TUTORIAL LESSON: Assembly
Institute of Parallel and Distributed Systems (iPads), Shanghai Jiao Tong University
Rong Chen, rongchen@sjtu.edu.cn
OUTLINE
Pre-requisite
Bomb!

Pre-requisite
GNU Tools
GDB (GNU DeBugger)
Start your program
Stop on special conditions
Examine what has happened
Change things in your program
GNU Tools
GDB (GNU DeBugger) Commands
gdb <file>
break FUNC | *ADDR
run
print/<f> $REG | ADDR      (format f: c, d, s, x, ...)
continue | stepi | nexti
quit
Reference: http://ipads.se.sjtu.edu.cn/courses/ics/tutorials/gdb-ref.txt
GNU Tools
OBJDUMP (OBJect-file DUMP): display information from object files
Disassemble object file
Show file headers
Show symbol table
...
Commands: objdump -d | -D <object-file>
Example objdump output, the main function of the bomb binary:

```asm
080483c4 <main>:
 ...
 80483d5: c7 04 24 38 85 04 08    movl   $0x8048538,(%esp)
 80483dc: e8 17 ff ff ff          call   80482f8 <printf@plt>
 80483e1: 8d 45 f8                lea    0xfffffff8(%ebp),%eax
 80483e4: 89 44 24 04             mov    %eax,0x4(%esp)
 80483e8: c7 04 24 48 85 04 08    movl   $0x8048548,(%esp)
 80483ef: e8 e4 fe ff ff          call   80482d8 <scanf@plt>
 80483f4: 8b 45 f8                mov    0xfffffff8(%ebp),%eax
 80483f7: 83 f8 7b                cmp    $0x7b,%eax
 80483fa: 75 0e                   jne    804840a <main+0x46>
 80483fc: c7 04 24 4b 85 04 08    movl   $0x804854b,(%esp)
 8048403: e8 c0 fe ff ff          call   80482c8 <puts@plt>
 8048408: eb 0c                   jmp    8048416 <main+0x52>
 804840a: c7 04 24 54 85 04 08    movl   $0x8048554,(%esp)
 8048411: e8 b2 fe ff ff          call   80482c8 <puts@plt>
 8048416: b8 00 00 00 00          mov    $0x0,%eax
 ...
 8048423: c3                      ret
```
GNU Tools
Install GNU Tools
apt-get install build-essential
apt-get install gdb
Bomb!
Binary Bomb
Defuse Bomb Using GDB
Defuse Bomb
What is a bomb? Only a binary file.
What should you do? Find the key and defuse the bomb!
What can you use? Anything from the ICS course, any tools: gdb, objdump, strings, a calculator, pencil and paper.
Right key: survive. Wrong key: Bomb!
Please watch carefully! A binary bomb needs a password to defuse it.

Demo

```
$ ./bomb
input password:224
bomb!...
$
$ ./bomb
input password:123
survive!
```
HACKER

Binary Bomb
Step by Step
Machine Code to Assembly Code: objdump -D bomb > asm

NAME
    objdump - display information from object files.
SYNOPSIS
    objdump [-d|--disassemble] [-D|--disassemble-all] ...
Step by Step
Find key functions and parameters
scanf: where is the password stored?
printf/puts: which instruction prints "bomb"?
Step by Step
Find key strings: "bomb", "survive" and "password"
080483c4 <main>: ... 80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp) 80483dc: e8 17 ff ff ff call 80482f8 <printf@plt> 80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax 80483e4: 89 44 24 04 mov %eax,0x4(%esp) 80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp) 80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt> 80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax 80483f7: 83 f8 7b cmp $0x7b,%eax 80483fa: 75 0e jne 804840a <main+0x46> 80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp) 8048403: e8 c0 fe ff ff call 80482c8 <puts@plt> 8048408: eb 0c jmp 8048416 <main+0x52> 804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp) 8048411: e8 b2 fe ff ff call 80482c8 <puts@plt> 8048416: b8 00 00 00 00 mov $0x0,%eax ... 8048423: c3 ret
![Page 25: T UTORIAL L ESSON Assembly](https://reader030.vdocuments.mx/reader030/viewer/2022012900/56816147550346895dd0c47a/html5/thumbnails/25.jpg)
objdump -D also disassembles the .rodata section, so the string constants show up as meaningless instructions. Read the raw bytes as ASCII instead:

```asm
 ...
 8048538: 69 6e 70 75 74 20 70    imul   $0x70207475,0x70...   ; "input p"
 804853f: 61                      popa                         ; "a"
 8048540: 73 73                   ...                          ; "ss"
 8048542: 77 6f                   ...                          ; "wo"
 8048544: 72 64                   ...                          ; "rd"
 8048546: 3a 00                   ...                          ; ":\0"
 8048548: 25 64 00                ...                          ; "%d\0"
 804854b: 73 75                   ...                          ; "su"
 804854d: 72 76                   ...                          ; "rv"
 804854f: 69 76 65 21 00          ...                          ; "ive!\0"
 8048554: 62 6f 6d                ...                          ; "bom"
 8048557: 62 21                   ...                          ; "b!"
 8048559: 2e                      ...                          ; "."
 804855a: 2e                      ...                          ; "."
 804855b: 2e                      ...                          ; "."
 ...
```

So 0x8048538 is "input password:", 0x8048548 is "%d" (the scanf format), 0x804854b is "survive!" and 0x8048554 is "bomb!...".
The same listing with each string address annotated with the string it points to:

```asm
080483c4 <main>:
 ...
 80483d5: c7 04 24 38 85 04 08    movl   $0x8048538,(%esp)    # "input password:"
 80483dc: e8 17 ff ff ff          call   80482f8 <printf@plt>
 80483e1: 8d 45 f8                lea    0xfffffff8(%ebp),%eax
 80483e4: 89 44 24 04             mov    %eax,0x4(%esp)
 80483e8: c7 04 24 48 85 04 08    movl   $0x8048548,(%esp)    # "%d"
 80483ef: e8 e4 fe ff ff          call   80482d8 <scanf@plt>
 80483f4: 8b 45 f8                mov    0xfffffff8(%ebp),%eax
 80483f7: 83 f8 7b                cmp    $0x7b,%eax
 80483fa: 75 0e                   jne    804840a <main+0x46>
 80483fc: c7 04 24 4b 85 04 08    movl   $0x804854b,(%esp)    # "survive!"
 8048403: e8 c0 fe ff ff          call   80482c8 <puts@plt>
 8048408: eb 0c                   jmp    8048416 <main+0x52>
 804840a: c7 04 24 54 85 04 08    movl   $0x8048554,(%esp)    # "bomb!..."
 8048411: e8 b2 fe ff ff          call   80482c8 <puts@plt>
 8048416: b8 00 00 00 00          mov    $0x0,%eax
 ...
 8048423: c3                      ret
```
Step by Step
Find key operators
jmp/jne: changes the control flow
cmp: how the condition is judged
Password! scanf("%d", ...) stores the number at -0x8(%ebp); it is loaded into %eax and compared with 0x7b, and jne jumps to the "bomb!..." branch unless the two are equal. 0x7b is 123, so the password is 123.
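As an added example, not part of the original slides, the following Python script automates the three steps above over the listing and .rodata bytes shown on the slides: it parses objdump's text, recovers each call's stack arguments (32-bit cdecl, so the first argument is whatever was stored at (%esp) and the second at 0x4(%esp)), resolves string pointers, and reads the cmp/jne pair to tell which input reaches "survive!". The listing and bytes are copied from the slides (the NUL after "bomb!..." is assumed, the slide cuts off there); every function and variable name is the example's own, and the argument recovery is a deliberately simple backwards walk that handles only the immediate and lea patterns that appear in this listing.

```python
"""Added example (not from the original slides): automate the Step by Step
checks on the bomb's disassembly.  LISTING and RODATA are copied from the
slides; every name below is this example's own."""
import re
from collections import namedtuple

LISTING = """\
80483d5: c7 04 24 38 85 04 08  movl   $0x8048538,(%esp)
80483dc: e8 17 ff ff ff        call   80482f8 <printf@plt>
80483e1: 8d 45 f8              lea    0xfffffff8(%ebp),%eax
80483e4: 89 44 24 04           mov    %eax,0x4(%esp)
80483e8: c7 04 24 48 85 04 08  movl   $0x8048548,(%esp)
80483ef: e8 e4 fe ff ff        call   80482d8 <scanf@plt>
80483f4: 8b 45 f8              mov    0xfffffff8(%ebp),%eax
80483f7: 83 f8 7b              cmp    $0x7b,%eax
80483fa: 75 0e                 jne    804840a <main+0x46>
80483fc: c7 04 24 4b 85 04 08  movl   $0x804854b,(%esp)
8048403: e8 c0 fe ff ff        call   80482c8 <puts@plt>
8048408: eb 0c                 jmp    8048416 <main+0x52>
804840a: c7 04 24 54 85 04 08  movl   $0x8048554,(%esp)
8048411: e8 b2 fe ff ff        call   80482c8 <puts@plt>
"""
# .rodata bytes from 0x8048538 as the slides show them; the NUL after "bomb!..." is assumed
RODATA_BASE = 0x8048538
RODATA = bytes.fromhex("696e7075742070617373776f72643a00" "256400"
                       "737572766976652100" "626f6d62212e2e2e00")

Instr = namedtuple("Instr", "addr mnem ops")
LINE_RE = re.compile(r"^\s*([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+(\w+)\s*(.*)$")
IMM_RE = re.compile(r"\$0x([0-9a-f]+)")
PLT_RE = re.compile(r"<(\w+)@plt>")

def parse_listing(text):
    """Keep (address, mnemonic, operands) of every instruction line objdump printed."""
    return [Instr(int(m.group(1), 16), m.group(2), m.group(3).strip())
            for m in map(LINE_RE.match, text.splitlines()) if m]

def cstring_at(addr):
    """Follow a pointer into .rodata and read the NUL-terminated string there."""
    off = addr - RODATA_BASE
    if not 0 <= off < len(RODATA):
        raise ValueError(f"{addr:#x} is outside the known .rodata bytes")
    return RODATA[off:RODATA.index(b"\0", off)].decode("ascii")

def callee(ins):
    m = PLT_RE.search(ins.ops)
    return m.group(1) if m else ins.ops

def call_args(instrs, i):
    """Recover the stack arguments of the call at instrs[i]: 32-bit cdecl puts
    arg0 at (%esp) and arg1 at 0x4(%esp).  Walk back only to the previous call."""
    arg0 = arg1 = None
    for ins in reversed(instrs[:i]):
        if ins.mnem == "call":
            break
        if ins.ops.endswith(",(%esp)") and (m := IMM_RE.search(ins.ops)):
            try:
                arg0 = cstring_at(int(m.group(1), 16))   # a string pointer ...
            except ValueError:
                arg0 = int(m.group(1), 16)               # ... or a plain number
        elif ins.ops.endswith(",0x4(%esp)"):
            arg1 = ins.ops.split(",")[0]                 # register that held arg1
        elif arg1 and ins.mnem == "lea" and ins.ops.endswith("," + arg1):
            disp, base = re.match(r"0x([0-9a-f]+)\((%\w+)\)", ins.ops).groups()
            off = int(disp, 16) - ((1 << 32) if int(disp, 16) >> 31 else 0)
            arg1 = f"{off:#x}({base})"                   # -0x8(%ebp): a stack local
    return arg0, arg1

def find_calls(instrs):
    """Step 1: key functions and their parameters."""
    return [(ins.addr, callee(ins), *call_args(instrs, i))
            for i, ins in enumerate(instrs) if ins.mnem == "call"]

def printed_after(instrs, i):
    """Fall straight through from instrs[i] to the next puts/printf; return its string."""
    for j in range(i, len(instrs)):
        if instrs[j].mnem == "call" and callee(instrs[j]) in ("puts", "printf"):
            return call_args(instrs, j)[0]
        if instrs[j].mnem in ("jmp", "ret"):
            return None

def find_decision(instrs):
    """Step 3: the cmp immediate and which string each side of the jcc prints."""
    i = next(k for k, ins in enumerate(instrs) if ins.mnem == "cmp")
    imm = int(IMM_RE.search(instrs[i].ops).group(1), 16)
    jcc = instrs[i + 1]                                  # jne/je right after cmp
    target = int(jcc.ops.split()[0], 16)
    taken = printed_after(instrs, next(k for k, ins in enumerate(instrs) if ins.addr == target))
    fallthrough = printed_after(instrs, i + 2)
    on_equal, on_differ = (fallthrough, taken) if jcc.mnem == "jne" else (taken, fallthrough)
    return {"cmp_addr": instrs[i].addr, "imm": imm, "jcc": jcc.mnem,
            "on_equal": on_equal, "on_differ": on_differ}

def solve(listing=LISTING):
    instrs = parse_listing(listing)
    d = find_decision(instrs)
    return {"calls": find_calls(instrs), "decision": d,
            "password": d["imm"] if d["on_equal"] == "survive!" else None}

if __name__ == "__main__":
    r = solve()
    for addr, name, a0, a1 in r["calls"]:
        print(f"{addr:#x}: {name}({a0!r}{', ' + a1 if a1 else ''})")
    print(f"compare with {r['decision']['imm']:#x}; password: {r['password']}")
```

Running it lists each call with its recovered arguments (scanf's second argument comes out as -0x8(%ebp), the stack slot the password is stored in), the compare constant, and the password 123. The same walk works for any phase that ends in cmp followed by je/jne, provided the strings it reaches are inside the RODATA buffer; a phase that compares against a computed value rather than an immediate needs the dynamic approach with GDB that follows.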
Defuse Bomb Using GDB
Defuse bomb using GDB
Set breakpoints on the critical path
Watch registers and/or memory
Terminate the program on demand
Single-step execution

Can we do it more efficiently and safely?
The session below puts a breakpoint on each point of the critical path:

0x80483dc  "password"  the call to printf
0x80483f7  "compare"   cmp $0x7b,%eax
0x8048403  "survive"   the call to puts on the equal path
0x8048411  "bomb"      the call to puts on the not-equal path

```
$ gdb bomb
(gdb) break *0x80483dc
Breakpoint 1 at 0x80483dc
(gdb) break *0x80483f7
Breakpoint 2 at 0x80483f7
(gdb) break *0x8048403
Breakpoint 3 at 0x8048403
(gdb) break *0x8048411
Breakpoint 4 at 0x8048411
(gdb) run
Starting program: /home/rong/tut1/bomb

Breakpoint 1, 0x080483dc in main ()
(gdb) print/c *0x8048538
$3 = 105 'i'
(gdb) print/c *0x8048539
$4 = 110 'n'
(gdb) print/s (char *)0x8048538
$5 = 0x8048538 "input password:"
(gdb) c
Continuing.
input password:224

Breakpoint 2, 0x080483f7 in main ()
(gdb) print/d $eax
$8 = 224
(gdb) c
Continuing.

Breakpoint 4, 0x08048411 in main ()
(gdb) q
The program is running.  Exit anyway? (y or n) y
$
```

At breakpoint 2, %eax holds the value scanf just read (224), which is about to be compared with 0x7b. Because the wrong guess stops at breakpoint 4, on the call that would print "bomb!...", quitting there means the bomb never actually goes off; that is the "safely" part. GDB can also change things in the program, so the same stop points let you test the other path without restarting: at breakpoint 2, set $eax = 123 and continue, and execution stops at breakpoint 3, the "survive" call.
Thanks