Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *

Already have an account? Sign In »

28 minutes
Video Transcription
well, everyone and welcome to the latest breaking stuff with Joe. Episode I, as always in your opponent's host, Joe Perry, the director of research here, it's cyber Eri. I can't tell you how excited I am to be teaching this course. Today's video. We're talking about the nudie bugger G. D B. It's one of the most useful tools on with sort of utilitarian tools out there.
It's useful for what it's used for debugging programs, but that means that it could be used for
malware reverse engineering. It can be used for exploit development of vulnerability analysis. It can be used to actually debug a program and figure out what's wrong with it. It's an incredibly powerful tool that's gonna see us across Red Team's Blue Team's Dev ops pen testers everywhere. If you work in I T. Or Security, there's probably a good use case for you and Jeannie be
so because of that. Obviously, we're making one of our earlier videos here and breaking stuff with Joe because it's just such a phenomenal, useful tool.
Over the course of the next 15 to 30 minutes, we're gonna go through three primary topics. We're gonna discuss what GDP is which we actually just did. So now we all know Judy Bee is a debunker. Second, what we're actually gonna start on a video with is going to be learning what the actually uses of GDP are.
Look at some of the command arguments. We're gonna use it. We're gonna look at some of the functionality of the tool.
And then finally the last objective that we're gonna focus on here The last thing we're going to do in this video is we're actually going to find it. We're gonna use a program that's not operating quite up to code. And we're gonna use GB to figure out what's wrong with.
So I'm very excited to be teaching this class. Hopefully, you're very excited to be taking it. We're gonna learn a little bit about GB. And of course, thank you for watching breaking stuff with Joe here on Cyber Eri on demand.
So as usual in the breaking stuff with Joe Siri's, we're gonna be working out of a rube onto VM one of our videos last week. In a lot of the videos, they're gonna be coming up down the road. We're actually working out of labs on Cyber Aires website. But for this one, we're just going to working out over a bunch of'em
because fortunately, Judy Bee actually comes installed on this operating system and you can invoke it simply by using the man. Should be
now, as I mentioned in the intro video of the first objective is pretty much already done. The first objective is just to find out what GDP is, which is G d. B is the new D bugger G N u the nudie bugger. What it's for is actually what all the buggers are. Four, which is finding errors in code. Now those errors may be causing the code to crash,
you just causing it to perform incorrectly, which is the example we're gonna see here in a little while.
Just in general. Debunker is there so you can figure out what's wrong with your code without necessarily having that code in front of you. Or maybe the problem is something you can easily identify in the code. And something's happening in the in the behavior. One of the things that's really useful to do with Jeannie be one of my favorite uses of GB is actually to combine its use with tools like Ida
disassemble er so that you could look at that Miss assembler and see. Okay,
this is what the program's code is supposed to be doing. This is the sort of operational pattern, And then in GB, you can slowly isolate down where the errors are happening and reference back toe Ida to figure out what the problems are. So that's one of the main uses of G be when you're talking about reverse engineering is this is sort of the active part of passive and active
disassembly or reverse engineering.
So, as I showed just a second ago, we can run Judy Bee just by typing or just by invoking the command within Judy be the first man we're gonna learn here is actually the shell command. I absolutely love this command. All it does is it takes whatever or whatever command you give to that argument, and it passes it back to the operating system. So, for example, if you die Michelle clear,
it'll clear your screen
for those who have seen my videos before, you know that I compulsively clear the screen. So when I first learned about that function, it was very, very useful to me.
First, though, we're gonna quit Junie B before we dig into any more arguments or anymore, huh?
Tools and functions inside of it.
And we're going to see a couple of other ways that you might invoke the D bugger the first other. The first way that we showed was just by typing Jeannie be additionally, you might type Judy Bee with the name of the program you want to run, which in this case is gonna be called Bug. That's what we're gonna do our example on here just a little bit.
So you can see here that by running it with bug, it's gonna show you the same error. And then down here, the bottom it says, reading symbols from bug.
What's happening there actually is that I compiled bug with debugging symbols from a little bit easier to interpret and understand. Ah, lot of times it will fail toe load special symbols or fail to load the debugging information. You'll still get some message telling you that it read symbols that they had identified certain symbols from it, or if it failed to do so for some reason, you'll get that message as well.
So it's a second way that you can invoke GB.
But there are a lot of programs that you'll find that actually take taken argument. For example, you might use something like, uh, less
so here you can see that less takes an argument. And if you try to type Jeannie, be less
and you get run, which is going to our first command. You see, that's gonna crash because it's just asking for help. It's It gives you the missing file name, error.
So what you would want to do in that case. And I know we got just slightly ahead of ourselves by using the run command. But I needed to show you that to show you how you can actually pass arguments to a program. So, for example, we might do bless buggy dot c
and see here. That's the code that we're gonna get to cheat with later to check our work. But instead, we might want to do GB tak tak a r g s, and then you're going to give it the program name again, which in this case of course, is going to be less. And then we're going to give it the actual argument of buggy dot c,
and you can see here
that now it's actually able to run the program with information and perform the actual execution that it's supposed to be performing.
So that's an easy way to past arguments will show in just a little bit away. You can actually change the arguments while running.
Additionally, you can actually run against a specific process. I d using GDP
with the double dash P i. D.
So, with this command, you can actually attached to a process that's running based on its process. I D on will give long give a quick example doing that. So you're gonna run g et it with an ampersand. What that's gonna do is going to start it up while giving control back to your terminal so you can keep executing other commands. But it's also going to return to you the process idea of the process it just created,
not too attached to that. You're gonna run the command. We just showed
Judy B dash, dash pit, and then I'm going to give it 1845 Now if you just run it like a fist, you're going to see that it doesn't actually work. You're going to get an operation not permitted. Generally speaking, the cause of that is that their settings you can do so that you can attach to processes that are running yourself or much more easily. You can just
run it as pseudo that exists is sort of, ah, both of security and a sanity protection. From a security standpoint, if you attach to a process, you can basically do whatever you want to it. You can use that to tow brake crypto, or you can use it to get past passwords and things like that. So it's very important that you not be able to attach to a process that you're not allowed to touch
but additionally, just for sort of a sanity check.
When you're performing, you're attaching rather toe a process in GB. That process is actually gonna freeze, and if you attach to the wrong process, the process that freezes could be something that's essential for your system to function. You can break your machine by attaching to the wrong process and just wrecking everything inside so
pseudo the double exclamation mark just says Run the last command
so pseudo and then we're going to attach to G ET it and you could see is an example of what I was just saying a second ago that g et it is now frozen. It's no longer responsive, but actually, if you if you click it a couple of times, you'll see the text editor is not responding. Lennox will actually think that it's crashed.
One of the command that we're gonna talk about here in just a second continue.
We'll give execution back to it, and it will start operating the way it's supposed to, and you can see you can type. You didn't do whatever you want,
then if you want to interject again, a very easy way to do that from your shell here is just in control. C to send a signal interrupt
and once again, Judy Bee will lock in and you'll see that it's stopped in place.
So fantastic. That's a pretty easy straightforward. Once you're done using a process that you attached to you, neither kill that process or you can just run detach
and you'll see that once we've detached from it, G et it has returned to his normal operations and We'll close that without saving.
And we will quit GB So those are just a few of the ways you can invoke GB. You know, you can use it as just running Judy bee and then pulling in a file later. You're gonna run it with that file name. You can run with that file name and some arguments, or you can attach to a process I need any of those methods are reasonable and functional and will work just fine for you
so long as you use the proper permissions that you're doing that.
But once you've actually started GB and we're actually gonna change doc change directories here while I'm talking once you actually started should be we should have a look at what you can actually do with it.
inside of our Breaking Stuff folder
and then inside of our
Judy Bee folder, you can see here that we have a couple of different documents and the buggy dot C and bug. We're gonna actually look at in depth here in just a minute. But just to explore the command, we're gonna go ahead and we're gonna load bug up with Jeannie. Be
so GB bug again. You're just giving it a thought of the name
you can see here. Okay, it read the symbols from bug. Everything's ready to roll.
Cool. We're gonna give our command again of shell Clear. Just kind of clear a screen a little bit. Now, let's look at some of the different options we can do now. One of the most important commands you can give in G B. Is this one right here, which is break. And what breaks is actually gonna do is it's gonna create a break point, or it's going to
create a place in execution where execution will stop and control given back to
the D bugger. So this is you so that you could start the program running and figure out okay, where my problem's going to be wearing my bugs. What's what's wrong here? You can kind of start stepping through it piece by piece. And the way you're gonna do that again is just by typing break and then giving it the location of that break. I generally, with any program that I start running, I'm just going to a break. Maine.
So long as you have symbols for that program,
it will be able to establish. Okay, this is the beginning of the main function. And we can set our break point there at the beginning, essentially of execution. And we can kind of skip pass a lot of the environment construction that operating systems do, and a lot of sort of the under the hood work that we don't really care about for our project. You can also see if you want to find out what break points you have
have you can list
the break points you've established by using the band. Info
involves has a bunch of other arguments that could be given to her. They're gonna look at here in just a second, but so that's That's the way you create break points by giving the name breaker by giving you the command break. One of the things that's really cool about you to be one of things I really like about Judy Bee is that you can use abbreviated commands all the time.
So, for example, you might do be instead of break and you might say,
Let's do
break. I think we could do Line 25.
There you can see that break 0.2 is created at Line 25.
If you want to get rid of your break points, all you have to do is delete. So we could delete
and just have our one again. We could look and see in the break.
Do you only have one break point?
So you create and delete break points again. Those are going to kind of the core part of the process of debugging a file or debugging a project just because it's gonna give you okay, this is what's happening. You know this, you can stop executions. See, this is what's happening at this moment in execution.
So once we've done our break points, one of the other things that we might want to look at here is what our stack actually looks like. And the way we can do that is by first we want to let it run a little bit. So the run command is how you actually invoked whatever, whatever process you're running and you could see that we've gotten to break 10.1 online 22 you can see their first line of actual execute herbal code. Here is this create entry.
Now it's worth noting for those who've written see before
that that line is definitely not the first line in the program. They're gonna be variable. Definitions are probably be function definitions even, you know, just the main itself is probably gonna have a couple of lines of code on. What's important understand here is that what's actually happening is that Jeannie be ignores all of the variable definitions. Unless unless you tell it not to
on and it just jump straight to the first line of actual execution code of actual code, it's
performing some operation. In this case, in this particular program, we can see that our first operation is actually going to be invoking a different function. But now they were actually inside of Maine. We've got a little bit of context established. We're gonna be able to actually run a few different operations here. For example, we might do
back trace,
which is going to show us our current stack frame. You can see the rent mehn. If we do step, we're gonna we're going to go one step forward and execution, which in this case is gonna take us into the create entry function. Then we can run back trace again and see, Now we've got a couple of
frames that were inside of we've got Maine and then inside of Maine, we've had called create entry.
You could see those air labeled with numbers on the left side for for easy interpretation. So do a quick show. Clear
s. So that's one of the things you could do. You could find out about sort of your stack frame information. Understand what's going on, where I already showed you can step. You can additionally do something called next. The difference would be next, and step is, that step actually goes in tow functions that air cold. Where is next? Just executes the next line of code at whatever level you're currently at
so tight. Next you can see that it's gonna run the next line of code.
If you enter, it will just repeat whatever the last command you gave is you can see here that we've got a couple of variables being defined, that we're going to get into here in just a just a minute once we finish running through our basic commands. But one of things that we might want to do, for example, is see what's actually being stored in those variables. And to do that, what we would do is just use prints. So here will do print
E u I d.
And see that there's that there's not actually anything stored in it yet because it was just defined with this Malik.
But we can see that the address is being presented to us. We know where it's located and if there were anything being stored and we could make use of that,
so those were not all of the commands. Obviously those air just sort of some very basic step, you know, start early steps of learning how to use g be effectively. What we're gonna do now is we're actually gonna take those, we're gonna put him together, and we're just gonna try and debug this program and you're out. What's going wrong with? So I mentioned earlier that the sort of the thing that we're working with you and I'm just gonna completely quit gtb
restart it.
The thing that we're working with here is a novice Programmers come to us and said There's something wrong with my program. I can't figure out what's happening to us. Actually, before we run, Jeannie, be. What we want to do is we want to do is what we do with basically any program that isn't running right. And we want to try it again just to see what happens. Now. This program might tell us
that is going to create and use a file called records. Not that.
So we're going to run this bug and we're gonna see what happens.
And he could see here. It says Enter Created for James Enter, Created for Steven and your created for din ery storm borne of house targaryen first for name. And then this weird little blurb right here and then enter created for Timmy.
So Okay, we know that there's a problem in the code because that doesn't seem like any person's name. Obviously, the beginning of it obviously seems like a person's name, a very important person who is definitely going to kill Seriously, Lannister
uh, anyway, back to programming more seriously. But we can see that this this bit here doesn't really seem to make much sense. So if we look at our records will be able to identify
sure enough, in the same way we've got these different sort of records being created. We have what looks like some kind of number that we have the name of the person and an apartment they're in. And you can see that this name here this day Neri Storm boardinghouse, Hungarian first name
is in the marketing department and for some reason that marketing is also being written right here in her name. So that's the bug we've identified. What's wrong with the program? Before we've ever actually stepped into HGTV to try and fix it. We know what's going wrong, and so we know that we can kind of start to get a sense of OK, what is the problem here? What's causing this specific? But it happened
so we can go ahead and just run GTB bug.
And again we're going to load into the program here is gonna give us our message telling us that we don't have any warranty, et cetera, et cetera,
and as, well, shell clear. And as I said before, one of the first things you always want to do when you step into GDP is just create your first break point, which in my case, is going to break main now. This was created with debugging symbols because this novice programmer is being very kind and is trying to help us help him. Eso We've got break Maine.
It's breaking at Line 22 which you saw when I was just walking through a couple of the basic tool or a couple of basic arguments
as an hour are just going to hit Run.
See that it's starting the program and it's gotten us to this entrance. So create entry here is given is being given two or three arguments. The first is what looks like a pointer to some item. We don't really know what that thing is yet.
The second is this name James, with a no bite of the end. And the third is this term sales with a no biting again. Now we can recall from looking at the record that James is this person's name and sales is their department. So let's step into this create entry and see what it's actually doing.
And inside of this function, you can see ah, a little bit more information on those arguments that were being given to it. We have what looks like memory addresses here, name department and P uh, these these specific arguments are being given a little bit more context because we're inside of the create entry function. And so because it was created with debugging symbols,
GB knows what these arguments were called. And generally speaking, what it's looking for.
So again, we have P name and department and the first sexual line of executed code in this function. Is this Malik here? And we're setting e whatever e might be? We don't know yet. We're setting e to the return from Malik, and you can see here that once we've run, that line of code
will hit next. Once we run that line of code, one of the things that we might want to do is to print
and you can see here that it's got a pointer on weaken C also what it actually is, it gives us This is something called P entry, which we can pretty safely assume because we might know a little bit about See that this is some sort of pointed to a structure,
and we can see that the next thing that's happening here is that this value U i. D is being assigned with a Malik we're gonna run just for a little bit of this code here and just get a sense of what's happening.
And we can actually just do well, just do next.
We've got you I d name, department, all being created. Then we're doing a stir. Copy. Now, for those of you who have programmed C, you know that this line of code is pretty atrocious already. Stir copy is not a safe function, not a smart function. And there's a better than better than even chance that whatever bug we're gonna find is gonna be the responsibility of this
nightmare of a function.
We're gonna keep running next. We've got another stir coffee. Then we have this generate you. I d function now. We don't know what that is, so we should probably go ahead and have a look at it.
And you could see the Now we're inside. Generate your I d. And if at any point since we're getting into kind of nested functions, remember that you can just do a back trace and see where you are in the execution of the program. You can see that from main function, create entry was called and from create entry. The function generate you, I D was called.
So once we're inside of generate, you idea, we can keep looking and have a have a look and see if maybe this is creating our bug.
It's doing an MD five in it and the five Update and Final and then it's returning. So what's honestly useful here is that we can immediately tell there's probably not anything happening in this function that's creating the problem. And the five minute update and final are all functions that could be imported from the ER
SSL libraries, which means that most likely their implementation is not what's creating the bug.
Now. We've got an entire function here, generate you I D. That we're able to say is safe and not creating our problem. Now that is a little bit of an assumption. It's possible that this person has horrific. Lee decided to roll their own MD five hash, but weaken generally safely assume that that's not what's happening. So we've gone through that function we've identified. That's not our source of our problem,
and we're gonna return back up for create injury,
and then you could see that the next line of code that's about to be run. Is this print death enter created So things are executing correctly so far, it should print out this e name
and we could identify what what is contained in the name by again. Just doing a print e arrow name.
And you can see here that that again is a pointer. And this time and now it's pointing to the name James, so that was successfully stir copied, which is useful information. Now we know, Okay, for whatever reason, you know, the bug for sure isn't happening here. Which, of course, when we looked at the records file, we were pretty sure this isn't the one creating that bug. But it's worth checking to make sure that stir copy is happening. Correct
correctly and at least some cases.
we have a hunch based on that stir copy that we saw just a minute ago that the problem probably is happening in the create entry function. We may not know exactly what it is, but we know that it's happening in this function.
Or at least we suspect so. What we can do is we can create a new break point, and we'll just created at the create entry.
We're just gonna run
and you see it's created break to We're just gonna continue the code and let it run
until we get back to our break point. Here, we see is being passed the argument Stephen and product waken go through and first of all, before I before I hit next again you'd see here that the entry was created for James s. Oh, that's actually being printed from the problem from the process that were controlling with Judy Bee. That's really useful. You still control the in and out pipes.
So we created our break point. We've got our second entry. We know that Steven is not having a problem, so we're gonna continue again. We're gonna get to this great point now. This time we see this is the actual name being passed to this function Din ery storm born of the house Targaryen first rename the upper queen of the handles of the first men police of the great grass seed, breaker of chains and mother
of dragons. Now, for various reasons, I feel a certain kinship to this dragon based character.
If you don't know why, that's totally okay it has something to do with the tattoo I got in my Navy days. That may end up being regrettable in my later years, but for now I like it. So we're gonna keep rolling with this class. So it's being passed. This ridiculously long name, which might be,
might be something that's creating our issue. Because if you'll remember from earlier, uh, this store copy that we're using is a dumb function. It doesn't actually know how long the string that is copying is and it doesn't know if there's gonna be a problem. And again here, we can see that the next argue, whether we get is marketing. And you could see here when we're looking at this pointer
four b e 84 BD seven.
So marketing is coming right after this string. It's the next thing in memory,
and that's gonna be relevant here in just a second. So you can see here we have equals Malik 5 12 Malik is just signing that much memory space to eat
and we're creating. Remember, E is a process entry or a process entry, huh?
It's a pointer to an entry s so we're gonna hit next now
we're gonna run the next line of code,
and I am aware that this is kind of, ah, arduous process the first few times you do it. It's a lot of just looking at what's being printed and hitting next and printing out variables when you get into advanced debugging. It's actually even more of that.
I I have debugged a program and sat there for three hours looking at a single function, just trying to identify what was creating our problem. So here you can see that you ideas being created mallet with length of MD five Digest length. So we know that the MD five hash is being stored there. Which makes sense based on that thing we were seeing.
No, it's not being stored as an MP five hash because it was all in base 10 instead of based 16.
But we know that it's being used in some way to create that user. I d.
We're gonna hit next again. You can see that now that name field is being created, but what's really important and we're pretty sure we found our bug is that the name field is being created with 56 bites now I'm not gonna sit here and count all of the queen of the end. I was in the first men's titles,
but I'm willing to bet that those there are more than 56 characters in those titles.
So what we found here is that what's actually causing this problem? At least what we think is causing this problem is that there's not enough space being assigned to name. And the way we're gonna be able to verify that very, very easily is by hitting next again, which we can shorten toe end,
letting the department get at it.
I've got our stir copies. We got name and we could check that again by printing E
arrow name.
And you could see her that right now the name looks totally fine. But once you're on this next stir coffee with the department,
you can see here that this has been overwritten and the reason for that is because this department, the pointer that exists for that is just the next item in memory department is right after the name. So when you have this giant name that goes over the area that it's supposed to be in marketing just gets slapped down right in the middle of it.
Now the reason why printing it Prince, you know that whole string and then gets to marketing
is because there's a no bite at the end of the world marketing. Remember when we got that those arguments earlier, we saw that they had no bites at the end of him and print F or print statements. No to stop reading once they reach it. No bite. So what's actually happening here is that the name that's being given from his storm borne
is just too long, and it's being overwritten by something that has a no bite and therefore cuts off the rest of the name.
And again we can verify. We can look at
print E
We could see that marketing is being stored there correctly on gyu can. Again, you could notice that these addresses here are very close together. They're so close together, in fact, that this overlaps the memory space that is being used right here.
So now we know what the bug is. We understand that the problem is that the memory being allocated just isn't enough, and we can test that theory very easily.
We test that theory very easily by making a quick edit This young programmers code, we're gonna real quick, open vim and again it's getting this is actually gonna be called buggy dot c.
You can see the code that was created here. We've got this structure that way figured out existed earlier that has these three fields in it. We have the functions that we've identified. We haven't looked at record entry yet because we didn't even need to get that far Very often. When someone's writing stuff to a file, they're going to assume that the writing to the file is what went wrong.
And I've seen people who will, you know, just unintentionally will spend hours in that function trying to figure out their mistake
when, as we identified here, the problem is actually happening much earlier. That's one of the reasons why using any bugger is so valuable because you can identify as the program executes exactly where the bug shows up and you can save yourself a lot of time and effort trying to figure out where that bug exists, And we could see this giant entry is being created here
now to test our theory and to fix the problem, all we have to do is change the size of the memory being allocated. So in this case, we're gonna do 10. 24 because we can pretty safely say we have enough. That's enough bites.
And then we're just going to we have a make files we're gonna hit make,
and it's gonna give us a warning that we're gonna ignore because it's not. This is not a C programming class, so GB bug,
we're gonna run it
and you could see that it exited normally. And the name that it printed here in areas Storm born of the house door Gary in first Rene of the unburned Tween of the Angel's and the First Men Khaleesi of the Great Ressie, Breaker of Change in chains and Mother of Dragons. Her Highness has her titles back, so we're able to
what we're able to do. There is actually just using jdb identify all of the things that are happening in this program.
And we were only using some of the most basic commands. And Judy Bee. We didn't really examine deep memory. We didn't go really far into the return values and how we could modify arguments as it's running. All we did there is we actually looked at what was happening on screen, and we set some important break points and she looked at the data as it was being written.
And that's one of the great uses of GDP. You know, it is functionally at its core. It is a D bugger to use for finding and removing bugs.
So even though it's going to be used as I mentioned the beginning of the video for anybody who's working in reverse engineering arm our analysis or exploit development at its core, it's a phenomenal, useful tool for programming to identify what's going wrong as soon as it goes wrong.
So that again, in this video, we kind of talked about three main things. We figured out what Judy Bee is, what deep buggers are. We talked about a few of the commands you give Judy be in our supplemental material. You'll see we have an awesome sheet sheet that you'll be able to make use of and really dig into a bunch more of the commands. And then, of course, we actually sat down and went through a program
and with no a priori knowledge. We were able to identify what was going wrong with that program
based on what we saw in GI me. So hopefully found this video valuable. Hopefully, Jenny B is a tool that you think you could make good use of. I absolutely love it. I use it all the time on you'll be able to use sort of the basic information you got from this video in order to keep exploring this tool. I want to thank you again for watching is always It is my absolute pleasure to do these courses.
And I'm glad that we had some people who might be able to benefit from DDB.
Please continue watching. Please check out some of our other breaking stuff with Joe videos. And this one, we have about six of them up, and they're gonna be a whole bunch more as time goes on. So the more you watch, the more we know that these are gonna be valuable to people. So give us feedback, give us information, give us some ideas that there's a specific tool you'd like to see a video on. But that's gonna be the end of this particular breaking stuff with Joe Video.
Thank you for watching eyes. Always instructive. Joe Perry and I look forward to having you