Debug the unsigned ELF File Using GDB in Android

The following uses the gdb tool to debug/system/bin/ping in adb shell as an example:

#/Data/local/tmp/gdb -- args/system/bin/ping
GNU gdb (GDB) 7.3.1-gg2
...
(Gdb) info target
Symbols from "/system/bin/ping ".
Local exec file:
'/System/bin/ping', file type elf32-littlearm.
Entry point: 0x1078
0x00000134-0x00000147 is. interp
0x00000148-0x00000598 is. dynsym
0x00000598-0x0000081e is. dynstr
0x00000820-0x00000a48 is. hash
0x00000a48-0x00000bf0 is. rel. dyn
0x00000bf0-0x00000db8 is. rel. plt
0x00000db8-0x00001078 is. plt
0x00001078-0x0000436c is. text
0x0000436c-0x00004384 is. note. android. ident
0x00004384-0x00004454 is. ARM. exidx
0x00004454-0x0000446c is. ARM. extab
0x0000446c-0x00005466 is. rodata
0x00006d40-0x00006d48 is. preinit_array
0x00006d48-0x00006d50 is. init_array
0x00006d50-0x00006d58 is. fini_array
0x00006d58-0x00006e50 is. dynamic
0x00006e50-0x00007000 is. got
0x00007000-0x000070c0 is. data
0x000070c0-0x0001a1ee is. bss
(Gdb) B * 0x1078 // you can specify the header address from the breakpoint to the text field.
Breakpoint 1 at 0x1078
(Gdb) r
Starting program:/system/bin/ping
Warning: Breakpoint address adjusted from 0x40003ca5 to 0x40003ca4.
Warning:
Cannot insert breakpoint 1.
Error accessing memory address 0x1078: Input/output error.


(Gdb) d 1 // in the kernel with the memory layout randomization enabled, the above exception is inevitable. Ignore it and delete breakpoint 1 directly.
(Gdb) info target
Symbols from "/system/bin/ping ".
Unix child process:
Using the running image of child process 9782.
While running this, GDB does not access memory from...
Local exec file:
'/System/bin/ping', file type elf32-littlearm.
Entry point: 0x2a001078
0x2a000134-0x2a000147 is. interp
0x2a000148-0x2a000598 is. dynsym
0x2a000598-0x2a00081e is. dynstr
0x2a000820-0x2a000a48 is. hash
0x2a000a48-0x2a000bf0 is. rel. dyn
0x2a000bf0-0x2a000db8 is. rel. plt
0x2a000db8-0x2a001078 is. plt
0x2a001078-0x2a00436c is. text
0x2a00436c-0x2a004384 is. note. android. ident
0x2a004384-0x2a004454 is. ARM. exidx
0x2a004454-0x2a00446c is. ARM. extab
0x2a00446c-0x2a005466 is. rodata
0x2a006d40-0x2a006d48 is. preinit_array
0x2a006d48-0x2a006d50 is. init_array
0x2a006d50-0x2a006d58 is. fini_array
0x2a006d58-0x2a006e50 is. dynamic
0x2a006e50-0x2a007000 is. got
0x2a007000-0x2a0070c0 is. data
0x2a0070c0-0x2a01a1ee is. bss
........

(Gdb) x/32i 0x2a001078 // view the new text segment Assembly command to find the libc_init call
0x2a001078: push {r11, lr}
0x2a000000c: add r11, sp, #4
0x2a001080: sub sp, sp, #16
0x2a001084: ldr r3, [pc, #80]; 0x2a0010dc
0x2a001088: add r3, pc, r3
0x2a0020.c: ldr r2, [pc, #76]; 0x2a0010e0
0x2a001090: ldr r2, [r3, r2]
0x2a001094: str r2, [r11, #-20]
0x2a001098: ldr r2, [pc, #68]; 0x2a0010e4
0x2a0020.c: ldr r2, [r3, r2]
0x2a0010a0: str r2, [r11, #-16]
0x2a0010a4: ldr r2, [pc, #60]; 0x2a0010e8
0x2a0010a8: ldr r2, [r3, r2]
0x2a0010ac: str r2, [r11, #-12]
0x2a0010b0: mov r2, r11
0x2a0010b4: add r2, r2, #4
0x2a0010b8: str r2, [r11, #-8]
0x2a0010bc: sub r12, r11, #20
0x2a0010c0: ldr r0, [r11, #-8]
0x2a0010c4: mov r1, #0
0x2a0010c8: ldr r2, [pc, #28]; 0x2a0010ec
0x2a0010cc: ldr r3, [r3, r2]
0x2a0010d0: mov r2, r3
0x2a0010d4: mov r3, r12
0x2a0010d8: bl 0x2a000dcc (see note. r2 is the main function)
0x2a0010dc: andeq r5, r0, r0, lsl #29
0x2a0010e0 :; Instruction: 0xffffff40
0x2a0010e4 :; Instruction: 0xffffff44
0x2a0010e8 :; Instruction: 0xffffff48
0x2a0010ec :; Instruction: 0xffffff4c
0x2a0010f0: push {r11, lr}
0x2a0010f4: add r11, sp, #4
(Gdb) B * 0x2a0010d8
Breakpoint 2 at 0x2a0010d8
(Gdb) c
Continuing.


Breakpoint 2, 0x2a0010d8 in ?? ()
(Gdb) p/x $ r2 // view the main function address
$1 = 0x2a0017c9
(Gdb) B * 0x2a0017c9 // The main function breakpoint, now libc. so has been loaded, you can also B open/fputs/exit...
Warning: Breakpoint address adjusted from 0x2a0017c9 to 0x2a0017c8.
Breakpoint 3 at 0x2a0017c8
(Gdb) c
Continuing.
Warning: Breakpoint 3 address previusly adjusted from 0x2a0017c9 to 0x2a0017c8.


Breakpoint 3, 0x2a0017c8 in ?? ()
(Gdb) display/4i $ pc
1: x/4i $ pc
=> 0x2a0017c8: Analytic dB sp !, {R4, r5, r6, r7, r8, r9, r10, r11, lr}
0x2a0017cc: ldr. w r4, [pc, #2600]; 0x2a0021f8
0x2a0017d0: ldr. w r3, [pc, #2600]; 0x2a0021fc
0x2a0017d4: add r4, pc
(Gdb) ni
0x2a0017cc in ?? ()
1: x/4i $ pc
=> 0x2a0017cc: ldr. w r4, [pc, #2600]; 0x2a0021f8
0x2a0017d0: ldr. w r3, [pc, #2600]; 0x2a0021fc
0x2a0017d4: add r4, pc
0x2a0017d6: mov r6, r0
(Gdb)
0x2a0017d0 in ?? ()
1: x/4i $ pc
=> 0x2a0017d0: ldr. w r3, [pc, #2600]; 0x2a0021fc
0x2a0017d4: add r4, pc
0x2a0017d6: mov r6, r0
0x2a0017d8: ldr r0, [r4, r3]
(Gdb)

....

Note:

ELF executable file entry, __libc_init. The 3rd parameter is main:

Bionic \ libc \ arch-arm \ bionic \ crtbegin. c

_ LIBC_HIDDEN _ void _ start (){
......
Void * raw_args = (void *) (uintptr_t) _ builtin_frame_address (0) + sizeof (void *));
_ Libc_init (raw_args, NULL, & main, & array );
}

Gdb uses the gdb7.3.1-gg2 source code compilation in the Android toolchain. The compilation tool uses the codesourcery arm-none-linux-gnueabi.