GDB Cheatsheet (linux)

This article provides an overview of essential GDB commands and shortcuts for debugging and reverse-engineering binary applications.

Summary

[I] General presentation

*What is GDB?

GDB is a powerful command-line tool used for debugging programs written in languages like C and C++. It allows developers to inspect the internal workings of a running application, step through code line by line, analyze variables, set breakpoints, and even reverse-engineer binaries. Whether you're troubleshooting a crash or tracking down elusive bugs, GDB gives you full control over program execution and memory analysis—essential for deep diagnostics and performance tuning.

The following article presents various GDB commands for debugging binaries.

To explore GDB’s features and commands in detail, refer to the GDB manpage.

[II] Starting GDB & executing binaries

*Open GDB

Run this command to launch the GDB shell.

auditer@linux:#
gdb

*File selection

From within the GDB shell, execute the following command to specify the file to be analyzed (e.g., unknown.bin)

>(gdb)
file unknown.bin

*Binary execution

It’s recommended to execute the binary at least once before conducting further analysis, as this helps obtain accurate assembly addresses.

>(gdb)
run

*Continue execution after a breakpoint

When execution halts at a breakpoint, this command resumes the binary’s execution until either the next breakpoint or the program’s termination.

>(gdb)
c

[III] Inspecting functions

*List functions

Display all defined functions in the loaded binary, including their memory addresses.

>(gdb)
info functions

*Filter functions by Name

Display only functions matching a Name Replace (Example: `info functions main` will show only functions matching "main".

>(gdb)
info functions main

*Inspect a function content (disas)

The following command disassembles a function to analyze its behavior (e.g., main).

>(gdb)
disas main

[IV] Breakpoint management

*List breakpoints

The following command list the defined breakpoint.

>(gdb)
info b

*Add a breakpoint

This command sets a new breakpoint at a specified memory address (I.e 0x000055555555532f).

>(gdb)
b *0x000055555555532f

*Delete a breakpoint

This command delete a previously set breakpoint defined by its breakpoint number (I.e 1).

>(gdb)
delete 1

*Delete all breakpoints

This command delete all previously set breakpoints.

>(gdb)
delete

[V] Analyzing variables & registers

*With Debug Symbols

If the binary was compiled with debug symbols (-g flag in GCC/Clang), GDB can easily list variables

Lists all global and static variables.

>(gdb)
info variables

Shows local variables in the current stack frame.

>(gdb)
info locals

Shows function arguments in the current frame.

>(gdb)
info args

Lists all functions (can help infer variable usage).

>(gdb)
info functions

Show a variable content. The variable should exist in the souce code when triggered (I.e variable str).

>(gdb)
x/s str

*Without Debug Symbols

If the binary is stripped, variable names are gone. You’ll need to reverse-engineer memory structures.

View the contents of CPU registers.

>(gdb)
info registers

To include floating-point and vector registers (like xmm, ymm, st0–st7), use:

>(gdb)
info all-registers

Inspect memory manually: Use x/<format> <address or register> to examine memory regions (s for string). $rax, $rbx, $rsp, etc., depending on the architecture (x86 vs x86_64) can be used.

>(gdb)
x/s $eax

[VI] Common registers

The registers readable by GDB depend on the CPU architecture of the debugged program. Here's a breakdown of common registers for popular architectures.

*Architecture identification

check the architecture of a binary

auditer@linux:#
file 

*x86 (32-bit)

Register	Purpose
eax, ebx, ecx, edx	General-purpose
esi, edi	Source/destination index
esp	Stack pointer
ebp	Base/frame pointer
eip	Instruction pointer
eflags	Flags register
cs, ds, ss, es, fs, gs	Segment registers

*x86_64 (64-bit)

Register	Purpose
rax, rbx, rcx, rdx	General-purpose
rsi, rdi	Source/destination index
rsp	Stack pointer
rbp	Base/frame pointer
rip	Instruction pointer
r8–r15	Additional general-purpose registers
eflags	Flags
cs, ds, ss, es, fs, gs	Segment registers

*ARM (32-bit)

Register	Purpose
r0–r12	General-purpose
sp	Stack pointer
lr	Link register (return address)
pc	Program counter
cpsr	Current program status register

*AArch64 (ARM 64-bit)

Register	Purpose
x0–x30	General-purpose
sp	Stack pointer
pc	Program counter
fp	Frame pointer
lr	Link register
nzcv	Condition flags

Back