CSAPP bomblab phase1
最近学习了CSAPP的第三章并做了一下bomblab 感觉很有意思,接下来整理一下笔记
phase1比较简单主要是熟悉一下gdb的使用
gdb的基本用法
run:启动程序
break *addr:在指定地址打一个断点
step:使程序继续执行
stepi:单步执行
disassemble funcname:得到汇编代码
print (char*) *addr:指定类型输出指定地址的数据
x /x $rsp: 输出栈内存段指定地址的数据
phase1解析
首先执行disassemble main得到main函数的反汇编
0x0000000000400e14 <+116>: callq 0x400c20 <exit@plt>
0x0000000000400e19 <+121>: callq 0x4013a2 <initialize_bomb>
0x0000000000400e1e <+126>: mov $0x402338,%edi
0x0000000000400e23 <+131>: callq 0x400b10 <puts@plt>
0x0000000000400e28 <+136>: mov $0x402378,%edi
0x0000000000400e2d <+141>: callq 0x400b10 <puts@plt>
0x0000000000400e32 <+146>: callq 0x40149e <read_line>
0x0000000000400e37 <+151>: mov %rax,%rdi
0x0000000000400e3a <+154>: callq 0x400ee0 <phase_1>
0x0000000000400e3f <+159>: callq 0x4015c4 <phase_defused>
0x0000000000400e44 <+164>: mov $0x4023a8,%edi
0x0000000000400e49 <+169>: callq 0x400b10 <puts@plt>
0x0000000000400e4e <+174>: callq 0x40149e <read_line>
0x0000000000400e53 <+179>: mov %rax,%rdi
0x0000000000400e56 <+182>: callq 0x400efc <phase_2>
0x0000000000400e5b <+187>: callq 0x4015c4 <phase_defused>
0x0000000000400e60 <+192>: mov $0x4022ed,%edi
0x0000000000400e65 <+197>: callq 0x400b10 <puts@plt>
0x0000000000400e6a <+202>: callq 0x40149e <read_line>
0x0000000000400e6f <+207>: mov %rax,%rdi
0x0000000000400e72 <+210>: callq 0x400f43 <phase_3>
0x0000000000400e77 <+215>: callq 0x4015c4 <phase_defused>
0x0000000000400e7c <+220>: mov $0x40230b,%edi
0x0000000000400e81 <+225>: callq 0x400b10 <puts@plt>
0x0000000000400e86 <+230>: callq 0x40149e <read_line>
0x0000000000400e8b <+235>: mov %rax,%rdi
0x0000000000400e8e <+238>: callq 0x40100c <phase_4>
0x0000000000400e93 <+243>: callq 0x4015c4 <phase_defused>
0x0000000000400e98 <+248>: mov $0x4023d8,%edi
0x0000000000400e9d <+253>: callq 0x400b10 <puts@plt>
0x0000000000400ea2 <+258>: callq 0x40149e <read_line>
0x0000000000400ea7 <+263>: mov %rax,%rdi
0x0000000000400eaa <+266>: callq 0x401062 <phase_5>
0x0000000000400eaf <+271>: callq 0x4015c4 <phase_defused>
0x0000000000400eb4 <+276>: mov $0x40231a,%edi
0x0000000000400eb9 <+281>: callq 0x400b10 <puts@plt>
0x0000000000400ebe <+286>: callq 0x40149e <read_line>
0x0000000000400ec3 <+291>: mov %rax,%rdi
0x0000000000400ec6 <+294>: callq 0x4010f4 <phase_6>
0x0000000000400ecb <+299>: callq 0x4015c4 <phase_defused>
可见有六个阶段的拆除步骤,接下来执行disassemble phase_1
0x0000000000400ee0 <+0>: sub $0x8,%rsp
0x0000000000400ee4 <+4>: mov $0x402400,%esi
0x0000000000400ee9 <+9>: callq 0x401338 <strings_not_equal>
0x0000000000400eee <+14>: test %eax,%eax
0x0000000000400ef0 <+16>: je 0x400ef7 <phase_1+23>
0x0000000000400ef2 <+18>: callq 0x40143a <explode_bomb>
0x0000000000400ef7 <+23>: add $0x8,%rsp
0x0000000000400efb <+27>: retq
test eax,eax用于对eax进行and运算,je代表运算结果为0,即eax为0时跳转不引爆炸弹,根据函数名可以推断是需要某个字符串相等。进入strings_not_equal查看
0x0000000000401338 <+0>: push %r12
0x000000000040133a <+2>: push %rbp
0x000000000040133b <+3>: push %rbx
0x000000000040133c <+4>: mov %rdi,%rbx
0x000000000040133f <+7>: mov %rsi,%rbp
0x0000000000401342 <+10>: callq 0x40131b <string_length>
0x0000000000401347 <+15>: mov %eax,%r12d
0x000000000040134a <+18>: mov %rbp,%rdi
0x000000000040134d <+21>: callq 0x40131b <string_length>
0x0000000000401352 <+26>: mov $0x1,%edx
0x0000000000401357 <+31>: cmp %eax,%r12d
0x000000000040135a <+34>: jne 0x40139b <strings_not_equal+99>
0x000000000040135c <+36>: movzbl (%rbx),%eax
0x000000000040135f <+39>: test %al,%al
0x0000000000401361 <+41>: je 0x401388 <strings_not_equal+80>
0x0000000000401363 <+43>: cmp 0x0(%rbp),%al
0x0000000000401366 <+46>: je 0x401372 <strings_not_equal+58>
0x0000000000401368 <+48>: jmp 0x40138f <strings_not_equal+87>
0x000000000040136a <+50>: cmp 0x0(%rbp),%al
0x000000000040136d <+53>: nopl (%rax)
0x0000000000401370 <+56>: jne 0x401396 <strings_not_equal+94>
0x0000000000401372 <+58>: add $0x1,%rbx
0x0000000000401376 <+62>: add $0x1,%rbp
0x000000000040137a <+66>: movzbl (%rbx),%eax
0x000000000040137d <+69>: test %al,%al
0x000000000040137f <+71>: jne 0x40136a <strings_not_equal+50>
0x0000000000401381 <+73>: mov $0x0,%edx
0x0000000000401386 <+78>: jmp 0x40139b <strings_not_equal+99>
--Type <RET> for more, q to quit, c to continue without paging--c
0x0000000000401388 <+80>: mov $0x0,%edx #相等返回0结束
0x000000000040138d <+85>: jmp 0x40139b <strings_not_equal+99>
0x000000000040138f <+87>: mov $0x1,%edx
0x0000000000401394 <+92>: jmp 0x40139b <strings_not_equal+99>
0x0000000000401396 <+94>: mov $0x1,%edx #不相等返回1
0x000000000040139b <+99>: mov %edx,%eax
0x000000000040139d <+101>: pop %rbx
0x000000000040139e <+102>: pop %rbp
0x000000000040139f <+103>: pop %r12
0x00000000004013a1 <+105>: retq
rsi中存放的数据是需要比较的字符串的地址(rsi一般用于存放参数),执行命令print (char*) 0x402400得到答案Border relations with Canada have never been better.