SI485H: Stack Based Binary Exploits (SP17)


Home Policy Calendar Units Assignments Resources

HW 2: Tracing and Understanding x86

Instructions

  • You must turn in a sheet of paper that is neatly typed or written answering the questions below. (You are strongly encouraged to type your homework.)
  • This homework is graded out of 125 points. Point values are associated to each question

Questions

  1. (15 Points) Consider the following parts of the disassembled code below. For each labeled part, provide a short, plain-English description.

    .--------------------------------------.
    | 0x0804841d <+0>: push ebp            |
    | 0x0804841e <+1>: mov ebp,esp         | (a)
    | 0x08048420 <+3>: and esp,0xfffffff0  |
    '--------------------------------------'
    .---------------------------------.
    | 0x08048423 <+6>: sub esp,0x30   | (b)
    '---------------------------------'
    
    .--------------------------------------------------------.
    | 0x08048426 <+9>: mov DWORD PTR [esp+0x1d],0x6c6c6548   |
    | 0x0804842e <+17>: mov DWORD PTR [esp+0x21],0x57202c6f  |
    | 0x08048436 <+25>: mov DWORD PTR [esp+0x25],0x646c726f  | (c)
    | 0x0804843e <+33>: mov WORD PTR [esp+0x29],0xa21        |
    | 0x08048445 <+40>: mov BYTE PTR [esp+0x2b],0x0          |
    '--------------------------------------------------------'
    .------------------------------------------------.
    | 0x0804844a <+45>: lea eax,[esp+0x1d]           |
    | 0x0804844e <+49>: mov DWORD PTR [esp+0x2c],eax | (d)
    '------------------------------------------------'
    .---------------------------------------------.
    | 0x08048452 <+53>: jmp 0x804846b <main+78>   | (e)
    '---------------------------------------------'
    
    .--------------------------------------------------.
    | 0x08048454 <+55>: mov eax,DWORD PTR [esp+0x2c]   |
    | 0x08048458 <+59>: movzx eax,BYTE PTR [eax]       |
    | 0x0804845b <+62>: movsx eax,al                   |
    | 0x0804845e <+65>: mov DWORD PTR [esp],eax        | (f)
    | 0x08048461 <+68>: call 0x8048310 <putchar@plt>   |
    | 0x08048466 <+73>: add DWORD PTR [esp+0x2c],0x1   |
    '--------------------------------------------------'
    .--------------------------------------------------.
    | 0x0804846b <+78>: mov eax,DWORD PTR [esp+0x2c]   |
    | 0x0804846f <+82>: movzx eax,BYTE PTR [eax]       |
    | 0x08048472 <+85>: test al,al                     | (g)
    | 0x08048474 <+87>: jne 0x8048454 <main+55>        |
    | 0x08048476 <+89>: mov eax,0x0                    |
    '--------------------------------------------------'
    .---------------------------.
    | 0x0804847b <+94>: leave   |
    |0x0804847c <+95>: ret      | (h)
    '---------------------------'
    
  2. (5 points) What size data element does each of the following PTR reference?
    1. BYTE PTR
    2. DWORD PTR
    3. WORD PTR
  3. (15 points) Consider the disassembled program below:

    0x0804841d <+0>: push ebp
    0x0804841e <+1>: mov ebp,esp
    0x08048420 <+3>: and esp,0xfffffff0
    0x08048423 <+6>: sub esp,0x30
    0x08048426 <+9>: mov DWORD PTR [esp+0x1f],0x74616542
    0x0804842e <+17>: mov DWORD PTR [esp+0x23],0x796d7241
    0x08048436 <+25>: mov BYTE PTR [esp+0x27],0x0
    0x0804843b <+30>: mov DWORD PTR [esp+0x2c],0x0
    0x08048443 <+38>: jmp 0x804846c <main+79>
    0x08048445 <+40>: mov DWORD PTR [esp+0x28],0x0
    0x0804844d <+48>: jmp 0x8048460 <main+67>
    0x0804844f <+50>: lea eax,[esp+0x1f]
    0x08048453 <+54>: mov DWORD PTR [esp],eax
    0x08048456 <+57>: call 0x80482f0 <puts@plt>
    0x0804845b <+62>: add DWORD PTR [esp+0x28],0x1
    0x08048460 <+67>: cmp DWORD PTR [esp+0x28],0x3
    0x08048465 <+72>: jle 0x804844f <main+50>
    0x08048467 <+74>: add DWORD PTR [esp+0x2c],0x1
    0x0804846c <+79>: cmp DWORD PTR [esp+0x2c],0x4
    0x08048471 <+84>: jle 0x8048445 <main+40>
    0x08048473 <+86>: leave
    0x08048474 <+87>: ret
    
    • How many times is puts() called? Explain.
    • What is being outputted for each puts() call? Explain.
    • Write the C equilvanent of this code.
  4. (15 point) Consider the following scenario for function a function bar() about call a function foo(): the calling function bar()'s instruction pointer will be at address 0x8045520 after foo() returns; the register ebp has value 0xbfff540; The register esp has value xbffff504; foo() takes one argument, an integer with value 0xdeadbeef.

    We can then begin to trace the stack frame like so:

                                       call <foo>
           .------------.           .------------.           
     ebp-> |            |      ebp->|            |
           |            |           |            |
           |            |           |            |
    esp -> | 0xdeadbeef |           | 0xdeadbeef |
           '------------'      esp->| 0x08045520 |
                                    '------------'
    

    Complete the remaining stack frames after each of the following instructions complete.

    • push ebp
    • mov ebp,esp
    • sub esp, 0x30
  5. (5 points) Using the stack from the previous question, consider what happens when foo() returns. In x86, write the sequence of instructions needed to reset the stack frame to bar()'s execution. That is, you should have some set of mov's sub's or pop's or whatever other instruction you might need.
  6. (5 points) If the register eax stores 0xdeadbeef, what does the following registers store?
    • ax
    • al
    • ah
  7. (10 points) Consider the following source code below and disassembly, match the memory address to the variable name.

    int foo(int a){
      int i,r;
      r=0;
      for(i=1;i<=a;i++){
        r+=i;
      }
      return r;
    }
    
    0x0804846d <+0>: push ebp
    0x0804846e <+1>: mov ebp,esp
    0x08048470 <+3>: sub esp,0x10
    0x08048473 <+6>: mov DWORD PTR [ebp-0x4],0x0
    0x0804847a <+13>: mov DWORD PTR [ebp-0x8],0x1
    0x08048481 <+20>: jmp 0x804848d <foo+32>
    0x08048483 <+22>: mov eax,DWORD PTR [ebp-0x8]
    0x08048486 <+25>: add DWORD PTR [ebp-0x4],eax
    0x08048489 <+28>: add DWORD PTR [ebp-0x8],0x1
    0x0804848d <+32>: mov eax,DWORD PTR [ebp-0x8]
    0x08048490 <+35>: cmp eax,DWORD PTR [ebp+0x8]
    0x08048493 <+38>: jle 0x8048483 <foo+22>
    0x08048495 <+40>: mov eax,DWORD PTR [ebp-0x4]
    0x08048498 <+43>: leave
    0x08048499 <+44>: ret
    
    • ebp-0x4
    • ebp-0x8
    • ebp+0x8
  8. (10 points) Clone the repository below here you will find a program called main.

    git clone git@saddleback.academy.usna.edu:aviv/HW-2.git
    

    Execute the program under gdb and place a breakpoint at foo, and then run the program with the following arguments:

    (gdb) r 5 1
    
    • Fill in the missing pieces of the memory diagram after the instruction at 0x08048448 executes.

           .------------------.
           |                  |
           |------------------|
           |                  |
           |------------------|
           |                  |
           |------------------|
      ebp->|    0xbffff658    |
           |------------------|
           |                  | 
           |------------------|
      esp->|                  |
           '------------------'
      
    • Fill in the missing pieces of the memory diagram after the instruction at 0x08048460 executes for second time.

           .------------------.
           |                  |
           |------------------|
           |                  |
           |------------------|
           |                  |
           |------------------|
      ebp->|    0xbffff658    |
           |------------------|
           |                  | 
           |------------------|
      esp->|                  |
           '------------------'
      
  9. (5 points) In the HW2 git repo you cloned before, you will find a program called stacked. Run this program under gdb and place a break point at the function baz().
    • How many functions are called before baz()?
    • How did you determine that?
  10. (20 points) In the HW2 git repo you cloned before, you will find a program called trace-me. Using gdb determine the right input for the program such that it prints the secret message.

    • What is the secret message?
    • How did you determine the right input?

    (Hint 1: Does it take arguemnts?)

    (Hint 2: Trace main using ni [next instruction])

    (Hint 3: What is being compared?)

  11. (20 points) In the HW3 git repo you cloned before, you will find a program called crack-me. Use gdb to inspect the various elements of the main() function to determine the secret message.

    • What is the secret message?
    • How did you determine the right input?

    (Hint 1: use examine [i.e., x] check things out)

    (Hint 2: use print to perform operations and see results)

    (Hint 3: use print again to reinterpret those results)