phase_0 env#

1
wget csapp.cs.cmu.edu/3e/bomb.tar # wget -O ./bomb.tar csapp.cs.cmu.edu/3e/bomb.tar
2
tar xvf bomb.tar
3
# Bomb Lab文件目录如下：
4
# ├── bomb
5
# ├── bomb.c
6
# └── README

la as OR x/5i $pc

phase_1#

1
(gdb) disas phase_1
2
# mov    $0x402400,%esi
3
# call   0x401338 <strings_not_equal>
4
# test   %eax,%eax
5
# je     0x400ef7 <phase_1+23>
6
# call   0x40143a <explode_bomb>
7
(gdb) x/s 0x402400
8
###        "Border relations with Canada have never been better."

phase_2#

1
(gdb) disas phase_2
2
# <read_six_numbers> -- update keepgo
3
## for ()
4
(gdb) b 82
5
(gdb) r keepgo
6
(gdb) si
7
(gdb) p $rsp
8
(gdb) p *0xaddr
9
(gdb) p $eax
10
###        1 2 4 8 16 32

phase_3#

1
(gdb) disas phase_3
2
(gdb) b 89
3
(gdb) r keepgo
4
(gdb) si
5
__GI___isoc99_sscanf (s=0x603820 <input_strings+160> "test", format=0x4025cf "%d %d") at ./stdio-common/isoc99_sscanf.c:24
6
24      ./stdio-common/isoc99_sscanf.c: No such file or directory.
7
## %d %d -- update keepgo
8
(gdb) b *0x400f60
9
(gdb) b *0x400f6a
10
# -- update keepgo
11
(gdb) p $eax
12
(gdb) p *(int*)($rsp+0xc)
13
# -- update keepgo
14
## switch() // b *0x400fbe
15
###        <0,207> <1,311> <2,707> <3,256> <4,389> <5,206> <6,682>

phase_4#

1
(gdb) disas phase_4
2
(gdb) b 95
3
(gdb) r keepgo
4
## same debug
5
###        0 0

phase_5#

1
(gdb) disas phase_5
2
(gdb) b 95
3
(gdb) r keepgo
4
# call   40131b <string_length>
5
(gdb) b *0x4010d2
6
# movzbl (%rbx,%rax,1),%ecx
7
# mov    %cl,(%rsp)
8
# mov    (%rsp),%rdx
9
# and    $0xf,%edx
10
# movzbl 0x4024b0(%rdx),%edx
11
# mov    %dl,0x10(%rsp,%rax,1)
12
# mov    (%rsp),%rdx
13
(gdb) p *(char*)($rbx+offset)
14
(gdb) x/s $rbx
15
(gdb) b *0x401099
16
(gdb) x/s 0x4024b0
17
## 0x4024b0 <array.3449>:  "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"
18
(gdb) p $edx
19
## $1 = 97
20
## for (str[idx]) ?
21

22
(gdb) b *0x4010b8
23
(gdb) x/s 0x40245e
24
## 0x40245e:       "flyers"
25
(gdb) x/s $rdi
26
# 0x7fffffffde40: "aiuier" # test (adcbef)
27
##   9 15 14 5 6 7
28
## & 00001111
29
## 01001001 -> I
30
## 01001111 -> O
31
## 01001110 -> N
32
## 01000101 -> E
33
## 01000110 -> F
34
## 01000111 -> G
35
### IONEFG

phase_6#

1
(gdb) disas phase_6
2
(gdb) b 108
3
(gdb) r keepgo
4
(gdb) b *0x40111e
5
## for () for (jne)  -- update keepgo
6
(gdb) b *0x401153
7
(gdb) p *(int*)($rax)
8
# mov    %ecx,%edx   # edx = 7
9
# sub    (%rax),%edx # edx -= *rax
10
# mov    %edx,(%rax) # mov back
11
(gdb) p *$ecx
12
(gdb) p *0x6032d0
13
$6 = 332 # ?
14
(gdb) x/32d 0x6032d0
15
# 0x6032d0 <node1>:       332     1       6304480 0
16
# 0x6032e0 <node2>:       168     2       6304496 0
17
# 0x6032f0 <node3>:       924     3       6304512 0
18
# 0x603300 <node4>:       691     4       6304528 0
19
# 0x603310 <node5>:       477     5       6304544 0
20
# 0x603320 <node6>:       443     6       0       0
21
(gdb) x/12a 0x6032d0
22
# 0x6032d0 <node1>:       0x10000014c     0x6032e0 <node2>
23
# 0x6032e0 <node2>:       0x2000000a8     0x6032f0 <node3>
24
# 0x6032f0 <node3>:       0x30000039c     0x603300 <node4>
25
# 0x603300 <node4>:       0x4000002b3     0x603310 <node5>
26
# 0x603310 <node5>:       0x5000001dd     0x603320 <node6>
27
# 0x603320 <node6>:       0x6000001bb     0x0
28
## std::list && sizeof(node)==16
29
## { int val; int idx; node* next; }
30
(gdb) b *0x401176
31
(gdb) r keepgo
32
(gdb) p *$rdx
33
## std::reverse(list)
34
(gdb) b *0x4011bd
35
(gdb) p *(node*)($rax)
36
# mov    (%rax),%rdx
37
# mov    %rdx,0x8(%rcx)
38
## node[i].next = node[i-1]
39
(gdb) b *0x4011d2
40
(gdb) p /x $rdx
41
$1 = 0x6032d0 # node1
42
# mov    0x8(%rbx),%rax
43
# mov    (%rax),%eax
44
# cmp    %eax,(%rbx)
45
# jge    4011ee <phase_6+0xfa>
46
# call   40143a <explode_bomb>
47
## jge list
48
## -- update keepgo
49
##      1   2   3   4   5   6
50
##    332 168 924 691 477 443
51
##  =>  3   4   5   6   1   2
52
### =>  4   3   2   1   6   5