ARTICLES

Bomb lab

By adam

June 2, 2020

Description

From Bryant and O’Hallaron’s book Computer Systems: A Programmer’s Perspective.

One of the first labs. The Bomb Lab, contains a binary bomb that must be diffused, by disassembling the executable.

sample bomb

A sample bomb can be obtained here.

http://csapp.cs.cmu.edu/3e/labs.html

problem set and blog

Here are a couple of helpful resources:

name list (nm), strings, objdump

These are kind of unnecessary, all can be done within gdb.

nm bomb
strings bomb
objdump -t bomb : print’s program’s symbol table
objdump -d bomb : print’s program’s assembly code

gdb built in gui mode

gdb -tui bomb

https://sourceware.org/gdb/current/onlinedocs/gdb/TUI-Keys.html#TUI-Keys

Keyboard shortcuts

C-x a : enter or leave TUI mode
C-x C-a : enter or leave TUI mode
C-x 1 : one window
C-x 2 : two windows

also cycles through different layouts
C-x o : ‘other’
C-l : refresh

Navication

up, down, left, right, pgup, pgdown

c-p, c-n on the gdb history while in tui mode

Single key mode

C-x s : single key mode
C-x C-s : single key mode
(c) continue
(d) down
(f) finish
(n) next
(o) nexti (step over)
(q) exit single key mode
(r) run
(v) info locals
(w) where

getting started with gdb

https://www.youtube.com/watch?v=-n9Fkq1e6sg

sample source file

test.c

#include <stdio.h>

int main() {
  int a = 1;
  int b = 2;
  int c = 3;
  a += b;
  a = a + c;
  printf("Value of a: %d\n",a);
   return 0;
}

Compile with gcc -g test.c

gdb

bash: gdb ./a.out
gdb: b main
sets a breakpoint on main
gdb: info b
get information about breakpoints
gdb: info locals
get information about local context variables
gdb: disable #
disables a break point
gdb: delete #
deletes a breakpoint
gdb: list
prints the program source code
gdb: list 1,16
lists line numbers
gdb: run
gdb: start
start is like run but automatically sets a breakpoint at the beginning
gdb: disassemble
shows assembly

registers

http://web.stanford.edu/class/cs107/guide/x86-64.html

ebp: base point stack register
esp: stack point register

stepping

gdb: next
gdb: nexti
next instruction, use disass after to see that the instruction point moved to the next instruction
gdb: print a
prints a variable
gdb: print &a
prints the address of a variable
gdb: x /d $rdb+0x14
prints the contents in /d digit format for address in register $rdb+offset
gdb: info reg
shows all the registers

stepping into / over

gdb

nexti (ni)

steps ‘over’ the function call

gdb

stepi

steps ‘into’ the function call

may want to

clear the breakpoint on main by delete or d main
do a list, and
set a breakpoint at line of function call
run
disassemble - you will probably see some instruction before the callq
nexti to the line containing callq

gdb

disassemble

now you are inside the frame’s function

gdb

finish

to step out of the function

tui and assembly

https://sourceware.org/gdb/current/onlinedocs/gdb/TUI.html

gdb: tui enable
gdb: layout asm
gdb: layout reg
gdb: layout split
gdb: tui reg float

shortcuts

gdb: nexti (ni, enter - previous command)

movement

s: start
clear all breakpoints and watchpoints
r: run
n: next
goes to next line (step over)
s: step
steps into function
c: continue
goes till next breakpoint

breakpoints

b: breakpoint
d: delete breakpoint
d with no arguments : deletes all breakpoints

info b

gdb: b _exit.c:32 -> normal exit location

variables

p

https://sourceware.org/gdb/onlinedocs/gdb/Output-Formats.html

output format
- x: hex
- d: decimal
- u: unsigned decimal
- o: octal
- t: binary
- a: as address, both absolute hex and offset from nearest symbol
- c: character
- f: floating
- s: string
- z: like x but leading zeros added to pad to integer
- r: raw

w

watch

whenever variable changes then will break when the variable gets a new value

info locals

info args

view

l: list

x examine

gdb

x/20i $pc

examine 20 instruction at program counter

gdb

x without argument will get the next 8 bytes

x /b will get per byte

x /10b will get 10 bytes in succession

variables vs pointers x will not work since not passing an address x & will work

watch points

rwatch: watch when variable is read

stack frame

bt: backtrace
will see the stack calling frames
frame #: switch to a particular frame
can be used to print variables in different frames

set variable

set var value

python

gdb: python print(gdb.breakpoints()[0].location)
gdb: python gdb.Breakpoint(‘7’)
gdb: python var_i = gdb.parse_and_eval(‘i’)

command

https://github.com/cppcon/cppcon2015 https://github.com/cppcon/cppcon2016 https://www.youtube.com/watch?v=PorfLSr3DDI

Lightning Talks and Lunch Sessions / gdb

set breakpoints

b main

b _exit.c:32
command 3

run

end
command 2

record

continue

end
this allows you to catch a segfault

p $pc

reverse-stepi

watch when the $sp got changed

watch (long *) 0x14

reverse-continue

Bomb 1

add the following to ~/.gdbinit

https://sourceware.org/gdb/onlinedocs/gdb/gdbinit-man.html https://ccrma.stanford.edu/~jos/stkintro/Example%5Fgdbinit%5FFile.html https://gist.github.com/CocoaBeans/1879270

set auto-load safe-path /

add the following to local ./.gdbinit

# CLI args https://visualgdb.com/gdbreference/commands/set_args
# or STDIN https://stackoverflow.com/questions/13104206/how-to-debug-a-program-that-takes-user-input-from-stdin-with-gdb
# run <foo.txt
echo    set args foo.txt \n
set args foo.txt

#
# phase 1
#
echo    b bomb.c:73 \n
b bomb.c:73

#
# phase 2
#
echo    b bomb.c:82 \n
b bomb.c:82

echo    run \n
run

create a foo.txt with the following

password1
password2
password3
password4
password5
password6

gdb bomb
step into (si) phase_1, C-x C-a to be on tui
layout asm
si a few times until the comparison
x /s $eax
this will show the string which is the first password