Author | Message | Time |
---|---|---|
CrAzY | For a lab assignment, I've basically been given a compiled C program on an x86 Linux machine. The goal of the assignment is to figure out the 6 strings I have to enter in order to get through the program. I've already spent over 20 hours reading my textbook / internet sources and still have yet to get the first answer. Basically I have been using gdb and stepping through each line of assembly, monitoring each register and searching for the answers. There are really a bunch of questions I could use help with, and it would be easiest if someone could really help familiarize me a little more with why certain instructions are the way they are. AIM would be the best way of contact for this; my screen name is ooi tim ioo. If no one has time for that, here are some questions I would like answered please: What is the purpose of "test %eax, %eax"? I know it's a bitwise AND and I'm assuming no matter what it is, the ZF is set. I read something like it is used to see if the SF changes or something? When I do "info registers" in gdb, it will echo the register name, a hexadecimal value, and an integer value. Are the hex and int values just the address the register points to? If so, is "print /x $reg" returning the value the address points to or the address itself? I'm aware that %ebp and %esp are the base stack pointer and the stack pointer. Is the following statement correct? 0x4(%ebp) = return address; 0x8(%ebp) = first parameter; 0xC(%ebp) = 2nd parameter; and so on? Where there is a call such as "push %ebi", why does the %esp move a WORD in the negative direction? What is the purpose of pushing registers on the stack when you can use them regardless? Is "ret" always %eax? Is there any real difference between each register (without including %esp and %ebp)? I'm sure I have more questions but that is all I can think of off the top of my head. Any help would be much appreciated. Thanks, Tim | October 12, 2009, 6:23 PM |
rabbit | Does the program print anything if you enter a wrong string? | October 12, 2009, 7:49 PM |
CrAzY | Yessirr. I guess this isn't an uncommon lab for people who are CS majors. It's the "bomb lab". You enter the wrong things and it says "boom - blah. blah blah..." I got past the first part. I'm stuck on the 2nd now. Tim | October 12, 2009, 10:34 PM |
BreW | [quote author=CrAzY link=topic=18094.msg183533#msg183533 date=1255371824] Basically I have been using gdb and stepping through each line of assembly, monitoring each register and searching for the answers. [/quote] That must be killer. It's pretty painful to read AT&T syntax. [quote author=CrAzY link=topic=18094.msg183533#msg183533 date=1255371824] What is the purpose of "test %eax, %eax"? I know it's a bitwise AND and I'm assuming no matter what it is, the ZF is set. I read something like it is used to see if the SF changes or something? [/quote] test %eax,%eax checks if a value is zero or nonzero. x & x will always = x, which is always nonzero unless x is zero. SF is set after this op if the highest bit is set. [quote author=CrAzY link=topic=18094.msg183533#msg183533 date=1255371824] When I do "info registers" in gdb, it will echo the register name, a hexadecimal value, and an integer value. Are the hex and int values just the address the register points to? If so, is "print /x $reg" returning the value the address points to or the address itself? [/quote] No, they're the values contained inside of the registers. And no, that prints the value of the register. To check the contents of memory that a register is pointing to, you should prepend the C dereference operator, *, to the expression (ex. print /x *$eax). [quote author=CrAzY link=topic=18094.msg183533#msg183533 date=1255371824] I'm aware that %ebp and %esp are the base stack pointer and the stack pointer. Is the following statement correct? 0x4(%ebp) = return address; 0x8(%ebp) = first parameter; 0xC(%ebp) = 2nd parameter; and so on? [/quote] No. 4(%ebp) is the stored ebp from the last frame. 0(%ebp) is the return address. But yes, 8(%ebp, %paramnumber, 4) is the expression for the parameters. [quote author=CrAzY link=topic=18094.msg183533#msg183533 date=1255371824] Where there is a call such as "push %ebi", why does the %esp move a WORD in the negative direction? [/quote] %ebi? :-? Must be a gdb thing. The stack is a LIFO queue; try to visualize it and you'll see why. You're pushing the stack down, and then when you pop, it moves a WORD in the positive direction. Like popping up! [quote author=CrAzY link=topic=18094.msg183533#msg183533 date=1255371824] What is the purpose of pushing registers on the stack when you can use them regardless? [/quote] Maybe the compiler overlooked the fact that it didn't need to use the stack in that instance, or maybe it wasn't optimized to use a register in the first place. [quote author=CrAzY link=topic=18094.msg183533#msg183533 date=1255371824] Is "ret" always %eax? [/quote] Huh? That's a poor question. I assume you're asking if eax is always used as the return register - yes. It certainly doesn't have to be, but people have always used that convention and will stick to it for centuries to come. ret does not do anything but pop the return address from the stack and jump to it. [quote author=CrAzY link=topic=18094.msg183533#msg183533 date=1255371824] Is there any real difference between each register (without including %esp and %ebp)? [/quote] Well no, there's no difference between esp and ebp and the rest of them either. | October 12, 2009, 10:54 PM |
rabbit | [quote author=CrAzY link=topic=18094.msg183535#msg183535 date=1255386865] Yessirr. I guess this isn't an uncommon lab for people who are CS majors. It's the "bomb lab". You enter the wrong things and it says "boom - blah. blah blah..." I got past the first part. I'm stuck on the 2nd now. Tim [/quote] Then you can set a breakpoint on printf() or msgbox() or whatever is used to display the message, and work back from there. | October 13, 2009, 12:54 AM |
CrAzY | Thanks a ton to both of you. Brew, you clarified a lot of things for me and things started making a little more sense. I'm 2/3 done now. There are some smaller issues that I could use some answers to: [code]0x08048cf2 <phase_5+45>: add 0x80497c0(,%eax,4),%ecx (gdb) print (char*) 0x80497c0 $197 = 0x80497c0 "\002" [/code] Is this 4x$eax+"\002"? If so, how does that affect the "string" "\002"? [code]0x08048ce1 <phase_5+28>: mov $0x0,%edx 0x08048ce6 <phase_5+33>: mov $0x0,%ecx 0x08048ceb <phase_5+38>: movsbl (%edx,%ebx,1),%eax 0x08048cef <phase_5+42>: and $0xf,%eax 0x08048cf2 <phase_5+45>: add 0x80497c0(,%eax,4),%ecx 0x08048cf9 <phase_5+52>: add $0x1,%edx 0x08048cfc <phase_5+55>: cmp $0x6,%edx 0x08048cff <phase_5+58>: jne 0x8048ceb <phase_5+38> [/code] Stepping into this, %eax = 0x06 I think. Can someone explain the algorithm taking place a little better? I read that "movsbl" drags the sign bit over. Can someone show a small example of exactly how that will look in this code? Please don't give me the solutions to anything either. I actually do enjoy learning. Thanks =) Tim | October 13, 2009, 3:11 PM |
BreW | [quote author=CrAzY link=topic=18094.msg183540#msg183540 date=1255446702] Is this 4x$eax+"\002"? If so, how does that affect the "string" "\002"? [/quote] Well, that's not a string first of all. It's an integer array. I guess the first element of the array at 0x80497c0 is 0x323000 (00 30 32 00) which gdb was able to print out. [quote author=CrAzY link=topic=18094.msg183540#msg183540 date=1255446702] Stepping into this, %eax = 0x06 I think. [/quote] This is irrelevant. eax is overwritten. [quote author=CrAzY link=topic=18094.msg183540#msg183540 date=1255446702] Can someone explain the algorithm taking place a little better? I read that "movsbl" drags the sign bit over. [/quote] I'm not quite sure about movsbl. Really, that's movsb which moves a byte from esi to edi then increments each, but this takes two operands. So, I think what gdb really meant to say was "movzx (%edx, %ebx, 1), %eax". The array at 0x80497c0 contains 16 elements. The integer value in the element 0x80497c0 is added to an accumulator. The index of this is the ith byte value of the array at ebx, modulo the size of the array / size of an element. The loop runs 6 times. Spoiler alert! I encoded the solution in base64 if you need it: aSA9IDA7DQphY2N1bSA9IDA7DQpkbyB7DQoJYWNjdW0gKz0gMHg4MDQ5N2MwW2VieFtpXSAmIDB4MEZdOw0KCWkrKzsNCn0gd2hpbGUgKGkgIT0gNik7 [quote author=CrAzY link=topic=18094.msg183540#msg183540 date=1255446702] Can someone show a small example of exactly how that will look in this code? [/quote] You worry way too much about what flags each instruction modifies. Instead, only worry about what flags are being set right before an instruction that reads the flags, such as a conditional jump (Jcc), or a set-byte-register-to-flag instruction (SETcc). Are you the_wiz_kid_89 on Freenode? | October 13, 2009, 5:26 PM |
CrAzY | [quote author=brew link=topic=18094.msg183541#msg183541 date=1255454761] Are you the_wiz_kid_89 on Freenode? [/quote] No. A lot of the questions I had my professor went over in class yesterday. There are still some things she needs to cover, but I should know more answers after class today. (Yes, I know it's weird to have 2 lectures 2 days in a row; weird week because of Columbus Day.) If I have more time today I'll give you some feedback on how the lab is going. I'd love some references to anything useful that has helped people in the past. You can never know too much =) Tim | October 14, 2009, 3:51 PM |
BreW | [quote author=CrAzY link=topic=18094.msg183548#msg183548 date=1255535463] [quote author=brew link=topic=18094.msg183541#msg183541 date=1255454761] Are you the_wiz_kid_89 on Freenode? [/quote] No. [/quote] Are you sure? He had a question about something very similar a day before you made your second post in this thread, you both referred to the architecture as "IA32" instead of the normal "x86", his IP places him in Virginia, and your profile states you live in Burke, Virginia. If not, I suspect I've found a classmate of yours! | October 14, 2009, 8:10 PM |
CrAzY | Haha, yeah I'm really telling the truth. Dreams come true in Burke, VA tho =). I actually live in Fairfax, VA now but its adjacent to Burke. If you talk to him again tell him to give me the answers ;). lol, Tim | October 15, 2009, 9:34 PM |
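The following C program is an added example, not code from the thread or from the lab; it emulates the `phase_5+28 .. phase_5+58` loop that CrAzY posted so the questions about `movsbl` and `0x80497c0(,%eax,4)` can be checked against running code. Two facts it relies on: `movsbl` is "move sign-extended byte to long" (it loads one byte and sign-extends it to 32 bits, so a byte of 0xF0 becomes -16, not 240, and `and $0xf` then keeps only the low nibble, giving an index of 0..15), and the AT&T operand `0x80497c0(,%eax,4)` addresses `0x80497c0 + %eax*4`, i.e. element `%eax` of a 4-byte-integer array starting there (`x/16dw 0x80497c0` in gdb dumps all 16 entries). The table contents are not on the page (gdb only showed the first byte, 0x02), so `lookup_table` here is a constructed stand-in whose first entry matches that byte; `phase5_accumulate` and `x86_test_flags` are names chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the 16-entry int array at 0x80497c0.
 * Only the first entry (2) is taken from the page (gdb printed "\002");
 * the rest are made up so the loop has something to index. */
static const int32_t lookup_table[16] = {
    2, 10, 6, 1, 12, 16, 9, 3, 4, 7, 14, 5, 11, 8, 15, 13
};

/* movsbl: load one byte and sign-extend it to 32 bits.
 * A byte >= 0x80 yields a negative value (0xF0 -> 0xFFFFFFF0 == -16). */
int32_t movsbl(const char *p)
{
    return (int32_t)(signed char)*p;
}

/* Emulation of phase_5+28 .. phase_5+58, with %ebx pointing at `input`:
 *     mov   $0x0,%edx              ; byte index
 *     mov   $0x0,%ecx              ; accumulator
 *   loop:
 *     movsbl (%edx,%ebx,1),%eax    ; eax = sign-extended input[edx]
 *     and   $0xf,%eax              ; keep low nibble -> index 0..15
 *     add   0x80497c0(,%eax,4),%ecx; ecx += table[eax]
 *     add   $0x1,%edx
 *     cmp   $0x6,%edx
 *     jne   loop
 * Returns %ecx. Exactly 6 bytes are read; the loop never checks for NUL. */
int32_t phase5_accumulate(const char *input)
{
    int32_t edx = 0;
    int32_t ecx = 0;
    do {
        int32_t eax = movsbl(input + edx); /* movsbl (%edx,%ebx,1),%eax */
        eax &= 0xf;                        /* and $0xf,%eax */
        ecx += lookup_table[eax];          /* add 0x80497c0(,%eax,4),%ecx */
        edx += 1;                          /* add $0x1,%edx */
    } while (edx != 6);                    /* cmp $0x6,%edx ; jne loop */
    return ecx;
}

/* test %eax,%eax: computes eax & eax, discards the result and only sets
 * flags. ZF (EFLAGS bit 6) = result is zero, SF (EFLAGS bit 7) = bit 31
 * of the result; CF and OF are cleared. Returned as an EFLAGS-style mask
 * so `je` / `jne` / `js` after the test can be reasoned about. */
uint32_t x86_test_flags(int32_t eax)
{
    int32_t result = eax & eax;            /* always equal to eax */
    uint32_t flags = 0;
    if (result == 0) flags |= 1u << 6;     /* ZF */
    if (result < 0)  flags |= 1u << 7;     /* SF */
    return flags;
}

int main(void)
{
    /* Constructed inputs: a plain ASCII string and one made of high bytes
     * to show that sign extension does not matter once `and $0xf` runs. */
    const char *ascii = "abcdef";
    const char *high  = "\xF0\xF1\xF2\xF3\xF4\xF5";

    printf("movsbl(0xF0)            = %d\n", movsbl("\xF0"));
    printf("accumulate(\"abcdef\")    = %d\n", phase5_accumulate(ascii));
    printf("accumulate(F0..F5 bytes) = %d\n", phase5_accumulate(high));
    printf("test 0  -> flags 0x%02x (ZF set)\n", x86_test_flags(0));
    printf("test -1 -> flags 0x%02x (SF set)\n", x86_test_flags(-1));
    return 0;
}
```

With the constructed table, "abcdef" indexes entries 1..6 (0x61 & 0xf == 1, and so on) and sums to 54, while the six high bytes index entries 0..5 and sum to 47; the sign extension that `movsbl` performs is visible in `movsbl("\xF0")` returning -16, but it never reaches the table index because `and $0xf` discards the upper bits. For the real binary, replace `lookup_table` with the values from `x/16dw 0x80497c0` and the function then reports what `%ecx` will hold when the loop falls through to the comparison that follows it.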