Starting from:
$35

$29

LAB 07 QUESTIONS SOLUTION

Answer the questions below according to the lab specification. Write
your answers directly in this text file and submit it to complete the
lab.


PROBLEM 1: Division and Assembly Errors
=======================================

A: Incorrect Types
~~~~~~~~~~~~~~~~~~

  Examine the following codes.
  - `dodiv_main.c' contains a main function which calls the `dodiv()'
    function
  - `dodiv_badtypes.s' contains the function written in assembly but has
    an error which leads to incorrect results.

  Compile and run the codes and report your results with
  ,----
  | > gcc -g dodiv_main.c dodiv_badtype.s
  `----
  Identify which assembly instructions are incorrect and why.
    
   movq %rax,(%r8) and movq %rdx,(%rcx)        
   move too many bytes to int locations. switch to movl %eax and movl %edx

B: Correct Version
~~~~~~~~~~~~~~~~~~

  After identify the error in `dodiv_badtypes.s', correct the errors and
  paste your whole code below. Make sure to compile and test the code.

      .text
    .global    dodiv
dodiv:
    cmpl $0,%edi            # compare arg1 to 0
        je .ERROR_ZERO

        movl %edi,%eax          # copy arg1 to eax for division
        movq %rdx,%r8           # copy arg3 to r8 as rdx is used in division
        cqto                    # set up division by copy to edx
        idivl %esi              # divide by arg2, eax has quot, edx has rem
        movl %eax,(%r8)         # write quot to arg3
        movl %edx,(%rcx)        # write rem  to arg4
        movl $0,%eax            # return 0 on success
    ret

.ERROR_ZERO:
        movl $1,%eax            # return 1 on failure
        ret


C: Segmentation Fault
~~~~~~~~~~~~~~~~~~~~~

  Examine the codes below.
  - `dodiv_main.c' contains a main function which calls the `dodiv()'
    function
  - `dodiv_segfault.s' contains the function written in assembly but has
    a bad memory error in it.

  Compile the code and run it. Make sure to include debug information
  and run under Valgrind.
  ,----
  | > gcc -g dodiv_main.c dodiv_segfault.s
  | > valgrind ./a.out
  `----
  After running it, report your output. Look very carefully at the out
  of bounds address which is identified by valgrind as an 'Invalid
  Write'.  Determine why the strange and SMALL memory address shows up
  in and why it is problematic.  What differences are present in this
  version over your corrected version that explain the trouble?

   Segmentation fault (core dumped)
   > valgrind ./a.out
   ==18731== Memcheck, a memory error detector
   ==18731== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
   ==18731== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
   ==18731== Command: ./a.out
   ==18731== 
   ==18731== Invalid write of size 4
   ==18731==    at 0x1091CE: ??? (dodiv_segfault.s:18)
   ==18731==    by 0x489BCE2: (below main) (in /usr/lib/libc-2.29.so)
   ==18731==  Address 0x9 is not stack'd, malloc'd or (recently) free'd
   ==18731== 
   ==18731== 
   ==18731== Process terminating with default action of signal 11 (SIGSEGV): dumping core
   ==18731==  Access not within mapped region at address 0x9
   ==18731==    at 0x1091CE: ??? (dodiv_segfault.s:18)
   ==18731==    by 0x489BCE2: (below main) (in /usr/lib/libc-2.29.so)
   ==18731==  If you believe this happened as a result of a stack
   ==18731==  overflow in your program's main thread (unlikely but
   ==18731==  possible), you can try to increase the size of the
   ==18731==  main thread stack using the --main-stacksize= flag.
   ==18731==  The main thread stack size used in this run was 10022912.
   ==18731== 
   ==18731== HEAP SUMMARY:
   ==18731==     in use at exit: 0 bytes in 0 blocks
   ==18731==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
   ==18731== 
   ==18731== All heap blocks were freed -- no leaks are possible
   ==18731== 
   ==18731== For counts of detected and suppressed errors, rerun with: -v
   ==18731== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
   Segmentation fault (core dumped)
   
   %rdx contains the address for the quotient but it is overwritten and therefore leads to an
   out of bound write at line 18.

   movq %rx,%r8 should be added and movl %eax,(%rdx) should be changed to movl %eax, (%r8)


D: Calling from Assembly
~~~~~~~~~~~~~~~~~~~~~~~~

  The C code in `dodiv_main.c' provides a main function that can also be
  written in assembly though setting up calls to `printf()' are a bit
  tedious.  Analyze the assembly version provided in `dodiv_main_asm.s'
  and answer the following questions. Focus on filling in the following
  C-Assembly correspondence table.

  ---------------------------------------------------------------------
   Location in                                            Assembly     
   main()            C Code                               Instructions 
  ---------------------------------------------------------------------
   Call to dodiv()   int numer = 42;                      movl $42 %edi               
                     int denom = 11;                      movl $11 %esi             
                     &quot                                movq %rsp, %rdx             
                     &rem                                 leaq 4(%rsp), %rcx             
  ---------------------------------------------------------------------
   Call to printf()  printf("%d / %d = %d rem %d\n",...)  leaq    .FMT_STRING(%rip)%rdi           
   arguments         printf(..., quot)                    movl    (%rsp), %ecx
                     printf(..., rem)                     movl 4(%rsp), %r8d             
  ---------------------------------------------------------------------

  Also describe what the following two bits of assembly do:
  - Beginning of main(): `subq $8, %rsp' - allocates 8 bytes of memory on the stack for rem and quotient and aligns stack so it is ready for call to dodiv
  - End of main(): `addq $8, %rsp'
    - shrinks stack and stack pointer to point at return address


PROBLEM 2: Binary Analysis
==========================

  The two files verify_main.c and verify.o can be compiled together to
  form an executable as in the following.
  ,----
  | > gcc verify.o verify_main.c
  | > ./a.out
  | Complete this sentence by C creator Dennis Ritchie:
  | C has the power of assembly language and the convenience of ...
  | pizza?
  | Have a nice tall glass of ... NOPE.
  | > 
  `----

  The intent of the executable is to enter the correct string to
  complete a sentence.  Unfortunately the source code for the verify()
  function in verify.o has been lost.  This problem analyzes how one
  might determine the correct answer without source code.


A: strings utility for binaries
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Make use of the `strings' program which is available on most Unix
  platforms. This program shows the ASCII strings present in a binary
  object such as verify.o. Run it by typing:
  ,----
  | > strings verify.o
  `----
  Show the results you of the run for you answer and speculate about
  what strings seem probable as completions to the sentence in
  verify_main.

a set of dental instruments
C++ without the ++ part
assembly language
Dvorak keyboards
trick question: it isn't convenient
a gun that shoots forwards and backwards
OCaml without type inference, garbage collection, or first-class functions
GCC: (GNU) 7.2.1 20171128
verify.c
verify
answers
_GLOBAL_OFFSET_TABLE_
strcmp
.symtab
.strtab
.shstrtab
.rela.text
.data
.bss
.rodata.str1.1
.rodata.str1.8
.rela.data.rel.local
.comment
.note.GNU-stack
.rela.eh_frame

The answer is most likely one of the first few strings.



B: nm utility to show symbol names
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  Run the `nm' utility which is short for "names". It produces the set
  of symbols present in a binary file.
  ,----
  | > nm verify.o
  `----
  Such symbols are identified by 1-letter codes such as
  - T/t : program instructions (text) in the object
  - D/d : data defined in the objects
  - U : undefined symbols in the object which must come from other
    objects

  Show the output of you run of `nm' and speculate on what variable
  might contain the completion to the sentences.

0000000000000000 D answers
                 U _GLOBAL_OFFSET_TABLE_
                 U strcmp
0000000000000000 T verify

The variable answers seems most likely.



C: GDB with Assembly
~~~~~~~~~~~~~~~~~~~~

  The binary utilities mentioned can give some insight and perhaps
  enable problems like this to be "brute forced": once all possible
  answers are known, try all of them until something works.

  However, `gdb' can provide a faster route as it handles assembly code
  as easily as C code.  Take the following approach.

  1. Run gdb on the executable resulting from compiling verify_main.c
     and verify.o
  2. In TUI mode, use the command
     ,----
     | (gdb) layout asm
     `----
     to show assembly code for the program being debugged. This is
     necessary when dealing with binary files like verify.o.  If you
     neglected to run `gdb' in TUI mode, you can enable it with
     ,----
     | (gdb) tui enable
     `----
  3. Set a breakpoint on the function that verifies the input.
  4. Run the program to the breakpoint. You will need to enter a guess
     for the sentence completion but anything will work to move the
     program forward.
  5. Once the verifying function is entered, look for a string
     comparison to be done, likely using the `strcmp()' function.  Step
     forwards to just before this function. Use the `stepi' instruction
     to step forward by single assembly instructions.
  6. Immediately preceding this call will be some movement of pointers
     into registers which are the arguments to the function. You should
     inspect the strings pointed to by these registers.
  7. You can print the values of registers as various things in `gdb'
     using the `print' command and C-style casting. Examples are below.
     Note register names are preceded with a dollar sign ($).
     ,----
     |    (gdb) print (int) $rax
     |    $1 = -8448
     |    (gdb) print (char *) $rax
     |    $2 = 0x7fffffffdf00 "cruft\n"
     |    (gdb) print (double) $rax
     |    $3 = 140737488346880
     |    (gdb) print (int *) $rax
     |    $4 = (int *) 0x7fffffffdf00
     `----
  8. Look particularly at "argument" registers which are used to pass
     information to functions like `strcmp()'.  Some of these should
     contain pointers to the string entered and the correct string.

  Give the correct string to enter to complete the sentence.


  The correct string is "assembly language"

More products