Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science

Week 5 - ETH Zürich

advertisement 
Exercise Session 5
Computer Architecture and
Systems Programming
Herbstsemester 2014
© Systems Group | Department of Computer Science | ETH Zürich
Exercise 5: Part 1
• More assembly pen&paper exercises
– Matching C code fragments to assembly fragments
–
Understanding assembly control flow
–
Translating assembly into C code
●
only use the given C variable names in your solution
–
Matching switch statement in C to it's assembly variant
–
Arrays in assembly
–
Structs in assembly
Exercise 5: Part 1
• Translating assembly into C code
foo:
pushq
movq
movq
movq
movl
incl
movl
movq
movq
popq
retq
%rbp
%rsp, %rbp
%rdi, %rdx
%rdi, %rax
(%rax), %eax
%eax
%eax, (%rdx)
$0, %rax
%rbp, %rsp
%rbp
Exercise 5: Part 1
• Translating assembly into C code
foo:
pushq
movq
movq
movq
movl
incl
movl
movl
movq
popq
retq
%rbp
%rsp, %rbp
%rdi, %rdx
%rdi, %rax
(%rax), %eax
%eax
%eax, (%rdx)
$0, %eax
%rbp, %rsp
%rbp
int foo(
return 0;
}
) {
Exercise 5: Part 1
• Translating assembly into C code
foo:
pushq
movq
movq
movq
movl
incl
movl
movq
movq
popq
retq
%rbp
%rsp, %rbp
%rdi, %rdx
%rdi, %rax
(%rax), %eax
%eax
%eax, (%rdx)
$0, %rax
%rbp, %rsp
%rbp
int foo(??? *x) {
?? = *x + 1;
return 0;
}
Exercise 5: Part 1
• Translating assembly into C code
foo:
pushq
movq
movq
movq
movl
incl
movl
movq
movq
popq
retq
%rbp
%rsp, %rbp
%rdi, %rdx
%rdi, %rax
(%rax), %eax
%eax
%eax, (%rdx)
$0, %rax
%rbp, %rsp
%rbp
int foo(int *x) {
*x = *x + 1;
return 0;
}
Exercise 5: Part 1
• Translating assembly into C code
foo:
pushq
movq
movq
movq
movl
incl
movl
movq
movq
popq
retq
%rbp
%rsp, %rbp
%rdi, %rdx
%rdi, %rax
(%rax), %eax
%eax
%eax, (%rdx)
$0, %rax
%rbp, %rsp
%rbp
int foo(int *x) {
*x = *x + 1;
return 0;
}
Exercise 5: Part 1
• Translating assembly into C code
foo:
pushq
movq
movq
movq
movl
incl
movl
movq
movq
popq
retq
%rbp
%rsp, %rbp
%rdi, %rdx
%rdi, %rax
(%rax), %eax
%eax
%eax, (%rdx)
$0, %rax
%rbp, %rsp
%rbp
int foo(int *x) {
*x = *x + 1;
return 0;
}
int main(void) {
int val = 0;
int r = foo(&val);
assert(val == 1
&& r == 0);
return 0;
}
Exercise 5: Part 1
• Translating assembly with jumps into C code
dog:
movl $1, %eax
cmpl %esi, %edi
jge .L2
.L1:
imull %edi, %eax
addl $2, %edi
cmpl %esi, %edi
jl .L1
.L2:
retq
int dog(int x, int y)
{
int i, result;
result = _____;
for (i = _; ___; ____)
{
result = ____;
}
return result;
}
Exercise 5: Part 1
• Translating assembly with jumps into C code
dog:
movl $1, %eax
cmpl %esi, %edi
jge .L2
.L1:
imull %edi, %eax
addl $2, %edi
cmpl %esi, %edi
jl .L1
.L2:
retq
int dog(int x, int y)
{
int i, result;
result = 1;
for (i = _; ___; ____)
{
result = ____;
}
return result;
}
Exercise 5: Part 1
• Translating assembly with jumps
C code
edi: x, esi: into
y
dog:
movl $1, %eax
cmpl %esi, %edi
jge .L2
.L1:
imull %edi, %eax
addl $2, %edi
cmpl %esi, %edi
jl .L1
.L2:
retq
compare x and y
goto .L2 if x >= y
int dog(int x, int y)
{
int i, result;
result = 1;
for (i = _; ___; ____)
{
result = ____;
}
return result;
}
Exercise 5: Part 1
• Translating assembly with%edi:
jumps
into
x, %esi:
y C code
dog:
movl $1, %eax
cmpl %esi, %edi
jge .L2
.L1:
imull %edi, %eax
addl $2, %edi
cmpl %esi, %edi
jl .L1
.L2:
retq
compare x and y
goto .L2 if x >= y
int dog(int x, int y)
{
int i, result;
result = result
x
result
= * 1;
for (i = _; ___; ____)
{
result = ____;
}
return result;
}
Exercise 5: Part 1
• Translating assembly with%edi:
jumps
into
x, %esi:
y C code
dog:
movl $1, %eax
cmpl %esi, %edi
jge .L2
.L1:
imull %edi, %eax
addl $2, %edi
cmpl %esi, %edi
jl .L1
.L2:
retq
compare x and y
goto .L2 if x >= y
int dog(int x, int y)
{
int i, result;
result = result
x
result
= * 1;
for (i = _; ___; ____)
{
result = ____;
}
x=x+2
return
compare x andresult;
y
} goto .L1 if x < y
Exercise 5: Part 1
• Translating assembly
%edi: x, %esi: y
compare x and y
with
jumps
goto .L2
if x >= yinto
C code
dog:
int dog(int x, int y)
movl $1, %eax
{
cmpl %esi, %edi
int i, result;
jge .L2
result = result
x
result
= * 1;
.L1:
for (i = _; x<y; x=x+2)
imull %edi, %eax
{
addl $2, %edi
result = ____;
cmpl %esi, %edi
}
jl .L1
return result;
.L2:
x=x+2
}
retq
compare x and y
goto .L1 if x < y
Exercise 5: Part 1
• Translating assembly
%edi: x, %esi: y
compare x and y
with
jumps
goto .L2
if x >= yinto
C code
dog:
int dog(int x, int y)
movl $1, %eax
{
cmpl %esi, %edi
int i, result;
jge .L2
result = result
x
result
= * 1;
.L1:
for (i = _; x<y; x=x+2)
imull %edi, %eax
{
addl $2, %edi
result = result * x;
cmpl %esi, %edi
}
jl .L1
return result;
.L2:
x=x+2
}
retq
compare x and y
goto .L1 if x < y
Exercise 5: Part 1
• Translating assembly with jumps into C code
dog:
movl $1, %eax
cmpl %esi, %edi
jge .L2
.L1:
imull %edi, %eax
addl $2, %edi
cmpl %esi, %edi
jl .L1
.L2:
retq
int dog(int x, int y)
{
int i, result;
result = 1;
for (i = _; x<y; x=x+2)
{
result = result * x;
}
return result;
}
Exercise 5: Part 1
• Translating assembly with jumps into C code
dog:
movl $1, %eax
cmpl %esi, %edi
jge .L2
.L1:
imull %edi, %eax
addl $2, %edi
cmpl %esi, %edi
jl .L1
.L2:
retq
int dog(int x, int y)
{
int i, result;
result = 1;
for (i = x; i<y; i=i+2)
{
result = result * i;
}
return result;
}
Exercise 5: Part 2
• Defuse the Bomb
• A 64-bit x86 binary (the bomb) has been uploaded to
your SVN directory
• Figure out what inputs (passwords) it wants to
defuse a number of stages
• Provide the correct password to go to the next stage
• Difficulty increases with the every stage
Exercise 5
• Try to defuse all stages
• Your binary does not contain debug symbols
• You can share your progress and view the progress of
your friends
Link is on the course website.
Exercise 5
• This exercise will test your debug and reverse
engineering skills
• You’ll have to read and understand assembly
• You’ll have to learn how to use a debugger (gdb)
• It is possible to solve the exercise without the
debugger, but the last couple of stages are pretty
tricky
GDB – GNU Debugger
• Commandline tool for debugging C programs
• Compile with gcc using the -g option
gcc –g –o main main.c
• Tutorials
http://www.cs.cmu.edu/~gilpin/tutorial/
http://www.unknownroad.com/rtfm/gdbtut/gdbuse.html
• Cheat Sheet (see course website)
GDB – GNU Debugger
A very powerful debugger but unfortunately not very
user-friendly.
• (Somewhat) better interface
• Split screen code and commands: gdb –tui
– use layout asm to get assembly instead of source code view
• Or use: cgdb
sudo apt-get install cgdb
• GUIs for GDB
•
•
DDD (http://www.gnu.org/software/ddd/)
Kdbg (http://www.kdbg.org/)
GDB – A typical session
1.$ gdb your_executable
Starts gdb with your_executable as input. Does not
start the executable yet.
2.break place
Places a breakpoint at place.
– function_name
– line_number (of current c-file)
– file:line_number (of another c-file)
3.run
Starts running the program and breaks at the first breakpoint
4.kill
Kills the program. You can run it again using run.
GDB – Stepping
• step
go to next instruction (source line)
• next
same as step, but don’t dive into functions
• finish
continue to the end of the current function
• continue
continue normal execution (until the next
breakpoint)
New in GDB 7
• reverse-stepi
Step backward one instruction
• reverse-next
Step backward but don’t go into function calls
• reverse-contnue
Continue program but in reverse
• reverse-finish
Execute backward until just before the stack frame
You may need to type “target record” after “run” to enable
these features!
GDB – Introspection
• print expr
– expr can be a variable or even an expression concerning a variable
– e.g. print x, print x+1, print x+y, print &x
• display expr
– like print, but prints out variable after each step
– use undisplay expr do remove expr from the list
• x/nfu address
prints out memory where
– n is the number of units to be shown (1,2,3,…)
– f is the format (c,d,i…) like in C printf()
– u is the type of units to be shown
•
•
•
•
b=byte
h=half-word (2 bytes)
w=word (4 bytes)
g=giant word (8 bytes)
GDB – Reusing Expressions
• Each time you call print, the result is not only
printed, but also stored in a new variable.
• This variables look like this: $1, $2, $3,…
• You can even use them in expressions, which
may be very useful, especially if $1 is a pointer
to a large chunk of memory that you would like
to print out.
e.g. x\10cb $1
will print out 10 chars located at address $1.
GDB – Command Files
• Nice to have: $HOME/.gdbinit
– Loaded every time you run gdb
– Use for basic settings and definition of macros
• Or use a specific command file:
$ gdb –x <command file> <binary>
GDB – Command Files
• Useful .gdbinit for bomb-lab
display/10i $eip
display/x $eax
display/x $ebx
display/x $ecx
display/x $edx
display/x $edi
display/x $esi
display/x $ebp
display/32xw $esp
Demo
Short demo on example bomb
● Has three phases
● Similar to first three phases of exercise bombs
Related documents
US-EDI-Teacher-Instruction-Sheet-for-software
US-EDI-Teacher-Instruction-Sheet-for-software
Plan for today Instruction selection for x86-64
Plan for today Instruction selection for x86-64
This is “Halstead`s Software Science”
This is “Halstead`s Software Science”
EDI registration form - Department of Agriculture
EDI registration form - Department of Agriculture
MidtermReviewQuestions
MidtermReviewQuestions
Processing Tutorial 1: Loops
Processing Tutorial 1: Loops
UCF Textbook Scholarship Application Cover
UCF Textbook Scholarship Application Cover
Lecture 10: Machine-Level Programming IV: Data
Lecture 10: Machine-Level Programming IV: Data
Download
advertisement