panda-re/lava

A problem occurred when the program that inserted the vulnerability was reversed

Closed this issue · 0 comments

98hq commented

I used lava for the bug injection test. The program I chose was toy.

When I look at the source code, I see that the program's output is inconsistent with the source code.

For example, in the line of code that triggered the vulnerability, the source code is as follows:

`consume_record(data_flow, ent + (data_flow[0] * (0x70444c46 == data_flow[0])));`

When I look at the assembly code using GDB, I find that the operational logic is different from the source code.
The corresponding assembly code for the source code is as follows:

```asm
0x56555899 <+156>: cmp eax,0x70444c46
0x5655589e <+161>: sete al
0x565558a1 <+164>: movzx eax,al
0x565558a4 <+167>: imul eax,edx
0x565558a7 <+170>: mov edx,eax
0x565558a9 <+172>: mov eax,edx
0x565558ab <+174>: add eax,eax
0x565558ad <+176>: add eax,edx
0x565558af <+178>: shl eax,0x3
0x565558b2 <+181>: mov edx,eax
0x565558b4 <+183>: mov eax,DWORD PTR [ebp-0x18]
0x565558b7 <+186>: add eax,edx
```

The logic of the source code is: when the condition is satisfied, the second argument of the consume_record function is `ent + data_flow[0]*1`.

But the logic of the assembly code is: when the condition is satisfied, the second argument of the consume_record function is `ent + ((data_flow[0]*1)*3)<<3`.

In addition, other programs that insert vulnerabilities also have this problem.

I don't know why the compiler compiles the source code like this. Am I missing something?

Can someone give me some help or advice?
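The `add eax,eax` / `add eax,edx` / `shl eax,0x3` sequence in the listing is how the compiler scales an array index by the element size: in C, `ptr + n` advances the pointer by `n * sizeof(*ptr)` bytes, and `(x*3)<<3` is `x*24`. The C example below is added here and is not from the issue or from the LAVA project; it assumes a 24-byte record type for `ent` (the real type is not shown in the issue) and compares the pointer arithmetic with the 32-bit register arithmetic from the disassembly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout. The issue never shows the real type of `ent`;
 * 24 bytes is an assumption chosen because the compiler scales the index by
 * 3 and then by 8 ((x*3)<<3 == x*24), which is what `ent + n` means when
 * sizeof(*ent) == 24. */
struct record {
    uint32_t tag;
    uint32_t len;
    uint32_t payload[4];
};

#define MAGIC 0x70444c46u   /* constant from the injected source line */

/* Index expression exactly as written in the injected source line. */
static uint32_t scaled_index(uint32_t data_flow0)
{
    return data_flow0 * (MAGIC == data_flow0);
}

/* Byte distance between `ent` and `ent + idx`, formed with real pointer
 * arithmetic. Caller must keep idx in bounds so the arithmetic is defined. */
ptrdiff_t pointer_offset(const struct record *ent, uint32_t idx)
{
    const struct record *p = ent + idx;
    return (const char *)p - (const char *)ent;
}

/* The same quantity computed the way the disassembly does it, in 32-bit
 * registers, so it wraps modulo 2^32 exactly like eax does. */
uint32_t asm_offset(uint32_t data_flow0)
{
    uint32_t edx = scaled_index(data_flow0);   /* imul eax,edx; mov edx,eax */
    uint32_t eax = edx + edx;                  /* add eax,eax */
    eax += edx;                                /* add eax,edx */
    eax <<= 3;                                 /* shl eax,0x3 */
    return eax;                                /* then added to [ebp-0x18] (ent) */
}

int main(void)
{
    struct record table[4] = {{0}};
    printf("in-bounds index 2: pointer offset %td bytes, register form %u\n",
           pointer_offset(table, 2), 2u * 24u);
    printf("benign input 7: register offset %u (index is 0)\n", asm_offset(7));
    printf("trigger input MAGIC: register offset %u (MAGIC*24 mod 2^32)\n",
           asm_offset(MAGIC));
    return 0;
}
```

For the trigger value the scaled offset is far outside any real record table, which is the out-of-bounds access the injected bug is meant to produce; the disassembly is a faithful compilation of the source line, not a different computation.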