
gdb + pwndbg Cheat Sheet (DRAFT) by

GDB cheatsheet for Defcon Toronto Exploit Dev Workshop

This is a draft cheat sheet. It is a work in progress and is not finished yet.


Disassemble a function
disassemble vuln
Disassemble at address
disassemble 0x400566


Run until termination or breakpoint
Run and pause at main()
Run and provide arguments
r arg1 arg2
If binary prompts for input once through stdin, pass input via file
r < in.txt
If binary prompts for input more than once through stdin
r < <(echo "input1"; echo "input2")


Continue execution
Execute next instruction and step over a function
Execute instruction and step into a function


Set breakpoint at function
bp vuln
Set breakpoint at address
bp 0x4005b5
Set breakpoint at function + offset
bp vuln+47
List breakpoints
Delete all breakpoints
d br
Disable breakpoint 2
bd 2
Enable breakpoint 2
be 2

Examining data

Examine two 8-byte values at RBP in hex
x/2gx $rbp
Examine 10 instructions at main+25
x/10i *main+25
Examine 4-bytes of RAX in hex
x/wx $rax
Print R10 in decimal
p/d $r10
Print sum of 0x500 and 0x39 in decimal
p/d 0x500 + 0x39
Print the address of vuln()
p vuln
Use the x or p command followed by a slash, then the size of the data to examine and a format letter.

Sizes include byte, word, halfword, and giant.

Format letters include octal, hex, decimal, instruction, char, and string.

Modifying data

Set the RAX register to 5
set $rax = 5
Set the value pointed to by an address to 5
set *0x7fffffffe280 = 5
Set the value pointed to by RAX-8 to 5
set *($rax-8) = 5
Set the RIP register to another address
set $rip = 0x4005b5

FLAGS register

View FLAGS register
regs eflags
Set the ZF flag (bit 6)
set $eflags |= (1 << 6)
Clear the ZF flag (bit 6)
set $eflags &= ~(1 << 6)
Carry: CF=0
Parity: PF=2
Adjust: AF=4
Zero: ZF=6
Sign: SF=7
Interruption: IF=9
Direction: DF=10
Overflow: OF=11
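
Added example (not part of the original cheat sheet): a Python helper that decodes an EFLAGS value with the bit positions listed above, checks whether a conditional jump would be taken, and returns the `set $eflags` commands, in the sheet's syntax, that make it go the wanted way. It goes beyond the sheet by including the standard x86 Jcc conditions; the function names and the sample value 0x246 are assumptions chosen for illustration.

```python
from itertools import combinations

# Bit positions exactly as listed in the cheat sheet's FLAGS table.
FLAG_BITS = {"CF": 0, "PF": 2, "AF": 4, "ZF": 6, "SF": 7, "IF": 9, "DF": 10, "OF": 11}

# Standard x86 Jcc conditions (not on the sheet), as predicates over {flag: bool}.
JCC = {
    "je":  lambda f: f["ZF"],
    "jne": lambda f: not f["ZF"],
    "jb":  lambda f: f["CF"],
    "jae": lambda f: not f["CF"],
    "jbe": lambda f: f["CF"] or f["ZF"],
    "ja":  lambda f: not (f["CF"] or f["ZF"]),
    "jl":  lambda f: f["SF"] != f["OF"],
    "jge": lambda f: f["SF"] == f["OF"],
    "jle": lambda f: f["ZF"] or f["SF"] != f["OF"],
    "jg":  lambda f: not f["ZF"] and f["SF"] == f["OF"],
}

def flag_state(eflags):
    """Map every flag in the table to True/False for this EFLAGS value."""
    return {name: bool((eflags >> bit) & 1) for name, bit in FLAG_BITS.items()}

def decode(eflags):
    """Names of the flags that are set, lowest bit first."""
    return [name for name, on in flag_state(eflags).items() if on]

def branch_taken(jcc, eflags):
    return bool(JCC[jcc](flag_state(eflags)))

def gdb_command(name, on):
    """gdb command that sets or clears one flag, in the sheet's syntax."""
    bit = FLAG_BITS[name]
    return f"set $eflags |= (1 << {bit})" if on else f"set $eflags &= ~(1 << {bit})"

def force_branch(jcc, eflags, taken):
    """Fewest flag changes that make `jcc` taken / not taken at a breakpoint."""
    names = ["ZF", "CF", "SF", "OF"]
    for k in range(len(names) + 1):
        for combo in combinations(names, k):
            new = eflags
            for name in combo:
                new ^= 1 << FLAG_BITS[name]
            if branch_taken(jcc, new) == taken:
                return [gdb_command(n, bool((new >> FLAG_BITS[n]) & 1)) for n in combo]

if __name__ == "__main__":
    sample = 0x246  # constructed sample value: PF, ZF and IF set
    print(decode(sample), force_branch("je", sample, taken=False))
```

Paste the returned commands at the gdb prompt while stopped on the conditional jump, before stepping.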

Display state of the program


Get address of saved return pointer

Return address of current stack frame
x/gx $rbp+8
Discovered return addresses on the stack

Search for a string in memory

Look for "Hello"
search Hello

Get distance between addresses

Using p
p/d 0x7fffffffe278 - 0x7fffffffe220
Using distance
distance 0x7fffffffe220 0x7fffffffe278

Print hexdump

Dump register
hexdump $rsp
Dump memory address
hexdump 0x7fffffffe248

Display stack

View the stack
View 30 rows of the stack
stack 30

Print virtual memory map pages

Display stack
vmmap stack
Display program
vmmap vuln01
Display heap
vmmap heap

Check security settings