Lecture 12 Lab – Bomb Lab Hints
  1. Lecture 12 Lab – Bomb Lab Hints
     CSCE 212 Computer Architecture
     Topics
     • Bomb hints
     • Y86-64 implementation
     • Stages: Fetch, Decode, Execute, Memory, Write results
     March 8, 2018

  2. Examining string arguments
     • The first argument to a function (for a phase, the input line returned by read_line) is passed in %rdi, so at the entry of a phase:
       (gdb) x /s $rdi

  3. objdump -d bomb > bomb.assembler
     …
     400e36: e8 57 05 00 00    callq  401392 <initialize_bomb>
     400e3b: bf 28 23 40 00    mov    $0x402328,%edi
     400e40: e8 fb fc ff ff    callq  400b40 <puts@plt>
     400e45: bf 68 23 40 00    mov    $0x402368,%edi
     400e4a: e8 f1 fc ff ff    callq  400b40 <puts@plt>
     400e4f: e8 3a 06 00 00    callq  40148e <read_line>
     400e54: 48 89 c7          mov    %rax,%rdi
     400e57: e8 a4 00 00 00    callq  400f00 <phase_1>
     400e5c: e8 53 07 00 00    callq  4015b4 <phase_defused>
     400e61: bf 98 23 40 00    mov    $0x402398,%edi
     400e66: e8 d5 fc ff ff    callq  400b40 <puts@plt>
     400e6b: e8 1e 06 00 00    callq  40148e <read_line>
     400e70: 48 89 c7          mov    %rax,%rdi
     400e73: e8 a4 00 00 00    callq  400f1c <phase_2>
     400e78: e8 37 07 00 00    callq  4015b4 <phase_defused>
     400e7d: bf dd 22 40 00    mov    $0x4022dd,%edi
     …

  4. phase_1
     0000000000400f00 <phase_1>:
     400f00: 48 83 ec 08       sub    $0x8,%rsp
     400f04: be ec 23 40 00    mov    $0x4023ec,%esi
     400f09: e8 1a 04 00 00    callq  401328 <strings_not_equal>
     400f0e: 85 c0             test   %eax,%eax
     400f10: 74 05             je     400f17 <phase_1+0x17>
     400f12: e8 13 05 00 00    callq  40142a <explode_bomb>
     400f17: 48 83 c4 08       add    $0x8,%rsp
     400f1b: c3                retq

  5. phase_2
     0000000000400f1c <phase_2>:
     400f1c: 55                push   %rbp
     400f1d: 53                push   %rbx
     400f1e: 48 83 ec 28       sub    $0x28,%rsp
     400f22: 48 89 e6          mov    %rsp,%rsi
     400f25: e8 22 05 00 00    callq  40144c <read_six_numbers>
     400f2a: 83 3c 24 01       cmpl   $0x1,(%rsp)
     400f2e: 74 20             je     400f50 <phase_2+0x34>
     400f30: e8 f5 04 00 00    callq  40142a <explode_bomb>
     400f35: eb 19             jmp    400f50 <phase_2+0x34>
     400f37: 8b 43 fc          mov    -0x4(%rbx),%eax
     400f3a: 01 c0             add    %eax,%eax
     400f3c: 39 03             cmp    %eax,(%rbx)
     400f3e: 74 05             je     400f45 <phase_2+0x29>
     400f40: e8 e5 04 00 00    callq  40142a <explode_bomb>

  6. 400f45: 48 83 c3 04       add    $0x4,%rbx
     400f49: 48 39 eb          cmp    %rbp,%rbx
     400f4c: 75 e9             jne    400f37 <phase_2+0x1b>
     400f4e: eb 0c             jmp    400f5c <phase_2+0x40>
     400f50: 48 8d 5c 24 04    lea    0x4(%rsp),%rbx
     400f55: 48 8d 6c 24 18    lea    0x18(%rsp),%rbp
     400f5a: eb db             jmp    400f37 <phase_2+0x1b>
     400f5c: 48 83 c4 28       add    $0x28,%rsp
     400f60: 5b                pop    %rbx
     400f61: 5d                pop    %rbp
     400f62: c3                retq

  7. phase_3
     0000000000400f63 <phase_3>:
     400f63: 48 83 ec 18             sub    $0x18,%rsp
     400f67: 48 8d 4c 24 0c          lea    0xc(%rsp),%rcx
     400f6c: 48 8d 54 24 08          lea    0x8(%rsp),%rdx
     400f71: be b7 25 40 00          mov    $0x4025b7,%esi
     400f76: b8 00 00 00 00          mov    $0x0,%eax
     400f7b: e8 b0 fc ff ff          callq  400c30 <__isoc99_sscanf@plt>
     400f80: 83 f8 01                cmp    $0x1,%eax
     400f83: 7f 05                   jg     400f8a <phase_3+0x27>
     400f85: e8 a0 04 00 00          callq  40142a <explode_bomb>
     400f8a: 83 7c 24 08 07          cmpl   $0x7,0x8(%rsp)
     400f8f: 77 66                   ja     400ff7 <phase_3+0x94>
     400f91: 8b 44 24 08             mov    0x8(%rsp),%eax
     400f95: ff 24 c5 00 24 40 00    jmpq   *0x402400(,%rax,8)

  8. Notes on Assembly
     • <__isoc99_sscanf@plt>: see man sscanf. The @plt symbol is the lazy-binding stub that jumps through the GOT into libc, so step over the callq with ni rather than si.
     • cmp $0x1,%eax: like sub $0x1,%eax (eax - 0x1) except the result is not stored; it only sets the flags.
     • test is similar except the operation is an AND (again only the flags are set).
     • jg 400f8a <phase_3+0x27>: jumps if %eax > 0x1 as a signed comparison (jg reads ZF, SF and OF; ja is the unsigned counterpart and reads CF and ZF).

  9. phase_3, page 2
     400f8a: 83 7c 24 08 07          cmpl   $0x7,0x8(%rsp)
     400f8f: 77 66                   ja     400ff7 <phase_3+0x94>
     400f91: 8b 44 24 08             mov    0x8(%rsp),%eax
     400f95: ff 24 c5 00 24 40 00    jmpq   *0x402400(,%rax,8)     JUMP TABLE
     400f9c: b8 00 00 00 00          mov    $0x0,%eax
     400fa1: eb 05                   jmp    400fa8 <phase_3+0x45>
     400fa3: b8 f5 00 00 00          mov    $0xf5,%eax
     400fa8: 2d b3 00 00 00          sub    $0xb3,%eax
     400fad: eb 05                   jmp    400fb4 <phase_3+0x51>
     400faf: b8 00 00 00 00          mov    $0x0,%eax
     400fb4: 05 dc 01 00 00          add    $0x1dc,%eax
     400fb9: eb 05                   jmp    400fc0 <phase_3+0x5d>
     400fbb: b8 00 00 00 00          mov    $0x0,%eax
     400fc0: 2d 15 02 00 00          sub    $0x215,%eax
     400fc5: eb 05                   jmp    400fcc <phase_3+0x69>

 10. 400fc7: b8 00 00 00 00          mov    $0x0,%eax
     400fcc: 05 15 02 00 00          add    $0x215,%eax
     400fd1: eb 05                   jmp    400fd8 <phase_3+0x75>
     400fd3: b8 00 00 00 00          mov    $0x0,%eax
     400fd8: 2d 15 02 00 00          sub    $0x215,%eax
     400fdd: eb 05                   jmp    400fe4 <phase_3+0x81>
     400fdf: b8 00 00 00 00          mov    $0x0,%eax
     400fe4: 05 15 02 00 00          add    $0x215,%eax
     400fe9: eb 05                   jmp    400ff0 <phase_3+0x8d>
     400feb: b8 00 00 00 00          mov    $0x0,%eax
     400ff0: 2d 15 02 00 00          sub    $0x215,%eax
     400ff5: eb 0a                   jmp    401001 <phase_3+0x9e>
     400ff7: e8 2e 04 00 00          callq  40142a <explode_bomb>
     400ffc: b8 00 00 00 00          mov    $0x0,%eax
     401001: 83 7c 24 08 05          cmpl   $0x5,0x8(%rsp)
     401006: 7f 06                   jg     40100e <phase_3+0xab>
     401008: 3b 44 24 0c             cmp    0xc(%rsp),%eax
     40100c: 74 05                   je     401013 <phase_3+0xb0>
     40100e: e8 17 04 00 00          callq  40142a <explode_bomb>
     401013: 48 83 c4 18             add    $0x18,%rsp
     401017: c3                      retq
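Added example, not from the slides: the phase_2 and phase_3 listings above rewritten as C, which is the usual way to confirm a reading of the disassembly before feeding anything to the bomb. The function names and the nread parameter are mine; phase_3_chain models the fall-through from whichever jump-table entry is selected (the mov $0x0 at 0x400ffc sits after the non-returning explode_bomb call and is never reached). Each checker returns 1 when that phase would not explode.

```c
/* Reconstruction of phase_2 and phase_3 from the objdump listings on this
 * page. This is an added example, not the lab's source code. */
#include <stdio.h>

/* phase_2: read_six_numbers fills n[0..5] at (%rsp). (%rsp) must be 1, and
 * the loop at 400f37..400f4c walks %rbx from 0x4(%rsp) to 0x18(%rsp),
 * requiring each element to equal twice the one before it. */
int phase_2_ok(const int n[6])
{
    if (n[0] != 1)                  /* cmpl $0x1,(%rsp); je ... else explode */
        return 0;
    for (int i = 1; i < 6; i++) {   /* mov -0x4(%rbx),%eax; add %eax,%eax; cmp %eax,(%rbx) */
        if (n[i] != n[i - 1] * 2)
            return 0;
    }
    return 1;
}

/* phase_3: jmpq *0x402400(,%rax,8) enters the add/sub chain at one of eight
 * points; from there every block falls through (via jmp) to the next
 * operation until 0x401001. Each case below is one table entry. */
int phase_3_chain(unsigned a)
{
    int eax = 0;
    switch (a) {
    case 0: eax = 0xf5;      /* 400fa3 */
            /* fall through */
    case 1: eax -= 0xb3;     /* 400fa8 (entry 400f9c set eax = 0 first) */
            /* fall through */
    case 2: eax += 0x1dc;    /* 400fb4 (entry 400faf) */
            /* fall through */
    case 3: eax -= 0x215;    /* 400fc0 (entry 400fbb) */
            /* fall through */
    case 4: eax += 0x215;    /* 400fcc (entry 400fc7) */
            /* fall through */
    case 5: eax -= 0x215;    /* 400fd8 (entry 400fd3) */
            /* fall through */
    case 6: eax += 0x215;    /* 400fe4 (entry 400fdf) */
            /* fall through */
    case 7: eax -= 0x215;    /* 400ff0 (entry 400feb) */
            break;
    default: break;          /* not reachable: the ja at 400f8f already exploded */
    }
    return eax;
}

/* nread is sscanf's return value; a is 0x8(%rsp) (first %d), b is 0xc(%rsp). */
int phase_3_ok(int nread, int a, int b)
{
    if (nread <= 1)                 /* cmp $0x1,%eax; jg */
        return 0;
    if ((unsigned)a > 7)            /* cmpl $0x7,0x8(%rsp); ja: unsigned, so negatives explode too */
        return 0;
    int eax = phase_3_chain((unsigned)a);
    if (a > 5)                      /* cmpl $0x5,0x8(%rsp); jg */
        return 0;
    return eax == b;                /* cmp 0xc(%rsp),%eax; je */
}

int main(void)
{
    int seq[6] = {1, 2, 4, 8, 16, 32};
    printf("phase_2 '1 2 4 8 16 32': %s\n", phase_2_ok(seq) ? "defused" : "BOOM");
    /* Only first numbers 0..5 survive the second range check. */
    for (int a = 0; a <= 5; a++)
        printf("phase_3 candidate: %d %d\n", a, phase_3_chain((unsigned)a));
    return 0;
}
```

With input 3 the chain yields -533, which is the value the gdb trace on the following slides shows in %eax at the final compare.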

 11. Start up and run to phase_3
     (gdb) b phase_3
     Breakpoint 1 at 0x400f63
     (gdb) display /i $rip
     (gdb) r sol.txt
     Starting program: /acct/matthews/Courses/212H/Labs/bomb sol.txt
     Welcome to my fiendish little bomb. You have 6 phases with
     which to blow yourself up. Have a nice day!
     Phase 1 defused. How about the next one?
     That's number 2. Keep going!
     MyStringInputToPhase3.
     Breakpoint 1, 0x0000000000400f63 in phase_3 ()
     1: x /i $rip
     => 0x400f63 <phase_3>:  sub    $0x18,%rsp

 12. (gdb) si
     0x0000000000400f7b in phase_3 ()
     => 0x400f7b <phase_3+24>:  callq  0x400c30 <__isoc99_sscanf@plt>
     (gdb) si
     0x0000000000400c30 in __isoc99_sscanf@plt ()
     => 0x400c30 <__isoc99_sscanf@plt>:  jmpq   *0x202472(%rip)   # 0x6030a8 <__isoc99_sscanf@got.plt>
     (gdb) x /s $rdi
     0x603840 <input_strings+160>:  "MyString."
     (gdb) x /s $rsi
     0x4025b7:  "%d %d"          // format string

 13. Restart and enter two integers
     (gdb) r sol.txt
     The program being debugged has been started already.
     Start it from the beginning? (y or n) y
     Starting program: /acct/matthews/Courses/212H/Labs/bomb sol.txt
     Welcome to my fiendish little bomb. You have 6 phases with
     which to blow yourself up. Have a nice day!
     Phase 1 defused. How about the next one?
     That's number 2. Keep going!
     1 2
     Breakpoint 1, 0x0000000000400f63 in phase_3 ()
     1: x/i $rip
     => 0x400f63 <phase_3>:  sub    $0x18,%rsp
     (gdb)

 14. (gdb) x /20i $rip
     => 0x400f63 <phase_3>:      sub    $0x18,%rsp
        0x400f67 <phase_3+4>:    lea    0xc(%rsp),%rcx
        0x400f6c <phase_3+9>:    lea    0x8(%rsp),%rdx
        0x400f71 <phase_3+14>:   mov    $0x4025b7,%esi
        0x400f76 <phase_3+19>:   mov    $0x0,%eax
        0x400f7b <phase_3+24>:   callq  0x400c30 <__isoc99_sscanf@plt>
        0x400f80 <phase_3+29>:   cmp    $0x1,%eax     // %eax = sscanf's return value = number of items converted (2 here)
        0x400f83 <phase_3+32>:   jg     0x400f8a <phase_3+39>
        0x400f85 <phase_3+34>:   callq  0x40142a <explode_bomb>
        0x400f8a <phase_3+39>:   cmpl   $0x7,0x8(%rsp)
        0x400f8f <phase_3+44>:   ja     0x400ff7 <phase_3+148>
        0x400f91 <phase_3+46>:   mov    0x8(%rsp),%eax
        0x400f95 <phase_3+50>:   jmpq   *0x402400(,%rax,8)
     Use si to single-step up to the callq, then ni at the call so you step over sscanf instead of into it.

 15. gdb bomb – examine the jump table
     (gdb) x /8gx 0x402400
     0x402400:  0x0000000000400fa3  0x0000000000400f9c
     0x402410:  0x0000000000400faf  0x0000000000400fbb
     0x402420:  0x0000000000400fc7  0x0000000000400fd3
     0x402430:  0x0000000000400fdf  0x0000000000400feb
     (gdb)
        0x400f8a <phase_3+39>:   cmpl   $0x7,0x8(%rsp)
        0x400f8f <phase_3+44>:   ja     0x400ff7 <phase_3+148>
        0x400f91 <phase_3+46>:   mov    0x8(%rsp),%eax
        0x400f95 <phase_3+50>:   jmpq   *0x402400(,%rax,8)
     Find out where we jump! Entry %rax of the table (8 bytes each) is the target address.

 16. phase_3, page 2 (annotated with the table index that lands on each entry)
     400f8a: 83 7c 24 08 07          cmpl   $0x7,0x8(%rsp)
     400f8f: 77 66                   ja     400ff7 <phase_3+0x94>
     400f91: 8b 44 24 08             mov    0x8(%rsp),%eax
     400f95: ff 24 c5 00 24 40 00    jmpq   *0x402400(,%rax,8)     JUMP TABLE
     400f9c: b8 00 00 00 00          mov    $0x0,%eax              # eax = 1
     400fa1: eb 05                   jmp    400fa8 <phase_3+0x45>
     400fa3: b8 f5 00 00 00          mov    $0xf5,%eax             # eax = 0
     400fa8: 2d b3 00 00 00          sub    $0xb3,%eax
     400fad: eb 05                   jmp    400fb4 <phase_3+0x51>
     400faf: b8 00 00 00 00          mov    $0x0,%eax              # eax = 2
     400fb4: 05 dc 01 00 00          add    $0x1dc,%eax
     400fb9: eb 05                   jmp    400fc0 <phase_3+0x5d>
     400fbb: b8 00 00 00 00          mov    $0x0,%eax              # eax = 3
     400fc0: 2d 15 02 00 00          sub    $0x215,%eax
     400fc5: eb 05                   jmp    400fcc <phase_3+0x69>

 17. 400fc7: b8 00 00 00 00          mov    $0x0,%eax
     400fcc: 05 15 02 00 00          add    $0x215,%eax
     400fd1: eb 05                   jmp    400fd8 <phase_3+0x75>
     400fd3: b8 00 00 00 00          mov    $0x0,%eax
     400fd8: 2d 15 02 00 00          sub    $0x215,%eax
     400fdd: eb 05                   jmp    400fe4 <phase_3+0x81>
     400fdf: b8 00 00 00 00          mov    $0x0,%eax
     400fe4: 05 15 02 00 00          add    $0x215,%eax
     400fe9: eb 05                   jmp    400ff0 <phase_3+0x8d>
     400feb: b8 00 00 00 00          mov    $0x0,%eax
     400ff0: 2d 15 02 00 00          sub    $0x215,%eax
     400ff5: eb 0a                   jmp    401001 <phase_3+0x9e>
     400ff7: e8 2e 04 00 00          callq  40142a <explode_bomb>
     400ffc: b8 00 00 00 00          mov    $0x0,%eax
     401001: 83 7c 24 08 05          cmpl   $0x5,0x8(%rsp)
     401006: 7f 06                   jg     40100e <phase_3+0xab>
     401008: 3b 44 24 0c             cmp    0xc(%rsp),%eax
     40100c: 74 05                   je     401013 <phase_3+0xb0>
     40100e: e8 17 04 00 00          callq  40142a <explode_bomb>
     401013: 48 83 c4 18             add    $0x18,%rsp
     401017: c3                      retq

 18. (gdb) r sol.txt
     …
     Phase 1 defused. How about the next one?
     That's number 2. Keep going!
     3 4
     Breakpoint 1, 0x0000000000400f63 in phase_3 ()
     1: x/i $rip
     (gdb) ni 5
     => 0x400f7b <phase_3+24>:  callq  0x400c30 <__isoc99_sscanf@plt>
     (gdb) ni
     => 0x400f80 <phase_3+29>:  cmp    $0x1,%eax
     (gdb) p $eax
     $2 = 2
     (gdb) x /6wd $rsp
     0x7fffffffe930:  -5576    32767   3   4
     0x7fffffffe940:  4197584  0
     (gdb) p $rsp
     $3 = (void *) 0x7fffffffe930
     (gdb)
     The first %d landed at 0x8(%rsp) (the 3) and the second at 0xc(%rsp) (the 4), matching the lea instructions that set up %rdx and %rcx.

 19. => 0x400f91 <phase_3+46>:   mov    0x8(%rsp),%eax
     (gdb) si
     2: /d $eax = 3
     => 0x400f95 <phase_3+50>:   jmpq   *0x402400(,%rax,8)
     => 0x400fbb <phase_3+88>:   mov    $0x0,%eax
     => 0x400fc0 <phase_3+93>:   sub    $0x215,%eax
     2: /d $eax = -533
     => 0x400fc5 <phase_3+98>:   jmp    0x400fcc <phase_3+105>
     => 0x400fcc <phase_3+105>:  add    $0x215,%eax
     => 0x400fd1 <phase_3+110>:  jmp    0x400fd8 <phase_3+117>

 20. => 0x400fd8 <phase_3+117>:  sub    $0x215,%eax
     2: /d $eax = -533
     => 0x400fdd <phase_3+122>:  jmp    0x400fe4 <phase_3+129>
     => 0x400fe4 <phase_3+129>:  add    $0x215,%eax
     => 0x400fe9 <phase_3+134>:  jmp    0x400ff0 <phase_3+141>
     => 0x400ff0 <phase_3+141>:  sub    $0x215,%eax
     => 0x400ff5 <phase_3+146>:  jmp    0x401001 <phase_3+158>
        0x401001 <phase_3+158>:  cmpl   $0x5,0x8(%rsp)
     => 0x401006 <phase_3+163>:  jg     0x40100e <phase_3+171>
     => 0x401008 <phase_3+165>:  cmp    0xc(%rsp),%eax
     => 0x40100c <phase_3+169>:  je     0x401013 <phase_3+176>
     (gdb)

 21. => 0x401006 <phase_3+163>:  jg     0x40100e <phase_3+171>
     (gdb) si
     0x0000000000401008 in phase_3 ()
     2: /d $eax = -533
     1: x/i $rip
     => 0x401008 <phase_3+165>:  cmp    0xc(%rsp),%eax
     (gdb) ni
     0x000000000040100c in phase_3 ()
     2: /d $eax = -533
     1: x/i $rip
     => 0x40100c <phase_3+169>:  je     0x401013 <phase_3+176>
     (gdb) ni
     0x0000000000401013 in phase_3 ()
     2: /d $eax = -533
     1: x/i $rip
     => 0x401013 <phase_3+176>:  add    $0x18,%rsp
     (gdb) ni
     => 0x401017 <phase_3+180>:  retq

 22. phase_4
     (gdb) x /30i $rip
     => 0x401050 <phase_4>:      sub    $0x18,%rsp
        0x401054 <phase_4+4>:    lea    0x8(%rsp),%rcx
        0x401059 <phase_4+9>:    lea    0xc(%rsp),%rdx
        0x40105e <phase_4+14>:   mov    $0x4025b7,%esi
        0x401063 <phase_4+19>:   mov    $0x0,%eax
        0x401068 <phase_4+24>:   callq  0x400c30 <__isoc99_sscanf@plt>
        0x40106d <phase_4+29>:   cmp    $0x2,%eax
        0x401070 <phase_4+32>:   jne    0x40107e <phase_4+46>
        0x401072 <phase_4+34>:   mov    0x8(%rsp),%eax
        0x401076 <phase_4+38>:   sub    $0x2,%eax
        0x401079 <phase_4+41>:   cmp    $0x2,%eax
        0x40107c <phase_4+44>:   jbe    0x401083 <phase_4+51>
        0x40107e <phase_4+46>:   callq  0x40142a <explode_bomb>
        0x401083 <phase_4+51>:   mov    0x8(%rsp),%esi
        0x401087 <phase_4+55>:   mov    $0x9,%edi
        0x40108c <phase_4+60>:   callq  0x401018 <func4>
        0x401091 <phase_4+65>:   cmp    0xc(%rsp),%eax
        0x401095 <phase_4+69>:   je     0x40109c <phase_4+76>
        0x401097 <phase_4+71>:   callq  0x40142a <explode_bomb>
        0x40109c <phase_4+76>:   add    $0x18,%rsp
        0x4010a0 <phase_4+80>:   retq
        0x4010a1 <phase_5>:      sub    $0x18,%rsp
        0x4010a5 <phase_5+4>:    lea    0xc(%rsp),%rcx

 23. (gdb) b phase_4
     (gdb) r sol.txt
     …
     (gdb) x /s $rdi
     0x603890 <input_strings+240>:  " 4 6"
     (gdb) x /s 0x4025b7
     …
     0x4025b7:  "%d %d"
     (gdb) ni 10
     BOOM!!! The bomb has blown up.

 24. phase_5
        0x4010a1 <phase_5>:      sub    $0x18,%rsp
        0x4010a5 <phase_5+4>:    lea    0xc(%rsp),%rcx
        0x4010aa <phase_5+9>:    lea    0x8(%rsp),%rdx
        0x4010af <phase_5+14>:   mov    $0x4025b7,%esi
        0x4010b4 <phase_5+19>:   mov    $0x0,%eax
        0x4010b9 <phase_5+24>:   callq  0x400c30 <__isoc99_sscanf@plt>
        0x4010be <phase_5+29>:   cmp    $0x1,%eax
        0x4010c1 <phase_5+32>:   jg     0x4010c8 <phase_5+39>
        0x4010c3 <phase_5+34>:   callq  0x40142a <explode_bomb>
        0x4010c8 <phase_5+39>:   mov    0x8(%rsp),%eax
        0x4010cc <phase_5+43>:   and    $0xf,%eax
        0x4010cf <phase_5+46>:   mov    %eax,0x8(%rsp)
        0x4010d3 <phase_5+50>:   cmp    $0xf,%eax
        0x4010d6 <phase_5+53>:   je     0x401104 <phase_5+99>
        0x4010d8 <phase_5+55>:   mov    $0x0,%ecx
        0x4010dd <phase_5+60>:   mov    $0x0,%edx
        0x4010e2 <phase_5+65>:   add    $0x1,%edx
        0x4010e5 <phase_5+68>:   cltq
        0x4010e7 <phase_5+70>:   mov    0x402440(,%rax,4),%eax
        0x4010ee <phase_5+77>:   add    %eax,%ecx
        0x4010f0 <phase_5+79>:   cmp    $0xf,%eax
        0x4010f3 <phase_5+82>:   jne    0x4010e2 <phase_5+65>
        0x4010f5 <phase_5+84>:   mov    %eax,0x8(%rsp)
        0x4010f9 <phase_5+88>:   cmp    $0xf,%edx
        0x4010fc <phase_5+91>:   jne    0x401104 <phase_5+99>
        0x4010fe <phase_5+93>:   cmp    0xc(%rsp),%ecx
        0x401102 <phase_5+97>:   je     0x401109 <phase_5+104>
        0x401104 <phase_5+99>:   callq  0x40142a <explode_bomb>
        0x401109 <phase_5+104>:  add    $0x18,%rsp

 25. Google "x86-64 cltq"
     • cltq sign-extends %eax into %rax (a quadword); it is needed before the 4-byte table index in 0x402440(,%rax,4) because only the low 32 bits were just written.
     Google "x86-64 test"
     • https://en.wikipedia.org/wiki/TEST_(x86_instruction)
     • The TEST operation sets the flags CF and OF to zero.
     • The SF is set to the most significant bit of the result of the AND.
     • If the result is 0, the ZF is set to 1, otherwise set to 0.
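Added example, not from the slides: a small C model of the flag-setting and branch rules quoted on slides 8 and 25, applied to the two compares on this page where the signed/unsigned distinction decides whether the bomb explodes. cmpl $0x7,0x8(%rsp) followed by ja in phase_3 is an unsigned compare, so a negative first number is treated as a huge index and explodes instead of reading off the end of the jump table; sub $0x2,%eax; cmp $0x2,%eax; jbe in phase_4 is an unsigned range check that passes only when the second number is 2, 3 or 4. The struct and function names are mine.

```c
/* Model of x86-64 32-bit cmp/test flag behaviour and the conditional jumps
 * used on this page. Added example; not part of the lab or the slides. */
#include <stdint.h>
#include <stdbool.h>

struct flags { bool cf, zf, sf, of; };

/* cmp src, dst (AT&T order) computes dst - src, keeps only the flags. */
struct flags x86_cmp32(uint32_t dst, uint32_t src)
{
    uint32_t res = dst - src;
    struct flags f;
    f.cf = dst < src;                    /* borrow out of bit 31: dst below src unsigned */
    f.zf = (res == 0);
    f.sf = (res >> 31) & 1;              /* sign bit of the result */
    /* signed overflow: operands differ in sign and result sign differs from dst */
    f.of = (((dst ^ src) & (dst ^ res)) >> 31) & 1;
    return f;
}

/* test src, dst ANDs the operands: CF and OF cleared, ZF/SF from the AND. */
struct flags x86_test32(uint32_t dst, uint32_t src)
{
    uint32_t res = dst & src;
    struct flags f = { false, res == 0, (res >> 31) & 1, false };
    return f;
}

/* Branch predicates as the manual defines them. */
bool je (struct flags f) { return f.zf; }
bool jne(struct flags f) { return !f.zf; }
bool jg (struct flags f) { return !f.zf && f.sf == f.of; }   /* signed greater */
bool ja (struct flags f) { return !f.cf && !f.zf; }          /* unsigned above */
bool jbe(struct flags f) { return f.cf || f.zf; }            /* unsigned below or equal */

/* phase_3, 0x400f8a: cmpl $0x7,0x8(%rsp); ja explode_bomb.
 * Returns true when the first number makes the bomb explode here. */
bool phase3_index_explodes(int32_t a)
{
    return ja(x86_cmp32((uint32_t)a, 7));
}

/* phase_4, 0x401076: sub $0x2,%eax; cmp $0x2,%eax; jbe ok.
 * Returns true when the second number passes the range check. */
bool phase4_range_ok(int32_t x)
{
    uint32_t eax = (uint32_t)x - 2;      /* sub wraps; its flags are overwritten by cmp */
    return jbe(x86_cmp32(eax, 2));
}

/* phase_3, 0x400f80: cmp $0x1,%eax; jg -- true when sscanf converted > 1 item. */
bool phase3_enough_items(int32_t nread)
{
    return jg(x86_cmp32((uint32_t)nread, 1));
}
```

The same inputs fed to jg instead of ja show the difference: -1 is not greater than 7 as a signed value, but as 0xffffffff it is above 7, which is why the listing's ja catches it.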
