csapp bomb lab phase_5

CSAPP phase

这个阶段很有意思,考察了两个知识点,一方面是数组在内存中的存储,另一方面,其采用了一个简单加密算法,对字符数组进行了加密,也就意味着需要破解密钥才能打开这关。作者花了不少时间解决这关,成就感当然也很大啦~

另外,作者想用英语写文章,提高自己的英语表达能力,可能有的地方并不流畅,还请原谅~

At the begining,I didn't find the point which this phase wants to exam.After reading the assemble code,it's obvious to find some functions like <string_length>,and<strings_not_equal>.The inference I 've drawn from these functions is that this phase must have something to do with ' string'. Besides,the next courese in CSAPP  is about data,which talks about array and struct.As we all know,'string' is a kind of array,whose special part  is its terminal '\0.'

In some way ,we can regard 'string' as a array filled with 'char',whose size is one-byte.So I thought this phase_5 is to exam our mastery of knowledge about ' how data stroed in memory'.

(1)     The first part of code shows the first condition we have to satisfy.

Let's focus on the address 0x40107a--0x401084,There is a very important function residing in this section,function <string_length>

As we all know,the result of function will be stored in register %rax,we can conclude the action of this function from its name.

That is , what is output is the length of the input string.

The instruction , cmp $0x6,%eax,     tells us that the right length of string we input should be six,otherwise,the bomb will be blowed up.

(3)       The last part shows the second condition we have to satisfy.

When I find the solution of this program,I didn't get to the next part of assemble code linearly. Another function called 'strings_not_equal' caught my eyes.

In addition,there is no way to explode bomb between (1) and function <strings_not_equal>.So,I just set a break points at the address 0x4010b8.

So we notice that the result returning from <strings_not_equal> has to be 0,otherwise,the bomb will be exploded.Let's go to the inside part of <strings_not_equal>.I set the point to stop and try it.Because I know the length of string is six,so I just type 'abcdef' to test.

OK,In function <strings_not_equal>,the first part of assemble code is this.

 

This function would be called by many other functions,so when I do a experiment,I found this part just test whether the length of string is equal to six.So,In my point of view ,this part makes no sense.

So,we follow the code.

This part is quite important.

 movzbl (%rbx),%eax .  The (%rbx) refers to the memory,let's see the content in this address.

At the begining,I was confused by these  consequence, becasuse what I input is 'abcdef',but when program comes to here.The data stored in memory hasbecome to 'aduier'.So,there are only two possibilities,'aduier'  is final result ,or the program between (1) and (3) did something to my primitive data.

Here is an obvious compare instruction,So,let's see it.

OK,the string pointed by %rbp is 'flyers',Oh,it 's quite regular,we have to admit. So I guess here 'flyers' is the right answer. Well ,if you don't trust me ,you can do some expriments to test.You will find the string pointed by %rbp won't change,but the string pointed by %rbx will be changed with the input.

There is only one case to satisfy this situation.The program between (1) and (3) do something to our input, in other words , even we know the right answers,if we wants to know the 'secret code' to input,we have to know the map (映射),which maps 'abcdef' to 'aduier'.

(2)    The second part of assemble code which contains the MAP (映射,密钥) .

What actually works is only these code in white background.At the start,%rax is equal to 0,%rbx stands for the input string.So the first instruction means retrieve the character from memory one by one  and then store it in another place pointed by %rsp.Meantime,to the %rdx.

The map indeed is the instruction

and $0xf,%rdx

That's the map

So ,in other word,every character will be regarded as a number and do a opreate called '&'.Well,but here is not a happy ending.

Because the character was not encode in ASCII ,which means even you get the number corresponding to  input char ,you can't get the final char from this number.You need a table to complete it.

Here you gets the table ,we have already known %rdx  is the result of first procedure.

The seconde procedure is a table which map number to character.

It's quite long.But what we need is the index stored in %edx.So I just keep going until I found the whole 'flyers'

So we know the %edx should be the number '9', '15','14','5','6','7' in a order.

And now,this problem has changed to be find the character to make it be '9',...'7'.

Here shows the encode of character 'a',that's 97.

'0xf'=00001111(binary),and the operate is '&',so even I change the 4 high-bits of operand,the result makes no difference.

That means 0110abcd  is equal to 0000abcd.

besides 0110 0000 =96 .

So the primitive number is '9' --107, '15'--111,...'7'--103

As you already know,a--97,so you will easy to know 107--i

You can counter it one by one ,and you will know the answer is 'ionefg'.

OK,get it.~

 

 

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值