Sample bomb
Nothing to hand in
Goals
- Get prepped to do the bombs assignment
- Start using gdb
Resources you might find helpful
- gdb quick reference
- another gdb quick reference
- Good discussion of ways to view assembly code in gdb
What to do
- Log in to mantis using a normal terminal. VS Code isn't going to be any help here.
- In a suitable working directory, download the sample bomb:
  wget https://cs.carleton.edu/faculty/jondich/courses/cs208_s23/assignments/files/sample-bomb
  and the source code for main() and explode():
  wget https://cs.carleton.edu/faculty/jondich/courses/cs208_s23/assignments/files/sample-bomb.c
  You'll probably need to make sample-bomb executable:
  chmod +x sample-bomb
- You might also find it instructive to look at the main program's source code. This isn't all of the source code for sample-bomb, but should help.
- Run the program once or twice at the Unix prompt:
  ./sample-bomb
- Launch gdb:
  gdb sample-bomb
- Look around and try some basic gdb commands.
  (gdb) r                       [run the program]
  (gdb) list                    [show the top of the available source code]
  (gdb)                         [hit Enter/Return to repeat the previous command]
  (gdb) br 23                   [set a breakpoint at line 23--the phase0() function call]
  (gdb) r                       [run--execution should stop just before doing line 23]
  (gdb) info reg                [look at the contents of all the registers]
  (gdb) info reg rdx            [look at just rdx]
  (gdb) info reg edx            [look at just the lower-order half of rdx]
  (gdb) info reg rsp            [hey, where's the stack pointer pointing? 0x7fffffffea00 or something like that, right?]
  (gdb) x/20b 0x7fffffffea00    [look at the top 20 bytes on the stack]
  (gdb) x/20w 0x7fffffffea00    [look at the top 20 4-byte words on the stack]
  (gdb) x/20g 0x7fffffffea00    [look at the top 20 8-byte "giant" words on the stack]
  (gdb) x/20bx 0x7fffffffea00   [look at the top 20 bytes on the stack, but in hexadecimal]
  (gdb) x/20wx 0x7fffffffea00   [look at the top 20 4-byte words on the stack, but in hexadecimal]
  (gdb) x/20gx 0x7fffffffea00   [look at the top 20 8-byte "giant" words on the stack, but in hexadecimal]
  (gdb) x/20bx $rsp             [look at the top 20 bytes on the stack, but easier]
  (gdb) x/20wx $rsp             [look at the top 20 4-byte words on the stack, but easier]
  (gdb) x/20gx $rsp             [look at the top 20 8-byte "giant" words on the stack, but easier]
  (gdb) quit
- Start again, and this time we'll step into the assembly language that makes up the function phase0(). We're going to use the "layout asm" command to give us an extremely handy split screen with assembly language on the top and the (gdb) command prompt on the bottom.
In my experience, "layout asm" is a bit erratic, so sometimes the top of the split screen will get messed up visually. When that happens, do Ctrl-L to redraw the screen.
  $ gdb sample-bomb
  (gdb) r             [run]
  (gdb) list          [show source]
  (gdb)               [show more source until you see the call to phase0()]
  (gdb) br 23         [set a breakpoint before the phase0() call]
  (gdb) r             [run to the breakpoint]
  (gdb) layout asm    [get your split screen]
  (gdb) stepi         [step one instruction, including "into" function calls]
  (gdb) si            [same as stepi; does one more line]
  [Use the up/down arrow keys to move your assembly language display up and down without executing any instructions]
- Study the phase0 function. Where is/are its ret statement(s)? What functions does it call? Where are its if statements (look for test and cmp instructions)?
- Try putting a breakpoint just past the fgets call (which, presumably, will be retrieving your input string once you type it). Then step right up to the fgets call. (I'm pretending that the relevant address is 0x5555555548f5.)
  (gdb) br *0x5555555548f5   [the * is necessary for breaking at an address instead of a label]
  (gdb) si                   [a bunch of times until you're at the callq fgets instruction]
  (gdb) info reg rdi         [what did that lea instruction put into rdi?]
  (gdb) x/s blah             [where blah is the address in rdi]
  (gdb) c                    ["continue" executing, presumably breaking just after the fgets call]
  (gdb) x/s blah             [look at that rdi address again]
- et cetera...
What exactly is phase0 doing?
Here's the source code for phase0. The only thing you're missing now (as far as C source code goes) is the values of BUFFER_LENGTH and SECRET_NUMBER. Those are both discoverable in the assembly code.
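Added example (not the course's sample-bomb source): a constructed stand-in with the same shape as a phase0, so you can compile it yourself with gcc -g -O0 and practice the gdb steps above on a binary whose constants you already know. The values 64 and 208 are made up for this stand-in; the real BUFFER_LENGTH and SECRET_NUMBER have to be read out of sample-bomb's assembly.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed values for this stand-in only. In the disassembly they show
   up as immediates: BUFFER_LENGTH is the second argument to fgets, so look
   for a mov into %esi right before the call; SECRET_NUMBER is the operand
   of the cmp that decides whether explode() is called. */
#define BUFFER_LENGTH 64
#define SECRET_NUMBER 208

static void explode(void)
{
    puts("BOOM!");
    exit(1);
}

/* Parse the line the way a phase typically does and compare it to the
   secret. Returns 1 if the line defuses the phase, 0 otherwise, so the
   check itself can be exercised without exiting. */
int check_secret(const char *line)
{
    char *end = NULL;
    long value = strtol(line, &end, 10);
    if (end == line)                       /* no digits at all */
        return 0;
    while (*end == ' ' || *end == '\n')    /* tolerate trailing newline/space */
        end++;
    if (*end != '\0')                      /* junk after the number */
        return 0;
    return value == SECRET_NUMBER;
}

/* Mirrors the shape of the bomb's phase0: fgets into a fixed-size buffer,
   then a comparison that decides between returning and exploding. */
void phase0(void)
{
    char buffer[BUFFER_LENGTH];
    if (fgets(buffer, BUFFER_LENGTH, stdin) == NULL)
        explode();
    if (!check_secret(buffer))
        explode();
}

int main(void)
{
    phase0();
    puts("Phase 0 defused.");
    return 0;
}
```

After compiling, break on phase0, do layout asm, and check that you can recover 0x40 (64) from the mov before the call to fgets and 0xd0 (208) from the cmp, exactly the way you will have to for the real bomb.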