Institute of Parallel and Distributed Systems (iPads), Shanghai Jiao Tong University
Rong Chen, rongchen@sjtu.edu.cn
TUTORIAL LESSON: Assembly
OUTLINE
• Pre-requisite
• Bomb!
• Pre-requisite
Bomb!
GNU Tools
• GDB (GNU DeBugger)
  • Start your program
  • Stop on special conditions
  • Examine what has happened
  • Change things in your program
Institute of Parallel and Distributed Systems (iPads), SJTU
GNU Tools
• GDB (GNU DeBugger)
  • Commands
    • gdb <file>
    • break FUNC | *ADDR
    • run
    • print[/FMT] $REG | ADDR
    • continue | stepi | nexti
    • quit
• Reference: http://ipads.se.sjtu.edu.cn/courses/ics/tutorials/gdb-ref.txt
GNU Tools
• OBJDUMP (OBJect-file DUMP)
  • Display information from object files
    • Disassemble object file
    • Show file headers
    • Show symbol table
    • ...
  • Commands
    • objdump -d | -D <object-file>
080483c4 <main>:
 ...
 80483d5: c7 04 24 38 85 04 08   movl   $0x8048538,(%esp)
 80483dc: e8 17 ff ff ff         call   80482f8 <printf@plt>
 80483e1: 8d 45 f8               lea    0xfffffff8(%ebp),%eax
 80483e4: 89 44 24 04            mov    %eax,0x4(%esp)
 80483e8: c7 04 24 48 85 04 08   movl   $0x8048548,(%esp)
 80483ef: e8 e4 fe ff ff         call   80482d8 <scanf@plt>
 80483f4: 8b 45 f8               mov    0xfffffff8(%ebp),%eax
 80483f7: 83 f8 7b               cmp    $0x7b,%eax
 80483fa: 75 0e                  jne    804840a <main+0x46>
 80483fc: c7 04 24 4b 85 04 08   movl   $0x804854b,(%esp)
 8048403: e8 c0 fe ff ff         call   80482c8 <puts@plt>
 8048408: eb 0c                  jmp    8048416 <main+0x52>
 804840a: c7 04 24 54 85 04 08   movl   $0x8048554,(%esp)
 8048411: e8 b2 fe ff ff         call   80482c8 <puts@plt>
 8048416: b8 00 00 00 00         mov    $0x0,%eax
 ...
 8048423: c3                     ret
GNU Tools
• Install GNU Tools
  • apt-get install build-essential
  • apt-get install gdb
Pre-requisite
Bomb!
  • Binary Bomb
  Defuse Bomb
  Using GDB
Defuse Bomb
  Right key → Survive
  Wrong key → Bomb!
• What is a Bomb?
  • Only a binary file
• What should you do?
  • Find the key and defuse the bomb!
• What can you use?
  • Anything from the ICS course
  • Any tools: gdb, objdump, strings, calculator, paper and pencil
Demo
• Please watch carefully!
  • A binary bomb
  • Needs a password to defuse it
• Demo
  $ ./bomb
  input password: 224
  bomb!...
  $
  $ ./bomb
  input password: 123
  survive!
Pre-requisite
Bomb!
  Binary Bomb
  • Defuse Bomb
  Using GDB
Step by Step
• Machine Code to Assembly Code
  • objdump -D bomb > asm
  NAME
    objdump - display information from object files.
  SYNOPSIS
    objdump [-d|--disassemble] [-D|--disassemble-all] ...
Step by Step
• Find key functions and parameters
  • scanf: where is the password stored?
  • printf: which instruction will print “bomb”?
 ...
 8048538: 69 6e 70 75 74 20 70   imul   $0x70207475,0x70   "input p"
 804853f: 61                     popa                      "a"
 8048540: 73 73                  ...                       "ss"
 8048542: 77 6f                  ...                       "wo"
 8048544: 72 64                  ...                       "rd"
 8048546: 3a 00                  ...                       ":\0"
 8048548: 25 64 00               ...                       "%d\0"
 804854b: 73 75                  ...                       "su"
 804854d: 72 76                  ...                       "rv"
 804854f: 69 76 65 21 00         ...                       "ive!\0"
 8048554: 62 6f 6d               ...                       "bom"
 8048557: 62 21                  ...                       "b!"
 8048559: 2e                     ...                       "."
 804855a: 2e                     ...                       "."
 804855b: 2e                     ...                       "."
 ...
Step by Step
• Find key functions and parameters
  • scanf: where is the password stored?
  • printf: which instruction will print “bomb”?
• Find key strings
  • “bomb”, “survive” and “password”
• Find key operators
  • jmp: changes the control flow
  • cmp: how the condition is judged
080483c4 <main>:
 ...
 80483d5: c7 04 24 38 85 04 08   movl   password,(%esp)
 80483dc: e8 17 ff ff ff         call   80482f8 <printf@plt>
 80483e1: 8d 45 f8               lea    0xfffffff8(%ebp),%eax
 80483e4: 89 44 24 04            mov    %eax,0x4(%esp)
 80483e8: c7 04 24 48 85 04 08   movl   $0x8048548,(%esp)
 80483ef: e8 e4 fe ff ff         call   80482d8 <scanf@plt>
 80483f4: 8b 45 f8               mov    0xfffffff8(%ebp),%eax
 80483f7: 83 f8 7b               cmp    $0x7b,%eax             ← Password!
 80483fa: 75 0e                  jne    804840a <main+0x46>
 80483fc: c7 04 24 4b 85 04 08   movl   survive,(%esp)
 8048403: e8 c0 fe ff ff         call   80482c8 <puts@plt>
 8048408: eb 0c                  jmp    8048416 <main+0x52>
 804840a: c7 04 24 54 85 04 08   movl   bomb,(%esp)
 8048411: e8 b2 fe ff ff         call   80482c8 <puts@plt>
 8048416: b8 00 00 00 00         mov    $0x0,%eax
 ...
 8048423: c3                     ret
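As an added example that is not part of the tutorial, the three "Step by Step" searches (key functions, key strings, key operators) automated in Python over the listing from these slides: parse_listing reads objdump's address/bytes/mnemonic columns, string_refs resolves each movl immediate to the .rodata string it addresses (the password/survive/bomb labels), and trace follows cmp/jne/jmp for one input value to see which puts is reached, the same path the gdb breakpoints later confirm. The listing and .rodata bytes are constructed from the slides, the function names are mine, and the model assumes the value scanf stored is what cmp reads in %eax, which holds for this listing.

```python
import re
# Constructed input: the tutorial's objdump -d listing of main, byte column kept.
LISTING = """\
80483d5:\tc7 04 24 38 85 04 08 \tmovl   $0x8048538,(%esp)
80483dc:\te8 17 ff ff ff       \tcall   80482f8 <printf@plt>
80483e8:\tc7 04 24 48 85 04 08 \tmovl   $0x8048548,(%esp)
80483ef:\te8 e4 fe ff ff       \tcall   80482d8 <scanf@plt>
80483f4:\t8b 45 f8             \tmov    0xfffffff8(%ebp),%eax
80483f7:\t83 f8 7b             \tcmp    $0x7b,%eax
80483fa:\t75 0e                \tjne    804840a <main+0x46>
80483fc:\tc7 04 24 4b 85 04 08 \tmovl   $0x804854b,(%esp)
8048403:\te8 c0 fe ff ff       \tcall   80482c8 <puts@plt>
8048408:\teb 0c                \tjmp    8048416 <main+0x52>
804840a:\tc7 04 24 54 85 04 08 \tmovl   $0x8048554,(%esp)
8048411:\te8 b2 fe ff ff       \tcall   80482c8 <puts@plt>
8048423:\tc3                   \tret
"""
RODATA_BASE = 0x8048538  # constructed: the .rodata bytes objdump -D showed from here
RODATA = bytes.fromhex("696e7075742070617373776f72643a00256400737572766976652100626f6d62212e2e2e")
INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2} )+\s*(\S+)\s*(.*)$")

def parse_listing(text):
    """[(address, mnemonic, operands)] for each instruction line of the dump."""
    return [(int(m[1], 16), m[2], m[3].strip())
            for m in map(INSN_RE.match, text.splitlines()) if m]

def string_at(addr):
    """NUL-terminated string at a .rodata address, or None if addr is outside."""
    off = addr - RODATA_BASE
    return (RODATA[off:].split(b"\0", 1)[0].decode("ascii")
            if 0 <= off < len(RODATA) else None)

def string_refs(insns):
    """'Find key strings': instruction address -> string whose address it loads."""
    imm = ((a, re.match(r"\$0x([0-9a-f]+),", ops)) for a, _, ops in insns)
    return {a: string_at(int(m[1], 16)) for a, m in imm
            if m and string_at(int(m[1], 16)) is not None}

def trace(insns, guess):
    """'Find key operators': follow cmp/jne/jmp for one input value, as the gdb
    breakpoints did, and return the strings that reach puts."""
    by_addr, refs = {a: i for i, (a, _, _) in enumerate(insns)}, string_refs(insns)
    pc, zf, arg, printed = 0, False, None, []
    while pc < len(insns):
        addr, mn, ops = insns[pc]
        taken = mn == "jmp" or (mn == "jne" and not zf)   # branch decided by ZF
        if addr in refs:
            arg = refs[addr]                    # string address staged in (%esp)
        elif mn == "cmp":                       # assumes %eax holds the scanf'd value
            zf = guess == int(ops.split(",")[0][1:], 16)
        elif mn == "call" and "puts" in ops:
            printed.append(arg)
        # a taken branch follows its target; a target outside the listing ends the walk
        pc = by_addr.get(int(ops.split()[0], 16), len(insns)) if taken else pc + 1
    return printed
```

Running trace with 123 (0x7b) yields ["survive!"] and with 224 yields ["bomb!..."], matching the demo and the breakpoint hit on the "bomb" puts in the gdb session.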
Pre-requisite
Bomb!
  Binary Bomb
  Defuse Bomb
  • Using GDB
Can we do it more efficiently and safely?
• Defuse the bomb using GDB
  • set breakpoints on the critical path
  • watch registers and/or memory
  • terminate the program on demand
  • single-step execution
Command
• GDB
  • gdb <file>
  • break FUNC | *ADDR
  • run
  • print[/FMT] $REG | ADDR
  • continue | stepi | nexti
  • quit
Breakpoints: 0x80483dc “password”, 0x80483f7 “compare”, 0x8048403 “survive”, 0x8048411 “bomb”
$ gdb bomb
(gdb) break *0x80483dc
Breakpoint 1 at 0x80483dc
(gdb) break *0x80483f7
Breakpoint 2 at 0x80483f7
(gdb) break *0x8048403
Breakpoint 3 at 0x8048403
(gdb) break *0x8048411
Breakpoint 4 at 0x8048411
(gdb) run
Starting program: /home/rong/tut1/bomb
Breakpoint 1, 0x080483dc in main ()
(gdb) print/c *0x8048538
$3 = 105 'i'
(gdb) print/c *0x8048539
$4 = 110 'n'
(gdb) print/s (char *)0x8048538
$5 = 0x8048538 "input password:"
(gdb) c
Continuing.
input password:224
Breakpoint 2, 0x080483f7 in main ()
(gdb) print/d $eax
$8 = 224
(gdb) c
Continuing.
Breakpoint 4, 0x08048411 in main ()
(gdb) q
The program is running. Exit anyway? (y or n) y
$
Thanks