The "why" you seek here is not the root cause of the
crash, such as the fact that there is a buffer overflow problem in function xyz. Instead,
initially you need to know whether the program segfaulted or perhaps executed an illegal
instruction. A good debugger will provide this information the moment the program
crashes. A segfault might be reported by gdb as follows:
    Program received signal SIGSEGV, Segmentation fault.
    0x08048327 in main ()
Always make note of whether the address resembles user input in any way. It is common
to use large strings of As when attacking a program. One of the benefits to this is that the
address 0x41414141 is easily recognized as originating from your input rather than correct
program operation. Using the addresses reported in any error messages as clues, you
next examine the CPU registers to correlate the problem to specific program activity. An
OllyDbg register display is shown in Figure 18-1.
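The two checks the text describes (which fatal signal was delivered, and whether the faulting address looks like it was copied out of user input such as a string of As) can be automated in a process that is being tested. The following is an added example, not code from the book: a small crash-triage handler installed with sigaction() that names the signal, prints the faulting address from siginfo_t, and flags addresses whose bytes are all printable ASCII. The byte-pattern heuristic and the report format are this example's own; the address 0x41414141 used in main() is the constructed fault from the text.

```c
/* Crash triage helper (added example): report the fatal signal and the
 * faulting address, and flag addresses that look like printable input. */
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Human-readable name for the fatal signals a debugger typically reports. */
const char *describe_signal(int signo)
{
    switch (signo) {
    case SIGSEGV: return "SIGSEGV (invalid memory reference)";
    case SIGILL:  return "SIGILL (illegal instruction)";
    case SIGBUS:  return "SIGBUS (bad address alignment or mapping)";
    case SIGFPE:  return "SIGFPE (arithmetic fault)";
    default:      return "unknown signal";
    }
}

/* Returns 1 when every significant byte of addr is printable ASCII, i.e. the
 * value could have been copied straight out of text input like "AAAA".
 * Leading zero bytes (the upper half of a 32-bit value on x86-64) are skipped;
 * fewer than four significant bytes is treated as "not input-like". */
int looks_like_input(uintptr_t addr)
{
    int significant = 0;
    for (int shift = (int)(sizeof(addr) * 8) - 8; shift >= 0; shift -= 8) {
        unsigned byte = (unsigned)((addr >> shift) & 0xffu);
        if (byte == 0 && significant == 0)
            continue;               /* skip leading zero bytes */
        significant++;
        if (byte < 0x20 || byte > 0x7e)
            return 0;               /* a non-printable byte rules out text */
    }
    return significant >= 4;
}

/* Append s to out[0..n) without exceeding cap; returns the new length. */
static size_t append(char *out, size_t cap, size_t n, const char *s)
{
    while (*s && n + 1 < cap)
        out[n++] = *s++;
    return n;
}

/* Build a one-line triage report. Uses no malloc or stdio so it is safe to
 * call from a signal handler. Returns the number of bytes written. */
size_t triage_report(int signo, uintptr_t fault_addr, char *out, size_t cap)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;
    n = append(out, cap, n, "Fatal signal: ");
    n = append(out, cap, n, describe_signal(signo));
    n = append(out, cap, n, ", faulting address 0x");
    for (int shift = (int)(sizeof(fault_addr) * 8) - 4; shift >= 0 && n + 1 < cap; shift -= 4)
        out[n++] = hex[(fault_addr >> shift) & 0xfu];
    if (looks_like_input(fault_addr))
        n = append(out, cap, n, "  <-- all bytes printable ASCII; compare with your input");
    n = append(out, cap, n, "\n");
    out[n] = '\0';
    return n;
}

/* SA_SIGINFO handler: write the report to stderr and exit with 128+signal. */
static void crash_handler(int signo, siginfo_t *info, void *ctx)
{
    (void)ctx;
    char line[160];
    size_t n = triage_report(signo, (uintptr_t)info->si_addr, line, sizeof line);
    (void)write(STDERR_FILENO, line, n);
    _exit(128 + signo);
}

/* Install crash_handler for the fatal signals; returns 0 on success. */
int install_crash_handler(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = crash_handler;
    sa.sa_flags = SA_SIGINFO | SA_RESETHAND;
    sigemptyset(&sa.sa_mask);
    int rc = 0;
    rc |= sigaction(SIGSEGV, &sa, NULL);
    rc |= sigaction(SIGILL, &sa, NULL);
    rc |= sigaction(SIGBUS, &sa, NULL);
    rc |= sigaction(SIGFPE, &sa, NULL);
    return rc;
}

int main(void)
{
    install_crash_handler();
    /* Constructed fault for demonstration: read through a pointer holding the
     * 0x41414141 ("AAAA") value discussed in the text. */
    volatile int *p = (volatile int *)(uintptr_t)0x41414141u;
    return *p;
}
```

Run as is, the program prints a line naming SIGSEGV with the faulting address and the printable-ASCII hint, which is the same information a debugger shows at the moment of the crash. The heuristic only recognizes addresses whose bytes are all printable, so a fault at a partially controlled or encoded address still needs the register inspection the text goes on to describe.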
Instruction Pointer Analysis

During analysis, the instruction pointer (eip on
an x86) is often a good place to start looking for problems. There are generally two cases
you can expect to encounter with regard to eip. In the first case, eip may point at valid
program code, either within the application or within a library used by the application.