pwndbg: After patchelf is used to modify the elf file, the heap and bin commands cannot be used

I did the following:

  1. patchelf --set-interpreter $libc_dir/ld-$LIBC_VERSION.so --set-rpath $libc_dir/ tsh

View binary file: ldd tsh

linux-vdso.so.1 (0x00007fff4fcfc000)
libc.so.6 => /glibc/2.31/64/lib/libc.so.6 (0x00007f7f994f2000)
/glibc/2.31/64/lib/ld-2.31.so => /lib64/ld-linux-x86-64.so.2 (0x00007f7f996ec000)
  2. Run the command gdb tsh
pwndbg> r
Starting program: /home/yrl/Desktop/gdbtest/tsh 
warning: the debug information found in "/glibc/2.31/64/lib/.debug/ld-2.31.so" does not match "/glibc/2.31/64/lib/ld-2.31.so" (CRC mismatch).

ERROR: Could not find ELF base!
warning: the debug information found in "/glibc/2.31/64/lib/.debug/libc-2.31.so" does not match "/glibc/2.31/64/lib/libc.so.6" (CRC mismatch).

warning: the debug information found in "/glibc/2.31/64/lib/.debug/libc-2.31.so" does not match "/glibc/2.31/64/lib/libc.so.6" (CRC mismatch).

It warns that the debug information does not match. Then I run the bin command:

pwndbg> bin
bins: This command only works with libc debug symbols.
They can probably be installed via the package manager of your choice.
See also: https://sourceware.org/gdb/onlinedocs/gdb/Separate-Debug-Files.html

E.g. on Ubuntu/Debian you might need to do the following steps (for 64-bit and 32-bit binaries):
sudo apt-get install libc6-dbg
sudo dpkg --add-architecture i386
sudo apt-get install libc-dbg:i386

This seems to be unable to find the symbol table for debugging, so I try this:

pwndbg> set debug-file-directory /glibc/2.31/64/lib/
pwndbg> r

This did not solve the problem. Note: I use patchelf to modify the binary file, and I use the libc provided by glibc-all-in-one, which contains the .debug folder.

Which step did I do wrong? Or can pwndbg only use the debug symbol table of the system libc?

About this issue

  • State: open
  • Created 3 years ago
  • Reactions: 2
  • Comments: 15 (8 by maintainers)
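The "CRC mismatch" warnings above are gdb's .gnu_debuglink check: a stripped library records the file name of its separate debug file plus a CRC32 over that file, and gdb rejects a candidate debug file whose CRC differs, which is why pwndbg then reports missing libc symbols. The following is an added example, not code from pwndbg, gdb or this issue, that reproduces the check with only the Python standard library for ELF64 little-endian files; make_test_elf builds a constructed minimal ELF for self-testing and is not a real library.

```python
import struct, zlib

SHDR = "<IIQQQQIIQQ"  # Elf64_Shdr layout (little-endian)

def debug_crc(data):
    """CRC32 as gdb computes it over the whole separate debug file."""
    return zlib.crc32(data) & 0xFFFFFFFF

def gnu_debuglink(elf):
    """Return (debug_file_name, crc) from an ELF64 LE file's .gnu_debuglink section, or None."""
    if elf[:5] != b"\x7fELF\x02":
        raise ValueError("not an ELF64 file")
    shoff, = struct.unpack_from("<Q", elf, 0x28)
    shentsize, shnum, shstrndx = struct.unpack_from("<HHH", elf, 0x3A)
    hdrs = [struct.unpack_from(SHDR, elf, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]          # file offset of .shstrtab
    for h in hdrs:
        start = strtab + h[0]           # h[0] = sh_name, index into .shstrtab
        if elf[start:elf.index(b"\0", start)] == b".gnu_debuglink":
            sec = elf[h[4]:h[4] + h[5]]  # sh_offset, sh_size
            name = sec[:sec.index(b"\0")].decode()
            crc_off = (len(name) + 4) & ~3   # NUL-terminated name, padded to 4 bytes, then CRC
            return name, struct.unpack_from("<I", sec, crc_off)[0]
    return None

def debug_file_matches(stripped_lib, debug_file):
    """gdb's acceptance test: CRC of the candidate debug file must equal the stored CRC."""
    link = gnu_debuglink(stripped_lib)
    return None if link is None else debug_crc(debug_file) == link[1]

def check_files(lib_path, debug_path):
    """Same check on files on disk, e.g. lib/libc.so.6 and lib/.debug/libc-2.31.so."""
    with open(lib_path, "rb") as f, open(debug_path, "rb") as g:
        return debug_file_matches(f.read(), g.read())

def make_test_elf(debug_name, crc):
    """Constructed minimal ELF64 with just .shstrtab and .gnu_debuglink (test data, not a real library)."""
    shstrtab = b"\0.shstrtab\0.gnu_debuglink\0"
    name = debug_name.encode() + b"\0"
    link = name + b"\0" * (-len(name) % 4) + struct.pack("<I", crc)
    shstr_off, link_off = 64, 64 + len(shstrtab)
    shoff = link_off + len(link)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 1)
    shdrs = struct.pack(SHDR, *([0] * 10))
    shdrs += struct.pack(SHDR, 1, 3, 0, 0, shstr_off, len(shstrtab), 0, 0, 1, 0)
    shdrs += struct.pack(SHDR, 11, 1, 0, 0, link_off, len(link), 0, 0, 4, 0)
    return ehdr + shstrtab + link + shdrs
```

Running check_files on the library and the .debug file named in the warning (for example /glibc/2.31/64/lib/libc.so.6 and /glibc/2.31/64/lib/.debug/libc-2.31.so) returning False is the same condition that makes gdb print the CRC mismatch and leaves pwndbg without libc symbols.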

Most upvoted comments

Sorry I had a typo. I fixed it in 3.3.1 so please upgrade your pwninit and try again 😊

Run info func main for both. One result returned for junior_formatter, zero results returned for junior_formatter_patched. main can be found in junior_formatter_patched with readelf and pwntools (via elf.symbols['main']).

I'm not sure why info func main can't find main after patchelf, but at least this is not pwndbg's issue, I guess. This can be reproduced with:

$ gdb -q -nx ./junior_formatter_patched -ex 'starti'
...
(gdb) info func main
All functions matching regular expression "main":
(gdb) 

Regarding the original issue about our heap and bins commands, it seems to work fine with the libc and ld you provided after patchelf. This can be verified with:

$ cat a.c
#include <stdlib.h>

int main(){
    free(malloc(0x10));
}
$ gcc a.c
$ pwninit
bin: ./a.out
libc: ./libc.so.6
ld: ./ld-linux.so

copying ./a.out to ./a.out_patched
running patchelf on ./a.out_patched
$ ldd a.out_patched
	linux-vdso.so.1 (0x00007ffe52fc7000)
	libc.so.6 => ./libc.so.6 (0x00007f8aff2eb000)
	./ld-linux.so => /lib64/ld-linux-x86-64.so.2 (0x00007f8aff51c000)
$ gdb -q a.out_patched -ex 'set debug-file-directory' -ex 'start' -ex 'next' -ex 'next' -ex 'next' -ex 'next' -ex 'heap' -ex 'bins'
...
Allocated chunk | PREV_INUSE
Addr: 0x55855568d000
Size: 0x290 (with flag bits: 0x291)

Free chunk (tcachebins) | PREV_INUSE
Addr: 0x55855568d290
Size: 0x20 (with flag bits: 0x21)
fd: 0x55855568d

Top chunk | PREV_INUSE
Addr: 0x55855568d2b0
Size: 0x20d50 (with flag bits: 0x20d51)

tcachebins
0x20 [  1]: 0x55855568d2a0 ◂— 0x0
fastbins
empty
unsortedbin
empty
smallbins
empty
largebins
empty
...