
I want to understand how my data string ends up in rdx. In my mind the mov instruction puts the data found at the address into the target. So the content from rbp-0x28 is put into rdx. I checked what's in rbp-0x28 and it is not the data string ('AAAAAAA'). If, however, I let the command execute with ni, then rdx contains the string. I don't know how the string ends up in rdx, as it is not contained in rbp-0x28 beforehand. I know that my data is contained in 0x7fffffffe58f, but I'm not sure how or when it's loaded into rdx. Any help is greatly appreciated!

GDB

Ok iDoki
  • So [rbp-28] wasn't the string itself but a pointer to the string. Then [rdx] becomes the first character. Also, how are you checking rbp-0x28? Because offsets and dereferencing can be tricky. – Irelia Sep 07 '19 at 23:54
  • [link](https://i.gyazo.com/b8ad65c91aa497b7eaa6f22e71add47e.png) [link](https://i.gyazo.com/9dc24d03e14e3c573acfb9a39279a652.png) is how I checked the content. I am sorry that I cannot paste anything from the terminal, but I use a VM. For some reason the same command gives me different answers after executing e.g. x/6x. Could you elaborate on that? – Ok iDoki Sep 08 '19 at 00:10
  • Can I see the C code generating that output? – Irelia Sep 08 '19 at 01:32
  • [sure](https://i.gyazo.com/1672bf930571cf8841fc664658b354e2.png). – Ok iDoki Sep 08 '19 at 12:51
  • But you are right. When I check $rbp-0x28 with x/a there is the correct address. I was confused because I did not know the x/a command. Also, it is confusing to me that the output changes based on different commands before. Anyhow, thanks for your help! – Ok iDoki Sep 08 '19 at 13:00

1 Answer


This depends a lot on which compiler or debugger you're using, as well as the architecture and calling convention. I did run your code with Apple's Clang compiler and lldb and got the expected results. There are minor variations between my output and your output, but it's relatively easy to follow. Since you only posted partial output of your function's debug at offset+0x12, I'll assume that, prior to this, whichever register held the first argument to the function call (in my case RDI) moved the pointer into [rbp-0x28]. This was my output: `mov rsi, qword ptr [rbp-0x30]` is the equivalent of your `mov rdx, [rbp-0x28]`. I think you're under Microsoft's x64 ABI calling convention, so your first argument is passed through rcx. But prior to that instruction it's `mov [rbp-0x30], rdi`, which I believe in your case will be `mov [rbp-0x28], rcx`.

In the next instruction, `mov rdi, rcx`, I breakpointed again. Here I read the contents of rsi, which in your case would be rdx. It printed rsi = 0x00007ffeefbff94a. At that specific memory address I got the result 'AAAAAAA'. Next I read the register rbp and printed rbp = 0x00007ffeefbff740. Then I read the memory address 0x00007ffeefbff740-0x30 (in your case it would be -0x28), which is 0x7ffeefbff710, and here it was the same address stored in rsi, 0x7ffeefbff94a (little endian), which we know points to the string 'AAAAAAA'. So I'm going to assume what you're expecting at RBP-0x28 is the string itself. It should be the address which holds a pointer to the string. Also make sure to do your offsets correctly. Follow these steps:

Breakpoint at lea rax,[rbp-0x20]

Check the value of rdx, view the memory at that address and it should give you the string.

Then check the value of rbp. Subtract 0x28 from it. View the memory at the offset.

This should give you the value of rdx. Which should in turn point to the string you're looking for.

Irelia
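The three levels of indirection the answer walks through (the stack slot holds an address, the address holds the string, the string's first byte is what `[rdx]` yields), as an added C example that is not code from the question or the answer. The program stands in for the compiled function: `demo`, `read_slot_as_address`, `follow_to_string` and `slot_bytes_are_little_endian_address` are names chosen here, the spilled local `slot` plays the role of `[rbp-0x28]`, and the helpers only imitate what GDB's `x/a`, `x/s` and `x/8xb` would display at each level rather than running GDB. It assumes a little-endian host such as x86-64.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: the data string from the question. */
static const char SAMPLE_DATA[] = "AAAAAAA";

/* Mimics `x/a $rbp-0x28` (or `x/gx`): read the 8 bytes stored in a stack
 * slot and interpret them as an address. The slot contains the pointer's
 * bytes, never the string's bytes. */
static uint64_t read_slot_as_address(const void *slot) {
    uint64_t value;
    memcpy(&value, slot, sizeof value); /* byte copy avoids aliasing issues */
    return value;
}

/* Mimics `x/s <address>`: follow the address that was read from the slot and
 * return the C string stored there. */
static const char *follow_to_string(uint64_t address) {
    return (const char *)(uintptr_t)address;
}

/* Mimics `x/8xb $rbp-0x28`: the slot's bytes are the little-endian encoding
 * of the address (assumption: little-endian host, as on x86-64), which is why
 * `x/6x` at the slot does not show 0x41 ('A') even though the string is
 * "AAAAAAA". Returns 1 when every byte matches that encoding. */
static int slot_bytes_are_little_endian_address(const void *slot) {
    const unsigned char *b = slot;
    uint64_t addr = read_slot_as_address(slot);
    for (int i = 0; i < 8; i++) {
        if (b[i] != (unsigned char)((addr >> (8 * i)) & 0xff)) return 0;
    }
    return 1;
}

/* Stand-in for the function in the question. The argument register (rdi or
 * rcx, depending on the ABI) is spilled into a local slot, the equivalent of
 * `mov [rbp-0x28], rcx`, and `mov rdx, [rbp-0x28]` later reloads that slot.
 * Returns 1 if all three levels line up and stores the first character of
 * the string in *first_char_out. */
static int demo(const char *data, char *first_char_out) {
    const char *slot = data; /* the spilled argument: an address, not the text */

    /* Level 0: the slot itself holds an address (what x/a shows). */
    uint64_t addr = read_slot_as_address(&slot);
    if (addr != (uint64_t)(uintptr_t)data) return 0;
    if (!slot_bytes_are_little_endian_address(&slot)) return 0;

    /* Level 1: dereference once to reach the string (what x/s shows). */
    const char *s = follow_to_string(addr);
    if (strcmp(s, data) != 0) return 0;

    /* Level 2: the first byte of the string is what [rdx] would give. */
    *first_char_out = s[0];
    return 1;
}

int main(void) {
    char first = 0;
    const char *slot = SAMPLE_DATA;
    printf("slot holds address 0x%016llx (x/a view)\n",
           (unsigned long long)read_slot_as_address(&slot));
    printf("that address holds \"%s\" (x/s view)\n",
           follow_to_string(read_slot_as_address(&slot)));
    if (demo(SAMPLE_DATA, &first)) {
        printf("[rdx] would yield '%c'\n", first);
    }
    return 0;
}
```

Reading the slot with `x/6x` prints the pointer's bytes, so comparing them against 0x41 is the mistake the question describes; `x/a` on the slot and then `x/s` on the printed address reproduces the answer's steps.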