
MIT 6.828 HW1 Boot xv6

Notes of MIT 6.828 HW1.

Boot xv6

Clone the repository and build xv6.

Finding and breaking at an address

Using nm on the kernel binary, we find that _start is at 0x0010000c.

❯ nm kernel | grep _start
8010a48c D _binary_entryother_start
8010a460 D _binary_initcode_start
0010000c T _start

Set a breakpoint there in gdb and continue until it is hit.

pwndbg> target remote localhost:26000
Remote debugging using localhost:26000
0x0000fff0 in ?? ()

pwndbg> b * 0x0010000c
Breakpoint 1 at 0x10000c
pwndbg> c
Continuing.

Thread 1 hit Breakpoint 1, 0x0010000c in ?? ()
► 0x10000c mov eax, cr4

pwndbg>

Exercise: What is on the stack?

At the above breakpoint, inspect the register values and the stack contents.

pwndbg> info reg
eax 0x0 0
ecx 0x0 0
edx 0x1f0 496
ebx 0x10094 65684
esp 0x7bdc 0x7bdc
ebp 0x7bf8 0x7bf8
esi 0x10094 65684
edi 0x0 0
eip 0x10000c 0x10000c
eflags 0x46 [ PF ZF ]
cs 0x8 8
ss 0x10 16
ds 0x10 16
es 0x10 16
fs 0x0 0
gs 0x0 0
pwndbg> x/24x $esp
0x7bdc: 0x00007d97 0x00000000 0x00000000 0x00000000
0x7bec: 0x00000000 0x00000000 0x00000000 0x00000000
0x7bfc: 0x00007c4d 0x8ec031fa 0x8ec08ed8 0xa864e4d0
0x7c0c: 0xb0fa7502 0xe464e6d1 0x7502a864 0xe6dfb0fa
0x7c1c: 0x16010f60 0x200f7c78 0xc88366c0 0xc0220f01
0x7c2c: 0x087c31ea 0x10b86600 0x8ed88e00 0x66d08ec0
  • Where in bootasm.S is the stack pointer initialized?
    • At line 65, movl $start, %esp, which sets esp to 0x7c00.
  • Single step through the call to bootmain; what is on the stack now?
    • The saved eip, 0x7c4d, i.e. the return address of bootmain().
  • What do the first assembly instructions of bootmain do to the stack?
    • They save the old ebp and set up a stack frame by setting ebp to the value of esp, then save the old edi, esi and ebx, and subtract 0x10 from esp.
  • Look for the call that changes eip to 0x10000c. What does that call do to the stack?
    • The call is at 0x7d91, call *0x10018. It pushes the current eip (the return address) onto the stack.

So now we can account for the non-zero values on the stack at the above breakpoint. The 0x7c4d at 0x7bfc and the 0x7d97 at 0x7bdc are both return addresses pushed by call instructions.

0x7c00: 0x8ec031fa not the stack
0x7bfc: 0x00007c4d bootmain() return address
0x7bf8: 0x00000000 old ebp
0x7bf4: 0x00000000 old edi
0x7bf0: 0x00000000 old esi
0x7bec: 0x00000000 old ebx
0x7be8: 0x00000000
0x7be4: 0x00000000
0x7be0: 0x00000000 local vars
0x7bdc: 0x00007d97 entry() return address
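The mapping above can be reproduced mechanically from the gdb output. The following Python script is an added example, not part of the original notes or of xv6: it parses the register dump and the `x/24x $esp` output (pasted in as constructed sample text), then derives the frame layout from esp and ebp alone, using the push order (ebp, edi, esi, ebx) described above and the 0x7c00 stack base from bootasm.S. The size of the local area is computed from the two register values rather than assumed, and each return address is checked to lie inside the 512-byte boot sector loaded at 0x7c00, which is the sanity check you want before trusting a hand-drawn stack picture.

```python
import re

# Constructed sample input: the relevant registers and the x/24x dump
# shown above, pasted as text so the script runs offline.
GDB_REGS = """
esp 0x7bdc 0x7bdc
ebp 0x7bf8 0x7bf8
eip 0x10000c 0x10000c
"""

GDB_DUMP = """
0x7bdc: 0x00007d97 0x00000000 0x00000000 0x00000000
0x7bec: 0x00000000 0x00000000 0x00000000 0x00000000
0x7bfc: 0x00007c4d 0x8ec031fa 0x8ec08ed8 0xa864e4d0
0x7c0c: 0xb0fa7502 0xe464e6d1 0x7502a864 0xe6dfb0fa
"""

# Callee-saved registers in the order bootmain's prologue pushes them
# after the saved ebp (push %edi; push %esi; push %ebx), per the notes.
PUSH_ORDER = ("edi", "esi", "ebx")
STACK_BASE = 0x7c00          # movl $start, %esp in bootasm.S
BOOT_SECTOR = range(0x7c00, 0x7e00)   # 512-byte boot block loaded by the BIOS


def parse_regs(text):
    """Map register name -> value from `info reg` style lines."""
    regs = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(0x[0-9a-fA-F]+)", line)
        if m:
            regs[m.group(1)] = int(m.group(2), 16)
    return regs


def parse_dump(text):
    """Turn gdb `x/Nx` output into {address: 32-bit word}."""
    words = {}
    for line in text.splitlines():
        m = re.match(r"\s*(0x[0-9a-fA-F]+):\s*(.*)", line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[base + 4 * i] = int(tok, 16)
    return words


def local_words(regs):
    """Number of 32-bit local slots between the saved ebx and the pushed return address."""
    lowest_saved = regs["ebp"] - 4 * len(PUSH_ORDER)   # address of saved ebx
    return (lowest_saved - (regs["esp"] + 4)) // 4


def annotate_frame(regs, words, stack_base=STACK_BASE):
    """Return [(address, value, note)] from high to low address, like the table in the notes."""
    esp, ebp = regs["esp"], regs["ebp"]
    notes = {
        esp: "entry() return address (pushed by call *0x10018)",
        ebp + 4: "bootmain() return address (pushed by call bootmain)",
        ebp: "old ebp",
    }
    for i, reg in enumerate(PUSH_ORDER):
        notes[ebp - 4 * (i + 1)] = f"old {reg}"
    lowest_saved = ebp - 4 * len(PUSH_ORDER)
    for addr in range(esp + 4, lowest_saved, 4):
        notes[addr] = "local vars"
    rows = []
    for addr in sorted(words, reverse=True):
        note = "not the stack" if addr >= stack_base else notes.get(addr, "")
        rows.append((addr, words[addr], note))
    return rows


def return_addresses_in_boot_sector(regs, words):
    """True if both saved return addresses point back into the boot block."""
    esp, ebp = regs["esp"], regs["ebp"]
    return all(words[a] in BOOT_SECTOR for a in (esp, ebp + 4))


if __name__ == "__main__":
    regs = parse_regs(GDB_REGS)
    words = parse_dump(GDB_DUMP)
    for addr, val, note in annotate_frame(regs, words):
        print(f"0x{addr:x}: 0x{val:08x} {note}")
    print("local words:", local_words(regs))
    print("return addresses in boot sector:", return_addresses_in_boot_sector(regs, words))
```

Running it prints the same annotated layout as the table above, with the words at 0x7c00 and higher flagged as boot-sector code rather than stack; both return addresses fall inside the boot block, which confirms they were pushed by calls made from the bootloader and not by anything that ran later.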