Question

Below is an interaction using gdb with final_bomb, an executable that is similar to the bomb from homework assignment 6.  In final_bomb, there is one phase, called p5.

linux> ./final_bomb

Welcome to the final exam bomb.  Type your user id

guest

Try your hand at phase p5...

asodifj

BOOM!!!

The bomb has blown up.

P5 is passed one parameter, containing the user's input (e.g., "asodifj").

Its behavior is dependent on the input and the user ID.  Here is a disassembly of p5.

Notice that the user ID is stored in a global variable, whose address is 0x60104c.

(gdb) disas p5

Dump of assembler code for function p5:

  0x00000000004006b0 <+0>:    sub    $0x18,%rsp

  0x00000000004006b4 <+4>:    xor    %eax,%eax

  0x00000000004006b6 <+6>:    mov    $0x4007e1,%esi

  0x00000000004006bb <+11>:   lea    0xc(%rsp),%rdx

  0x00000000004006c0 <+16>:   callq  0x400520 <__isoc99_sscanf@plt>

  0x00000000004006c5 <+21>:   xor    %eax,%eax

  0x00000000004006c7 <+23>:    cmpb  $0x0,0x20097e(%rip)       #0x60104c

  0x00000000004006ce <+30>:   je     0x4006df

  0x00000000004006d0 <+32>:   add    $0x1,%eax

  0x00000000004006d3 <+35>:   movslq %eax,%rdx

  0x00000000004006d6 <+38>:   cmpb   $0x0,0x60104c(%rdx)

  0x00000000004006dd <+45>:   jne    0x4006d0

  0x00000000004006df <+47>:   cmp    0xc(%rsp),%eax

  0x00000000004006e3 <+51>:   jne    0x4006ea

  0x00000000004006e5 <+53>:   add    $0x18,%rsp

  0x00000000004006e9 <+57>:   retq

  0x00000000004006ea <+58>:   xor    %eax,%eax

  0x00000000004006ec <+60>:   callq  0x400690

End of assembler dump.

(gdb)

Answer the following, assuming you have reached a breakpoint at p5+16.

A. The second parameter that is passed to the sscanf is a format string, which determines how sscanf interprets the string that is passed as its first parameter.  What debugger command will display this format string?

B. p5 passes the address of a local variable as the third parameter to sscanf. Give the gdb command that reveals this address.

C. (2 points)  Assume that the debugger command in (a) displays %d as the format string.  Given the results of the above, what is the input which will defuse p4 for the guest user ID?  Explain your answer.

That was the whole question given by the teacher. I think I know the answers for questions A and B. I have "x/s $esi" for A and "print/x $rdx" for B. The only part of the question that I can't figure out on my own is C.

Explanation / Answer

Answer: If the format string being returned is '%d', it means that the expected input is an integer that should be passed to defuse the bomb.
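The disassembly from the question, rewritten as a C model so the comparison at p5+47 can be followed step by step (an added example, not part of the original question or answer). The names `user_id` and `p5_model` are assumptions, the call at 0x400690 is assumed to be the routine that prints BOOM, and the format string is taken to be %d as stated in part C.

```c
#include <stdio.h>

/* Stand-in for the global at 0x60104c that holds the user ID (name assumed). */
static char user_id[64] = "guest";

/* Model of p5 (hypothetical name). Returns 1 where p5 reaches retq at <+57>,
 * 0 where it falls through to the call at <+60> (assumed to print BOOM). */
static int p5_model(const char *input)
{
    int n;          /* the local at 0xc(%rsp) */
    int len = 0;    /* %eax after the xor at <+21> */

    /* <+6>..<+16>: sscanf(input, fmt, &n), fmt assumed to be "%d" (part C).
     * The binary discards sscanf's return value, so after a failed parse it
     * compares against stale stack contents; the model reports that as 0. */
    if (sscanf(input, "%d", &n) != 1)
        return 0;

    /* <+23>..<+45>: count bytes of user_id up to the terminating NUL. */
    if (user_id[0] != '\0') {
        do {
            len++;
        } while (user_id[len] != '\0');
    }

    /* <+47>..<+51>: cmp 0xc(%rsp),%eax ; jne <+58> */
    return len == n;
}

int main(void)
{
    /* Constructed inputs, the first taken from the sample session. */
    const char *tries[] = { "asodifj", "4", "5", "5 trailing text" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-18s -> %s\n", tries[i], p5_model(tries[i]) ? "returns" : "BOOM");
    return 0;
}
```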
