OUTLINE 2 Pre-requisite Bomb! Pre-requisite Bomb! 3.


2 OUTLINE 2 Pre-requisite Bomb!

3 Pre-requisite Bomb! 3

4 GNU Tools
- GDB (GNU Debugger)
  - Start your program
  - Stop on special conditions
  - Examine what has happened
  - Change things in your program

5 GNU Tools
- GDB (GNU Debugger)
- Commands
  - gdb
  - break FUNC | *ADDR
  - run
  - print $REG | ADDR
  - continue | stepi | nexti
  - quit
Reference:
- http://beej.us/guide/bggdb/
- http://csapp.cs.cmu.edu/3e/docs/gdbnotes-x86-64.pdf

6 GNU Tools
- OBJDUMP (OBJect-file DUMP)
  - Display information from object files
  - Disassemble object file
  - Show file headers
  - Show symbol table
  - ...
- Commands
  - objdump -d | -D

7
    0804849c <main>:
     804849c:  55                      push   %ebp
     804849d:  89 e5                   mov    %esp,%ebp
     804849f:  83 e4 f0                and    $0xfffffff0,%esp
     80484a2:  83 ec 20                sub    $0x20,%esp
     80484a5:  c7 04 24 90 85 04 08    movl   $0x8048590,(%esp)
     80484ac:  e8 af fe ff ff          call   8048360
     80484b1:  c7 04 24 b4 85 04 08    movl   $0x80485b4,(%esp)
     80484b8:  e8 93 fe ff ff          call   8048350
     80484bd:  8d 44 24 1c             lea    0x1c(%esp),%eax
     80484c1:  89 44 24 04             mov    %eax,0x4(%esp)
     80484c5:  c7 04 24 b9 85 04 08    movl   $0x80485b9,(%esp)
     80484cc:  e8 bf fe ff ff          call   8048390
     80484d1:  8b 44 24 1c             mov    0x1c(%esp),%eax
     80484d5:  83 f8 6c                cmp    $0x6c,%eax
     80484d8:  75 0e                   jne    80484e8
     80484da:  c7 04 24 bc 85 04 08    movl   $0x80485bc,(%esp)
     80484e1:  e8 7a fe ff ff          call   8048360
     80484e6:  eb 0c                   jmp    80484f4
     80484e8:  c7 04 24 c7 85 04 08    movl   $0x80485c7,(%esp)
     80484ef:  e8 6c fe ff ff          call   8048360
     80484f4:  c9                      leave
     80484f5:  c3                      ret

8 GNU Tools
- Install GNU Tools
  - apt-get install build-essential
  - apt-get install gdb

9 Pre-requisite | Bomb!
-> Binary Bomb
   Defuse Bomb
   Using GDB

10 Bomb: Defuse Bomb
- What is Bomb?
  - Only a binary file
- What should you do?
  - Find the key and defuse the bomb!
  - Right key: Survive
  - Wrong key: Bomb!
- What can you use?
  - Anything from the ICS course
  - Any tools: gdb, strings, objdump, calculator, pencil, paper

11 Demo
- Please watch carefully!
  - A binary bomb
  - Needs a password to defuse it

    $ ./bomb
    key: 224
    bomb!!! :(
    $
    $ ./bomb
    input password: 108
    Survive :)


13 Pre-requisite | Bomb!
   Binary Bomb
-> Defuse Bomb
   Using GDB

14 Step by Step
- Machine Code to Assembly Code
  - objdump -D bomb > asm

    NAME
        objdump - display information from object files.
    SYNOPSIS
        objdump [-d|--disassemble]
                [-D|--disassemble-all]
                ......


17 Step by Step
- Find key functions and parameters
  - scanf: where is the password stored?
  - printf: which instruction will print “bomb”?


23 Step by Step
- Find key functions and parameters
  - scanf: where is the password stored?
  - printf: which instruction will print “bomb”?
- Find key strings
  - “bomb”, “survive” and “key”


25
    ...
     80485b4:  4b 65 79                                 "Key"
     80485b7:  3a 00                  cmp (%eax),%al
     80485b9:  25 64 00 53 75         ……                "Su"
     80485be:  72 76                                    "rv"
     80485c0:  69 76 65 20 3a 29 00                     "ive"
     80485c7:  42                                       "B"
     80485c8:  6f                                       "o"
     80485c9:  6d                                       "m"
     80485ca:  62 21                                    "b"
     80485cc:  21 21
     80485ce:  20 3a
     80485d0:  28 00
    ...


27 (string addresses replaced by the strings they point at)
    0804849c <main>:
     804849c:  55                      push   %ebp
     804849d:  89 e5                   mov    %esp,%ebp
     804849f:  83 e4 f0                and    $0xfffffff0,%esp
     80484a2:  83 ec 20                sub    $0x20,%esp
     80484a5:  c7 04 24 90 85 04 08    movl   $0x8048590,(%esp)
     80484ac:  e8 af fe ff ff          call   8048360
     80484b1:  c7 04 24 b4 85 04 08    movl   Key,(%esp)
     80484b8:  e8 93 fe ff ff          call   8048350
     80484bd:  8d 44 24 1c             lea    0x1c(%esp),%eax
     80484c1:  89 44 24 04             mov    %eax,0x4(%esp)
     80484c5:  c7 04 24 b9 85 04 08    movl   $0x80485b9,(%esp)
     80484cc:  e8 bf fe ff ff          call   8048390
     80484d1:  8b 44 24 1c             mov    0x1c(%esp),%eax
     80484d5:  83 f8 6c                cmp    $0x6c,%eax
     80484d8:  75 0e                   jne    80484e8
     80484da:  c7 04 24 bc 85 04 08    movl   survive :),(%esp)
     80484e1:  e8 7a fe ff ff          call   8048360
     80484e6:  eb 0c                   jmp    80484f4
     80484e8:  c7 04 24 c7 85 04 08    movl   bomb!!! :(,(%esp)
     80484ef:  e8 6c fe ff ff          call   8048360
     80484f4:  c9                      leave
     80484f5:  c3                      ret

28 Step by Step
- Find key functions and parameters
  - scanf: where is the password stored?
  - printf: which instruction will print “bomb”?
- Find key strings
  - “bomb”, “survive” and “key”
- Find key operators
  - jmp: changes control flow
  - cmp: how the condition is evaluated
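The three steps above, tied together in C as an added example that is not part of the original slides or the lab's source. The bytes are transcribed from the dump on slide 25; the names rodata, str_at and run_bomb are made up here, and the key is read from a string rather than stdin so the result can be checked.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes 0x80485b4..0x80485d1 as transcribed from the slide's dump.
 * objdump -D shows them as bogus instructions; they are C strings. */
#define RODATA_BASE 0x80485b4u
static const unsigned char rodata[] = {
    0x4b, 0x65, 0x79, 0x3a, 0x00,                   /* 80485b4 */
    0x25, 0x64, 0x00,                               /* 80485b9 */
    0x53, 0x75, 0x72, 0x76, 0x69, 0x76, 0x65, 0x20, /* 80485bc */
    0x3a, 0x29, 0x00,
    0x42, 0x6f, 0x6d, 0x62, 0x21, 0x21, 0x21, 0x20, /* 80485c7 */
    0x3a, 0x28, 0x00
};

/* Resolve a movl immediate to the string it points at, or NULL if the
 * address is outside the dump or no terminating NUL follows it. */
static const char *str_at(uint32_t addr)
{
    if (addr < RODATA_BASE || addr - RODATA_BASE >= sizeof rodata)
        return NULL;
    size_t off = addr - RODATA_BASE;
    if (memchr(rodata + off, 0, sizeof rodata - off) == NULL)
        return NULL;
    return (const char *)(rodata + off);
}

/* Logic of main from 0x80484bd on, reading the key from a string instead
 * of stdin. Returns the message that the final call would print. */
static const char *run_bomb(const char *input)
{
    int key;                        /* stack slot 0x1c(%esp) */
    /* 80484bd-80484cc: scanf("%d", &key); format string is at 0x80485b9.
     * The binary ignores scanf's result; 0 here stands in for the
     * uninitialised slot it would then compare. */
    if (sscanf(input, "%d", &key) != 1)
        key = 0;
    /* 80484d1-80484d8: cmp $0x6c,%eax ; jne 80484e8 */
    if (key == 0x6c)
        return str_at(0x80485bc);   /* 80484da: survive path */
    return str_at(0x80485c7);       /* 80484e8: bomb path */
}

int main(void)
{
    printf("%s224 -> %s\n", str_at(0x80485b4), run_bomb("224"));
    printf("%s108 -> %s\n", str_at(0x80485b4), run_bomb("108"));
    return 0;
}
```

The immediate 0x8048590 passed to the first call lies below the dumped range, so str_at returns NULL for it; that string is not shown on the slides.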


32 Pre-requisite | Bomb!
   Binary Bomb
   Defuse Bomb
-> Using GDB

33 Defuse bomb using GDB
- Set breakpoints on the critical path
- Watch registers and/or memory
- Terminate the program on demand
- Single-step execution
Can we do it more efficiently and safely?

34 Command
- GDB
  - gdb
  - break FUNC | *ADDR
  - run
  - print $REG | ADDR
  - continue | stepi | nexti
  - quit


36-44 (one session, built up step by step across these slides)

Breakpoint addresses and what happens there:
    0x80484b8  “password” (labelled “key” on slide 37)
    0x80484d5  “compare”
    0x80484da  “survive”
    0x80484e8  “bomb”

    $ gdb mini-bomb
    (gdb) break *0x80484b8
    Breakpoint 1 at 0x80484b8
    (gdb) break *0x80484d5
    Breakpoint 2 at 0x80484d5
    (gdb) break *0x80484da
    Breakpoint 3 at 0x80484da
    (gdb) break *0x80484e8
    Breakpoint 4 at 0x80484e8
    (gdb) run
    Starting program: /home/ics-15/lab2/bomb
    Breakpoint 1, 0x080484b8 in main ()
    (gdb) print/c *0x80485b4
    $1 = 75 'K'
    (gdb) print/c *0x80485b5
    $2 = 101 'e'
    (gdb) print/s (char *)0x80485b4
    $3 = 0x80485b4 "Key:"

45-49 (session continued, built up step by step across these slides)

Breakpoint addresses and what happens there:
    0x80484b8  “password”
    0x80484d5  “compare”
    0x80484da  “survive”
    0x80484e8  “bomb”

    (gdb) c
    Continuing.
    Key:224
    Breakpoint 2, 0x080484d5 in main ()
    (gdb) print/d $eax
    $8 = 224
    (gdb) c
    Continuing.
    Breakpoint 4, 0x080484e8 in main ()
    (gdb) q
    The program is running. Exit anyway? (y or n) y
    $
