Posted: 22 May 2024

More exploration of low-level software basics: debugging in hard mode and (a very little bit of) tampering.


1. Preparation

Complete the following steps before coming to the lab. For this week, you do not need to submit your pre-lab work, but you are very welcome to ask questions if anything doesn’t make sense to you.

  1. Download, compile and run some of the C and C++ examples from Lecture 2. Ensure that you understand their outputs.

2. Procedure

Complete the following procedure, recording all commands that you execute and their outputs.

2.1. Compilation

Ensure that you have all output files from Lab 0.

2.2. Debugging in hard mode

  1. Edit Makefile to remove the -g flag from CPPFLAGS and LDFLAGS. Clean the build directory (run make clean), then run make to re-build everything. How does the size of the new product.o compare with the previous one?

  2. Download and save the executable binary game.

    1. How does its nm output compare to that of the C++ program product (from last week)?

    2. How does its objdump output compare to that of product?

  3. Use the strings program to inspect all of the string literals in game. What is the secret word?

  4. Run the game program and make a guess at the secret number. What do you observe?

  5. Using your objdump output, set a breakpoint at the beginning of the main function. Run the program until you hit the breakpoint. When the game prompts you, enter the guess 4660 (0x1234).

  6. Run the disas command to disassemble the current function. Locate the address of the cmp instruction just before the call to the play_game function (this comparison is part of the conditional check that will either allow you to play the game or not, depending on whether or not you guessed the secret number). Set a breakpoint at this address and continue execution.

    1. When the game pauses at your breakpoint, what is the value of rbp?

    2. What is the value of eax?

    3. What is the value of rbp minus the offset shown in the current instruction (e.g., -0x10(%rbp) means "the value of rbp minus 0x10")?

  7. Use the mem read command to read the four bytes of memory at the indicated offset from rbp. What are these four bytes (in hexadecimal representation)? What is the decimal representation of this integer?

  8. Use the mem write command (see help mem write for information) to modify the secret value in memory so that it matches the guess you have already entered (1). Demonstrate that you have bypassed the "secret number" check.

  9. Having learned the program’s "secret value" above, re-run the program and input the correct guess. Demonstrate that this works.

  10. Bonus: without modifying any source code, modify the product program from the previous lab to fix its bug.
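The arithmetic behind steps 6.3 and 7 (resolving an rbp-relative operand to an address, then reading the four bytes there as a C int) is small but easy to get wrong by hand, especially the little-endian byte order. The following Python helper is an added example, not part of the lab handout: the instruction text, the rbp value and the mem read line are constructed samples, and the dump format is assumed to be lldb's usual one line per 16 bytes with an ASCII column.

```python
import re
import struct

# Constructed sample: the instruction the debugger stops on at the step-6
# breakpoint and the rbp value it reports. Not taken from the real game binary.
SAMPLE_INSTRUCTION = "cmp    -0x10(%rbp), %eax"
SAMPLE_RBP = 0x7FFFFFFFE400

# Constructed sample of a `mem read` line at rbp-0x10 (format assumed to be
# lldb's: address, colon, 16 hex bytes, two spaces, ASCII column).
SAMPLE_MEM_READ = ("0x7fffffffe3f0: 39 30 00 00 00 00 00 00 "
                   "00 00 00 00 00 00 00 00  90..............")

# AT&T syntax: optional negative hex displacement followed by (%rbp).
OPERAND_RE = re.compile(r"(-?0x[0-9a-fA-F]+)\(%rbp\)")

def operand_address(instruction: str, rbp: int) -> int:
    """Resolve an operand such as -0x10(%rbp) to the absolute address it names."""
    m = OPERAND_RE.search(instruction)
    if m is None:
        raise ValueError(f"no rbp-relative operand in {instruction!r}")
    return rbp + int(m.group(1), 16)   # int() accepts the leading '-' and '0x'

def parse_mem_read(line: str) -> tuple[int, bytes]:
    """Split one dump line into its base address and the raw bytes it shows."""
    addr_text, rest = line.split(":", 1)
    hex_fields = rest.split("  ")[0].split()   # drop the ASCII column
    return int(addr_text, 16), bytes(int(h, 16) for h in hex_fields)

def decode_int32(dump: bytes, base: int, addr: int) -> int:
    """Interpret the four bytes at addr as a little-endian signed 32-bit C int."""
    off = addr - base
    if off < 0 or off + 4 > len(dump):
        raise ValueError("address not covered by the dump")
    return struct.unpack_from("<i", dump, off)[0]

def encode_int32(value: int) -> str:
    """Hex bytes, in memory order, that store value as a C int (step 8)."""
    return " ".join(f"{b:02x}" for b in struct.pack("<i", value))

if __name__ == "__main__":
    addr = operand_address(SAMPLE_INSTRUCTION, SAMPLE_RBP)
    base, dump = parse_mem_read(SAMPLE_MEM_READ)
    secret = decode_int32(dump, base, addr)
    print(f"operand address: {addr:#x}")
    print(f"value there: {secret:#x} = {secret}")
    print(f"bytes for the guess 4660: {encode_int32(4660)}")
```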

2.3. Stack smashing

Graduate students (ENGI 9823) are expected to complete this section of the lab. Undergraduate students (ECE 7420) may complete it for extra credit but are not required to do so.

Use the techniques we covered in lecture 3 to smash the stack of the sum program that was presented in that lecture. You may find it helpful to start a shell with ASLR disabled by running the setarch command:

[p15jra@hostname]$ setarch -R bash   # or fish, or zsh, or your favourite shell
$ ./foo    # whatever you run now will have ASLR disabled