table of Contents
Lab_2 test report
Screenshots
Content inspection
The lab is mainly on the assembly instructions for a variety of familiarity and mastery of the gdb.
Answer each question
bomb1
Border relations with Canada have never been better.The answer is unique.
bomb2
1 2 4 8 16 32The answer is unique.
bomb3
6 682The answer is not unique.
The answer sheet:
| x | Y |
|---|---|
| 0 | 207(0xcf) |
| 1 | 311(0x137) |
| 2 | 707(0x2c3) |
| 3 | 256(0x100) |
| 4 | 389(0x185) |
| 5 | 206(0xce) |
| 6 | 682 (0x2aa) |
| 7 | 327(0x147) |
bomb4
0 0The answer is not unique.
The answer sheet:
| x | Y |
|---|---|
| 0 | 0 |
| 1 | 0 |
| 3 | 0 |
| 7 | 0 |
bomb5
9/.567The answer is not unique.
The answer rules:
A string of length 6, wherein the last bit ASCII code in hexadecimal form left to right of each character were: 9, e, f, 5,6,7.
bomb6
4 3 2 1 6 5The answer is unique.
Problem-solving ideas
bomb1
Only a part of the core code:
400ee4: be 00 24 40 00 mov $0x402400,%esi
400ee9: e8 4a 04 00 00 callq 401338 <strings_not_equal>
400eee: 85 c0 test %eax,%eax
400ef0: 74 05 je 400ef7 <phase_1+0x17>
400ef2: e8 43 05 00 00 callq 40143a <explode_bomb>
400ef7: 48 83 c4 08 add $0x8,%rspView function
Therefore, in conjunction with bomb1 scene can be found, call
bomb2
The core code and translation:
400f0a: 83 3c 24 01 cmpl $0x1,(%rsp)
400f0e: 74 20 je 400f30 <phase_2+0x34>
400f10: e8 25 05 00 00 callq 40143a <explode_bomb>
400f15: eb 19 jmp 400f30 <phase_2+0x34>
400f17: 8b 43 fc mov -0x4(%rbx),%eax
400f1a: 01 c0 add %eax,%eax
400f1c: 39 03 cmp %eax,(%rbx)
400f1e: 74 05 je 400f25 <phase_2+0x29>
400f20: e8 15 05 00 00 callq 40143a <explode_bomb>
400f25: 48 83 c3 04 add $0x4,%rbx
400f29: 48 39 eb cmp %rbp,%rbx
400f2c: 75 e9 jne 400f17 <phase_2+0x1b>
400f2e: eb 0c jmp 400f3c <phase_2+0x40>
400f30: 48 8d 5c 24 04 lea 0x4(%rsp),%rbx
400f35: 48 8d 6c 24 18 lea 0x18(%rsp),%rbp
400f3a: eb db jmp 400f17 <phase_2+0x1b>if(*rsp!=1)explode_bomb;
rbx=rsp+4;
rbp=rsp+24;
do
eax=rbx-4;
eax*=2;
if(eax!=(*rbx))explode_bomb;
rbx+=4;
while(rbp!=rbx);phase_2 calling
bomb3
The input section
400f51: be cf 25 40 00 mov $0x4025cf,%esi
400f56: b8 00 00 00 00 mov $0x0,%eax
400f5b: e8 90 fc ff ff callq 400bf0 <__isoc99_sscanf@plt>
400f60: 83 f8 01 cmp $0x1,%eax
400f63: 7f 05 jg 400f6a <phase_3+0x27>
400f65: e8 d0 04 00 00 callq 40143a <explode_bomb>
400f6a: 83 7c 24 08 07 cmpl $0x7,0x8(%rsp)
400f6f: 77 3c ja 400fad <phase_3+0x6a>See the gdb 0x4025cf first address string, the result "% d% d", in conjunction with the following __isoc99_sscanf @ plt understood, is asked to enter the digits 2, whether by further 0x400f63 ~ 0x400f65 "Analyzing the number of input is greater than 1 "can also come to the same conclusion. Finally, 0x400f63 ~ 0x400f6f statement indicates the first number of input non-negative number less than 7.
Branch section
400f71: 8b 44 24 08 mov 0x8(%rsp),%eax
400f75: ff 24 c5 70 24 40 00 jmpq *0x402470(,%rax,8)
400f7c: b8 cf 00 00 00 mov $0xcf,%eax
400f81: eb 3b jmp 400fbe <phase_3+0x7b>
...
400fad: e8 88 04 00 00 callq 40143a <explode_bomb>
400fb2: b8 00 00 00 00 mov $0x0,%eax
400fb7: eb 05 jmp 400fbe <phase_3+0x7b>
400fb9: b8 37 01 00 00 mov $0x137,%eax
400fbe: 3b 44 24 0c cmp 0xc(%rsp),%eax
400fc2: 74 05 je 400fc9 <phase_3+0x86>
400fc4: e8 71 04 00 00 callq 40143a <explode_bomb>The longer part of the code is not fully displayed.
The observation that, in a large part of the content is "jmp 400fbe <phase_3 + 0x7b>" statement, it should be determined branched structure, the source code should be mapped to a switch statement. The key to a conditional jump is 0x400f75 statement: "jmpq * 0x402470 (,% rax, 8)". This statement means that the jump to 0x402470 + 8 *% rax directed at the statement number of the address. Gdb can be drawn by the answers above table.
bomb4
Recursive section
Recursive part is the whole
Determine the midpoint
400fd2: 89 d0 mov %edx,%eax
400fd4: 29 f0 sub %esi,%eax
400fd6: 89 c1 mov %eax,%ecx
400fd8: c1 e9 1f shr $0x1f,%ecx
400fdb: 01 c8 add %ecx,%eax
400fdd: d1 f8 sar %eax
400fdf: 8d 0c 30 lea (%rax,%rsi,1),%ecxIn this section,% esi points to the left closed interval,% edx right end of a closed section. Essence 0x400fd2 ~ 0x400fdb statement that is the% eax =% edx-% esi, followed by the% ecx =% rsi + (% eax >> 1) This statement can be known,% ecx is the midpoint of the interval.
Relatively narrow range of size &
400fe2: 39 f9 cmp %edi,%ecx
400fe4: 7e 0c jle 400ff2 <func4+0x24>
400fe6: 8d 51 ff lea -0x1(%rcx),%edx
400fe9: e8 e0 ff ff ff callq 400fce <func4>
400fee: 01 c0 add %eax,%eax
400ff0: eb 15 jmp 401007 <func4+0x39>
400ff2: b8 00 00 00 00 mov $0x0,%eax
400ff7: 39 f9 cmp %edi,%ecx
400ff9: 7d 0c jge 401007 <func4+0x39>
400ffb: 8d 71 01 lea 0x1(%rcx),%esi
400ffe: e8 cb ff ff ff callq 400fce <func4>
401003: 8d 44 00 01 lea 0x1(%rax,%rax,1),%eax% edi number you are looking for. Comparison% ecx and% edi size, if the% ecx>% edi, showing the left section falls% edi. Thus the right end of% edx modify% rcx-1, the next layer recursion, when backtracking modify the% eax% eax * 2 . Otherwise, the right half represents% edi falling range, when the judgment% ecx and% edi are equal, if they are equal then exit the recursive part. If not equal, then the left end point to modify% esi% rcx + 1, the next layer recursion, when backtracking modify the% eax% eax +. 1 * 2 .
Input & determination section
This part in
bomb5
Phase_5 nature of input from left to right in hexadecimal last bit of each character string of ASCII code as an index look-up table after a new string to the target string matching.
Section index
40108b: 0f b6 0c 03 movzbl (%rbx,%rax,1),%ecx
40108f: 88 0c 24 mov %cl,(%rsp)
401092: 48 8b 14 24 mov (%rsp),%rdx
401096: 83 e2 0f and $0xf,%edx
401099: 0f b6 92 b0 24 40 00 movzbl 0x4024b0(%rdx),%edx
4010a0: 88 54 04 10 mov %dl,0x10(%rsp,%rax,1)
4010a4: 48 83 c0 01 add $0x1,%rax
4010a8: 48 83 f8 06 cmp $0x6,%rax
4010ac: 75 dd jne 40108b <phase_5+0x29>Translation Code:
do
ecx=rax+rbx; //movzbl
*rsp=cl;
rdx=*rsp;
edx&=0xf;
edx=*(rdx+4024b0); //movzbl
*(rsp+rax+4*4)=dl;
rax++;
while(rax!=6);This part is to walk all the characters,% rbx is read into the string first address,% edx used to store the last bit hexadecimal character ASCII code, followed by the index to% edx% rdx + 0x4024b0 place, and kept % rsp +% rax + 16 place.
Gdb debugger that led to a string 0x4024b0 address is: "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?", In which the effective term (before 16) as "maduiersnfotvbyl".
Test section
Part test is to determine whether the new string equal to the target string, that led to 0x40245e address string. Gdb debugger to know the target string is "flyers", where each character at its 9,14,15,5,6,7 position table. So pour the introduction of the input string of ASCII code in hexadecimal last one should be 9, e, f, 5,6,7.
bomb6
PS :( This phase're just extremely long ...... inside jmp instruction is very much, not paper printed really do not see ah QAQ)
Phase_6 essence is arranged in the input negated after a sequence rearranged in this reference, descending into it.
It is determined whether the arrangement
401128: 41 83 c4 01 add $0x1,%r12d
40112c: 41 83 fc 06 cmp $0x6,%r12d
401130: 74 21 je 401153 <phase_6+0x5f>
401132: 44 89 e3 mov %r12d,%ebx
401135: 48 63 c3 movslq %ebx,%rax
401138: 8b 04 84 mov (%rsp,%rax,4),%eax
40113b: 39 45 00 cmp %eax,0x0(%rbp)
40113e: 75 05 jne 401145 <phase_6+0x51>
401140: e8 f5 02 00 00 callq 40143a <explode_bomb>
401145: 83 c3 01 add $0x1,%ebx
401148: 83 fb 05 cmp $0x5,%ebx
40114b: 7e e8 jle 401135 <phase_6+0x41>Translation Code:
do
r12d++;
ebx=r12d;
do
rax=ebx; //movslq
eax=rsp+4*rax;
if(eax==*rbp)explode_bomb;
ebx++;
while(ebx<=5);
while(r12d!=6);After reading six figures, first of all it requires that each number is not more than 6, otherwise the call
Negated part
401153: 48 8d 74 24 18 lea 0x18(%rsp),%rsi
401158: 4c 89 f0 mov %r14,%rax
40115b: b9 07 00 00 00 mov $0x7,%ecx
401160: 89 ca mov %ecx,%edx
401162: 2b 10 sub (%rax),%edx
401164: 89 10 mov %edx,(%rax)
401166: 48 83 c0 04 add $0x4,%rax
40116a: 48 39 f0 cmp %rsi,%rax
40116d: 75 f1 jne 401160 <phase_6+0x6c>Translation Code:
rsi=*(rsp+4*6);
rax=r14;
do
ecx=7;
edx=ecx;
edx-=*rax;
*rax=edx; //*rax=7-*rax
rax+=4;
while(rax!=rsi);The use of a portion of the cycle, the element x into 7-x.
Section index
PS :( conditions of this part of the jump instruction particularly ...... so this part of the paper I was done, no way to put the code translation)
In the portion of each element value x is an index, to 0x6032d0 + 16 * x, the value assigned to the% rsp + 8 * x + 32. After debugging gdb found, 0x6032d0 + 16 * x point values were 332,168,924,691,477,443.
Test section
4011da: bd 05 00 00 00 mov $0x5,%ebp
4011df: 48 8b 43 08 mov 0x8(%rbx),%rax
4011e3: 8b 00 mov (%rax),%eax
4011e5: 39 03 cmp %eax,(%rbx)
4011e7: 7d 05 jge 4011ee <phase_6+0xfa>
4011e9: e8 4c 02 00 00 callq 40143a <explode_bomb>
4011ee: 48 8b 5b 08 mov 0x8(%rbx),%rbx
4011f2: 83 ed 01 sub $0x1,%ebp
4011f5: 75 e8 jne 4011df <phase_6+0xeb>Translation Code:
ebp=5;
do
rax=*(rbx+8);
eax=*rax;
if(*rbx<eax)explode_bomb;
rbx=*(rbx+8);
while(--ebp!=0);The use of a portion of the cycle, it is determined whether the sequence is descending, if the call is not
Reference
- pin