inaz2 · September 28, 2016 04:35
diff --git a/gistfile1.txt b/gistfile1.txt
 $ gdb ./test
 Reading symbols from ./test...(no debugging symbols found)...done.
 (gdb) start
 Temporary breakpoint 1 at 0x4004f1
 Starting program: /home/user/tmp/test

 Temporary breakpoint 1, 0x00000000004004f1 in main ()
 1: x/i $pc
 => 0x4004f1 <main+4>:   pop    rbp
 (gdb) i r
 rax            0x4004ed 4195565
 rbx            0x0      0
 rcx            0x0      0
 rdx            0x7fffffffebc8   140737488350152
 rsi            0x7fffffffebb8   140737488350136
 rdi            0x1      1
 rbp            0x7fffffffead0   0x7fffffffead0
 rsp            0x7fffffffead0   0x7fffffffead0
 r8             0x7ffff7dd4e80   140737351863936
 r9             0x7ffff7dea530   140737351951664
 r10            0x7fffffffe960   140737488349536
 r11            0x7ffff7a36e50   140737348070992
 r12            0x400400 4195328
 r13            0x7fffffffebb0   140737488350128
 r14            0x0      0
 r15            0x0      0
 rip            0x4004f1 0x4004f1 <main+4>
 eflags         0x246    [ PF ZF IF ]
 cs             0x33     51
 ss             0x2b     43
 ds             0x0      0
 es             0x0      0
 fs             0x0      0
 gs             0x0      0
 (gdb) generate-core-file
 warning: Memory read failed for corefile section, 8192 bytes at 0x7ffff7ff8000.
 Saved corefile core.12739
 (gdb) quit
 A debugging session is active.

        Inferior 1 [process 12739] will be killed.

 Quit anyway? (y or n) y

 $ python parse_core_x64.py core.12739
 gs      = 0x7fff00000000
 gs_base         = 0x0
 rip     = 0x4004f1
 rdx     = 0x7fffffffebc8
 fs      = 0x0
 cs      = 0x33
 rax     = 0x4004ed
 rsi     = 0x7fffffffebb8
 rcx     = 0x0
 es      = 0x0
 r14     = 0x0
 r15     = 0x0
 r12     = 0x400400
 r13     = 0x7fffffffebb0
 r10     = 0x7fffffffe960
 r11     = 0x7ffff7a36e50
 orig_rax        = 0xffffffffffffffff
 fs_base         = 0x0
 rsp     = 0x7fffffffead0
 ds      = 0x0
 rbx     = 0x0
 ss      = 0x2b
 r8      = 0x7ffff7dd4e80
 r9      = 0x7ffff7dea530
 rbp     = 0x7fffffffead0
 eflags  = 0x246
 rdi     = 0x1
diff --git a/parse_core_x64.py b/parse_core_x64.py
 import sys
 import struct

 def regs_from_core(fpath):
    with open(fpath) as f:
        f.seek(0x550)
        data = f.read(0xd8)

    # struct user_regs_struct
    keys = "r15 r14 r13 r12 rbp rbx r11 r10 r9 r8 rax rcx rdx rsi rdi orig_rax rip cs eflags rsp ss fs_base gs_base ds es fs gs".split()
    values = struct.unpack('<QQQQQQQQQQQQQQQQQQQQQQQQQQQ', data)
    return {k: v for k, v in zip(keys, values)}


 if __name__ == '__main__':
    regs = regs_from_core(sys.argv[1])
    for k, v in regs.iteritems():
        print "%s \t= 0x%x" % (k, v)
	$ gdb ./test
	Reading symbols from ./test...(no debugging symbols found)...done.
	(gdb) start
	Temporary breakpoint 1 at 0x4004f1
	Starting program: /home/user/tmp/test

	Temporary breakpoint 1, 0x00000000004004f1 in main ()
	1: x/i $pc
	=> 0x4004f1 <main+4>: pop rbp
	(gdb) i r
	rax 0x4004ed 4195565
	rbx 0x0 0
	rcx 0x0 0
	rdx 0x7fffffffebc8 140737488350152
	rsi 0x7fffffffebb8 140737488350136
	rdi 0x1 1
	rbp 0x7fffffffead0 0x7fffffffead0
	rsp 0x7fffffffead0 0x7fffffffead0
	r8 0x7ffff7dd4e80 140737351863936
	r9 0x7ffff7dea530 140737351951664
	r10 0x7fffffffe960 140737488349536
	r11 0x7ffff7a36e50 140737348070992
	r12 0x400400 4195328
	r13 0x7fffffffebb0 140737488350128
	r14 0x0 0
	r15 0x0 0
	rip 0x4004f1 0x4004f1 <main+4>
	eflags 0x246 [ PF ZF IF ]
	cs 0x33 51
	ss 0x2b 43
	ds 0x0 0
	es 0x0 0
	fs 0x0 0
	gs 0x0 0
	(gdb) generate-core-file
	warning: Memory read failed for corefile section, 8192 bytes at 0x7ffff7ff8000.
	Saved corefile core.12739
	(gdb) quit
	A debugging session is active.

	Inferior 1 [process 12739] will be killed.

	Quit anyway? (y or n) y

	$ python parse_core_x64.py core.12739
	gs = 0x7fff00000000
	gs_base = 0x0
	rip = 0x4004f1
	rdx = 0x7fffffffebc8
	fs = 0x0
	cs = 0x33
	rax = 0x4004ed
	rsi = 0x7fffffffebb8
	rcx = 0x0
	es = 0x0
	r14 = 0x0
	r15 = 0x0
	r12 = 0x400400
	r13 = 0x7fffffffebb0
	r10 = 0x7fffffffe960
	r11 = 0x7ffff7a36e50
	orig_rax = 0xffffffffffffffff
	fs_base = 0x0
	rsp = 0x7fffffffead0
	ds = 0x0
	rbx = 0x0
	ss = 0x2b
	r8 = 0x7ffff7dd4e80
	r9 = 0x7ffff7dea530
	rbp = 0x7fffffffead0
	eflags = 0x246
	rdi = 0x1
	import sys
	import struct

	def regs_from_core(fpath):
	with open(fpath) as f:
	f.seek(0x550)
	data = f.read(0xd8)

	# struct user_regs_struct
	keys = "r15 r14 r13 r12 rbp rbx r11 r10 r9 r8 rax rcx rdx rsi rdi orig_rax rip cs eflags rsp ss fs_base gs_base ds es fs gs".split()
	values = struct.unpack('<QQQQQQQQQQQQQQQQQQQQQQQQQQQ', data)
	return {k: v for k, v in zip(keys, values)}


	if __name__ == '__main__':
	regs = regs_from_core(sys.argv[1])
	for k, v in regs.iteritems():
	print "%s \t= 0x%x" % (k, v)