EC312 Security Exercise 3

Part 1: Initial Set-up
Open VMware and power on the EC310 virtual machine. You should be in your home directory:
List the various files and directories using ls. You should see:
Shown pictorially, the files and directories under your home directory look like this:
As you progress through the course, you should ensure the programs you are working on are located in your
work directory. The program you will use today is named sx3.c and it is in the ec310code directory:
We need to copy this file to the work directory. To copy the file named sx3.c from the ec310code
directory to the work directory, carefully enter the following at the home directory prompt:
midshipman@EC310:~ $ cp ec310code/sx3.c work
(Enter this at the home directory prompt. Make sure you are at your home directory!)
If all went well, you should have a copy of sx3.c in your work directory.
Verify that you have sx3.c in your work directory by changing to the work directory:
cd work
and then listing the files in the work directory:
ls
You should see the sx3.c file (along with perhaps some additional files from last lab):
If you do not have sx3.c in your work directory, STOP and ask your instructor or lab tech for help.
Otherwise, proceed to Part 2.
Part 2: Running the C Program
You should now be in the work directory:
Examine the program sx3.c using nano (i.e., type in: nano sx3.c ). The C program is shown below:
#include<stdio.h>
int main( )
{
int x;
x = 5;
if( x == 4)
printf( "Army\n");
else
printf("Navy\n");
}
Note that this is a silly program, because it is designed to always print out Navy. In other words, this program
has no need for an if-else statement. We have intentionally written the program this way to give you
practice traipsing through memory.
Save the program by entering Control-o (where that is the letter o, not the number 0) saving the file under
its current name, and exit nano by entering Control-x.
Compile your program using gcc:
gcc -g sx3.c
and then run your program
./a.out
to confirm it executes as expected. If your program is not working, STOP and ask your instructor or lab
tech for help. Otherwise, proceed to Part 3.
Part 3: Program Autopsy: Case 2
Set up the debugger using the code shown below:
gdb -q ./a.out
After you press enter, you should see a line of gobbledygook (Using host libthread…) and then you should see
the prompt change to (gdb) indicating that you are using the debugger. Then continue by entering the
following commands (hitting ENTER after each command).
set dis intel
list
disassemble main
break main
run
Here is a screen capture of the assembly code you should see:
[Screen capture of the gdb disassembly; callout reads: "Program has stopped here, at this breakpoint."]
Notice that the program has stopped at the breakpoint shown above. The line:
Breakpoint 1 at 0x8048384: file sx3.c, line 5.
means, in English: The next instruction that will be executed (but has not yet been executed) is stored in address
0x8048384. If we look for this address in the top part of the assembly code, we quickly find it:
Question 1:
From the picture above, what should be the current value of the instruction pointer (i.e.,
what address is stored in the instruction pointer)? Verify your answer by inspecting the
value of the instruction pointer by entering: i r eip
Question 2:
What is the next assembly language instruction that will be executed (but has not yet
been executed)?
Look at the line of code:
mov DWORD PTR [ebp-4],0x5
What is this assembly language code trying to accomplish? In English, this assembly language instruction is
saying:
Place the value 5 in main memory at the location that has the address: ebp-4.
Recall that ebp is one of the CPU's registers. Specifically, ebp points to one end of the region in main memory
that the program has available to store the variables and values that it needs. Again: ebp holds an address.
Whatever value is in ebp, the value of "ebp-4" will be the address four bytes earlier than ebp:
So, the instruction
mov DWORD PTR [ebp-4],0x5
would place the value 5 in the memory location specified by ebp-4:
Question 3:
In my illustrative example on the prior page, where I entered the value 5 into address
baaaa810, why did I block out (in blue) four bytes of memory?
Recall that our C program is:
#include<stdio.h>
int main( )
{
int x;
x = 5;
if( x == 4)
printf( "Army\n");
else
printf("Navy\n");
}
And the next assembly language instruction that will be executed (but has not yet been executed) is:
mov DWORD PTR [ebp-4],0x5
Question 4:
What line(s) of C code does this assembly language correspond to?
Now, execute one line of machine code—the line above—by entering nexti
So… you have just executed the instruction mov DWORD PTR [ebp-4],0x5.
Question 5:
Examine the assembly language code shown on page 104. What values do you expect to
be stored in the instruction pointer? Verify your answer by examining the value of eip.
(You know how to do this! i r eip .)
If your answer to Question 5 did not end in the hexadecimal number b, then STOP and ask your instructor
or lab tech for help. Otherwise, proceed to Part 4.
Part 4: Program Autopsy Continued
Recall that the assembly language instruction you recently executed, mov DWORD PTR [ebp-4],0x5,
places the value 5 in the memory location specified by ebp-4. Let's see if this is accurate!
Question 6:
What is the value stored in ebp?
Question 7:
What is the value of ebp-4?
Question 8:
Examine memory to determine what is stored in the address specified by ebp-4 . Use
the examine command: x/x followed by the address you want to examine. For
example, if you want to look at the contents of memory location 0xbffff800 you
would enter x/x 0xbffff800.
Question 9:
In the picture below, which shows a section of the stack, fill in the value of ebp, write
the addresses next to all memory locations, and fill in the values stored in locations.
Specifically, fill in the hex value corresponding to the byte stored at each memory
location shown in the diagram. (This picture is also replicated on your answer sheet.)
Now look at the next line of code that will be (but has not yet been) executed:
cmp DWORD PTR [ebp-4],0x4
In x86 assembly language, cmp means compare. Specifically, this line of code is comparing the value stored at
the address ebp-4 to the value 4.
Question 10: Are the two values (the value stored at location ebp-4 and the integer 4) equal to
each other or not equal to each other?
Question 11: Look again at your C program. What portion of C code do you think the assembly
language instruction
cmp DWORD PTR [ebp-4],0x4
corresponds to?
Now, execute one line of code by entering nexti.
You have just executed the instruction: cmp DWORD PTR [ebp-4],0x4.
Question 12: By looking at the value stored in the instruction pointer, and by looking at the assembly
language code shown on page 104, what is the next line of assembly code that will be
executed (but has not yet been executed)?
If your answer to Question 12 did not end in the hexadecimal number f, then STOP and ask your
instructor or lab tech for help. Otherwise, proceed to Part 5.
Part 5: Program Autopsy Continued Continued
Look at the instruction:
jne 0x804839f
In x86, jne stands for jump if not equal. Recall that the preceding instruction did a comparison, and, based on
the results of the comparison, we will have the answer:
Yes, the two items that were compared are equal
or
No, the two items that were compared are not equal.
So the line of code jne 0x804839f means, in English:
If the two items we just compared are not equal, jump to the instruction at address 0x804839f.
Otherwise (if the items were equal), just continue with the next instruction in sequence.
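As an added illustration (not from the handout or from sx3.c), the following C model captures what cmp and jne do with the zero flag for the two values of x used in this exercise and in Part 7. The addresses are the ones printed in the handout, except the jne's own address, which is an assumption marked in the code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the compare-and-branch pair the lab steps through:
 *   cmp DWORD PTR [ebp-4],0x4    sets ZF when [ebp-4] == 4
 *   jne 0x804839f                taken only when ZF is clear          */
#define JNE_TARGET 0x804839fu  /* from the listing: the path that prints "Navy" */
#define STR_NAVY   0x804848au  /* stored by mov DWORD PTR [esp],0x804848a on that path */
#define STR_ARMY   0x8048484u  /* the other string address (Question 19) */
#define JNE_ADDR   0x804838fu  /* ASSUMED: the lab only says eip ends in "f" after cmp */
#define JNE_LEN    2u          /* a short jne (opcode 75 + rel8) is two bytes long */

typedef struct {
    uint32_t eip;  /* address of the next instruction to execute */
    bool     zf;   /* zero flag: written by cmp, read by jne */
} cpu_t;

/* cmp computes lhs - rhs, discards the result and keeps only the flags;
 * ZF is the one jne looks at. */
void x86_cmp(cpu_t *cpu, uint32_t lhs, uint32_t rhs) {
    cpu->zf = ((lhs - rhs) == 0);
}

/* jne: if ZF is clear, eip becomes the target; otherwise eip just advances
 * past the jne to the next instruction in sequence. */
void x86_jne(cpu_t *cpu, uint32_t target) {
    cpu->eip = cpu->zf ? cpu->eip + JNE_LEN : target;
}

/* Execute the two instructions with x sitting at [ebp-4] and return the CPU state. */
cpu_t run_branch(int x) {
    cpu_t cpu = { .eip = JNE_ADDR, .zf = false };
    x86_cmp(&cpu, (uint32_t)x, 4u);
    x86_jne(&cpu, JNE_TARGET);
    return cpu;
}

/* Which string address the program goes on to push for printf. */
uint32_t string_selected_for(int x) {
    return run_branch(x).eip == JNE_TARGET ? STR_NAVY : STR_ARMY;
}

int main(void) {
    for (int x = 4; x <= 5; x++) {      /* x = 5 is sx3.c, x = 4 is the Part 7 variant */
        cpu_t cpu = run_branch(x);
        printf("x = %d: ZF=%d, next eip = 0x%08x, prints string at 0x%08x\n",
               x, cpu.zf, (unsigned)cpu.eip, (unsigned)string_selected_for(x));
    }
    return 0;
}
```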
Question 13: Do you expect that after we execute the assembly language instruction
jne 0x804839f
the CPU will jump to 0x804839f as the next instruction? Explain.
Now, execute one line of code by entering nexti. This will execute the line:
jne 0x804839f
Question 14: What is the new value of the instruction pointer? Explain.
Question 15: What is the next line of assembly language code that will be executed? (Look at the
address in the eip register and find the corresponding assembly language instruction.)
Let’s examine the assembly language instruction:
mov DWORD PTR [esp],0x804848a
This essentially says: The variable esp holds an address. Place the value 0x804848a in the location
specified by this address. So, for example, if esp holds the address 56, then this will place the value
0x804848a in memory location 56.
Execute this instruction by entering nexti.
Question 16. The picture below shows a portion of the program's stack in main memory. Notice that
the value 5 is stored at addresses bffff814 – bffff817. Complete the picture by
filling in the value of the stack pointer (esp) as well as the contents of memory locations
bffff810 – bffff813. Note that this figure is replicated on your answer sheet.
STOP. Show your instructor or lab tech your answer to Question 16. Then proceed to Part 6.
Part 6: Be a Hacker!
Our program is very interested in the address 0x804848a. It took the time to store this value on the stack, and
the stack is used to store information the program needs to successfully execute.
Question 17: Investigate what is so special about address 0x804848a . Look inside this address
using the x/x command. Be a sleuth! Why does this address matter? (Hint: there are
characters stored there!)
The remaining part of the program simply prints the string of characters at address 0x804848a to the
monitor.
To exit out of the debugger, enter: quit . When you are asked:
The program is running.
Exit anyway? (y or n)
select y.
Part 7: EXTRA CREDIT Program Autopsy: Case 3
Using nano, change your C program by replacing the line
x = 5;
with the line
x = 4;
Then run the program line-by-line in the debugger (gdb) as before.
Question 18: Your first breakpoint was at main. As you execute the program by repeatedly entering
nexti, what is the first line of assembly language that is executed in this program that
was not executed in the prior program?
Question 19: What is the significance of the number 0x8048484 which appears in the assembly
code?
EC312 Security Exercise 3
Name:
Question 1:
Question 2:
Question 3:
Question 4:
Question 5:
Question 6:
Question 7:
Question 8:
Question 9:
Question 10:
Question 11:
Question 12:
Question 13:
Question 14:
Question 15:
Question 16:
Question 17:
EXTRA CREDIT
Question 18:
Question 19: