00000000004005bc <explode_bomb>:
4005bc:
55
push %rbp
4005bd: 48 89
e5
mov %rsp,%rbp
4005c0: bf 34 07 40
00
mov $0x400734,%edi
4005c5: e8 c6 fe ff
ff
callq 400490 <puts@plt>
4005ca:
5d
pop %rbp
4005cb:
c3
retq
00000000004005cc <func>:
4005cc:
55
push %rbp
4005cd: 48 89
e5
mov %rsp,%rbp
4005d0: 89 7d
fc
mov %edi,-0x4(%rbp)
4005d3: 89 75
f8
mov %esi,-0x8(%rbp)
4005d6: 89 55
f4
mov %edx,-0xc(%rbp)
4005d9: 83 7d fc
01
cmpl $0x1,-0x4(%rbp)
4005dd: 75
0a
jne 4005e9
<func+0x1d>
4005df: 8b 45
f4
mov -0xc(%rbp),%eax
4005e2: 8b 55
f8
mov -0x8(%rbp),%edx
4005e5: 01
d0
add %edx,%eax
4005e7: eb
07
jmp 4005f0
<func+0x24>
4005e9: 8b 45
f8
mov -0x8(%rbp),%eax
4005ec: 0f af 45
f4
imul -0xc(%rbp),%eax
4005f0:
5d
pop %rbp
4005f1:
c3
retq
00000000004005f2 <read_three_numbers>:
4005f2:
55
push %rbp
4005f3: 48 89
e5
mov %rsp,%rbp
4005f6: 48 83 ec
20
sub $0x20,%rsp
4005fa: 48 89 7d
f8
mov %rdi,-0x8(%rbp)
4005fe: 48 89 75
f0
mov %rsi,-0x10(%rbp)
400602: 48 89 55
e8
mov %rdx,-0x18(%rbp)
400606: 48 8b 4d
e8
mov -0x18(%rbp),%rcx
40060a: 48 8b 55
f0
mov -0x10(%rbp),%rdx
40060e: 48 8b 45
f8
mov -0x8(%rbp),%rax
400612: 48 89
c6
mov %rax,%rsi
400615: bf 43 07 40
00
mov $0x400743,%edi
40061a: b8 00 00 00
00
mov $0x0,%eax
40061f: e8 9c fe ff
ff
callq 4004c0 <__isoc99_scanf@plt>
400624:
c9
leaveq
400625:
c3
retq
0000000000400626 <main>:
400626:
55
push %rbp
400627: 48 89
e5
mov %rsp,%rbp
40062a: 48 83 ec
10
sub $0x10,%rsp
40062e: 48 8d 55
f4
lea -0xc(%rbp),%rdx
400632: 48 8d 4d
f8
lea -0x8(%rbp),%rcx
400636: 48 8d 45
fc
lea -0x4(%rbp),%rax
40063a: 48 89
ce
mov %rcx,%rsi
40063d: 48 89
c7
mov %rax,%rdi
400640: e8 ad ff ff
ff
callq 4005f2 <read_three_numbers>
400645: 8b 45
fc
mov -0x4(%rbp),%eax
400648: 83 f8
01
cmp $0x1,%eax
40064b: 75
0c
jne 400659
<main+0x33>
40064d: b8 00 00 00
00
mov $0x0,%eax
400652: e8 65 ff ff
ff
callq 4005bc <explode_bomb>
400657: eb
2d
jmp 400686
<main+0x60>
400659: 8b 55
f4
mov -0xc(%rbp),%edx
40065c: 8b 4d
f8
mov -0x8(%rbp),%ecx
40065f: 8b 45
fc
mov -0x4(%rbp),%eax
400662: 89
ce
mov %ecx,%esi
400664: 89
c7
mov %eax,%edi
400666: e8 61 ff ff
ff
callq 4005cc <func>
40066b: 83 f8
18
cmp $0x18,%eax
40066e: 74
0c
je 40067c
<main+0x56>
400670: b8 00 00 00
00
mov $0x0,%eax
400675: e8 42 ff ff
ff
callq 4005bc <explode_bomb>
40067a: eb
0a
jmp 400686
<main+0x60>
40067c: bf 4c 07 40
00
mov $0x40074c,%edi
400681: e8 0a fe ff
ff
callq 400490 <puts@plt>
400686: b8 00 00 00
00
mov $0x0,%eax
40068b:
c9
leaveq
40068c:
c3
retq
40068d: 0f 1f
00
nopl (%rax)
In this exercise, you will learn how to use GDB and prepare to
do Lab 2. This program is simple and easy for you to check in each
step.
The bombt is an executable. You can directly run the program by
using ./bombt
I wrote a C program and use gcc -o bombt bombt.c to generate
bombt
If you want to see the assembly code, use
objdump -d bombt
You can also save it to a file
objdump -d bombt > bombt.txt
The output of objdump -d bombt will be saved to bombt.txt
You can read bombt.txt by using any editor or use
cat bombt.txt
You should pay attention to the functions: main,
read_three_numbers, fund, explode_bomb. The functions of main and
func are the most important ones.
Your job is to find three integers so that the program will run
till the end without exploding the bomb. There are many
solutions, so just get one solution. You will use gdb to
find out the three numbers.
To use gdb, run:
>gdb bombt
(gdb) disas main
==== give the assembly code for main function
==== see there, you will find some function calls:
read_three_numbers, fund, explode_bomb
==== The next command of disas will disassemble the code for
fund and read_three_numbers
(gdb) disas func
(gdb) disas read_three_numbers
===== In read_three_numbers, you will find this function
calls scanf
(gdb) b main
==== This break command will set a breakpoint at the beginning
of main function.
==== breakpoint means that when you run the program , it will
stop at the next breakpoint
(gdb) r
==== now we run the program and it will pause at the next
breakpoint, in our case, the main function
(gdb) disas
==== you will see the current instruction that will be executed
next.
(gdb) si
==== use step to execute the program by one
instruction. The program will go to the next instruction
(gdb) b *0x0804851a
==== let the breakpoint be at the instruction address
0x0804851a
(gdb) c
==== continue run our program. now we get to 0x0804851a
==== during this process, the program will wait for you to
input three integers.
==== for example, you can type in 1 2 3
(gdb) disas
==== to check where we are now
(gdb) x/1xw 0x1c+$esp
==== this command displays the content of memory at address
0x1c+$rsp. 1xw: x means hexadecimal form, w means 32 bits word, 1
means 1 word (4 bytes)
==== we use $rsp instead of %esp in gdb for registers
(gdb) x/40wx $rsp
==== displays the content of memory starting at address $rsp,
shown 40 words (40 four bytes)in hexadecimal form
(gdb) x/20wx 0xffffd150
==== show 20 words in hexadecimal form of the memory starting
at 0xffffd150
==== you will see the numbers you input 1 2 3
==== now pretty much you know where the three numbers are
stored in memory.
(gdb) p/x $rip
==== You can also use this command to check which
instruction will be executed next
(gdb) p/x $rsp
(gdb) p/x $rax
===== p command shows the content of resisters.
(gdb) quit
==== to quit GDB