From 5feb29cc9588ca3e3162c47e83631f7ef1c846fa Mon Sep 17 00:00:00 2001
From: Void-Deer
Date: Tue, 14 Apr 2026 09:57:35 +0800
Subject: [PATCH] Lab: bomb lab phase 6 update. We're close to finishing

---
 CMU-CSAPP/labs/bomb_lab/dbomb.asm | 112 +++++++++++++++++++-----------
 1 file changed, 72 insertions(+), 40 deletions(-)

diff --git a/CMU-CSAPP/labs/bomb_lab/dbomb.asm b/CMU-CSAPP/labs/bomb_lab/dbomb.asm
index ced11aa..350b85d 100644
--- a/CMU-CSAPP/labs/bomb_lab/dbomb.asm
+++ b/CMU-CSAPP/labs/bomb_lab/dbomb.asm
@@ -562,64 +562,96 @@ Disassembly of section .text:
   4010f3:  c3                      ret
 
 00000000004010f4 :
+# breakpoint 1 at explode_bomb
   4010f4:  41 56                   push   %r14
   4010f6:  41 55                   push   %r13
   4010f8:  41 54                   push   %r12
   4010fa:  55                      push   %rbp
   4010fb:  53                      push   %rbx
-  4010fc:  48 83 ec 50             sub    $0x50,%rsp
-  401100:  49 89 e5                mov    %rsp,%r13
-  401103:  48 89 e6                mov    %rsp,%rsi
+  4010fc:  48 83 ec 50             sub    $0x50,%rsp # stack frame setup
+  401100:  49 89 e5                mov    %rsp,%r13 # store stack frame here
+  401103:  48 89 e6                mov    %rsp,%rsi
   401106:  e8 51 03 00 00          call   40145c
   40110b:  49 89 e6                mov    %rsp,%r14
-  40110e:  41 bc 00 00 00 00       mov    $0x0,%r12d
+  40110e:  41 bc 00 00 00 00       mov    $0x0,%r12d # r12 = 0
+# L6OuterLoop
   401114:  4c 89 ed                mov    %r13,%rbp
   401117:  41 8b 45 00             mov    0x0(%r13),%eax
+# breakpoint -
+# %eax here is the passwords. they needs to be <= 6
   40111b:  83 e8 01                sub    $0x1,%eax
   40111e:  83 f8 05                cmp    $0x5,%eax
-  401121:  76 05                   jbe    401128
+  401121:  76 05                   jbe    401128 # if eax - 1 <= 5, pass the test
   401123:  e8 12 03 00 00          call   40143a
-  401128:  41 83 c4 01             add    $0x1,%r12d
+  401128:  41 83 c4 01             add    $0x1,%r12d # r12d += 1
   40112c:  41 83 fc 06             cmp    $0x6,%r12d
-  401130:  74 21                   je     401153
+  401130:  74 21                   je     401153 # if r12d == 6, jump to L6OuterEnd.
+                                                 # seems like a for loop. loop 5 times.
   401132:  44 89 e3                mov    %r12d,%ebx
-  401135:  48 63 c3                movslq %ebx,%rax
-  401138:  8b 04 84                mov    (%rsp,%rax,4),%eax
-  40113b:  39 45 00                cmp    %eax,0x0(%rbp)
-  40113e:  75 05                   jne    401145
-  401140:  e8 f5 02 00 00          call   40143a
-  401145:  83 c3 01                add    $0x1,%ebx
-  401148:  83 fb 05                cmp    $0x5,%ebx
-  40114b:  7e e8                   jle    401135
+# L6InnerLoop
+  401135:  48 63 c3                movslq %ebx,%rax # move rbx to rax, with sign extension.
+  401138:  8b 04 84                mov    (%rsp,%rax,4),%eax # rax = 4 * rax + rsp, and move the value at that address to eax.
+                  # looks like accessing an array of integers on the stack.
+                  # since the outer loop iterates 5 times, maybe this is the array
+                  # of numbers we just read?
+                  # Notes that r12d starts with 1. The first number read here is
+                  # the second number in pswd.
+  40113b:  39 45 00                cmp    %eax,0x0(%rbp) # compare eax with *rbp. What's rbp here?
+                  # rbp = r13, which is the address of arr[0] in the beginning
+                  # and increases by 4 each, or get the next number in array.
+  40113e:  75 05                   jne    401145 # if equal, pass the test.
+                  # I think this means we cannot have any equal number.
+  401140:  e8 f5 02 00 00          call   40143a
+  401145:  83 c3 01                add    $0x1,%ebx # rbx += 1
+  401148:  83 fb 05                cmp    $0x5,%ebx # compare rbx with 5
+  40114b:  7e e8                   jle    401135 # if rbx <= 5, jump to L6InnerLoop
   40114d:  49 83 c5 04             add    $0x4,%r13
-  401151:  eb c1                   jmp    401114
-  401153:  48 8d 74 24 18          lea    0x18(%rsp),%rsi
-  401158:  4c 89 f0                mov    %r14,%rax
-  40115b:  b9 07 00 00 00          mov    $0x7,%ecx
-  401160:  89 ca                   mov    %ecx,%edx
-  401162:  2b 10                   sub    (%rax),%edx
-  401164:  89 10                   mov    %edx,(%rax)
-  401166:  48 83 c0 04             add    $0x4,%rax
+  401151:  eb c1                   jmp    401114 # jump to L6OuterLoop
+# L6OuterEnd
+# breakpoint -
+  401153:  48 8d 74 24 18          lea    0x18(%rsp),%rsi # load the address of arr[0] + 0x18 in rsi
+  401158:  4c 89 f0                mov    %r14,%rax # rax = arr
+  40115b:  b9 07 00 00 00          mov    $0x7,%ecx # rcx = 7
+# L6Loop2Start, start with t = 0
+  401160:  89 ca                   mov    %ecx,%edx # rdx = 7
+  401162:  2b 10                   sub    (%rax),%edx # rdx = 7 - arr[t]
+  401164:  89 10                   mov    %edx,(%rax) # arr[0] = 7 - arr[t]
+  401166:  48 83 c0 04             add    $0x4,%rax # rax set to arr[t + 1]
   40116a:  48 39 f0                cmp    %rsi,%rax
-  40116d:  75 f1                   jne    401160
-  40116f:  be 00 00 00 00          mov    $0x0,%esi
-  401174:  eb 21                   jmp    401197
-  401176:  48 8b 52 08             mov    0x8(%rdx),%rdx
-  40117a:  83 c0 01                add    $0x1,%eax
-  40117d:  39 c8                   cmp    %ecx,%eax
-  40117f:  75 f5                   jne    401176
-  401181:  eb 05                   jmp    401188
-  401183:  ba d0 32 60 00          mov    $0x6032d0,%edx
-  401188:  48 89 54 74 20          mov    %rdx,0x20(%rsp,%rsi,2)
-  40118d:  48 83 c6 04             add    $0x4,%rsi
-  401191:  48 83 fe 18             cmp    $0x18,%rsi
+  40116d:  75 f1                   jne    401160 # stop after processed all numbers
+# L6Loop2End
+  40116f:  be 00 00 00 00          mov    $0x0,%esi # rsi = 0
+# breakpoint -, set t = 0
+  401174:  eb 21                   jmp    401197 # jump to L6s1
+# L6OuterLoop3Begin
+# breakpoint -
+  401176:  48 8b 52 08             mov    0x8(%rdx),%rdx # rdx = *(rdx+8). rdx there is a linked list on heap
+  40117a:  83 c0 01                add    $0x1,%eax # rax += 1
+  40117d:  39 c8                   cmp    %ecx,%eax
+  40117f:  75 f5                   jne    401176 # if rcx == 0 goto L6OuterLoop3Begin
+  401181:  eb 05                   jmp    401188 # otherwise goto L6s3
+# L6s2
+  401183:  ba d0 32 60 00          mov    $0x6032d0,%edx # rdx = unknown_node
+# L6s3
+  401188:  48 89 54 74 20          mov    %rdx,0x20(%rsp,%rsi,2) # arr2[rsi] = unknown_node.
+                  # arr2 have 8 bytes per member, actually a 32-bit pointer.
+  40118d:  48 83 c6 04             add    $0x4,%rsi # rsi += 4, basically jump to next member
+  401191:  48 83 fe 18             cmp    $0x18,%rsi # compare rsi with 18.... really?
   401195:  74 14                   je     4011ab
-  401197:  8b 0c 34                mov    (%rsp,%rsi,1),%ecx
+# L6s1 - What name should I give this?
+  401197:  8b 0c 34                mov    (%rsp,%rsi,1),%ecx # rcx = arr[rsi]
   40119a:  83 f9 01                cmp    $0x1,%ecx
-  40119d:  7e e4                   jle    401183
-  40119f:  b8 01 00 00 00          mov    $0x1,%eax
-  4011a4:  ba d0 32 60 00          mov    $0x6032d0,%edx
-  4011a9:  eb cb                   jmp    401176
+  40119d:  7e e4                   jle    401183 # if arr[rsi] <= 1 goto L6s2
+  40119f:  b8 01 00 00 00          mov    $0x1,%eax # eax = 1
+  4011a4:  ba d0 32 60 00          mov    $0x6032d0,%edx # edx = unknown_node
+                  # 0x6032d0 : 0x000000010000014c 0x00000000006032e0
+                  # 0x6032e0 : 0x00000002000000a8 0x00000000006032f0
+                  # 0x6032f0 : 0x000000030000039c 0x0000000000603300
+                  # 0x603300 : 0x00000004000002b3 0x0000000000603310
+                  # 0x603310 : 0x00000005000001dd 0x0000000000603320
+                  # 0x603320 : 0x00000006000001bb 0x0000000000000000
+  4011a9:  eb cb                   jmp    401176 # goto L6OuterLoop3Begin
+# L6OuterLoop3Exit
   4011ab:  48 8b 5c 24 20          mov    0x20(%rsp),%rbx
   4011b0:  48 8d 44 24 28          lea    0x28(%rsp),%rax
   4011b5:  48 8d 74 24 50          lea    0x50(%rsp),%rsi
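Review bot: The comment on `jne 401145` at 40113e is inverted: `jne` skips the `call 40143a` when `0x0(%rbp)` and `%eax` differ, so the phase survives only when the two numbers are not equal, which is what the following line already guesses; suggest `# if *rbp != arr[ebx], skip explode_bomb: the six numbers must be pairwise distinct`. The same mismatch is at 40117f, where `cmp %ecx,%eax` / `jne 401176` keeps following `0x8(%rdx)` until the counter `eax` reaches `ecx`, not "if rcx == 0"; suggest `# while (++eax != ecx) node = node->next, i.e. walk to the ecx-th node`. At 401121 the branch is `jbe`, an unsigned compare, so `eax - 1 <= 5` also rejects an input of 0 (it wraps to 0xffffffff), and the note "they needs to be <= 6" should read `# unsigned (x - 1) <= 5, i.e. 1 <= x <= 6`. Two smaller slips: `mov %edx,(%rax)` at 401164 writes back to `arr[t]`, not `arr[0]`, and the 8-byte `mov %rdx,...` at 401188 stores a 64-bit pointer (the `%rsi,2` scale on the 4-byte `add $0x4,%rsi` step is what produces the 8-byte stride), not a 32-bit one.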