TUTORIAL LESSON: GNU Tools
Institute of Parallel and Distributed System (iPads), Shanghai Jiao Tong University
Rong Chen, rongchen@sjtu.edu.cn
OUTLINE
  Pre-requisite
  Debugging
  Bomb!
Pre-requisite
GNU Tools
GDB (GNU DeBugger)
  Start your program
  Stop on special conditions
  Examine what has happened
  Change things in your program
Institute of Parallel and Distributed System (iPads), SJTU
GNU Tools
GDB (GNU DeBugger) commands
  gdb <file>
  break FUNC | *ADDR
  run
  print/<fmt> $REG | ADDR
  continue | stepi | nexti
  quit
Reference: http://ipads.se.sjtu.edu.cn/courses/ics/tutorials/gdb-ref.txt
GNU Tools
OBJDUMP (OBJect-file DUMP): display information from object files
  Disassemble object file
  Show file headers
  Show symbol table
  ...
Commands: objdump -d | -D <object-file>
Example objdump output (the bomb's main):

    080483c4 <main>:
    ...
     80483d5: c7 04 24 38 85 04 08  movl   $0x8048538,(%esp)
     80483dc: e8 17 ff ff ff        call   80482f8 <printf@plt>
     80483e1: 8d 45 f8              lea    0xfffffff8(%ebp),%eax
     80483e4: 89 44 24 04           mov    %eax,0x4(%esp)
     80483e8: c7 04 24 48 85 04 08  movl   $0x8048548,(%esp)
     80483ef: e8 e4 fe ff ff        call   80482d8 <scanf@plt>
     80483f4: 8b 45 f8              mov    0xfffffff8(%ebp),%eax
     80483f7: 83 f8 7b              cmp    $0x7b,%eax
     80483fa: 75 0e                 jne    804840a <main+0x46>
     80483fc: c7 04 24 4b 85 04 08  movl   $0x804854b,(%esp)
     8048403: e8 c0 fe ff ff        call   80482c8 <puts@plt>
     8048408: eb 0c                 jmp    8048416 <main+0x52>
     804840a: c7 04 24 54 85 04 08  movl   $0x8048554,(%esp)
     8048411: e8 b2 fe ff ff        call   80482c8 <puts@plt>
     8048416: b8 00 00 00 00        mov    $0x0,%eax
    ...
     8048423: c3                    ret
GNU Tools
Install GNU Tools
  apt-get install build-essential
  apt-get install gdb
Debugging
  Bug & Warning
Bug & Warning

    Bug                                  Fix
    Grammar:    int a b;                 int a, b;
    Semantics:  int a[2]; a[2]=2;        a[0]=2;
    Warning:    int a; b=a;              int a=0; b=a;
Debugging
Debugging
Debugging = Find + Fix
Core Competency!
Compiling (HINT: don't miss warnings): gcc -Wall -o test test.c
Debugging (HINT: code review first): gdb test
Debugging
Debugging = Find + Fix + Experience
Example #1: "Segmentation fault"
Example #2:
    test.c:6: error: expected ‘,’ or ‘;’ before ‘struct’
    test.c:9: warning: data definition has no type or storage class
    test.c:9: warning: type defaults to ‘int’ in ...
    test.c:16: warning: (near initialization for ‘s’)
    test.c:16: error: storage size of ‘s’ isn’t known
    test.c:21: error: request for member ‘a’ in something not a structure or union
    test.c:16: warning: unused variable ‘s’
Debugging
  Examples
Examples: errors
Example #1:
    test.c: In function ‘main’:
    test.c:18: warning: implicit declaration of function ‘malloc’
Example #2:
    test.c:6: error: expected ‘,’ or ‘;’ before ‘struct’
Example #3:
    test.c:18: error: ‘j’ undeclared (first use in this function)
Example #4:
    test.c:18: error: expected ‘;’ before ‘)’ token
    test.c:18: error: expected statement before ‘)’ token
Example #5:
    test.c:27: error: conflicting types for ‘test’
    test.c:4: note: previous declaration of ‘test’ was here
Examples: warnings
Example #1:
    test.c:22: warning: ‘x’ is used uninitialized in this function
Example #2:
    test.c:16: warning: unused variable ‘s’
Example #3:
    test.c:19: warning: too few arguments for format
    test.c:22: warning: ‘x’ is used uninitialized in this function
Example #4:
    test.c: In function ‘main’:
    test.c:24: warning: control reaches end of non-void function
Example #5:
    test.c: In function ‘test’:
    test.c:30: warning: assignment makes pointer from integer without a cast
It's a joke ^o^
It's a "Hello world!":

    int main(void) { printf("hello world!\n"); return 0; }

How about this code?

    int main(void) { printf("hello world!\n"); return 0; }

http://ipads.se.sjtu.edu.cn/courses/ics
Bomb!
  Binary Bomb
Defuse Bomb
What is a Bomb?       Only a binary file
What should you do?   Find the key and defuse the bomb!
What can you use?     Anything from the ICS course, any tools
                      (gdb, strings, objdump, calculator, pencil and paper)

    Right key -> Survive
    Wrong key -> Bomb!
Please See Carefully!
A binary bomb: it needs a password to defuse it.

Demo:

    $ ./bomb
    input password: 224
    bomb!...
    $ ./bomb
    input password: 123
    survive!
HACKER
Bomb!
  Defuse Bomb
Step by Step
Machine code to assembly code: objdump -D bomb > asm

    NAME
        objdump - display information from object files.
    SYNOPSIS
        objdump [-d|--disassemble] [-D|--disassemble-all] ...
Step by Step
Find key functions and parameters
  scanf: where is the password stored?
  printf: which instruction will print "bomb"?
Find key strings: "bomb", "survive" and "password"
The data bytes those addresses point to (objdump -D decodes them as if they were instructions):

    ...
     8048538: 69 6e 70 75 74 20 70  imul   $0x70207475,0x70 ...
     804853f: 61                    popa
     8048540: 73 73                 ...
     8048542: 77 6f                 ...
     8048544: 72 64                 ...
     8048546: 3a 00                 ...
     8048548: 25 64 00              ...
     804854b: 73 75                 ...
     804854d: 72 76                 ...
     804854f: 69 76 65 21 00        ...
     8048554: 62 6f 6d              ...
     8048557: 62 21                 ...
     8048559: 2e                    ...
     804855a: 2e                    ...
     804855b: 2e                    ...
    ...

Read as ASCII: 0x8048538 "input password:\0", 0x804854b "survive!\0", 0x8048554 "bomb!..."
The same listing with the string addresses replaced by what they point to:

    080483c4 <main>:
    ...
     80483d5: c7 04 24 38 85 04 08  movl   password,(%esp)
     80483dc: e8 17 ff ff ff        call   80482f8 <printf@plt>
     80483e1: 8d 45 f8              lea    0xfffffff8(%ebp),%eax
     80483e4: 89 44 24 04           mov    %eax,0x4(%esp)
     80483e8: c7 04 24 48 85 04 08  movl   $0x8048548,(%esp)
     80483ef: e8 e4 fe ff ff        call   80482d8 <scanf@plt>
     80483f4: 8b 45 f8              mov    0xfffffff8(%ebp),%eax
     80483f7: 83 f8 7b              cmp    $0x7b,%eax
     80483fa: 75 0e                 jne    804840a <main+0x46>
     80483fc: c7 04 24 4b 85 04 08  movl   survive,(%esp)
     8048403: e8 c0 fe ff ff        call   80482c8 <puts@plt>
     8048408: eb 0c                 jmp    8048416 <main+0x52>
     804840a: c7 04 24 54 85 04 08  movl   bomb,(%esp)
     8048411: e8 b2 fe ff ff        call   80482c8 <puts@plt>
     8048416: b8 00 00 00 00        mov    $0x0,%eax
    ...
     8048423: c3                    ret
Find key operators
  jmp: changes the control flow
  cmp: how the condition is judged
Password !
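The three "Step by Step" searches (key functions, key strings, key operators) scripted over the objdump output instead of read by eye, as an added example that is not part of the tutorial: the listing and data bytes from the slides are pasted in as constructed sample input, and every function name here (parse_listing, triage and so on) is this example's own.

```python
import re
from collections import namedtuple

# Constructed input: the <main> listing and the data bytes shown on the slides,
# pasted as literals so the script runs offline (no bomb binary needed).
MAIN_LISTING = """
080483c4 <main>:
 80483d5: c7 04 24 38 85 04 08  movl   $0x8048538,(%esp)
 80483dc: e8 17 ff ff ff        call   80482f8 <printf@plt>
 80483e1: 8d 45 f8              lea    0xfffffff8(%ebp),%eax
 80483e4: 89 44 24 04           mov    %eax,0x4(%esp)
 80483e8: c7 04 24 48 85 04 08  movl   $0x8048548,(%esp)
 80483ef: e8 e4 fe ff ff        call   80482d8 <scanf@plt>
 80483f4: 8b 45 f8              mov    0xfffffff8(%ebp),%eax
 80483f7: 83 f8 7b              cmp    $0x7b,%eax
 80483fa: 75 0e                 jne    804840a <main+0x46>
 80483fc: c7 04 24 4b 85 04 08  movl   $0x804854b,(%esp)
 8048403: e8 c0 fe ff ff        call   80482c8 <puts@plt>
 8048408: eb 0c                 jmp    8048416 <main+0x52>
 804840a: c7 04 24 54 85 04 08  movl   $0x8048554,(%esp)
 8048411: e8 b2 fe ff ff        call   80482c8 <puts@plt>
 8048416: b8 00 00 00 00        mov    $0x0,%eax
 8048423: c3                    ret
"""
# objdump -D decodes .rodata as if it were code; only address and bytes matter here.
DATA_LISTING = """
 8048538: 69 6e 70 75 74 20 70  imul   $0x70207475,0x70
 804853f: 61                    popa
 8048540: 73 73 77 6f 72 64 3a 00
 8048548: 25 64 00
 804854b: 73 75 72 76 69 76 65 21 00
 8048554: 62 6f 6d 62 21 2e 2e 2e
"""

Insn = namedtuple("Insn", "addr raw mnem ops")
LINE_RE = re.compile(r"^\s*(?P<addr>[0-9a-f]+):\s+(?P<raw>(?:[0-9a-f]{2}(?:\s|$))+)"
                     r"\s*(?P<mnem>[a-z]\w*)?\s*(?P<ops>.*)$")
CALL_RE = re.compile(r"^[0-9a-f]+ <(?P<sym>[^>]+)>$")
IMM_RE = re.compile(r"^\$0x(?P<imm>[0-9a-f]+),")

def parse_listing(text):
    """objdump lines -> Insn records; labels, '...' elisions and blanks are skipped."""
    insns = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        raw = bytes.fromhex("".join(m["raw"].split()))
        insns.append(Insn(int(m["addr"], 16), raw, m["mnem"] or "", m["ops"].strip()))
    return insns

def read_cstring(mem, addr):
    """Read up to the NUL terminator, or to the end of what objdump showed."""
    out = bytearray()
    while mem.get(addr, 0) != 0:
        out.append(mem[addr])
        addr += 1
    return out.decode("ascii", "replace")

def find_calls(insns):
    """Key functions: each call site and the PLT symbol it resolves to."""
    return [(i.addr, CALL_RE.match(i.ops)["sym"])
            for i in insns if i.mnem == "call" and CALL_RE.match(i.ops)]

def find_string_args(insns, mem):
    """Key strings: movl $addr,(%esp) passes a pointer as the first argument."""
    found = []
    for i in insns:
        m = IMM_RE.match(i.ops) if i.mnem == "movl" and i.ops.endswith("(%esp)") else None
        if m and int(m["imm"], 16) in mem:
            found.append((i.addr, int(m["imm"], 16), read_cstring(mem, int(m["imm"], 16))))
    return found

def find_checks(insns):
    """Key operators: cmp against an immediate and the conditional jump fed by it."""
    checks = []
    for k, i in enumerate(insns):
        m = IMM_RE.match(i.ops) if i.mnem == "cmp" else None
        nxt = insns[k + 1] if m and k + 1 < len(insns) else None
        if m:
            branch = (nxt.mnem, int(nxt.ops.split()[0], 16)) if nxt and nxt.mnem[:1] == "j" else None
            checks.append((i.addr, int(m["imm"], 16), branch))
    return checks

def triage(code_text, data_text):
    """The three 'Step by Step' searches, run over a listing and its data bytes."""
    insns = parse_listing(code_text)
    # Lay every dumped byte at its address so pointers found in code can be dereferenced.
    mem = {i.addr + k: b for i in insns + parse_listing(data_text) for k, b in enumerate(i.raw)}
    return {"calls": find_calls(insns), "strings": find_string_args(insns, mem),
            "checks": find_checks(insns)}
```

triage(MAIN_LISTING, DATA_LISTING) returns the four PLT calls, the strings behind the four movl arguments (including the "%d" scanf format that the slides leave unlabelled), and the single cmp against 0x7b (123) together with its jne target.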
Bomb!
  Using GDB
![Page 42: T UTORIAL L ESSON GNU Tools](https://reader036.vdocuments.mx/reader036/viewer/2022081513/56816147550346895dd0c481/html5/thumbnails/42.jpg)
Defuse bomb using GDB set breakpoint on the critical path watch registers and/or memories terminate program on demand single step execution
Can we do it more efficiently and safely?
Institute of Parallel and Distributed System (iPads), SJTU
GDB session (breakpoints: 0x80483dc "password", 0x80483f7 "compare", 0x8048403 "survive", 0x8048411 "bomb"):

    $ gdb bomb
    (gdb) break *0x80483dc
    Breakpoint 1 at 0x80483dc
    (gdb) break *0x80483f7
    Breakpoint 2 at 0x80483f7
    (gdb) break *0x8048403
    Breakpoint 3 at 0x8048403
    (gdb) break *0x8048411
    Breakpoint 4 at 0x8048411
    (gdb) run
    Starting program: /home/rong/tut1/bomb

    Breakpoint 1, 0x080483dc in main ()
    (gdb) print/c *0x8048538
    $3 = 105 'i'
    (gdb) print/c *0x8048539
    $4 = 110 'n'
    (gdb) print/s (char *)0x8048538
    $5 = 0x8048538 "input password:"
    (gdb) c
    Continuing.
    input password:224

    Breakpoint 2, 0x080483f7 in main ()
    (gdb) print/d $eax
    $8 = 224
    (gdb) c
    Continuing.

    Breakpoint 4, 0x08048411 in main ()
    (gdb) q
    The program is running.  Exit anyway? (y or n) y
    $
Thanks