二进制炸弹
这学期选修了计算机系统这门课,这门课的六个实验可以称作经典,特别是二进制炸弹这一实验,实验内容不断更新。
简介
Binary Bombs
A “binary bomb” is a Linux executable C program that consists of six
“phases.” Each phase expects the student to enter a particular string
on stdin. If the student enters the expected string, then that phase
is “defused.” Otherwise the bomb “explodes” by printing “BOOM!!!”.
The goal for the students is to defuse as many phases as possible.
平台: Linux
调试工具: GDB
语言: 汇编语言
Phase 1
使用GDB命令反汇编bomb可执行文件,得到 < phase_1 > 函数的汇编代码:
(gdb) disas phase_1
Dump of assembler code for function phase_1:
=> 0x0000000000400ee0 <+0>: sub $0x8,%rsp
0x0000000000400ee4 <+4>: mov $0x402400,%esi
0x0000000000400ee9 <+9>: callq 0x401338 <strings_not_equal>
0x0000000000400eee <+14>: test %eax,%eax
0x0000000000400ef0 <+16>: je 0x400ef7 <phase_1+23>
0x0000000000400ef2 <+18>: callq 0x40143a <explode_bomb>
0x0000000000400ef7 <+23>: add $0x8,%rsp
0x0000000000400efb <+27>: retq
End of assembler dump.
解题过程
利用GDB调试程序,在phase_1函数的入口处设置断点,查看寄存器的状态,查看0x603780地址的值,发现此时%rdi和%rsi中存储的值是刚刚输入的字符串的首地址。这是在意料之中的,因为我们的输入一定会作为phase_1函数的参数,而%rdi,%rsi寄存器的作用就是存放第一个参数和第二个参数。
在phase_1的汇编代码中,注意到第二行:
mov $0x402400,%esi
即将一个特定的值放到了第二个参数的位置上,接下来就进入到<strings_not_equal>函数(稍后分析)中,再看接下来的代码:
0x0000000000400eee <+14>:test %eax,%eax
0x0000000000400ef0 <+16>:je 0x400ef7 <phase_1+23>
0x0000000000400ef2 <+18>:callq 0x40143a <explode_bomb>
返回值是否为0,如过不等于0,调用<explode_bomb>函数,从函数名就能看出来,调用它就爆炸了。那么关键就是这个<strings_not_equal>函数,我们希望这个函数的返回结果为0。
先看看它的汇编代码:
(gdb) disas strings_not_equal
Dump of assembler code for function strings_not_equal:
0x0000000000401338 <+0>: push %r12
0x000000000040133a <+2>: push %rbp
0x000000000040133b <+3>: push %rbx
0x000000000040133c <+4>: mov %rdi,%rbx
0x000000000040133f <+7>: mov %rsi,%rbp
0x0000000000401342 <+10>: callq 0x40131b <string_length>
0x0000000000401347 <+15>: mov %eax,%r12d
0x000000000040134a <+18>: mov %rbp,%rdi
0x000000000040134d <+21>: callq 0x40131b <string_length>
0x0000000000401352 <+26>: mov $0x1,%edx
0x0000000000401357 <+31>: cmp %eax,%r12d
0x000000000040135a <+34>: jne 0x40139b <strings_not_equal+99>
0x000000000040135c <+36>: movzbl (%rbx),%eax
0x000000000040135f <+39>: test %al,%al
0x0000000000401361 <+41>: je 0x401388 <strings_not_equal+80>
0x0000000000401363 <+43>: cmp 0x0(%rbp),%al
0x0000000000401366 <+46>: je 0x401372 <strings_not_equal+58>
0x0000000000401368 <+48>: jmp 0x40138f <strings_not_equal+87>
0x000000000040136a <+50>: cmp 0x0(%rbp),%al
0x000000000040136d <+53>: nopl (%rax)
0x0000000000401370 <+56>: jne 0x401396 <strings_not_equal+94>
0x0000000000401372 <+58>: add $0x1,%rbx
0x0000000000401376 <+62>: add $0x1,%rbp
0x000000000040137a <+66>: movzbl (%rbx),%eax
0x000000000040137d <+69>: test %al,%al
0x000000000040137f <+71>: jne 0x40136a <strings_not_equal+50>
0x0000000000401381 <+73>: mov $0x0,%edx
0x0000000000401386 <+78>: jmp 0x40139b <strings_not_equal+99>
0x0000000000401388 <+80>: mov $0x0,%edx
0x000000000040138d <+85>: jmp 0x40139b <strings_not_equal+99>
0x000000000040138f <+87>: mov $0x1,%edx
0x0000000000401394 <+92>: jmp 0x40139b <strings_not_equal+99>
0x0000000000401396 <+94>: mov $0x1,%edx
0x000000000040139b <+99>: mov %edx,%eax
0x000000000040139d <+101>: pop %rbx
0x000000000040139e <+102>: pop %rbp
0x000000000040139f <+103>: pop %r12
0x00000000004013a1 <+105>: retq
End of assembler dump.
由汇编代码可知,<strings_not_equal>函数判断两个字符串是否相等,相等返回0,不相等返回1.所以我们只要保证我们的输入和<strings_not_equal>的第二个参数指向的字符串相等就好了,即找到首地址为0x402400的字符串。
即Solution: Border relations with Canada have never been better.
Phase 2
汇编代码:
(gdb) disas phase_2
Dump of assembler code for function phase_2:
0x0000000000400efc <+0>: push %rbp
0x0000000000400efd <+1>: push %rbx
0x0000000000400efe <+2>: sub $0x28,%rsp
0x0000000000400f02 <+6>: mov %rsp,%rsi
0x0000000000400f05 <+9>: callq 0x40145c <read_six_numbers>
0x0000000000400f0a <+14>: cmpl $0x1,(%rsp)
0x0000000000400f0e <+18>: je 0x400f30 <phase_2+52>
0x0000000000400f10 <+20>: callq 0x40143a <explode_bomb>
0x0000000000400f15 <+25>: jmp 0x400f30 <phase_2+52>
0x0000000000400f17 <+27>: mov -0x4(%rbx),%eax
0x0000000000400f1a <+30>: add %eax,%eax
0x0000000000400f1c <+32>: cmp %eax,(%rbx)
0x0000000000400f1e <+34>: je 0x400f25 <phase_2+41>
0x0000000000400f20 <+36>: callq 0x40143a <explode_bomb>
0x0000000000400f25 <+41>: add $0x4,%rbx
0x0000000000400f29 <+45>: cmp %rbp,%rbx
0x0000000000400f2c <+48>: jne 0x400f17 <phase_2+27>
0x0000000000400f2e <+50>: jmp 0x400f3c <phase_2+64>
0x0000000000400f30 <+52>: lea 0x4(%rsp),%rbx
0x0000000000400f35 &