15-213 Recitation: BombLab
_______________18Sep2017
Agenda
LogisticsBomb Lab OverviewIntroduction to GDBGDB and Assembly Tips
What is Bomb Lab?
An exercise in reading x86-64 assembly code.A chance to practice using GDB (a debugger).Why?x86 assembly is low level machine code. Useful for understanding security exploits or tuning performance.GDB can save you days of work in future labs*coughMalloccough*and can be helpful long after you finish this class.
Downloading Your Bomb
All the details you’ll need are in the write-up, which you most definitely have to read carefully before starting this lab anyway.Moving on.
Downloading Your Bomb
Fine, here are some highlights of the write-up:Bombs can only run on thesharkmachines.Theyfail ifyou attempt to run themlocally or on some other CMU server.Yourbomb is unique to you.Dr.Evilhascreated billions of bombs, and can distribute as many new ones as he pleases.Ifyou download a second bomb, it will bedifferent. You cannot mix and match bombs. Stick to only one bomb.Bombshave six phases which get progressivelyharder.
Detonating Your Bomb
Blowing up your bomb notifiesAutolabautomatically.Dr. Evildeducts 0.5 pointseach time the bomb explodes.It’s very easy to prevent explosions using break points in GDB. More information on that soon.Inputting thecorrect stringmoves you to the next phase.Don’t tamper with the bomb. Jumpingbetween phases detonates the bomb – youcan’t just skip them.You have to solve the phases in order they are given. Finishing a phase also notifiesAutolabautomatically.
GDB
You can opengdbby typing into the shell:$gdbThis is the notation we’re using for the next few slides:$cd// Type the command into the bash shell(gdb)break// The command should be typed in GDB
Form Pairs
One student needs a laptopLogin to a sharkmachine and type these commands:$wgethttp://www.cs.cmu.edu/~213/activities/rec4.tar$tarxvpfrec4.tar$cd rec4$make$gdbact1
Source code for Activity 1 (Abridged)
#include <stdio.h>intmain(intargc, char**argv){intret =printf("%s\n",argv[argc-1]);return ret;// number of characters printed}
Activity 1
(gdb)breakmain// tells GDB to pause right before entering main(gdb)run 15213// starts execution with the argument “15213”You should see GDB print out:Breakpoint 1, main (argc=1,argv=[…])at act1.c:5(gdb)continue// this continues execution until another break point(gdb)clear main// remove the breakpoint at function main(gdb)run15213// Q:What happens now?
Activity 1cont
(gdb)disassemblemain// show the assembly instructions in main(gdb)print (char*)[0x…]//prints a stringFind the seemingly random $0x… valuein theassembly codeQ:Does the printed value correspond to anything in theC code?(gdb)break main(gdb)run(gdb)printargv[1]// Q: What does this print out?(gdb)quit// exit GDB; agree to kill the running process
Activity 2
$gdbact2(gdb)break main(gdb)run(gdb)print /x $rsi// ‘/x’ means print in hexadecimal(gdb)print /x $rdiQ.RDIandRSIare registers that pass the first two arguments. Looking at their values, which is the first argument tomain (the ‘argc’ argument)?Why?(gdb)disassemble main(gdb)breakstc// main calls thestcfunction, so we’ll study that function too(gdb)continueQ. How could you view thearguments thathave been passed tostc?
Activity 2 cont.
(gdb)run 18213//gdbwill ask if you want torestart; choose yes(gdb)continue// Q. Which function is in execution now?(gdb)disassemble(gdb)stepi// step through a single x86 instruction(gdb)// just press enter 3 to 4 timesGDB will repeat your previous instruction. Useful forsingle-stepping.(gdb)disassembleQ. Where are the “=>” characters printed on the left side?
Activity 3
Activity 3 has a Bomb Lab feel to it. It will print out “goodargs!” if you type in the right numbers into the command line. Use GDB to find what numbers to use.$catact3.c// display the source code of act3$gdbact3Q. Which register holds the return value from a function?(Hint:Use disassemble in main and look at what register is used right after the function call to compare)
Activity 3 cont.
(gdb)disassemble compareQ. Where is the return value set in compare?(gdb)breakcompareNow runact3 with two numbersQ. Usingnextiorstepi,how does the value in register%rbxchange, leadingto thecmpinstruction?
Activity 3 trace
About to runpush $rbx$rdi= 5208$rsi= 10000$rbx=[$rbxfrom somewhere else]$rax=[garbage value]Stack:[some old stack items]
Activity 3 trace
About to runmov%rdi, %rbx$rdi= 5208$rsi= 10000$rbx=[$rbxfrom somewhere else]$rax=[garbage value]Stack:[$rbxfrom somewhere else][some old stack items]
Activity 3 trace
About to runadd $0x5, %rbx$rdi= 5208$rsi= 10000$rbx= 5208$rax=[garbagevalue]Stack:[$rbxfrom somewhere else][some old stack items]
Activity 3 trace
About to runadd %rsi, %rbx$rdi= 5208$rsi= 10000$rbx= 5213$rax=[garbagevalue]Stack:[$rbxfrom somewhere else][some old stack items]
Activity 3 trace
About to runcmp0x3b6d, %rbx& other instructions$rdi= 5208$rsi= 10000$rbx= 15213(= 0x3b6d)$rax=[garbagevalue]Stack:[$rbxfrom somewhere else][some old stack items]
Activity 3 trace
About to runpop %rbx$rdi= 5208$rsi= 10000$rbx= 15213 = 0x3b6d$rax=1Stack:[$rbxfrom somewhere else][some old stack items]
Activity 3 trace
About to runret$rdi= 5208$rsi= 10000$rbx=[$rbxfrom somewhere else]$rax=1Stack:[some old stack items]
Activity 4 (practice at home / OH)
Usewhat you have learned to get act4 toprint“Finish.”Thesourcecode is available in act4.c if you get stuck. Also, you can ask TAs for help understanding the assembly code.
Basic GDB tips
(gdb)print[any valid C expression]This can be used to study any kind of local variable or memory locationUse casting to get the right type (e.g.print *(long *)ptr)(gdb)x[some formatspecifier][some memory address]Examines memory. See the handout for more information.You still can do the same thing withprint, though it’s less convenient.(gdb)setdisassemble-next-lineon(gdb)show disassemble-next-lineShows the next assembly instruction after each step instruction(gdb)inforegistersShows the values of the registers
GDB in TUI mode (optional)
(gdb)layoutasm(gdb)layoutreg(gdb)focuscmdSwitch between TUI andregular mode withCtrl-XCtrl-ATUI mode is buggy on the shark machines, so you still need to know how to use regular mode in case TUI glitches out.Tip: Only use TUI when single stepping your code. For all other use cases, use regular mode. If you see glitches and your screen get garbled, you might have to exit GDB and start over.
Quick Assembly Info
$rdiholds the first argument to a function call, $rsiholds the second argument, and $raxwill hold the return value of the function call.Many functions start with “push %rbx” and end with “pop %rbx”. Long story short, this is because %rbxis “callee-saved”.The stack is often used to hold local variablesAddresses in the stack are usually in the 0x7fffffff…rangeKnow how $raxis related to $eaxand $al.Most cryptic function calls you’ll see (e.g.callq… <_exit@plt>) are calls to C library functions. If necessary, use the Unix man pages to figure out what the functions do.
Quick Assembly Info
$objdump-d[name of executable]>[any file name]Saves the assembly code of the executable into the file.Feel free to annotate the assembly in your favorite text editor.
What to do
Don’t understand what a big block of assembly does?GDBNeed to figure out what’s in a specific memory address?GDBCan’t trace how 4 – 6 registers are changing over time?GDBHave no idea how to start the assignment?HandoutNeed to know how to use certain GDB commands?HandoutAlso useful:http://csapp.cs.cmu.edu/2e/docs/gdbnotes-x86-64.pdfDon’t know what an assembly instruction does?Lecture slidesConfused about control flow or stack discipline?Lecture slides
0
Embed
Upload