
Setting Breakpoints on Thumb Instructions in GDB

Reverse Engineering Asked by Caustic on April 13, 2021

I’m practicing reversing a stripped arm binary, and found that when I set a breakpoint at say 0x010451, and run the program, gdb spins forever until I hit ctrl+c. When I do, the current pc is at the address, but I can’t continue the program.

When I set the breakpoint to 0x010450, gdb hits the breakpoint fine, but the instructions are being decoded as non-thumb instructions.

Is this expected? A bug? I will try to upload examples later today.

Version info (under qemu usermode emulation):

debian@debian-arm:~/lab$ gdb --version
GNU gdb (Debian 8.2.1-2+b3) 8.2.1
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
debian@debian-arm:~/lab$ uname -a
Linux debian-arm 4.19.0-10-armmp-lpae #1 SMP Debian 4.19.132-1 (2020-07-24) armv7l GNU/Linux

One Answer

when I set a breakpoint at say 0x010451

It's critical to first understand that there is actually no such valid address for an instruction.

On an ARM processor, instructions are always aligned to their width - 16 bit thumb instructions are aligned to 16 bits, 32 bit ARM instructions are aligned to 32 bits, etc.

Rather, such values that are not actually addresses sneak into code disassemblies you may be reading because when a branch is performed, the LSB of the target operand indicates the mode in which the processor should start executing the instruction at the target address - but the target address always has its LSB masked to zero by the hardware!

So trying to set a breakpoint at 0x010451 is formally invalid.

Some tools may as a convenience interpret that to mean "set a thumb-mode breakpoint at 0x010450" - but that's playing a bit fast and loose with the rules.

What is actually correct is to specify the aligned address of the instruction, and the processor operating mode of the breakpoint to be set; e.g., if the breakpoint is implemented by actually replacing an instruction in RAM (rather than using a hardware breakpoint) then the replacement instruction will have to be of the ARM type or the Thumb type.

Answered by Chris Stratton on April 13, 2021
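As an added example (not part of the question or of Chris Stratton's answer), the rule the answer describes, worked through in Python: the requested value is treated as a branch target, bit 0 selects the instruction set and is masked off to give the real address, and the software breakpoint is then planted as an instruction of that set. The assumptions are mine: little-endian ARMv7 as in the asker's armv7l environment, and the architectural BKPT instruction as the planted breakpoint (gdb's own breakpoint byte patterns differ). For the asker's situation in gdb itself, the practical check is that a stripped binary carries no mapping symbols to tell ARM from Thumb, so `set arm fallback-mode thumb` (or `set arm force-mode thumb`) followed by `break *0x10450` on the aligned address is the usual fix; `show arm fallback-mode` displays the current setting.

```python
"""Added example, not part of the original question or answer.

A value such as 0x010451 is a branch target, not an instruction address:
bit 0 selects the instruction set (1 = Thumb, 0 = ARM) and is masked off to
give the real address, and a software breakpoint must then be planted as an
instruction of that set.

Assumptions (mine, not from the page): little-endian ARMv7 as in the
asker's armv7l environment, and the architectural BKPT instruction as the
planted breakpoint. gdb's own breakpoint byte patterns differ.
"""
import struct


def decode_interworking_target(value):
    """Apply the BX/BLX interworking rule to a branch target value.

    Returns (aligned_address, mode). Bit 0 is the instruction set, never part
    of the address. ARM instructions are word aligned, so an ARM target with
    bit 1 set is rejected as well.
    """
    mode = "thumb" if value & 1 else "arm"
    addr = value & ~1
    if mode == "arm" and addr & 2:
        raise ValueError(f"{value:#010x}: ARM target is not word aligned")
    return addr, mode


def bkpt_encoding(mode, imm=0):
    """Bytes for a BKPT #imm in the given instruction set, little-endian.

    A32 BKPT: cond=1110 | 0001 0010 | imm12 | 0111 | imm4  (base 0xE1200070)
    T16 BKPT: 1011 1110 | imm8                              (base 0xBE00)
    """
    if mode == "arm":
        if not 0 <= imm < 1 << 16:
            raise ValueError("A32 BKPT immediate is 16 bits")
        return struct.pack("<I", 0xE1200070 | ((imm >> 4) << 8) | (imm & 0xF))
    if mode == "thumb":
        if not 0 <= imm < 1 << 8:
            raise ValueError("T16 BKPT immediate is 8 bits")
        return struct.pack("<H", 0xBE00 | imm)
    raise ValueError(f"unknown instruction set {mode!r}")


def plan_breakpoint(requested, mode=None):
    """Resolve a requested breakpoint value to (address, mode, bytes_to_write).

    An odd value is read the way the answer says some tools read it: a Thumb
    breakpoint at the aligned address. An even value is ambiguous (ARM or
    Thumb code can start there), and in a stripped binary the debugger has
    no mapping symbols to decide, so the caller must supply the mode. That is
    the decision gdb's `set arm fallback-mode thumb` supplies for you.
    """
    if requested & 1:
        if mode == "arm":
            raise ValueError(f"{requested:#010x} has the Thumb bit set but mode is arm")
        return (*decode_interworking_target(requested), bkpt_encoding("thumb"))
    if mode not in ("arm", "thumb"):
        raise ValueError(f"{requested:#010x}: even address, instruction set must be given")
    if mode == "arm" and requested & 3:
        raise ValueError(f"{requested:#010x}: ARM instructions are word aligned")
    return requested, mode, bkpt_encoding(mode)


if __name__ == "__main__":
    # Addresses are the ones from the question; the outcomes are what a
    # debugger following the interworking rule would do with them.
    for req, m in ((0x010451, None), (0x010450, "thumb"), (0x010450, "arm")):
        addr, mode, patch = plan_breakpoint(req, m)
        print(f"request {req:#010x} -> plant {mode} BKPT at {addr:#010x}: {patch.hex()}")
    for bad in ((0x010452, "arm"), (0x010450, None), (0x010451, "arm")):
        try:
            plan_breakpoint(*bad)
        except ValueError as e:
            print("rejected:", e)
```

The even-address case is the one that bites in a stripped binary: nothing in the address itself says whether 0x010450 holds a Thumb or an ARM instruction, so the debugger has to be told, which is what the gdb settings above do.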
