GDB examine command confusion with address

Question

GDB examine command confusion with address

I know it might be and obvious question, but I've decided to learn a little bit of low level programming. I began with c and the gdb.

First problem:

`(gdb) x/10xb $rip
0x4005a5 <main+4>:  0xb9    0x04    0x00    0x00    0x00    0xba    0x03    0x00
0x4005ad <main+12>: 0x00    0x00
(gdb) x/10xh $rip
0x4005a5 <main+4>:  0x04b9  0x0000  0xba00  0x0003  0x0000  0x02be  0x0000  0xbf00
0x4005b5 <main+20>: 0x0001  0x0000
(gdb) x/10xw $rip
0x4005a5 <main+4>:  0x000004b9  0x0003ba00  0x02be0000  0xbf000000
0x4005b5 <main+20>: 0x00000001  0xffff9fe8  0x0000b8ff  0xc35d0000
`

Question: Why when I use unit size b the next address is 0x4005ad but when I use h or w the next address is 0x4005b5?

Second problem:

`(gdb) x/4xw $rip + 0
0x4005a5 <main+4>:  0x000004b9  0x0003ba00  0x02be0000  0xbf000000 
(gdb) x/4xw $rip + 1
0x4005a6 <main+5>:  0x00000004  0x000003ba  0x0002be00  0x01bf0000
(gdb) x/4xw $rip + 2
0x4005a7 <main+6>:  0xBA000000  0x00000003  0x000002be  0x0001bf00
(gdb) x/4xw $rip + 3
0x4005a8 <main+7>:  0x03BA0000  0xbe000000  0x00000002  0x000001bf
(gdb) x/4xw $rip + 4
0x4005a9 <main+8>:  0x0003BA00  0x02be0000  0xbf000000  0x00000001
(gdb) x/4xw $rip + 5
0x4005aa <main+9>:  0x000003BA  0x0002be00  0x01bf0000  0xe8000000
(gdb) x/4xw $rip + 6
0x4005ab <main+10>: 0x00000003  0x000002be  0x0001bf00  0x9fe80000
(gdb) x/4xw $rip + 7
0x4005ac <main+11>: 0xBE000000  0x00000002  0x000001bf  0xff9fe800
(gdb) x/4xw $rip + 8
0x4005ad <main+12>: 0x02BE0000  0xbf000000  0x00000001  0xffff9fe8`

Question: Why the same value is repeated(Capital letters) for example: in the first column but move to the right, like from $rip + 2 to $rip + 5 where BA is first at the beginning, then at the middle and finally at the end?

c++

c

debugging

gdb

asked on Stack Overflow Feb 15, 2017 by

V -TT

1 Answer

When you ask any low-level debugger to display values from memory startingat a given address it will get some number of bytes from successive locations and display them. (Each address refers to a particular byte in memory)

In your first problem you're asking it to display ten bytes and it displays each byte as a two-digit hexadecimal value, eight bytes per line, and the address goes from 0x4005a5 to (0x4005a55 + 8) or 0x4005ad

Then you ask to display ten half words, eight half words per line, and because each half word is two bytes, the address goes from 0x4005a5 to (0x4005b5 + 16) or 0x4005b5

Your second problem is a little more complicated. Remember that when you ask it to display the contents of memory starting at a location it just fetches your four words STARTING at that location. When you pick one higher address then you're mostly getting the same memory values, just shifted by one.

So why do the values in the words seem to be shifting around in the wrong direction? That has to do with the fact that you're asking for words and x86 CPUs fetch words in a somewhat unintuitive order, from least significant byte to most.

This should help: https://en.wikipedia.org/wiki/Endianness

answered on Stack Overflow Feb 15, 2017 by

Ray Fischer

User contributions licensed under CC BY-SA 3.0