858dff 0x89ffffff 0xfffefc85 0x8f938dff
0x100a0: 0x8900120e 0xfffef895 0x5c8d8dff 0x89ffffff
0x100b0: 0xfffef48d 0x0288e9ff 0x858b0000 0xffffff30
0x100c0: 0x00587880 0x0268840f 0xc0830000 0x20858948
0x100d0: 0xb9ffffff 0x00000007 0x0cb58bfc 0x89ffffff
0x100e0: 0xb8a6f3c7 0x00000000 0xb60f0a74 0xb60fff46
0x100f0: 0xc829ff4f 0x1d75c085 0x850c458b 0x2f840fc0
(gdb) set $eax = 0x100f0
(gdb) set $eip = 0x35204eaf
(gdb) stepi
(gdb) p/x $eax
$26 = 0xffffff30
(gdb) set $eax = 0x100f0
(gdb) set $eip = 0x35204c93
(gdb) stepi
(gdb) p/x $eax
$27 = 0x2f840fc0
(gdb) x/i 0x35204c93
0x35204c93 <-[xxx value]+9>: mov 0xc(%eax),%eax
(gdb) x/i 0x35204eaf
0x35204eaf <-[xxx key]+9>: mov 0x8(%eax),%eax
(gdb)
Just checking stuff with a different memory address and double-checking the assembly code.
Try a different class in a different project with the same layout:
0x00001f0f <+0006> push %ebp
0x00001f10 <+0007> mov %esp,%ebp
0x00001f12 <+0009> sub $0x8,%esp
0x00001f15 <+0012> mov 0x8(%ebp),%eax
0x00001f18 <+0015> mov 0x8(%eax),%eax
0x00001f1b <+0018> leave
0x00001f1c <+0019> ret
(gdb) stepi
(gdb) p/x $eax
$2 = 0x403f20
(gdb) x/4x $eax
0x403f20: 0x00003030 0x924e24f8 0x00002024 0x00002034
(gdb) stepi
(gdb) p/x $eax
$4 = 0x2024
(gdb)
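The gdb sessions above are all the same experiment: point %eax at a known block of memory, single-step one load instruction, and see which word lands in %eax. Doing the bookkeeping by hand is error-prone, so here is a small added script (mine, not the author's; the dumps are copied from the page, trimmed to the rows the probes touch, and the helper names are my own) that parses `x/Nx` rows into an address-to-word map, decodes the ASCII that the heap dump at 0x30de940 contains, and for each `set $eax ... stepi ... p/x $eax` probe computes every displacement d such that the word at %eax+d equals the observed result. Intersecting the candidates of several probes of the same instruction pins down what the CPU actually loaded, which can then be compared with the displacement the `x/i` listing claims. Because the dumps are excerpts, "unique" here means unique within the excerpted rows.

```python
"""Check gdb single-step probes against the memory dumps they were run over.

Added example for this post, not the author's code.  The dump rows and the
(%eax, observed) pairs are taken from the page; function names are my own.
"""
import re
import struct

# Excerpt of `x/128x 0x30de800`: the rows holding the string plus the two
# words the first pair of probes returned (0x3075 and 0x45424154).
DUMP_HEAP = """
0x30de940: 0x454c4553 0x75205443 0x45422e30 0x5a54554e
0x30de950: 0x535f5245 0x4b454c45 0x4e4f4954 0x3075202c
0x30de960: 0x4d414e2e 0x75202c45 0x44492e30 0x53555a5f
0x30de970: 0x444e4154 0x3075202c 0x5f44492e 0x5453414d
0x30de980: 0x535f5245 0x4b454c45 0x4e4f4954 0x3075202c
0x30de990: 0x414c4b2e 0x2c455353 0x2e307520 0x5245554b
0x30de9a0: 0x2c4c455a 0x2e307520 0x4d4d554e 0x46205245
0x30de9b0: 0x204d4f52 0x5f544448 0x45424154 0x20454c4c
0x30de9c0: 0x00003075 0x00000000 0x00000000 0x00000000
"""
# Excerpt of `x/64x 0x10000`: every row containing 0xffffff30 or 0x2f840fc0.
DUMP_TEXT = """
0x10040: 0x0011c3b6 0xff1c958b 0x9589ffff 0xffffff30
0x100b0: 0xfffef48d 0x0288e9ff 0x858b0000 0xffffff30
0x100f0: 0xc829ff4f 0x1d75c085 0x850c458b 0x2f840fc0
"""
# The `x/4x $eax` from the other project.
DUMP_OTHER = """
0x403f20: 0x00003030 0x924e24f8 0x00002024 0x00002034
"""

ROW_RE = re.compile(r"^(0x[0-9a-f]+):((?:\s+0x[0-9a-f]{8})+)$")


def parse_x_dump(text):
    """Turn `x/Nx` rows into {address: 32-bit word}, one entry per 4-byte word."""
    words = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError("not an x/x row: " + line)
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(w, 16)
    return words


def cstring_at(words, addr):
    """Read a NUL-terminated string from aligned little-endian (i386) words."""
    out = bytearray()
    while True:
        chunk = struct.pack("<I", words[addr])
        if b"\x00" in chunk:
            return (out + chunk.split(b"\x00", 1)[0]).decode("ascii")
        out += chunk
        addr += 4


def candidate_displacements(words, base, observed):
    """All d with words[base + d] == observed, i.e. where the stepped load could have read."""
    return sorted(a - base for a, w in words.items() if w == observed)


def consistent_displacements(probes):
    """Displacements agreeing with every (words, base, observed) probe of one instruction."""
    return sorted(set.intersection(*(set(candidate_displacements(*p)) for p in probes)))


def analyse():
    heap, text, other = parse_x_dump(DUMP_HEAP), parse_x_dump(DUMP_TEXT), parse_x_dump(DUMP_OTHER)
    return {
        # what the bytes at 0x30de940 spell out
        "string": cstring_at(heap, 0x30de940),
        # three probes of 0x35204eaf, listed by x/i as `mov 0x8(%eax),%eax`
        "key": consistent_displacements([
            (heap, 0x30de9f4, 0x3075),
            (heap, 0x30de9ec, 0x45424154),
            (text, 0x100f0, 0xffffff30),
        ]),
        # one probe of 0x35204c93, listed as `mov 0xc(%eax),%eax`
        "value": consistent_displacements([(text, 0x100f0, 0x2f840fc0)]),
        # the other project's getter, `mov 0x8(%eax),%eax` with %eax = 0x403f20
        "other": consistent_displacements([(other, 0x403f20, 0x2024)]),
    }


if __name__ == "__main__":
    for name, result in analyse().items():
        print(name, result if isinstance(result, str) else [hex(d) for d in result])
```

Run over the page's numbers, the string decodes to an SQL SELECT over `HDT_TABELLE`, the `value` probe and the other project's getter land exactly at the +0xc and +0x8 their listings show, while all three `key` probes agree on a single displacement of -0x34 rather than the +0x8 in the `x/i` output. That is the kind of discrepancy worth logging before drawing conclusions: the probe records what the instruction did, the listing records what the disassembler read, and when the two disagree, one of them is not describing the bytes that were executed.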