I have a puzzle where I must reverse-engineer a function to decipher what the correct function inputs are (in order to proceed to the next function). While debugging, I used the following as my function input:
6 d 358
Now I'm stepping through the gdb debugger to see if the input was correct.
When running gdb in AT&T syntax, I've run into the following cmp instruction:
0x0040107b <+315>: movzbl -0x19(%ebp),%eax
0x0040107f <+319>: cmp %al,-0x9(%ebp)
0x00401082 <+322>: je 0x401089 <phase_3+329>
This cmp instruction is theoretically comparing one of my inputs (either 6, d, or 358) to %al.
I ran:
(gdb) i r al
al 0x64 100
...to find that the value at %al was 100.
So whatever value is at -0x9(%ebp) is being compared to 100. But how do I determine what value is stored at -0x9(%ebp)?
I tried seeing what decimal value/string value was stored at %ebp with the following commands:
(gdb) i r ebp
ebp 0xbfffef58 0xbfffef58
(gdb) x/d 0xbfffef58
0xbfffef58: -104
(gdb) x/s 0xbfffef58
0xbfffef58: "\230\357\377\277\003\016@"
...but neither -104 nor \230\357\377\277\003\016@ are inputs I entered into the function.
I assume the -0x9 prefix is referring to another address to get the value. I'm thinking I need to use the other register values/addresses to help me:
(gdb) i r
eax 0x64 100
ecx 0xbfffea00 -1073747456
edx 0xbfffef40 -1073746112
ebx 0x405000 4214784
esp 0xbfffef30 0xbfffef30
ebp 0xbfffef58 0xbfffef58
esi 0xbfffefb0 -1073746000
edi 0xb7fb8000 -1208254464
eip 0x401084 0x401084 <phase_3+324>
eflags 0x206 [ PF IF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
Any help figuring out what this value is would be greatly appreciated!
As stated here:
https://www.cs.uaf.edu/2015/fall/cs301/lecture/09_16_stack.html
al and ah are the 8-bit, "char" size parts of the register.
So, %al refers to a 'char' in the register. Therefore, this cmp statement is comparing 2 chars.
Let's refer to the i r al command's output:
(gdb) i r al
al 0x64 100
To determine the char value of al, we need to take the provided hex value and refer to a hex-to-ASCII chart. The 0x64 hex value for al in our case, according to the hex-to-ASCII chart, corresponds to the char d. Hey, that's one of our inputs!
So, we know our input of d is being compared to -0x9(%ebp).
To find the value of -0x9(%ebp), we need to take the address held in %ebp, subtract 0x9 from it, and, finally, de-reference the resulting address. This is the command to find that value:
(gdb) x/b $ebp-9
This gives the output of 118 (decimal), which is 0x76 in hex. Refer to the hex-to-ASCII chart once more to find that 0x76 corresponds to the char v.
In summary: Our [incorrect] input of d was being compared to the [correct] input of v.
SOLUTION: Our input of d should be changed to v.