tags:

views:

502

answers:

1
+4  Q: 

gdb not hitting breakpoints

To learn a bit more about FreeBSD and *nix systems in general, I'm starting to look at the binaries from the DEFCON 17 Capture The Flag game. Right now, I'm reversing the tucod binary. Here's some possibly useful information on tucod:

tucod: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), for FreeBSD 7.2, dynamically linked (uses shared libs), FreeBSD-style, stripped

Some other possibly useful information gained from some brief static analysis is that tucod binds on port 0xDEAD (cute, eh?) and if you give it a specific password ("HANGEMHIGH!") it will play a game of hang-man with you.

The problem that I'm encountering is that I'm not hitting my breakpoints in gdb. Specifically, the breakpoint that I'm trying to reach is in the code that handles the client connection. Without breakpoints, the code executes as expected. When I set a breakpoint on that code, the child exits (instead of breaking into gdb, as expected). If I set breakpoints before the server forks off the child, I can hit those fine but after hitting "continue" the child does not continue to process my connection (that is, it won't ask me for a password or play hang-man).

Since the daemon forks when it receives a new connection, I try to tell gdb to follow the child with this command:

(gdb) set follow-fork-mode child

But after single-stepping the instructions after the fork, it appears that this isn't working.

I've tried looking for calls to signal, thinking they implemented a custom SIGINT handler (or similar), but the only call to signal that I can see handles SIGCHLD.

My breakpoint in gdb currently looks like this:

(gdb) info breakpoints
Num Type           Disp Enb Address    What
1   breakpoint     keep y   0x080497d0

And 0x080497d0 is the address I want to break on in the client processing code.

I'm sort of new to analyzing software on *nix systems and could use some pointers. How else should I go about troubleshooting why GDB will not hit my breakpoints? Or is there something major I'm just overlooking?

There's a torrent available with all of the game binaries for those interested in seeing the binary first-hand.

+2  A: 

Look here for the answer. In short, it looks like GDB supports child debug mode only on HP-UX and Linux.

Nikolai N Fetissov  2009-10-07 17:21:25
Thanks! The work-around I employed for this was to just patch the binary and have the parent execute the child's portion. For me, this is simpler than trying to add a call to sleep, since I'm without source. But an explanation of what was happening was what I was really looking for. Thanks again.
mrduclaw  2009-10-07 17:46:28

related questions

Wrapping Visual C++ in C#
Open source ER diagramming tool for mysql
What are the best ways to understand an unfamiliar database?
Is reverse engineering evil?
Best way to inject functionality into a binary...
Good techniques for understanding someone else's code
How is the photoshop cutout filter implemented?
Best way to reverse-engineer a web service interface from a WSDL file?
How to reverse engineer undocumented legacy application?
Is there a C++ decompiler?
What's a good C decompiler?
Reverse engineering war stories
How do I decompile a .NET EXE into readable C# source code?
Creating a new rrd database based on an existing one
how are serial generators / cracks developed?
Is it legal to reverse engineer binary file formats
How would you go about reverse engineering a set of binary data pulled from a device?
Reverse Engineering C# code using StarUML
What are the best tools for reverse engineering z80 machine code?
Sequence Diagram Reverse Engineering
Stored procedures reverse engineering
How do I disassemble a VC++ application?
best tool to reverse-engineer a WinXP PS/2 touchpad driver?
Reverse engineer (oracle) schema to ERD
Annotating YouTube videos programatically