Disassemble the phase_5 function (opcode bytes omitted; the comments record what each instruction does):

0000000000401062 <phase_5>:
  401062: push   %rbx
  401063: sub    $0x20,%rsp
  401067: mov    %rdi,%rbx                    ; %rbx = address of the input string
  40106a: mov    %fs:0x28,%rax                ; load the stack-protector canary
  401073: mov    %rax,0x18(%rsp)              ; save it above the local buffer, checked before return
  401078: xor    %eax,%eax
  40107a: callq  40131b <string_length>       ; %eax = length of the input string
  40107f: cmp    $0x6,%eax
  401082: je     4010d2 <phase_5+0x70>        ; if the length is not 6, the bomb explodes
  401084: callq  40143a <explode_bomb>
  401089: jmp    4010d2 <phase_5+0x70>
  40108b: movzbl (%rbx,%rax,1),%ecx           ; loop body: %ecx = input[i], zero-extended (%rax is i)
  40108f: mov    %cl,(%rsp)                   ; keep only the low 8 bits (%ecx & 0xff), spilled to (%rsp)
  401092: mov    (%rsp),%rdx
  401096: and    $0xf,%edx                    ; together with the lines above: %edx = input[i] & 0xf
  401099: movzbl 0x4024b0(%rdx),%edx          ; %edx = byte at 0x4024b0 + that value (a table lookup)
  4010a0: mov    %dl,0x10(%rsp,%rax,1)        ; store it at 0x10(%rsp) + i, the output buffer
  4010a4: add    $0x1,%rax                    ; i += 1
  4010a8: cmp    $0x6,%rax
  4010ac: jne    40108b <phase_5+0x29>        ; loop until i == 6, the same 6 as the required length
  4010ae: movb   $0x0,0x16(%rsp)              ; terminate the buffer: buf[6] = '\0'
  4010b3: mov    $0x40245e,%esi               ; %esi = address of the answer string
  4010b8: lea    0x10(%rsp),%rdi              ; %rdi = address of the converted buffer
  4010bd: callq  401338 <strings_not_equal>   ; same routine as in the earlier phases
  4010c2: test   %eax,%eax
  4010c4: je     4010d9 <phase_5+0x77>        ; buffer matches the answer: defused
  4010c6: callq  40143a <explode_bomb>        ; the key is the relation between 0x4024b0 and 0x40245e
  4010cb: nopl   0x0(%rax,%rax,1)
  4010d0: jmp    4010d9 <phase_5+0x77>
  4010d2: mov    $0x0,%eax                    ; i = 0
  4010d7: jmp    40108b <phase_5+0x29>        ; enter the loop
  4010d9: mov    0x18(%rsp),%rax
  4010de: xor    %fs:0x28,%rax                ; canary check
  4010e7: je     4010ee <phase_5+0x8c>
  4010e9: callq  400b30 <__stack_chk_fail@plt>
  4010ee: add    $0x20,%rsp
  4010f2: pop    %rbx
  4010f3: retq
The essential points are in the comments; read together they say the following:
The phase requires a string of length 6, but the input itself is never compared with the answer string whose address is loaded into %esi before the strings_not_equal call. There is a conversion loop before that call, and %rdi points at the converted buffer on the stack (0x10(%rsp)), not at the input. That conversion is the whole point.
The conversion takes the low 4 bits of each input character (a value from 0 to 15), uses that value as an index into the table at 0x4024b0, and stores the byte found there in the stack buffer. The phase is passed when the 6-byte buffer built this way equals the string at the address in %rsi.
The first 16 bytes at 0x4024b0 (only indices 0 to 15 are reachable, because of the and $0xf):
index: 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
char:  m a d u i e r s n f o  t  v  b  y  l
The string at %esi = 0x40245e: "flyers" (the bytes copied out of the table must match this byte for byte, so case matters).
Match the two strings one character at a time: to produce "flyers" from the table you need the characters at indices (counting from 0) 9, 15, 14, 5, 6, 7, which in hex are 9, f, e, 5, 6, 7.
So as long as the low 4 bits of each character in the input string are 9, f, e, 5, 6, 7 in that order, the phase is passed. Only the low nibble of each byte is looked at, so every input character has several possible values.
For example, looking at the ASCII table (uppercase letters are 0x41 to 0x5a, lowercase 0x61 to 0x7a, so the low nibble of a letter is its position in the alphabet plus one, wrapping after 16):
Required low nibble:      9   f   e   5   6   7
Candidate letters:        I   O   N   E   F   G
                          Y   o   n   U   V   W
                          i           e   f   g
                          y           u   v   w
So the string "IONEFG" is a correct answer ('I' = 0x49, 'O' = 0x4f, 'N' = 0x4e, 'E' = 0x45, 'F' = 0x46, 'G' = 0x47). "YONEFG", "YONUVW" or "ionefg" work as well: any string is accepted as long as the low-nibble sequence is 9, f, e, 5, 6, 7. Digits and punctuation with the right low nibble (for example '9' = 0x39, '5', '6', '7') are also accepted.
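The conversion and comparison above, re-implemented in C so the reasoning can be checked and all valid inputs enumerated. This is an added example, not code from the lab or from the original post; it assumes the table bytes and the answer string are exactly the lowercase strings listed above ("maduiersnfotvbyl" at 0x4024b0 and "flyers" at 0x40245e) and models string_length/strings_not_equal with strlen/strcmp. It goes beyond the page by working backwards from the answer to the required nibbles and by counting how many printable inputs defuse the phase.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Lookup table: the first 16 bytes at 0x4024b0 in the bomb binary (assumed,
   taken from the writeup). Only indices 0..15 are reachable via "and $0xf". */
static const char TABLE[16] = {'m','a','d','u','i','e','r','s',
                               'n','f','o','t','v','b','y','l'};
/* Answer string at 0x40245e (assumed, taken from the writeup). */
static const char *const TARGET = "flyers";

/* The loop at 40108b..4010ac plus the terminating movb: out = table[input[i] & 0xf]. */
static void phase5_transform(const char *input, char out[7])
{
    for (int i = 0; i < 6; i++)
        out[i] = TABLE[(unsigned char)input[i] & 0xf];   /* and $0xf; movzbl 0x4024b0(%rdx) */
    out[6] = '\0';                                        /* movb $0x0,0x16(%rsp) */
}

/* Returns 1 if `input` defuses the phase, 0 if it would explode. */
int phase5_check(const char *input)
{
    if (strlen(input) != 6)                               /* cmp $0x6,%eax */
        return 0;
    char buf[7];
    phase5_transform(input, buf);
    return strcmp(buf, TARGET) == 0;                      /* strings_not_equal */
}

/* Work backwards: the low nibble required at input position `pos` is the
   index of TARGET[pos] in TABLE. Returns -1 if that character is not in the
   table, in which case no input at all can defuse the phase. */
int phase5_required_nibble(int pos)
{
    const char *p = memchr(TABLE, TARGET[pos], sizeof TABLE);
    return p == NULL ? -1 : (int)(p - TABLE);
}

/* Number of printable-ASCII (0x20..0x7e) inputs that defuse the phase:
   product over the 6 positions of how many printable bytes carry the
   required low nibble. */
long phase5_count_printable(void)
{
    long total = 1;
    for (int i = 0; i < 6; i++) {
        int nib = phase5_required_nibble(i);
        if (nib < 0)
            return 0;
        int choices = 0;
        for (int c = 0x20; c <= 0x7e; c++)
            if ((c & 0xf) == nib)
                choices++;
        total *= choices;
    }
    return total;
}

int main(void)
{
    for (int i = 0; i < 6; i++) {
        int nib = phase5_required_nibble(i);
        printf("position %d: '%c' is TABLE[%2d] -> low nibble 0x%x, letters:",
               i, TARGET[i], nib, nib);
        for (int c = 'A'; c <= 'z'; c++)
            if (isalpha(c) && (c & 0xf) == nib)
                printf(" %c", c);
        putchar('\n');
    }
    printf("%ld printable inputs defuse the phase\n", phase5_count_printable());

    /* Constructed candidates: the writeup's answers, a digit/punctuation
       variant, the answer string typed literally, and a wrong length. */
    const char *tries[] = {"IONEFG", "ionefg", "YONUVW", "9?>567", "Flyers", "IONEF"};
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-8s -> %s\n", tries[i], phase5_check(tries[i]) ? "defused" : "BOOM");
    return 0;
}
```

Typing the answer string "Flyers" itself explodes the bomb: 'F' is 0x46, its low nibble 6 selects 'r' from the table, and the converted buffer no longer matches. The only constraint is the low nibble of each byte, so the input need not be letters; the bomb reads one line, so the only bytes ruled out in practice are newline and NUL.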
CSAPP 3e: Bomb Lab (phase_5)