美文网首页
BombLab 下

BombLab 下

作者: 早睡使人快乐 | 来源:发表于2022-05-12 19:01 被阅读0次

    Phase3

    (gdb) disas
    Dump of assembler code for function phase_3:
       0x0000000000400f43 <+0>:     sub    $0x18,%rsp
       0x0000000000400f47 <+4>:     lea    0xc(%rsp),%rcx
       0x0000000000400f4c <+9>:     lea    0x8(%rsp),%rdx
       0x0000000000400f51 <+14>:    mov    $0x4025cf,%esi
       0x0000000000400f56 <+19>:    mov    $0x0,%eax
       //scanf这个函数需要传入格式字符串,应该是$0x4025cf这个地址的模板字符串
       //打印出来看到是"%d %d"
       //所以输入是两个数字
       0x0000000000400f5b <+24>:    callq  0x400bf0 <__isoc99_sscanf@plt>
       //比较scanf的返回值如果返回值小于1直接爆炸
       //scanf的返回值一般是读入的数字的数量,我们输入两个数字应该就ok了
       0x0000000000400f60 <+29>:    cmp    $0x1,%eax
       0x0000000000400f63 <+32>:    jg     0x400f6a <phase_3+39>
       0x0000000000400f65 <+34>:    callq  0x40143a <explode_bomb>
       //比较读入的第一个数字,如果大于7则爆炸
       0x0000000000400f6a <+39>:    cmpl   $0x7,0x8(%rsp)
    => 0x0000000000400f6f <+44>:    ja     0x400fad <phase_3+106>
       0x0000000000400f71 <+46>:    mov    0x8(%rsp),%eax
       //这里是关键
       //swithc语句构建了一个跳转表,这是一个类似数组的东西
       //所以我们要看下0x402470这个位置的东西
       //跳转的地址就是 0x402470[%rax] 跳转到%rax这个索引的地方
       0x0000000000400f75 <+50>:    jmpq   *0x402470(,%rax,8)
       0x0000000000400f7c <+57>:    mov    $0xcf,%eax
       0x0000000000400f81 <+62>:    jmp    0x400fbe <phase_3+123>
       0x0000000000400f83 <+64>:    mov    $0x2c3,%eax
       0x0000000000400f88 <+69>:    jmp    0x400fbe <phase_3+123>
       0x0000000000400f8a <+71>:    mov    $0x100,%eax
       0x0000000000400f8f <+76>:    jmp    0x400fbe <phase_3+123>
       0x0000000000400f91 <+78>:    mov    $0x185,%eax
       0x0000000000400f96 <+83>:    jmp    0x400fbe <phase_3+123>
       0x0000000000400f98 <+85>:    mov    $0xce,%eax
       0x0000000000400f9d <+90>:    jmp    0x400fbe <phase_3+123>
       0x0000000000400f9f <+92>:    mov    $0x2aa,%eax
       0x0000000000400fa4 <+97>:    jmp    0x400fbe <phase_3+123>
       0x0000000000400fa6 <+99>:    mov    $0x147,%eax
       0x0000000000400fab <+104>:   jmp    0x400fbe <phase_3+123>
       0x0000000000400fad <+106>:   callq  0x40143a <explode_bomb>
       0x0000000000400fb2 <+111>:   mov    $0x0,%eax
       0x0000000000400fb7 <+116>:   jmp    0x400fbe <phase_3+123>
       0x0000000000400fb9 <+118>:   mov    $0x137,%eax
       0x0000000000400fbe <+123>:   cmp    0xc(%rsp),%eax
       0x0000000000400fc2 <+127>:   je     0x400fc9 <phase_3+134>
       0x0000000000400fc4 <+129>:   callq  0x40143a <explode_bomb>
       0x0000000000400fc9 <+134>:   add    $0x18,%rsp
       0x0000000000400fcd <+138>:   retq
    (gdb) x /32xb 0x402470
    //打印出来了可以看到如果x = 1则跳转到 b9这个位置,这里比较了第二个参数 0xc(%rsp) 的值和0x137
    //10进制就是311,这就是答案
    0x402470:       0x7c    0x0f    0x40    0x00    0x00    0x00    0x00    0x00
    0x402478:       0xb9    0x0f    0x40    0x00    0x00    0x00    0x00    0x00
    0x402480:       0x83    0x0f    0x40    0x00    0x00    0x00    0x00    0x00
    0x402488:       0x8a    0x0f    0x40    0x00    0x00    0x00    0x00    0x00
    (gdb) continue
    
    [Inferior 1 (process 4665) exited with code 010]
    (gdb) r answers.txt
    Starting program: /home/going/workspace/csappLab/bomb/bomb answers.txt
    Welcome to my fiendish little bomb. You have 6 phases with
    which to blow yourself up. Have a nice day!
    Phase 1 defused. How about the next one?
    That's number 2.  Keep going!
    1 311
    
    Breakpoint 3, 0x0000000000400f43 in phase_3 ()
    (gdb) continue
    Continuing.
    Halfway there!
    

    Phase 4

    (gdb) disas
    Dump of assembler code for function phase_4:
       0x000000000040100c <+0>:     sub    $0x18,%rsp
       0x0000000000401010 <+4>:     lea    0xc(%rsp),%rcx
       0x0000000000401015 <+9>:     lea    0x8(%rsp),%rdx
       //到这里都很熟悉,读取输入的两个数,然后传给scanf
       0x000000000040101a <+14>:    mov    $0x4025cf,%esi
       0x000000000040101f <+19>:    mov    $0x0,%eax
       0x0000000000401024 <+24>:    callq  0x400bf0 <__isoc99_sscanf@plt>
       //如果没有两个数就爆炸
       0x0000000000401029 <+29>:    cmp    $0x2,%eax
       0x000000000040102c <+32>:    jne    0x401035 <phase_4+41>
       0x000000000040102e <+34>:    cmpl   $0xe,0x8(%rsp)
       0x0000000000401033 <+39>:    jbe    0x40103a <phase_4+46>
       0x0000000000401035 <+41>:    callq  0x40143a <explode_bomb>
       0x000000000040103a <+46>:    mov    $0xe,%edx
       0x000000000040103f <+51>:    mov    $0x0,%esi
       0x0000000000401044 <+56>:    mov    0x8(%rsp),%edi
       //给func传入三个参数 0xe 0x0 还有输入的第一个值
    => 0x0000000000401048 <+60>:    callq  0x400fce <func4>
       //如果结果不是0就直接爆炸
       0x000000000040104d <+65>:    test   %eax,%eax
       0x000000000040104f <+67>:    jne    0x401058 <phase_4+76>
       //如果第二个参数不是0就直接爆炸
       0x0000000000401051 <+69>:    cmpl   $0x0,0xc(%rsp)
       0x0000000000401056 <+74>:    je     0x40105d <phase_4+81>
       0x0000000000401058 <+76>:    callq  0x40143a <explode_bomb>
       0x000000000040105d <+81>:    add    $0x18,%rsp
       0x0000000000401061 <+85>:    retq
    End of assembler dump.
    (gdb) disas
    Dump of assembler code for function func4:
    => 0x0000000000400fce <+0>:     sub    $0x8,%rsp
       0x0000000000400fd2 <+4>:     mov    %edx,%eax
       0x0000000000400fd4 <+6>:     sub    %esi,%eax
       0x0000000000400fd6 <+8>:     mov    %eax,%ecx
       0x0000000000400fd8 <+10>:    shr    $0x1f,%ecx
       0x0000000000400fdb <+13>:    add    %ecx,%eax
       0x0000000000400fdd <+15>:    sar    %eax
       0x0000000000400fdf <+17>:    lea    (%rax,%rsi,1),%ecx
       0x0000000000400fe2 <+20>:    cmp    %edi,%ecx
       0x0000000000400fe4 <+22>:    jle    0x400ff2 <func4+36>
       0x0000000000400fe6 <+24>:    lea    -0x1(%rcx),%edx
       0x0000000000400fe9 <+27>:    callq  0x400fce <func4>
       0x0000000000400fee <+32>:    add    %eax,%eax
       0x0000000000400ff0 <+34>:    jmp    0x401007 <func4+57>
       0x0000000000400ff2 <+36>:    mov    $0x0,%eax
       0x0000000000400ff7 <+41>:    cmp    %edi,%ecx
       0x0000000000400ff9 <+43>:    jge    0x401007 <func4+57>
       0x0000000000400ffb <+45>:    lea    0x1(%rcx),%esi
       0x0000000000400ffe <+48>:    callq  0x400fce <func4>
       0x0000000000401003 <+53>:    lea    0x1(%rax,%rax,1),%eax
       0x0000000000401007 <+57>:    add    $0x8,%rsp
       0x000000000040100b <+61>:    retq
    (gdb) continue
    //第二个参数必然是0,第一个参数随便输入了个1进去,居然过了.....
    Continuing.
    So you got that one.  Try this one.
    
    

    虽然蒙对了但是还是要看下func4的代码

    反向出来func4的c语言代码

    int fun(int a1, int a2, int x){
        int b = (a1 - a2) >> 31;
        int result = ((a1-a2) + b) >> 1;
        b = result + a2;
        if(b == x) return 0;
        if(b < x) {
            result = fun(a1, b + 1, x);
            return result * 2 + 1;
        }else{
            result = fun(b - 1, a2, x);
            return result * 2;
        }
    }
    

    a1,a2的初始值分别是0xe,0x0

    Phase5

      0x0000000000401062 <+0>:     push   %rbx
      0x0000000000401063 <+1>:     sub    $0x20,%rsp
      0x0000000000401067 <+5>:     mov    %rdi,%rbx
      0x000000000040106a <+8>:     mov    %fs:0x28,%rax
      0x0000000000401073 <+17>:    mov    %rax,0x18(%rsp)
      0x0000000000401078 <+22>:    xor    %eax,%eax
      0x000000000040107a <+24>:    callq  0x40131b <string_length>
      0x000000000040107f <+29>:    cmp    $0x6,%eax
      //如果输入的字符串长度不是6就爆炸
      0x0000000000401082 <+32>:    je     0x4010d2 <phase_5+112>
      0x0000000000401084 <+34>:    callq  0x40143a <explode_bomb>
      0x0000000000401089 <+39>:    jmp    0x4010d2 <phase_5+112>
      //这里开启了一个循环
      //这里%rbx指向了我们输入的第一个字符的地址
      //%rax被不断的累加1所以是不断的往下读我们输入的字符(1字节)
      0x000000000040108b <+41>:    movzbl (%rbx,%rax,1),%ecx
      0x000000000040108f <+45>:    mov    %cl,(%rsp)
      //%cl -> %rdx
      0x0000000000401092 <+48>:    mov    (%rsp),%rdx
      //把%edx和0xf与一下,即保留后四位最大为16
      0x0000000000401096 <+52>:    and    $0xf,%edx
      //用与出来的这个数字作为索引去读0x4024b0这个位置的字符串
      0x0000000000401099 <+55>:    movzbl 0x4024b0(%rdx),%edx
      //把用这个索引读出来的字节放到%rsp + 0x10这个位置,这就是我们新的字符串
      0x00000000004010a0 <+62>:    mov    %dl,0x10(%rsp,%rax,1)
      //for i = 0;i < 6;i ++
      0x00000000004010a4 <+66>:    add    $0x1,%rax
      0x00000000004010a8 <+70>:    cmp    $0x6,%rax
      0x00000000004010ac <+74>:    jne    0x40108b <phase_5+41>
      
      //准备参数,从0x40245e这个地址和$rsp + 10 这个地址开始比较两个字符串,如果不相等就引爆
      0x00000000004010ae <+76>:    movb   $0x0,0x16(%rsp)
      0x00000000004010b3 <+81>:    mov    $0x40245e,%esi
      0x00000000004010b8 <+86>:    lea    0x10(%rsp),%rdi
      0x00000000004010bd <+91>:    callq  0x401338 <strings_not_equal>
      0x00000000004010c2 <+96>:    test   %eax,%eax
      0x00000000004010c4 <+98>:    je     0x4010d9 <phase_5+119>
      0x00000000004010c6 <+100>:   callq  0x40143a <explode_bomb>
      0x00000000004010cb <+105>:   nopl   0x0(%rax,%rax,1)
      0x00000000004010d0 <+110>:   jmp    0x4010d9 <phase_5+119>
      0x00000000004010d2 <+112>:   mov    $0x0,%eax
      0x00000000004010d7 <+117>:   jmp    0x40108b <phase_5+41>
      0x00000000004010d9 <+119>:   mov    0x18(%rsp),%rax
      0x00000000004010de <+124>:   xor    %fs:0x28,%rax
      0x00000000004010e7 <+133>:   je     0x4010ee <phase_5+140>
      0x00000000004010e9 <+135>:   callq  0x400b30 <__stack_chk_fail@plt>
      0x00000000004010ee <+140>:   add    $0x20,%rsp
      0x00000000004010f2 <+144>:   pop    %rbx
      0x00000000004010f3 <+145>:   retq
    

    Phase6

    Phase 6

    => 0x00000000004010f4 <+0>:     push   %r14
       0x00000000004010f6 <+2>:     push   %r13
       0x00000000004010f8 <+4>:     push   %r12
       0x00000000004010fa <+6>:     push   %rbp
       0x00000000004010fb <+7>:     push   %rbx
       0x00000000004010fc <+8>:     sub    $0x50,%rsp #预留空间
       0x0000000000401100 <+12>:    mov    %rsp,%r13 #r13 = rsp
       0x0000000000401103 <+15>:    mov    %rsp,%rsi #rsi = rsp
       0x0000000000401106 <+18>:    callq  0x40145c <read_six_numbers>
       0x000000000040110b <+23>:    mov    %rsp,%r14 #r14 = r13 = rsp
       0x000000000040110e <+26>:    mov    $0x0,%r12d #r12d = 0
       0x0000000000401114 <+32>:    mov    %r13,%rbp #rbp = r13
       0x0000000000401117 <+35>:    mov    0x0(%r13),%eax #*(r13 + 0) -> eax eax = nums[0]
       0x000000000040111b <+39>:    sub    $0x1,%eax # eax - 1
       0x000000000040111e <+42>:    cmp    $0x5,%eax # if eax - 1 > 5 blow up
       0x0000000000401121 <+45>:    jbe    0x401128 <phase_6+52>
       0x0000000000401123 <+47>:    callq  0x40143a <explode_bomb>
       0x0000000000401128 <+52>:    add    $0x1,%r12d #r12d++
       0x000000000040112c <+56>:    cmp    $0x6,%r12d #r12d < 6
       0x0000000000401130 <+60>:    je     0x401153 <phase_6+95>
       0x0000000000401132 <+62>:    mov    %r12d,%ebx #ebx = r12d 
       0x0000000000401135 <+65>:    movslq %ebx,%rax #rax = ebx = r12d
       0x0000000000401138 <+68>:    mov    (%rsp,%rax,4),%eax #eax = *(rsp + 4 * rax) #int是4字节
       0x000000000040113b <+71>:    cmp    %eax,0x0(%rbp) #*(rbp + 0) != eax ? => nums[i] != nums[j] #第一次
       0x000000000040113e <+74>:    jne    0x401145 <phase_6+81>
       0x0000000000401140 <+76>:    callq  0x40143a <explode_bomb>
       0x0000000000401145 <+81>:    add    $0x1,%ebx #j ++
       0x0000000000401148 <+84>:    cmp    $0x5,%ebx #j < 5
       0x000000000040114b <+87>:    jle    0x401135 <phase_6+65>
       0x000000000040114d <+89>:    add    $0x4,%r13 #r13 = rbp = nums[i + 1]
       0x0000000000401151 <+93>:    jmp    0x401114 <phase_6+32>
       
      ---- ---- ----  ---- ---- ----  ---- ---- ----  ---- ---- ----part1 finish
       0x0000000000401153 <+95>:    lea    0x18(%rsp),%rsi # rsi = *(rsp + 18)  
       0x0000000000401158 <+100>:   mov    %r14,%rax #rax = r14
       0x000000000040115b <+103>:   mov    $0x7,%ecx #ecx = 7
       0x0000000000401160 <+108>:   mov    %ecx,%edx #edx = exc = 7
       0x0000000000401162 <+110>:   sub    (%rax),%edx #edx = edx - *(rax) = 7 - *eax
       0x0000000000401164 <+112>:   mov    %edx,(%rax) #*(rax) = edx
       0x0000000000401166 <+114>:   add    $0x4,%rax # rax = rax + 4
       0x000000000040116a <+118>:   cmp    %rsi,%rax # rax != rsi
       0x000000000040116d <+121>:   jne    0x401160 <phase_6+108>
        ---- ----  ---- ---- ----  ---- ---- ----  ---- ---- ----part2 finish
       0x000000000040116f <+123>:   mov    $0x0,%esi # esi = 0
       0x0000000000401174 <+128>:   jmp    0x401197 <phase_6+163>
       0x0000000000401176 <+130>:   mov    0x8(%rdx),%rdx # rdx = *(rdx + 8) #node = node.next
       0x000000000040117a <+134>:   add    $0x1,%eax # eax ++
       0x000000000040117d <+137>:   cmp    %ecx,%eax # ecx != eax
       0x000000000040117f <+139>:   jne    0x401176 <phase_6+130>
       0x0000000000401181 <+141>:   jmp    0x401188 <phase_6+148>
       0x0000000000401183 <+143>:   mov    $0x6032d0,%edx #edx = *node1
       0x0000000000401188 <+148>:   mov    %rdx,0x20(%rsp,%rsi,2) #rsp + 20 = rdx #新开辟的空间
       0x000000000040118d <+153>:   add    $0x4,%rsi  #rsi += 4
       0x0000000000401191 <+157>:   cmp    $0x18,%rsi #rsi == 18
       0x0000000000401195 <+161>:   je     0x4011ab <phase_6+183>
       0x0000000000401197 <+163>:   mov    (%rsp,%rsi,1),%ecx #ecx = *(rsp + 1 * rsi) = nums[i]
       0x000000000040119a <+166>:   cmp    $0x1,%ecx #ecx <= 1
       0x000000000040119d <+169>:   jle    0x401183 <phase_6+143>
       0x000000000040119f <+171>:   mov    $0x1,%eax #eax = 1
       0x00000000004011a4 <+176>:   mov    $0x6032d0,%edx #edx = *node1
       0x00000000004011a9 <+181>:   jmp    0x401176 <phase_6+130>
       --- --- --- --- --- --- --- --- --- --- --- --- --- ---part3 finish
       0x00000000004011ab <+183>:   mov    0x20(%rsp),%rbx #rbx = rsp + 20 = node
       0x00000000004011b0 <+188>:   lea    0x28(%rsp),%rax #rax = rsp + 20 + 8 = node.next
       0x00000000004011b5 <+193>:   lea    0x50(%rsp),%rsi #rsi = rsp + 50
       0x00000000004011ba <+198>:   mov    %rbx,%rcx #rcx = rbx = node
       0x00000000004011bd <+201>:   mov    (%rax),%rdx #rdx = *(node.next) = node2
       0x00000000004011c0 <+204>:   mov    %rdx,0x8(%rcx) #node.next = node2
       0x00000000004011c4 <+208>:   add    $0x8,%rax #rax += 8
       0x00000000004011c8 <+212>:   cmp    %rsi,%rax #rax == rsi
       0x00000000004011cb <+215>:   je     0x4011d2 <phase_6+222>
       0x00000000004011cd <+217>:   mov    %rdx,%rcx #rcx = rdx
       0x00000000004011d0 <+220>:   jmp    0x4011bd <phase_6+201>
       0x00000000004011d2 <+222>:   movq   $0x0,0x8(%rdx) #*(rdx + 8) = 0
        --- --- --- --- --- --- --- --- --- --- --- --- --- ---part4 finish
       0x00000000004011da <+230>:   mov    $0x5,%ebp #ebp = 5
       0x00000000004011df <+235>:   mov    0x8(%rbx),%rax# rax = *(rbx + 8)
       0x00000000004011e3 <+239>:   mov    (%rax),%eax #eax = *rax
       0x00000000004011e5 <+241>:   cmp    %eax,(%rbx) #*rbx >= eax => *rbx >= *rax => node >= node.next
       0x00000000004011e7 <+243>:   jge    0x4011ee <phase_6+250>
       0x00000000004011e9 <+245>:   callq  0x40143a <explode_bomb>
       0x00000000004011ee <+250>:   mov    0x8(%rbx),%rbx #rbx = *(rbx + 8) #node = node.next
       0x00000000004011f2 <+254>:   sub    $0x1,%ebp #ebp -= 1
       0x00000000004011f5 <+257>:   jne    0x4011df <phase_6+235>
       0x00000000004011f7 <+259>:   add    $0x50,%rsp
       0x00000000004011fb <+263>:   pop    %rbx
       0x00000000004011fc <+264>:   pop    %rbp
       0x00000000004011fd <+265>:   pop    %r12
       0x00000000004011ff <+267>:   pop    %r13
       0x0000000000401201 <+269>:   pop    %r14
       0x0000000000401203 <+271>:   retq
       --- --- --- --- --- --- --- --- --- --- --- --- --- --- part5 finish
    
    

    Part1

    伪代码

    for(i = 0;i ++;i < 6)
    {
        if nums[i] > 6 {
            bomb
        }
        for(j = i + 1;j < 5;j ++) {
            if nums[j] == nums[i] {
                bomb
            }
        }
    }
    

    Part2

    伪代码

    for(i = 0;i ++;i < 6) {
    
     nums[i] = 7 - nums[i]
    
    }
    

    Part3

    node struct
    {
        int sercretVal
        int val
        *node next
    }
    
    for(i = 0;i ++;i < 6) {
        for (i < nums[i]) {
            node = node.next
        }
        rsp + 20 = node
        
    }
    

    part4

    for(i = 0;i < 6;i ++) {
        node[i].next = node[i + 1]
    }
    

    part5

    for(i = 5;i >= 0;i --)
    {
        if node.next.secretVal < node.secretVal {
            bomb
        }
    }
    

    [图片上传失败...(image-81abba-1652353284648)]

    倒推过来答案就是

    4 3 2 1 6 5

    Secret Phase

    phase_defused

    => 0x00000000004015c4 <+0>:     sub    $0x78,%rsp
       0x00000000004015c8 <+4>:     mov    %fs:0x28,%rax
       0x00000000004015d1 <+13>:    mov    %rax,0x68(%rsp)
       0x00000000004015d6 <+18>:    xor    %eax,%eax
       0x00000000004015d8 <+20>:    cmpl   $0x6,0x202181(%rip)        # 0x603760 <num_input_strings>
       0x00000000004015df <+27>:    jne    0x40163f <phase_defused+123>
       0x00000000004015e1 <+29>:    lea    0x10(%rsp),%r8
       0x00000000004015e6 <+34>:    lea    0xc(%rsp),%rcx
       0x00000000004015eb <+39>:    lea    0x8(%rsp),%rdx
       0x00000000004015f0 <+44>:    mov    $0x402619,%esi # x /s => "%d %d %s"
       0x00000000004015f5 <+49>:    mov    $0x603870,%edi 
       0x00000000004015fa <+54>:    callq  0x400bf0 <__isoc99_sscanf@plt>
       0x00000000004015ff <+59>:    cmp    $0x3,%eax #应当读入两个数字一个字符串
       0x0000000000401602 <+62>:    jne    0x401635 <phase_defused+113> #跳出
       0x0000000000401604 <+64>:    mov    $0x402622,%esi # x/s => "DrEvil"
       0x0000000000401609 <+69>:    lea    0x10(%rsp),%rdi #前两个输入必须是数字,所以是在phase_4的地方加上字符串,然后保存到$rdi 和 $esi("DrEvil")比较 
       0x000000000040160e <+74>:    callq  0x401338 <strings_not_equal>
       0x0000000000401613 <+79>:    test   %eax,%eax
       #如果不相等就直接跳出
       0x0000000000401615 <+81>:    jne    0x401635 <phase_defused+113>
       0x0000000000401617 <+83>:    mov    $0x4024f8,%edi
       0x000000000040161c <+88>:    callq  0x400b10 <puts@plt>
       0x0000000000401621 <+93>:    mov    $0x402520,%edi
       0x0000000000401626 <+98>:    callq  0x400b10 <puts@plt>
       0x000000000040162b <+103>:   mov    $0x0,%eax
       0x0000000000401630 <+108>:   callq  0x401242 <secret_phase> #执行秘密阶段
       --
       0x0000000000401635 <+113>:   mov    $0x402558,%edi
       0x000000000040163a <+118>:   callq  0x400b10 <puts@plt>
       0x000000000040163f <+123>:   mov    0x68(%rsp),%rax
       0x0000000000401644 <+128>:   xor    %fs:0x28,%rax
       0x000000000040164d <+137>:   je     0x401654 <phase_defused+144>
       0x000000000040164f <+139>:   callq  0x400b30 <__stack_chk_fail@plt>
       0x0000000000401654 <+144>:   add    $0x78,%rsp
       0x0000000000401658 <+148>:   retq
    

    secret_phase

    => 0x0000000000401242 <+0>:     push   %rbx
       0x0000000000401243 <+1>:     callq  0x40149e <read_line>
       0x0000000000401248 <+6>:     mov    $0xa,%edx #edx = 10
       0x000000000040124d <+11>:    mov    $0x0,%esi #esi = 0
       0x0000000000401252 <+16>:    mov    %rax,%rdi #rdi = rax
       0x0000000000401255 <+19>:    callq  0x400bd0 <strtol@plt> #读取输入的字符串转化为long
       0x000000000040125a <+24>:    mov    %rax,%rbx #rbx = rax
       0x000000000040125d <+27>:    lea    -0x1(%rax),%eax #rax = *(rax - 1)
       0x0000000000401260 <+30>:    cmp    $0x3e8,%eax #eax <= 1000 # input - 1 <= 1000
       0x0000000000401265 <+35>:    jbe    0x40126c <secret_phase+42> 
       0x0000000000401267 <+37>:    callq  0x40143a <explode_bomb>
       0x000000000040126c <+42>:    mov    %ebx,%esi #esi = ebx
       0x000000000040126e <+44>:    mov    $0x6030f0,%edi #传了一个地址,一个输入进去fun7
       0x0000000000401273 <+49>:    callq  0x401204 <fun7>
       0x0000000000401278 <+54>:    cmp    $0x2,%eax #需要fun7返回2
       0x000000000040127b <+57>:    je     0x401282 <secret_phase+64>
       0x000000000040127d <+59>:    callq  0x40143a <explode_bomb>
       0x0000000000401282 <+64>:    mov    $0x402438,%edi
       0x0000000000401287 <+69>:    callq  0x400b10 <puts@plt>
       0x000000000040128c <+74>:    callq  0x4015c4 <phase_defused>
       0x0000000000401291 <+79>:    pop    %rbx
       0x0000000000401292 <+80>:    retq
    

    fun7

    Dump of assembler code for function fun7:
    => 0x0000000000401204 <+0>:     sub    $0x8,%rsp
       0x0000000000401208 <+4>:     test   %rdi,%rdi #rdi
       0x000000000040120b <+7>:     je     0x401238 <fun7+52>
       0x000000000040120d <+9>:     mov    (%rdi),%edx #取出0x6030f0地址的值,是36
       0x000000000040120f <+11>:    cmp    %esi,%edx #input >= edx
       0x0000000000401211 <+13>:    jle    0x401220 <fun7+28>
       0x0000000000401213 <+15>:    mov    0x8(%rdi),%rdi #rdi = *(rdi + 8) #去左边的节点
       0x0000000000401217 <+19>:    callq  0x401204 <fun7> #func7(input,*(rdi + 8))
       0x000000000040121c <+24>:    add    %eax,%eax #eax = 2 * eax
       0x000000000040121e <+26>:    jmp    0x40123d <fun7+57> #return 2 eax
       0x0000000000401220 <+28>:    mov    $0x0,%eax #eax = 0
       0x0000000000401225 <+33>:    cmp    %esi,%edx #edx == esi
       0x0000000000401227 <+35>:    je     0x40123d <fun7+57> #return 0
       0x0000000000401229 <+37>:    mov    0x10(%rdi),%rdi #rdi = *(rdi + 10) #去右边的节点
       0x000000000040122d <+41>:    callq  0x401204 <fun7>
       0x0000000000401232 <+46>:    lea    0x1(%rax,%rax,1),%eax #return eax = 2rax + 1 
       0x0000000000401236 <+50>:    jmp    0x40123d <fun7+57>
       0x0000000000401238 <+52>:    mov    $0xffffffff,%eax 
       0x000000000040123d <+57>:    add    $0x8,%rsp
       0x0000000000401241 <+61>:    retq
    End of assembler dump.
    
    
    image.png

    要返回2,那么就是

    0 -> 2 * 0 + 1 -> 2* 1 = 2

    最后一次返回0,倒数第二次返回2*rax + 1,倒数第一次返回rax

    最后一次返回0则说明必然是树里面的数值

    结果就是这个值必然小于24(第一次),大于8,满足条件的只有0x16(22)

    相关文章

      网友评论

          本文标题:BombLab 下

          本文链接:https://www.haomeiwen.com/subject/nrreurtx.html