Csapp 3e:bomb Lab (Secret_phase)

Source: Internet
Author: User

This is a hidden phase that is never reached by the normal phase sequence; it has to be triggered by invoking secret_phase yourself, for example from gdb with call secret_phase or jump *0x&lt;address of secret_phase&gt;.

Disassembly of the two functions (the fun7 listing is given without comments; the handwritten figure that accompanied the original post walks through it):

0000000000401204 <fun7>:
  401204:  sub    $0x8,%rsp
  401208:  test   %rdi,%rdi
  40120b:  je     401238 <fun7+0x34>        ; if %rdi == 0, return -1
  40120d:  mov    (%rdi),%edx
  40120f:  cmp    %esi,%edx
  401211:  jle    401220 <fun7+0x1c>
  401213:  mov    0x8(%rdi),%rdi
  401217:  callq  401204 <fun7>
  40121c:  add    %eax,%eax
  40121e:  jmp    40123d <fun7+0x39>
  401220:  mov    $0x0,%eax
  401225:  cmp    %esi,%edx
  401227:  je     40123d <fun7+0x39>
  401229:  mov    0x10(%rdi),%rdi
  40122d:  callq  401204 <fun7>
  401232:  lea    0x1(%rax,%rax,1),%eax
  401236:  jmp    40123d <fun7+0x39>
  401238:  mov    $0xffffffff,%eax
  40123d:  add    $0x8,%rsp
  401241:  retq

0000000000401242 <secret_phase>:
  401242:  push   %rbx
  401243:  callq  40149e <read_line>           ; returns the address of the input string in %rax
  401248:  mov    $0xa,%edx                    ; strtol argument: read the string as base 10
  40124d:  mov    $0x0,%esi                    ; endptr = NULL, strtol argument
  401252:  mov    %rax,%rdi                    ; string address as the first argument
  401255:  callq  400bd0 <strtol@plt>
  40125a:  mov    %rax,%rbx                    ; %rax is strtol's return value, a long int
  40125d:  lea    -0x1(%rax),%eax              ; (%rax - 1), compared unsigned, must not exceed 0x3e8 (1000)
  401260:  cmp    $0x3e8,%eax
  401265:  jbe    40126c <secret_phase+0x2a>
  401267:  callq  40143a <explode_bomb>
  40126c:  mov    %ebx,%esi                    ; %esi = the long int returned by strtol
  40126e:  mov    $0x6030f0,%edi               ; address of the data structure used by fun7
  401273:  callq  401204 <fun7>
  401278:  cmp    $0x2,%eax                    ; fun7 must return 2, otherwise the bomb explodes
  40127b:  je     401282 <secret_phase+0x40>
  40127d:  callq  40143a <explode_bomb>
  401282:  mov    $0x402438,%edi
  401287:  callq  400b10 <puts@plt>
  40128c:  callq  4015c4 <phase_defused>
  401291:  pop    %rbx
  401292:  retq
  401293-40129f:  nop                          ; padding

First study secret_phase. It begins by calling read_line; stepping through it in gdb shows that after read_line returns, %rax and %rsi both hold the address of the input string and %rcx holds its length.

The three instructions after call read_line set up the arguments for strtol; mov $0xa,%edx tells strtol to interpret the string as a decimal number. For reference, strtol works as follows (any C reference will give the details):

/**************************************************************/
Header file: #include <stdlib.h>
Prototype: long int strtol(const char *nptr, char **endptr, int base)
Description: strtol() converts the string nptr to a long integer according to base. base ranges from 2 to 36, or may be 0. base selects the notation: base 10 means the string is written in decimal, base 16 means it is written in hexadecimal. When base is 0 the conversion is decimal, unless the string starts with a prefix such as '0x', in which case hexadecimal is used. strtol() first skips leading whitespace in nptr until it reaches a digit or a sign, then converts characters until it meets a non-digit or the end of the string ('\0') and returns the result. If endptr is not NULL, a pointer to the character in nptr that stopped the conversion is stored through endptr.

Return value: the converted long integer; on overflow the error code ERANGE is stored in errno.

For example:

#include <stdio.h>
#include <stdlib.h>
int main(void)
{
    char a[] = "100";
    char b[] = "100";
    char c[] = "FFFF";
    printf("a = %ld\n", strtol(a, NULL, 10));  /* 100   */
    printf("b = %ld\n", strtol(b, NULL, 2));   /* 4     */
    printf("c = %ld\n", strtol(c, NULL, 16));  /* 65535 */
    return 0;
}

/*****************************************************************/

So the input string is converted to a decimal value, and that value is then handed to fun7; to find the value fun7 accepts, we need to study fun7.

Note: in the figure, path C is missing one call to fun7.

Inside fun7, %rsi (used as %esi) always holds the converted input value.

Trace the path b ---> c ---> d as shown in the figure:

First step, B: %edx = (%rdi); %rdi is 0x6030f0, so %edx is 0x24.

This tells us %rsi is less than 0x24 (%rsi being the converted input value).

Second step, C: %rdi = (%rdi + 0x8); %rdi is now 0x603110, fun7 calls itself, and %edx = (%rdi); this time %edx is 0x8.

This tells us %rsi, although less than 0x24, is not equal to 0x8, and is greater than 0x8.

Third step, D: note that %rdi is now 0x603110, so %rdi = (%rdi + 0x10); the new %rdi is 0x603150; fun7 calls itself again and %edx = (%rdi), which is 0x16.

From here the calls can return one by one, which tells us the value of %rsi is 0x16, that is, 22 in decimal.

Therefore the string read by read_line must convert to 22 in decimal, so "22" is the correct answer.

"22" converted as a decimal number gives 22, which is 0x16, matching the result of the fun7 analysis.
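To make the path-encoding of fun7 and the checks in secret_phase concrete, here is a C re-expression of the disassembly above. This is an added example, not code from the original post or the lab; the tree is constructed from only the three nodes the walkthrough visits (0x24, 0x8, 0x16) and the remaining children are assumed NULL.

```c
/* Added example: fun7 and the secret_phase checks written out from the
 * disassembly.  The tree holds only the three nodes the walkthrough visits;
 * leaving the other children NULL is an assumption, not the bomb's real data. */
#include <stdio.h>
#include <stdlib.h>

struct node {            /* layout matches the offsets fun7 reads */
    int value;           /* (%rdi)     */
    struct node *left;   /* 0x8(%rdi)  */
    struct node *right;  /* 0x10(%rdi) */
};

/* Mirror of fun7: -1 for a NULL node, 0 on a match,
 * 2*r when descending left, 2*r+1 when descending right. */
int fun7(const struct node *n, int x)
{
    if (n == NULL)
        return -1;                     /* mov $0xffffffff,%eax */
    if (n->value > x)
        return 2 * fun7(n->left, x);   /* add %eax,%eax */
    if (n->value == x)
        return 0;                      /* mov $0x0,%eax; je */
    return 2 * fun7(n->right, x) + 1;  /* lea 0x1(%rax,%rax,1),%eax */
}

/* Constructed tree: root 0x24 (at "0x6030f0"), its left child 0x8
 * (at "0x603110"), and that node's right child 0x16 (at "0x603150"). */
static struct node n_0x16 = { 0x16, NULL, NULL };
static struct node n_0x08 = { 0x08, NULL, &n_0x16 };
static struct node n_root = { 0x24, &n_0x08, NULL };

/* Mirror of secret_phase's checks on one input line.
 * Returns 1 if the phase would be defused, 0 if the bomb would explode. */
int secret_phase_accepts(const char *line)
{
    long v = strtol(line, NULL, 10);       /* base 10, endptr NULL */
    if ((unsigned)(v - 1) > 0x3e8)         /* lea -1; cmp $0x3e8; jbe */
        return 0;
    return fun7(&n_root, (int)v) == 2;     /* cmp $0x2,%eax; je */
}

int main(void)
{
    printf("\"22\"   -> %d\n", secret_phase_accepts("22"));   /* 1: 0 -> 1 -> 2 */
    printf("\"36\"   -> %d\n", secret_phase_accepts("36"));   /* 0: root matches, returns 0 */
    printf("\"1002\" -> %d\n", secret_phase_accepts("1002")); /* 0: fails the range check */
    return 0;
}
```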

Validation (call secret_phase produced an error in gdb, so jump was used instead; 0x401242 is the entry of secret_phase):

wow!

I've defused the secret stage!

Congratulations!!!
