Solution: Exercise 03

The following is the solution for Exercise 03.

For this exercise, make sure you run all commands from the directory:

  /path/to/cbat_tools/docs/exercises/03

Task 1

Compare the output in RAX of the function calculate_price in the older program (binary/main_1) and the newer program (binary/main_2). Can binary/main_2 produce different output than binary/main_1, when given the same argument?

Run wp on the calculate_price function in the two binaries, and compare the output values in RAX:

    $ bap wp \
          --func=calculate_price \
          --compare-post-reg-values=RAX \
          binary/main_1 \
          binary/main_2

When you run this, you will see that wp responds with SAT, meaning that it did indeed find a way to make the second version of the calculate_price function produce a different output than the first version, given the same input.

So, the answer to the first task is: yes, binary/main_2 can produce a different result than binary/main_1, when given the same argument.

Task 2

If so, what is an example of an argument that makes calculate_price behave differently than the original version?

To find an example of an argument that causes binary/main_1 and binary/main_2 to produce different results, look at the output of wp. When you run the above command, you should see output that looks like this (yours may not be exactly like this, but it should be similar):

    SAT!

    Model:
    	ZF  |->  0x0
    	SF  |->  0x0
    	RSP |->  0x000000003fc00000
    	RSI |->  0x0000000000000000
    	RDX |->  0x0000000000000000
    	RDI |->  0x0000000000000064  <-- An argument that yields different results
    	RCX |->  0x0000000000000000
    	RBP |->  0x0000000000000000
    	RAX |->  0x0000000000000000
    	R9  |->  0x0000000000000000
    	R8  |->  0x0000000000000000
    	PF  |->  0x0
    	OF  |->  0x0
    	CF  |->  0x0
    	AF  |->  0x0
    	mem_orig |-> [
    		#x000000003fbfffee |-> 0xff ;
    		#x000000003fbffff6 |-> 0xff ;
    		else |-> 0x00]
    	mem_mod |-> [
    		else |-> 0x00]

In particular, you want to look at the value that wp suggests for RDI, which is the argument to the calculate_price function. Here, it gives me 0x0000000000000064 as an example of an argument that will cause the two versions of calculate_price to produce different values.

We can confirm that this value does cause the two versions of calculate_price to yield different results. First, try it with binary/main_1:

    $ ./binary/main_1 0x0000000000000064
    Total price: 5000.00

Then, try it with binary/main_2:

    $ ./binary/main_2 0x0000000000000064
    Total price: 10000.00

As you can see, these two programs calculate different prices if the input is 0x0000000000000064 (which in decimal is exactly 100).
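The manual steps above (read RDI out of the wp model, then replay that argument against both binaries) can be scripted. The following is an added example, not part of the cbat_tools exercise: it parses the model block in the format wp prints, extracts the RDI counterexample, and, when the binaries exist, runs both and checks that their output differs. It assumes, as shown above, that each binary takes one hex argument and prints a "Total price:" line; the sample model text is constructed.

```python
#!/usr/bin/env python3
"""Extract the counterexample argument from a `bap wp` model and replay it."""
import re
import subprocess
from pathlib import Path

# Constructed sample in the shape of the wp output shown above (abridged).
SAMPLE_MODEL = """\
SAT!

Model:
\tZF  |->  0x0
\tRDI |->  0x0000000000000064  <-- An argument that yields different results
\tRAX |->  0x0000000000000000
\tmem_orig |-> [
\t\t#x000000003fbfffee |-> 0xff ;
\t\telse |-> 0x00]
"""

# Top-level register lines only: "<REG> |-> 0x<hex>"; memory maps and the
# "#x..." / "else" entries inside them deliberately do not match.
REG_LINE = re.compile(r"^\s*([A-Z][A-Z0-9]*)\s+\|->\s+(0x[0-9a-fA-F]+)", re.M)

def parse_model(text):
    """Return {register: int value} for every register line in the model."""
    return {m.group(1): int(m.group(2), 16) for m in REG_LINE.finditer(text)}

def counterexample_arg(text, reg="RDI"):
    """The argument wp chose (first integer argument is RDI on x86-64 SysV).
    Returns None when wp did not report SAT, i.e. there is no model."""
    if not text.lstrip().startswith("SAT"):
        return None
    return parse_model(text).get(reg)

def replay(binaries, arg):
    """Run each existing binary on the hex argument; return [(binary, stdout)]."""
    results = []
    for b in binaries:
        if Path(b).exists():
            proc = subprocess.run([b, hex(arg)], capture_output=True, text=True, check=False)
            results.append((b, proc.stdout.strip()))
    return results

def outputs_differ(results):
    """True when at least two of the replayed runs printed different output."""
    return len({out for _, out in results}) > 1

if __name__ == "__main__":
    arg = counterexample_arg(SAMPLE_MODEL)          # 100 for the sample above
    runs = replay(["./binary/main_1", "./binary/main_2"], arg)
    print(f"RDI = {arg:#x} ({arg}); outputs differ: {outputs_differ(runs)}", runs)
```

Pipe the real wp output in by replacing SAMPLE_MODEL with `sys.stdin.read()`; the exercise's binaries print 5000.00 and 10000.00 for this argument, so outputs_differ returns True.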
