Andrew login ID: Full Name:
15-213/18-243, Fall 2010 Exam 1 – Version A
Tuesday, September 28, 2010
Instructions:
Copyright By PowCoder代写 加微信 powcoder
• Make sure that your exam is not missing any sheets, then write your Andrew login ID, full name, and section on the front.
• This exam is closed book, closed notes, although you may use a single 8 1/2 x 11 sheet of paper with your own notes. You may not use any electronic devices.
• Write your answers in the space provided below the problem. If you make a mess, clearly indicate your final answer.
• The exam has a maximum score of 60 points.
• The problems are of varying difficulty. The point value of each problem is indicated. Good luck!
TOTAL (60):
Page 1 of 13
Problem 1. (10 points):
General systems concepts. Write the correct answer for each question in the following table:
1. Consider the following code, what is the output of the printf?
int x = 0x15213F10 >> 4;
char y = (char) x;
unsigned char z = (unsigned char) x; printf(“%d, %u”, y, z);
(a) -241, 15 (b) -15, 241 (c) -241, 241 (d) -15, 15
2. Intwo’scompliment,whatis−TMin?
(a) Tmin (b) Tmax (c) 0
3. Letintx=−31/8andinty=−31>>3.Whatarethevaluesofxandy?
(a) x=−3,y=−3 (b) x=−4,y=−4 (c) x=−3,y=−4 (d) x=−4,y=−3
4. In C, the expression ”15213U > −1” evaluates to: (a) True (1)
(b) False (0)
5. In two’s compliment, what is the minimum number of bits needed to represent the numbers -1 and the number 1 respectively?
(a) 1 and 2 (b) 2 and 2 (c) 2 and 1 (d) 1 and 1
Page 2 of 13
6. Consider the following program. Assuming the user correctly types an integer into stdin, what will the program output in the end?
#include
int x = 0;
printf(“Please input an integer:”); scanf(“%d”,x);
printf(“%d”, (!!x)<<31);
(c) Depends on the integer read from stdin (d) Segmentation fault
7. By default, on Intel x86, the stack
(a) Is located at the bottom of memory.
(b) Grows down towards smaller addresses (c) Grows up towards larger addresses
(d) Is located in the heap
8. Which of the following registers stores the return value of functions in Intel x86 64?
(a) %rax (b) %rcx (c) %rdx (d) %rip (e) %cr3
9. The leave instruction is effectively the same as which of the following:
(a) mov %ebp, %esp pop %ebp
(b) pop %eip
(c) mov %esp, %ebp pop %esp
10. Arguments to a function, in Intel IA32 assembly, are passed via
(a) The stack
(b) Registers
(c) Physical memory
(d) The.textsection
(e) A combination of the stack and registers.
Page 3 of 13
11. A buffer overflow attack can only be executed against programs that use the gets function. (a) True
12. Intel x86 64 systems are
(a) Little endian
(b) Big endian
(c) Have no endianess
(d) Depend on the operating system
13. Please fill in the return value for the following function calls on both an Intel IA32 and Intel x86 64 system:
sizeof(char) sizeof(int) sizeof(void *) sizeof(int *)
Intel IA32 Intel x86 64
14. Select the two’s complement negation of the following binary value: 0000101101:
(a) 1111010011 (b) 1111010010 (c) 1000101101 (d) 1111011011
15. Which line of C-code will perform the same operation as leal 0x10(%rax,%rcx,4),%rax?
(a) rax = 16 + rax + 4*rcx
(b) rax = *(16 + rax + 4*rcx) (c) rax = 16 + *(rax + 4*rcx) (d) *(16 + rcx + 4*rax) = rax (e) rax = 16 + 4*rax + rcx
16. WhichlineofIntelx86-64assemblywillperformthesameoperationasrcx=((int*)rax)[rcx]?
(a) mov (%rax,%rcx,4),%rcx (b) lea (%rax,%rcx,4),%rcx (c) lea (%rax,4,%rcx),%rcx (d) mov (%rax,4,%rcx),%rcx
17. Ifaisoftype(int)andbisoftype(unsignedint),then(a
long blinky(struct ms_pacman *ptr){ return ptr->connector->
transistor.vacuum_tube[1];
int pinky(struct ms_pacman *ptr){ return ptr->resistor;
int clyde(struct ms_pacman *ptr){ return *(ptr->transistor.mosfet);
In the following table, next to the name of each x86-64 code block, write the name of the C function that it implements.
mov 0x8(%rdi), %rax retq
lea 0x8(%rdi), %rax retq
mov 0x4(%rdi), %eax retq
mov 0x18(%rdi),%rax mov 0x10(%rax),%rax retq
Code Block
Function Name
Page 9 of 13
Problem 6. (10 points):
Switch statement encoding. Consider the following C code and assembly code for a strange but simple function:
int lol(int a, int b) {
switch(a) {
40045c
40045c: lea
400462: cmp
400465: ja
400467: mov
400469: jmpq
400470: lea
400473: lea
400476: retq
400477: mov
40047c: mov
40047e: imul
400481: retq
400482: mov
400484: sub
400486: retq
400487: add
40048a: lea
40048d: retq
-0xd2(%rdi),%eax
40048a
*0x400590(,%rax,8)
(%rsi,%rsi,2),%eax
(%rsi,%rax,4),%eax
$0x4743,%esi
-0x9(%rsi),%eax
case 210: b*=13;
b = 18243;
return b; }
Using the available information, fill in the jump table below. (Feel free to omit leading zeros.) Also, for each case in the switch block which should have a break, write break on the corresponding blank line.
Hint: 0xd2 = 210 and 0x4743 = 18243.
0x400590: ________________ 0x4005a0: ________________ 0x4005b0: ________________ 0x4005c0: ________________ 0x4005d0: ________________
0x400598: ________________ 0x4005a8: ________________ 0x4005b8: ________________ 0x4005c8: ________________
0x4005d8: ________________
Page 10 of 13
Problem 7. (14 points):
Stack discipline. This problem concerns the following C code, compiled on a 32-bit machine:
void foo(char * str, int a) {
int buf[2];
a = a; /* Keep GCC happy */ strcpy((char *) buf, str);
The base pointer for the stack frame of caller() is: 0xffffd3e8
void caller() {
foo(‘‘0123456’’, 0xdeadbeef);
Here is the corresponding machine code on a 32-bit Linux/x86 machine:
080483c8
080483c8
080483c9
080483cb
080483ce
080483d1
080483d4
080483e2
mov %esp,%ebp
sub $0x18,%esp
lea -0x8(%ebp),%edx
mov 0x8(%ebp),%eax
mov %eax,0x4(%esp)
mov %edx,(%esp)
call 0x80482c0
mov %esp,%ebp
sub $0x8,%esp
movl $0xdeadbeef,0x4(%esp) movl $0x80484d0,(%esp) call 0x80483c8
Page 11 of 13
This problem tests your understanding of the stack discipline and byte ordering. Here are some notes to help you work the problem:
• strcpy(char *dst, char *src) copies the string at address src (including the terminating ’\0’ character) to address dst.
• Keep endianness in mind.
• You will need to know the hex values of the following characters:
Now consider what happens on a Linux/x86 machine when caller calls foo.
A. Stack Concepts:
a) Briefly describe the difference between the x86 instructions call and jmp.
b) Why doesn’t ret take an address to return to, like jmp takes an address to jump to?
B. Justbeforefoocallsstrcpy,whatintegerx,ifany,canyouguaranteethatbuf[x]==a?
C. At what memory address is the string “0123456” stored (before it is strcpy’d)?
We encourage you to use this space to draw pictures:
’0’ ’1’ ’2’ ’3’
’4’ ’5’ ’6’ ’\0’
Page 12 of 13
D. Just after strcpy returns to foo, fill in the following with hex values: buf[0] = 0x_____ _____ _____ _____
buf[1] = 0x_____ _____ _____ _____
buf[2] = 0x_____ _____ _____ _____
buf[3] = 0x_____ _____ _____ _____ buf[4] = 0x_____ _____ _____ _____
E. Immediately before the call to strcpy, what is the the value at %ebp (not what is %ebp)?
F. Immediately before foo’s ret call, what is the value at %esp (what’s on the top of the stack)?
G. Will a function that calls caller() segfault or notice any stack corruption? Explain.
Page 13 of 13
程序代写 CS代考 加微信: powcoder QQ: 1823890830 Email: powcoder@163.com