1 / 50

T UTORIAL L ESSON Assembly

Institute of Parallel and Distributed Systems (iPads) Shanghai Jiao Tong University Rong Chen rongchen @ sjtu.edu.cn. T UTORIAL L ESSON Assembly. OUTLINE. Pre-requisite Bomb!. Pre-requisite Bomb!. GNU Tools. GDB ( G nu D e B ugger ) Start your program Stop on special conditions

thelma
Download Presentation

T UTORIAL L ESSON Assembly

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Institute of Parallel and Distributed Systems (iPads) Shanghai Jiao Tong University Rong Chen rongchen@sjtu.edu.cn TUTORIAL LESSONAssembly

  2. OUTLINE Pre-requisite Bomb!

  3. Pre-requisite Bomb!

  4. GNU Tools • GDB(Gnu DeBugger) • Start your program • Stop on special conditions • Exams what has happened • Change thing in your program Institute of Parallel and Distributed Systems (iPads), SJTU

  5. GNU Tools • GDB(Gnu DeBugger) • Commands • gdb <file> • break FUNC | *ADDR • run • print</?> $REG | ADDR • continue | stepi | nexti • quit Reference http://ipads.se.sjtu.edu.cn/courses/ics/tutorials/gdb-ref.txt Institute of Parallel and Distributed Systems (iPads), SJTU

  6. GNU Tools • OBJDUMP(OBJect-file DUMP) • Display information from object files • Disassemble object file • Show file headers • Show symbol table • ... • Commands • objdump–d | -D <object-file> Institute of Parallel and Distributed Systems (iPads), SJTU

  7. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  8. GNU Tools • Install GNU Tools • apt-get install build-essential • apt-get install gdb Institute of Parallel and Distributed Systems (iPads), SJTU

  9. Pre-requisite Bomb! • Binary Bomb Defuse Bomb Using GDB

  10. Defuse Bomb Right key Survive • What is Bomb ? • Only a binary file • What should you do ? • Find the key and defuse the bomb ! • What can you use ? • Anything from ICS course • Any tools Wrong key Bomb ! gdb calculator strings objdump paper pencil Institute of Parallel and Distributed Systems (iPads), SJTU

  11. Demo • Please See Carefully ! • A binary bomb • Need a password to defuse it • Demo $./bomb input password: • bomb!... • $ • $./bomb • input password: • survive! 224 123

  12. HACKER

  13. Pre-requisite Bomb! Binary Bomb • Defuse Bomb Using GDB

  14. Step by Step • Machine Code to Assembly Code • objdump -D bomb > asm NAME objdump - display information from object files. SYNOPSIS objdump [-d|--disassemble] [-D|--disassemble-all] ... Institute of Parallel and Distributed Systems (iPads), SJTU

  15. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  16. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  17. Step by Step • Find key functions and parameters • scanf: where does the password store ? • printf: which the instruction will print “bomb” ? Institute of Parallel and Distributed Systems (iPads), SJTU

  18. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  19. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  20. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  21. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  22. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  23. Step by Step • Find key functions and parameters • scanf: where does the password store ? • printf: which the instruction will print “bomb” ? • Find key strings • “bomb”, “survive” and “password” Institute of Parallel and Distributed Systems (iPads), SJTU

  24. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  25. i n p u t p a ss w o r d ... 8048538: 69 6e 70 75 74 20 70 imul $0x70207475,0x70 ... 804853f: 61 popa 8048540: 73 73 ... 8048542: 77 6f ... 8048544: 72 64 ... 8048546: 3a 00 ... 8048548: 25 64 00 ... 804854b: 73 75 ... 804854d: 72 76 ... 804854f: 69 76 65 21 00 ... 8048554: 62 6f 6d ... 8048557: 62 21 ... 8048559: 2e ... 804855a: 2e ... 804855b: 2e ... ... :\0 su rv iv e ! \0 bo m b! . . .

  26. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  27. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl password,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl survive,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl bomb,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  28. Step by Step • Find key functions and parameters • scanf: where does the password store ? • printf: which the instruction will print “bomb” ? • Find key strings • “bomb”, “survive” and “password” • Find key operators • jmp, change control flow • cmp, how to judgment condition Institute of Parallel and Distributed Systems (iPads), SJTU

  29. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl password,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl survive ,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl bomb ,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  30. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl password ,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl survive,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl bomb,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  31. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl password ,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl survive ,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl bomb,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret Password !

  32. Pre-requisite Bomb! Binary Bomb Defuse Bomb • Using GDB

  33. Can we do it more efficiently and safely? • Defuse bomb using GDB • set breakpoint on the critical path • watch registers and/or memories • terminate program on demand • single step execution Institute of Parallel and Distributed Systems (iPads), SJTU

  34. Command • GDB • gdb <file> • break FUNC | *ADDR • run • print</?> $REG | ADDR • continue | stepi | nexti • quit Institute of Parallel and Distributed Systems (iPads), SJTU

  35. 080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl password,(%esp) 80483dc: e8 17 ff ffff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl survive,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl bomb ,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret

  36. $gdb bomb (gdb)

  37. 0x80483dc “password” $gdb bomb (gdb) break *0x80483dc Breakpoint 1 at 0x80483dc (gdb)

  38. 0x80483dc“password” 0x80483f7“compare” $gdb bomb (gdb) break *0x80483dc Breakpoint 1 at 0x80483dc (gdb) break *0x80483f7 Breakpoint 2 at 0x80483f7 (gdb)

  39. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” $gdb bomb (gdb) break *0x80483dc Breakpoint 1 at 0x80483dc (gdb) break *0x80483f7 Breakpoint 2 at 0x80483f7 (gdb) break *0x8048403 Breakpoint 3 at 0x8048403 (gdb)

  40. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” 0x8048411 “bomb” $gdb bomb (gdb) break *0x80483dc Breakpoint 1 at 0x80483dc (gdb) break *0x80483f7 Breakpoint 2 at 0x80483f7 (gdb) break *0x8048403 Breakpoint 3 at 0x8048403 (gdb) break *0x8048411 Breakpoint 4 at 0x8048411 (gdb)

  41. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” 0x8048411 “bomb” $gdb bomb (gdb) break *0x80483dc Breakpoint 1 at 0x80483dc (gdb) break *0x80483f7 Breakpoint 2 at 0x80483f7 (gdb) break *0x8048403 Breakpoint 3 at 0x8048403 (gdb) break *0x8048411 Breakpoint 4 at 0x8048411 (gdb) run Starting program: /home/rong/tut1/bomb Breakpoint 1, 0x080483dc in main () (gdb)

  42. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” 0x8048411 “bomb” $gdb bomb (gdb) break *0x80483dc Breakpoint 1 at 0x80483dc (gdb) break *0x80483f7 Breakpoint 2 at 0x80483f7 (gdb) break *0x8048403 Breakpoint 3 at 0x8048403 (gdb) break *0x8048411 Breakpoint 4 at 0x8048411 (gdb) run Starting program: /home/rong/tut1/bomb Breakpoint 1, 0x080483dc in main () (gdb) print/c *0x8048538 $3 = 105 'i' (gdb)

  43. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” 0x8048411 “bomb” $gdb bomb (gdb) break *0x80483dc Breakpoint 1 at 0x80483dc (gdb) break *0x80483f7 Breakpoint 2 at 0x80483f7 (gdb) break *0x8048403 Breakpoint 3 at 0x8048403 (gdb) break *0x8048411 Breakpoint 4 at 0x8048411 (gdb) run Starting program: /home/rong/tut1/bomb Breakpoint 1, 0x080483dc in main () (gdb) print/c *0x8048538 $3 = 105 'i' (gdb) print/c *0x8048539 $4 = 110 'n' (gdb)

  44. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” 0x8048411 “bomb” $gdb bomb (gdb) break *0x80483dc Breakpoint 1 at 0x80483dc (gdb) break *0x80483f7 Breakpoint 2 at 0x80483f7 (gdb) break *0x8048403 Breakpoint 3 at 0x8048403 (gdb) break *0x8048411 Breakpoint 4 at 0x8048411 (gdb) run Starting program: /home/rong/tut1/bomb Breakpoint 1, 0x080483dc in main () (gdb) print/c *0x8048538 $3 = 105 'i' (gdb) print/c *0x8048539 $4 = 110 'n' (gdb) print/s (char *)0x8048538 $5 = 0x8048538 “input password:”

  45. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” 0x8048411 “bomb” (gdb) c Continuing. input password:

  46. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” 0x8048411 “bomb” (gdb) c Continuing. input password:224 Breakpoint 2, 0x080483f7 in main () (gdb)

  47. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” 0x8048411 “bomb” (gdb) c Continuing. input password:224 Breakpoint 2, 0x080483f7 in main () (gdb) print/d $eax $8 = 224

  48. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” 0x8048411 “bomb” (gdb) c Continuing. input password:224 Breakpoint 2, 0x080483f7 in main () (gdb) print/d $eax $8 = 224 (gdb) c Continuing. Breakpoint 4, 0x08048411 in main () (gdb)

  49. 0x80483dc “password” 0x80483f7 “compare” 0x8048403 “survive” 0x8048411 “bomb” (gdb) c Continuing. input password:224 Breakpoint 2, 0x080483f7 in main () (gdb) print/d $eax $8 = 224 (gdb) c Continuing. Breakpoint 4, 0x08048411 in main () (gdb) q The program is running. Exit anyway? (y or n) y $

  50. Thanks Institute of Parallel and Distributed Systems (iPads), SJTU

More Related