Csapp 3e:bomb Lab (Phase_1)

Source: Internet
Author: User

This lab took me a long time from start to finish, far more than I expected; I did not think I would need to spend this much time on it. Since it would be too long to post every phase at once, I will write them up separately.

One more thing: it is really worth getting to know gdb before you start solving the phases, because you will rely on it throughout. I had felt that some things could wait until I needed to look them up, but later I found a detailed introduction to gdb commands, printed it out, and spent a few class periods reading it. That turned out to be extremely useful, and I am much more comfortable with gdb than before. Probably I was too impatient when reading it on a web page, so it did not sink in, haha. Also, I referred to many earlier write-ups online while solving this, and I pay tribute to everyone who shared their knowledge.

My approach is to disassemble the program into text files, in two versions: objdump -d bomb > bomb_disas.s (only the sections of bomb that contain executable instructions) and objdump -D bomb > bomb_disas2.s (all sections of bomb). I keep these on the Windows side, where they are easy to view and analyze, mainly because Notepad++ is comfortable to read in. The debugging itself is done in the virtual machine.

As for gdb commands, if you have never used them, it is better to get an overview first, or you can search Baidu for each one as you encounter it while reading.

In Linux, gdb bomb opens bomb in gdb, and entering list shows the code. But the bomb lab folder also contains the source file, which shows the common pattern each phase follows, for example:

    input = read_line();             /* Get Input                    */
    phase_1(input);                  /* Run the phase                */
    phase_defused();                 /* drat!  They figured it out!  */

The function for each phase is phase_x, where x is the phase number. Looking at the assembly of the first phase's function, phase_1, we see that it calls two functions.

    0000000000400ee0 <phase_1>:
      400ee0:  sub    $0x8,%rsp
      400ee4:  mov    $0x402400,%esi
      400ee9:  callq  401338 <strings_not_equal>
      400eee:  test   %eax,%eax
      400ef0:  je     400ef7 <phase_1+0x17>
      400ef2:  callq  40143a <explode_bomb>
      400ef7:  add    $0x8,%rsp
      400efb:  retq

One is strings_not_equal, the other is explode_bomb. Take the latter first. explode_bomb is the function that makes the bomb blow up after a failed defuse; you can find it in bomb_disas.s and read through it yourself, so I will not elaborate. The other function is strings_not_equal. As the name suggests, it checks whether two strings are the same: here, whether the string you typed matches the string it points to. If they differ, the bomb explodes. Here is the code of this function.

    0000000000401338 <strings_not_equal>:
      401338:  push   %r12
      40133a:  push   %rbp
      40133b:  push   %rbx
      40133c:  mov    %rdi,%rbx                        ; %rdi holds the address of the input string
      40133f:  mov    %rsi,%rbp                        ; from phase_1 we know %rsi holds the address of the stored password string
      401342:  callq  40131b <string_length>           ; compute the length of the input
      401347:  mov    %eax,%r12d
      40134a:  mov    %rbp,%rdi
      40134d:  callq  40131b <string_length>           ; compute the length of the password
      401352:  mov    $0x1,%edx
      401357:  cmp    %eax,%r12d                       ; if the lengths differ, the bomb goes off
      40135a:  jne    40139b <strings_not_equal+0x63>
      40135c:  movzbl (%rbx),%eax                      ; zero-extend the first character of the input into %eax
      40135f:  test   %al,%al                          ; if the first character is 0, return with 0 as the return value
      401361:  je     401388 <strings_not_equal+0x50>  ; but the length check above already ran, so an empty string is not the answer
      401363:  cmp    0x0(%rbp),%al                    ; compare the first characters: equal enters the loop, otherwise the bomb goes off
      401366:  je     401372 <strings_not_equal+0x3a>  ; 0x401372 enters the loop
      401368:  jmp    40138f <strings_not_equal+0x57>
      40136a:  cmp    0x0(%rbp),%al                    ; start of the loop
      40136d:  nopl   (%rax)
      401370:  jne    401396 <strings_not_equal+0x5e>  ; the nth characters differ: the bomb goes off
      401372:  add    $0x1,%rbx                        ; advance the input string one byte to check the next character
      401376:  add    $0x1,%rbp                        ; advance the password string one byte likewise
      40137a:  movzbl (%rbx),%eax                      ; zero-extend the nth character into %eax
      40137d:  test   %al,%al
      40137f:  jne    40136a <strings_not_equal+0x32>  ; the nth character is not '\0', the string has not ended, so keep looping
      401381:  mov    $0x0,%edx
      401386:  jmp    40139b <strings_not_equal+0x63>
      401388:  mov    $0x0,%edx
      40138d:  jmp    40139b <strings_not_equal+0x63>
      40138f:  mov    $0x1,%edx
      401394:  jmp    40139b <strings_not_equal+0x63>
      401396:  mov    $0x1,%edx
      40139b:  mov    %edx,%eax
      40139d:  pop    %rbx
      40139e:  pop    %rbp
      40139f:  pop    %r12
      4013a1:  retq

The key point is that %rdi holds the address of the string you entered, and %rsi holds the address of the bomb's password string.

Back to phase_1: the second instruction loads 0x402400 into the register %esi.

    0000000000400ee0 <phase_1>:
      400ee0:  sub    $0x8,%rsp
      400ee4:  mov    $0x402400,%esi                   ; the string at 0x402400 is the answer for the first phase
      400ee9:  callq  401338 <strings_not_equal>
      400eee:  test   %eax,%eax                        ; a return value of 1 means the bomb goes off,
      400ef0:  je     400ef7 <phase_1+0x17>            ; as we know from reading strings_not_equal
      400ef2:  callq  40143a <explode_bomb>
      400ef7:  add    $0x8,%rsp                        ; view the answer with x/s 0x402400 in gdb to inspect memory
      400efb:  retq

So the answer can be read in gdb with x/s 0x402400, which prints the string stored at that address in memory.
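As an added illustration, not part of this write-up or of the bomb's own source, here is a C reimplementation of the control flow traced above: string_length, strings_not_equal with the same length check followed by the byte loop, and a phase_1 that calls explode_bomb on any non-zero result. The password string is a constructed placeholder; in the real bomb the first-phase answer sits at 0x402400 and is what x/s prints.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed placeholder for this example; the real bomb keeps the
   phase_1 password at 0x402400, which `x/s 0x402400` shows in gdb. */
static const char *PHASE_1_PASSWORD = "example password, not the bomb's";

/* Mirror of string_length: walk to the terminator, counting bytes. */
int string_length(const char *s)
{
    int n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

/* Mirror of the strings_not_equal control flow in the disassembly:
   1. if the lengths differ, return 1 at once (cmp %eax,%r12d / jne)
   2. if the first input byte is NUL, return 0 (only reachable when both
      strings are empty, because the length check has already passed)
   3. otherwise compare byte by byte until the input runs out
   Returns 1 when the strings differ, 0 when they are identical. */
int strings_not_equal(const char *input, const char *password)
{
    if (string_length(input) != string_length(password))
        return 1;                               /* 40135a: jne 40139b */
    unsigned char c = (unsigned char)input[0];  /* 40135c: movzbl (%rbx),%eax */
    if (c == '\0')
        return 0;                               /* 401361: je 401388 */
    if (c != (unsigned char)password[0])
        return 1;                               /* 401368: jmp 40138f */
    for (;;) {                                  /* 401372: loop body */
        input++;                                /* add $0x1,%rbx */
        password++;                             /* add $0x1,%rbp */
        c = (unsigned char)*input;
        if (c == '\0')
            return 0;                           /* 401381: mov $0x0,%edx */
        if (c != (unsigned char)*password)
            return 1;                           /* 401396: mov $0x1,%edx */
    }
}

/* Stand-in for explode_bomb: report the failure and stop. */
static void explode_bomb(void)
{
    puts("BOOM!!! The bomb has blown up.");
    exit(8);
}

/* Mirror of phase_1: any non-zero result from strings_not_equal goes to
   explode_bomb, exactly the test/je pair at 400eee-400ef2. */
void phase_1(const char *input)
{
    if (strings_not_equal(input, PHASE_1_PASSWORD))
        explode_bomb();
}

int main(void)
{
    char line[256];
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    line[strcspn(line, "\n")] = '\0';           /* read_line strips the newline */
    phase_1(line);
    puts("Phase 1 defused. How about the next one?");
    return 0;
}
```

The length check runs before any byte is compared, which is why the "first character is 0, return 0" path in the assembly does not make an empty line an answer: an empty input only reaches it when the password is empty too.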


Enter that string to pass the first phase.


That completes the first phase. On to the next challenge!

For me, the main reason this bomb lab dragged on so long was that I did not understand gdb, which made progress impossible. So if you come across this article later, I hope you get a good grasp of gdb first, so that you can do more with less.
