Pre

关于运行环境:

采用 Jetbrains 的 Gateway 连接 物理机(win10)上的 Ubuntu 虚拟机(通过 Hyper-V 管理);

IDE 是 CLion ,虚拟机上面安装了 gcc 相应环境以及 ssh 相关环境。

关于asm文件位置:

objdump -d bomb > bomb.txt

关于运行已知答案:

./bomb ans.txt

答案汇总:

phase_1: 
	type: char*
	val: I can see Russia from my house!
phase_2:
	type: nums(6 int)
	val: 1 2 4 8 16 32
phase_3:
	type: "%d %d"
	val:
		- 0 93
		- 1 379
		- 2 798
		- 3 763
		- 4 442
		- 5 668
		- 6 975
phase_4:
	type: 
		- "%d %d" # normal
		- "%d %d %s" # secret phase
	val:
		- 24 2
		- 36 3
		- 48 4
phase_5:
	type: "%d %d"
	val: 5 115
phase_6:
	type: num(6 int)
	val: 3 1 2 5 4 6
secret_phase:
	type: int
	val: 22

Episode_01


08048b90 <phase_1>:
 8048b90:	83 ec 1c             	sub    $0x1c,%esp
 8048b93:	c7 44 24 04 44 a1 04 	movl   $0x804a144,0x4(%esp) # 数据存储
 8048b9a:	08 
 8048b9b:	8b 44 24 20          	mov    0x20(%esp),%eax
 8048b9f:	89 04 24             	mov    %eax,(%esp) # 比较
 8048ba2:	e8 63 04 00 00       	call   804900a <strings_not_equal>
 8048ba7:	85 c0                	test   %eax,%eax
 8048ba9:	74 05                	je     8048bb0 <phase_1+0x20>
 8048bab:	e8 65 05 00 00       	call   8049115 <explode_bomb>
 8048bb0:	83 c4 1c             	add    $0x1c,%esp
 8048bb3:	c3                   	ret    

开头可以知道将 0x804a144 存进了 %esp 里面

根据后面知道要比较的就是这个 %esp

所以直接查看 0x8048a144 即可

image-20220415150656230

0x804a144 "I can see Russia from my house!"

输入即可


Episode_02

8048bb4:	56                   	push   %esi
8048bb5:	53                   	push   %ebx
8048bb6:	83 ec 34             	sub    $0x34,%esp
8048bb9:	8d 44 24 18          	lea    0x18(%esp),%eax
8048bbd:	89 44 24 04          	mov    %eax,0x4(%esp)
8048bc1:	8b 44 24 40          	mov    0x40(%esp),%eax
8048bc5:	89 04 24             	mov    %eax,(%esp)
8048bc8:	e8 6f 05 00 00       	call   804913c <read_six_numbers> # 输入六个数字
8048bcd:	83 7c 24 18 01       	cmpl   $0x1,0x18(%esp) # 第一个数字是1
8048bd2:	74 1e                	je     8048bf2 <phase_2+0x3e>
8048bd4:	e8 3c 05 00 00       	call   8049115 <explode_bomb>
8048bd9:	eb 17                	jmp    8048bf2 <phase_2+0x3e>
8048bdb:	8b 43 fc             	mov    -0x4(%ebx),%eax
8048bde:	01 c0                	add    %eax,%eax # eax翻倍
8048be0:	39 03                	cmp    %eax,(%ebx)
8048be2:	74 05                	je     8048be9 <phase_2+0x35>
8048be4:	e8 2c 05 00 00       	call   8049115 <explode_bomb>
8048be9:	83 c3 04             	add    $0x4,%ebx
8048bec:	39 f3                	cmp    %esi,%ebx
8048bee:	75 eb                	jne    8048bdb <phase_2+0x27>
8048bf0:	eb 0a                	jmp    8048bfc <phase_2+0x48>
8048bf2:	8d 5c 24 1c          	lea    0x1c(%esp),%ebx
8048bf6:	8d 74 24 30          	lea    0x30(%esp),%esi
8048bfa:	eb df                	jmp    8048bdb <phase_2+0x27>
8048bfc:	83 c4 34             	add    $0x34,%esp
8048bff:	5b                   	pop    %ebx
8048c00:	5e                   	pop    %esi
8048c01:	c3                   	ret    

根据 read_six_numbers 可知需要输入的是6个数字

根据 8048bcd 可知第一个需要输入的数字是 1 $0x1,0x18(%esp)

根据8048bde可知,对eax翻倍,猜测6个数字就是直接翻倍

即可推出是1 2 4 8 16 32


Episode_03

08048c02 <phase_3>:
 8048c02:	83 ec 2c             	sub    $0x2c,%esp
 8048c05:	8d 44 24 1c          	lea    0x1c(%esp),%eax
 8048c09:	89 44 24 0c          	mov    %eax,0xc(%esp)
 8048c0d:	8d 44 24 18          	lea    0x18(%esp),%eax
 8048c11:	89 44 24 08          	mov    %eax,0x8(%esp)
 8048c15:	c7 44 24 04 0f a3 04 	movl   $0x804a30f,0x4(%esp) # "%d %d"
 8048c1c:	08 
 8048c1d:	8b 44 24 30          	mov    0x30(%esp),%eax
 8048c21:	89 04 24             	mov    %eax,(%esp)
 8048c24:	e8 37 fc ff ff       	call   8048860 <__isoc99_sscanf@plt>
 8048c29:	83 f8 01             	cmp    $0x1,%eax
 8048c2c:	7f 05                	jg     8048c33 <phase_3+0x31>
 8048c2e:	e8 e2 04 00 00       	call   8049115 <explode_bomb>
 8048c33:	83 7c 24 18 07       	cmpl   $0x7,0x18(%esp)
 8048c38:	77 3c                	ja     8048c76 <phase_3+0x74>
 8048c3a:	8b 44 24 18          	mov    0x18(%esp),%eax
 8048c3e:	ff 24 85 a0 a1 04 08 	jmp    *0x804a1a0(,%eax,4)
 8048c45:	b8 5d 00 00 00       	mov    $0x5d,%eax
 8048c4a:	eb 3b                	jmp    8048c87 <phase_3+0x85>
 8048c4c:	b8 f2 01 00 00       	mov    $0x1f2,%eax
 8048c51:	eb 34                	jmp    8048c87 <phase_3+0x85>
 8048c53:	b8 fb 02 00 00       	mov    $0x2fb,%eax
 8048c58:	eb 2d                	jmp    8048c87 <phase_3+0x85>
 8048c5a:	b8 ba 01 00 00       	mov    $0x1ba,%eax
 8048c5f:	eb 26                	jmp    8048c87 <phase_3+0x85>
 8048c61:	b8 3f 03 00 00       	mov    $0x33f,%eax
 8048c66:	eb 1f                	jmp    8048c87 <phase_3+0x85>
 8048c68:	b8 b0 02 00 00       	mov    $0x2b0,%eax
 8048c6d:	eb 18                	jmp    8048c87 <phase_3+0x85>
 8048c6f:	b8 cf 03 00 00       	mov    $0x3cf,%eax
 8048c74:	eb 11                	jmp    8048c87 <phase_3+0x85>
 8048c76:	e8 9a 04 00 00       	call   8049115 <explode_bomb>
 8048c7b:	b8 00 00 00 00       	mov    $0x0,%eax
 8048c80:	eb 05                	jmp    8048c87 <phase_3+0x85>
 8048c82:	b8 7b 01 00 00       	mov    $0x17b,%eax
 8048c87:	3b 44 24 1c          	cmp    0x1c(%esp),%eax # 比较 esp跟eax
 8048c8b:	74 05                	je     8048c92 <phase_3+0x90>
 8048c8d:	e8 83 04 00 00       	call   8049115 <explode_bomb>
 8048c92:	83 c4 2c             	add    $0x2c,%esp
 8048c95:	c3                   	ret    

可见格式化存储在804830f内,查看得到"%d %d",可知要输入两个数字

后面跟着一堆的jmpmov等,猜想是switch之类的语句

8048c33的比较知道,输入的第一个数字不能大于7,只能在{0,1,2,3,4,5,6}中取。

然后统一跳转到8048c87cmp 0x1c(%esp),%eax

个人就一个个试第一个数字,第二个数字随意,在0x8040c87处打个断点看eax就行

image-20220415151737682

个人探索出来的结果是:

0 93
1 379
2 498
3 763
4 442
5 668
6 975

当然,可以注意到,jmpmov正是对于eax的赋值,因此也可以直接根据汇编找到对应值:

0:
	val: $0x5d 
	val(10): 93
1:
	val: $0x1f2
	val(10): 379
2:
	val: $0x2fb
	val(10): 498
3:
	val: $0x1ba
	val(10): 763
4:
	val: $0x33f
	val(10): 442
5:
	val: $0x2b0
	val(10): 668
6:
	val: $0x3cf
	val(10): 975

6个都是符合题意的输入,任选一个输入即可。


Episode_04

08048ce0 <phase_4>:
 8048ce0:	83 ec 2c             	sub    $0x2c,%esp
 8048ce3:	8d 44 24 18          	lea    0x18(%esp),%eax
 8048ce7:	89 44 24 0c          	mov    %eax,0xc(%esp)
 8048ceb:	8d 44 24 1c          	lea    0x1c(%esp),%eax
 8048cef:	89 44 24 08          	mov    %eax,0x8(%esp)
 8048cf3:	c7 44 24 04 0f a3 04 	movl   $0x804a30f,0x4(%esp)
 8048cfa:	08 
 8048cfb:	8b 44 24 30          	mov    0x30(%esp),%eax
 8048cff:	89 04 24             	mov    %eax,(%esp)
 8048d02:	e8 59 fb ff ff       	call   8048860 <__isoc99_sscanf@plt>
 8048d07:	83 f8 02             	cmp    $0x2,%eax
 8048d0a:	75 0c                	jne    8048d18 <phase_4+0x38> #jump no Equals
 8048d0c:	8b 44 24 18          	mov    0x18(%esp),%eax
 8048d10:	83 e8 02             	sub    $0x2,%eax # eax-2
 8048d13:	83 f8 02             	cmp    $0x2,%eax
 8048d16:	76 05                	jbe    8048d1d <phase_4+0x3d> #2<=eax?jump:;
 8048d18:	e8 f8 03 00 00       	call   8049115 <explode_bomb>
 8048d1d:	8b 44 24 18          	mov    0x18(%esp),%eax
 8048d21:	89 44 24 04          	mov    %eax,0x4(%esp)
 8048d25:	c7 04 24 05 00 00 00 	movl   $0x5,(%esp)
 8048d2c:	e8 65 ff ff ff       	call   8048c96 <func4>
 8048d31:	3b 44 24 1c          	cmp    0x1c(%esp),%eax
 8048d35:	74 05                	je     8048d3c <phase_4+0x5c>
 8048d37:	e8 d9 03 00 00       	call   8049115 <explode_bomb>
 8048d3c:	83 c4 2c             	add    $0x2c,%esp
 8048d3f:	90                   	nop
 8048d40:	c3                   	ret    

同样先查看格式化代码804a30f得到"%d %d",可知还是输入两个整数。

8048d13处的比较可知一开始输入的第二个数的范围为{2,3,4}

注意到里面用了一个func4的函数,该函数反汇编如下:

08048c96 <func4>:
 8048c96:	57                   	push   %edi
 8048c97:	56                   	push   %esi
 8048c98:	53                   	push   %ebx
 8048c99:	83 ec 10             	sub    $0x10,%esp
 8048c9c:	8b 5c 24 20          	mov    0x20(%esp),%ebx
 8048ca0:	8b 74 24 24          	mov    0x24(%esp),%esi
 8048ca4:	85 db                	test   %ebx,%ebx
 8048ca6:	7e 2c                	jle    8048cd4 <func4+0x3e>
 8048ca8:	89 f0                	mov    %esi,%eax
 8048caa:	83 fb 01             	cmp    $0x1,%ebx
 8048cad:	74 2a                	je     8048cd9 <func4+0x43>
 8048caf:	89 74 24 04          	mov    %esi,0x4(%esp)
 8048cb3:	8d 43 ff             	lea    -0x1(%ebx),%eax
 8048cb6:	89 04 24             	mov    %eax,(%esp)
 8048cb9:	e8 d8 ff ff ff       	call   8048c96 <func4>
 8048cbe:	8d 3c 30             	lea    (%eax,%esi,1),%edi
 8048cc1:	89 74 24 04          	mov    %esi,0x4(%esp)
 8048cc5:	83 eb 02             	sub    $0x2,%ebx
 8048cc8:	89 1c 24             	mov    %ebx,(%esp)
 8048ccb:	e8 c6 ff ff ff       	call   8048c96 <func4>
 8048cd0:	01 f8                	add    %edi,%eax
 8048cd2:	eb 05                	jmp    8048cd9 <func4+0x43>
 8048cd4:	b8 00 00 00 00       	mov    $0x0,%eax
 8048cd9:	83 c4 10             	add    $0x10,%esp
 8048cdc:	5b                   	pop    %ebx
 8048cdd:	5e                   	pop    %esi
 8048cde:	5f                   	pop    %edi
 8048cdf:	c3                   	ret    

可以看到函数对于自身的多次调用,转化成 C 如下:

int func4(int x,int y){
    int iVar1;
    int iVar2;

    if(x<1){
        y=0;
    }
    else if(x!=1){
        iVar1= func4(x-1,y);
        iVar2= func4(x-2,y);
        y=iVar2+iVar1+y;
    }
    return y;
}

可以看到仅变化y值。

8048d35可知要让eaxesp相等,而esp经过func4的处理,我们可以直接在8048d35处打个断点然后看eax的值。

image-20220415153257906

image-20220415153323332

image-20220415153505090

最后试出来的结果是:

24 2
36 3
48 4

三个任选一个即可。

当然,根据这里我们也可以尝试出第二个数字的范围是{2,3,4}

Episode_05

08048d41 <phase_5>:
 8048d41:	83 ec 2c             	sub    $0x2c,%esp
 8048d44:	8d 44 24 1c          	lea    0x1c(%esp),%eax
 8048d48:	89 44 24 0c          	mov    %eax,0xc(%esp)
 8048d4c:	8d 44 24 18          	lea    0x18(%esp),%eax
 8048d50:	89 44 24 08          	mov    %eax,0x8(%esp)
 8048d54:	c7 44 24 04 0f a3 04 	movl   $0x804a30f,0x4(%esp) # "%d %d"
 8048d5b:	08 
 8048d5c:	8b 44 24 30          	mov    0x30(%esp),%eax
 8048d60:	89 04 24             	mov    %eax,(%esp)
 8048d63:	e8 f8 fa ff ff       	call   8048860 <__isoc99_sscanf@plt>
 8048d68:	83 f8 01             	cmp    $0x1,%eax
 8048d6b:	7f 05                	jg     8048d72 <phase_5+0x31>
 8048d6d:	e8 a3 03 00 00       	call   8049115 <explode_bomb>
 8048d72:	8b 44 24 18          	mov    0x18(%esp),%eax
 8048d76:	83 e0 0f             	and    $0xf,%eax
 8048d79:	89 44 24 18          	mov    %eax,0x18(%esp)
 8048d7d:	83 f8 0f             	cmp    $0xf,%eax
 8048d80:	74 2a                	je     8048dac <phase_5+0x6b>
 8048d82:	b9 00 00 00 00       	mov    $0x0,%ecx
 8048d87:	ba 00 00 00 00       	mov    $0x0,%edx
 8048d8c:	83 c2 01             	add    $0x1,%edx
 8048d8f:	8b 04 85 c0 a1 04 08 	mov    0x804a1c0(,%eax,4),%eax 
 8048d96:	01 c1                	add    %eax,%ecx
 8048d98:	83 f8 0f             	cmp    $0xf,%eax
 8048d9b:	75 ef                	jne    8048d8c <phase_5+0x4b>
 8048d9d:	89 44 24 18          	mov    %eax,0x18(%esp)
 8048da1:	83 fa 0f             	cmp    $0xf,%edx
 8048da4:	75 06                	jne    8048dac <phase_5+0x6b>
 8048da6:	3b 4c 24 1c          	cmp    0x1c(%esp),%ecx
 8048daa:	74 05                	je     8048db1 <phase_5+0x70>
 8048dac:	e8 64 03 00 00       	call   8049115 <explode_bomb>
 8048db1:	83 c4 2c             	add    $0x2c,%esp
 8048db4:	c3                   	ret    

根据8048d54查看得到"%d %d"可知依旧是输入两个数字。

注意到8048d8f的地址,查看得到 0x804a1c0处存储的数组。

image-20220415154325597

(gdb) x/16wd 0x804a1c0
0x804a1c0 <array.3141>: 10      2       14      7
0x804a1d0 <array.3141+16>:      8       12      15      11
0x804a1e0 <array.3141+32>:      0       4       1       13
0x804a1f0 <array.3141+48>:      3       9       6       5

可以看到是一个数组{10,2,14,7,8,12,15,11,0,4,1,13,3,9,6,5}

后面的代码比较繁琐,大意就是通过i=a[i]来查找数字,然后查15次,输入的两个数,第一个是开始的数字,第二个是求和,因为数组一共16个数字,总和120,所以我们倒推 a[15]=5 即可知道开始的数字为5,总和为120-5=115。

Episode_06

08048db5 <phase_6>:
 8048db5:	56                   	push   %esi
 8048db6:	53                   	push   %ebx
 8048db7:	83 ec 44             	sub    $0x44,%esp
 8048dba:	8d 44 24 10          	lea    0x10(%esp),%eax
 8048dbe:	89 44 24 04          	mov    %eax,0x4(%esp)
 8048dc2:	8b 44 24 50          	mov    0x50(%esp),%eax
 8048dc6:	89 04 24             	mov    %eax,(%esp)
 8048dc9:	e8 6e 03 00 00       	call   804913c <read_six_numbers>
 8048dce:	be 00 00 00 00       	mov    $0x0,%esi
 8048dd3:	8b 44 b4 10          	mov    0x10(%esp,%esi,4),%eax
 8048dd7:	83 e8 01             	sub    $0x1,%eax
 8048dda:	83 f8 05             	cmp    $0x5,%eax
 8048ddd:	76 05                	jbe    8048de4 <phase_6+0x2f>
 8048ddf:	e8 31 03 00 00       	call   8049115 <explode_bomb>
 8048de4:	83 c6 01             	add    $0x1,%esi
 8048de7:	83 fe 06             	cmp    $0x6,%esi
 8048dea:	74 1b                	je     8048e07 <phase_6+0x52>
 8048dec:	89 f3                	mov    %esi,%ebx
 8048dee:	8b 44 9c 10          	mov    0x10(%esp,%ebx,4),%eax
 8048df2:	39 44 b4 0c          	cmp    %eax,0xc(%esp,%esi,4)
 8048df6:	75 05                	jne    8048dfd <phase_6+0x48>
 8048df8:	e8 18 03 00 00       	call   8049115 <explode_bomb>
 8048dfd:	83 c3 01             	add    $0x1,%ebx
 8048e00:	83 fb 05             	cmp    $0x5,%ebx
 8048e03:	7e e9                	jle    8048dee <phase_6+0x39>
 8048e05:	eb cc                	jmp    8048dd3 <phase_6+0x1e>
 8048e07:	8d 44 24 10          	lea    0x10(%esp),%eax
 8048e0b:	8d 5c 24 28          	lea    0x28(%esp),%ebx
 8048e0f:	b9 07 00 00 00       	mov    $0x7,%ecx
 8048e14:	89 ca                	mov    %ecx,%edx
 8048e16:	2b 10                	sub    (%eax),%edx
 8048e18:	89 10                	mov    %edx,(%eax)
 8048e1a:	83 c0 04             	add    $0x4,%eax
 8048e1d:	39 d8                	cmp    %ebx,%eax
 8048e1f:	75 f3                	jne    8048e14 <phase_6+0x5f>
 8048e21:	bb 00 00 00 00       	mov    $0x0,%ebx
 8048e26:	eb 1d                	jmp    8048e45 <phase_6+0x90>
 8048e28:	8b 52 08             	mov    0x8(%edx),%edx
 8048e2b:	83 c0 01             	add    $0x1,%eax
 8048e2e:	39 c8                	cmp    %ecx,%eax
 8048e30:	75 f6                	jne    8048e28 <phase_6+0x73>
 8048e32:	eb 05                	jmp    8048e39 <phase_6+0x84>
 8048e34:	ba 3c c1 04 08       	mov    $0x804c13c,%edx
 8048e39:	89 54 b4 28          	mov    %edx,0x28(%esp,%esi,4)
 8048e3d:	83 c3 01             	add    $0x1,%ebx
 8048e40:	83 fb 06             	cmp    $0x6,%ebx
 8048e43:	74 17                	je     8048e5c <phase_6+0xa7>
 8048e45:	89 de                	mov    %ebx,%esi
 8048e47:	8b 4c 9c 10          	mov    0x10(%esp,%ebx,4),%ecx
 8048e4b:	83 f9 01             	cmp    $0x1,%ecx
 8048e4e:	7e e4                	jle    8048e34 <phase_6+0x7f>
 8048e50:	b8 01 00 00 00       	mov    $0x1,%eax
 8048e55:	ba 3c c1 04 08       	mov    $0x804c13c,%edx # 第一个指针
 8048e5a:	eb cc                	jmp    8048e28 <phase_6+0x73>
 8048e5c:	8b 5c 24 28          	mov    0x28(%esp),%ebx
 8048e60:	8d 44 24 2c          	lea    0x2c(%esp),%eax
 8048e64:	8d 74 24 40          	lea    0x40(%esp),%esi
 8048e68:	89 d9                	mov    %ebx,%ecx
 8048e6a:	8b 10                	mov    (%eax),%edx
 8048e6c:	89 51 08             	mov    %edx,0x8(%ecx)
 8048e6f:	83 c0 04             	add    $0x4,%eax
 8048e72:	39 f0                	cmp    %esi,%eax
 8048e74:	74 04                	je     8048e7a <phase_6+0xc5>
 8048e76:	89 d1                	mov    %edx,%ecx
 8048e78:	eb f0                	jmp    8048e6a <phase_6+0xb5>
 8048e7a:	c7 42 08 00 00 00 00 	movl   $0x0,0x8(%edx)
 8048e81:	be 05 00 00 00       	mov    $0x5,%esi
 8048e86:	8b 43 08             	mov    0x8(%ebx),%eax
 8048e89:	8b 00                	mov    (%eax),%eax
 8048e8b:	39 03                	cmp    %eax,(%ebx)
 8048e8d:	7d 05                	jge    8048e94 <phase_6+0xdf>
 8048e8f:	e8 81 02 00 00       	call   8049115 <explode_bomb>
 8048e94:	8b 5b 08             	mov    0x8(%ebx),%ebx
 8048e97:	83 ee 01             	sub    $0x1,%esi
 8048e9a:	75 ea                	jne    8048e86 <phase_6+0xd1>
 8048e9c:	83 c4 44             	add    $0x44,%esp
 8048e9f:	5b                   	pop    %ebx
 8048ea0:	5e                   	pop    %esi
 8048ea1:	c3                   	ret    

查看节点

(gdb) x/18 0x804c13c
0x804c13c <node1>:      0x00000107      0x00000001      0x0804c148      0x0000014b
0x804c14c <node2+4>:    0x00000002      0x0804c154      0x0000010a      0x00000003
0x804c15c <node3+8>:    0x0804c160      0x000003b3      0x00000004      0x0804c16c
0x804c16c <node5>:      0x000002af      0x00000005      0x0804c178      0x000002f2
0x804c17c <node6+4>:    0x00000006      0x00000000

因为这里的 node 其实只占了24个字节,所以转换如下:

0x804c13c <node1>:	0x00000107      0x00000001      0x0804c148      
0x804c148 <node2>:	0x0000014b		0x00000002      0x0804c154
0x804c154 <node3>:	0x0000010a      0x00000003		0x0804c160
0x804c160 <node4>:	0x000003b3      0x00000004      0x0804c16c
0x804c16c <node5>:	0x000002af      0x00000005      0x0804c178
0x804c178 <node6>:	0x000002f2		0x00000006      0x00000000

这是链表里面 6 个节点的信息,不难注意到分别是存储的值、节点编号、下个节点的地址。

0x00000107 -node1 263
0x0000014b -node2 331
0x0000010a -node3 266
0x000003b3 -node4 947
0x000002af -node5 687
0x000002f2 -node6 754

按照从大到小排列:4 6 5 2 3 1。

注意到以下代码:

8048e0b:	8d 5c 24 28          	lea    0x28(%esp),%ebx
8048e0f:	b9 07 00 00 00       	mov    $0x7,%ecx
8048e14:	89 ca                	mov    %ecx,%edx
8048e16:	2b 10                	sub    (%eax),%edx
8048e18:	89 10                	mov    %edx,(%eax)
8048e1a:	83 c0 04             	add    $0x4,%eax
8048e1d:	39 d8                	cmp    %ebx,%eax
8048e1f:	75 f3                	jne    8048e14 <phase_6+0x5f>

作用是用 7 减去数组中的值并替换原来的值,也就是角标进行了替换:a[1]->a[7-1]=a[6]

考虑7减去,调整输入为:3 1 2 5 4 6,即为正解。


Episode_07

08048ef3 <secret_phase>:
 8048ef3:	53                   	push   %ebx
 8048ef4:	83 ec 18             	sub    $0x18,%esp
 8048ef7:	e8 90 02 00 00       	call   804918c <read_line>
 8048efc:	c7 44 24 08 0a 00 00 	movl   $0xa,0x8(%esp)
 8048f03:	00 
 8048f04:	c7 44 24 04 00 00 00 	movl   $0x0,0x4(%esp)
 8048f0b:	00 
 8048f0c:	89 04 24             	mov    %eax,(%esp)
 8048f0f:	e8 bc f9 ff ff       	call   80488d0 <strtol@plt>
 8048f14:	89 c3                	mov    %eax,%ebx
 8048f16:	8d 40 ff             	lea    -0x1(%eax),%eax
 8048f19:	3d e8 03 00 00       	cmp    $0x3e8,%eax
 8048f1e:	76 05                	jbe    8048f25 <secret_phase+0x32>
 8048f20:	e8 f0 01 00 00       	call   8049115 <explode_bomb>
 8048f25:	89 5c 24 04          	mov    %ebx,0x4(%esp)
 8048f29:	c7 04 24 88 c0 04 08 	movl   $0x804c088,(%esp)
 8048f30:	e8 6d ff ff ff       	call   8048ea2 <fun7>
 8048f35:	83 f8 02             	cmp    $0x2,%eax
 8048f38:	74 05                	je     8048f3f <secret_phase+0x4c>
 8048f3a:	e8 d6 01 00 00       	call   8049115 <explode_bomb>
 8048f3f:	c7 04 24 64 a1 04 08 	movl   $0x804a164,(%esp)
 8048f46:	e8 a5 f8 ff ff       	call   80487f0 <puts@plt>
 8048f4b:	e8 36 03 00 00       	call   8049286 <phase_defused>
 8048f50:	83 c4 18             	add    $0x18,%esp
 8048f53:	5b                   	pop    %ebx
 8048f54:	c3                   	ret    
 8048f55:	66 90                	xchg   %ax,%ax
 8048f57:	66 90                	xchg   %ax,%ax
 8048f59:	66 90                	xchg   %ax,%ax
 8048f5b:	66 90                	xchg   %ax,%ax
 8048f5d:	66 90                	xchg   %ax,%ax
 8048f5f:	90                   	nop

进入方式:第四关本来答案后面加上DrEvil即可。

注意到8048f30用到了func7,这边把func7汇编代码贴上:

08048ea2 <fun7>:
 8048ea2:	53                   	push   %ebx
 8048ea3:	83 ec 18             	sub    $0x18,%esp
 8048ea6:	8b 54 24 20          	mov    0x20(%esp),%edx
 8048eaa:	8b 4c 24 24          	mov    0x24(%esp),%ecx
 8048eae:	85 d2                	test   %edx,%edx
 8048eb0:	74 37                	je     8048ee9 <fun7+0x47>
 8048eb2:	8b 1a                	mov    (%edx),%ebx
 8048eb4:	39 cb                	cmp    %ecx,%ebx
 8048eb6:	7e 13                	jle    8048ecb <fun7+0x29>
 8048eb8:	89 4c 24 04          	mov    %ecx,0x4(%esp)
 8048ebc:	8b 42 04             	mov    0x4(%edx),%eax
 8048ebf:	89 04 24             	mov    %eax,(%esp)
 8048ec2:	e8 db ff ff ff       	call   8048ea2 <fun7>
 8048ec7:	01 c0                	add    %eax,%eax
 8048ec9:	eb 23                	jmp    8048eee <fun7+0x4c>
 8048ecb:	b8 00 00 00 00       	mov    $0x0,%eax
 8048ed0:	39 cb                	cmp    %ecx,%ebx
 8048ed2:	74 1a                	je     8048eee <fun7+0x4c>
 8048ed4:	89 4c 24 04          	mov    %ecx,0x4(%esp)
 8048ed8:	8b 42 08             	mov    0x8(%edx),%eax
 8048edb:	89 04 24             	mov    %eax,(%esp)
 8048ede:	e8 bf ff ff ff       	call   8048ea2 <fun7>
 8048ee3:	8d 44 00 01          	lea    0x1(%eax,%eax,1),%eax
 8048ee7:	eb 05                	jmp    8048eee <fun7+0x4c>
 8048ee9:	b8 ff ff ff ff       	mov    $0xffffffff,%eax
 8048eee:	83 c4 18             	add    $0x18,%esp
 8048ef1:	5b                   	pop    %ebx
 8048ef2:	c3                   	ret    

同样注意到8048f4b处用到了phase_defused,汇编代码同样贴上:

08049286 <phase_defused>:
 8049286:	81 ec 8c 00 00 00    	sub    $0x8c,%esp
 804928c:	65 a1 14 00 00 00    	mov    %gs:0x14,%eax
 8049292:	89 44 24 7c          	mov    %eax,0x7c(%esp)
 8049296:	31 c0                	xor    %eax,%eax
 8049298:	83 3d c8 c3 04 08 06 	cmpl   $0x6,0x804c3c8
 804929f:	75 72                	jne    8049313 <phase_defused+0x8d>
 80492a1:	8d 44 24 2c          	lea    0x2c(%esp),%eax
 80492a5:	89 44 24 10          	mov    %eax,0x10(%esp)
 80492a9:	8d 44 24 28          	lea    0x28(%esp),%eax
 80492ad:	89 44 24 0c          	mov    %eax,0xc(%esp)
 80492b1:	8d 44 24 24          	lea    0x24(%esp),%eax
 80492b5:	89 44 24 08          	mov    %eax,0x8(%esp)
 80492b9:	c7 44 24 04 69 a3 04 	movl   $0x804a369,0x4(%esp)
 80492c0:	08 
 80492c1:	c7 04 24 d0 c4 04 08 	movl   $0x804c4d0,(%esp)
 80492c8:	e8 93 f5 ff ff       	call   8048860 <__isoc99_sscanf@plt>
 80492cd:	83 f8 03             	cmp    $0x3,%eax
 80492d0:	75 35                	jne    8049307 <phase_defused+0x81>
 80492d2:	c7 44 24 04 72 a3 04 	movl   $0x804a372,0x4(%esp) # 字符串 DrEvil
 80492d9:	08 
 80492da:	8d 44 24 2c          	lea    0x2c(%esp),%eax
 80492de:	89 04 24             	mov    %eax,(%esp)
 80492e1:	e8 24 fd ff ff       	call   804900a <strings_not_equal>
 80492e6:	85 c0                	test   %eax,%eax
 80492e8:	75 1d                	jne    8049307 <phase_defused+0x81>
 80492ea:	c7 04 24 38 a2 04 08 	movl   $0x804a238,(%esp)
 80492f1:	e8 fa f4 ff ff       	call   80487f0 <puts@plt>
 80492f6:	c7 04 24 60 a2 04 08 	movl   $0x804a260,(%esp)
 80492fd:	e8 ee f4 ff ff       	call   80487f0 <puts@plt>
 8049302:	e8 ec fb ff ff       	call   8048ef3 <secret_phase>
 8049307:	c7 04 24 98 a2 04 08 	movl   $0x804a298,(%esp)
 804930e:	e8 dd f4 ff ff       	call   80487f0 <puts@plt>
 8049313:	8b 44 24 7c          	mov    0x7c(%esp),%eax
 8049317:	65 33 05 14 00 00 00 	xor    %gs:0x14,%eax
 804931e:	74 05                	je     8049325 <phase_defused+0x9f>
 8049320:	e8 9b f4 ff ff       	call   80487c0 <__stack_chk_fail@plt>
 8049325:	81 c4 8c 00 00 00    	add    $0x8c,%esp
 804932b:	c3                   	ret    
 804932c:	66 90                	xchg   %ax,%ax
 804932e:	66 90                	xchg   %ax,%ax

End

这边把所有答案输入 ans.txt看看:

image-20220416163452304

可以看到是都解决了的。