CSAPP Lab2--Defusing a Binary Bomb
来源:互联网 发布:五矿证券怎么样 知乎 编辑:程序博客网 时间:2024/04/30 22:32
实验材料:http://download.csdn.net/detail/u010560443/9458899
GDB教程:
http://heather.cs.ucdavis.edu/~matloff/UnixAndC/CLanguage/Debug.html
http://www.gnu.org/software/gdb/
x86手册:https://sourceware.org/binutils/docs/as/
phase_2
//read_line读取到的字符串地址在ebp+8处//答案:1 6 11 16 21 26//要求:read_six_numbers拆分字符串为六个数字并存到phase_2但局部数组中,//phase_2+51处要求数组中后一个元素必须比前一个元素大5Dump of assembler code for function phase_2: 0x08048ba4 <+0>: push %ebp 0x08048ba5 <+1>: mov %esp,%ebp 0x08048ba7 <+3>: sub $0x28,%esp #esp=esp-40 0x08048baa <+6>: lea -0x1c(%ebp),%eax #eax=ebp-28 0x08048bad <+9>: mov %eax,0x4(%esp) ##arg2 of read_six_numbers 0x08048bb1 <+13>: mov 0x8(%ebp),%eax #eax=*(ebp+8) input string addr 0x08048bb4 <+16>: mov %eax,(%esp) #arg1=input string addr 0x08048bb7 <+19>: call 0x8048fcc <read_six_numbers> 0x08048bbc <+24>: movl $0x1,-0x4(%ebp) #local i=1 0x08048bc3 <+31>: jmp 0x8048be3 <phase_2+63> 0x08048bc5 <+33>: mov -0x4(%ebp),%eax #eax=i 0x08048bc8 <+36>: mov -0x1c(%ebp,%eax,4),%edx #edx=a[1] 0x08048bcc <+40>: mov -0x4(%ebp),%eax #eax=i 0x08048bcf <+43>: dec %eax #eax=eax-1 0x08048bd0 <+44>: mov -0x1c(%ebp,%eax,4),%eax #eax=a[0] 0x08048bd4 <+48>: add $0x5,%eax #eax=a[0]+5 0x08048bd7 <+51>: cmp %eax,%edx #if(a[1]==a[0]+5) 0x08048bd9 <+53>: je 0x8048be0 <phase_2+60> 0x08048bdb <+55>: call 0x8049626 <explode_bomb> 0x08048be0 <+60>: incl -0x4(%ebp) # i++ 0x08048be3 <+63>: cmpl $0x5,-0x4(%ebp) # i<=5 0x08048be7 <+67>: jle 0x8048bc5 <phase_2+33> 0x08048be9 <+69>: leave 0x08048bea <+70>: ret Dump of assembler code for function read_six_numbers: 0x08048fcc <+0>: push %ebp 0x08048fcd <+1>: mov %esp,%ebp 0x08048fcf <+3>: push %esi 0x08048fd0 <+4>: push %ebx 0x08048fd1 <+5>: sub $0x30,%esp #esp=esp-30 0x08048fd4 <+8>: mov 0xc(%ebp),%eax #local eax= *(ebp+12)= a 0x08048fd7 <+11>: add $0x14,%eax # &a[5] of int a[6] 0x08048fda <+14>: mov 0xc(%ebp),%edx 0x08048fdd <+17>: add $0x10,%edx 0x08048fe0 <+20>: mov 0xc(%ebp),%ecx 0x08048fe3 <+23>: add $0xc,%ecx 0x08048fe6 <+26>: mov 0xc(%ebp),%ebx 0x08048fe9 <+29>: add $0x8,%ebx 0x08048fec <+32>: mov 0xc(%ebp),%esi 0x08048fef <+35>: add $0x4,%esi # &a[1] 0x08048ff2 <+38>: mov %eax,0x1c(%esp) # arg8 0x08048ff6 <+42>: mov %edx,0x18(%esp) # 7 0x08048ffa <+46>: mov %ecx,0x14(%esp) # 6 0x08048ffe <+50>: mov %ebx,0x10(%esp) # 5 0x08049002 <+54>: mov %esi,0xc(%esp) # 4 = &a[1] 0x08049006 <+58>: mov 0xc(%ebp),%eax #eax= *(ebp+12) 0x08049009 <+61>: mov %eax,0x8(%esp) # arg3= &a[0] 0x0804900d <+65>: movl $0x8049c45,0x4(%esp) #arg2=format string 0x08049015 <+73>: mov 0x8(%ebp),%eax #input string addr 0x08049018 <+76>: mov %eax,(%esp) #arg1=input string 0x0804901b <+79>: call 0x8048868 <sscanf@plt> 0x08049020 <+84>: mov %eax,-0xc(%ebp) # eax= return value of sscanf (string length) 0x08049023 <+87>: cmpl $0x5,-0xc(%ebp) # 5 > strlen 0x08049027 <+91>: jg 0x804902e <read_six_numbers+98> 0x08049029 <+93>: call 0x8049626 <explode_bomb> 0x0804902e <+98>: add $0x30,%esp 0x08049031 <+101>: pop %ebx 0x08049032 <+102>: pop %esi 0x08049033 <+103>: pop %ebp 0x08049034 <+104>: ret
phase_3
//答案:0 967//要求:第一个输入是跳转地址在数组中的偏移,跳转后需要和一个立即数比较,第二个输入必须和这个立即数一样//offset=0,Imm=0x3c7=967 ; offset=1,Imm=0x93......Dump of assembler code for function phase_3: 0x08048beb <+0>: push %ebp 0x08048bec <+1>: mov %esp,%ebp 0x08048bee <+3>: sub $0x28,%esp #esp-28 0x08048bf1 <+6>: movl $0x0,-0x8(%ebp) # local2=*(ebp-8)=0 0x08048bf8 <+13>: movl $0x0,-0x4(%ebp) # local1=*(ebp-4)=0 0x08048bff <+20>: lea -0x10(%ebp),%eax # eax=ebp-16=(int *)&num2 local4=num2 0x08048c02 <+23>: mov %eax,0xc(%esp) # arg4=&num2 0x08048c06 <+27>: lea -0xc(%ebp),%eax # eax=ebp-12=(int *)&num1 local3=num1 0x08048c09 <+30>: mov %eax,0x8(%esp) # arg3=&num1 0x08048c0d <+34>: movl $0x8049947,0x4(%esp) #arg2=format string 0x08048c15 <+42>: mov 0x8(%ebp),%eax #eax=input string 0x08048c18 <+45>: mov %eax,(%esp) #arg1=input string 0x08048c1b <+48>: call 0x8048868 <sscanf@plt> 0x08048c20 <+53>: mov %eax,-0x4(%ebp) #local1=ret value=num of digit 0x08048c23 <+56>: cmpl $0x1,-0x4(%ebp) 0x08048c27 <+60>: jg 0x8048c2e <phase_3+67> #if(local1>1) jmp 67; 0x08048c29 <+62>: call 0x8049626 <explode_bomb> #else bomb; 0x08048c2e <+67>: mov -0xc(%ebp),%eax #eax=num1 0x08048c31 <+70>: mov %eax,-0x14(%ebp) #local5=*(ebp+20)=num1 (offset) 0x08048c34 <+73>: cmpl $0x7,-0x14(%ebp) #local5:7 0x08048c38 <+77>: ja 0x8048c8e <phase_3+163> #if(local5>7) bomb ; 0x08048c3a <+79>: mov -0x14(%ebp),%edx #edx=num1 0x08048c3d <+82>: mov 0x8049950(,%edx,4),%eax #eax=0x8049950+4*num1 (array of address) 0x08048c44 <+89>: jmp *%eax # when num1=0,*(0x8049950+0)=0x08048c46 0x08048c46 <+91>: movl $0x3c7,-0x8(%ebp) #local2=0x3c7=967 0x08048c4d <+98>: jmp 0x8048c93 <phase_3+168> 0x08048c4f <+100>: movl $0x93,-0x8(%ebp) 0x08048c56 <+107>: jmp 0x8048c93 <phase_3+168> 0x08048c58 <+109>: movl $0x296,-0x8(%ebp) 0x08048c5f <+116>: jmp 0x8048c93 <phase_3+168> 0x08048c61 <+118>: movl $0x225,-0x8(%ebp) 0x08048c68 <+125>: jmp 0x8048c93 <phase_3+168> 0x08048c6a <+127>: movl $0x3a6,-0x8(%ebp) 0x08048c71 <+134>: jmp 0x8048c93 <phase_3+168> 0x08048c73 <+136>: movl $0x17a,-0x8(%ebp) 0x08048c7a <+143>: jmp 0x8048c93 <phase_3+168> 0x08048c7c <+145>: movl $0x1e5,-0x8(%ebp) 0x08048c83 <+152>: jmp 0x8048c93 <phase_3+168> 0x08048c85 <+154>: movl $0x16b,-0x8(%ebp) 0x08048c8c <+161>: jmp 0x8048c93 <phase_3+168> 0x08048c8e <+163>: call 0x8049626 <explode_bomb> 0x08048c93 <+168>: mov -0x10(%ebp),%eax #eax=local4=num2 0x08048c96 <+171>: cmp %eax,-0x8(%ebp) #if(num2==local2) 0x08048c99 <+174>: je 0x8048ca0 <phase_3+181> 0x08048c9b <+176>: call 0x8049626 <explode_bomb> 0x08048ca0 <+181>: leave 0x08048ca1 <+182>: ret End of assembler dump.
数组第一个元素:(gdb) x/wx 0x80499500x8049950: 0x08048c46
phase_4
//答案:10//要求:输入数的阶乘为0x375f00,即3628800Dump of assembler code for function phase_4: 0x08048cd1 <+0>: push %ebp 0x08048cd2 <+1>: mov %esp,%ebp 0x08048cd4 <+3>: sub $0x28,%esp #esp-0x28 0x08048cd7 <+6>: lea -0xc(%ebp),%eax #eax=ebp-12=&local3 0x08048cda <+9>: mov %eax,0x8(%esp) #arg3=*(esp+8)=&local3 0x08048cde <+13>: movl $0x8049970,0x4(%esp) #arg2=format string 0x08048ce6 <+21>: mov 0x8(%ebp),%eax #eax=input string 0x08048ce9 <+24>: mov %eax,(%esp) #arg1=*(esp)=input string 0x08048cec <+27>: call 0x8048868 <sscanf@plt> 0x08048cf1 <+32>: mov %eax,-0x4(%ebp) #local1=ret value 0x08048cf4 <+35>: cmpl $0x1,-0x4(%ebp) #if(local1!=1) bomb 0x08048cf8 <+39>: jne 0x8048d01 <phase_4+48> 0x08048cfa <+41>: mov -0xc(%ebp),%eax #eax=local3 = input 0x08048cfd <+44>: test %eax,%eax #if(local3>0) 0x08048cff <+46>: jg 0x8048d06 <phase_4+53> 0x08048d01 <+48>: call 0x8049626 <explode_bomb> 0x08048d06 <+53>: mov -0xc(%ebp),%eax #eax=local3 0x08048d09 <+56>: mov %eax,(%esp) #arg=local3=input 0x08048d0c <+59>: call 0x8048ca2 <func4> 0x08048d11 <+64>: mov %eax,-0x8(%ebp) #local2=ret value=input! 0x08048d14 <+67>: cmpl $0x375f00,-0x8(%ebp) #if(local2==0x375f00) 10!=0x375f00 0x08048d1b <+74>: je 0x8048d22 <phase_4+81> 0x08048d1d <+76>: call 0x8049626 <explode_bomb> 0x08048d22 <+81>: leave 0x08048d23 <+82>: ret End of assembler dump.Dump of assembler code for function func4: 0x08048ca2 <+0>: push %ebp 0x08048ca3 <+1>: mov %esp,%ebp 0x08048ca5 <+3>: sub $0x8,%esp 0x08048ca8 <+6>: cmpl $0x1,0x8(%ebp) 0x08048cac <+10>: jg 0x8048cb7 <func4+21> #if(input<1) jmp 21 0x08048cae <+12>: movl $0x1,-0x4(%ebp) #else local1=1; 0x08048cb5 <+19>: jmp 0x8048ccc <func4+42> #return local1; 0x08048cb7 <+21>: mov 0x8(%ebp),%eax #eax=input 0x08048cba <+24>: dec %eax #eax=input-1 0x08048cbb <+25>: mov %eax,(%esp) #arg1=input-1 0x08048cbe <+28>: call 0x8048ca2 <func4> #call func4 recursively 0x08048cc3 <+33>: mov %eax,%edx #edx=ret value 0x08048cc5 <+35>: imul 0x8(%ebp),%edx #edx=edx*input 0x08048cc9 <+39>: mov %edx,-0x4(%ebp) #local1=edx 0x08048ccc <+42>: mov -0x4(%ebp),%eax #eax=local1 0x08048ccf <+45>: leave 0x08048cd0 <+46>: ret End of assembler dump.
//factorial function//10!=3628800=0x375f00int func4(int input){ int local1; if(input>1) local1=input*func4(input-1); else local1=1; return local1;}
phase_5
//答案:111100//解题://phase_5中50~59取输入字符串中每个字符的低4位的ascii码值当作偏移,然后根据偏移找到int型数组(位于0x804a5c0)中对应的值//若6个字符对应的整形值相加的和等于44(phase_5+88处),则成功(gdb) disass phase_5Dump of assembler code for function phase_5: 0x08048d24 <+0>: push %ebp 0x08048d25 <+1>: mov %esp,%ebp 0x08048d27 <+3>: sub $0x18,%esp #esp-0x18 0x08048d2a <+6>: mov 0x8(%ebp),%eax #eax=input string 0x08048d2d <+9>: mov %eax,(%esp) # 0x08048d30 <+12>: call 0x8049035 <string_length> 0x08048d35 <+17>: mov %eax,-0x4(%ebp) #local1=string length 0x08048d38 <+20>: cmpl $0x6,-0x4(%ebp) 0x08048d3c <+24>: je 0x8048d43 <phase_5+31> #if(local1==6) jmp 31 0x08048d3e <+26>: call 0x8049626 <explode_bomb> #else bom6 0x08048d43 <+31>: movl $0x0,-0x8(%ebp) #local2=0 0x08048d4a <+38>: movl $0x0,-0xc(%ebp) #local3=0 0x08048d51 <+45>: jmp 0x8048d6f <phase_5+75> #loop start 0x08048d53 <+47>: mov -0xc(%ebp),%eax #eax=local3 (init=0) 0x08048d56 <+50>: add 0x8(%ebp),%eax #eax+=input string addr 0x08048d59 <+53>: movzbl (%eax),%eax #eax=first char=0x000000?? 0x08048d5c <+56>: movsbl %al,%eax #eax=0xffffff(??) 0x08048d5f <+59>: and $0xf,%eax #eax=0x0000000(?)=(lower 4 bits) 0x08048d62 <+62>: mov 0x804a5c0(,%eax,4),%eax#eax=*(0x804a5c0+4*eax) (watch *0x804a5c0 in mem) 0x08048d69 <+69>: add %eax,-0x8(%ebp) #local2+=eax; 0x08048d6c <+72>: incl -0xc(%ebp) #local3++ 0x08048d6f <+75>: cmpl $0x5,-0xc(%ebp) #local3<=5 loop; 0x08048d73 <+79>: jle 0x8048d53 <phase_5+47> 0x08048d75 <+81>: cmpl $0x2c,-0x8(%ebp) #if(loca2==44) success; else bomb; 0x08048d79 <+85>: je 0x8048d80 <phase_5+92> # 0x08048d7b <+87>: call 0x8049626 <explode_bomb> 0x08048d80 <+92>: leave 0x08048d81 <+93>: ret End of assembler dump.//整形数组(gdb) x/4wx 0x804a5c00x804a5c0 <array.2480>: 0x00000002 0x0000000a 0x00000006 0x00000001//可以看到4*0xa+2*0x2==44,偏移为2个0,4个1//在6个字符中,只要4个字符的后4位为1,2个字符后2位为0 就可以成功。。//比如0x313131313030,对应的字符串为111100
phase_6
//答案:345//解题:看到phase_6的第88行是和输入的数做比较,只要在这里设置断点直接查看edx中的值即可(gdb) disass phase_6Dump of assembler code for function phase_6: 0x08048e16 <+0>: push %ebp 0x08048e17 <+1>: mov %esp,%ebp 0x08048e19 <+3>: sub $0x18,%esp # esp-=0x18 0x08048e1c <+6>: movl $0x804a66c,-0x8(%ebp) # local2=0x804a66c 0x08048e23 <+13>: mov 0x8(%ebp),%eax # ax=input string 0x08048e26 <+16>: mov %eax,(%esp) 0x08048e29 <+19>: call 0x8048858 <atoi@plt> # eax=input number(string->int) 0x08048e2e <+24>: mov %eax,%edx # edx=input 0x08048e30 <+26>: mov -0x8(%ebp),%eax # eax=local2 0x08048e33 <+29>: mov %edx,(%eax) # *(0x804a66c)=input 0x08048e35 <+31>: mov -0x8(%ebp),%eax # eax=local2 0x08048e38 <+34>: mov %eax,(%esp) # arg=local2 0x08048e3b <+37>: call 0x8048d82 <fun6> 0x08048e40 <+42>: mov %eax,-0x8(%ebp) # local2=eax=ret value; (addr) 0x08048e43 <+45>: mov -0x8(%ebp),%eax 0x08048e46 <+48>: mov %eax,-0x4(%ebp) # local1=local2 0x08048e49 <+51>: movl $0x1,-0xc(%ebp) # local3=1 0x08048e50 <+58>: jmp 0x8048e5e <phase_6+72> #loop 0x08048e52 <+60>: mov -0x4(%ebp),%eax # eax=local1 0x08048e55 <+63>: mov 0x8(%eax),%eax # eax=*(eax+8) 0x08048e58 <+66>: mov %eax,-0x4(%ebp) # local1=eax 0x08048e5b <+69>: incl -0xc(%ebp) # local3++ 0x08048e5e <+72>: cmpl $0x5,-0xc(%ebp) # compare 5:local3 0x08048e62 <+76>: jle 0x8048e52 <phase_6+60> # if(local3<=5) loop 0x08048e64 <+78>: mov -0x4(%ebp),%eax # eax=local1 0x08048e67 <+81>: mov (%eax),%edx # edx=*(local1) 0x08048e69 <+83>: mov 0x804a66c,%eax # eax=*(0x804a66c)=input 0x08048e6e <+88>: cmp %eax,%edx # if(edx==input) 0x08048e70 <+90>: je 0x8048e77 <phase_6+97> 0x08048e72 <+92>: call 0x8049626 <explode_bomb> 0x08048e77 <+97>: leave 0x08048e78 <+98>: ret End of assembler dump.(gdb) disass 0x8048d82Dump of assembler code for function fun6: 0x08048d82 <+0>: push %ebp 0x08048d83 <+1>: mov %esp,%ebp 0x08048d85 <+3>: sub $0x10,%esp # esp-0x10 0x08048d88 <+6>: mov 0x8(%ebp),%eax # eax=arg=local2=0x804a66c 0x08048d8b <+9>: mov %eax,-0x10(%ebp) # local4=arg 0x08048d8e <+12>: mov 0x8(%ebp),%eax # 0x08048d91 <+15>: mov %eax,-0x10(%ebp) 0x08048d94 <+18>: mov 0x8(%ebp),%eax # eax=arg 0x08048d97 <+21>: mov 0x8(%eax),%eax # eax=*(arg+8)=*(0x804a66c) 0x08048d9a <+24>: mov %eax,-0xc(%ebp) # local3=eax=*(0x804a66c) 0x08048d9d <+27>: mov -0x10(%ebp),%eax # eax=local4=0x804a66c 0x08048da0 <+30>: movl $0x0,0x8(%eax) # *(0x804a66c)=0 0x08048da7 <+37>: jmp 0x8048e0b <fun6+137> #loop 0x08048da9 <+39>: mov -0x10(%ebp),%eax # eax=local4 0x08048dac <+42>: mov %eax,-0x4(%ebp) # local1=local4 0x08048daf <+45>: mov -0x10(%ebp),%eax 0x08048db2 <+48>: mov %eax,-0x8(%ebp) # local2=local4 0x08048db5 <+51>: jmp 0x8048dc6 <fun6+68> 0x08048db7 <+53>: mov -0x4(%ebp),%eax 0x08048dba <+56>: mov %eax,-0x8(%ebp) 0x08048dbd <+59>: mov -0x4(%ebp),%eax 0x08048dc0 <+62>: mov 0x8(%eax),%eax 0x08048dc3 <+65>: mov %eax,-0x4(%ebp) 0x08048dc6 <+68>: cmpl $0x0,-0x4(%ebp) 0x08048dca <+72>: je 0x8048dda <fun6+88> # if(local1==0) 0x08048dcc <+74>: mov -0x4(%ebp),%eax 0x08048dcf <+77>: mov (%eax),%edx 0x08048dd1 <+79>: mov -0xc(%ebp),%eax 0x08048dd4 <+82>: mov (%eax),%eax 0x08048dd6 <+84>: cmp %eax,%edx 0x08048dd8 <+86>: jg 0x8048db7 <fun6+53> 0x08048dda <+88>: mov -0x8(%ebp),%eax # eax=local2 0x08048ddd <+91>: cmp -0x4(%ebp),%eax # local2:local1 0x08048de0 <+94>: je 0x8048ded <fun6+107> # if(local2==local1) 0x08048de2 <+96>: mov -0x8(%ebp),%edx 0x08048de5 <+99>: mov -0xc(%ebp),%eax 0x08048de8 <+102>: mov %eax,0x8(%edx) 0x08048deb <+105>: jmp 0x8048df3 <fun6+113> 0x08048ded <+107>: mov -0xc(%ebp),%eax # eax=local3 0x08048df0 <+110>: mov %eax,-0x10(%ebp) # local4=local3 0x08048df3 <+113>: mov -0xc(%ebp),%eax # eax=local3 0x08048df6 <+116>: mov 0x8(%eax),%eax # eax=*(local3+8) 0x08048df9 <+119>: mov %eax,-0x8(%ebp) # local2=eax 0x08048dfc <+122>: mov -0xc(%ebp),%edx # edx=local3 0x08048dff <+125>: mov -0x4(%ebp),%eax # eax=local1 0x08048e02 <+128>: mov %eax,0x8(%edx) # *(local3+8)=local1 0x08048e05 <+131>: mov -0x8(%ebp),%eax # eax=local2 0x08048e08 <+134>: mov %eax,-0xc(%ebp) # local3=local2 0x08048e0b <+137>: cmpl $0x0,-0xc(%ebp) 0x08048e0f <+141>: jne 0x8048da9 <fun6+39> #if(local3!=0) jump 39; 0x08048e11 <+143>: mov -0x10(%ebp),%eax 0x08048e14 <+146>: leave 0x08048e15 <+147>: ret End of assembler dump.
0x159=345
0 0
- CSAPP Lab2--Defusing a Binary Bomb
- csapp lab2 bomb
- csapp bomb lab:csapp lab2 炸弹实验
- <csapp> bomb lab (《深入理解计算机系统》lab2)
- csapp lab2 bomb 二进制炸弹《深入理解计算机系统》
- CSAPP lab2 bomb(深入了解计算机系统 实验二)
- csapp:lab2
- csapp - lab2
- CSAPP Lab2
- CSAPP lab binary bomb 二进制炸弹
- CSAPP LAB2 BombLab
- uvalive 7635 National Bomb Defusing Squad (几何)
- 213 lab2 bomb
- CSAPP 六个重要实验 lab2
- CSAPP: bomb lab
- CSAPP Bomb Lab
- CSAPP 逆向工程试验 bomb
- CSAPP: Bomb Lab(1)
- ubuntu 下运行qtcreator
- 二叉树中从根结点到叶子结点所有路径(非递归实现)
- 使用Qt开发文本编辑器(二):标签页式文档实现
- 利用HTML5+的API实现基于MUI的文件上传
- hdu 5002
- CSAPP Lab2--Defusing a Binary Bomb
- 解释执行和编译执行的区别
- [DIV/CSS] 纯CSS制作各种图形(多图预警)
- 支付宝支付接入(安全基础 - 生成公钥、私钥)
- MBIST/paper
- Runtime(三)利用运行时来为类别添加属性
- jenkins学习第一篇
- Jsp与servlet的区别
- 2016年c#算平均分