Phase 3:
Note: This is a very long section mostly because I kept a long bit of dissasembly code and register data. This is just to show that in order to understand what's going on in the assembly code, one must iterate through the code using gdb fully.
Let's take a look at the assembly here. It's pretty long. We
seem to be dealing with another string solution, because at the bottom we see
another string not equal solution. In the center we see a blue block of movl
statements, all going to %eax register from some hex constant.
08048ce8 <phase_3>:
8048ce8: 83 ec 1c sub $0x1c,%esp
8048ceb: c7 04 24 60 a5 04 08 movl
$0x804a560,(%esp)
8048cf2:
e8 04 05 00 00 call
80491fb <string_length>
8048cf7:
83 c0 01 add $0x1,%eax
8048cfa:
89 04 24 mov %eax,(%esp)
8048cfd:
e8 6e fb ff ff call 8048870 <malloc@plt>
8048d02:
c7 00 42 6f 72 64 movl $0x64726f42,(%eax)
8048d08:
c7 40 04 65 72 20 72 movl $0x72207265,0x4(%eax)
8048d0f:
c7 40 08 65 6c 61 74 movl $0x74616c65,0x8(%eax)
8048d16:
c7 40 0c 69 6f 6e 73 movl $0x736e6f69,0xc(%eax)
8048d1d:
c7 40 10 20 77 69 74 movl $0x74697720,0x10(%eax)
8048d24:
c7 40 14 68 20 43 61 movl $0x61432068,0x14(%eax)
8048d2b:
c7 40 18 6e 61 64 61 movl $0x6164616e,0x18(%eax)
8048d32:
c7 40 1c 20 68 61 76 movl $0x76616820,0x1c(%eax)
8048d39:
c7 40 20 65 20 6e 65 movl $0x656e2065,0x20(%eax)
8048d40:
c7 40 24 76 65 72 20 movl $0x20726576,0x24(%eax)
8048d47:
c7 40 28 62 65 65 6e movl $0x6e656562,0x28(%eax)
8048d4e:
c7 40 2c 20 62 65 74 movl $0x74656220,0x2c(%eax)
8048d55:
c7 40 30 74 65 72 2e movl $0x2e726574,0x30(%eax)
8048d5c:
c6 40 34 00 movb $0x0,0x34(%eax)
8048d60:
c6 40 13 63 movb $0x63,0x13(%eax)
8048d64:
89 44 24 04 mov %eax,0x4(%esp)
8048d68:
8b 44 24 20 mov 0x20(%esp),%eax
8048d6c:
89 04 24 mov %eax,(%esp)
8048d6f:
e8 a6 04 00 00 call 804921a <strings_not_equal>
8048d74:
85 c0 test %eax,%eax
8048d76:
74 05 je 8048d7d <phase_3+0x95>
8048d78:
e8 98 07 00 00 call 8049515 <explode_bomb>
8048d7d:
83 c4 1c add $0x1c,%esp
8048d80:
c3 ret
Let's use gdb the same way we did in the phase 2 (make sure
you've updated defuser.txt) and enter another "test string" and see
what happens in "disas"
(gdb) disas
Dump of assembler code for function phase_3:
=> 0x08048ce8 <+0>:
sub
$0x1c,%esp
0x08048ceb <+3>:
movl
$0x804a560,(%esp)
0x08048cf2 <+10>: call
0x80491fb <string_length>
0x08048cf7
<+15>: add $0x1,%eax
0x08048cfa
<+18>: mov %eax,(%esp)
0x08048cfd
<+21>: call 0x8048870 <malloc@plt>
0x08048d02
<+26>: movl $0x64726f42,(%eax)
0x08048d08
<+32>: movl $0x72207265,0x4(%eax)
0x08048d0f
<+39>: movl $0x74616c65,0x8(%eax)
0x08048d16
<+46>: movl $0x736e6f69,0xc(%eax)
0x08048d1d
<+53>: movl $0x74697720,0x10(%eax)
0x08048d24
<+60>: movl $0x61432068,0x14(%eax)
0x08048d2b
<+67>: movl $0x6164616e,0x18(%eax)
0x08048d32
<+74>: movl $0x76616820,0x1c(%eax)
0x08048d39
<+81>: movl $0x656e2065,0x20(%eax)
0x08048d40
<+88>: movl $0x20726576,0x24(%eax)
0x08048d47
<+95>: movl $0x6e656562,0x28(%eax)
0x08048d4e
<+102>: movl $0x74656220,0x2c(%eax)
0x08048d55
<+109>: movl $0x2e726574,0x30(%eax)
0x08048d5c
<+116>: movb $0x0,0x34(%eax)
0x08048d60
<+120>: movb $0x63,0x13(%eax)
0x08048d64
<+124>: mov %eax,0x4(%esp)
---Type <return>
to continue, or q <return> to quit---return
0x08048d68
<+128>: mov 0x20(%esp),%eax
0x08048d6c
<+132>: mov %eax,(%esp)
0x08048d6f
<+135>: call 0x804921a <strings_not_equal>
0x08048d74
<+140>: test %eax,%eax
0x08048d76
<+142>: je 0x8048d7d <phase_3+149>
0x08048d78
<+144>: call 0x8049515 <explode_bomb>
0x08048d7d
<+149>: add $0x1c,%esp
0x08048d80
<+152>: ret
End of assembler dump.
(gdb)
Check to see where the inputted "test string" is
located. It should be located in eax. Do p/x $eax to get the mem address and
then do x /25c to get the string characters. It should be located here. Now
check the red line at <+3> =>
(gdb) x /25c
0x804a560
0x804a560: 66 'B' 111 'o' 114 'r' 100 'd' 101 'e' 114 'r' 32 ' ' 114 'r'
0x804a568: 101 'e' 108 'l' 97 'a' 116 't' 105 'i' 111 'o' 110 'n' 115 's'
0x804a570: 32 ' ' 119 'w' 105 'i' 116 't' 104 'h' 32 ' ' 67 'C' 97 'a'
0x804a578: 110 'n'
This matches the string " Border relations with Canada
have never been better."
But wait!. There's more to the code. I didn't properly check through the whole code.
How can I do that?
The first thing to do is to get a general
understanding of the code. I understand that a malloc function is being called
and I know that malloc function keeps space available for memory. I can
understand from the disassembled code that there are about 13 statements of
mov:
0x08048d02 <+26>:
movl $0x64726f42,(%eax)
0x08048d08 <+32>:
movl $0x72207265,0x4(%eax)
0x08048d0f <+39>:
movl $0x74616c65,0x8(%eax)
0x08048d16 <+46>:
movl $0x736e6f69,0xc(%eax)
0x08048d1d <+53>:
movl $0x74697720,0x10(%eax)
0x08048d24 <+60>:
movl $0x61432068,0x14(%eax)
0x08048d2b <+67>:
movl $0x6164616e,0x18(%eax)
0x08048d32 <+74>:
movl $0x76616820,0x1c(%eax)
0x08048d39 <+81>:
movl $0x656e2065,0x20(%eax)
0x08048d40 <+88>:
movl $0x20726576,0x24(%eax)
0x08048d47 <+95>:
movl $0x6e656562,0x28(%eax)
0x08048d4e <+102>:
movl $0x74656220,0x2c(%eax)
0x08048d55 <+109>:
movl $0x2e726574,0x30(%eax)
0x08048d5c <+116>:
movb $0x0,0x34(%eax)
We can understand from this that each hex code is 4 away
from the previous, going from 0 to 0x34, which is in decimal from 0->52.
Keep 52 in mind. These are the # of characters in the string ("Border
relations with Canada have never been better").
But, note: " %eax holds the pointer returned by malloc.
All those moves are moving immediate data values into the malloc'ed memory
area. The values appear to be text encoded as 32 bit integers. 4 bytes of text
can fit in a 32bit value. movl $0x776f7242,(%eax) for example appears to be
moving the ascii characters of 0x42, 0x72, 0x6f, 0x77 (remember we are little
endian so the order is reversed) to the first 4 bytes of the malloc'ed memory
area. – Michael Petch " (http://stackoverflow.com/questions/33513761/assembly-binary-bomb
)
It still spells Border relations with Canada have never been
better. The fun part is the next line:
0x08048d60 <+120>: movb
$0x63,0x13(%eax)
This is the 19th spot (0x13=19) and the ASCII is
'c'. Why is it here? What is it's purpose? Well, it's here to replace the
original 0x13 spot, which is incidentally where 't' is in the word
"with", so the string becomes "Border relations wich Canada have
never been better." Still 52 characters, but with a replacement.
**This is the answer. If you understand this fully right now, you definitely don't need the following:
--------------------------------------------------------------------------------------------------------------------------
The only way to fully understand how and where the registers
move and are copied is to follow through in gdb, not just pick and choose the
strings you want to choose. I exploded this bomb many times because of this
issue.
I went through the whole gdb process using the following
main commands:
p/x $eax - to get the address of the
register %eax
x/s $eax or x/s $esp or x/s
$edx - to get the full string
x /25c $eax or x /52c $eax - to
get the characters with the decimal equivalent, for ASCII
x/d $esp - to get the number
ni - next instruction
s or step - if you need to go through
a function
disas - to get the disassembled code
i r - to get the int register so we can
understand how eax and esp moves
Now for my gdb work. You can see the exact moment where
everything happened. If you're going through this, I urge you to fully examine
the whole thing. I went through each and every instruction and mov statement,
to get an idea of how this worked:
(gdb) ni
0x08048d16 in phase_3 ()
(gdb) disas
Dump
of assembler code for function phase_3:
0x08048ce8 <+0>: sub
$0x1c,%esp
0x08048ceb <+3>: movl
$0x804a560,(%esp)
0x08048cf2 <+10>:
call 0x80491fb <string_length>
0x08048cf7 <+15>:
add $0x1,%eax
0x08048cfa <+18>:
mov %eax,(%esp)
0x08048cfd <+21>:
call 0x8048870 <malloc@plt>
0x08048d02 <+26>:
movl $0x64726f42,(%eax)
0x08048d08 <+32>:
movl $0x72207265,0x4(%eax)
0x08048d0f <+39>:
movl $0x74616c65,0x8(%eax)
=> 0x08048d16 <+46>: movl
$0x736e6f69,0xc(%eax)
0x08048d1d <+53>:
movl $0x74697720,0x10(%eax)
0x08048d24 <+60>:
movl $0x61432068,0x14(%eax)
0x08048d2b <+67>:
movl $0x6164616e,0x18(%eax)
0x08048d32 <+74>:
movl $0x76616820,0x1c(%eax)
0x08048d39 <+81>:
movl $0x656e2065,0x20(%eax)
0x08048d40 <+88>:
movl $0x20726576,0x24(%eax)
0x08048d47 <+95>:
movl $0x6e656562,0x28(%eax)
0x08048d4e <+102>:
movl $0x74656220,0x2c(%eax)
0x08048d55 <+109>:
movl $0x2e726574,0x30(%eax)
0x08048d5c <+116>:
movb $0x0,0x34(%eax)
0x08048d60 <+120>:
movb $0x63,0x13(%eax)
0x08048d64 <+124>:
mov %eax,0x4(%esp)
0x08048d68 <+128>:
mov 0x20(%esp),%eax
0x08048d6c <+132>:
mov %eax,(%esp)
0x08048d6f <+135>:
call 0x804921a <strings_not_equal>
0x08048d74 <+140>:
test %eax,%eax
0x08048d76 <+142>: je 0x8048d7d <phase_3+149>
0x08048d78 <+144>:
call 0x8049515 <explode_bomb>
---Type <return> to continue, or q <return> to quit---
0x08048d7d <+149>:
add $0x1c,%esp
0x08048d80 <+152>:
ret
End
of assembler dump.
(gdb) i r
eax 0x804e590 134538640
ecx 0x0 0
edx 0x804e590 134538640
ebx 0xffffcf04 -12540
esp 0xffffce30 0xffffce30
ebp 0xffffce68 0xffffce68
esi 0x0 0
edi 0x0 0
eip 0x8048d16 0x8048d16 <phase_3+46>
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs
0x0 0
gs
0x63 99
(gdb) ni
0x08048d60 in phase_3 ()
(gdb) disas
Dump
of assembler code for function phase_3:
0x08048ce8 <+0>: sub $0x1c,%esp
0x08048ceb <+3>: movl $0x804a560,(%esp)
0x08048cf2 <+10>:
call 0x80491fb <string_length>
0x08048cf7 <+15>:
add $0x1,%eax
0x08048cfa <+18>:
mov %eax,(%esp)
0x08048cfd <+21>:
call 0x8048870 <malloc@plt>
0x08048d02 <+26>:
movl $0x64726f42,(%eax)
0x08048d08 <+32>:
movl $0x72207265,0x4(%eax)
0x08048d0f <+39>:
movl $0x74616c65,0x8(%eax)
0x08048d16 <+46>:
movl $0x736e6f69,0xc(%eax)
0x08048d1d <+53>:
movl $0x74697720,0x10(%eax)
0x08048d24 <+60>: movl $0x61432068,0x14(%eax)
0x08048d2b <+67>:
movl $0x6164616e,0x18(%eax)
0x08048d32 <+74>:
movl $0x76616820,0x1c(%eax)
0x08048d39 <+81>:
movl $0x656e2065,0x20(%eax)
0x08048d40 <+88>:
movl $0x20726576,0x24(%eax)
0x08048d47 <+95>:
movl $0x6e656562,0x28(%eax)
0x08048d4e <+102>:
movl $0x74656220,0x2c(%eax)
0x08048d55 <+109>:
movl $0x2e726574,0x30(%eax)
0x08048d5c <+116>:
movb $0x0,0x34(%eax)
=> 0x08048d60 <+120>: movb
$0x63,0x13(%eax)
0x08048d64 <+124>:
mov %eax,0x4(%esp)
0x08048d68 <+128>:
mov 0x20(%esp),%eax
0x08048d6c <+132>:
mov %eax,(%esp)
0x08048d6f <+135>:
call 0x804921a <strings_not_equal>
0x08048d74 <+140>:
test %eax,%eax
0x08048d76 <+142>: je 0x8048d7d <phase_3+149>
0x08048d78 <+144>:
call 0x8049515 <explode_bomb>
---Type <return> to continue, or q <return> to quit---
0x08048d7d <+149>:
add $0x1c,%esp
0x08048d80 <+152>:
ret
End
of assembler dump.
(gdb) i r
eax 0x804e590 134538640
ecx 0x0 0
edx 0x804e590 134538640
ebx 0xffffcf04 -12540
esp 0xffffce30 0xffffce30
ebp 0xffffce68 0xffffce68
esi 0x0 0
edi 0x0 0
eip 0x8048d60 0x8048d60 <phase_3+120>
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x/s $eax
0x804e590: "Border relations with Canada have never
been better."
(gdb) x/s $edx
0x804e590: "Border relations with Canada have never
been better."
(gdb) x/d
$esp
0xffffce30: 53
(gdb) ni
0x08048d64 in phase_3 ()
(gdb) disas
Dump
of assembler code for function phase_3:
0x08048ce8 <+0>: sub
$0x1c,%esp
0x08048ceb <+3>: movl
$0x804a560,(%esp)
0x08048cf2 <+10>:
call 0x80491fb <string_length>
0x08048cf7 <+15>:
add $0x1,%eax
0x08048cfa <+18>:
mov %eax,(%esp)
0x08048cfd <+21>:
call 0x8048870 <malloc@plt>
0x08048d02 <+26>:
movl $0x64726f42,(%eax)
0x08048d08 <+32>:
movl $0x72207265,0x4(%eax)
0x08048d0f <+39>:
movl $0x74616c65,0x8(%eax)
0x08048d16 <+46>:
movl $0x736e6f69,0xc(%eax)
0x08048d1d <+53>:
movl $0x74697720,0x10(%eax)
0x08048d24 <+60>:
movl $0x61432068,0x14(%eax)
0x08048d2b <+67>:
movl $0x6164616e,0x18(%eax)
0x08048d32 <+74>:
movl $0x76616820,0x1c(%eax)
0x08048d39 <+81>:
movl $0x656e2065,0x20(%eax)
0x08048d40 <+88>: movl $0x20726576,0x24(%eax)
0x08048d47 <+95>:
movl $0x6e656562,0x28(%eax)
0x08048d4e <+102>:
movl $0x74656220,0x2c(%eax)
0x08048d55 <+109>:
movl $0x2e726574,0x30(%eax)
0x08048d5c <+116>:
movb $0x0,0x34(%eax)
0x08048d60 <+120>: movb
$0x63,0x13(%eax)
=> 0x08048d64 <+124>: mov
%eax,0x4(%esp)
0x08048d68 <+128>:
mov 0x20(%esp),%eax
0x08048d6c <+132>:
mov %eax,(%esp)
0x08048d6f <+135>:
call 0x804921a <strings_not_equal>
0x08048d74 <+140>:
test %eax,%eax
0x08048d76 <+142>: je 0x8048d7d <phase_3+149>
0x08048d78 <+144>:
call 0x8049515 <explode_bomb>
---Type <return> to continue, or q <return> to quit---
0x08048d7d <+149>:
add $0x1c,%esp
0x08048d80 <+152>:
ret
End
of assembler dump.
(gdb) i r
eax 0x804e590 134538640
ecx 0x0 0
edx 0x804e590 134538640
ebx 0xffffcf04 -12540
esp 0xffffce30 0xffffce30
ebp 0xffffce68 0xffffce68
esi 0x0 0
edi 0x0 0
eip 0x8048d64 0x8048d64 <phase_3+124>
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x/s $eax
0x804e590: "Border relations wich Canada have never
been better."
(gdb) x/s $edx
0x804e590: "Border relations wich Canada have never
been better."
(gdb) x/s $esp
0xffffce30: "5"
(gdb) x/d
$esp
0xffffce30: 53
(gdb) ni
0x08048d68 in phase_3 ()
(gdb) disas
Dump
of assembler code for function phase_3:
0x08048ce8 <+0>: sub
$0x1c,%esp
0x08048ceb <+3>: movl
$0x804a560,(%esp)
0x08048cf2 <+10>:
call 0x80491fb <string_length>
0x08048cf7 <+15>:
add $0x1,%eax
0x08048cfa <+18>: mov %eax,(%esp)
0x08048cfd <+21>:
call 0x8048870 <malloc@plt>
0x08048d02 <+26>:
movl $0x64726f42,(%eax)
0x08048d08 <+32>:
movl $0x72207265,0x4(%eax)
0x08048d0f <+39>:
movl $0x74616c65,0x8(%eax)
0x08048d16 <+46>: movl $0x736e6f69,0xc(%eax)
0x08048d1d <+53>:
movl $0x74697720,0x10(%eax)
0x08048d24 <+60>:
movl $0x61432068,0x14(%eax)
0x08048d2b <+67>:
movl $0x6164616e,0x18(%eax)
0x08048d32 <+74>:
movl $0x76616820,0x1c(%eax)
0x08048d39 <+81>:
movl $0x656e2065,0x20(%eax)
0x08048d40 <+88>:
movl $0x20726576,0x24(%eax)
0x08048d47 <+95>:
movl $0x6e656562,0x28(%eax)
0x08048d4e <+102>:
movl $0x74656220,0x2c(%eax)
0x08048d55 <+109>:
movl $0x2e726574,0x30(%eax)
0x08048d5c <+116>:
movb $0x0,0x34(%eax)
0x08048d60 <+120>:
movb $0x63,0x13(%eax)
0x08048d64 <+124>:
mov %eax,0x4(%esp)
=> 0x08048d68 <+128>: mov
0x20(%esp),%eax
0x08048d6c <+132>:
mov %eax,(%esp)
0x08048d6f <+135>: call 0x804921a <strings_not_equal>
0x08048d74 <+140>:
test %eax,%eax
0x08048d76 <+142>: je 0x8048d7d <phase_3+149>
0x08048d78 <+144>:
call 0x8049515 <explode_bomb>
---Type <return> to continue, or q <return> to quit---
0x08048d7d <+149>:
add $0x1c,%esp
0x08048d80 <+152>:
ret
End
of assembler dump.
(gdb) i r
eax 0x804e590 134538640
ecx 0x0 0
edx 0x804e590 134538640
ebx 0xffffcf04 -12540
esp 0xffffce30 0xffffce30
ebp 0xffffce68 0xffffce68
esi 0x0 0
edi 0x0 0
eip 0x8048d68 0x8048d68 <phase_3+128>
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x/s $eax
0x804e590: "Border relations wich Canada have never
been better."
(gdb) x/s $esp
0xffffce30: "5"
(gdb) x/d
$esp
0xffffce30: 53
(gdb) ni
0x08048d6c in phase_3 ()
(gdb) disas
Dump
of assembler code for function phase_3:
0x08048ce8 <+0>: sub
$0x1c,%esp
0x08048ceb <+3>: movl
$0x804a560,(%esp)
0x08048cf2 <+10>:
call 0x80491fb <string_length>
0x08048cf7 <+15>:
add $0x1,%eax
0x08048cfa <+18>:
mov %eax,(%esp)
0x08048cfd <+21>:
call 0x8048870 <malloc@plt>
0x08048d02 <+26>:
movl $0x64726f42,(%eax)
0x08048d08 <+32>:
movl $0x72207265,0x4(%eax)
0x08048d0f <+39>:
movl $0x74616c65,0x8(%eax)
0x08048d16 <+46>:
movl $0x736e6f69,0xc(%eax)
0x08048d1d <+53>:
movl $0x74697720,0x10(%eax)
0x08048d24 <+60>:
movl $0x61432068,0x14(%eax)
0x08048d2b <+67>:
movl $0x6164616e,0x18(%eax)
0x08048d32 <+74>:
movl $0x76616820,0x1c(%eax)
0x08048d39 <+81>: movl $0x656e2065,0x20(%eax)
0x08048d40 <+88>:
movl $0x20726576,0x24(%eax)
0x08048d47 <+95>:
movl $0x6e656562,0x28(%eax)
0x08048d4e <+102>:
movl $0x74656220,0x2c(%eax)
0x08048d55 <+109>:
movl $0x2e726574,0x30(%eax)
0x08048d5c <+116>:
movb $0x0,0x34(%eax)
0x08048d60 <+120>:
movb $0x63,0x13(%eax)
0x08048d64 <+124>:
mov %eax,0x4(%esp)
0x08048d68 <+128>:
mov 0x20(%esp),%eax
=> 0x08048d6c <+132>: mov
%eax,(%esp)
0x08048d6f <+135>:
call 0x804921a <strings_not_equal>
0x08048d74 <+140>:
test %eax,%eax
0x08048d76 <+142>: je 0x8048d7d <phase_3+149>
0x08048d78 <+144>:
call 0x8049515 <explode_bomb>
---Type <return> to continue, or q <return> to quit---
0x08048d7d <+149>: add $0x1c,%esp
0x08048d80 <+152>:
ret
End
of assembler dump.
(gdb) i r
eax 0x804d8c0 134535360
ecx 0x0 0
edx 0x804e590 134538640
ebx 0xffffcf04 -12540
esp 0xffffce30 0xffffce30
ebp 0xffffce68 0xffffce68
esi 0x0 0
edi 0x0 0
eip 0x8048d6c 0x8048d6c <phase_3+132>
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x/s $eax
0x804d8c0 <input_strings+160>: "I don't have one."
(gdb) x/s $esp
0xffffce30: "5"
(gdb) x/d
$esp
0xffffce30: 53
(gdb) ni
0x08048d6f in phase_3 ()
(gdb) disas
Dump
of assembler code for function phase_3:
0x08048ce8 <+0>: sub
$0x1c,%esp
0x08048ceb <+3>: movl
$0x804a560,(%esp)
0x08048cf2 <+10>:
call 0x80491fb <string_length>
0x08048cf7 <+15>:
add $0x1,%eax
0x08048cfa <+18>:
mov %eax,(%esp)
0x08048cfd <+21>: call 0x8048870 <malloc@plt>
0x08048d02 <+26>:
movl $0x64726f42,(%eax)
0x08048d08 <+32>:
movl $0x72207265,0x4(%eax)
0x08048d0f <+39>:
movl $0x74616c65,0x8(%eax)
0x08048d16 <+46>:
movl $0x736e6f69,0xc(%eax)
0x08048d1d <+53>:
movl $0x74697720,0x10(%eax)
0x08048d24 <+60>:
movl $0x61432068,0x14(%eax)
0x08048d2b <+67>:
movl $0x6164616e,0x18(%eax)
0x08048d32 <+74>:
movl $0x76616820,0x1c(%eax)
0x08048d39 <+81>:
movl $0x656e2065,0x20(%eax)
0x08048d40 <+88>: movl
$0x20726576,0x24(%eax)
0x08048d47 <+95>:
movl $0x6e656562,0x28(%eax)
0x08048d4e <+102>:
movl $0x74656220,0x2c(%eax)
0x08048d55 <+109>:
movl $0x2e726574,0x30(%eax)
0x08048d5c <+116>:
movb $0x0,0x34(%eax)
0x08048d60 <+120>:
movb $0x63,0x13(%eax)
0x08048d64 <+124>:
mov %eax,0x4(%esp)
0x08048d68 <+128>:
mov 0x20(%esp),%eax
0x08048d6c <+132>:
mov %eax,(%esp)
=> 0x08048d6f <+135>: call
0x804921a <strings_not_equal>
0x08048d74 <+140>:
test %eax,%eax
0x08048d76 <+142>: je 0x8048d7d <phase_3+149>
0x08048d78 <+144>:
call 0x8049515 <explode_bomb>
---Type <return> to continue, or q <return> to quit---
0x08048d7d <+149>:
add $0x1c,%esp
0x08048d80 <+152>:
ret
End
of assembler dump.
(gdb) i r
eax 0x804d8c0 134535360
ecx 0x0 0
edx 0x804e590 134538640
ebx 0xffffcf04 -12540
esp 0xffffce30 0xffffce30
ebp 0xffffce68 0xffffce68
esi 0x0 0
edi 0x0 0
eip 0x8048d6f 0x8048d6f <phase_3+135>
eflags 0x282 [ SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb) x/s $eax
0x804d8c0 <input_strings+160>: "I don't have one."
(gdb) x/s $esp
0xffffce30: "\300\330\004\b\220\345\004\b\b"
(gdb) ^CQuit
(gdb) ^CQuit
(gdb) ni
0x08048d74 in phase_3 ()
(gdb) disas
Dump
of assembler code for function phase_3:
0x08048ce8 <+0>: sub
$0x1c,%esp
0x08048ceb <+3>: movl
$0x804a560,(%esp)
0x08048cf2 <+10>:
call 0x80491fb <string_length>
0x08048cf7 <+15>:
add $0x1,%eax
0x08048cfa <+18>:
mov %eax,(%esp)
0x08048cfd <+21>: call 0x8048870 <malloc@plt>
0x08048d02 <+26>:
movl $0x64726f42,(%eax)
0x08048d08 <+32>:
movl $0x72207265,0x4(%eax)
0x08048d0f <+39>:
movl $0x74616c65,0x8(%eax)
0x08048d16 <+46>:
movl $0x736e6f69,0xc(%eax)
0x08048d1d <+53>:
movl $0x74697720,0x10(%eax)
0x08048d24 <+60>:
movl $0x61432068,0x14(%eax)
0x08048d2b <+67>:
movl $0x6164616e,0x18(%eax)
0x08048d32 <+74>:
movl $0x76616820,0x1c(%eax)
0x08048d39 <+81>:
movl $0x656e2065,0x20(%eax)
0x08048d40 <+88>:
movl $0x20726576,0x24(%eax)
0x08048d47 <+95>:
movl $0x6e656562,0x28(%eax)
0x08048d4e <+102>:
movl $0x74656220,0x2c(%eax)
0x08048d55 <+109>:
movl $0x2e726574,0x30(%eax)
0x08048d5c <+116>:
movb $0x0,0x34(%eax)
0x08048d60 <+120>:
movb $0x63,0x13(%eax)
0x08048d64 <+124>:
mov %eax,0x4(%esp)
0x08048d68 <+128>:
mov 0x20(%esp),%eax
0x08048d6c <+132>:
mov %eax,(%esp)
0x08048d6f <+135>:
call 0x804921a <strings_not_equal>
=> 0x08048d74 <+140>: test
%eax,%eax
0x08048d76 <+142>: je 0x8048d7d <phase_3+149>
0x08048d78 <+144>:
call 0x8049515 <explode_bomb>
---Type <return> to continue, or q <return> to quit---
0x08048d7d <+149>:
add $0x1c,%esp
0x08048d80 <+152>:
ret
End
of assembler dump.
(gdb) i r
eax 0x1 1
ecx 0x0 0
edx 0x1 1
ebx 0xffffcf04 -12540
esp 0xffffce30 0xffffce30
ebp 0xffffce68 0xffffce68
esi 0x0 0
edi 0x0 0
eip 0x8048d74 0x8048d74 <phase_3+140>
eflags 0x292 [ AF SF IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
(gdb)
Note that at the utter end, eax is 1. This means that the
test failed. If the test were not to fail, we would have to have the input as "Border
relations wich Canada have never been better."
So! On to phase 4!
No comments:
Post a Comment