Page 1: TUTORIAL LESSON Assembly

TUTORIAL LESSON
Assembly

Institute of Parallel and Distributed Systems (iPads)
Shanghai Jiao Tong University

Rong Chen
rongchen @ sjtu.edu.cn

Page 2: TUTORIAL LESSON Assembly

OUTLINE

Pre-requisite
Bomb!

Page 3: TUTORIAL LESSON Assembly

Pre-requisite
Bomb!

Page 4: TUTORIAL LESSON Assembly

GNU Tools

GDB (Gnu DeBugger)
  Start your program
  Stop on special conditions
  Examine what has happened
  Change things in your program

Page 5: TUTORIAL LESSON Assembly

GNU Tools

GDB (Gnu DeBugger) Commands
  gdb <file>
  break FUNC | *ADDR
  run
  print[/?] $REG | ADDR
  continue | stepi | nexti
  quit

Reference: http://ipads.se.sjtu.edu.cn/courses/ics/tutorials/gdb-ref.txt

Page 6: TUTORIAL LESSON Assembly

GNU Tools

OBJDUMP (OBJect-file DUMP)
Display information from object files
  Disassemble object file
  Show file headers
  Show symbol table
  ...

Commands
  objdump -d | -D <object-file>

Page 7: TUTORIAL LESSON Assembly

080483c4 <main>:
 ...
 80483d5:  c7 04 24 38 85 04 08   movl   $0x8048538,(%esp)
 80483dc:  e8 17 ff ff ff         call   80482f8 <printf@plt>
 80483e1:  8d 45 f8               lea    0xfffffff8(%ebp),%eax
 80483e4:  89 44 24 04            mov    %eax,0x4(%esp)
 80483e8:  c7 04 24 48 85 04 08   movl   $0x8048548,(%esp)
 80483ef:  e8 e4 fe ff ff         call   80482d8 <scanf@plt>
 80483f4:  8b 45 f8               mov    0xfffffff8(%ebp),%eax
 80483f7:  83 f8 7b               cmp    $0x7b,%eax
 80483fa:  75 0e                  jne    804840a <main+0x46>
 80483fc:  c7 04 24 4b 85 04 08   movl   $0x804854b,(%esp)
 8048403:  e8 c0 fe ff ff         call   80482c8 <puts@plt>
 8048408:  eb 0c                  jmp    8048416 <main+0x52>
 804840a:  c7 04 24 54 85 04 08   movl   $0x8048554,(%esp)
 8048411:  e8 b2 fe ff ff         call   80482c8 <puts@plt>
 8048416:  b8 00 00 00 00         mov    $0x0,%eax
 ...
 8048423:  c3                     ret

Page 8: TUTORIAL LESSON Assembly

GNU Tools

Install GNU Tools
  apt-get install build-essential
  apt-get install gdb

Page 9: TUTORIAL LESSON Assembly

Pre-requisite
Bomb!
  Binary Bomb
  Defuse Bomb Using GDB

Page 10: TUTORIAL LESSON Assembly

Defuse Bomb

What is Bomb?  Only a binary file
What should you do?  Find the key and defuse the bomb!
What can you use?  Anything from the ICS course, any tools

Right key -> Survive
Wrong key -> Bomb!

Tools: gdb, strings, objdump, calculator, pencil, paper

Page 11: TUTORIAL LESSON Assembly

Please See Carefully!
A binary bomb: it needs a password to defuse it

Demo
$ ./bomb
input password: 224
bomb!...
$ ./bomb
input password: 123
survive!
$

Page 12: TUTORIAL LESSON Assembly

HACKER

Page 13: TUTORIAL LESSON Assembly

Pre-requisite
Bomb!
  Binary Bomb
  Defuse Bomb Using GDB

Page 14: TUTORIAL LESSON Assembly

Step by Step

Machine Code to Assembly Code
  objdump -D bomb > asm

NAME
  objdump - display information from object files.
SYNOPSIS
  objdump [-d|--disassemble] [-D|--disassemble-all] ...


Page 17: TUTORIAL LESSON Assembly

Step by Step

Find key functions and parameters
  scanf: where is the password stored?
  printf: which instruction will print "bomb"?


Page 23: TUTORIAL LESSON Assembly

Step by Step

Find key strings
  "bomb", "survive" and "password"


Page 25: TUTORIAL LESSON Assembly

objdump -D disassembles every section, so the .rodata bytes are shown as if they were instructions; read as ASCII they are the program's strings:

 ...
 8048538:  69 6e 70 75 74 20 70   imul   $0x70207475,0x70 ...    "input p"
 ...
 804853f:  61                     popa                           "a"
 8048540:  73 73                  ...                            "ss"
 8048542:  77 6f                  ...                            "wo"
 8048544:  72 64                  ...                            "rd"
 8048546:  3a 00                  ...                            ":\0"
 8048548:  25 64 00               ...                            "%d\0"
 804854b:  73 75                  ...                            "su"
 804854d:  72 76                  ...                            "rv"
 804854f:  69 76 65 21 00         ...                            "ive!\0"
 8048554:  62 6f 6d               ...                            "bom"
 8048557:  62 21                  ...                            "b!"
 8048559:  2e                     ...                            "."
 804855a:  2e                     ...                            "."
 804855b:  2e                     ...                            "."
 ...

Decoded: 0x8048538 "input password:\0", 0x8048548 "%d\0", 0x804854b "survive!\0", 0x8048554 "bomb!..."
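The same decoding done by a program rather than by eye, as an added example that is not part of the tutorial: a strings-style scan over the .rodata bytes from the slide that reports each NUL-terminated string with its address, so the immediates used in main can be looked up. The byte array is copied from the slide; the function and type names, and the final NUL of "bomb!..." (cut off on the slide), are assumptions.

```c
/* Added example, not from the tutorial: a strings-style scan of the .rodata
 * bytes listed on the slide, recovering each NUL-terminated printable run with
 * its address so the immediates 0x8048538, 0x8048548, 0x804854b and 0x8048554
 * used in main can be resolved.  Names and the final NUL are assumed. */
#include <stdio.h>
#include <string.h>

#define RODATA_BASE 0x8048538u
/* Bytes 0x8048538 .. 0x804855c as shown by objdump -D on the slide. */
static const unsigned char rodata[] = {
    0x69,0x6e,0x70,0x75,0x74,0x20,0x70,0x61,0x73,0x73,0x77,0x6f,0x72,0x64,0x3a,0x00,
    0x25,0x64,0x00,                                /* 8048548 "%d\0"       */
    0x73,0x75,0x72,0x76,0x69,0x76,0x65,0x21,0x00,  /* 804854b "survive!\0" */
    0x62,0x6f,0x6d,0x62,0x21,0x2e,0x2e,0x2e,0x00,  /* 8048554 "bomb!...\0" */
};

struct found { unsigned addr; char text[32]; };

/* Scan buf (mapped at base) like `strings -n min_len`: a hit is a run of at
 * least min_len printable bytes (0x20..0x7e) terminated by a NUL.  Writes up
 * to max_out hits to out and returns how many were found. */
int find_strings(const unsigned char *buf, size_t len, unsigned base,
                 size_t min_len, struct found *out, int max_out)
{
    int n = 0;
    size_t start = 0;                      /* first byte of the current run */
    for (size_t i = 0; i < len && n < max_out; i++) {
        if (buf[i] >= 0x20 && buf[i] < 0x7f)
            continue;                      /* still inside a printable run */
        size_t run = i - start;
        if (buf[i] == 0 && run >= min_len && run < sizeof out->text) {
            out[n].addr = base + (unsigned)start;
            memcpy(out[n].text, buf + start, run);
            out[n].text[run] = '\0';
            n++;
        }
        start = i + 1;                     /* a new run may begin after this byte */
    }
    return n;
}

/* Resolve an immediate from the disassembly (e.g. $0x804854b) to the string
 * starting exactly there, or NULL if no string starts at that address. */
const char *string_at(unsigned addr)
{
    static struct found hits[8];
    int n = find_strings(rodata, sizeof rodata, RODATA_BASE, 2, hits, 8);
    for (int i = 0; i < n; i++)
        if (hits[i].addr == addr)
            return hits[i].text;
    return NULL;
}

int main(void)
{
    struct found hits[8];
    int n = find_strings(rodata, sizeof rodata, RODATA_BASE, 2, hits, 8);
    for (int i = 0; i < n; i++)
        printf("%08x: \"%s\"\n", hits[i].addr, hits[i].text);
    return 0;
}
```

With min_len 2 the "%d" format string is reported as well; the strings tool's default of 4 would drop it, which is why short format strings are easy to miss.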


Page 27: TUTORIAL LESSON Assembly

The listing of main with the string immediates replaced by the strings they point to:

080483c4 <main>:
 ...
 80483d5:  c7 04 24 38 85 04 08   movl   password,(%esp)
 80483dc:  e8 17 ff ff ff         call   80482f8 <printf@plt>
 80483e1:  8d 45 f8               lea    0xfffffff8(%ebp),%eax
 80483e4:  89 44 24 04            mov    %eax,0x4(%esp)
 80483e8:  c7 04 24 48 85 04 08   movl   $0x8048548,(%esp)
 80483ef:  e8 e4 fe ff ff         call   80482d8 <scanf@plt>
 80483f4:  8b 45 f8               mov    0xfffffff8(%ebp),%eax
 80483f7:  83 f8 7b               cmp    $0x7b,%eax
 80483fa:  75 0e                  jne    804840a <main+0x46>
 80483fc:  c7 04 24 4b 85 04 08   movl   survive,(%esp)
 8048403:  e8 c0 fe ff ff         call   80482c8 <puts@plt>
 8048408:  eb 0c                  jmp    8048416 <main+0x52>
 804840a:  c7 04 24 54 85 04 08   movl   bomb,(%esp)
 8048411:  e8 b2 fe ff ff         call   80482c8 <puts@plt>
 8048416:  b8 00 00 00 00         mov    $0x0,%eax
 ...
 8048423:  c3                     ret

Page 28: TUTORIAL LESSON Assembly

Step by Step

Find key operators
  jmp: changes the control flow
  cmp: how the condition is judged


Page 31: TUTORIAL LESSON Assembly

Password!  The key is the value compared at 80483f7 (cmp $0x7b,%eax): 0x7b is 123.
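The three steps above (key functions, key strings, key operators) read back into C, as an added example that is not the bomb's own source (which the slides do not show): each statement is annotated with the instructions from the listing that implement it. The names check_password, bomb_message and KEY, and the scanf return-value check, are assumptions.

```c
/* Added example, not from the tutorial: the C program that the disassembly of
 * main on the slides corresponds to, annotated with the instructions (addresses
 * from the objdump listing) that implement each statement.  The names
 * check_password, bomb_message and KEY are assumed. */
#include <stdio.h>
#include <string.h>

/* cmp $0x7b,%eax at 80483f7: the expected key is 0x7b, i.e. 123. */
#define KEY 0x7b

/* 1 when jne at 80483fa falls through to the "survive!" branch,
 * 0 when it jumps to 804840a, the "bomb!..." branch. */
int check_password(int input)
{
    return input == KEY;
}

/* The string the puts@plt call receives for a given input:
 * movl survive,(%esp) at 80483fc or movl bomb,(%esp) at 804840a. */
const char *bomb_message(int input)
{
    return check_password(input) ? "survive!" : "bomb!...";
}

int main(void)
{
    int password = 0;   /* the local at -8(%ebp): lea 0xfffffff8(%ebp),%eax */

    printf("input password:");          /* movl $0x8048538,(%esp); call printf@plt */
    /* 32-bit cdecl passes arguments on the stack: movl $0x8048548,(%esp) is the
     * "%d" format, mov %eax,0x4(%esp) is &password; then call scanf@plt. */
    if (scanf("%d", &password) != 1)    /* check assumed; the binary on the slides has none */
        return 1;
    /* mov 0xfffffff8(%ebp),%eax; cmp $0x7b,%eax; jne 804840a */
    puts(bomb_message(password));       /* call puts@plt */
    return 0;                           /* mov $0x0,%eax ... ret */
}
```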

Page 32: TUTORIAL LESSON Assembly

Pre-requisite
Bomb!
  Binary Bomb
  Defuse Bomb Using GDB

Page 33: TUTORIAL LESSON Assembly

Defuse bomb using GDB
  set breakpoints on the critical path
  watch registers and/or memory
  terminate the program on demand
  single-step execution

Can we do it more efficiently and safely?

Page 34: TUTORIAL LESSON Assembly

Command

GDB
  gdb <file>
  break FUNC | *ADDR
  run
  print[/?] $REG | ADDR
  continue | stepi | nexti
  quit


Page 36: TUTORIAL LESSON Assembly

Pages 36 to 49 build up the following GDB session one command at a time. The four breakpoints are:
  0x80483dc  "password"   (call printf@plt, the prompt)
  0x80483f7  "compare"    (cmp $0x7b,%eax)
  0x8048403  "survive"    (call puts@plt with "survive!")
  0x8048411  "bomb"       (call puts@plt with "bomb!...")

$ gdb bomb
(gdb) break *0x80483dc
Breakpoint 1 at 0x80483dc
(gdb) break *0x80483f7
Breakpoint 2 at 0x80483f7
(gdb) break *0x8048403
Breakpoint 3 at 0x8048403
(gdb) break *0x8048411
Breakpoint 4 at 0x8048411
(gdb) run
Starting program: /home/rong/tut1/bomb

Breakpoint 1, 0x080483dc in main ()
(gdb) print/c *0x8048538
$3 = 105 'i'
(gdb) print/c *0x8048539
$4 = 110 'n'
(gdb) print/s (char *)0x8048538
$5 = 0x8048538 "input password:"
(gdb) c
Continuing.
input password:224

Breakpoint 2, 0x080483f7 in main ()
(gdb) print/d $eax
$8 = 224
(gdb) c
Continuing.

Breakpoint 4, 0x08048411 in main ()
(gdb) q
The program is running. Exit anyway? (y or n) y
$

Page 50: TUTORIAL LESSON Assembly

Thanks