Lecture 12 Lab – Bomb Lab Hints
CSCE 212 Computer Architecture
March 8, 2018

Topics
• Bomb hints
• Y86-64 implementation
• Stages
  • Fetch
  • Decode
  • Execute
  • Memory
  • Write results
Examining string arguments
• x /s $rdi
objdump -d bomb > bomb.assembler

…
  400e36:  e8 57 05 00 00     callq  401392 <initialize_bomb>
  400e3b:  bf 28 23 40 00     mov    $0x402328,%edi
  400e40:  e8 fb fc ff ff     callq  400b40 <puts@plt>
  400e45:  bf 68 23 40 00     mov    $0x402368,%edi
  400e4a:  e8 f1 fc ff ff     callq  400b40 <puts@plt>
  400e4f:  e8 3a 06 00 00     callq  40148e <read_line>
  400e54:  48 89 c7           mov    %rax,%rdi
  400e57:  e8 a4 00 00 00     callq  400f00 <phase_1>
  400e5c:  e8 53 07 00 00     callq  4015b4 <phase_defused>
  400e61:  bf 98 23 40 00     mov    $0x402398,%edi
  400e66:  e8 d5 fc ff ff     callq  400b40 <puts@plt>
  400e6b:  e8 1e 06 00 00     callq  40148e <read_line>
  400e70:  48 89 c7           mov    %rax,%rdi
  400e73:  e8 a4 00 00 00     callq  400f1c <phase_2>
  400e78:  e8 37 07 00 00     callq  4015b4 <phase_defused>
  400e7d:  bf dd 22 40 00     mov    $0x4022dd,%edi
…
Phase_1

0000000000400f00 <phase_1>:
  400f00:  48 83 ec 08        sub    $0x8,%rsp
  400f04:  be ec 23 40 00     mov    $0x4023ec,%esi
  400f09:  e8 1a 04 00 00     callq  401328 <strings_not_equal>
  400f0e:  85 c0              test   %eax,%eax
  400f10:  74 05              je     400f17 <phase_1+0x17>
  400f12:  e8 13 05 00 00     callq  40142a <explode_bomb>
  400f17:  48 83 c4 08        add    $0x8,%rsp
  400f1b:  c3                 retq
phase_2

0000000000400f1c <phase_2>:
  400f1c:  55                 push   %rbp
  400f1d:  53                 push   %rbx
  400f1e:  48 83 ec 28        sub    $0x28,%rsp
  400f22:  48 89 e6           mov    %rsp,%rsi
  400f25:  e8 22 05 00 00     callq  40144c <read_six_numbers>
  400f2a:  83 3c 24 01        cmpl   $0x1,(%rsp)
  400f2e:  74 20              je     400f50 <phase_2+0x34>
  400f30:  e8 f5 04 00 00     callq  40142a <explode_bomb>
  400f35:  eb 19              jmp    400f50 <phase_2+0x34>
  400f37:  8b 43 fc           mov    -0x4(%rbx),%eax
  400f3a:  01 c0              add    %eax,%eax
  400f3c:  39 03              cmp    %eax,(%rbx)
  400f3e:  74 05              je     400f45 <phase_2+0x29>
  400f40:  e8 e5 04 00 00     callq  40142a <explode_bomb>
  400f45:  48 83 c3 04        add    $0x4,%rbx
  400f49:  48 39 eb           cmp    %rbp,%rbx
  400f4c:  75 e9              jne    400f37 <phase_2+0x1b>
  400f4e:  eb 0c              jmp    400f5c <phase_2+0x40>
  400f50:  48 8d 5c 24 04     lea    0x4(%rsp),%rbx
  400f55:  48 8d 6c 24 18     lea    0x18(%rsp),%rbp
  400f5a:  eb db              jmp    400f37 <phase_2+0x1b>
  400f5c:  48 83 c4 28        add    $0x28,%rsp
  400f60:  5b                 pop    %rbx
  400f61:  5d                 pop    %rbp
  400f62:  c3                 retq
phase_3

0000000000400f63 <phase_3>:
  400f63:  48 83 ec 18        sub    $0x18,%rsp
  400f67:  48 8d 4c 24 0c     lea    0xc(%rsp),%rcx
  400f6c:  48 8d 54 24 08     lea    0x8(%rsp),%rdx
  400f71:  be b7 25 40 00     mov    $0x4025b7,%esi
  400f76:  b8 00 00 00 00     mov    $0x0,%eax
  400f7b:  e8 b0 fc ff ff     callq  400c30 <__isoc99_sscanf@plt>
  400f80:  83 f8 01           cmp    $0x1,%eax
  400f83:  7f 05              jg     400f8a <phase_3+0x27>
  400f85:  e8 a0 04 00 00     callq  40142a <explode_bomb>
  400f8a:  83 7c 24 08 07     cmpl   $0x7,0x8(%rsp)
  400f8f:  77 66              ja     400ff7 <phase_3+0x94>
  400f91:  8b 44 24 08        mov    0x8(%rsp),%eax
  400f95:  ff 24 c5 00 24 40 00  jmpq   *0x402400(,%rax,8)
Notes on Assembly
• <__isoc99_sscanf@plt>: see man sscanf
• cmp $0x1,%eax
  Like sub $0x1,%eax (eax ← eax - 0x1) except the result is not stored; it only sets the flags
• test is similar, except the operation is an AND
• jg 400f8a <phase_3+0x27>
  Jumps if %eax > 0x1 (signed comparison)
Phase_3 page 2

  400f8a:  83 7c 24 08 07     cmpl   $0x7,0x8(%rsp)
  400f8f:  77 66              ja     400ff7 <phase_3+0x94>
  400f91:  8b 44 24 08        mov    0x8(%rsp),%eax
  400f95:  ff 24 c5 00 24 40 00  jmpq   *0x402400(,%rax,8)     <-- JUMP TABLE
  400f9c:  b8 00 00 00 00     mov    $0x0,%eax
  400fa1:  eb 05              jmp    400fa8 <phase_3+0x45>
  400fa3:  b8 f5 00 00 00     mov    $0xf5,%eax
  400fa8:  2d b3 00 00 00     sub    $0xb3,%eax
  400fad:  eb 05              jmp    400fb4 <phase_3+0x51>
  400faf:  b8 00 00 00 00     mov    $0x0,%eax
  400fb4:  05 dc 01 00 00     add    $0x1dc,%eax
  400fb9:  eb 05              jmp    400fc0 <phase_3+0x5d>
  400fbb:  b8 00 00 00 00     mov    $0x0,%eax
  400fc0:  2d 15 02 00 00     sub    $0x215,%eax
  400fc5:  eb 05              jmp    400fcc <phase_3+0x69>
  400fc7:  b8 00 00 00 00     mov    $0x0,%eax
  400fcc:  05 15 02 00 00     add    $0x215,%eax
  400fd1:  eb 05              jmp    400fd8 <phase_3+0x75>
  400fd3:  b8 00 00 00 00     mov    $0x0,%eax
  400fd8:  2d 15 02 00 00     sub    $0x215,%eax
  400fdd:  eb 05              jmp    400fe4 <phase_3+0x81>
  400fdf:  b8 00 00 00 00     mov    $0x0,%eax
  400fe4:  05 15 02 00 00     add    $0x215,%eax
  400fe9:  eb 05              jmp    400ff0 <phase_3+0x8d>
  400feb:  b8 00 00 00 00     mov    $0x0,%eax
  400ff0:  2d 15 02 00 00     sub    $0x215,%eax
  400ff5:  eb 0a              jmp    401001 <phase_3+0x9e>
  400ff7:  e8 2e 04 00 00     callq  40142a <explode_bomb>
  400ffc:  b8 00 00 00 00     mov    $0x0,%eax
  401001:  83 7c 24 08 05     cmpl   $0x5,0x8(%rsp)
  401006:  7f 06              jg     40100e <phase_3+0xab>
  401008:  3b 44 24 0c        cmp    0xc(%rsp),%eax
  40100c:  74 05              je     401013 <phase_3+0xb0>
  40100e:  e8 17 04 00 00     callq  40142a <explode_bomb>
  401013:  48 83 c4 18        add    $0x18,%rsp
  401017:  c3                 retq
Startup phase_3

(gdb) b phase_3
Breakpoint 1 at 0x400f63
(gdb) display /i $rip
(gdb) r sol.txt
Starting program: /acct/matthews/Courses/212H/Labs/bomb sol.txt
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
MyStringInputToPhase3.

Breakpoint 1, 0x0000000000400f63 in phase_3 ()
1: x /i $rip
=> 0x400f63 <phase_3>:  sub    $0x18,%rsp
(gdb) si
0x0000000000400f7b in phase_3 ()
=> 0x400f7b <phase_3+24>:  callq  0x400c30 <__isoc99_sscanf@plt>
(gdb) si
0x0000000000400c30 in __isoc99_sscanf@plt ()
=> 0x400c30 <__isoc99_sscanf@plt>:  jmpq   *0x202472(%rip)   # 0x6030a8 <__isoc99_sscanf@got.plt>
(gdb) x /s $rdi
0x603840 <input_strings+160>:  "MyString."
(gdb) x /s $rsi
0x4025b7:  "%d %d"        // format string
Restart and enter two integers

(gdb) r sol.txt
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /acct/matthews/Courses/212H/Labs/bomb sol.txt
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
1 2

Breakpoint 1, 0x0000000000400f63 in phase_3 ()
1: x/i $rip
=> 0x400f63 <phase_3>:  sub    $0x18,%rsp
(gdb)
(gdb) x /20i $rip
=> 0x400f63 <phase_3>:     sub    $0x18,%rsp
   0x400f67 <phase_3+4>:   lea    0xc(%rsp),%rcx
   0x400f6c <phase_3+9>:   lea    0x8(%rsp),%rdx
   0x400f71 <phase_3+14>:  mov    $0x4025b7,%esi
   0x400f76 <phase_3+19>:  mov    $0x0,%eax
   0x400f7b <phase_3+24>:  callq  0x400c30 <__isoc99_sscanf@plt>
   0x400f80 <phase_3+29>:  cmp    $0x1,%eax        // eax = return value = number of items read (2)
   0x400f83 <phase_3+32>:  jg     0x400f8a <phase_3+39>
   0x400f85 <phase_3+34>:  callq  0x40142a <explode_bomb>
   0x400f8a <phase_3+39>:  cmpl   $0x7,0x8(%rsp)
   0x400f8f <phase_3+44>:  ja     0x400ff7 <phase_3+148>
   0x400f91 <phase_3+46>:  mov    0x8(%rsp),%eax
   0x400f95 <phase_3+50>:  jmpq   *0x402400(,%rax,8)

• si several times, then ni at the callq so you do not step into sscanf
Gdb bomb – examine jmp table

(gdb) x /8gx 0x402400
0x402400:  0x0000000000400fa3  0x0000000000400f9c
0x402410:  0x0000000000400faf  0x0000000000400fbb
0x402420:  0x0000000000400fc7  0x0000000000400fd3
0x402430:  0x0000000000400fdf  0x0000000000400feb
(gdb)

   0x400f8a <phase_3+39>:  cmpl   $0x7,0x8(%rsp)
   0x400f8f <phase_3+44>:  ja     0x400ff7 <phase_3+148>
   0x400f91 <phase_3+46>:  mov    0x8(%rsp),%eax
   0x400f95 <phase_3+50>:  jmpq   *0x402400(,%rax,8)

Find out where we jump!
Phase_3 page 2 (table targets annotated with the %eax index that reaches them)

  400f8a:  83 7c 24 08 07     cmpl   $0x7,0x8(%rsp)
  400f8f:  77 66              ja     400ff7 <phase_3+0x94>
  400f91:  8b 44 24 08        mov    0x8(%rsp),%eax
  400f95:  ff 24 c5 00 24 40 00  jmpq   *0x402400(,%rax,8)     <-- JUMP TABLE
  400f9c:  b8 00 00 00 00     mov    $0x0,%eax                 (eax = 1)
  400fa1:  eb 05              jmp    400fa8 <phase_3+0x45>
  400fa3:  b8 f5 00 00 00     mov    $0xf5,%eax                (eax = 0)
  400fa8:  2d b3 00 00 00     sub    $0xb3,%eax
  400fad:  eb 05              jmp    400fb4 <phase_3+0x51>
  400faf:  b8 00 00 00 00     mov    $0x0,%eax                 (eax = 2)
  400fb4:  05 dc 01 00 00     add    $0x1dc,%eax
  400fb9:  eb 05              jmp    400fc0 <phase_3+0x5d>
  400fbb:  b8 00 00 00 00     mov    $0x0,%eax                 (eax = 3)
  400fc0:  2d 15 02 00 00     sub    $0x215,%eax
  400fc5:  eb 05              jmp    400fcc <phase_3+0x69>
  400fc7:  b8 00 00 00 00     mov    $0x0,%eax
  400fcc:  05 15 02 00 00     add    $0x215,%eax
  400fd1:  eb 05              jmp    400fd8 <phase_3+0x75>
  400fd3:  b8 00 00 00 00     mov    $0x0,%eax
  400fd8:  2d 15 02 00 00     sub    $0x215,%eax
  400fdd:  eb 05              jmp    400fe4 <phase_3+0x81>
  400fdf:  b8 00 00 00 00     mov    $0x0,%eax
  400fe4:  05 15 02 00 00     add    $0x215,%eax
  400fe9:  eb 05              jmp    400ff0 <phase_3+0x8d>
  400feb:  b8 00 00 00 00     mov    $0x0,%eax
  400ff0:  2d 15 02 00 00     sub    $0x215,%eax
  400ff5:  eb 0a              jmp    401001 <phase_3+0x9e>
  400ff7:  e8 2e 04 00 00     callq  40142a <explode_bomb>
  400ffc:  b8 00 00 00 00     mov    $0x0,%eax
  401001:  83 7c 24 08 05     cmpl   $0x5,0x8(%rsp)
  401006:  7f 06              jg     40100e <phase_3+0xab>
  401008:  3b 44 24 0c        cmp    0xc(%rsp),%eax
  40100c:  74 05              je     401013 <phase_3+0xb0>
  40100e:  e8 17 04 00 00     callq  40142a <explode_bomb>
  401013:  48 83 c4 18        add    $0x18,%rsp
  401017:  c3                 retq
(gdb) r sol.txt
…
Phase 1 defused. How about the next one?
That's number 2. Keep going!
3 4

Breakpoint 1, 0x0000000000400f63 in phase_3 ()
1: x/i $rip
(gdb) ni 5
=> 0x400f7b <phase_3+24>:  callq  0x400c30 <__isoc99_sscanf@plt>
(gdb) ni
=> 0x400f80 <phase_3+29>:  cmp    $0x1,%eax
(gdb) p $eax
$2 = 2
(gdb) x /6wd $rsp
0x7fffffffe930:  -5576    32767    3    4
0x7fffffffe940:  4197584  0
(gdb) p $rsp
$3 = (void *) 0x7fffffffe930
(gdb)

=> 0x400f91 <phase_3+46>:   mov    0x8(%rsp),%eax
(gdb) si
p/d $eax = 3
=> 0x400f95 <phase_3+50>:   jmpq   *0x402400(,%rax,8)
=> 0x400fbb <phase_3+88>:   mov    $0x0,%eax
=> 0x400fc0 <phase_3+93>:   sub    $0x215,%eax
2: /d $eax = -533
=> 0x400fc5 <phase_3+98>:   jmp    0x400fcc <phase_3+105>
=> 0x400fcc <phase_3+105>:  add    $0x215,%eax
=> 0x400fd1 <phase_3+110>:  jmp    0x400fd8 <phase_3+117>
=> 0x400fd8 <phase_3+117>:  sub    $0x215,%eax
2: /d $eax = -533
=> 0x400fdd <phase_3+122>:  jmp    0x400fe4 <phase_3+129>
=> 0x400fe4 <phase_3+129>:  add    $0x215,%eax
=> 0x400fe9 <phase_3+134>:  jmp    0x400ff0 <phase_3+141>
=> 0x400ff0 <phase_3+141>:  sub    $0x215,%eax
=> 0x400ff5 <phase_3+146>:  jmp    0x401001 <phase_3+158>
   0x401001 <phase_3+158>:  cmpl   $0x5,0x8(%rsp)
=> 0x401006 <phase_3+163>:  jg     0x40100e <phase_3+171>
=> 0x401008 <phase_3+165>:  cmp    0xc(%rsp),%eax
=> 0x40100c <phase_3+169>:  je     0x401013 <phase_3+176>
(gdb)

=> 0x401006 <phase_3+163>:  jg     0x40100e <phase_3+171>
(gdb) si
0x0000000000401008 in phase_3 ()
2: /d $eax = -533
1: x/i $rip
=> 0x401008 <phase_3+165>:  cmp    0xc(%rsp),%eax
(gdb) ni
0x000000000040100c in phase_3 ()
2: /d $eax = -533
1: x/i $rip
=> 0x40100c <phase_3+169>:  je     0x401013 <phase_3+176>
(gdb) ni
0x0000000000401013 in phase_3 ()
2: /d $eax = -533
1: x/i $rip
=> 0x401013 <phase_3+176>:  add    $0x18,%rsp
(gdb) ni
=> 0x401017 <phase_3+180>:  retq
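To make the jump table readable as a whole, here is a C model of phase_3 written from the objdump listing and from the eight table entries dumped with x /8gx 0x402400. This is an added example and not code from the slides or from the bomb; the names phase_3_value and phase_3_check and the "stage" numbering of the shared add/sub chain are this example's own. Note that the bounds check before the indirect jump is `ja`, an unsigned compare: that is how the compiler keeps a negative index from reading past the end of the table, and reading it as a signed compare would give a wrong model.

```c
/* Added example, not code from the slides or from the bomb: a C model of
 * phase_3 transcribed from the objdump listing and from the jump table
 * dumped with `x /8gx 0x402400`. */
#include <stdio.h>

/* The shared add/sub chain, one entry per stage, in address order:
 *   stage 0  400fa8  sub $0xb3      stage 4  400fd8  sub $0x215
 *   stage 1  400fb4  add $0x1dc     stage 5  400fe4  add $0x215
 *   stage 2  400fc0  sub $0x215     stage 6  400ff0  sub $0x215
 *   stage 3  400fcc  add $0x215 */
static const int chain_delta[7] = { -0xb3, 0x1dc, -0x215, 0x215, -0x215, 0x215, -0x215 };

/* Value in %eax on arrival at 401001 for a table index 0..7.
 * Each table entry does one mov and then jmp's into the chain:
 *   index 0 (0x400fa3): mov $0xf5,%eax and fall into stage 0
 *   index 1 (0x400f9c): mov $0x0,%eax  and jmp to stage 0
 *   index i >= 2:       mov $0x0,%eax  and jmp to stage i-1
 * Every later stage is shared, which is why the disassembly looks like
 * the same add/sub pair repeated. */
int phase_3_value(unsigned int index)
{
    int eax = (index == 0) ? 0xf5 : 0;
    int stage = (index == 0) ? 0 : (int)index - 1;
    for (int k = stage; k < 7; k++)
        eax += chain_delta[k];
    return eax;
}

/* 1 if phase_3 would return normally, 0 if explode_bomb would be called.
 * items_read models the return value of sscanf; first and second are the
 * two ints it stored at 0x8(%rsp) and 0xc(%rsp). */
int phase_3_check(int items_read, int first, int second)
{
    if (items_read <= 1)                 /* cmp $0x1,%eax ; jg       (signed)   */
        return 0;
    if ((unsigned int)first > 7u)        /* cmpl $0x7,0x8(%rsp) ; ja (UNSIGNED) */
        return 0;                        /* so -1 == 0xffffffff also explodes   */
    int eax = phase_3_value((unsigned int)first);  /* jmpq *0x402400(,%rax,8) */
    if (first > 5)                       /* cmpl $0x5,0x8(%rsp) ; jg (signed)   */
        return 0;
    return eax == second;                /* cmp 0xc(%rsp),%eax ; je             */
}

int main(void)
{
    /* Same run as the gdb trace above: with "3 4" the model reaches the
     * final cmp with %eax = -533; the phase passes only if the second
     * number equals that value. */
    printf("index 3 -> %d, check(\"3 4\") = %d\n",
           phase_3_value(3), phase_3_check(2, 3, 4));
    printf("check(\"-1 0\") = %d  (ja sees -1 as 0xffffffff)\n",
           phase_3_check(2, -1, 0));
    return 0;
}
```

Compile with gcc and compare phase_3_value(3) against the `2: /d $eax = -533` lines in the trace; any mismatch means a stage was mis-transcribed from the listing.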
Phase_4

(gdb) x /30i $rip
=> 0x401050 <phase_4>:     sub    $0x18,%rsp
   0x401054 <phase_4+4>:   lea    0x8(%rsp),%rcx
   0x401059 <phase_4+9>:   lea    0xc(%rsp),%rdx
   0x40105e <phase_4+14>:  mov    $0x4025b7,%esi
   0x401063 <phase_4+19>:  mov    $0x0,%eax
   0x401068 <phase_4+24>:  callq  0x400c30 <__isoc99_sscanf@plt>
   0x40106d <phase_4+29>:  cmp    $0x2,%eax
   0x401070 <phase_4+32>:  jne    0x40107e <phase_4+46>
   0x401072 <phase_4+34>:  mov    0x8(%rsp),%eax
   0x401076 <phase_4+38>:  sub    $0x2,%eax
   0x401079 <phase_4+41>:  cmp    $0x2,%eax
   0x40107c <phase_4+44>:  jbe    0x401083 <phase_4+51>
   0x40107e <phase_4+46>:  callq  0x40142a <explode_bomb>
   0x401083 <phase_4+51>:  mov    0x8(%rsp),%esi
   0x401087 <phase_4+55>:  mov    $0x9,%edi
   0x40108c <phase_4+60>:  callq  0x401018 <func4>
   0x401091 <phase_4+65>:  cmp    0xc(%rsp),%eax
   0x401095 <phase_4+69>:  je     0x40109c <phase_4+76>
   0x401097 <phase_4+71>:  callq  0x40142a <explode_bomb>
   0x40109c <phase_4+76>:  add    $0x18,%rsp
   0x4010a0 <phase_4+80>:  retq
   0x4010a1 <phase_5>:     sub    $0x18,%rsp
   0x4010a5 <phase_5+4>:   lea    0xc(%rsp),%rcx
(gdb) b phase_4
(gdb) r sol.txt
…
(gdb) x /s $rdi
0x603890 <input_strings+240>:  " 4 6"
(gdb) x /s 0x4025b7
…
0x4025b7:  "%d %d"
(gdb) ni 10
BOOM!!! The bomb has blown up.
Phase_5

   0x4010a1 <phase_5>:     sub    $0x18,%rsp
   0x4010a5 <phase_5+4>:   lea    0xc(%rsp),%rcx
   0x4010aa <phase_5+9>:   lea    0x8(%rsp),%rdx
   0x4010af <phase_5+14>:  mov    $0x4025b7,%esi
   0x4010b4 <phase_5+19>:  mov    $0x0,%eax
   0x4010b9 <phase_5+24>:  callq  0x400c30 <__isoc99_sscanf@plt>
   0x4010be <phase_5+29>:  cmp    $0x1,%eax
   0x4010c1 <phase_5+32>:  jg     0x4010c8 <phase_5+39>
   0x4010c3 <phase_5+34>:  callq  0x40142a <explode_bomb>
   0x4010c8 <phase_5+39>:  mov    0x8(%rsp),%eax
   0x4010cc <phase_5+43>:  and    $0xf,%eax
   0x4010cf <phase_5+46>:  mov    %eax,0x8(%rsp)
   0x4010d3 <phase_5+50>:  cmp    $0xf,%eax
   0x4010d6 <phase_5+53>:  je     0x401104 <phase_5+99>
   0x4010d8 <phase_5+55>:  mov    $0x0,%ecx
   0x4010dd <phase_5+60>:  mov    $0x0,%edx
   0x4010e2 <phase_5+65>:  add    $0x1,%edx
   0x4010e5 <phase_5+68>:  cltq
   0x4010e7 <phase_5+70>:  mov    0x402440(,%rax,4),%eax
   0x4010ee <phase_5+77>:  add    %eax,%ecx
   0x4010f0 <phase_5+79>:  cmp    $0xf,%eax
   0x4010f3 <phase_5+82>:  jne    0x4010e2 <phase_5+65>
   0x4010f5 <phase_5+84>:  mov    %eax,0x8(%rsp)
   0x4010f9 <phase_5+88>:  cmp    $0xf,%edx
   0x4010fc <phase_5+91>:  jne    0x401104 <phase_5+99>
   0x4010fe <phase_5+93>:  cmp    0xc(%rsp),%ecx
   0x401102 <phase_5+97>:  je     0x401109 <phase_5+104>
   0x401104 <phase_5+99>:  callq  0x40142a <explode_bomb>
   0x401109 <phase_5+104>: add    $0x18,%rsp
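The loop at 0x4010e2..0x4010f3 is easier to see as C. The model below is an added example, not code from the slides or from the bomb. The slides do not show the 16-entry table at 0x402440, so the table here is constructed for illustration (a single chain that ends at entry 15); with the real table the hop counts and sums differ, but the control flow read from the listing is the same. The names table_402440, phase_5_walk, phase_5_sum, phase_5_hops and phase_5_check are this example's own.

```c
/* Added example, not code from the lecture or the bomb: a C model of the
 * phase_5 loop read off the listing above.  The bomb's table at 0x402440
 * is not shown on the slides, so the table below is CONSTRUCTED. */
#include <stdio.h>

/* Constructed stand-in for the 4-byte entries at 0x402440.  Every value is
 * in 0..15 so it can be reused as the next index; the bomb's table needs
 * the same property, otherwise `mov 0x402440(,%rax,4),%eax` would read
 * outside the table.  This table is one chain 5->12->3->...->6->15, so the
 * walk from any start in 0..14 terminates at 15. */
static const int table_402440[16] = {
    10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 1, 13, 3, 9, 6, 15
};

/* The do/while at 0x4010e2..0x4010f3: %edx counts hops, %ecx sums the
 * values loaded, and the loop ends when the loaded value is 0xf. */
int phase_5_walk(int first, int *hops)
{
    int eax = first & 0xf;        /* and $0xf,%eax (stored back at 0x8(%rsp)) */
    int ecx = 0, edx = 0;         /* mov $0x0,%ecx ; mov $0x0,%edx            */
    do {
        edx += 1;                 /* add $0x1,%edx                            */
        eax = table_402440[eax];  /* cltq ; mov 0x402440(,%rax,4),%eax        */
        ecx += eax;               /* add %eax,%ecx                            */
    } while (eax != 0xf);         /* cmp $0xf,%eax ; jne 0x4010e2             */
    *hops = edx;
    return ecx;
}

int phase_5_sum(int first)  { int h; return phase_5_walk(first, &h); }
int phase_5_hops(int first) { int h; phase_5_walk(first, &h); return h; }

/* 1 if phase_5 would return normally, 0 if explode_bomb is reached. */
int phase_5_check(int items_read, int first, int second)
{
    if (items_read <= 1)                  /* cmp $0x1,%eax ; jg              */
        return 0;
    if ((first & 0xf) == 0xf)             /* cmp $0xf,%eax ; je explode      */
        return 0;
    int hops;
    int sum = phase_5_walk(first, &hops);
    if (hops != 0xf)                      /* cmp $0xf,%edx ; jne explode     */
        return 0;
    return sum == second;                 /* cmp 0xc(%rsp),%ecx ; je ok      */
}

int main(void)
{
    int hops;
    int sum = phase_5_walk(5, &hops);
    printf("start 5: %d hops, sum %d, check = %d\n",
           hops, sum, phase_5_check(2, 5, sum));
    printf("start 12: %d hops (needs 15)\n", phase_5_hops(12));
    return 0;
}
```

Because only the low four bits of the first number are used, any input that agrees with a valid start modulo 16 walks the same chain; the `cltq` sign-extends %eax into %rax but never matters here since the index is already masked to 0..15.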
Google x86-64 cltq
• cltq sign-extends %eax to a quadword (into %rax)

Google x86-64 test
• https://en.wikipedia.org/wiki/TEST_(x86_instruction)
• The TEST operation sets the flags CF and OF to zero.
• The SF is set to the most significant bit of the result of the AND.
• If the result is 0, the ZF is set to 1, otherwise set to 0.
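The cmp/test/jg notes earlier in the lecture and the TEST flag description above can be checked with a few lines of C. The block below is an added example, not from the slides: it models how cmp and test set CF, ZF, SF and OF on 32-bit operands and how jg, ja and je read them, then applies the model to the exact instruction pairs used in phase_1 and phase_3. The helper names (flags_cmp32, flags_test32, sscanf_guard_passes, index_above_7, phase1_skips_explode) are this example's own.

```c
/* Added example, not from the slides: a model of the x86-64 condition
 * codes set by cmp and test, and the jg / ja / je predicates on them. */
#include <stdint.h>
#include <stdio.h>

typedef struct { int cf, zf, sf, of; } flags_t;

/* cmp src,dst: computes dst - src and sets the flags exactly as sub would,
 * but the difference is not stored anywhere. */
flags_t flags_cmp32(uint32_t dst, uint32_t src)
{
    uint32_t r = dst - src;
    flags_t f;
    f.cf = dst < src;                                /* borrow out of bit 31       */
    f.zf = (r == 0);
    f.sf = (int)((r >> 31) & 1);                     /* sign bit of the result     */
    f.of = (int)((((dst ^ src) & (dst ^ r)) >> 31) & 1); /* signed overflow of dst-src */
    return f;
}

/* test src,dst: computes dst & src; CF and OF are cleared, SF is the most
 * significant bit of the AND, ZF is 1 exactly when the AND is 0. */
flags_t flags_test32(uint32_t dst, uint32_t src)
{
    uint32_t r = dst & src;
    flags_t f = { 0, r == 0, (int)((r >> 31) & 1), 0 };
    return f;
}

/* The conditional jumps used on the slides, as predicates on the flags. */
int jg_taken(flags_t f) { return !f.zf && (f.sf == f.of); }  /* signed   dst >  src */
int ja_taken(flags_t f) { return !f.cf && !f.zf; }            /* unsigned dst >  src */
int je_taken(flags_t f) { return f.zf; }                      /*          dst == src */

/* cmp $0x1,%eax ; jg   -- 1 if sscanf's return value gets past the guard */
int sscanf_guard_passes(int eax) { return jg_taken(flags_cmp32((uint32_t)eax, 1)); }

/* cmpl $0x7,0x8(%rsp) ; ja -- 1 if the first number sends phase_3 to
 * explode_bomb.  Unsigned, so -1 (0xffffffff) counts as "above 7". */
int index_above_7(int first) { return ja_taken(flags_cmp32((uint32_t)first, 7)); }

/* test %eax,%eax ; je -- 1 if phase_1 skips explode_bomb, i.e.
 * strings_not_equal returned 0 */
int phase1_skips_explode(int rv) { return je_taken(flags_test32((uint32_t)rv, (uint32_t)rv)); }

int main(void)
{
    printf("jg after cmp $1: eax=2 -> %d, eax=-1 -> %d\n",
           sscanf_guard_passes(2), sscanf_guard_passes(-1));
    printf("ja after cmpl $7: first=8 -> %d, first=-1 -> %d, first=7 -> %d\n",
           index_above_7(8), index_above_7(-1), index_above_7(7));
    printf("je after test: rv=0 -> %d, rv=1 -> %d\n",
           phase1_skips_explode(0), phase1_skips_explode(1));
    return 0;
}
```

The overflow term is what separates jg from ja: jg compares SF with OF so that INT_MIN - 1, which wraps to a positive result, is still reported as "not greater", whereas ja only looks at the borrow and the zero flag.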