BombLab 下
2022-05-12 本文已影响0人
早睡使人快乐
Phase3
(gdb) disas
Dump of assembler code for function phase_3:
0x0000000000400f43 <+0>: sub $0x18,%rsp
0x0000000000400f47 <+4>: lea 0xc(%rsp),%rcx
0x0000000000400f4c <+9>: lea 0x8(%rsp),%rdx
0x0000000000400f51 <+14>: mov $0x4025cf,%esi
0x0000000000400f56 <+19>: mov $0x0,%eax
//scanf这个函数需要传入格式字符串,应该是$0x4025cf这个地址的模板字符串
//打印出来看到是"%d %d"
//所以输入是两个数字
0x0000000000400f5b <+24>: callq 0x400bf0 <__isoc99_sscanf@plt>
//比较scanf的返回值如果返回值小于1直接爆炸
//scanf的返回值一般是读入的数字的数量,我们输入两个数字应该就ok了
0x0000000000400f60 <+29>: cmp $0x1,%eax
0x0000000000400f63 <+32>: jg 0x400f6a <phase_3+39>
0x0000000000400f65 <+34>: callq 0x40143a <explode_bomb>
//比较读入的第一个数字,如果大于7则爆炸
0x0000000000400f6a <+39>: cmpl $0x7,0x8(%rsp)
=> 0x0000000000400f6f <+44>: ja 0x400fad <phase_3+106>
0x0000000000400f71 <+46>: mov 0x8(%rsp),%eax
//这里是关键
//swithc语句构建了一个跳转表,这是一个类似数组的东西
//所以我们要看下0x402470这个位置的东西
//跳转的地址就是 0x402470[%rax] 跳转到%rax这个索引的地方
0x0000000000400f75 <+50>: jmpq *0x402470(,%rax,8)
0x0000000000400f7c <+57>: mov $0xcf,%eax
0x0000000000400f81 <+62>: jmp 0x400fbe <phase_3+123>
0x0000000000400f83 <+64>: mov $0x2c3,%eax
0x0000000000400f88 <+69>: jmp 0x400fbe <phase_3+123>
0x0000000000400f8a <+71>: mov $0x100,%eax
0x0000000000400f8f <+76>: jmp 0x400fbe <phase_3+123>
0x0000000000400f91 <+78>: mov $0x185,%eax
0x0000000000400f96 <+83>: jmp 0x400fbe <phase_3+123>
0x0000000000400f98 <+85>: mov $0xce,%eax
0x0000000000400f9d <+90>: jmp 0x400fbe <phase_3+123>
0x0000000000400f9f <+92>: mov $0x2aa,%eax
0x0000000000400fa4 <+97>: jmp 0x400fbe <phase_3+123>
0x0000000000400fa6 <+99>: mov $0x147,%eax
0x0000000000400fab <+104>: jmp 0x400fbe <phase_3+123>
0x0000000000400fad <+106>: callq 0x40143a <explode_bomb>
0x0000000000400fb2 <+111>: mov $0x0,%eax
0x0000000000400fb7 <+116>: jmp 0x400fbe <phase_3+123>
0x0000000000400fb9 <+118>: mov $0x137,%eax
0x0000000000400fbe <+123>: cmp 0xc(%rsp),%eax
0x0000000000400fc2 <+127>: je 0x400fc9 <phase_3+134>
0x0000000000400fc4 <+129>: callq 0x40143a <explode_bomb>
0x0000000000400fc9 <+134>: add $0x18,%rsp
0x0000000000400fcd <+138>: retq
(gdb) x /32xb 0x402470
//打印出来了可以看到如果x = 1则跳转到 b9这个位置,这里比较了第二个参数 0xc(%rsp) 的值和0x137
//10进制就是311,这就是答案
0x402470: 0x7c 0x0f 0x40 0x00 0x00 0x00 0x00 0x00
0x402478: 0xb9 0x0f 0x40 0x00 0x00 0x00 0x00 0x00
0x402480: 0x83 0x0f 0x40 0x00 0x00 0x00 0x00 0x00
0x402488: 0x8a 0x0f 0x40 0x00 0x00 0x00 0x00 0x00
(gdb) continue
[Inferior 1 (process 4665) exited with code 010]
(gdb) r answers.txt
Starting program: /home/going/workspace/csappLab/bomb/bomb answers.txt
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
1 311
Breakpoint 3, 0x0000000000400f43 in phase_3 ()
(gdb) continue
Continuing.
Halfway there!
Phase 4
(gdb) disas
Dump of assembler code for function phase_4:
0x000000000040100c <+0>: sub $0x18,%rsp
0x0000000000401010 <+4>: lea 0xc(%rsp),%rcx
0x0000000000401015 <+9>: lea 0x8(%rsp),%rdx
//到这里都很熟悉,读取输入的两个数,然后传给scanf
0x000000000040101a <+14>: mov $0x4025cf,%esi
0x000000000040101f <+19>: mov $0x0,%eax
0x0000000000401024 <+24>: callq 0x400bf0 <__isoc99_sscanf@plt>
//如果没有两个数就爆炸
0x0000000000401029 <+29>: cmp $0x2,%eax
0x000000000040102c <+32>: jne 0x401035 <phase_4+41>
0x000000000040102e <+34>: cmpl $0xe,0x8(%rsp)
0x0000000000401033 <+39>: jbe 0x40103a <phase_4+46>
0x0000000000401035 <+41>: callq 0x40143a <explode_bomb>
0x000000000040103a <+46>: mov $0xe,%edx
0x000000000040103f <+51>: mov $0x0,%esi
0x0000000000401044 <+56>: mov 0x8(%rsp),%edi
//给func传入三个参数 0xe 0x0 还有输入的第一个值
=> 0x0000000000401048 <+60>: callq 0x400fce <func4>
//如果结果不是0就直接爆炸
0x000000000040104d <+65>: test %eax,%eax
0x000000000040104f <+67>: jne 0x401058 <phase_4+76>
//如果第二个参数不是0就直接爆炸
0x0000000000401051 <+69>: cmpl $0x0,0xc(%rsp)
0x0000000000401056 <+74>: je 0x40105d <phase_4+81>
0x0000000000401058 <+76>: callq 0x40143a <explode_bomb>
0x000000000040105d <+81>: add $0x18,%rsp
0x0000000000401061 <+85>: retq
End of assembler dump.
(gdb) disas
Dump of assembler code for function func4:
=> 0x0000000000400fce <+0>: sub $0x8,%rsp
0x0000000000400fd2 <+4>: mov %edx,%eax
0x0000000000400fd4 <+6>: sub %esi,%eax
0x0000000000400fd6 <+8>: mov %eax,%ecx
0x0000000000400fd8 <+10>: shr $0x1f,%ecx
0x0000000000400fdb <+13>: add %ecx,%eax
0x0000000000400fdd <+15>: sar %eax
0x0000000000400fdf <+17>: lea (%rax,%rsi,1),%ecx
0x0000000000400fe2 <+20>: cmp %edi,%ecx
0x0000000000400fe4 <+22>: jle 0x400ff2 <func4+36>
0x0000000000400fe6 <+24>: lea -0x1(%rcx),%edx
0x0000000000400fe9 <+27>: callq 0x400fce <func4>
0x0000000000400fee <+32>: add %eax,%eax
0x0000000000400ff0 <+34>: jmp 0x401007 <func4+57>
0x0000000000400ff2 <+36>: mov $0x0,%eax
0x0000000000400ff7 <+41>: cmp %edi,%ecx
0x0000000000400ff9 <+43>: jge 0x401007 <func4+57>
0x0000000000400ffb <+45>: lea 0x1(%rcx),%esi
0x0000000000400ffe <+48>: callq 0x400fce <func4>
0x0000000000401003 <+53>: lea 0x1(%rax,%rax,1),%eax
0x0000000000401007 <+57>: add $0x8,%rsp
0x000000000040100b <+61>: retq
(gdb) continue
//第二个参数必然是0,第一个参数随便输入了个1进去,居然过了.....
Continuing.
So you got that one. Try this one.
虽然蒙对了但是还是要看下func4的代码
反向出来func4的c语言代码
int fun(int a1, int a2, int x){
int b = (a1 - a2) >> 31;
int result = ((a1-a2) + b) >> 1;
b = result + a2;
if(b == x) return 0;
if(b < x) {
result = fun(a1, b + 1, x);
return result * 2 + 1;
}else{
result = fun(b - 1, a2, x);
return result * 2;
}
}
a1,a2的初始值分别是0xe,0x0
Phase5
0x0000000000401062 <+0>: push %rbx
0x0000000000401063 <+1>: sub $0x20,%rsp
0x0000000000401067 <+5>: mov %rdi,%rbx
0x000000000040106a <+8>: mov %fs:0x28,%rax
0x0000000000401073 <+17>: mov %rax,0x18(%rsp)
0x0000000000401078 <+22>: xor %eax,%eax
0x000000000040107a <+24>: callq 0x40131b <string_length>
0x000000000040107f <+29>: cmp $0x6,%eax
//如果输入的字符串长度不是6就爆炸
0x0000000000401082 <+32>: je 0x4010d2 <phase_5+112>
0x0000000000401084 <+34>: callq 0x40143a <explode_bomb>
0x0000000000401089 <+39>: jmp 0x4010d2 <phase_5+112>
//这里开启了一个循环
//这里%rbx指向了我们输入的第一个字符的地址
//%rax被不断的累加1所以是不断的往下读我们输入的字符(1字节)
0x000000000040108b <+41>: movzbl (%rbx,%rax,1),%ecx
0x000000000040108f <+45>: mov %cl,(%rsp)
//%cl -> %rdx
0x0000000000401092 <+48>: mov (%rsp),%rdx
//把%edx和0xf与一下,即保留后四位最大为16
0x0000000000401096 <+52>: and $0xf,%edx
//用与出来的这个数字作为索引去读0x4024b0这个位置的字符串
0x0000000000401099 <+55>: movzbl 0x4024b0(%rdx),%edx
//把用这个索引读出来的字节放到%rsp + 0x10这个位置,这就是我们新的字符串
0x00000000004010a0 <+62>: mov %dl,0x10(%rsp,%rax,1)
//for i = 0;i < 6;i ++
0x00000000004010a4 <+66>: add $0x1,%rax
0x00000000004010a8 <+70>: cmp $0x6,%rax
0x00000000004010ac <+74>: jne 0x40108b <phase_5+41>
//准备参数,从0x40245e这个地址和$rsp + 10 这个地址开始比较两个字符串,如果不相等就引爆
0x00000000004010ae <+76>: movb $0x0,0x16(%rsp)
0x00000000004010b3 <+81>: mov $0x40245e,%esi
0x00000000004010b8 <+86>: lea 0x10(%rsp),%rdi
0x00000000004010bd <+91>: callq 0x401338 <strings_not_equal>
0x00000000004010c2 <+96>: test %eax,%eax
0x00000000004010c4 <+98>: je 0x4010d9 <phase_5+119>
0x00000000004010c6 <+100>: callq 0x40143a <explode_bomb>
0x00000000004010cb <+105>: nopl 0x0(%rax,%rax,1)
0x00000000004010d0 <+110>: jmp 0x4010d9 <phase_5+119>
0x00000000004010d2 <+112>: mov $0x0,%eax
0x00000000004010d7 <+117>: jmp 0x40108b <phase_5+41>
0x00000000004010d9 <+119>: mov 0x18(%rsp),%rax
0x00000000004010de <+124>: xor %fs:0x28,%rax
0x00000000004010e7 <+133>: je 0x4010ee <phase_5+140>
0x00000000004010e9 <+135>: callq 0x400b30 <__stack_chk_fail@plt>
0x00000000004010ee <+140>: add $0x20,%rsp
0x00000000004010f2 <+144>: pop %rbx
0x00000000004010f3 <+145>: retq
Phase6
Phase 6
=> 0x00000000004010f4 <+0>: push %r14
0x00000000004010f6 <+2>: push %r13
0x00000000004010f8 <+4>: push %r12
0x00000000004010fa <+6>: push %rbp
0x00000000004010fb <+7>: push %rbx
0x00000000004010fc <+8>: sub $0x50,%rsp #预留空间
0x0000000000401100 <+12>: mov %rsp,%r13 #r13 = rsp
0x0000000000401103 <+15>: mov %rsp,%rsi #rsi = rsp
0x0000000000401106 <+18>: callq 0x40145c <read_six_numbers>
0x000000000040110b <+23>: mov %rsp,%r14 #r14 = r13 = rsp
0x000000000040110e <+26>: mov $0x0,%r12d #r12d = 0
0x0000000000401114 <+32>: mov %r13,%rbp #rbp = r13
0x0000000000401117 <+35>: mov 0x0(%r13),%eax #*(r13 + 0) -> eax eax = nums[0]
0x000000000040111b <+39>: sub $0x1,%eax # eax - 1
0x000000000040111e <+42>: cmp $0x5,%eax # if eax - 1 > 5 blow up
0x0000000000401121 <+45>: jbe 0x401128 <phase_6+52>
0x0000000000401123 <+47>: callq 0x40143a <explode_bomb>
0x0000000000401128 <+52>: add $0x1,%r12d #r12d++
0x000000000040112c <+56>: cmp $0x6,%r12d #r12d < 6
0x0000000000401130 <+60>: je 0x401153 <phase_6+95>
0x0000000000401132 <+62>: mov %r12d,%ebx #ebx = r12d
0x0000000000401135 <+65>: movslq %ebx,%rax #rax = ebx = r12d
0x0000000000401138 <+68>: mov (%rsp,%rax,4),%eax #eax = *(rsp + 4 * rax) #int是4字节
0x000000000040113b <+71>: cmp %eax,0x0(%rbp) #*(rbp + 0) != eax ? => nums[i] != nums[j] #第一次
0x000000000040113e <+74>: jne 0x401145 <phase_6+81>
0x0000000000401140 <+76>: callq 0x40143a <explode_bomb>
0x0000000000401145 <+81>: add $0x1,%ebx #j ++
0x0000000000401148 <+84>: cmp $0x5,%ebx #j < 5
0x000000000040114b <+87>: jle 0x401135 <phase_6+65>
0x000000000040114d <+89>: add $0x4,%r13 #r13 = rbp = nums[i + 1]
0x0000000000401151 <+93>: jmp 0x401114 <phase_6+32>
---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ----part1 finish
0x0000000000401153 <+95>: lea 0x18(%rsp),%rsi # rsi = *(rsp + 18)
0x0000000000401158 <+100>: mov %r14,%rax #rax = r14
0x000000000040115b <+103>: mov $0x7,%ecx #ecx = 7
0x0000000000401160 <+108>: mov %ecx,%edx #edx = exc = 7
0x0000000000401162 <+110>: sub (%rax),%edx #edx = edx - *(rax) = 7 - *eax
0x0000000000401164 <+112>: mov %edx,(%rax) #*(rax) = edx
0x0000000000401166 <+114>: add $0x4,%rax # rax = rax + 4
0x000000000040116a <+118>: cmp %rsi,%rax # rax != rsi
0x000000000040116d <+121>: jne 0x401160 <phase_6+108>
---- ---- ---- ---- ---- ---- ---- ---- ---- ---- ----part2 finish
0x000000000040116f <+123>: mov $0x0,%esi # esi = 0
0x0000000000401174 <+128>: jmp 0x401197 <phase_6+163>
0x0000000000401176 <+130>: mov 0x8(%rdx),%rdx # rdx = *(rdx + 8) #node = node.next
0x000000000040117a <+134>: add $0x1,%eax # eax ++
0x000000000040117d <+137>: cmp %ecx,%eax # ecx != eax
0x000000000040117f <+139>: jne 0x401176 <phase_6+130>
0x0000000000401181 <+141>: jmp 0x401188 <phase_6+148>
0x0000000000401183 <+143>: mov $0x6032d0,%edx #edx = *node1
0x0000000000401188 <+148>: mov %rdx,0x20(%rsp,%rsi,2) #rsp + 20 = rdx #新开辟的空间
0x000000000040118d <+153>: add $0x4,%rsi #rsi += 4
0x0000000000401191 <+157>: cmp $0x18,%rsi #rsi == 18
0x0000000000401195 <+161>: je 0x4011ab <phase_6+183>
0x0000000000401197 <+163>: mov (%rsp,%rsi,1),%ecx #ecx = *(rsp + 1 * rsi) = nums[i]
0x000000000040119a <+166>: cmp $0x1,%ecx #ecx <= 1
0x000000000040119d <+169>: jle 0x401183 <phase_6+143>
0x000000000040119f <+171>: mov $0x1,%eax #eax = 1
0x00000000004011a4 <+176>: mov $0x6032d0,%edx #edx = *node1
0x00000000004011a9 <+181>: jmp 0x401176 <phase_6+130>
--- --- --- --- --- --- --- --- --- --- --- --- --- ---part3 finish
0x00000000004011ab <+183>: mov 0x20(%rsp),%rbx #rbx = rsp + 20 = node
0x00000000004011b0 <+188>: lea 0x28(%rsp),%rax #rax = rsp + 20 + 8 = node.next
0x00000000004011b5 <+193>: lea 0x50(%rsp),%rsi #rsi = rsp + 50
0x00000000004011ba <+198>: mov %rbx,%rcx #rcx = rbx = node
0x00000000004011bd <+201>: mov (%rax),%rdx #rdx = *(node.next) = node2
0x00000000004011c0 <+204>: mov %rdx,0x8(%rcx) #node.next = node2
0x00000000004011c4 <+208>: add $0x8,%rax #rax += 8
0x00000000004011c8 <+212>: cmp %rsi,%rax #rax == rsi
0x00000000004011cb <+215>: je 0x4011d2 <phase_6+222>
0x00000000004011cd <+217>: mov %rdx,%rcx #rcx = rdx
0x00000000004011d0 <+220>: jmp 0x4011bd <phase_6+201>
0x00000000004011d2 <+222>: movq $0x0,0x8(%rdx) #*(rdx + 8) = 0
--- --- --- --- --- --- --- --- --- --- --- --- --- ---part4 finish
0x00000000004011da <+230>: mov $0x5,%ebp #ebp = 5
0x00000000004011df <+235>: mov 0x8(%rbx),%rax# rax = *(rbx + 8)
0x00000000004011e3 <+239>: mov (%rax),%eax #eax = *rax
0x00000000004011e5 <+241>: cmp %eax,(%rbx) #*rbx >= eax => *rbx >= *rax => node >= node.next
0x00000000004011e7 <+243>: jge 0x4011ee <phase_6+250>
0x00000000004011e9 <+245>: callq 0x40143a <explode_bomb>
0x00000000004011ee <+250>: mov 0x8(%rbx),%rbx #rbx = *(rbx + 8) #node = node.next
0x00000000004011f2 <+254>: sub $0x1,%ebp #ebp -= 1
0x00000000004011f5 <+257>: jne 0x4011df <phase_6+235>
0x00000000004011f7 <+259>: add $0x50,%rsp
0x00000000004011fb <+263>: pop %rbx
0x00000000004011fc <+264>: pop %rbp
0x00000000004011fd <+265>: pop %r12
0x00000000004011ff <+267>: pop %r13
0x0000000000401201 <+269>: pop %r14
0x0000000000401203 <+271>: retq
--- --- --- --- --- --- --- --- --- --- --- --- --- --- part5 finish
Part1
伪代码
for(i = 0;i ++;i < 6)
{
if nums[i] > 6 {
bomb
}
for(j = i + 1;j < 5;j ++) {
if nums[j] == nums[i] {
bomb
}
}
}
Part2
伪代码
for(i = 0;i ++;i < 6) {
nums[i] = 7 - nums[i]
}
Part3
node struct
{
int sercretVal
int val
*node next
}
for(i = 0;i ++;i < 6) {
for (i < nums[i]) {
node = node.next
}
rsp + 20 = node
}
part4
for(i = 0;i < 6;i ++) {
node[i].next = node[i + 1]
}
part5
for(i = 5;i >= 0;i --)
{
if node.next.secretVal < node.secretVal {
bomb
}
}
[图片上传失败...(image-81abba-1652353284648)]
倒推过来答案就是
4 3 2 1 6 5
Secret Phase
phase_defused
=> 0x00000000004015c4 <+0>: sub $0x78,%rsp
0x00000000004015c8 <+4>: mov %fs:0x28,%rax
0x00000000004015d1 <+13>: mov %rax,0x68(%rsp)
0x00000000004015d6 <+18>: xor %eax,%eax
0x00000000004015d8 <+20>: cmpl $0x6,0x202181(%rip) # 0x603760 <num_input_strings>
0x00000000004015df <+27>: jne 0x40163f <phase_defused+123>
0x00000000004015e1 <+29>: lea 0x10(%rsp),%r8
0x00000000004015e6 <+34>: lea 0xc(%rsp),%rcx
0x00000000004015eb <+39>: lea 0x8(%rsp),%rdx
0x00000000004015f0 <+44>: mov $0x402619,%esi # x /s => "%d %d %s"
0x00000000004015f5 <+49>: mov $0x603870,%edi
0x00000000004015fa <+54>: callq 0x400bf0 <__isoc99_sscanf@plt>
0x00000000004015ff <+59>: cmp $0x3,%eax #应当读入两个数字一个字符串
0x0000000000401602 <+62>: jne 0x401635 <phase_defused+113> #跳出
0x0000000000401604 <+64>: mov $0x402622,%esi # x/s => "DrEvil"
0x0000000000401609 <+69>: lea 0x10(%rsp),%rdi #前两个输入必须是数字,所以是在phase_4的地方加上字符串,然后保存到$rdi 和 $esi("DrEvil")比较
0x000000000040160e <+74>: callq 0x401338 <strings_not_equal>
0x0000000000401613 <+79>: test %eax,%eax
#如果不相等就直接跳出
0x0000000000401615 <+81>: jne 0x401635 <phase_defused+113>
0x0000000000401617 <+83>: mov $0x4024f8,%edi
0x000000000040161c <+88>: callq 0x400b10 <puts@plt>
0x0000000000401621 <+93>: mov $0x402520,%edi
0x0000000000401626 <+98>: callq 0x400b10 <puts@plt>
0x000000000040162b <+103>: mov $0x0,%eax
0x0000000000401630 <+108>: callq 0x401242 <secret_phase> #执行秘密阶段
--
0x0000000000401635 <+113>: mov $0x402558,%edi
0x000000000040163a <+118>: callq 0x400b10 <puts@plt>
0x000000000040163f <+123>: mov 0x68(%rsp),%rax
0x0000000000401644 <+128>: xor %fs:0x28,%rax
0x000000000040164d <+137>: je 0x401654 <phase_defused+144>
0x000000000040164f <+139>: callq 0x400b30 <__stack_chk_fail@plt>
0x0000000000401654 <+144>: add $0x78,%rsp
0x0000000000401658 <+148>: retq
secret_phase
=> 0x0000000000401242 <+0>: push %rbx
0x0000000000401243 <+1>: callq 0x40149e <read_line>
0x0000000000401248 <+6>: mov $0xa,%edx #edx = 10
0x000000000040124d <+11>: mov $0x0,%esi #esi = 0
0x0000000000401252 <+16>: mov %rax,%rdi #rdi = rax
0x0000000000401255 <+19>: callq 0x400bd0 <strtol@plt> #读取输入的字符串转化为long
0x000000000040125a <+24>: mov %rax,%rbx #rbx = rax
0x000000000040125d <+27>: lea -0x1(%rax),%eax #rax = *(rax - 1)
0x0000000000401260 <+30>: cmp $0x3e8,%eax #eax <= 1000 # input - 1 <= 1000
0x0000000000401265 <+35>: jbe 0x40126c <secret_phase+42>
0x0000000000401267 <+37>: callq 0x40143a <explode_bomb>
0x000000000040126c <+42>: mov %ebx,%esi #esi = ebx
0x000000000040126e <+44>: mov $0x6030f0,%edi #传了一个地址,一个输入进去fun7
0x0000000000401273 <+49>: callq 0x401204 <fun7>
0x0000000000401278 <+54>: cmp $0x2,%eax #需要fun7返回2
0x000000000040127b <+57>: je 0x401282 <secret_phase+64>
0x000000000040127d <+59>: callq 0x40143a <explode_bomb>
0x0000000000401282 <+64>: mov $0x402438,%edi
0x0000000000401287 <+69>: callq 0x400b10 <puts@plt>
0x000000000040128c <+74>: callq 0x4015c4 <phase_defused>
0x0000000000401291 <+79>: pop %rbx
0x0000000000401292 <+80>: retq
fun7
Dump of assembler code for function fun7:
=> 0x0000000000401204 <+0>: sub $0x8,%rsp
0x0000000000401208 <+4>: test %rdi,%rdi #rdi
0x000000000040120b <+7>: je 0x401238 <fun7+52>
0x000000000040120d <+9>: mov (%rdi),%edx #取出0x6030f0地址的值,是36
0x000000000040120f <+11>: cmp %esi,%edx #input >= edx
0x0000000000401211 <+13>: jle 0x401220 <fun7+28>
0x0000000000401213 <+15>: mov 0x8(%rdi),%rdi #rdi = *(rdi + 8) #去左边的节点
0x0000000000401217 <+19>: callq 0x401204 <fun7> #func7(input,*(rdi + 8))
0x000000000040121c <+24>: add %eax,%eax #eax = 2 * eax
0x000000000040121e <+26>: jmp 0x40123d <fun7+57> #return 2 eax
0x0000000000401220 <+28>: mov $0x0,%eax #eax = 0
0x0000000000401225 <+33>: cmp %esi,%edx #edx == esi
0x0000000000401227 <+35>: je 0x40123d <fun7+57> #return 0
0x0000000000401229 <+37>: mov 0x10(%rdi),%rdi #rdi = *(rdi + 10) #去右边的节点
0x000000000040122d <+41>: callq 0x401204 <fun7>
0x0000000000401232 <+46>: lea 0x1(%rax,%rax,1),%eax #return eax = 2rax + 1
0x0000000000401236 <+50>: jmp 0x40123d <fun7+57>
0x0000000000401238 <+52>: mov $0xffffffff,%eax
0x000000000040123d <+57>: add $0x8,%rsp
0x0000000000401241 <+61>: retq
End of assembler dump.
image.png
要返回2,那么就是
0 -> 2 * 0 + 1 -> 2* 1 = 2
最后一次返回0,倒数第二次返回2*rax + 1,倒数第一次返回rax
最后一次返回0则说明必然是树里面的数值
结果就是这个值必然小于24(第一次),大于8,满足条件的只有0x16(22)