BombLab 下

2022-05-12  本文已影响0人  早睡使人快乐

Phase3

(gdb) disas
Dump of assembler code for function phase_3:
   0x0000000000400f43 <+0>:     sub    $0x18,%rsp
   0x0000000000400f47 <+4>:     lea    0xc(%rsp),%rcx
   0x0000000000400f4c <+9>:     lea    0x8(%rsp),%rdx
   0x0000000000400f51 <+14>:    mov    $0x4025cf,%esi
   0x0000000000400f56 <+19>:    mov    $0x0,%eax
   //scanf这个函数需要传入格式字符串,应该是$0x4025cf这个地址的模板字符串
   //打印出来看到是"%d %d"
   //所以输入是两个数字
   0x0000000000400f5b <+24>:    callq  0x400bf0 <__isoc99_sscanf@plt>
   //比较scanf的返回值如果返回值小于1直接爆炸
   //scanf的返回值一般是读入的数字的数量,我们输入两个数字应该就ok了
   0x0000000000400f60 <+29>:    cmp    $0x1,%eax
   0x0000000000400f63 <+32>:    jg     0x400f6a <phase_3+39>
   0x0000000000400f65 <+34>:    callq  0x40143a <explode_bomb>
   //比较读入的第一个数字,如果大于7则爆炸
   0x0000000000400f6a <+39>:    cmpl   $0x7,0x8(%rsp)
=> 0x0000000000400f6f <+44>:    ja     0x400fad <phase_3+106>
   0x0000000000400f71 <+46>:    mov    0x8(%rsp),%eax
   //这里是关键
   //swithc语句构建了一个跳转表,这是一个类似数组的东西
   //所以我们要看下0x402470这个位置的东西
   //跳转的地址就是 0x402470[%rax] 跳转到%rax这个索引的地方
   0x0000000000400f75 <+50>:    jmpq   *0x402470(,%rax,8)
   0x0000000000400f7c <+57>:    mov    $0xcf,%eax
   0x0000000000400f81 <+62>:    jmp    0x400fbe <phase_3+123>
   0x0000000000400f83 <+64>:    mov    $0x2c3,%eax
   0x0000000000400f88 <+69>:    jmp    0x400fbe <phase_3+123>
   0x0000000000400f8a <+71>:    mov    $0x100,%eax
   0x0000000000400f8f <+76>:    jmp    0x400fbe <phase_3+123>
   0x0000000000400f91 <+78>:    mov    $0x185,%eax
   0x0000000000400f96 <+83>:    jmp    0x400fbe <phase_3+123>
   0x0000000000400f98 <+85>:    mov    $0xce,%eax
   0x0000000000400f9d <+90>:    jmp    0x400fbe <phase_3+123>
   0x0000000000400f9f <+92>:    mov    $0x2aa,%eax
   0x0000000000400fa4 <+97>:    jmp    0x400fbe <phase_3+123>
   0x0000000000400fa6 <+99>:    mov    $0x147,%eax
   0x0000000000400fab <+104>:   jmp    0x400fbe <phase_3+123>
   0x0000000000400fad <+106>:   callq  0x40143a <explode_bomb>
   0x0000000000400fb2 <+111>:   mov    $0x0,%eax
   0x0000000000400fb7 <+116>:   jmp    0x400fbe <phase_3+123>
   0x0000000000400fb9 <+118>:   mov    $0x137,%eax
   0x0000000000400fbe <+123>:   cmp    0xc(%rsp),%eax
   0x0000000000400fc2 <+127>:   je     0x400fc9 <phase_3+134>
   0x0000000000400fc4 <+129>:   callq  0x40143a <explode_bomb>
   0x0000000000400fc9 <+134>:   add    $0x18,%rsp
   0x0000000000400fcd <+138>:   retq
(gdb) x /32xb 0x402470
//打印出来了可以看到如果x = 1则跳转到 b9这个位置,这里比较了第二个参数 0xc(%rsp) 的值和0x137
//10进制就是311,这就是答案
0x402470:       0x7c    0x0f    0x40    0x00    0x00    0x00    0x00    0x00
0x402478:       0xb9    0x0f    0x40    0x00    0x00    0x00    0x00    0x00
0x402480:       0x83    0x0f    0x40    0x00    0x00    0x00    0x00    0x00
0x402488:       0x8a    0x0f    0x40    0x00    0x00    0x00    0x00    0x00
(gdb) continue

[Inferior 1 (process 4665) exited with code 010]
(gdb) r answers.txt
Starting program: /home/going/workspace/csappLab/bomb/bomb answers.txt
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2.  Keep going!
1 311

Breakpoint 3, 0x0000000000400f43 in phase_3 ()
(gdb) continue
Continuing.
Halfway there!

Phase 4

(gdb) disas
Dump of assembler code for function phase_4:
   0x000000000040100c <+0>:     sub    $0x18,%rsp
   0x0000000000401010 <+4>:     lea    0xc(%rsp),%rcx
   0x0000000000401015 <+9>:     lea    0x8(%rsp),%rdx
   //到这里都很熟悉,读取输入的两个数,然后传给scanf
   0x000000000040101a <+14>:    mov    $0x4025cf,%esi
   0x000000000040101f <+19>:    mov    $0x0,%eax
   0x0000000000401024 <+24>:    callq  0x400bf0 <__isoc99_sscanf@plt>
   //如果没有两个数就爆炸
   0x0000000000401029 <+29>:    cmp    $0x2,%eax
   0x000000000040102c <+32>:    jne    0x401035 <phase_4+41>
   0x000000000040102e <+34>:    cmpl   $0xe,0x8(%rsp)
   0x0000000000401033 <+39>:    jbe    0x40103a <phase_4+46>
   0x0000000000401035 <+41>:    callq  0x40143a <explode_bomb>
   0x000000000040103a <+46>:    mov    $0xe,%edx
   0x000000000040103f <+51>:    mov    $0x0,%esi
   0x0000000000401044 <+56>:    mov    0x8(%rsp),%edi
   //给func传入三个参数 0xe 0x0 还有输入的第一个值
=> 0x0000000000401048 <+60>:    callq  0x400fce <func4>
   //如果结果不是0就直接爆炸
   0x000000000040104d <+65>:    test   %eax,%eax
   0x000000000040104f <+67>:    jne    0x401058 <phase_4+76>
   //如果第二个参数不是0就直接爆炸
   0x0000000000401051 <+69>:    cmpl   $0x0,0xc(%rsp)
   0x0000000000401056 <+74>:    je     0x40105d <phase_4+81>
   0x0000000000401058 <+76>:    callq  0x40143a <explode_bomb>
   0x000000000040105d <+81>:    add    $0x18,%rsp
   0x0000000000401061 <+85>:    retq
End of assembler dump.
(gdb) disas
Dump of assembler code for function func4:
=> 0x0000000000400fce <+0>:     sub    $0x8,%rsp
   0x0000000000400fd2 <+4>:     mov    %edx,%eax
   0x0000000000400fd4 <+6>:     sub    %esi,%eax
   0x0000000000400fd6 <+8>:     mov    %eax,%ecx
   0x0000000000400fd8 <+10>:    shr    $0x1f,%ecx
   0x0000000000400fdb <+13>:    add    %ecx,%eax
   0x0000000000400fdd <+15>:    sar    %eax
   0x0000000000400fdf <+17>:    lea    (%rax,%rsi,1),%ecx
   0x0000000000400fe2 <+20>:    cmp    %edi,%ecx
   0x0000000000400fe4 <+22>:    jle    0x400ff2 <func4+36>
   0x0000000000400fe6 <+24>:    lea    -0x1(%rcx),%edx
   0x0000000000400fe9 <+27>:    callq  0x400fce <func4>
   0x0000000000400fee <+32>:    add    %eax,%eax
   0x0000000000400ff0 <+34>:    jmp    0x401007 <func4+57>
   0x0000000000400ff2 <+36>:    mov    $0x0,%eax
   0x0000000000400ff7 <+41>:    cmp    %edi,%ecx
   0x0000000000400ff9 <+43>:    jge    0x401007 <func4+57>
   0x0000000000400ffb <+45>:    lea    0x1(%rcx),%esi
   0x0000000000400ffe <+48>:    callq  0x400fce <func4>
   0x0000000000401003 <+53>:    lea    0x1(%rax,%rax,1),%eax
   0x0000000000401007 <+57>:    add    $0x8,%rsp
   0x000000000040100b <+61>:    retq
(gdb) continue
//第二个参数必然是0,第一个参数随便输入了个1进去,居然过了.....
Continuing.
So you got that one.  Try this one.

虽然蒙对了但是还是要看下func4的代码

反向出来func4的c语言代码

int fun(int a1, int a2, int x){
    int b = (a1 - a2) >> 31;
    int result = ((a1-a2) + b) >> 1;
    b = result + a2;
    if(b == x) return 0;
    if(b < x) {
        result = fun(a1, b + 1, x);
        return result * 2 + 1;
    }else{
        result = fun(b - 1, a2, x);
        return result * 2;
    }
}

a1,a2的初始值分别是0xe,0x0

Phase5

  0x0000000000401062 <+0>:     push   %rbx
  0x0000000000401063 <+1>:     sub    $0x20,%rsp
  0x0000000000401067 <+5>:     mov    %rdi,%rbx
  0x000000000040106a <+8>:     mov    %fs:0x28,%rax
  0x0000000000401073 <+17>:    mov    %rax,0x18(%rsp)
  0x0000000000401078 <+22>:    xor    %eax,%eax
  0x000000000040107a <+24>:    callq  0x40131b <string_length>
  0x000000000040107f <+29>:    cmp    $0x6,%eax
  //如果输入的字符串长度不是6就爆炸
  0x0000000000401082 <+32>:    je     0x4010d2 <phase_5+112>
  0x0000000000401084 <+34>:    callq  0x40143a <explode_bomb>
  0x0000000000401089 <+39>:    jmp    0x4010d2 <phase_5+112>
  //这里开启了一个循环
  //这里%rbx指向了我们输入的第一个字符的地址
  //%rax被不断的累加1所以是不断的往下读我们输入的字符(1字节)
  0x000000000040108b <+41>:    movzbl (%rbx,%rax,1),%ecx
  0x000000000040108f <+45>:    mov    %cl,(%rsp)
  //%cl -> %rdx
  0x0000000000401092 <+48>:    mov    (%rsp),%rdx
  //把%edx和0xf与一下,即保留后四位最大为16
  0x0000000000401096 <+52>:    and    $0xf,%edx
  //用与出来的这个数字作为索引去读0x4024b0这个位置的字符串
  0x0000000000401099 <+55>:    movzbl 0x4024b0(%rdx),%edx
  //把用这个索引读出来的字节放到%rsp + 0x10这个位置,这就是我们新的字符串
  0x00000000004010a0 <+62>:    mov    %dl,0x10(%rsp,%rax,1)
  //for i = 0;i < 6;i ++
  0x00000000004010a4 <+66>:    add    $0x1,%rax
  0x00000000004010a8 <+70>:    cmp    $0x6,%rax
  0x00000000004010ac <+74>:    jne    0x40108b <phase_5+41>
  
  //准备参数,从0x40245e这个地址和$rsp + 10 这个地址开始比较两个字符串,如果不相等就引爆
  0x00000000004010ae <+76>:    movb   $0x0,0x16(%rsp)
  0x00000000004010b3 <+81>:    mov    $0x40245e,%esi
  0x00000000004010b8 <+86>:    lea    0x10(%rsp),%rdi
  0x00000000004010bd <+91>:    callq  0x401338 <strings_not_equal>
  0x00000000004010c2 <+96>:    test   %eax,%eax
  0x00000000004010c4 <+98>:    je     0x4010d9 <phase_5+119>
  0x00000000004010c6 <+100>:   callq  0x40143a <explode_bomb>
  0x00000000004010cb <+105>:   nopl   0x0(%rax,%rax,1)
  0x00000000004010d0 <+110>:   jmp    0x4010d9 <phase_5+119>
  0x00000000004010d2 <+112>:   mov    $0x0,%eax
  0x00000000004010d7 <+117>:   jmp    0x40108b <phase_5+41>
  0x00000000004010d9 <+119>:   mov    0x18(%rsp),%rax
  0x00000000004010de <+124>:   xor    %fs:0x28,%rax
  0x00000000004010e7 <+133>:   je     0x4010ee <phase_5+140>
  0x00000000004010e9 <+135>:   callq  0x400b30 <__stack_chk_fail@plt>
  0x00000000004010ee <+140>:   add    $0x20,%rsp
  0x00000000004010f2 <+144>:   pop    %rbx
  0x00000000004010f3 <+145>:   retq

Phase6

Phase 6

=> 0x00000000004010f4 <+0>:     push   %r14
   0x00000000004010f6 <+2>:     push   %r13
   0x00000000004010f8 <+4>:     push   %r12
   0x00000000004010fa <+6>:     push   %rbp
   0x00000000004010fb <+7>:     push   %rbx
   0x00000000004010fc <+8>:     sub    $0x50,%rsp #预留空间
   0x0000000000401100 <+12>:    mov    %rsp,%r13 #r13 = rsp
   0x0000000000401103 <+15>:    mov    %rsp,%rsi #rsi = rsp
   0x0000000000401106 <+18>:    callq  0x40145c <read_six_numbers>
   0x000000000040110b <+23>:    mov    %rsp,%r14 #r14 = r13 = rsp
   0x000000000040110e <+26>:    mov    $0x0,%r12d #r12d = 0
   0x0000000000401114 <+32>:    mov    %r13,%rbp #rbp = r13
   0x0000000000401117 <+35>:    mov    0x0(%r13),%eax #*(r13 + 0) -> eax eax = nums[0]
   0x000000000040111b <+39>:    sub    $0x1,%eax # eax - 1
   0x000000000040111e <+42>:    cmp    $0x5,%eax # if eax - 1 > 5 blow up
   0x0000000000401121 <+45>:    jbe    0x401128 <phase_6+52>
   0x0000000000401123 <+47>:    callq  0x40143a <explode_bomb>
   0x0000000000401128 <+52>:    add    $0x1,%r12d #r12d++
   0x000000000040112c <+56>:    cmp    $0x6,%r12d #r12d < 6
   0x0000000000401130 <+60>:    je     0x401153 <phase_6+95>
   0x0000000000401132 <+62>:    mov    %r12d,%ebx #ebx = r12d 
   0x0000000000401135 <+65>:    movslq %ebx,%rax #rax = ebx = r12d
   0x0000000000401138 <+68>:    mov    (%rsp,%rax,4),%eax #eax = *(rsp + 4 * rax) #int是4字节
   0x000000000040113b <+71>:    cmp    %eax,0x0(%rbp) #*(rbp + 0) != eax ? => nums[i] != nums[j] #第一次
   0x000000000040113e <+74>:    jne    0x401145 <phase_6+81>
   0x0000000000401140 <+76>:    callq  0x40143a <explode_bomb>
   0x0000000000401145 <+81>:    add    $0x1,%ebx #j ++
   0x0000000000401148 <+84>:    cmp    $0x5,%ebx #j < 5
   0x000000000040114b <+87>:    jle    0x401135 <phase_6+65>
   0x000000000040114d <+89>:    add    $0x4,%r13 #r13 = rbp = nums[i + 1]
   0x0000000000401151 <+93>:    jmp    0x401114 <phase_6+32>
   
  ---- ---- ----  ---- ---- ----  ---- ---- ----  ---- ---- ----part1 finish
   0x0000000000401153 <+95>:    lea    0x18(%rsp),%rsi # rsi = *(rsp + 18)  
   0x0000000000401158 <+100>:   mov    %r14,%rax #rax = r14
   0x000000000040115b <+103>:   mov    $0x7,%ecx #ecx = 7
   0x0000000000401160 <+108>:   mov    %ecx,%edx #edx = exc = 7
   0x0000000000401162 <+110>:   sub    (%rax),%edx #edx = edx - *(rax) = 7 - *eax
   0x0000000000401164 <+112>:   mov    %edx,(%rax) #*(rax) = edx
   0x0000000000401166 <+114>:   add    $0x4,%rax # rax = rax + 4
   0x000000000040116a <+118>:   cmp    %rsi,%rax # rax != rsi
   0x000000000040116d <+121>:   jne    0x401160 <phase_6+108>
    ---- ----  ---- ---- ----  ---- ---- ----  ---- ---- ----part2 finish
   0x000000000040116f <+123>:   mov    $0x0,%esi # esi = 0
   0x0000000000401174 <+128>:   jmp    0x401197 <phase_6+163>
   0x0000000000401176 <+130>:   mov    0x8(%rdx),%rdx # rdx = *(rdx + 8) #node = node.next
   0x000000000040117a <+134>:   add    $0x1,%eax # eax ++
   0x000000000040117d <+137>:   cmp    %ecx,%eax # ecx != eax
   0x000000000040117f <+139>:   jne    0x401176 <phase_6+130>
   0x0000000000401181 <+141>:   jmp    0x401188 <phase_6+148>
   0x0000000000401183 <+143>:   mov    $0x6032d0,%edx #edx = *node1
   0x0000000000401188 <+148>:   mov    %rdx,0x20(%rsp,%rsi,2) #rsp + 20 = rdx #新开辟的空间
   0x000000000040118d <+153>:   add    $0x4,%rsi  #rsi += 4
   0x0000000000401191 <+157>:   cmp    $0x18,%rsi #rsi == 18
   0x0000000000401195 <+161>:   je     0x4011ab <phase_6+183>
   0x0000000000401197 <+163>:   mov    (%rsp,%rsi,1),%ecx #ecx = *(rsp + 1 * rsi) = nums[i]
   0x000000000040119a <+166>:   cmp    $0x1,%ecx #ecx <= 1
   0x000000000040119d <+169>:   jle    0x401183 <phase_6+143>
   0x000000000040119f <+171>:   mov    $0x1,%eax #eax = 1
   0x00000000004011a4 <+176>:   mov    $0x6032d0,%edx #edx = *node1
   0x00000000004011a9 <+181>:   jmp    0x401176 <phase_6+130>
   --- --- --- --- --- --- --- --- --- --- --- --- --- ---part3 finish
   0x00000000004011ab <+183>:   mov    0x20(%rsp),%rbx #rbx = rsp + 20 = node
   0x00000000004011b0 <+188>:   lea    0x28(%rsp),%rax #rax = rsp + 20 + 8 = node.next
   0x00000000004011b5 <+193>:   lea    0x50(%rsp),%rsi #rsi = rsp + 50
   0x00000000004011ba <+198>:   mov    %rbx,%rcx #rcx = rbx = node
   0x00000000004011bd <+201>:   mov    (%rax),%rdx #rdx = *(node.next) = node2
   0x00000000004011c0 <+204>:   mov    %rdx,0x8(%rcx) #node.next = node2
   0x00000000004011c4 <+208>:   add    $0x8,%rax #rax += 8
   0x00000000004011c8 <+212>:   cmp    %rsi,%rax #rax == rsi
   0x00000000004011cb <+215>:   je     0x4011d2 <phase_6+222>
   0x00000000004011cd <+217>:   mov    %rdx,%rcx #rcx = rdx
   0x00000000004011d0 <+220>:   jmp    0x4011bd <phase_6+201>
   0x00000000004011d2 <+222>:   movq   $0x0,0x8(%rdx) #*(rdx + 8) = 0
    --- --- --- --- --- --- --- --- --- --- --- --- --- ---part4 finish
   0x00000000004011da <+230>:   mov    $0x5,%ebp #ebp = 5
   0x00000000004011df <+235>:   mov    0x8(%rbx),%rax# rax = *(rbx + 8)
   0x00000000004011e3 <+239>:   mov    (%rax),%eax #eax = *rax
   0x00000000004011e5 <+241>:   cmp    %eax,(%rbx) #*rbx >= eax => *rbx >= *rax => node >= node.next
   0x00000000004011e7 <+243>:   jge    0x4011ee <phase_6+250>
   0x00000000004011e9 <+245>:   callq  0x40143a <explode_bomb>
   0x00000000004011ee <+250>:   mov    0x8(%rbx),%rbx #rbx = *(rbx + 8) #node = node.next
   0x00000000004011f2 <+254>:   sub    $0x1,%ebp #ebp -= 1
   0x00000000004011f5 <+257>:   jne    0x4011df <phase_6+235>
   0x00000000004011f7 <+259>:   add    $0x50,%rsp
   0x00000000004011fb <+263>:   pop    %rbx
   0x00000000004011fc <+264>:   pop    %rbp
   0x00000000004011fd <+265>:   pop    %r12
   0x00000000004011ff <+267>:   pop    %r13
   0x0000000000401201 <+269>:   pop    %r14
   0x0000000000401203 <+271>:   retq
   --- --- --- --- --- --- --- --- --- --- --- --- --- --- part5 finish

Part1

伪代码

for(i = 0;i ++;i < 6)
{
    if nums[i] > 6 {
        bomb
    }
    for(j = i + 1;j < 5;j ++) {
        if nums[j] == nums[i] {
            bomb
        }
    }
}

Part2

伪代码

for(i = 0;i ++;i < 6) {

 nums[i] = 7 - nums[i]

}

Part3

node struct
{
    int sercretVal
    int val
    *node next
}
for(i = 0;i ++;i < 6) {
    for (i < nums[i]) {
        node = node.next
    }
    rsp + 20 = node
    
}

part4

for(i = 0;i < 6;i ++) {
    node[i].next = node[i + 1]
}

part5

for(i = 5;i >= 0;i --)
{
    if node.next.secretVal < node.secretVal {
        bomb
    }
}

[图片上传失败...(image-81abba-1652353284648)]

倒推过来答案就是

4 3 2 1 6 5

Secret Phase

phase_defused

=> 0x00000000004015c4 <+0>:     sub    $0x78,%rsp
   0x00000000004015c8 <+4>:     mov    %fs:0x28,%rax
   0x00000000004015d1 <+13>:    mov    %rax,0x68(%rsp)
   0x00000000004015d6 <+18>:    xor    %eax,%eax
   0x00000000004015d8 <+20>:    cmpl   $0x6,0x202181(%rip)        # 0x603760 <num_input_strings>
   0x00000000004015df <+27>:    jne    0x40163f <phase_defused+123>
   0x00000000004015e1 <+29>:    lea    0x10(%rsp),%r8
   0x00000000004015e6 <+34>:    lea    0xc(%rsp),%rcx
   0x00000000004015eb <+39>:    lea    0x8(%rsp),%rdx
   0x00000000004015f0 <+44>:    mov    $0x402619,%esi # x /s => "%d %d %s"
   0x00000000004015f5 <+49>:    mov    $0x603870,%edi 
   0x00000000004015fa <+54>:    callq  0x400bf0 <__isoc99_sscanf@plt>
   0x00000000004015ff <+59>:    cmp    $0x3,%eax #应当读入两个数字一个字符串
   0x0000000000401602 <+62>:    jne    0x401635 <phase_defused+113> #跳出
   0x0000000000401604 <+64>:    mov    $0x402622,%esi # x/s => "DrEvil"
   0x0000000000401609 <+69>:    lea    0x10(%rsp),%rdi #前两个输入必须是数字,所以是在phase_4的地方加上字符串,然后保存到$rdi 和 $esi("DrEvil")比较 
   0x000000000040160e <+74>:    callq  0x401338 <strings_not_equal>
   0x0000000000401613 <+79>:    test   %eax,%eax
   #如果不相等就直接跳出
   0x0000000000401615 <+81>:    jne    0x401635 <phase_defused+113>
   0x0000000000401617 <+83>:    mov    $0x4024f8,%edi
   0x000000000040161c <+88>:    callq  0x400b10 <puts@plt>
   0x0000000000401621 <+93>:    mov    $0x402520,%edi
   0x0000000000401626 <+98>:    callq  0x400b10 <puts@plt>
   0x000000000040162b <+103>:   mov    $0x0,%eax
   0x0000000000401630 <+108>:   callq  0x401242 <secret_phase> #执行秘密阶段
   --
   0x0000000000401635 <+113>:   mov    $0x402558,%edi
   0x000000000040163a <+118>:   callq  0x400b10 <puts@plt>
   0x000000000040163f <+123>:   mov    0x68(%rsp),%rax
   0x0000000000401644 <+128>:   xor    %fs:0x28,%rax
   0x000000000040164d <+137>:   je     0x401654 <phase_defused+144>
   0x000000000040164f <+139>:   callq  0x400b30 <__stack_chk_fail@plt>
   0x0000000000401654 <+144>:   add    $0x78,%rsp
   0x0000000000401658 <+148>:   retq

secret_phase

=> 0x0000000000401242 <+0>:     push   %rbx
   0x0000000000401243 <+1>:     callq  0x40149e <read_line>
   0x0000000000401248 <+6>:     mov    $0xa,%edx #edx = 10
   0x000000000040124d <+11>:    mov    $0x0,%esi #esi = 0
   0x0000000000401252 <+16>:    mov    %rax,%rdi #rdi = rax
   0x0000000000401255 <+19>:    callq  0x400bd0 <strtol@plt> #读取输入的字符串转化为long
   0x000000000040125a <+24>:    mov    %rax,%rbx #rbx = rax
   0x000000000040125d <+27>:    lea    -0x1(%rax),%eax #rax = *(rax - 1)
   0x0000000000401260 <+30>:    cmp    $0x3e8,%eax #eax <= 1000 # input - 1 <= 1000
   0x0000000000401265 <+35>:    jbe    0x40126c <secret_phase+42> 
   0x0000000000401267 <+37>:    callq  0x40143a <explode_bomb>
   0x000000000040126c <+42>:    mov    %ebx,%esi #esi = ebx
   0x000000000040126e <+44>:    mov    $0x6030f0,%edi #传了一个地址,一个输入进去fun7
   0x0000000000401273 <+49>:    callq  0x401204 <fun7>
   0x0000000000401278 <+54>:    cmp    $0x2,%eax #需要fun7返回2
   0x000000000040127b <+57>:    je     0x401282 <secret_phase+64>
   0x000000000040127d <+59>:    callq  0x40143a <explode_bomb>
   0x0000000000401282 <+64>:    mov    $0x402438,%edi
   0x0000000000401287 <+69>:    callq  0x400b10 <puts@plt>
   0x000000000040128c <+74>:    callq  0x4015c4 <phase_defused>
   0x0000000000401291 <+79>:    pop    %rbx
   0x0000000000401292 <+80>:    retq

fun7

Dump of assembler code for function fun7:
=> 0x0000000000401204 <+0>:     sub    $0x8,%rsp
   0x0000000000401208 <+4>:     test   %rdi,%rdi #rdi
   0x000000000040120b <+7>:     je     0x401238 <fun7+52>
   0x000000000040120d <+9>:     mov    (%rdi),%edx #取出0x6030f0地址的值,是36
   0x000000000040120f <+11>:    cmp    %esi,%edx #input >= edx
   0x0000000000401211 <+13>:    jle    0x401220 <fun7+28>
   0x0000000000401213 <+15>:    mov    0x8(%rdi),%rdi #rdi = *(rdi + 8) #去左边的节点
   0x0000000000401217 <+19>:    callq  0x401204 <fun7> #func7(input,*(rdi + 8))
   0x000000000040121c <+24>:    add    %eax,%eax #eax = 2 * eax
   0x000000000040121e <+26>:    jmp    0x40123d <fun7+57> #return 2 eax
   0x0000000000401220 <+28>:    mov    $0x0,%eax #eax = 0
   0x0000000000401225 <+33>:    cmp    %esi,%edx #edx == esi
   0x0000000000401227 <+35>:    je     0x40123d <fun7+57> #return 0
   0x0000000000401229 <+37>:    mov    0x10(%rdi),%rdi #rdi = *(rdi + 10) #去右边的节点
   0x000000000040122d <+41>:    callq  0x401204 <fun7>
   0x0000000000401232 <+46>:    lea    0x1(%rax,%rax,1),%eax #return eax = 2rax + 1 
   0x0000000000401236 <+50>:    jmp    0x40123d <fun7+57>
   0x0000000000401238 <+52>:    mov    $0xffffffff,%eax 
   0x000000000040123d <+57>:    add    $0x8,%rsp
   0x0000000000401241 <+61>:    retq
End of assembler dump.

image.png

要返回2,那么就是

0 -> 2 * 0 + 1 -> 2* 1 = 2

最后一次返回0,倒数第二次返回2*rax + 1,倒数第一次返回rax

最后一次返回0则说明必然是树里面的数值

结果就是这个值必然小于24(第一次),大于8,满足条件的只有0x16(22)

上一篇下一篇

猜你喜欢

热点阅读