csapp bomb lab phase_5


This phase is quite interesting and tests two things: on one hand, how arrays are stored in memory; on the other hand, it applies a simple encryption algorithm to a character array, which means you have to recover the key in order to pass this stage. The author spent a fair amount of time on it, and the sense of achievement was correspondingly large~

Also, the author wants to write this article in English to improve his English writing; some places may not read fluently, so please forgive that~

At the beginning, I didn't see what this phase wants to test. After reading the assembly code, it was easy to spot a few called functions, and the inference I drew from their names is that this phase must have something to do with strings. Besides, the next chapter in CSAPP is about data, which discusses arrays and structs. As we all know, a string is a kind of array whose special feature is its terminating '\0'.

In a way, we can regard a string as an array filled with char, each element one byte in size. So I thought phase_5 is meant to test our mastery of how data is stored in memory.

(1) The first part of the code shows the first condition we have to satisfy.

(Figure 1)

Let's focus on the addresses 0x40107a--0x401084. A very important function is called in this section.

As we all know, the return value of a function is stored in register %rax, and the name of this function tells us what it does.

That is, what it outputs is the length of the input string.

The instruction cmp $0x6,%eax tells us that the string we input must be exactly six characters long; otherwise the bomb blows up.

(3) The last part shows the second condition we have to satisfy.

When I looked for the solution to this phase, I didn't go through the assembly code linearly. Another function, strings_not_equal, caught my eye.

In addition, there is no way to explode the bomb between (1) and the call to strings_not_equal, so I just set a breakpoint at the address 0x4010b8.

We notice that the value returned from strings_not_equal has to be 0; otherwise the bomb explodes. Let's look inside strings_not_equal. I set the breakpoint and tried it; because I know the length of the string is six, I just typed 'abcdef' to test.

(Figure 2)

OK, inside strings_not_equal, the first part of the assembly code is this.

(Figure 3)

This function is called by many other functions, and when I experimented, I found that this part only tests whether the length of the string is equal to six. So, in my view, this part tells us nothing new.

So we follow the code.

(Figure 4)

This part is quite important.

movzbl (%rbx),%eax: here (%rbx) refers to memory, so let's look at the content at this address.

(Figure 5)

At first I was confused by this result, because what I input was 'abcdef', but by the time the program gets here, the data stored in memory has become 'aduier'. So there are only two possibilities: either 'aduier' is the final result, or the program between (1) and (3) did something to my original data.

(Figure 6)

Here is an obvious compare instruction, so let's look at it.

(Figure 7)

OK, the string pointed to by %rbp is 'flyers'. We have to admit it looks quite regular, so I guess 'flyers' is the right answer here. If you don't trust me, you can do some experiments to test it: you will find that the string pointed to by %rbp never changes, but the string pointed to by %rbx changes with the input.

There is only one explanation for this: the program between (1) and (3) does something to our input. In other words, even though we know the right answer, if we want to know the 'secret code' to type in, we have to know the map which maps 'abcdef' to 'aduier'.

(2) The second part of the assembly code, which contains the MAP (the key).

What actually does the work is only the code on the white background. At the start, %rax is equal to 0 and %rbx holds the input string. So the first instruction retrieves the characters from memory one at a time and stores each at another place pointed to by %rsp; at the same time it goes into %rdx.

The map is in fact the instruction

and $0xf,%rdx

That's the map.

In other words, every character is treated as a number and ANDed with 0xf. But that is not the whole story.

Because the result of the AND is not an ASCII code, even once you have the number corresponding to an input character, you can't get the final character from this number directly. You need a table to complete the mapping.

Here you get the table. We already know that %rdx holds the result of the first step.

The second step is a table which maps that number to a character.

(Figure 8)

It's quite long, but what we need is the index stored in %edx. So I just kept going until I had found the whole of 'flyers'.

(Figure 9)

So we know %edx should take the values 9, 15, 14, 5, 6, 7, in that order.

Now the problem has turned into finding the characters that produce 9, ..., 7.

Here is the encoding of the character 'a': 97.

0xf = 00001111 in binary, and the operation is '&', so even if I change the 4 high bits of the operand, the result makes no difference.

That means 0110abcd gives the same result as 0000abcd.

Besides, 0110 0000 = 96.

So the original numbers are 9 -> 96 + 9 = 105, 15 -> 111, ..., 7 -> 103.

As you already know, a = 97, so you can easily see that 105 is 'i'.

(Figure 10)

You can work them out one by one, and you will find the answer is 'ionefg'.
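The two steps described above (AND each byte with 0xf, then look the result up in the 16-entry table) can be re-implemented in a few lines so the reasoning can be checked without gdb. This is an added example, not code from the original post; it assumes the lookup table of the standard CSAPP bomb, "maduiersnfotvbyl", which is consistent with the observations on this page ('abcdef' -> 'aduier', 'flyers' at indices 9,15,14,5,6,7). The inverse step also shows that the map is many-to-one: any byte with the right low nibble works, so 'ionefg' is only the lowercase solution.

```python
# Assumed 16-byte lookup table of the standard bomb (indexed by the low nibble).
TABLE = "maduiersnfotvbyl"


def phase5_transform(s: str) -> str:
    """Apply the map each input byte goes through in phase_5.

    Mirrors: length must be 6, then for each byte
    `and $0xf,%rdx` followed by a table lookup.
    """
    if len(s) != 6:
        raise ValueError("string_length(input) must be 6")
    return "".join(TABLE[ord(c) & 0xF] for c in s)


def candidates(target: str = "flyers") -> list:
    """For each target character, list every printable ASCII byte that maps to it.

    Only the low 4 bits matter, so each position has several valid inputs.
    """
    result = []
    for ch in target:
        idx = TABLE.index(ch)                      # which nibble selects ch
        result.append([chr(b) for b in range(0x20, 0x7F) if (b & 0xF) == idx])
    return result


def solve(target: str = "flyers") -> str:
    """Pick the first lowercase candidate per position (reproduces 'ionefg')."""
    return "".join(next(c for c in cs if c.islower()) for cs in candidates(target))


if __name__ == "__main__":
    print(phase5_transform("abcdef"))   # the 'aduier' seen in gdb
    print(solve())                      # ionefg
    print(phase5_transform(solve()))    # flyers
```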

(Figure 11)

OK, got it!~