CMU_CSAPP_LAB2_BOMBLAB

原創 AI_Study 2020-06-20 00:45

CSAPP第二章的第一個實驗BombLab實驗記錄。

實驗內容主要使用 gdb 、objdump 等指令在終端調試程序,利用反彙編查看各個函數運行的彙編代碼,瞭解各個函數的執行過程。

附gdb指令精簡手冊:http://csapp.cs.cmu.edu/public/students.html

Phase_1

首先打開終端輸入 gdb bomb 進入調試界面。

查看 phase_1 的彙編指令:

(gdb) disas phase_1
Dump of assembler code for function phase_1:
   0x0000000000400ee0 <+0>:	sub    $0x8,%rsp
   0x0000000000400ee4 <+4>:	mov    $0x402400,%esi
   0x0000000000400ee9 <+9>:	callq  0x401338 <strings_not_equal>
   0x0000000000400eee <+14>:	test   %eax,%eax
   0x0000000000400ef0 <+16>:	je     0x400ef7 <phase_1+23>
   0x0000000000400ef2 <+18>:	callq  0x40143a <explode_bomb>
   0x0000000000400ef7 <+23>:	add    $0x8,%rsp
   0x0000000000400efb <+27>:	retq   
End of assembler dump.

函數首先接收戶輸入的字符串,再將立即數 0x402400 輸入到寄存器 esi ,接着調用函數<string_not_equal>,很容易猜到寄存器 esi 中保存了要和用戶輸入的字符串進行比較的字符串的首地址,即立即數 0x402400 。

(gdb) x/s 0x402400
0x402400:	"Border relations with Canada have never been better."

通過地址直接查看字符串,這就是我們需要輸入的內容!

(gdb) run
Starting program: /home/liuyuan/Downloads/CSAPP/bomb/bomb 
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?

通過測試!

進一步細緻理解函數運行過程:

將函數 phase_1 設置斷點,運行程序,隨便輸入一些內容( "Nice day!" ),程序會停留在進入函數體的過程之前:

(gdb) break phase_1
Breakpoint 1 at 0x400ee0
(gdb) run
Starting program: /home/liuyuan/Downloads/CSAPP/bomb/bomb 
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Nice day!

Breakpoint 1, 0x0000000000400ee0 in phase_1 ()

此時查看各個寄存器的數據:

(gdb) info registers
rax            0x603780	6305664
rbx            0x0	0
rcx            0x9	9
rdx            0x1	1
rsi            0x603780	6305664
rdi            0x603780	6305664
rbp            0x402210	0x402210 <__libc_csu_init>
rsp            0x7fffffffdd98	0x7fffffffdd98
r8             0x60467a	6309498
r9             0x7ffff7fe5540	140737354028352
r10            0x3	3
r11            0x7ffff7a14890	140737347930256
r12            0x400c90	4197520
r13            0x7fffffffde80	140737488346752
r14            0x0	0
r15            0x0	0
rip            0x400ee0	0x400ee0 <phase_1>
eflags         0x202	[ IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

這是並沒有出現 0x402400 。猜測剛剛輸入的數據保存地址爲 0x603780:

(gdb) x/s 0x603780
0x603780 <input_strings>:	"Nice day!"

回到前面的彙編指令,第二條指令將立即數 0x402400 移到寄存器 esi,讓程序執行兩條彙編指令,再查看寄存器的狀態:

(gdb) stepi 2
0x0000000000400ee9 in phase_1 ()
(gdb) i r
rax            0x603780	6305664
rbx            0x0	0
rcx            0x9	9
rdx            0x1	1
rsi            0x402400	4203520
rdi            0x603780	6305664
rbp            0x402210	0x402210 <__libc_csu_init>
rsp            0x7fffffffdd90	0x7fffffffdd90
r8             0x60467a	6309498
r9             0x7ffff7fe5540	140737354028352
r10            0x3	3
r11            0x7ffff7a14890	140737347930256
r12            0x400c90	4197520
r13            0x7fffffffde80	140737488346752
r14            0x0	0
r15            0x0	0
rip            0x400ee9	0x400ee9 <phase_1+9>
eflags         0x206	[ PF IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

看到寄存器 esi (即 rsi 的低 32 位)被更新了!

Phase_2

首先查看 Phase_2 的彙編代碼:

(gdb) disas phase_2
Dump of assembler code for function phase_2:
=> 0x0000000000400efc <+0>:	push   %rbp
   0x0000000000400efd <+1>:	push   %rbx
   0x0000000000400efe <+2>:	sub    $0x28,%rsp
   0x0000000000400f02 <+6>:	mov    %rsp,%rsi
   0x0000000000400f05 <+9>:	callq  0x40145c <read_six_numbers>
   0x0000000000400f0a <+14>:	cmpl   $0x1,(%rsp)
   0x0000000000400f0e <+18>:	je     0x400f30 <phase_2+52>
   0x0000000000400f10 <+20>:	callq  0x40143a <explode_bomb>
   0x0000000000400f15 <+25>:	jmp    0x400f30 <phase_2+52>
   0x0000000000400f17 <+27>:	mov    -0x4(%rbx),%eax
   0x0000000000400f1a <+30>:	add    %eax,%eax
   0x0000000000400f1c <+32>:	cmp    %eax,(%rbx)
   0x0000000000400f1e <+34>:	je     0x400f25 <phase_2+41>
   0x0000000000400f20 <+36>:	callq  0x40143a <explode_bomb>
   0x0000000000400f25 <+41>:	add    $0x4,%rbx
   0x0000000000400f29 <+45>:	cmp    %rbp,%rbx
   0x0000000000400f2c <+48>:	jne    0x400f17 <phase_2+27>
   0x0000000000400f2e <+50>:	jmp    0x400f3c <phase_2+64>
   0x0000000000400f30 <+52>:	lea    0x4(%rsp),%rbx
   0x0000000000400f35 <+57>:	lea    0x18(%rsp),%rbp
   0x0000000000400f3a <+62>:	jmp    0x400f17 <phase_2+27>
   0x0000000000400f3c <+64>:	add    $0x28,%rsp
   0x0000000000400f40 <+68>:	pop    %rbx
   0x0000000000400f41 <+69>:	pop    %rbp
   0x0000000000400f42 <+70>:	retq   
End of assembler dump.

函數基本棧幀處理後,調用了一個名爲 <read_six_numbers> 的函數,顧名思義,應該是讀取六個數字,我們也可以反彙編這個函數的機器指令,查看其彙編指令:

(gdb) disas 0x40145c
Dump of assembler code for function read_six_numbers:
   0x000000000040145c <+0>:	sub    $0x18,%rsp
   0x0000000000401460 <+4>:	mov    %rsi,%rdx
   0x0000000000401463 <+7>:	lea    0x4(%rsi),%rcx
   0x0000000000401467 <+11>:	lea    0x14(%rsi),%rax
   0x000000000040146b <+15>:	mov    %rax,0x8(%rsp)
   0x0000000000401470 <+20>:	lea    0x10(%rsi),%rax
   0x0000000000401474 <+24>:	mov    %rax,(%rsp)
   0x0000000000401478 <+28>:	lea    0xc(%rsi),%r9
   0x000000000040147c <+32>:	lea    0x8(%rsi),%r8
   0x0000000000401480 <+36>:	mov    $0x4025c3,%esi
   0x0000000000401485 <+41>:	mov    $0x0,%eax
   0x000000000040148a <+46>:	callq  0x400bf0 <__isoc99_sscanf@plt>
   0x000000000040148f <+51>:	cmp    $0x5,%eax
   0x0000000000401492 <+54>:	jg     0x401499 <read_six_numbers+61>
   0x0000000000401494 <+56>:	callq  0x40143a <explode_bomb>
   0x0000000000401499 <+61>:	add    $0x18,%rsp
   0x000000000040149d <+65>:	retq   
End of assembler dump.

這裏是涉及到調用庫函數 scanf 時的一些參數配置,筆者也看不太明白,嘗試查看了一下調用 scanf 之前配置的寄存器 esi 的立即尋址的內容:

(gdb) x/s 0x4025c3
0x4025c3:	"%d %d %d %d %d %d"

可以看出是逐位讀取六個數字。觀察寄存器 rsp 在 <read_six_numbers> 中的操作,又注意到返回 phase_2 後的第一個指令 cmpl   $0x1,(%rsp) ,猜測 rsp 就是指向我們輸入的六個數字的第一個數字,六個數字是順序保存在程序棧當中的。

我們驗證一下:在進入指令 cmpl   $0x1,(%rsp) 之前設置斷點,查看寄存器 rsp 保存的內存地址數據。

(gdb) break *0x0000000000400f0a
Breakpoint 1 at 0x400f0a
(gdb) run
Starting program: /home/liuyuan/Downloads/CSAPP/bomb/bomb 
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 3 4 5 6

Breakpoint 1, 0x0000000000400f0a in phase_2 ()
(gdb) i r
rax            0x6	6
rbx            0x0	0
rcx            0x0	0
rdx            0x7fffffffdd74	140737488346484
rsi            0x0	0
rdi            0x7fffffffd6d0	140737488344784
rbp            0x402210	0x402210 <__libc_csu_init>
rsp            0x7fffffffdd60	0x7fffffffdd60
r8             0x0	0
r9             0x0	0
r10            0x7ffff7b82cc0	140737349430464
r11            0x4025d4	4203988
r12            0x400c90	4197520
r13            0x7fffffffde80	140737488346752
r14            0x0	0
r15            0x0	0
rip            0x400f0a	0x400f0a <phase_2+14>
eflags         0x202	[ IF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0

查看 0x7fffffffdd60 地址的內存單元保存的 int 型數據,並查看相鄰的五個數據(int 型爲 32 位,每次偏移 8 字節):

(gdb) x/d 0x7fffffffdd60
0x7fffffffdd60:	1
(gdb) x/d 0x7fffffffdd64
0x7fffffffdd64:	2
(gdb) x/d 0x7fffffffdd68
0x7fffffffdd68:	3
(gdb) x/d 0x7fffffffdd6c
0x7fffffffdd6c:	4
(gdb) x/d 0x7fffffffdd70
0x7fffffffdd70:	5
(gdb) x/d 0x7fffffffdd74
0x7fffffffdd74:	6

和預期一致!接着讀 phase_2 的彙編指令,很容易讀出,第一位數必須是 1 ,每一位數(除了第一位)必須是相鄰的前一位數的 2 倍,所以我們需要輸出的是 1 2 4 8 16 32。

(gdb) run
Starting program: /home/liuyuan/Downloads/CSAPP/bomb/bomb 
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!

完成!

Phase_3

還是先找到彙編代碼:

(gdb) disas phase_3
Dump of assembler code for function phase_3:
   0x0000000000400f43 <+0>:	sub    $0x18,%rsp
   0x0000000000400f47 <+4>:	lea    0xc(%rsp),%rcx
   0x0000000000400f4c <+9>:	lea    0x8(%rsp),%rdx
   0x0000000000400f51 <+14>:	mov    $0x4025cf,%esi
   0x0000000000400f56 <+19>:	mov    $0x0,%eax
   0x0000000000400f5b <+24>:	callq  0x400bf0 <__isoc99_sscanf@plt>
   0x0000000000400f60 <+29>:	cmp    $0x1,%eax
   0x0000000000400f63 <+32>:	jg     0x400f6a <phase_3+39>
   0x0000000000400f65 <+34>:	callq  0x40143a <explode_bomb>
   0x0000000000400f6a <+39>:	cmpl   $0x7,0x8(%rsp)
   0x0000000000400f6f <+44>:	ja     0x400fad <phase_3+106>
   0x0000000000400f71 <+46>:	mov    0x8(%rsp),%eax
   0x0000000000400f75 <+50>:	jmpq   *0x402470(,%rax,8)
   0x0000000000400f7c <+57>:	mov    $0xcf,%eax
   0x0000000000400f81 <+62>:	jmp    0x400fbe <phase_3+123>
   0x0000000000400f83 <+64>:	mov    $0x2c3,%eax
   0x0000000000400f88 <+69>:	jmp    0x400fbe <phase_3+123>
   0x0000000000400f8a <+71>:	mov    $0x100,%eax
   0x0000000000400f8f <+76>:	jmp    0x400fbe <phase_3+123>
   0x0000000000400f91 <+78>:	mov    $0x185,%eax
   0x0000000000400f96 <+83>:	jmp    0x400fbe <phase_3+123>
   0x0000000000400f98 <+85>:	mov    $0xce,%eax
   0x0000000000400f9d <+90>:	jmp    0x400fbe <phase_3+123>
   0x0000000000400f9f <+92>:	mov    $0x2aa,%eax
   0x0000000000400fa4 <+97>:	jmp    0x400fbe <phase_3+123>
   0x0000000000400fa6 <+99>:	mov    $0x147,%eax
---Type <return> to continue, or q <return> to quit---<return>
   0x0000000000400fab <+104>:	jmp    0x400fbe <phase_3+123>
   0x0000000000400fad <+106>:	callq  0x40143a <explode_bomb>
   0x0000000000400fb2 <+111>:	mov    $0x0,%eax
   0x0000000000400fb7 <+116>:	jmp    0x400fbe <phase_3+123>
   0x0000000000400fb9 <+118>:	mov    $0x137,%eax
   0x0000000000400fbe <+123>:	cmp    0xc(%rsp),%eax
   0x0000000000400fc2 <+127>:	je     0x400fc9 <phase_3+134>
   0x0000000000400fc4 <+129>:	callq  0x40143a <explode_bomb>
   0x0000000000400fc9 <+134>:	add    $0x18,%rsp
   0x0000000000400fcd <+138>:	retq   
End of assembler dump.

類似之前的方法,先查看調用 scanf 之前配置寄存器 esi 的立即尋址的內容:

(gdb) x/s 0x4025cf
0x4025cf:	"%d %d"

那麼這個函數就是需要讀取兩個整數了,保存的方式應該也是相同的,可以通過 rsp 做偏址尋址找到,我們嘗試一下,斷點依舊設置在剛剛結束調用 scanf 函數的位置,輸入 1 2 兩個數,情況如下:

(gdb) x/d 0x7fffffffdd80
0x7fffffffdd80:	0
(gdb) x/d 0x7fffffffdd84
0x7fffffffdd84:	0
(gdb) x/d 0x7fffffffdd88
0x7fffffffdd88:	1
(gdb) x/d 0x7fffffffdd8c
0x7fffffffdd8c:	2

第一個數值就是 rsp 保存的內存地址,進一步比較,可以歸納出調用 scanf 函數的參數情況:一個計數器(eax),一個指定讀取數據格式的字符串(esi),以及指定各個數據存儲在棧幀當中的地址(用多個寄存器表示)。

繼續閱讀彙編代碼,可以看到要求輸入的第一個數字 x1 <= 7(無符號比較),即 0 <= x1 <=7。然後經過一個根據 x1 的值進行跳轉的指令,類似於 C 語言當中的 switch 指令,我們逐個測試一下跳轉地址:

That's number 2.  Keep going!
0 0

Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f7c in phase_3 ()

eax = 0xcf

That's number 2.  Keep going!
1 0

Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400fb9 in phase_3 ()

eax = 0x137

That's number 2.  Keep going!
2 0

Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f83 in phase_3 ()

 eax = 0x2c3

That's number 2.  Keep going!
3 0

Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f8a in phase_3 ()

eax = 0x100

That's number 2.  Keep going!
4 0

Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f91 in phase_3 ()

eax = 0x185

That's number 2.  Keep going!
5 0

Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f98 in phase_3 ()

eax = 0xce

That's number 2.  Keep going!
6 0

Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f9f in phase_3 ()

eax = 0x2aa

That's number 2.  Keep going!
7 0

Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400fa6 in phase_3 ()

eax = 0x147

這裏有 8 個答案,選取第一個,x1 = 0,x2 = 0xcf = 207,輸入:

(gdb) run
Starting program: /home/liuyuan/Downloads/CSAPP/bomb/bomb 
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
0 207
Halfway there!

完成!這裏筆者曾嘗試利用指令 jmpq   *0x402470(,%rax,8) ,通過尋址方式計算,得不到結果,最後還是利用逐步調試的方法觀察程序的走向,得到了正確的答案。

Plase_4

(gdb) disas phase_4
Dump of assembler code for function phase_4:
   0x000000000040100c <+0>:	sub    $0x18,%rsp
   0x0000000000401010 <+4>:	lea    0xc(%rsp),%rcx
   0x0000000000401015 <+9>:	lea    0x8(%rsp),%rdx
   0x000000000040101a <+14>:	mov    $0x4025cf,%esi
   0x000000000040101f <+19>:	mov    $0x0,%eax
   0x0000000000401024 <+24>:	callq  0x400bf0 <__isoc99_sscanf@plt>
   0x0000000000401029 <+29>:	cmp    $0x2,%eax
   0x000000000040102c <+32>:	jne    0x401035 <phase_4+41>
   0x000000000040102e <+34>:	cmpl   $0xe,0x8(%rsp)
   0x0000000000401033 <+39>:	jbe    0x40103a <phase_4+46>
   0x0000000000401035 <+41>:	callq  0x40143a <explode_bomb>
   0x000000000040103a <+46>:	mov    $0xe,%edx
   0x000000000040103f <+51>:	mov    $0x0,%esi
   0x0000000000401044 <+56>:	mov    0x8(%rsp),%edi
   0x0000000000401048 <+60>:	callq  0x400fce <func4>
   0x000000000040104d <+65>:	test   %eax,%eax
   0x000000000040104f <+67>:	jne    0x401058 <phase_4+76>
   0x0000000000401051 <+69>:	cmpl   $0x0,0xc(%rsp)
   0x0000000000401056 <+74>:	je     0x40105d <phase_4+81>
   0x0000000000401058 <+76>:	callq  0x40143a <explode_bomb>
   0x000000000040105d <+81>:	add    $0x18,%rsp
   0x0000000000401061 <+85>:	retq   
End of assembler dump.

經過前面幾個實驗,讀這段彙編程序應該很輕鬆了,翻譯過來就是輸入兩個整數 x1 、x2,要求 0 <= x1 <= 14,x2 = 0。之後是三個參數 edx = 14, esi = 0,edi = x1 穿給一個函數<func4>,要求返回的一個值必須爲 0。我們可以查看一下函數<func4>的彙編代碼:

(gdb) disas 0x400fce
Dump of assembler code for function func4:
   0x0000000000400fce <+0>:	sub    $0x8,%rsp
   0x0000000000400fd2 <+4>:	mov    %edx,%eax
   0x0000000000400fd4 <+6>:	sub    %esi,%eax
   0x0000000000400fd6 <+8>:	mov    %eax,%ecx
   0x0000000000400fd8 <+10>:	shr    $0x1f,%ecx
   0x0000000000400fdb <+13>:	add    %ecx,%eax
   0x0000000000400fdd <+15>:	sar    %eax
   0x0000000000400fdf <+17>:	lea    (%rax,%rsi,1),%ecx
   0x0000000000400fe2 <+20>:	cmp    %edi,%ecx
   0x0000000000400fe4 <+22>:	jle    0x400ff2 <func4+36>
   0x0000000000400fe6 <+24>:	lea    -0x1(%rcx),%edx
   0x0000000000400fe9 <+27>:	callq  0x400fce <func4>
   0x0000000000400fee <+32>:	add    %eax,%eax
   0x0000000000400ff0 <+34>:	jmp    0x401007 <func4+57>
   0x0000000000400ff2 <+36>:	mov    $0x0,%eax
   0x0000000000400ff7 <+41>:	cmp    %edi,%ecx
   0x0000000000400ff9 <+43>:	jge    0x401007 <func4+57>
   0x0000000000400ffb <+45>:	lea    0x1(%rcx),%esi
   0x0000000000400ffe <+48>:	callq  0x400fce <func4>
   0x0000000000401003 <+53>:	lea    0x1(%rax,%rax,1),%eax
   0x0000000000401007 <+57>:	add    $0x8,%rsp
   0x000000000040100b <+61>:	retq   
End of assembler dump.

這段代碼我懶得看了,有了前面的經驗,我覺得這個實驗的目的不是精讀彙編,而是利用容易得到的信息結合調試的方法得到結果,直接把這段函數當做黑盒,測試一下即可,這裏就不貼過程了,注意好斷點就行,直接上結果:

1 0
So you got that one.  Try this one.

Phase_5

(gdb) disas phase_5
Dump of assembler code for function phase_5:
   0x0000000000401062 <+0>:	push   %rbx
   0x0000000000401063 <+1>:	sub    $0x20,%rsp
   0x0000000000401067 <+5>:	mov    %rdi,%rbx
   0x000000000040106a <+8>:	mov    %fs:0x28,%rax
   0x0000000000401073 <+17>:	mov    %rax,0x18(%rsp)
   0x0000000000401078 <+22>:	xor    %eax,%eax
   0x000000000040107a <+24>:	callq  0x40131b <string_length>
   0x000000000040107f <+29>:	cmp    $0x6,%eax
   0x0000000000401082 <+32>:	je     0x4010d2 <phase_5+112>
   0x0000000000401084 <+34>:	callq  0x40143a <explode_bomb>
   0x0000000000401089 <+39>:	jmp    0x4010d2 <phase_5+112>
   0x000000000040108b <+41>:	movzbl (%rbx,%rax,1),%ecx
   0x000000000040108f <+45>:	mov    %cl,(%rsp)
   0x0000000000401092 <+48>:	mov    (%rsp),%rdx
   0x0000000000401096 <+52>:	and    $0xf,%edx
   0x0000000000401099 <+55>:	movzbl 0x4024b0(%rdx),%edx
   0x00000000004010a0 <+62>:	mov    %dl,0x10(%rsp,%rax,1)
   0x00000000004010a4 <+66>:	add    $0x1,%rax
   0x00000000004010a8 <+70>:	cmp    $0x6,%rax
   0x00000000004010ac <+74>:	jne    0x40108b <phase_5+41>
   0x00000000004010ae <+76>:	movb   $0x0,0x16(%rsp)
   0x00000000004010b3 <+81>:	mov    $0x40245e,%esi
   0x00000000004010b8 <+86>:	lea    0x10(%rsp),%rdi
   0x00000000004010bd <+91>:	callq  0x401338 <strings_not_equal>
   0x00000000004010c2 <+96>:	test   %eax,%eax
   0x00000000004010c4 <+98>:	je     0x4010d9 <phase_5+119>
---Type <return> to continue, or q <return> to quit---return
   0x00000000004010c6 <+100>:	callq  0x40143a <explode_bomb>
   0x00000000004010cb <+105>:	nopl   0x0(%rax,%rax,1)
   0x00000000004010d0 <+110>:	jmp    0x4010d9 <phase_5+119>
   0x00000000004010d2 <+112>:	mov    $0x0,%eax
   0x00000000004010d7 <+117>:	jmp    0x40108b <phase_5+41>
   0x00000000004010d9 <+119>:	mov    0x18(%rsp),%rax
   0x00000000004010de <+124>:	xor    %fs:0x28,%rax
   0x00000000004010e7 <+133>:	je     0x4010ee <phase_5+140>
   0x00000000004010e9 <+135>:	callq  0x400b30 <__stack_chk_fail@plt>
   0x00000000004010ee <+140>:	add    $0x20,%rsp
   0x00000000004010f2 <+144>:	pop    %rbx
   0x00000000004010f3 <+145>:	retq   
End of assembler dump.

分析:首先由 24 和 29 ,猜測是輸入一個長度爲 6 的字符串;然後將 eax 置 0,跳轉到 41 到 74 的循環,循環了 6 次進棧操作,然後進入 76 到 98 ,補上字符串尾部的 '\0' ,判斷前面依次得到的 6 個字符組成的字符串是否與 0x40245e 上保存的字符串相同,相同則通過。

首先看看我們最終要得到的字符串是什麼:

(gdb) x/s 0x40245e
0x40245e:	"flyers"

再仔細分析 6 個字符的壓棧過程(進入之前 eax 已置 0):

   0x000000000040108b <+41>:	movzbl (%rbx,%rax,1),%ecx
   0x000000000040108f <+45>:	mov    %cl,(%rsp)
   0x0000000000401092 <+48>:	mov    (%rsp),%rdx
   0x0000000000401096 <+52>:	and    $0xf,%edx
   0x0000000000401099 <+55>:	movzbl 0x4024b0(%rdx),%edx
   0x00000000004010a0 <+62>:	mov    %dl,0x10(%rsp,%rax,1)
   0x00000000004010a4 <+66>:	add    $0x1,%rax
   0x00000000004010a8 <+70>:	cmp    $0x6,%rax
   0x00000000004010ac <+74>:	jne    0x40108b <phase_5+41>

分析:rax 其實就是一個計數器,每完成一個字符的進棧就 +1,直至等於 6;rbx 存放的是我們輸入的 6 個字符組成的字符串的首地址,rax 在這裏又作爲索引,依次取其中一個字符,傳給 rcx ,又傳給 rdx ;rdx 截取其中的低 4 位,又作爲索引,找到 0x4024b0 保存的字符串的相應位置的字符,寫入棧中 0x10(%rsp) 到 0x15(%rsp) 的位置上。

那麼我們看看0x4024b0 保存的字符串是什麼:

(gdb) x/s 0x4024b0
0x4024b0 <array.3449>:	"maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"

對應 "flyers" 的索引分別是 +9、+15、+14、+5、+6、+7。二進制數分別爲 1001、 1111、 1110 、0101、 0110、 0111,將高 4 位都置爲 0110 ,組成的 ascii 碼代表字母分別爲:i o n e f g,即爲我們要輸入的字符串:

ionefg
Good work!  On to the next...

Phase_6

這段彙編代碼是真的長,分段貼:

(gdb) disas phase_6
Dump of assembler code for function phase_6:
   0x00000000004010f4 <+0>:	push   %r14
   0x00000000004010f6 <+2>:	push   %r13
   0x00000000004010f8 <+4>:	push   %r12
   0x00000000004010fa <+6>:	push   %rbp
   0x00000000004010fb <+7>:	push   %rbx
   0x00000000004010fc <+8>:	sub    $0x50,%rsp
   0x0000000000401100 <+12>:	mov    %rsp,%r13
   0x0000000000401103 <+15>:	mov    %rsp,%rsi
   0x0000000000401106 <+18>:	callq  0x40145c <read_six_numbers>

這裏對一些寄存器做了數據保存,然後是輸入 6 個整數,和第二個實驗調用的函數相同。

   0x000000000040110b <+23>:	mov    %rsp,%r14
   0x000000000040110e <+26>:	mov    $0x0,%r12d
   0x0000000000401114 <+32>:	mov    %r13,%rbp
   0x0000000000401117 <+35>:	mov    0x0(%r13),%eax
   0x000000000040111b <+39>:	sub    $0x1,%eax
   0x000000000040111e <+42>:	cmp    $0x5,%eax
   0x0000000000401121 <+45>:	jbe    0x401128 <phase_6+52>
   0x0000000000401123 <+47>:	callq  0x40143a <explode_bomb>
   0x0000000000401128 <+52>:	add    $0x1,%r12d
   0x000000000040112c <+56>:	cmp    $0x6,%r12d
   0x0000000000401130 <+60>:	je     0x401153 <phase_6+95>
   0x0000000000401132 <+62>:	mov    %r12d,%ebx
   0x0000000000401135 <+65>:	movslq %ebx,%rax
   0x0000000000401138 <+68>:	mov    (%rsp,%rax,4),%eax
   0x000000000040113b <+71>:	cmp    %eax,0x0(%rbp)
   0x000000000040113e <+74>:	jne    0x401145 <phase_6+81>
   0x0000000000401140 <+76>:	callq  0x40143a <explode_bomb>
---Type <return> to continue, or q <return> to quit---continue
   0x0000000000401145 <+81>:	add    $0x1,%ebx
   0x0000000000401148 <+84>:	cmp    $0x5,%ebx
   0x000000000040114b <+87>:	jle    0x401135 <phase_6+65>
   0x000000000040114d <+89>:	add    $0x4,%r13
   0x0000000000401151 <+93>:	jmp    0x401114 <phase_6+32>

簡單說就是要求輸入的 6 個整數都大於 0 且小於等於 6,並且 6 個數彼此互不相等。

   0x0000000000401158 <+100>:	mov    %r14,%rax
   0x000000000040115b <+103>:	mov    $0x7,%ecx
   0x0000000000401160 <+108>:	mov    %ecx,%edx
   0x0000000000401162 <+110>:	sub    (%rax),%edx
   0x0000000000401164 <+112>:	mov    %edx,(%rax)
   0x0000000000401166 <+114>:	add    $0x4,%rax
   0x000000000040116a <+118>:	cmp    %rsi,%rax
   0x000000000040116d <+121>:	jne    0x401160 <phase_6+108>

將原來的 6 個整數分別用 7 減並替換,如原來是 3 則替換爲 4。

   0x000000000040116f <+123>:	mov    $0x0,%esi
   0x0000000000401174 <+128>:	jmp    0x401197 <phase_6+163>
   0x0000000000401176 <+130>:	mov    0x8(%rdx),%rdx
   0x000000000040117a <+134>:	add    $0x1,%eax
   0x000000000040117d <+137>:	cmp    %ecx,%eax
   0x000000000040117f <+139>:	jne    0x401176 <phase_6+130>
   0x0000000000401181 <+141>:	jmp    0x401188 <phase_6+148>
   0x0000000000401183 <+143>:	mov    $0x6032d0,%edx
   0x0000000000401188 <+148>:	mov    %rdx,0x20(%rsp,%rsi,2)
   0x000000000040118d <+153>:	add    $0x4,%rsi
   0x0000000000401191 <+157>:	cmp    $0x18,%rsi
   0x0000000000401195 <+161>:	je     0x4011ab <phase_6+183>
   0x0000000000401197 <+163>:	mov    (%rsp,%rsi,1),%ecx
---Type <return> to continue, or q <return> to quit---continue
   0x000000000040119a <+166>:	cmp    $0x1,%ecx
   0x000000000040119d <+169>:	jle    0x401183 <phase_6+143>
   0x000000000040119f <+171>:	mov    $0x1,%eax
   0x00000000004011a4 <+176>:	mov    $0x6032d0,%edx
   0x00000000004011a9 <+181>:	jmp    0x401176 <phase_6+130>

這一段是創建了一個鏈表,直接查看其中立即數直接賦值的地址:

(gdb) x/24w 0x6032d0
0x6032d0 <node1>:	0x0000014c	0x00000001	0x006032e0	0x00000000
0x6032e0 <node2>:	0x000000a8	0x00000002	0x006032f0	0x00000000
0x6032f0 <node3>:	0x0000039c	0x00000003	0x00603300	0x00000000
0x603300 <node4>:	0x000002b3	0x00000004	0x00603310	0x00000000
0x603310 <node5>:	0x000001dd	0x00000005	0x00603320	0x00000000
0x603320 <node6>:	0x000001bb	0x00000006	0x00000000	0x00000000

 接着往下看:

   0x00000000004011ab <+183>:	mov    0x20(%rsp),%rbx
   0x00000000004011b0 <+188>:	lea    0x28(%rsp),%rax
   0x00000000004011b5 <+193>:	lea    0x50(%rsp),%rsi
   0x00000000004011ba <+198>:	mov    %rbx,%rcx
   0x00000000004011bd <+201>:	mov    (%rax),%rdx
   0x00000000004011c0 <+204>:	mov    %rdx,0x8(%rcx)
   0x00000000004011c4 <+208>:	add    $0x8,%rax
   0x00000000004011c8 <+212>:	cmp    %rsi,%rax
   0x00000000004011cb <+215>:	je     0x4011d2 <phase_6+222>
   0x00000000004011cd <+217>:	mov    %rdx,%rcx
   0x00000000004011d0 <+220>:	jmp    0x4011bd <phase_6+201>
   0x00000000004011d2 <+222>:	movq   $0x0,0x8(%rdx)
   0x00000000004011da <+230>:	mov    $0x5,%ebp
   0x00000000004011df <+235>:	mov    0x8(%rbx),%rax
   0x00000000004011e3 <+239>:	mov    (%rax),%eax
   0x00000000004011e5 <+241>:	cmp    %eax,(%rbx)
   0x00000000004011e7 <+243>:	jge    0x4011ee <phase_6+250>
   0x00000000004011e9 <+245>:	callq  0x40143a <explode_bomb>
   0x00000000004011ee <+250>:	mov    0x8(%rbx),%rbx
   0x00000000004011f2 <+254>:	sub    $0x1,%ebp
   0x00000000004011f5 <+257>:	jne    0x4011df <phase_6+235>

配置鏈表各個節點的 next 域,將各個節點關聯起來,並將鏈表按照數值部分降序排序,根據第一列的數值降序排序重組鏈表順序,得到的第二值順序是 3 4 5 6 1 2 :

(gdb) x/24w 0x6032d0
0x6032d0 <node1>:	0x0000014c	0x00000001	0x006032e0	0x00000000
0x6032e0 <node2>:	0x000000a8	0x00000002	0x00000000	0x00000000
0x6032f0 <node3>:	0x0000039c	0x00000003	0x00603300	0x00000000
0x603300 <node4>:	0x000002b3	0x00000004	0x00603310	0x00000000
0x603310 <node5>:	0x000001dd	0x00000005	0x00603320	0x00000000
0x603320 <node6>:	0x000001bb	0x00000006	0x006032d0	0x00000000

即我們要輸入的值爲 4 3 2 1 6 5:

4 3 2 1 6 5
Congratulations! You've defused the bomb!

完成,還有隱藏任務,這裏就先不做了。

發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章

CMU_CSAPP_LAB3_ATTACKLAB

本實驗要仔細閱讀對應的 write up ,上面給了大量的提示信息,主要是介紹兩種攻擊方式,分兩部分,第一部分的方式對於現代計算機已經基本無效了,第二部分的方式過程比較繁雜,不過原理還是很容易理解的。實驗的主要目的還是熟悉計算機的程序控制

AI_Study 2020-06-20 01:51:41

哈工大劉宏偉《計算機組成原理》課程框架總結

哈工大劉宏偉老師的《計算機組成原理》採用自頂向下方法,系統介紹了計算機各個基本部件的體系結構、邏輯實現、控制方式。(一定數電基礎是必要的,如果瞭解彙編更有助於理解部分內容) B站鏈接計算機組成原理——哈工大劉宏偉(B站) 慕課鏈接(上)計

AI_Study 2020-06-20 01:51:41