Finding a value of a variable pointed by debug symbols on a hex editor

Question

An example scenario would be compiled with gcc -g:

void main() {
    int find_me = 123;
    char find_me1 = 'h';
}

and from dwarfdump -d:

0000000000001119 <main>:
    1119:       55                      push   %rbp
    111a:       48 89 e5                mov    %rsp,%rbp
    111d:       c7 45 fc 7b 00 00 00    movl   $0x7b,-0x4(%rbp)
    1124:       c6 45 fb 68             movb   $0x68,-0x5(%rbp)
    1128:       90                      nop
    1129:       5d                      pop    %rbp
    112a:       c3                      retq
    112b:       0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)

find_me is in the movl:0x111d as 0x7b

find_me1 is in the movb:0x1123 as 0x68

dwarfdump output:

.debug_str
                      DW_AT_high_pc               <offset-from-lowpc>18
                      DW_AT_frame_base            len 0x0001: 0x9c:
                          DW_OP_call_frame_cfa
                      DW_AT_GNU_all_call_sites    yes(1)
                      DW_AT_sibling               <0x0000006a>
< 2><0x0000004b>      DW_TAG_variable
                        DW_AT_name                  find_me
                        DW_AT_decl_file             0x00000001 /home/vik/code/hexi/ho.c
                        DW_AT_decl_line             0x00000002
                        DW_AT_decl_column           0x00000006
                        DW_AT_type                  <0x0000006a>
                        DW_AT_location              len 0x0002: 0x916c:
                            DW_OP_fbreg -20
< 2><0x0000005a>      DW_TAG_variable
                        DW_AT_name                  find_me1
                        DW_AT_decl_file             0x00000001 /home/vik/code/hexi/ho.c
                        DW_AT_decl_line             0x00000003
                        DW_AT_decl_column           0x00000007
                        DW_AT_type                  <0x00000071>
                        DW_AT_location              len 0x0002: 0x916b:
                            DW_OP_fbreg -21

can I somehow parse the values without running the program from a c program without running it?

You mean the `123`? That's probably in an instruction as an immediate. — Jester, Feb 03 '21 at 15:05
`char* find_me = 123;` isn't valid C. [“Pointer from integer/integer from pointer without a cast” issues](https://stackoverflow.com/questions/52186834/pointer-from-integer-integer-from-pointer-without-a-cast-issues) Perhaps you meant `char* find_me = (char*)123;`. — Lundin, Feb 03 '21 at 15:21
@Jester yes! But can I find the memory address to extract the immediate from? — katsifolis, Feb 03 '21 at 15:24
Probably only by finding the machine-code block for that source line and disassembling to decode the immediate. e.g. `disas main`. There won't be a debug symbol for the `123` itself, because it's an anonymous constant. In a debug build (where the `find_me` variable isn't optimized away), there will be debug info indicating where it is within the stack frame of the function (or even in a register with different surrounding code and optimization options), but it will only contain the value after the code runs — Peter Cordes, Feb 04 '21 at 01:22
Note that what you're asking is kind of different from the title question: the variable doesn't even *exist* statically, only while `main` is running, because it's in automatic storage. Static storage is just sitting there in `.data`, `.bss`, or `.rodata` for you to find. — Peter Cordes, Feb 04 '21 at 01:24
@thebusybee writing a hex editor that i want these values to be highlighted. — katsifolis, Feb 04 '21 at 11:41
What files (target system, processor, your programs, other's programs, ...) shall this hex editor handle? Commonly only your own files have debug information, and then you don't need a hex editor to change values. — the busybee, Feb 04 '21 at 11:49
Do you take optimization into account? Compilers do funny things with your permission. — the busybee, Feb 04 '21 at 11:53
@thebusybee the primary scope of my program is just a terminal hex editor. Complementary to that I would highlight values found on the source program. x86, my own programs, or programs with debug symbols. — katsifolis, Feb 04 '21 at 12:00
OK. One more step back: What would you like to accomplish with the hex editor? Get an understanding of the bytes in an object file? Patch a value? It sounds like an [X-Y-problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem) to me. — the busybee, Feb 04 '21 at 12:09
Oh, and constant folding is done already with `-O0` (no optimization) on GCC. You will not find your numbers involved in expressions with multiple constants. — the busybee, Feb 04 '21 at 12:10
It's the final project of my uni. a hex editor with patching capabilities as you said! — katsifolis, Feb 04 '21 at 12:27
Did you look into the sources of objdump? Called with `-dS` on an object file it shows bytes, assembly, and source code. So it can be done, but might not be trivial. — the busybee, Feb 04 '21 at 12:31
already tried that seems daunting enough to parse the values correctly.. — katsifolis, Feb 04 '21 at 12:42

Finding a value of a variable pointed by debug symbols on a hex editor

0 Answers0