1、在xv6 内核中 通过 nm kernel | grep _start 找到kernel的起始地址是0010000c
8010b50c D _binary_entryother_start 8010b4e0 D _binary_initcode_start 0010000c T _start
2、 br * 0x0010000c 设置断点,(如果在函数start处设断点就是 br start)
3、c 继续执行到这个断点
4、查看寄存器,找到通过esp找到程序在内存中的地址
info reg
(gdb) info reg
eax 0x0 0
ecx 0x0 0
edx 0x1f0 496
ebx 0x10074 65652
esp 0x7bcc 0x7bcc
ebp 0x7bf8 0x7bf8
esi 0x10074 65652
edi 0x0 0
eip 0x10000c 0x10000c
eflags 0x46 [ PF ZF ]
cs 0x8 8
ss 0x10 16
ds 0x10 16
es 0x10 16
fs 0x0 0
gs 0x0 0
5、x/24x $esp x/x 以十六进制输出,x/d 以十进制输出,x/c 以单字符输出
(gdb) x/24x $esp
0x7bcc: 0x00007db7 0x00000000 0x00000000 0x00000000
0x7bdc: 0x00000000 0x00000000 0x00000000 0x00000000
0x7bec: 0x00000000 0x00000000 0x00000000 0x00000000
0x7bfc: 0x00007c4d 0x8ec031fa 0x8ec08ed8 0xa864e4d0
0x7c0c: 0xb0fa7502 0xe464e6d1 0x7502a864 0xe6dfb0fa
0x7c1c: 0x16010f60 0x200f7c78 0xc88366c0 0xc0220f01
6、x/i 反汇编 – 通常,我们会使用 x/10i $eip-20 来查看当前的汇编($ip是指令寄存器)
0xffff8: xor (%ebx),%dh
0xffffa: das
0xffffb: cmp %edi,(%ecx)
0xffffd: add %bh,%ah
0xfffff: pop %ebx
0x100000: add 0x1bad(%eax),%dh
0x100006: add %al,(%eax)
0x100008: decb 0x52(%edi)
0x10000b: in $0xf,%al
0x10000d: and %ah,%al
7、以16进制的形式打印当前程序中的变量tf里面的内容
(gdb) p /x *tf
$2 = {edi = 0x0, esi = 0x10074, ebp = 0x8010c5b8, oesp = 0x8010c578,
ebx = 0x10074, edx = 0x0, ecx = 0x80112960, eax = 0x200, gs = 0x18,
padding1 = 0x0, fs = 0x0, padding2 = 0x0, es = 0x10, padding3 = 0x0,
ds = 0x10, padding4 = 0x0, trapno = 0x24, err = 0x0, eip = 0x80104e68,
cs = 0x8, padding5 = 0x0, eflags = 0x206, esp = 0x801050ac, ss = 0xc5b8,
padding6 = 0x8010}