Show context stack offset from rbp instead of rsp

[DavidDeLille]

Stack output currently looks like this, where the offsets are printed in regards to $rsp:

0x00007fffffffe1b0│+0x0000: 0x361616161    ← $rsp
0x00007fffffffe1b8│+0x0008: 0x603110
0x00007fffffffe1c0│+0x0010: 0x0
0x00007fffffffe1c8│+0x0018: 0x00007fffffffe1f7  →  0x6031a000
0x00007fffffffe1d0│+0x0020: 0xf700603107
0x00007fffffffe1d8│+0x0028: 0x603010
0x00007fffffffe1e0│+0x0030: 0x0000000000401129  →  "Welcome %s"
0x00007fffffffe1e8│+0x0038: 0x3

Maybe it's a good idea to also have the option to print the stack from the perspective of $rbp, since some binaries use that to point to things on the stack ($rbp = 0x00007fffffffe210 ; $rbp-$rsp = 0x60):

0x00007fffffffe1b0│-0x0060: 0x361616161    ← $rsp
0x00007fffffffe1b8│-0x0058: 0x603110
0x00007fffffffe1c0│-0x0050: 0x0
0x00007fffffffe1c8│-0x0048: 0x00007fffffffe1f7  →  0x6031a000
0x00007fffffffe1d0│-0x0040: 0xf700603107
0x00007fffffffe1d8│-0x0038: 0x603010
0x00007fffffffe1e0│-0x0030: 0x0000000000401129  →  "Welcome %s"
0x00007fffffffe1e8│-0x0028: 0x3

[hugsy]

No, because $ebp/$rbp is

1. specific to x86 architectures (some archs simply do not have frame pointers)
2. can be omitted by the compiler directive -fomit-frame-pointer
   Whereas $rsp (aka $sp) has to always be there.

You can use the dereference command to dump N entries from $rbp when it exists. Example:

gef➤  dereference $ebp 10
0xffffd3f8│+0x0000: 0x0  ← $ebp
0xffffd3fc│+0x0004: 0xf7e0f5f7  →  <__libc_start_main+247>: add esp,0x10
0xffffd400│+0x0008: 0x1
0xffffd404│+0x000c: 0xffffd494  →  0xffffd654  →  "/home/hugsy/code/gef/tests/win32"
0xffffd408│+0x0010: 0xffffd49c  →  0xffffd675  →  "ALTERNATE_EDITOR=/usr/bin/nano"
0xffffd40c│+0x0014: 0x0
0xffffd410│+0x0018: 0x0
0xffffd414│+0x001c: 0x0
0xffffd418│+0x0020: 0xf7fa6000  →  0x1aedb0
0xffffd41c│+0x0024: 0xf7ffdc04  →  0x0

[DavidDeLille]

Would it be possible to generically define a register from which the offset would be calculated and just set it to $rsp by default? I'm mostly wondering because some binaries have code like this:

gef➤  x/10i 0x0000000000400B90
   0x400b90:    mov    rax,QWORD PTR [rbp-0x30]
   0x400b94:    mov    rdx,QWORD PTR [rbp-0x18]
   0x400b98:    add    rdx,rax
   0x400b9b:    mov    rax,QWORD PTR [rbp-0x30]
   0x400b9f:    mov    rcx,QWORD PTR [rbp-0x18]
   0x400ba3:    add    rax,rcx
   0x400ba6:    movzx  ecx,BYTE PTR [rax]
   0x400ba9:    mov    rax,QWORD PTR [rbp-0x58]
   0x400bad:    mov    rsi,QWORD PTR [rax+0x8]
   0x400bb1:    mov    rax,QWORD PTR [rbp-0x30]

Being able to see stack value offsets based on $rbp would make it a bit easier to find the values mentioned in the code. Otherwise you have to constantly remember "oh yeah, $rbp-0x30 is $rsp+0x30".

[hugsy]

This seems like a not simple thing to implement for a very little gain, especially since you can use the dereference command.
If you want, submit a PR and I will have a look.

Thanks.