Question
Below is an interaction using gdb with final_bomb, an executable that is similar to the bomb from homework assignment 6. In final_bomb, there is one phase, called p5.
linux> ./final_bomb
Welcome to the final exam bomb. Type your user id
guest
Try your hand at phase p5...
asodifj
BOOM!!!
The bomb has blown up.
P5 is passed one parameter, containing the user's input (e.g., "asodifj").
Its behavior is dependent on the input and the user ID. Here is a disassembly of p5.
Notice that the user ID is stored in a global variable, whose address is 0x60104c.
(gdb) disas p5
Dump of assembler code for function p5:
0x00000000004006b0 <+0>: sub $0x18,%rsp
0x00000000004006b4 <+4>: xor %eax,%eax
0x00000000004006b6 <+6>: mov $0x4007e1,%esi
0x00000000004006bb <+11>: lea 0xc(%rsp),%rdx
0x00000000004006c0 <+16>: callq 0x400520 <__isoc99_sscanf@plt>
0x00000000004006c5 <+21>: xor %eax,%eax
0x00000000004006c7 <+23>: cmpb $0x0,0x20097e(%rip) #0x60104c
0x00000000004006ce <+30>: je 0x4006df
0x00000000004006d0 <+32>: add $0x1,%eax
0x00000000004006d3 <+35>: movslq %eax,%rdx
0x00000000004006d6 <+38>: cmpb $0x0,0x60104c(%rdx)
0x00000000004006dd <+45>: jne 0x4006d0
0x00000000004006df <+47>: cmp 0xc(%rsp),%eax
0x00000000004006e3 <+51>: jne 0x4006ea
0x00000000004006e5 <+53>: add $0x18,%rsp
0x00000000004006e9 <+57>: retq
0x00000000004006ea <+58>: xor %eax,%eax
0x00000000004006ec <+60>: callq 0x400690
End of assembler dump.
(gdb)
Answer the following, assuming you have reached a breakpoint at p5+16.
A. The second parameter that is passed to the sscanf is a format string, which determines how sscanf interprets the string that is passed as its first parameter. What debugger command will display this format string?
B. p5 passes the address of a local variable as the third parameter to sscanf. Give the gdb command that reveals this address.
C. (2 points) Assume that the debugger command in (a) displays %d as the format string. Given the results of the above, what is the input which will defuse p4 for the guest user ID? Explain your answer.
That was the whole question given by the teacher. I think I know the answers for questions A and B. I have "x/s $esi" for A and print/x $rdx for B. The only part of the question that I can't figure out on my own is C.
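An added example, not part of the original question or the course's code: a C reconstruction of p5 read off the disassembly above, assuming the format string is %d as part C states. The names p5_check and user_id are hypothetical; user_id stands in for the global at 0x60104c.

```c
#include <stdio.h>

/* Added reconstruction of p5 from the disassembly; names are hypothetical.
 * Returns 1 when the phase returns normally (p5+53) and 0 when it reaches
 * the call at p5+60. */
int p5_check(const char *input, const char *user_id)
{
    int n;          /* the local at 0xc(%rsp), third argument to sscanf */
    int count = 0;  /* xor %eax,%eax at p5+21 */

    /* The original ignores sscanf's return value, so on non-numeric input
     * it compares against whatever the stack slot held. Using -1 here is
     * an assumption that keeps this example's result defined. */
    if (sscanf(input, "%d", &n) != 1)
        n = -1;

    if (user_id[0] != '\0') {             /* cmpb $0x0,0x60104c ; je p5+47 */
        do {
            count++;                      /* add $0x1,%eax */
        } while (user_id[count] != '\0'); /* cmpb $0x0,0x60104c(%rdx) ; jne */
    }

    return count == n;                    /* cmp 0xc(%rsp),%eax ; jne p5+58 */
}

int main(void)
{
    /* Constructed sample inputs, checked against the "guest" user ID. */
    const char *tries[] = { "asodifj", "4", "5", "5 trailing" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-12s -> %s\n", tries[i],
               p5_check(tries[i], "guest") ? "returns" : "BOOM");
    return 0;
}
```

The loop at p5+32 through p5+45 is a byte-by-byte scan for the terminating NUL, so the value compared against the parsed integer is the number of characters in the user ID.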