CSAPP bomblab phase1

最近学习了CSAPP的第三章并做了一下bomblab,感觉很有意思,接下来整理一下笔记。

phase1比较简单,主要是熟悉一下gdb的使用。

gdb的基本用法

run:启动程序

break *addr:在指定地址打一个断点

step:使程序继续执行

stepi:单步执行

disassemble funcname:得到汇编代码

print (char*) *addr:指定类型输出指定地址的数据

x /x $rsp: 输出栈内存段指定地址的数据

phase1解析

首先执行disassemble main得到main函数的反汇编

   0x0000000000400e14 <+116>:   callq  0x400c20 <exit@plt>
   0x0000000000400e19 <+121>:   callq  0x4013a2 <initialize_bomb>
   0x0000000000400e1e <+126>:   mov    $0x402338,%edi
   0x0000000000400e23 <+131>:   callq  0x400b10 <puts@plt>
   0x0000000000400e28 <+136>:   mov    $0x402378,%edi
   0x0000000000400e2d <+141>:   callq  0x400b10 <puts@plt>
   0x0000000000400e32 <+146>:   callq  0x40149e <read_line>
   0x0000000000400e37 <+151>:   mov    %rax,%rdi
   0x0000000000400e3a <+154>:   callq  0x400ee0 <phase_1>
   0x0000000000400e3f <+159>:   callq  0x4015c4 <phase_defused>
   0x0000000000400e44 <+164>:   mov    $0x4023a8,%edi
   0x0000000000400e49 <+169>:   callq  0x400b10 <puts@plt>
   0x0000000000400e4e <+174>:   callq  0x40149e <read_line>
   0x0000000000400e53 <+179>:   mov    %rax,%rdi
   0x0000000000400e56 <+182>:   callq  0x400efc <phase_2>
   0x0000000000400e5b <+187>:   callq  0x4015c4 <phase_defused>
   0x0000000000400e60 <+192>:   mov    $0x4022ed,%edi
   0x0000000000400e65 <+197>:   callq  0x400b10 <puts@plt>
   0x0000000000400e6a <+202>:   callq  0x40149e <read_line>
   0x0000000000400e6f <+207>:   mov    %rax,%rdi
   0x0000000000400e72 <+210>:   callq  0x400f43 <phase_3>
   0x0000000000400e77 <+215>:   callq  0x4015c4 <phase_defused>
   0x0000000000400e7c <+220>:   mov    $0x40230b,%edi
   0x0000000000400e81 <+225>:   callq  0x400b10 <puts@plt>
   0x0000000000400e86 <+230>:   callq  0x40149e <read_line>
   0x0000000000400e8b <+235>:   mov    %rax,%rdi
   0x0000000000400e8e <+238>:   callq  0x40100c <phase_4>
   0x0000000000400e93 <+243>:   callq  0x4015c4 <phase_defused>
   0x0000000000400e98 <+248>:   mov    $0x4023d8,%edi
   0x0000000000400e9d <+253>:   callq  0x400b10 <puts@plt>
   0x0000000000400ea2 <+258>:   callq  0x40149e <read_line>
   0x0000000000400ea7 <+263>:   mov    %rax,%rdi
   0x0000000000400eaa <+266>:   callq  0x401062 <phase_5>
   0x0000000000400eaf <+271>:   callq  0x4015c4 <phase_defused>
   0x0000000000400eb4 <+276>:   mov    $0x40231a,%edi
   0x0000000000400eb9 <+281>:   callq  0x400b10 <puts@plt>
   0x0000000000400ebe <+286>:   callq  0x40149e <read_line>
   0x0000000000400ec3 <+291>:   mov    %rax,%rdi
   0x0000000000400ec6 <+294>:   callq  0x4010f4 <phase_6>
   0x0000000000400ecb <+299>:   callq  0x4015c4 <phase_defused>

可见有六个阶段的拆除步骤,接下来执行disassemble phase_1

   0x0000000000400ee0 <+0>:     sub    $0x8,%rsp
   0x0000000000400ee4 <+4>:     mov    $0x402400,%esi
   0x0000000000400ee9 <+9>:     callq  0x401338 <strings_not_equal>
   0x0000000000400eee <+14>:    test   %eax,%eax
   0x0000000000400ef0 <+16>:    je     0x400ef7 <phase_1+23>
   0x0000000000400ef2 <+18>:    callq  0x40143a <explode_bomb>
   0x0000000000400ef7 <+23>:    add    $0x8,%rsp
   0x0000000000400efb <+27>:    retq

test %eax,%eax 对 eax 与自身做 and 运算,只更新标志位而不改变 eax;je 在结果为 0(ZF=1)时跳转,即 strings_not_equal 返回 0 时跳过 explode_bomb,否则就会引爆炸弹。根据函数名可以推断,需要输入的字符串与某个字符串相等。进入strings_not_equal查看

   0x0000000000401338 <+0>:     push   %r12
   0x000000000040133a <+2>:     push   %rbp
   0x000000000040133b <+3>:     push   %rbx
   0x000000000040133c <+4>:     mov    %rdi,%rbx
   0x000000000040133f <+7>:     mov    %rsi,%rbp
   0x0000000000401342 <+10>:    callq  0x40131b <string_length>
   0x0000000000401347 <+15>:    mov    %eax,%r12d
   0x000000000040134a <+18>:    mov    %rbp,%rdi
   0x000000000040134d <+21>:    callq  0x40131b <string_length>
   0x0000000000401352 <+26>:    mov    $0x1,%edx
   0x0000000000401357 <+31>:    cmp    %eax,%r12d
   0x000000000040135a <+34>:    jne    0x40139b <strings_not_equal+99>
   0x000000000040135c <+36>:    movzbl (%rbx),%eax
   0x000000000040135f <+39>:    test   %al,%al
   0x0000000000401361 <+41>:    je     0x401388 <strings_not_equal+80>
   0x0000000000401363 <+43>:    cmp    0x0(%rbp),%al
   0x0000000000401366 <+46>:    je     0x401372 <strings_not_equal+58>
   0x0000000000401368 <+48>:    jmp    0x40138f <strings_not_equal+87>
   0x000000000040136a <+50>:    cmp    0x0(%rbp),%al
   0x000000000040136d <+53>:    nopl   (%rax)
   0x0000000000401370 <+56>:    jne    0x401396 <strings_not_equal+94>
   0x0000000000401372 <+58>:    add    $0x1,%rbx
   0x0000000000401376 <+62>:    add    $0x1,%rbp
   0x000000000040137a <+66>:    movzbl (%rbx),%eax
   0x000000000040137d <+69>:    test   %al,%al
   0x000000000040137f <+71>:    jne    0x40136a <strings_not_equal+50>
   0x0000000000401381 <+73>:    mov    $0x0,%edx
   0x0000000000401386 <+78>:    jmp    0x40139b <strings_not_equal+99>
   0x0000000000401388 <+80>:    mov    $0x0,%edx #相等返回0结束
   0x000000000040138d <+85>:    jmp    0x40139b <strings_not_equal+99>
   0x000000000040138f <+87>:    mov    $0x1,%edx
   0x0000000000401394 <+92>:    jmp    0x40139b <strings_not_equal+99>
   0x0000000000401396 <+94>:    mov    $0x1,%edx #不相等返回1
   0x000000000040139b <+99>:    mov    %edx,%eax
   0x000000000040139d <+101>:   pop    %rbx
   0x000000000040139e <+102>:   pop    %rbp
   0x000000000040139f <+103>:   pop    %r12
   0x00000000004013a1 <+105>:   retq

rsi 中存放的是需要比较的字符串的地址(x86-64 下 rdi、rsi 分别是第 1、2 个参数寄存器:rdi 是 main 中 read_line 返回的输入行,phase_1 没有改动它;rsi 则是 phase_1 里写死的 0x402400),执行命令print (char*) 0x402400得到答案Border relations with Canada have never been better.

原文地址:https://www.cnblogs.com/PanYuDi/p/15069517.html