CSAPP phase
这个阶段很有意思,考察了两个知识点,一方面是数组在内存中的存储,另一方面,其采用了一个简单加密算法,对字符数组进行了加密,也就意味着需要破解密钥才能打开这关。作者花了不少时间解决这关,成就感当然也很大啦~
另外,作者想用英语写文章,提高自己的英语表达能力,可能有的地方并不流畅,还请原谅~
At the begining,I didn't find the point which this phase wants to exam.After reading the assemble code,it's obvious to find some functions like
In some way ,we can regard 'string' as a array filled with 'char',whose size is one-byte.So I thought this phase_5 is to exam our mastery of knowledge about ' how data stroed in memory'.
(1) The first part of code shows the first condition we have to satisfy.
Let's focus on the address 0x40107a--0x401084,There is a very important function residing in this section,function
As we all know,the result of function will be stored in register %rax,we can conclude the action of this function from its name.
That is , what is output is the length of the input string.
The instruction , cmp $0x6,%eax, tells us that the right length of string we input should be six,otherwise,the bomb will be blowed up.
(3) The last part shows the second condition we have to satisfy.
When I find the solution of this program,I didn't get to the next part of assemble code linearly. Another function called 'strings_not_equal' caught my eyes.
In addition,there is no way to explode bomb between (1) and function
So we notice that the result returning from
OK,In function
This function would be called by many other functions,so when I do a experiment,I found this part just test whether the length of string is equal to six.So,In my point of view ,this part makes no sense.
So,we follow the code.
This part is quite important.
movzbl (%rbx),%eax . The (%rbx) refers to the memory,let's see the content in this address.
At the begining,I was confused by these consequence, becasuse what I input is 'abcdef',but when program comes to here.The data stored in memory hasbecome to 'aduier'.So,there are only two possibilities,'aduier' is final result ,or the program between (1) and (3) did something to my primitive data.
Here is an obvious compare instruction,So,let's see it.
OK,the string pointed by %rbp is 'flyers',Oh,it 's quite regular,we have to admit. So I guess here 'flyers' is the right answer. Well ,if you don't trust me ,you can do some expriments to test.You will find the string pointed by %rbp won't change,but the string pointed by %rbx will be changed with the input.
There is only one case to satisfy this situation.The program between (1) and (3) do something to our input, in other words , even we know the right answers,if we wants to know the 'secret code' to input,we have to know the map (映射),which maps 'abcdef' to 'aduier'.
(2) The second part of assemble code which contains the MAP (映射,密钥) .
What actually works is only these code in white background.At the start,%rax is equal to 0,%rbx stands for the input string.So the first instruction means retrieve the character from memory one by one and then store it in another place pointed by %rsp.Meantime,to the %rdx.
The map indeed is the instruction
and $0xf,%rdx
That's the map
So ,in other word,every character will be regarded as a number and do a opreate called '&'.Well,but here is not a happy ending.
Because the character was not encode in ASCII ,which means even you get the number corresponding to input char ,you can't get the final char from this number.You need a table to complete it.
Here you gets the table ,we have already known %rdx is the result of first procedure.
The seconde procedure is a table which map number to character.
It's quite long.But what we need is the index stored in %edx.So I just keep going until I found the whole 'flyers'
So we know the %edx should be the number '9', '15','14','5','6','7' in a order.
And now,this problem has changed to be find the character to make it be '9',...'7'.
Here shows the encode of character 'a',that's 97.
'0xf'=00001111(binary),and the operate is '&',so even I change the 4 high-bits of operand,the result makes no difference.
That means 0110abcd is equal to 0000abcd.
besides 0110 0000 =96 .
So the primitive number is '9' --107, '15'--111,...'7'--103
As you already know,a--97,so you will easy to know 107--i
You can counter it one by one ,and you will know the answer is 'ionefg'.
OK,get it.~