Csapp Lab:bomb Lab (from bomb to explosion ...)

What this experiment is going to do is to use GDB to reverse a piece of code, look at the assembly code and step through debugging to find out what this code needs you to fill in the string, as if everyone is different, so everyone needs to find their own bomb password, very interesting.

Experiment a total of 6 off, we have a close to look at:

Phase_1

Open BOMB.C to see some C source (the core method here has been deleted, only the outermost code can be seen, but to get some clues).

It is easy to find this phase_1 method is the core method of the first problem, directly reverse it, look at its assembly.

The first sentence is to open up space for the function stack, the second sentence is the key, say an immediate number assignment to%esi, and then call the strings not equal method, it is possible to use this register in the memory of our bomb-breaking string, so break point, step-by, view the contents of the%esi:

Yes, this is the key to our demolition, input, the first bomb successfully removed! You can put the answer in a text file, easy to solve later.

Phase_2

Realization of inverse phase_2 function observation

Observe read_six_numbers found this is to let us enter 6 numbers, through observation found that the input of 6 digits will be 3%rsp,%rsp+4,%rsp+8,%rsp+12...%rsp+24 these positions, then Cmpl $0x1, (%rsp This sentence is clearly can be obtained the first number is 1, and then go to see jump to 52,%rsp+4 is the second number into the%RBX, the%RBP is set to%rsp+24 (can be guessed%RBP use to determine whether the loop is exited register), and then jump to 27, Here the first number is assigned to%eax, the%eax*2 to the first number of comparisons, if the equality continues, and so on, you can find that the loop is used to determine whether the number of input is increased by one times, so the second problem of the bomb code is: 1 2 4 8 16 32

Phase_3

I first randomly entered a string, debugging found%esi in the string content of "%d%d", so that the problem requires us to enter two numbers,%eax is scanf return value, if =1 is illegal input, bomb exploded. We enter two numbers, and the jump will pass. Then found that the first number can not be greater than 7, we randomly filled out a 0, re-debug and try again, and then found that jmp to 57, go down will find%eax is the second number of answers, so the answer is 0 0xcf.

In fact, the simplest solution to this problem is to enter two numbers, followed by a single pace, you can easily determine the content of two numbers, but in fact you look at two more eyes, you will find actually here is a switch structure, the answer is not unique, jump table exists *0x402470, we print out this jump table, will be able to know all the answers to this question: the first number is index, the second number is the value of the corresponding branch assignment to%eax.

Phase_4

This problem is recursive, took a little time, but the complexity of the line, as long as step by step to follow down will be able to produce results.

Demolition key in the FUNC4 function, found that FUNC4 returned parameters eax must be 0 to not explode, we go backwards into the FUNC4

found that only when the value of%ECX and%edi is equal to the%eax assignment is 0, and%edi is our first parameter, then we just need to know the value of%ECX, by deducing that the value of ECX can be 7 3 0.

Return to Phase_4 continue to go down and find the second number of 0 to be able to dismantle the bomb.

Phase_5

Through this paragraph we can know that the question is for us to enter a string of length 6.

This section is the core code, jump to 112 after the%eax assignment to 0 to jump to 41, and then say%rbx+%rax value to%ECX,%RBX is the base address of our input content,%rax is the index, and then do the thing is actually the current character to intercept the bottom 4 bits. 55 Lines Here is a strange address, the output of this address to see the following: So here is the current character low 4 bits of the value of the index to read the string, and then the resulting characters are placed in the $rsp+16 as the starting address of the memory area.

The solution can jump out of the loop to see 76-91 lines, look at 81 lines of string "flyers",%rdi is the string we loop, and then call String_not _equal method, we know that as long as we loop the string equals "flyers" can be disassembled.

Find the "flyers" in the above-mentioned string index, and then against the ASCII table, you can get the answer, the answer is not unique, as long as the low 4-bit qualifying characters can be disassembled.

Phase_6

This problem in the use of Google's power after not very smooth completion.

Let's look at the first part.

This part is not difficult, but there is a certain complexity, a little time to figure out the logic, you can find that it is for us to enter 6 numbers, and then the 6 numbers are not equal to each other, and are not greater than 6.

The next is more difficult, did not expect to use the linked list, but also related to data alignment knowledge.

The list is stored in the 0x6032d0, the list is sorted, and finally we can get the sorted list is actually monotonically decreasing, and then the counter-push can come to our answer ~

Csapp Lab:bomb Lab (from bomb to explosion ...)