Step 1: enter shell mode
Switch#mEnter into super shell mode!!
BCM.0> shell
->
Step 2: disassemble the function in which the breakpoint will be set
l fsFileValidCheck
Keep running l to continue the disassembly until you reach the location where the breakpoint should be set.
-> l fsFileValidCheck
fsFileValidCheck:
0xafbd18 9421ffc0 stwu r1,-64(r1)
0xafbd1c 7c0802a6 mfspr r0,LR
0xafbd20 9361002c stw r27,44(r1)
0xafbd24 93810030 stw r28,48(r1)
0xafbd28 93a10034 stw r29,52(r1)
0xafbd2c 93c10038 stw r30,56(r1)
0xafbd30 93e1003c stw r31,60(r1)
0xafbd34 90010044 stw r0,68(r1)
0xafbd38 7cbc2b78 or r28,r5,r5
0xafbd3c 817c0000 lwz r11,0(r28)
value = 11517248 = 0xafbd40 = fsFileValidCheck + 0x28
-> l
0xafbd40 7cde3378 or r30,r6,r6
0xafbd44 801e0000 lwz r0,0(r30)
0xafbd48 7c9f2378 or r31,r4,r4
0xafbd4c 813f0008 lwz r9,8(r31)
0xafbd50 7c7b1b78 or r27,r3,r3
0xafbd54 9001000c stw r0,12(r1)
0xafbd58 71200010 andi. r0,r9,0x10
0xafbd5c 91610008 stw r11,8(r1)
0xafbd60 418200c4 bc 0xc,2, 0xafbe24 # 0x00afbe24
0xafbd64 801f0000 lwz r0,0(r31)
value = 11517288 = 0xafbd68 = fsFileValidCheck + 0x50
…………..
-> l
0xafbf48 7f83e378 or r3,r28,r28
0xafbf4c 7fbdf214 add r29,r29,r30
0xafbf50 4b5bfbdd bl 0xbbb2c # strlen
0xafbf54 7c651b78 or r5,r3,r3
0xafbf58 7fa3eb78 or r3,r29,r29
0xafbf5c 7f84e378 or r4,r28,r28
0xafbf60 4b5bfa9d bl 0xbb9fc # strncmp
0xafbf64 2c030000 cmpi crf0,0,r3,0x0 # 0
0xafbf68 41820028 bc 0xc,2, 0xafbf90 # 0x00afbf90
0xafbf6c 3d2001ae lis r9,0x1ae # 430
value = 11517808 = 0xafbf70 = fsFileValidCheck + 0x258
Step 3: set the breakpoint and exit the shell
-> b 0xafbf60
value = 0 = 0x0
-> exit
BCM.0> exit
Step 4: run the command
Switch#copy ftp://xzy:xzy@192.168.139.36/boot.rom boot.rom
Confirm to overwrite the existed destination file? [Y/N]:
220 Serv-U FTP-Server v2.5 build 6 for WinSock ready...
331 User name okay, need password.
230 User logged in, proceed.
200 Type set to I.
200 PORT Command successful.
150 Opening BINARY mode data connection for boot.rom (3085200 bytes).
Recv total 3085200 bytes
226 Transfer complete.
Close ftp client.
pTypeStr = =EIH@=HCDG=YY
Break at 0x00afbf60: fsFileValidCheck+0x248 Task: 0x1a5e1610 (ftpCopyFile)
Step 5: enter shell mode again
Enter into super shell mode!!
BCM.0> shell
->
Enter i to view the state of the tasks
-> i
NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY
---------- ------------ -------- --- ---------- -------- -------- ------- -----
tExcTask excTask 1effe718 0 PEND 10652c8 1effe5f8 0 0
tLogTask logTask 1effbd30 0 PEND 10652c8 1effbc20 0 0
tShell shell 1a5d7e78 1 READY bc0b60 1a5d7a58 0 0
shellMsgTasinit_shell_m 1ef15eb0 5 DELAY bc04ac 1ef15bb0 30065 4
cpu_measuremeasure_cpu_ 1a60ed10 6 DELAY bc04ac 1a60ec30 0 66
tLogMsg logMsgTask 1e00e778 8 PEND bbb26c 1e00e688 0 0
tWatchDog d8f24 1a60d290 10 PEND+T 10652c8 1a60d140 30065 691
tSDiag sdiag_entry 1dbb5d40 20 PEND 10652c8 1dbb5ae0 0 0
tRxDaemon rateLimitDea 1db56ff8 38 DELAY bc04ac 1db56f18 0 4
bcmTX _bcm_tx_call 1e9aec38 39 PEND bbb26c 1e9aeb38 0 0
bcmXGS3Asyn_xgs3_async_ 1e9aa9d0 39 PEND bbba80 1e9aa8c0 0 0
tRCUdpc c47f4 1dfe9a28 46 PEND 10652c8 1dfe9908 0 0
tDMLL1Tx 1fa224 1dbb0c10 48 PEND 10652c8 1dbb0b00 0 0
bcmRX rx_pkt_threa 1db607b0 48 PEND+T bbb26c 1db60680 3d0004 2
bcmDPC sal_dpc_thre 1ef028b8 50 PEND bbb26c 1ef027d8 0 0
tFastLink fast_link_ma 1b8e7a80 50 PEND 10652c8 1b8e7960 0 0
pbrTimer pbr_timer 1b1fedd8 50 DELAY bc04ac 1b1fed28 0 1596
tDpc c47f4 1dff5c68 55 PEND 10652c8 1dff5b48 0 0
tLacp lacp_main_ta 1af381a0 58 PEND+T bbb26c 1af37ac0 3d0004 20
tFDBTmr d2d80 1d083098 60 PEND bbb26c 1d082fc8 0 0
tMstp 5e3fc4 1b360158 60 PEND+T bbb26c 1b35d9b8 3d0004 25
tNeighApp 230edc 1de0e9e8 61 PEND 10652c8 1de0e8a8 0 0
tLoopback loopback_det 1b0948d0 61 PEND 10652c8 1b094750 0 0
tUldp uldp_main 1b05bd68 61 PEND 10652c8 1b05bc08 0 0
tAAAMainTasaaaMainTask 1b7b5410 62 PEND+T bbb26c 1b7b4030 3d0004 51
tNACTask network_acce 1b39ce58 62 PEND+T bbb26c 1b39c778 3d0004 46
tPppoeIa pppoe_ia_mai 1b38a238 62 PEND+T 10652c8 1b38a108 3d0004 11
tIgmpsnoopiigmp_snoopin 1b300008 63 PEND+T bbb26c 1b2ff918 3d0004 36
tMldsnoopinmld_snooping 1b2f3c08 63 PEND 10652c8 1b2f3ab8 0 0
tLldp lldp_main 1b09a738 64 PEND+T bbb26c 1b09a058 3d0004 26
tVlanMsg execVlanEven 1d9e8950 65 PEND 10652c8 1d9e87e0 3d0004 0
tMrpp mrpp_main 1b0a9730 65 PEND 10652c8 1b0a95c0 0 0
tUlpp ulpp_main 1b051658 65 PEND+T 10652c8 1b0514f8 3d0004 10
tUlsm ulsm_main 1b046f48 65 PEND+T 10652c8 1b046e18 3d0004 6
tIPTimer 277694 1df617e8 69 PEND bbb26c 1df61718 3d0002 0
tPoePwInt poePowerUpDo 1da18490 69 DELAY bc04ac 1da183e0 0 74
tGvrpTimer d2d80 1b36a118 69 PEND bbb26c 1b36a048 0 0
tphyDaemon serialDaemon 1a5f4910 69 PEND+T bbb26c 1a5f4820 3d0004 53
tDftInput 228d0c 1df42aa0 70 PEND bbb26c 1df429c0 0 0
tHgTest drvHgTest 1db599c8 70 DELAY bbceb4 1db595e8 0 1
tClusterv2Tclusterv2Tas 1b208cd8 70 PEND+T bbb26c 1b2085f8 3d0004 32
tSflow sflow_main 1b0703f0 70 PEND+T 10652c8 1b0702a0 3d0004 27
tIpfix ipfix_main 1b069578 70 PEND+T bbb26c 1b068e78 3d0004 22
tL2Input 228d0c 1df5c790 71 PEND bbb26c 1df5c6b0 0 0
tNetInput 228d0c 1df4f918 72 PEND bbb26c 1df4f838 3d0001 0
tNdpsTask ndp_snooping 1b375548 72 PEND+T bbb26c 1b374e78 3d0004 308
tL2DrvUpdat1fabec 1e35cc78 79 PEND 10652c8 1e35cb48 0 0
bcmLINK.0 _bcm_esw_lin 1e3eaad0 80 READY bbd4ac 1e3ea8f0 3d0004 0
bcmLINK.1 _bcm_esw_lin 1e0ed990 70 READY+I bbceb4 1e0ed5e0 3d0004 0
tSflowInput228d0c 1df35c28 80 PEND bbb26c 1df35b48 0 0
bcmL2X.0 _soc_l2x_thr 1d9e3680 80 PEND+T bbb26c 1d9e3550 3d0004 22
bcmL2X.1 _soc_l2x_thr 1e0e9780 80 PEND+T bbb26c 1e0e9650 3d0004 16
shellTask console_task 1a613dc0 80 PEND+T bbb26c 1a612e80 3d0004 137
zL2_shell l2_shell_ent 1ac520c8 86 PEND+T bbb26c 1ac51858 3d0002 1
zIMI imi_entry 1ab04de8 88 READY bbb26c 1ab044d8 3d0004 0
zNSM nsm_entry 1ae1cdc0 89 READY bbb26c 1ae1c540 3d0004 0
tTelnetd telnet_serve 1b894178 90 READY bbb26c 1b893598 3d0004 0
zOSPF ospf_entry 1ac48250 90 PEND bbb26c 1ac479e0 3d0004 0
zBGP bgp_entry 1ac431f8 90 PEND bbb26c 1ac42978 16 0
zRIP rip_entry 1ac3e1a0 90 PEND bbb26c 1ac3d930 16 0
zMSDP msdp_entry 1ac39148 90 PEND bbb26c 1ac388c8 0 0
zRIPNGD ripng_entry 1ac2efe8 90 PEND bbb26c 1ac2e778 0 0
zLDPD ldp_entry 1ac29f38 90 PEND bbb26c 1ac296c8 16 0
zOSPF6D ospf6_entry 1ac20068 90 PEND bbb26c 1ac1f7f8 16 0
zPIM6D pim6_entry 1ac1afb8 90 PEND bbb26c 1ac1a738 0 0
tSNTP startSNTP 1b233e98 92 PEND+T bbb26c 1b233788 3d0004 179
tNTP startNTP 1b219e08 92 PEND+T bbb26c 1b219698 3d0004 16
zPIMD pim_entry 1ac34098 92 PEND bbb26c 1ac33818 16 0
zDVMRPD dvmrp_entry 1ac15f08 92 PEND bbb26c 1ac15688 16 0
tVlanSync 5c1e80 1e359d78 96 PEND bbb26c 1e359c78 0 0
tSyncFlushFsyncFlushFdb 1d08d148 96 PEND+T 10652c8 1d08cfe8 3d0004 3
tMonitorFdbmonitorFdbCh 1d0880f0 96 READY 10652c8 1d087fc0 3d0004 0
tTffsPTask flPollTask 1effa408 100 READY bc04ac 1effa358 0 0
tMacbindTmrd2d80 1b2ed918 100 PEND bbb26c 1b2ed848 0 0
tAntiArpscaansTask 1b0ae698 100 READY 10652c8 1b0ae558 3d0004 0
tSsld ssl_main 1af2cb70 100 PEND 10652c8 1af2c990 0 0
tGratuitousgratuitous_a 1a5fdcc0 100 DELAY bc04ac 1a5fdc00 0 124
tDhcpRcv fnDhcpReceiv 1b59c8e0 110 PEND+T bbb26c 1b59a900 3d0004 119
tDhcp6Rcv fnDhcp6Recei 1b56fd40 110 PEND bbb26c 1b56e5c0 3d0002 0
tSnmpd 42cd04 1b1deda8 110 PEND+T bbb26c 1b1dd928 3d0004 12
tDnsTask dns_main 1ae21ed0 110 PEND+T bbb26c 1ae215c0 3d0004 8
tDhcpcTask fnDhcpClient 1b586738 115 PEND+T bbb26c 1b5855f8 3d0004 99
bcmCNTR.0 soc_counter_ 1ea22378 120 PEND+T bbb26c 1ea22268 3d0004 4
bcmCNTR.1 soc_counter_ 1e344af0 120 READY bbb26c 1e3449e0 3d0004 0
ttyTask ttyTask 1e0021f0 120 PEND 10652c8 1e001c10 0 0
tNeighFlush230b00 1de14d70 120 DELAY bc04ac 1de14ca0 3d0002 28
tDmlL1Timerd2d80 1dbaaae0 120 PEND bbb26c 1dbaaa10 0 0
tTimeRange pfTimeRange 1b1fcab8 120 DELAY bc04ac 1b1fca18 0 142
tTftpServernew_tftp_ser 1b0bb920 120 PEND+T bbb26c 1b0bad40 3d0004 3
tSshdTask ssh_main 1b841f80 130 PEND+T bbb26c 1b8413e0 3d0004 22
tFtpTask ftpbackup_ma 1b6aa530 130 PEND+T bbb26c 1b6a9e20 3d0004 16
tHwMonitor hwMonitor 1a605000 136 DELAY bc04ac 1a604f20 0 60
tDevMonitorhwDevMonitor 1a5fff50 136 DELAY bc04ac 1a5ffeb0 0 6
tFtpStart ftpServerCon 1b0be298 150 PEND+T bbb26c 1b0bdb18 3d0004 1
ftpCopyFilerun_ftp_copy 1a5e1610 150 SUSPEND afbf60 1a5e0b40 3d0004 0
tL3DrvUpdat208550 1b9d3258 160 PEND 10652c8 1b9d30d8 3d0004 0
tDcacheUpd dcacheUpd 1ef58f28 250 READY bc04ac 1ef58e68 0 0
value = 0 = 0x0
Enter ti to view the task's register contents
-> ti
NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY
---------- ------------ -------- --- ---------- -------- -------- ------- -----
ftpCopyFilerun_ftp_copy 1a5e1610 150 SUSPEND afbf60 1a5e0b40 3d0004 0
stack: base 0x1a5e1610 end 0x1a5da0b8 size 29720 high 11136 margin 18584
options: 0xc
VX_DEALLOC_STACK VX_FP_TASK
VxWorks Events
--------------
Events Pended on : Not Pended
Received Events : 0x0
Options : N/A
r0 = 0 sp = 1a5e0b40 r2 = 0 r3 = 1a265c74
r4 = 1418cf0 r5 = d r6 = 0 r7 = a
r8 = 3 r9 = 1418cf0 r10 = 1a5e1610 r11 = 1a5e1610
r12 = 20000028 r13 = 0 r14 = 0 r15 = 0
r16 = 0 r17 = 0 r18 = 0 r19 = 0
r20 = 0 r21 = 0 r22 = 0 r23 = 0
r24 = 2000000 r25 = 1a5e0f30 r26 = 1ae0000 r27 = 7
r28 = 1418cf0 r29 = 1a265c74 r30 = 134 r31 = 17e99b0
msr = b032 lr = afbf54 ctr = 0 pc = afbf60
cr = 20000084 xer = 0
fpcsr = 0
fr0 = NaN fr1 = NaN fr2 = NaN fr3 = NaN
fr4 = NaN fr5 = NaN fr6 = NaN fr7 = NaN
fr8 = NaN fr9 = NaN fr10 = NaN fr11 = NaN
fr12 = NaN fr13 = NaN fr14 = NaN fr15 = NaN
fr16 = NaN fr17 = NaN fr18 = NaN fr19 = NaN
fr20 = NaN fr21 = NaN fr22 = NaN fr23 = NaN
fr24 = NaN fr25 = NaN fr26 = NaN fr27 = NaN
fr28 = NaN fr29 = NaN fr30 = NaN fr31 = NaN
value = 0 = 0x0
From the assembly in step 2, r3 and r4 are the arguments to strncmp. Run
-> d 0x1a265c74 (or d 0x1418cf0) to view the values of the two strncmp arguments
1a265c70: 3d45 4946 403d 4843 4447 3d59 * =EIF@=HCDG=Y*
1a265c80: 5900 0000 0000 0000 0000 0000 0000 0000 *Y...............*
1a265c90: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265ca0: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265cb0: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265cc0: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265cd0: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265ce0: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265cf0: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265d00: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265d10: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265d20: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265d30: 0000 0000 0000 0000 0000 0000 0000 0000 *................*
1a265d40: 3860 0002 3c80 e000 6084 0000 3ca0 0020 *8`..<...`...<.. *
1a265d50: 7c00 04ac 4c00 012c 7cb3 fba6 3ca0 0002 *|...L..,|...<...*
1a265d60: 90a4 0110 3ca0 0010 90a4 0800 4c00 012c *....<.......L..,*
1a265d70: 3ca0 e000 *<...............*
value = 21 = 0x15
Run
-> c to resume execution of the task
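The manual work in step 5 (reading r3/r4/r5 from ti, then decoding the d dump) can be scripted. The following Python helper is an added example, not part of the original walkthrough: it parses a ti register dump and a d memory dump, applies the PowerPC calling convention (first three arguments in r3, r4, r5) to recover the strncmp operands, and lets you check that r5 matches the length of the string r3 points to. The inputs are constructed from the output shown above, and the handling of the short first dump line (only the halfwords from the requested address are printed) is an assumption about the d output format.

```python
import re

# Constructed from the `ti` register dump and the `d 0x1a265c74` memory dump shown
# above (abbreviated; not a verbatim copy of the page's output).
TI_OUTPUT = """\
r0 = 0 sp = 1a5e0b40 r2 = 0 r3 = 1a265c74
r4 = 1418cf0 r5 = d r6 = 0 r7 = a
msr = b032 lr = afbf54 ctr = 0 pc = afbf60
"""
D_START = 0x1a265c74  # the address that was passed to `d`
D_OUTPUT = """\
1a265c70: 3d45 4946 403d 4843 4447 3d59 * =EIF@=HCDG=Y*
1a265c80: 5900 0000 0000 0000 0000 0000 0000 0000 *Y...............*
"""

def parse_regs(text):
    """Collect 'name = hexvalue' pairs from `ti` output (fr* = NaN entries are skipped)."""
    return {n: int(v, 16) for n, v in re.findall(r"(\w+)\s*=\s*([0-9a-fA-F]+)\b", text)}

def parse_dump(text, start):
    """Turn `d` output into {address: byte}. The first line is the 16-byte-aligned line
    containing `start`, and only the halfwords from `start` onward are printed
    (assumption about the `d` format, matching the short first line above)."""
    mem = {}
    for line in text.splitlines():
        m = re.match(r"([0-9a-fA-F]+):\s+((?:[0-9a-fA-F]{4}\s+)+)\*", line)
        if not m:
            continue
        line_addr = int(m.group(1), 16)
        data = bytes.fromhex("".join(m.group(2).split()))
        addr = start if line_addr <= start < line_addr + 16 else line_addr
        for i, b in enumerate(data):
            mem[addr + i] = b
    return mem

def read_cstring(mem, addr, limit=64):
    """Read a NUL-terminated ASCII string; None if `addr` was not in the dump."""
    if addr not in mem:
        return None
    out = bytearray()
    while mem.get(addr, 0) != 0 and len(out) < limit:
        out.append(mem[addr])
        addr += 1
    return out.decode("ascii", "replace")

def strncmp_args(regs, mem):
    """PowerPC SysV ABI: strncmp(s1, s2, n) receives s1 in r3, s2 in r4, n in r5."""
    return {"pc": regs["pc"], "n": regs["r5"],
            "s1": read_cstring(mem, regs["r3"]), "s2": read_cstring(mem, regs["r4"])}
```

Only the r3 buffer was dumped on the page, so s2 comes back as None until the r4 address is dumped as well.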