Pre
关于运行环境:
采用 Jetbrains 的 Gateway 连接 物理机(win10)上的 Ubuntu 虚拟机(通过 Hyper-V 管理);
IDE 是 CLion ,虚拟机上面安装了 gcc 相应环境以及 ssh 相关环境。
关于asm文件位置:
objdump -d bomb > bomb.txt关于运行已知答案:
./bomb ans.txt答案汇总:
phase_1:
type: char*
val: I can see Russia from my house!
phase_2:
type: nums(6 int)
val: 1 2 4 8 16 32
phase_3:
type: "%d %d"
val:
- 0 93
- 1 379
- 2 798
- 3 763
- 4 442
- 5 668
- 6 975
phase_4:
type:
- "%d %d" # normal
- "%d %d %s" # secret phase
val:
- 24 2
- 36 3
- 48 4
phase_5:
type: "%d %d"
val: 5 115
phase_6:
type: num(6 int)
val: 3 1 2 5 4 6
secret_phase:
type: int
val: 22Episode_01
08048b90 <phase_1>:
8048b90: 83 ec 1c sub $0x1c,%esp
8048b93: c7 44 24 04 44 a1 04 movl $0x804a144,0x4(%esp) # 数据存储
8048b9a: 08
8048b9b: 8b 44 24 20 mov 0x20(%esp),%eax
8048b9f: 89 04 24 mov %eax,(%esp) # 比较
8048ba2: e8 63 04 00 00 call 804900a <strings_not_equal>
8048ba7: 85 c0 test %eax,%eax
8048ba9: 74 05 je 8048bb0 <phase_1+0x20>
8048bab: e8 65 05 00 00 call 8049115 <explode_bomb>
8048bb0: 83 c4 1c add $0x1c,%esp
8048bb3: c3 ret 开头可以知道将 0x804a144 存进了 %esp 里面
根据后面知道要比较的就是这个 %esp
所以直接查看 0x8048a144 即可
0x804a144 "I can see Russia from my house!"输入即可
Episode_02
8048bb4: 56 push %esi
8048bb5: 53 push %ebx
8048bb6: 83 ec 34 sub $0x34,%esp
8048bb9: 8d 44 24 18 lea 0x18(%esp),%eax
8048bbd: 89 44 24 04 mov %eax,0x4(%esp)
8048bc1: 8b 44 24 40 mov 0x40(%esp),%eax
8048bc5: 89 04 24 mov %eax,(%esp)
8048bc8: e8 6f 05 00 00 call 804913c <read_six_numbers> # 输入六个数字
8048bcd: 83 7c 24 18 01 cmpl $0x1,0x18(%esp) # 第一个数字是1
8048bd2: 74 1e je 8048bf2 <phase_2+0x3e>
8048bd4: e8 3c 05 00 00 call 8049115 <explode_bomb>
8048bd9: eb 17 jmp 8048bf2 <phase_2+0x3e>
8048bdb: 8b 43 fc mov -0x4(%ebx),%eax
8048bde: 01 c0 add %eax,%eax # eax翻倍
8048be0: 39 03 cmp %eax,(%ebx)
8048be2: 74 05 je 8048be9 <phase_2+0x35>
8048be4: e8 2c 05 00 00 call 8049115 <explode_bomb>
8048be9: 83 c3 04 add $0x4,%ebx
8048bec: 39 f3 cmp %esi,%ebx
8048bee: 75 eb jne 8048bdb <phase_2+0x27>
8048bf0: eb 0a jmp 8048bfc <phase_2+0x48>
8048bf2: 8d 5c 24 1c lea 0x1c(%esp),%ebx
8048bf6: 8d 74 24 30 lea 0x30(%esp),%esi
8048bfa: eb df jmp 8048bdb <phase_2+0x27>
8048bfc: 83 c4 34 add $0x34,%esp
8048bff: 5b pop %ebx
8048c00: 5e pop %esi
8048c01: c3 ret 根据 read_six_numbers 可知需要输入的是6个数字
根据 8048bcd 可知第一个需要输入的数字是 1 $0x1,0x18(%esp)
根据8048bde可知,对eax翻倍,猜测6个数字就是直接翻倍
即可推出是1 2 4 8 16 32
Episode_03
08048c02 <phase_3>:
8048c02: 83 ec 2c sub $0x2c,%esp
8048c05: 8d 44 24 1c lea 0x1c(%esp),%eax
8048c09: 89 44 24 0c mov %eax,0xc(%esp)
8048c0d: 8d 44 24 18 lea 0x18(%esp),%eax
8048c11: 89 44 24 08 mov %eax,0x8(%esp)
8048c15: c7 44 24 04 0f a3 04 movl $0x804a30f,0x4(%esp) # "%d %d"
8048c1c: 08
8048c1d: 8b 44 24 30 mov 0x30(%esp),%eax
8048c21: 89 04 24 mov %eax,(%esp)
8048c24: e8 37 fc ff ff call 8048860 <__isoc99_sscanf@plt>
8048c29: 83 f8 01 cmp $0x1,%eax
8048c2c: 7f 05 jg 8048c33 <phase_3+0x31>
8048c2e: e8 e2 04 00 00 call 8049115 <explode_bomb>
8048c33: 83 7c 24 18 07 cmpl $0x7,0x18(%esp)
8048c38: 77 3c ja 8048c76 <phase_3+0x74>
8048c3a: 8b 44 24 18 mov 0x18(%esp),%eax
8048c3e: ff 24 85 a0 a1 04 08 jmp *0x804a1a0(,%eax,4)
8048c45: b8 5d 00 00 00 mov $0x5d,%eax
8048c4a: eb 3b jmp 8048c87 <phase_3+0x85>
8048c4c: b8 f2 01 00 00 mov $0x1f2,%eax
8048c51: eb 34 jmp 8048c87 <phase_3+0x85>
8048c53: b8 fb 02 00 00 mov $0x2fb,%eax
8048c58: eb 2d jmp 8048c87 <phase_3+0x85>
8048c5a: b8 ba 01 00 00 mov $0x1ba,%eax
8048c5f: eb 26 jmp 8048c87 <phase_3+0x85>
8048c61: b8 3f 03 00 00 mov $0x33f,%eax
8048c66: eb 1f jmp 8048c87 <phase_3+0x85>
8048c68: b8 b0 02 00 00 mov $0x2b0,%eax
8048c6d: eb 18 jmp 8048c87 <phase_3+0x85>
8048c6f: b8 cf 03 00 00 mov $0x3cf,%eax
8048c74: eb 11 jmp 8048c87 <phase_3+0x85>
8048c76: e8 9a 04 00 00 call 8049115 <explode_bomb>
8048c7b: b8 00 00 00 00 mov $0x0,%eax
8048c80: eb 05 jmp 8048c87 <phase_3+0x85>
8048c82: b8 7b 01 00 00 mov $0x17b,%eax
8048c87: 3b 44 24 1c cmp 0x1c(%esp),%eax # 比较 esp跟eax
8048c8b: 74 05 je 8048c92 <phase_3+0x90>
8048c8d: e8 83 04 00 00 call 8049115 <explode_bomb>
8048c92: 83 c4 2c add $0x2c,%esp
8048c95: c3 ret 可见格式化存储在804830f内,查看得到"%d %d",可知要输入两个数字
后面跟着一堆的jmp、mov等,猜想是switch之类的语句
由8048c33的比较知道,输入的第一个数字不能大于7,只能在{0,1,2,3,4,5,6}中取。
然后统一跳转到8048c87的cmp 0x1c(%esp),%eax
个人就一个个试第一个数字,第二个数字随意,在0x8040c87处打个断点看eax就行
个人探索出来的结果是:
0 93
1 379
2 498
3 763
4 442
5 668
6 975当然,可以注意到,jmp前mov正是对于eax的赋值,因此也可以直接根据汇编找到对应值:
0:
val: $0x5d
val(10): 93
1:
val: $0x1f2
val(10): 379
2:
val: $0x2fb
val(10): 498
3:
val: $0x1ba
val(10): 763
4:
val: $0x33f
val(10): 442
5:
val: $0x2b0
val(10): 668
6:
val: $0x3cf
val(10): 9756个都是符合题意的输入,任选一个输入即可。
Episode_04
08048ce0 <phase_4>:
8048ce0: 83 ec 2c sub $0x2c,%esp
8048ce3: 8d 44 24 18 lea 0x18(%esp),%eax
8048ce7: 89 44 24 0c mov %eax,0xc(%esp)
8048ceb: 8d 44 24 1c lea 0x1c(%esp),%eax
8048cef: 89 44 24 08 mov %eax,0x8(%esp)
8048cf3: c7 44 24 04 0f a3 04 movl $0x804a30f,0x4(%esp)
8048cfa: 08
8048cfb: 8b 44 24 30 mov 0x30(%esp),%eax
8048cff: 89 04 24 mov %eax,(%esp)
8048d02: e8 59 fb ff ff call 8048860 <__isoc99_sscanf@plt>
8048d07: 83 f8 02 cmp $0x2,%eax
8048d0a: 75 0c jne 8048d18 <phase_4+0x38> #jump no Equals
8048d0c: 8b 44 24 18 mov 0x18(%esp),%eax
8048d10: 83 e8 02 sub $0x2,%eax # eax-2
8048d13: 83 f8 02 cmp $0x2,%eax
8048d16: 76 05 jbe 8048d1d <phase_4+0x3d> #2<=eax?jump:;
8048d18: e8 f8 03 00 00 call 8049115 <explode_bomb>
8048d1d: 8b 44 24 18 mov 0x18(%esp),%eax
8048d21: 89 44 24 04 mov %eax,0x4(%esp)
8048d25: c7 04 24 05 00 00 00 movl $0x5,(%esp)
8048d2c: e8 65 ff ff ff call 8048c96 <func4>
8048d31: 3b 44 24 1c cmp 0x1c(%esp),%eax
8048d35: 74 05 je 8048d3c <phase_4+0x5c>
8048d37: e8 d9 03 00 00 call 8049115 <explode_bomb>
8048d3c: 83 c4 2c add $0x2c,%esp
8048d3f: 90 nop
8048d40: c3 ret 同样先查看格式化代码804a30f得到"%d %d",可知还是输入两个整数。
由8048d13处的比较可知一开始输入的第二个数的范围为{2,3,4}。
注意到里面用了一个func4的函数,该函数反汇编如下:
08048c96 <func4>:
8048c96: 57 push %edi
8048c97: 56 push %esi
8048c98: 53 push %ebx
8048c99: 83 ec 10 sub $0x10,%esp
8048c9c: 8b 5c 24 20 mov 0x20(%esp),%ebx
8048ca0: 8b 74 24 24 mov 0x24(%esp),%esi
8048ca4: 85 db test %ebx,%ebx
8048ca6: 7e 2c jle 8048cd4 <func4+0x3e>
8048ca8: 89 f0 mov %esi,%eax
8048caa: 83 fb 01 cmp $0x1,%ebx
8048cad: 74 2a je 8048cd9 <func4+0x43>
8048caf: 89 74 24 04 mov %esi,0x4(%esp)
8048cb3: 8d 43 ff lea -0x1(%ebx),%eax
8048cb6: 89 04 24 mov %eax,(%esp)
8048cb9: e8 d8 ff ff ff call 8048c96 <func4>
8048cbe: 8d 3c 30 lea (%eax,%esi,1),%edi
8048cc1: 89 74 24 04 mov %esi,0x4(%esp)
8048cc5: 83 eb 02 sub $0x2,%ebx
8048cc8: 89 1c 24 mov %ebx,(%esp)
8048ccb: e8 c6 ff ff ff call 8048c96 <func4>
8048cd0: 01 f8 add %edi,%eax
8048cd2: eb 05 jmp 8048cd9 <func4+0x43>
8048cd4: b8 00 00 00 00 mov $0x0,%eax
8048cd9: 83 c4 10 add $0x10,%esp
8048cdc: 5b pop %ebx
8048cdd: 5e pop %esi
8048cde: 5f pop %edi
8048cdf: c3 ret 可以看到函数对于自身的多次调用,转化成 C 如下:
int func4(int x,int y){
int iVar1;
int iVar2;
if(x<1){
y=0;
}
else if(x!=1){
iVar1= func4(x-1,y);
iVar2= func4(x-2,y);
y=iVar2+iVar1+y;
}
return y;
}可以看到仅变化y值。
由8048d35可知要让eax与esp相等,而esp经过func4的处理,我们可以直接在8048d35处打个断点然后看eax的值。
最后试出来的结果是:
24 2
36 3
48 4三个任选一个即可。
当然,根据这里我们也可以尝试出第二个数字的范围是
{2,3,4}
Episode_05
08048d41 <phase_5>:
8048d41: 83 ec 2c sub $0x2c,%esp
8048d44: 8d 44 24 1c lea 0x1c(%esp),%eax
8048d48: 89 44 24 0c mov %eax,0xc(%esp)
8048d4c: 8d 44 24 18 lea 0x18(%esp),%eax
8048d50: 89 44 24 08 mov %eax,0x8(%esp)
8048d54: c7 44 24 04 0f a3 04 movl $0x804a30f,0x4(%esp) # "%d %d"
8048d5b: 08
8048d5c: 8b 44 24 30 mov 0x30(%esp),%eax
8048d60: 89 04 24 mov %eax,(%esp)
8048d63: e8 f8 fa ff ff call 8048860 <__isoc99_sscanf@plt>
8048d68: 83 f8 01 cmp $0x1,%eax
8048d6b: 7f 05 jg 8048d72 <phase_5+0x31>
8048d6d: e8 a3 03 00 00 call 8049115 <explode_bomb>
8048d72: 8b 44 24 18 mov 0x18(%esp),%eax
8048d76: 83 e0 0f and $0xf,%eax
8048d79: 89 44 24 18 mov %eax,0x18(%esp)
8048d7d: 83 f8 0f cmp $0xf,%eax
8048d80: 74 2a je 8048dac <phase_5+0x6b>
8048d82: b9 00 00 00 00 mov $0x0,%ecx
8048d87: ba 00 00 00 00 mov $0x0,%edx
8048d8c: 83 c2 01 add $0x1,%edx
8048d8f: 8b 04 85 c0 a1 04 08 mov 0x804a1c0(,%eax,4),%eax
8048d96: 01 c1 add %eax,%ecx
8048d98: 83 f8 0f cmp $0xf,%eax
8048d9b: 75 ef jne 8048d8c <phase_5+0x4b>
8048d9d: 89 44 24 18 mov %eax,0x18(%esp)
8048da1: 83 fa 0f cmp $0xf,%edx
8048da4: 75 06 jne 8048dac <phase_5+0x6b>
8048da6: 3b 4c 24 1c cmp 0x1c(%esp),%ecx
8048daa: 74 05 je 8048db1 <phase_5+0x70>
8048dac: e8 64 03 00 00 call 8049115 <explode_bomb>
8048db1: 83 c4 2c add $0x2c,%esp
8048db4: c3 ret 根据8048d54查看得到"%d %d"可知依旧是输入两个数字。
注意到8048d8f的地址,查看得到 0x804a1c0处存储的数组。
(gdb) x/16wd 0x804a1c0
0x804a1c0 <array.3141>: 10 2 14 7
0x804a1d0 <array.3141+16>: 8 12 15 11
0x804a1e0 <array.3141+32>: 0 4 1 13
0x804a1f0 <array.3141+48>: 3 9 6 5可以看到是一个数组{10,2,14,7,8,12,15,11,0,4,1,13,3,9,6,5}
后面的代码比较繁琐,大意就是通过i=a[i]来查找数字,然后查15次,输入的两个数,第一个是开始的数字,第二个是求和,因为数组一共16个数字,总和120,所以我们倒推 a[15]=5 即可知道开始的数字为5,总和为120-5=115。
Episode_06
08048db5 <phase_6>:
8048db5: 56 push %esi
8048db6: 53 push %ebx
8048db7: 83 ec 44 sub $0x44,%esp
8048dba: 8d 44 24 10 lea 0x10(%esp),%eax
8048dbe: 89 44 24 04 mov %eax,0x4(%esp)
8048dc2: 8b 44 24 50 mov 0x50(%esp),%eax
8048dc6: 89 04 24 mov %eax,(%esp)
8048dc9: e8 6e 03 00 00 call 804913c <read_six_numbers>
8048dce: be 00 00 00 00 mov $0x0,%esi
8048dd3: 8b 44 b4 10 mov 0x10(%esp,%esi,4),%eax
8048dd7: 83 e8 01 sub $0x1,%eax
8048dda: 83 f8 05 cmp $0x5,%eax
8048ddd: 76 05 jbe 8048de4 <phase_6+0x2f>
8048ddf: e8 31 03 00 00 call 8049115 <explode_bomb>
8048de4: 83 c6 01 add $0x1,%esi
8048de7: 83 fe 06 cmp $0x6,%esi
8048dea: 74 1b je 8048e07 <phase_6+0x52>
8048dec: 89 f3 mov %esi,%ebx
8048dee: 8b 44 9c 10 mov 0x10(%esp,%ebx,4),%eax
8048df2: 39 44 b4 0c cmp %eax,0xc(%esp,%esi,4)
8048df6: 75 05 jne 8048dfd <phase_6+0x48>
8048df8: e8 18 03 00 00 call 8049115 <explode_bomb>
8048dfd: 83 c3 01 add $0x1,%ebx
8048e00: 83 fb 05 cmp $0x5,%ebx
8048e03: 7e e9 jle 8048dee <phase_6+0x39>
8048e05: eb cc jmp 8048dd3 <phase_6+0x1e>
8048e07: 8d 44 24 10 lea 0x10(%esp),%eax
8048e0b: 8d 5c 24 28 lea 0x28(%esp),%ebx
8048e0f: b9 07 00 00 00 mov $0x7,%ecx
8048e14: 89 ca mov %ecx,%edx
8048e16: 2b 10 sub (%eax),%edx
8048e18: 89 10 mov %edx,(%eax)
8048e1a: 83 c0 04 add $0x4,%eax
8048e1d: 39 d8 cmp %ebx,%eax
8048e1f: 75 f3 jne 8048e14 <phase_6+0x5f>
8048e21: bb 00 00 00 00 mov $0x0,%ebx
8048e26: eb 1d jmp 8048e45 <phase_6+0x90>
8048e28: 8b 52 08 mov 0x8(%edx),%edx
8048e2b: 83 c0 01 add $0x1,%eax
8048e2e: 39 c8 cmp %ecx,%eax
8048e30: 75 f6 jne 8048e28 <phase_6+0x73>
8048e32: eb 05 jmp 8048e39 <phase_6+0x84>
8048e34: ba 3c c1 04 08 mov $0x804c13c,%edx
8048e39: 89 54 b4 28 mov %edx,0x28(%esp,%esi,4)
8048e3d: 83 c3 01 add $0x1,%ebx
8048e40: 83 fb 06 cmp $0x6,%ebx
8048e43: 74 17 je 8048e5c <phase_6+0xa7>
8048e45: 89 de mov %ebx,%esi
8048e47: 8b 4c 9c 10 mov 0x10(%esp,%ebx,4),%ecx
8048e4b: 83 f9 01 cmp $0x1,%ecx
8048e4e: 7e e4 jle 8048e34 <phase_6+0x7f>
8048e50: b8 01 00 00 00 mov $0x1,%eax
8048e55: ba 3c c1 04 08 mov $0x804c13c,%edx # 第一个指针
8048e5a: eb cc jmp 8048e28 <phase_6+0x73>
8048e5c: 8b 5c 24 28 mov 0x28(%esp),%ebx
8048e60: 8d 44 24 2c lea 0x2c(%esp),%eax
8048e64: 8d 74 24 40 lea 0x40(%esp),%esi
8048e68: 89 d9 mov %ebx,%ecx
8048e6a: 8b 10 mov (%eax),%edx
8048e6c: 89 51 08 mov %edx,0x8(%ecx)
8048e6f: 83 c0 04 add $0x4,%eax
8048e72: 39 f0 cmp %esi,%eax
8048e74: 74 04 je 8048e7a <phase_6+0xc5>
8048e76: 89 d1 mov %edx,%ecx
8048e78: eb f0 jmp 8048e6a <phase_6+0xb5>
8048e7a: c7 42 08 00 00 00 00 movl $0x0,0x8(%edx)
8048e81: be 05 00 00 00 mov $0x5,%esi
8048e86: 8b 43 08 mov 0x8(%ebx),%eax
8048e89: 8b 00 mov (%eax),%eax
8048e8b: 39 03 cmp %eax,(%ebx)
8048e8d: 7d 05 jge 8048e94 <phase_6+0xdf>
8048e8f: e8 81 02 00 00 call 8049115 <explode_bomb>
8048e94: 8b 5b 08 mov 0x8(%ebx),%ebx
8048e97: 83 ee 01 sub $0x1,%esi
8048e9a: 75 ea jne 8048e86 <phase_6+0xd1>
8048e9c: 83 c4 44 add $0x44,%esp
8048e9f: 5b pop %ebx
8048ea0: 5e pop %esi
8048ea1: c3 ret 查看节点
(gdb) x/18 0x804c13c
0x804c13c <node1>: 0x00000107 0x00000001 0x0804c148 0x0000014b
0x804c14c <node2+4>: 0x00000002 0x0804c154 0x0000010a 0x00000003
0x804c15c <node3+8>: 0x0804c160 0x000003b3 0x00000004 0x0804c16c
0x804c16c <node5>: 0x000002af 0x00000005 0x0804c178 0x000002f2
0x804c17c <node6+4>: 0x00000006 0x00000000因为这里的 node 其实只占了24个字节,所以转换如下:
0x804c13c <node1>: 0x00000107 0x00000001 0x0804c148
0x804c148 <node2>: 0x0000014b 0x00000002 0x0804c154
0x804c154 <node3>: 0x0000010a 0x00000003 0x0804c160
0x804c160 <node4>: 0x000003b3 0x00000004 0x0804c16c
0x804c16c <node5>: 0x000002af 0x00000005 0x0804c178
0x804c178 <node6>: 0x000002f2 0x00000006 0x00000000这是链表里面 6 个节点的信息,不难注意到分别是存储的值、节点编号、下个节点的地址。
0x00000107 -node1 263
0x0000014b -node2 331
0x0000010a -node3 266
0x000003b3 -node4 947
0x000002af -node5 687
0x000002f2 -node6 754按照从大到小排列:4 6 5 2 3 1。
注意到以下代码:
8048e0b: 8d 5c 24 28 lea 0x28(%esp),%ebx
8048e0f: b9 07 00 00 00 mov $0x7,%ecx
8048e14: 89 ca mov %ecx,%edx
8048e16: 2b 10 sub (%eax),%edx
8048e18: 89 10 mov %edx,(%eax)
8048e1a: 83 c0 04 add $0x4,%eax
8048e1d: 39 d8 cmp %ebx,%eax
8048e1f: 75 f3 jne 8048e14 <phase_6+0x5f>作用是用 7 减去数组中的值并替换原来的值,也就是角标进行了替换:a[1]->a[7-1]=a[6]
考虑7减去,调整输入为:3 1 2 5 4 6,即为正解。
Episode_07
08048ef3 <secret_phase>:
8048ef3: 53 push %ebx
8048ef4: 83 ec 18 sub $0x18,%esp
8048ef7: e8 90 02 00 00 call 804918c <read_line>
8048efc: c7 44 24 08 0a 00 00 movl $0xa,0x8(%esp)
8048f03: 00
8048f04: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp)
8048f0b: 00
8048f0c: 89 04 24 mov %eax,(%esp)
8048f0f: e8 bc f9 ff ff call 80488d0 <strtol@plt>
8048f14: 89 c3 mov %eax,%ebx
8048f16: 8d 40 ff lea -0x1(%eax),%eax
8048f19: 3d e8 03 00 00 cmp $0x3e8,%eax
8048f1e: 76 05 jbe 8048f25 <secret_phase+0x32>
8048f20: e8 f0 01 00 00 call 8049115 <explode_bomb>
8048f25: 89 5c 24 04 mov %ebx,0x4(%esp)
8048f29: c7 04 24 88 c0 04 08 movl $0x804c088,(%esp)
8048f30: e8 6d ff ff ff call 8048ea2 <fun7>
8048f35: 83 f8 02 cmp $0x2,%eax
8048f38: 74 05 je 8048f3f <secret_phase+0x4c>
8048f3a: e8 d6 01 00 00 call 8049115 <explode_bomb>
8048f3f: c7 04 24 64 a1 04 08 movl $0x804a164,(%esp)
8048f46: e8 a5 f8 ff ff call 80487f0 <puts@plt>
8048f4b: e8 36 03 00 00 call 8049286 <phase_defused>
8048f50: 83 c4 18 add $0x18,%esp
8048f53: 5b pop %ebx
8048f54: c3 ret
8048f55: 66 90 xchg %ax,%ax
8048f57: 66 90 xchg %ax,%ax
8048f59: 66 90 xchg %ax,%ax
8048f5b: 66 90 xchg %ax,%ax
8048f5d: 66 90 xchg %ax,%ax
8048f5f: 90 nop进入方式:第四关本来答案后面加上DrEvil即可。
注意到8048f30用到了func7,这边把func7汇编代码贴上:
08048ea2 <fun7>:
8048ea2: 53 push %ebx
8048ea3: 83 ec 18 sub $0x18,%esp
8048ea6: 8b 54 24 20 mov 0x20(%esp),%edx
8048eaa: 8b 4c 24 24 mov 0x24(%esp),%ecx
8048eae: 85 d2 test %edx,%edx
8048eb0: 74 37 je 8048ee9 <fun7+0x47>
8048eb2: 8b 1a mov (%edx),%ebx
8048eb4: 39 cb cmp %ecx,%ebx
8048eb6: 7e 13 jle 8048ecb <fun7+0x29>
8048eb8: 89 4c 24 04 mov %ecx,0x4(%esp)
8048ebc: 8b 42 04 mov 0x4(%edx),%eax
8048ebf: 89 04 24 mov %eax,(%esp)
8048ec2: e8 db ff ff ff call 8048ea2 <fun7>
8048ec7: 01 c0 add %eax,%eax
8048ec9: eb 23 jmp 8048eee <fun7+0x4c>
8048ecb: b8 00 00 00 00 mov $0x0,%eax
8048ed0: 39 cb cmp %ecx,%ebx
8048ed2: 74 1a je 8048eee <fun7+0x4c>
8048ed4: 89 4c 24 04 mov %ecx,0x4(%esp)
8048ed8: 8b 42 08 mov 0x8(%edx),%eax
8048edb: 89 04 24 mov %eax,(%esp)
8048ede: e8 bf ff ff ff call 8048ea2 <fun7>
8048ee3: 8d 44 00 01 lea 0x1(%eax,%eax,1),%eax
8048ee7: eb 05 jmp 8048eee <fun7+0x4c>
8048ee9: b8 ff ff ff ff mov $0xffffffff,%eax
8048eee: 83 c4 18 add $0x18,%esp
8048ef1: 5b pop %ebx
8048ef2: c3 ret 同样注意到8048f4b处用到了phase_defused,汇编代码同样贴上:
08049286 <phase_defused>:
8049286: 81 ec 8c 00 00 00 sub $0x8c,%esp
804928c: 65 a1 14 00 00 00 mov %gs:0x14,%eax
8049292: 89 44 24 7c mov %eax,0x7c(%esp)
8049296: 31 c0 xor %eax,%eax
8049298: 83 3d c8 c3 04 08 06 cmpl $0x6,0x804c3c8
804929f: 75 72 jne 8049313 <phase_defused+0x8d>
80492a1: 8d 44 24 2c lea 0x2c(%esp),%eax
80492a5: 89 44 24 10 mov %eax,0x10(%esp)
80492a9: 8d 44 24 28 lea 0x28(%esp),%eax
80492ad: 89 44 24 0c mov %eax,0xc(%esp)
80492b1: 8d 44 24 24 lea 0x24(%esp),%eax
80492b5: 89 44 24 08 mov %eax,0x8(%esp)
80492b9: c7 44 24 04 69 a3 04 movl $0x804a369,0x4(%esp)
80492c0: 08
80492c1: c7 04 24 d0 c4 04 08 movl $0x804c4d0,(%esp)
80492c8: e8 93 f5 ff ff call 8048860 <__isoc99_sscanf@plt>
80492cd: 83 f8 03 cmp $0x3,%eax
80492d0: 75 35 jne 8049307 <phase_defused+0x81>
80492d2: c7 44 24 04 72 a3 04 movl $0x804a372,0x4(%esp) # 字符串 DrEvil
80492d9: 08
80492da: 8d 44 24 2c lea 0x2c(%esp),%eax
80492de: 89 04 24 mov %eax,(%esp)
80492e1: e8 24 fd ff ff call 804900a <strings_not_equal>
80492e6: 85 c0 test %eax,%eax
80492e8: 75 1d jne 8049307 <phase_defused+0x81>
80492ea: c7 04 24 38 a2 04 08 movl $0x804a238,(%esp)
80492f1: e8 fa f4 ff ff call 80487f0 <puts@plt>
80492f6: c7 04 24 60 a2 04 08 movl $0x804a260,(%esp)
80492fd: e8 ee f4 ff ff call 80487f0 <puts@plt>
8049302: e8 ec fb ff ff call 8048ef3 <secret_phase>
8049307: c7 04 24 98 a2 04 08 movl $0x804a298,(%esp)
804930e: e8 dd f4 ff ff call 80487f0 <puts@plt>
8049313: 8b 44 24 7c mov 0x7c(%esp),%eax
8049317: 65 33 05 14 00 00 00 xor %gs:0x14,%eax
804931e: 74 05 je 8049325 <phase_defused+0x9f>
8049320: e8 9b f4 ff ff call 80487c0 <__stack_chk_fail@plt>
8049325: 81 c4 8c 00 00 00 add $0x8c,%esp
804932b: c3 ret
804932c: 66 90 xchg %ax,%ax
804932e: 66 90 xchg %ax,%axEnd
这边把所有答案输入 ans.txt看看:
可以看到是都解决了的。
评论
ValineWaline