TUTORIAL LESSON: GNU Tools
Institute of Parallel and Distributed System (iPads)
Shanghai Jiao Tong University
Rong Chen, rongchen@sjtu.edu.cn
OUTLINE
Pre-requisite
Debugging
Bomb!
GNU Tools
GDB (Gnu DeBugger)
  Start your program
  Stop on special conditions
  Examine what has happened
  Change things in your program
GNU Tools
GDB (Gnu DeBugger) Commands
  gdb <file>
  break FUNC | *ADDR
  run
  print</?> $REG | ADDR
  continue | stepi | nexti
  quit
Reference: http://ipads.se.sjtu.edu.cn/courses/ics/tutorials/gdb-ref.txt
GNU Tools
OBJDUMP (OBJect-file DUMP)
Display information from object files
  Disassemble object file
  Show file headers
  Show symbol table
  ...
Commands
  objdump -d | -D <object-file>

080483c4 <main>:
  ...
  80483d5: c7 04 24 38 85 04 08   movl   $0x8048538,(%esp)
  80483dc: e8 17 ff ff ff         call   80482f8 <printf@plt>
  80483e1: 8d 45 f8               lea    0xfffffff8(%ebp),%eax
  80483e4: 89 44 24 04            mov    %eax,0x4(%esp)
  80483e8: c7 04 24 48 85 04 08   movl   $0x8048548,(%esp)
  80483ef: e8 e4 fe ff ff         call   80482d8 <scanf@plt>
  80483f4: 8b 45 f8               mov    0xfffffff8(%ebp),%eax
  80483f7: 83 f8 7b               cmp    $0x7b,%eax
  80483fa: 75 0e                  jne    804840a <main+0x46>
  80483fc: c7 04 24 4b 85 04 08   movl   $0x804854b,(%esp)
  8048403: e8 c0 fe ff ff         call   80482c8 <puts@plt>
  8048408: eb 0c                  jmp    8048416 <main+0x52>
  804840a: c7 04 24 54 85 04 08   movl   $0x8048554,(%esp)
  8048411: e8 b2 fe ff ff         call   80482c8 <puts@plt>
  8048416: b8 00 00 00 00         mov    $0x0,%eax
  ...
  8048423: c3                     ret
GNU Tools
Install GNU Tools
  apt-get install build-essential
  apt-get install gdb
Pre-requisite
  Bug & Warning
  Debugging
  Examples
Bug & Warning
Bug
  Grammar (missing comma)
    int a b;              corrected: int a, b;
  Semantics (a[2] is past the end of a two-element array)
    int a[2]; a[2]=2;     corrected: a[0]=2;
Warning (a is read before it is initialized)
  int a; b=a;             corrected: int a=0; b=a;
Debugging
Debugging = Find + Fix
Core Competency!
Compiling (hint: don't miss warnings)
  gcc -Wall -o test test.c
Debugging (hint: code review first)
  gdb test
Debugging
Debugging = Find + Fix + Experience
example#1:
  "Segmentation fault"
example#2:
  test.c:6: error: expected ‘,’ or ‘;’ before ‘struct’
  test.c:9: warning: data definition has no type or storage class
  test.c:9: warning: type defaults to ‘int’ in ...
  test.c:16: warning: (near initialization for ‘s’)
  test.c:16: error: storage size of ‘s’ isn’t known
  test.c:21: error: request for member ‘a’ in something not a structure or union
  test.c:16: warning: unused variable ‘s’
Examples
Example#1
  test.c: In function ‘main’:
  test.c:18: warning: implicit declaration of function ‘malloc’
Example#2
  test.c:6: error: expected ‘,’ or ‘;’ before ‘struct’
Example#4
  test.c:18: error: expected ‘;’ before ‘)’ token
  test.c:18: error: expected statement before ‘)’ token
Example#3
  test.c:18: error: ‘j’ undeclared (first use in this function)
Example#5
  test.c:27: error: conflicting types for ‘test’
  test.c:4: note: previous declaration of ‘test’ was here
Example#3
  test.c:19: warning: too few arguments for format
  test.c:22: warning: ‘x’ is used uninitialized in this function
Example#2
  test.c:16: warning: unused variable ‘s’
Example#4
  test.c: In function ‘main’:
  test.c:24: warning: control reaches end of non-void function
Example#1
  test.c:22: warning: ‘x’ is used uninitialized in this function
Example#5
  test.c: In function ‘test’:
  test.c:30: warning: assignment makes pointer from integer without a cast
It’s a joke ^o^
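It's a "Hello world!"
  #include <stdio.h>
  int main(void) {
      printf("hello world!\n");
      return 0;
  }

How about this code?
  #include <stdio.h>
  int main(void) {
      printf("hello world!\n");
      http://ipads.se.sjtu.edu.cn/courses/ics
      return 0;
  }
(It compiles: "http:" parses as a label and everything after "//" is a comment, so gcc -Wall only warns about an unused label.)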
Bomb!
  Binary Bomb
  Defuse Bomb
  Using GDB
Defuse Bomb
What is Bomb?
  Only a binary file
What should you do?
  Find the key and defuse the bomb!
What can you use?
  Anything from ICS course
  Any tools: gdb, strings, calculator, pencil, paper, objdump
Right key: Survive
Wrong key: Bomb!
Please See Carefully!
  A binary bomb
  Need a password to defuse it
Demo
  $ ./bomb
  input password:224
  bomb!...
  $
  $ ./bomb
  input password:123
  survive!
Step by Step
Machine Code to Assembly Code
  objdump -D bomb > asm
NAME
  objdump - display information from object files.
SYNOPSIS
  objdump [-d|--disassemble] [-D|--disassemble-all] ...
Find key functions and parameters
  scanf: where is the password stored?
  printf: which instruction will print "bomb"?
Find key strings
  "bomb", "survive" and "password"
Data bytes in the objdump -D output, with their ASCII values:
  ...
  8048538: 69 6e 70 75 74 20 70   imul $0x70207475,0x70 ...   "input p"
  804853f: 61                     popa                        "a"
  8048540: 73 73                  ...                         "ss"
  8048542: 77 6f                  ...                         "wo"
  8048544: 72 64                  ...                         "rd"
  8048546: 3a 00                  ...                         ":\0"
  8048548: 25 64 00               ...
  804854b: 73 75                  ...                         "su"
  804854d: 72 76                  ...                         "rv"
  804854f: 69 76 65 21 00         ...                         "ive!\0"
  8048554: 62 6f 6d               ...                         "bom"
  8048557: 62 21                  ...                         "b!"
  8048559: 2e                     ...                         "."
  804855a: 2e                     ...                         "."
  804855b: 2e                     ...                         "."
  ...

main with the string addresses replaced by the strings they point to:
080483c4 <main>:
  ...
  80483d5: c7 04 24 38 85 04 08   movl   password,(%esp)
  80483dc: e8 17 ff ff ff         call   80482f8 <printf@plt>
  80483e1: 8d 45 f8               lea    0xfffffff8(%ebp),%eax
  80483e4: 89 44 24 04            mov    %eax,0x4(%esp)
  80483e8: c7 04 24 48 85 04 08   movl   $0x8048548,(%esp)
  80483ef: e8 e4 fe ff ff         call   80482d8 <scanf@plt>
  80483f4: 8b 45 f8               mov    0xfffffff8(%ebp),%eax
  80483f7: 83 f8 7b               cmp    $0x7b,%eax
  80483fa: 75 0e                  jne    804840a <main+0x46>
  80483fc: c7 04 24 4b 85 04 08   movl   survive,(%esp)
  8048403: e8 c0 fe ff ff         call   80482c8 <puts@plt>
  8048408: eb 0c                  jmp    8048416 <main+0x52>
  804840a: c7 04 24 54 85 04 08   movl   bomb,(%esp)
  8048411: e8 b2 fe ff ff         call   80482c8 <puts@plt>
  8048416: b8 00 00 00 00         mov    $0x0,%eax
  ...
  8048423: c3                     ret
Find key operators
  jmp: changes control flow
  cmp: how the condition is judged
Password !
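The three manual steps above (key functions, key strings, key operators) can be scripted. The following Python is an added example, not part of the original slides: it parses main's listing as printed on the page, resolves each call's string argument against the data bytes the page dumps, and reads the cmp/jne pair. The names LISTING, DATA, cstring and analyze are made up for this example, and because the terminator of "bomb!..." is not in the dump, that string is read to the end of the known bytes.

```python
import re

# Constructed input: main's instructions as printed on the page (objdump -D bomb).
LISTING = """\
80483d5: c7 04 24 38 85 04 08 movl $0x8048538,(%esp)
80483dc: e8 17 ff ff ff call 80482f8 <printf@plt>
80483e1: 8d 45 f8 lea 0xfffffff8(%ebp),%eax
80483e4: 89 44 24 04 mov %eax,0x4(%esp)
80483e8: c7 04 24 48 85 04 08 movl $0x8048548,(%esp)
80483ef: e8 e4 fe ff ff call 80482d8 <scanf@plt>
80483f4: 8b 45 f8 mov 0xfffffff8(%ebp),%eax
80483f7: 83 f8 7b cmp $0x7b,%eax
80483fa: 75 0e jne 804840a <main+0x46>
80483fc: c7 04 24 4b 85 04 08 movl $0x804854b,(%esp)
8048403: e8 c0 fe ff ff call 80482c8 <puts@plt>
8048408: eb 0c jmp 8048416 <main+0x52>
804840a: c7 04 24 54 85 04 08 movl $0x8048554,(%esp)
8048411: e8 b2 fe ff ff call 80482c8 <puts@plt>
"""
# The data bytes the page dumps at 0x8048538..0x804855b, as one contiguous run.
DATA_BASE = 0x8048538
DATA = bytes.fromhex("696e7075742070617373776f72643a00" "256400"
                     "737572766976652100" "626f6d62212e2e2e")

INSN = re.compile(r"([0-9a-f]+):\s+(?:[0-9a-f]{2}\s+)+(\w+)\s*(.*)")

def cstring(addr):
    """Read a C string from DATA, like gdb's print/s (char *)ADDR."""
    off = addr - DATA_BASE
    if not 0 <= off < len(DATA):
        return None                      # address outside the dumped bytes
    end = DATA.find(b"\0", off)          # -1: terminator not in the dump
    return DATA[off:len(DATA) if end < 0 else end].decode("ascii")

def analyze(listing):
    """Return (calls, check): each call with its first argument resolved to
    a string, and the cmp/jne pair that tests the value scanf stored."""
    insns = [m.groups() for m in map(INSN.match, listing.splitlines()) if m]
    calls, check, arg = [], None, None
    for i, (addr, op, rest) in enumerate(insns):
        imm = re.match(r"\$0x([0-9a-f]+),", rest)
        if op == "movl" and rest.endswith(",(%esp)") and imm:
            arg = int(imm.group(1), 16)  # first stack argument of next call
        elif op == "call":
            name = re.search(r"<(\w+)@plt>", rest).group(1)
            calls.append((int(addr, 16), name, cstring(arg) if arg else None))
            arg = None
        elif (op == "cmp" and imm and i + 1 < len(insns)
              and insns[i + 1][1] == "jne"):
            check = {"addr": int(addr, 16), "key": int(imm.group(1), 16),
                     "mismatch_target": int(insns[i + 1][2].split()[0], 16)}
    return calls, check

if __name__ == "__main__":
    calls, check = analyze(LISTING)
    for addr, name, text in calls:
        print(f"{addr:#x}: {name}({text!r})")
    print(f"{check['addr']:#x}: key = {check['key']} ({check['key']:#x})")
```

The printf call, the cmp and the two puts calls it reports sit at the four addresses the GDB walkthrough uses as breakpoints. A constant compared in the clear like this is recoverable from the disassembly alone, without running the binary.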
Defuse bomb using GDB
  set breakpoints on the critical path
  watch registers and/or memory
  terminate the program on demand
  single-step execution
Can we do it more efficiently and safely?
Command
GDB
  gdb <file>
  break FUNC | *ADDR
  run
  print</?> $REG | ADDR
  continue | stepi | nexti
  quit
0x80483dc "password"
0x80483f7 "compare"
0x8048403 "survive"
0x8048411 "bomb"

$ gdb bomb
(gdb) break *0x80483dc
Breakpoint 1 at 0x80483dc
(gdb) break *0x80483f7
Breakpoint 2 at 0x80483f7
(gdb) break *0x8048403
Breakpoint 3 at 0x8048403
(gdb) break *0x8048411
Breakpoint 4 at 0x8048411
(gdb) run
Starting program: /home/rong/tut1/bomb
Breakpoint 1, 0x080483dc in main ()
(gdb) print/c *0x8048538
$3 = 105 'i'
(gdb) print/c *0x8048539
$4 = 110 'n'
(gdb) print/s (char *)0x8048538
$5 = 0x8048538 "input password:"
(gdb) c
Continuing.
input password:224

Breakpoint 2, 0x080483f7 in main ()
(gdb) print/d $eax
$8 = 224
(gdb) c
Continuing.

Breakpoint 4, 0x08048411 in main ()
(gdb) q
The program is running. Exit anyway? (y or n) y
$
Thanks