■ Bomb Lab Overview
■ Assembly Refresher
■ Introduction to GDB
■ Unix Refresher
■ Bomb Lab Demo
Downloading Your Bomb
■ Please read the writeup. Please read the writeup. Please Read The Writeup.
■ Your bomb is unique to you. Dr. Evil has created one million billion bombs, and can distribute as many new ones as he pleases.
■ Bombs have six phases which get progressively harder (more fun to use).
■ Bombs can only run on the shark clusters. They will blow up if you attempt to run them locally.
Exploding Your Bomb
■ Blowing up your bomb notifies Autolab.
■ Dr. Evil takes 0.5 of your points each time.
■ Inputting the right string moves you to the next phase.
■ Jumping between phases detonates the bomb.
Examining Your Bomb
■ You get:
■ An executable
■ A readme
■ A heavily redacted source file
■ Source file just makes fun of you.
■ Outsmart Dr. Evil by examining the executable
x64 Assembly: Registers
■ [Register diagram from the slide not reproduced] Integer arguments are passed in, in order: %rdi (Arg 1), %rsi (Arg 2), %rdx (Arg 3), %rcx (Arg 4), %r8 (Arg 5), %r9 (Arg 6); the return value comes back in %rax.
x64 Assembly: Operands
Immediate Values
■ Start with $
■ Don't mix up decimal and hex ($10 is ten, $0x10 is sixteen)
Registers
■ Start with %
■ Can store values or addresses
Memory Locations
■ Parentheses around a register or an addressing mode
▪ 0x1c(%rax)
▪ 0x4(%rcx, %rdi, 0x1)
■ Parentheses dereference. Look up addressing modes!
x64 Assembly: Arithmetic Operations
Instruction                 Effect
mov %rbx, %rdx              rdx = rbx
add (%rdx), %r8             r8 += value at rdx
imul $3, %r8                r8 *= 3 (two-operand form; plain mul takes a single operand)
sub $1, %r8                 r8 -= 1
lea (%rdx,%rbx,2), %rdx     rdx = rdx + rbx*2
■ lea computes the address but doesn't dereference it
x64 Assembly: Comparisons
■ Comparison, cmp, compares two values
■ Result determines the next conditional jump instruction
■ cmp b,a computes a-b, test b,a computes a&b (only the condition codes are kept; the result is discarded)
■ Pay attention to operand order
cmpq %r9, %r10
jg 8675309
If %r10 > %r9 (signed compare), then jump to 8675309
x64 Assembly: Jumps
Instruction     Effect
jmp             Always jump
je / jz         Jump if eq / zero
jne / jnz       Jump if !eq / !zero
jg              Jump if greater (signed >)
jge             Jump if greater / eq (signed >=)
jl              Jump if less (signed <)
jle             Jump if less / eq (signed <=)
ja              Jump if above (unsigned >)
jae             Jump if above / equal (unsigned >=)
jb              Jump if below (unsigned <)
jbe             Jump if below / equal (unsigned <=)
js              Jump if sign bit is 1 (neg)
jns             Jump if sign bit is 0 (non-negative)
x64 Assembly: A Quick Drill
cmp $0x15213, %r12
jge deadbeef
cmp %rax, %rdi
jae 15213b
test %r8, %r8
jnz (%rsi)
■ If %r12 >= 0x15213 (signed compare), jump to 0xdeadbeef.
■ If the unsigned value of %rdi is at or above the unsigned value of %rax, jump to 0x15213b.
■ If %r8 & %r8 is not zero, i.e. %r8 is not zero, jump to the address stored in %rsi.
■ Caveat: x86 has no indirect conditional jump (an indirect jump is written jmp *(%rsi)), so read the last pair as a drill in operand syntax rather than as real code.
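The comparison and jump rules above can be checked by emulating what cmp/test leave in the condition codes and how each jump reads them. The program below is an added example written for this page, not bomb code; the function names (cmp_flags, test_flags, jcc, drill_*) are my own. It evaluates the three drill pairs and shows why the same register bits answer differently to jge and jae.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Condition codes that cmp/test leave behind in %rflags. */
struct flags { bool cf, zf, sf, of; };

/* cmp b, a (AT&T operand order): compute a - b, keep only the flags. */
static struct flags cmp_flags(uint64_t a, uint64_t b)
{
    uint64_t r = a - b;
    struct flags f;
    f.cf = a < b;                               /* unsigned borrow                         */
    f.zf = (r == 0);                            /* result is zero                          */
    f.sf = ((r >> 63) & 1) != 0;                /* result is negative                      */
    /* signed overflow: operand signs differ and the result's sign differs from a's */
    f.of = ((((a ^ b) & (a ^ r)) >> 63) & 1) != 0;
    return f;
}

/* test b, a: compute a & b, keep only the flags (CF and OF are always cleared). */
static struct flags test_flags(uint64_t a, uint64_t b)
{
    uint64_t r = a & b;
    struct flags f = { false, r == 0, ((r >> 63) & 1) != 0, false };
    return f;
}

/* Does conditional jump `cc` fire on these flags? These are the CPU's own rules. */
static bool jcc(const char *cc, struct flags f)
{
    if (!strcmp(cc, "jmp")) return true;
    if (!strcmp(cc, "je")  || !strcmp(cc, "jz"))  return f.zf;
    if (!strcmp(cc, "jne") || !strcmp(cc, "jnz")) return !f.zf;
    if (!strcmp(cc, "ja"))  return !f.cf && !f.zf;          /* unsigned >  */
    if (!strcmp(cc, "jae")) return !f.cf;                   /* unsigned >= */
    if (!strcmp(cc, "jb"))  return f.cf;                    /* unsigned <  */
    if (!strcmp(cc, "jbe")) return f.cf || f.zf;            /* unsigned <= */
    if (!strcmp(cc, "jg"))  return !f.zf && f.sf == f.of;   /* signed >    */
    if (!strcmp(cc, "jge")) return f.sf == f.of;            /* signed >=   */
    if (!strcmp(cc, "jl"))  return f.sf != f.of;            /* signed <    */
    if (!strcmp(cc, "jle")) return f.zf || f.sf != f.of;    /* signed <=   */
    if (!strcmp(cc, "js"))  return f.sf;
    if (!strcmp(cc, "jns")) return !f.sf;
    return false;   /* unknown mnemonic: treat as not taken */
}

/* The three drill pairs from the slide, one function each. */
bool drill_jge(int64_t r12)                { return jcc("jge", cmp_flags((uint64_t)r12, 0x15213)); }
bool drill_jae(uint64_t rdi, uint64_t rax) { return jcc("jae", cmp_flags(rdi, rax)); }
bool drill_jnz(uint64_t r8)                { return jcc("jnz", test_flags(r8, r8)); }

int main(void)
{
    /* Same register contents, different jump: %r12 = -1 is below 0x15213 signed
       (jge not taken) but far above it unsigned (jae taken). */
    struct flags f = cmp_flags((uint64_t)-1, 0x15213);
    printf("r12=-1: jge %d  jae %d\n", jcc("jge", f), jcc("jae", f));
    printf("drill_jge(0x15213)=%d drill_jae(7,7)=%d drill_jnz(0)=%d\n",
           drill_jge(0x15213), drill_jae(7, 7), drill_jnz(0));
    return 0;
}
```

When a phase's jump looks wrong for the values you see in gdb, check whether it is a signed (jg/jl) or unsigned (ja/jb) mnemonic before assuming you misread the operand order.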
Defusing Your Bomb
■ objdump -t bomb examines the symbol table
■ objdump -d bomb disassembles all bomb code
■ strings bomb prints all printable strings
■ gdb bomb will open up the GNU Debugger
Using gdb
■ Examine while stepping through your program
▪ registers
▪ the stack
▪ contents of program memory
▪ instruction stream
■ break
▪ Stop execution at a function name or address
▪ Breakpoints are lost when you quit gdb; set them again when you restart it
■ run
▪ Run the program with args
▪ Convenient for specifying a text file with your answers
■ disas
▪ Disassemble the current function, or a named one (disas function_name)
■ stepi / nexti
▪ Execute one instruction; stepi steps into function calls, nexti steps over them
■ info registers
▪ Print hex values in every register
■ print (/x or /d) $eax - Yes, use $
▪ Print hex or decimal contents of %eax (use $rax for the full 64 bits)
■ x $register, x 0xaddress
▪ Prints what's in memory at the address held in the register / at the given address
▪ By default, prints one word (4 bytes)
▪ Specify a format: /s, /[num][size][format]
▪ x/8a 0x15213
▪ x/4wd 0xdeadbeef
Reading Input
■ Bomb uses sscanf for reading strings
▪ Figure out what the phase expects for input
▪ Check out man sscanf for format string details
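To see what "figure out what the phase expects" means in practice, here is a phase built the way the bomb's phases are: sscanf, a check on the number of items parsed, then checks on the values, and an explode call on failure. This is an added example written for this page and not the real bomb's code; the names phase_demo and explode_bomb_demo, the "%d %d" format and the rule b == 8*a are made up here. It also doubles as a target for the gdb commands above: build it, then in gdb run break explode_bomb_demo and run answers.txt.

```c
#include <stdio.h>
#include <string.h>

/* The real bomb aborts here; we record the explosion instead so phase_demo is testable. */
static int exploded;

static void explode_bomb_demo(void)
{
    puts("BOOM!!! The bomb has blown up.");
    exploded = 1;
}

/* Returns 1 if `input` defuses the phase, 0 if it blew up. */
int phase_demo(const char *input)
{
    int a = 0, b = 0;
    exploded = 0;

    /* In a disassembly this is the call to sscanf followed by something like
       cmp $0x1,%eax ; jg ok : the phase checks how many items were parsed.
       The format string is the constant that x/s on the format argument
       (or `strings bomb`) reveals. */
    int n = sscanf(input, "%d %d", &a, &b);
    if (n < 2) {              /* "0x3 24": %d reads "0", stops at 'x', n == 1 -> explode */
        explode_bomb_demo();
        return 0;
    }
    if (b != a * 8) {         /* the phase's real rule lives in the instructions after sscanf */
        explode_bomb_demo();
        return 0;
    }
    return 1;
}

/* Did the last phase_demo call explode? */
int phase_demo_exploded(void) { return exploded; }

/* Like the bomb: read answers line by line from the file named in argv[1]
   (or stdin) and feed each line to the phase. */
int main(int argc, char **argv)
{
    FILE *in = (argc > 1) ? fopen(argv[1], "r") : stdin;
    char line[128];
    if (!in) { perror("fopen"); return 1; }
    while (fgets(line, sizeof line, in)) {
        line[strcspn(line, "\n")] = '\0';   /* strip the newline, as the bomb's line reader does */
        if (!phase_demo(line)) return 1;
        puts("Phase defused.");
    }
    return 0;
}
```

Two things the example makes visible: sscanf ignores anything after the items it was asked for, so trailing text does not explode a phase, and a hex-looking token such as 0x3 is read by %d as 0 followed by junk, which is the "don't mix up decimal and hex" point from the operands slide.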
If you get stuck
■ Please read the writeup. Please read the writeup. Please Read The Writeup.
■ CS:APP Chapter 3
■ View lecture notes and course FAQ at
http://cs.cmu.edu/~213
■ Office hours Sun – Thu 6:00-9:00PM in WeH 5207
■ man gdb, man sscanf, man objdump
Unix Refresher – This Saturday – 9/19/2015
You should know cd, ls, scp, ssh, tar, and chmod by now. Use man
Bomb Lab Demo…