LotoLo

Reputation: 337

Calling fopen in gdb

I'm reversing a compiled program (written in C) and this one opens a file (which I don't have permission to read) like this:

fopen("/home/user00/.pass", 'r')

then it checks the return:

   ...
   0x4008a8 <main+148>: call   0x400700 <fopen@plt>
   0x4008ad <main+153>: mov    QWORD PTR [rbp-0x8],rax
=> 0x4008b1 <main+157>: cmp    QWORD PTR [rbp-0x8],0x0
   0x4008b6 <main+162>: jne    0x4008e6 <main+210>
   0x4008dc <main+200>: mov    edi,0x1
   0x4008e1 <main+205>: call   0x400710 <exit@plt>
   ...

So if the file doesn't open the program exits.

I obviously can trick this, setting $rax=1, but then the program will try to read the file and it receives a segfault. So I thought I can:

gdb call fopen("/a/file/I/can/read", 'r')

And continue my reverse work, but sadly the program receives a different segfault when I execute this command.

So I wonder, is it possible in some way (by allocating or whatever) to call fopen? I already searched for answers on the internet without success.

This program is part of my school's Security ISO CTF challenge.

Thanks!

Upvotes: 1

Views: 1561

Answers (1)

Employed Russian

Reputation: 213764

> sadly the program receives a different segfault when I execute this command.

That's because you have a bug in your command. It should be:

(gdb) call fopen("/a/file/I/can/read", "r")

(Unlike in Python, the kind of quotes you use in C matters.)

Upvotes: 2
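Added example, not part of the answer above or of the program in the question: in C, `'r'` is an `int` with value 0x72, so when it is passed as the mode argument `fopen` dereferences address 0x72 and faults, while `"r"` is a pointer to a NUL-terminated string. The helper names `try_fopen` and `char_literal_as_mode` are hypothetical, `/dev/null` stands in for any readable file, and a POSIX system is assumed.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Call fopen(path, mode) in a child process so a crash cannot take
 * down the caller. Returns 0 if fopen succeeded, -1 if it returned
 * NULL, -2 on fork/wait failure, or the number of the signal that
 * killed the child. */
int try_fopen(const char *path, const char *mode)
{
    fflush(NULL);                 /* avoid duplicated buffered output */
    pid_t pid = fork();
    if (pid < 0)
        return -2;
    if (pid == 0) {
        FILE *f = fopen(path, mode);
        _exit(f ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -2;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

/* The mode argument that results from writing 'r' instead of "r":
 * the character code 0x72 reinterpreted as an address. */
const char *char_literal_as_mode(void)
{
    return (const char *)(uintptr_t)'r';
}

int main(void)
{
    printf("'r' is an int with value 0x%x\n", 'r');
    printf("\"r\" is a %zu-byte array: 'r' plus NUL\n", sizeof "r");
    printf("mode \"r\": result %d\n", try_fopen("/dev/null", "r"));
    printf("mode 'r': result %d (SIGSEGV is %d)\n",
           try_fopen("/dev/null", char_literal_as_mode()), SIGSEGV);
    return 0;
}
```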
