二进制炸弹阶段2,汇编ia32,AT&T语法:需要帮助理解代码流

时间:2014-11-18 07:11:14

标签: x86 att

我在课程作业中被分配了一个需要拆解的二进制炸弹。我并不是在寻找答案,只是想得到一些关于这段代码如何运作的指导。我已经在纸上跟踪了它的执行过程,但完全不知道该从哪里找答案。我相信如果能用别人的讲解来补充我的跟踪记录,我就能更好地理解自己可能错在哪里。我能够轻松地破解第1阶段,但显然这里遗漏了什么,而且我确信那只是个小问题……我已经在这上面花了好几个小时,如果不是真的需要帮助,我不会来这里发问。

谢谢你的时间!

这是phase_2

    Dump of assembler code for function phase_2:
# phase_2(char *input) — gdb disassembly, AT&T syntax. Despite the question title this is
# x86-64 (64-bit registers, callq, cltq), not IA-32.
# Frame layout: -0x28(%rbp) = input pointer, -0x20(%rbp)..-0x8(%rbp) = int a[6] filled by
# read_six_numbers, -0x4(%rbp) = loop counter i. Every failed check calls explode_bomb.
0x0000000000400ec9 <phase_2+0>: push   %rbp
0x0000000000400eca <phase_2+1>: mov    %rsp,%rbp
0x0000000000400ecd <phase_2+4>: sub    $0x30,%rsp     # 48 bytes of locals; rsp stays 16-byte aligned for the calls below
0x0000000000400ed1 <phase_2+8>: mov    %rdi,-0x28(%rbp)    # save input (1st arg) in a local
0x0000000000400ed5 <phase_2+12>:        lea    -0x20(%rbp),%rsi    # rsi = &a[0] (2nd arg: destination array)
0x0000000000400ed9 <phase_2+16>:        mov    -0x28(%rbp),%rdi    # rdi = input (1st arg)
0x0000000000400edd <phase_2+20>:        callq  0x4013fd <read_six_numbers>    # read_six_numbers(input, a)
0x0000000000400ee2 <phase_2+25>:        mov    -0x20(%rbp),%eax     # eax = a[0] (whatever was parsed; nothing here forces it to be 1)
0x0000000000400ee5 <phase_2+28>:        test   %eax,%eax          # sets SF/ZF from a[0]
0x0000000000400ee7 <phase_2+30>:        jns    0x400eee <phase_2+37>   # jump if sign flag clear: a[0] >= 0 passes (zero or positive)
0x0000000000400ee9 <phase_2+32>:        callq  0x401997 <explode_bomb>   # reached only when a[0] < 0
0x0000000000400eee <phase_2+37>:        movl   $0x1,-0x4(%rbp)     # i = 1
0x0000000000400ef5 <phase_2+44>:        jmp    0x400f1f <phase_2+86>    # jump to the loop condition first (for-loop shape)
0x0000000000400ef7 <phase_2+46>:        mov    -0x4(%rbp),%eax     # loop body: eax = i
0x0000000000400efa <phase_2+49>:        cltq                       # sign-extend eax -> rax for use as an index
0x0000000000400efc <phase_2+51>:        mov    -0x20(%rbp,%rax,4),%edx     # edx = a[i]   (base -0x20(%rbp), index rax, scale 4)
0x0000000000400f00 <phase_2+55>:        mov    -0x4(%rbp),%eax     # eax = i (reloaded; the compiler did not keep it in a register)
0x0000000000400f03 <phase_2+58>:        sub    $0x1,%eax     # eax = i - 1
0x0000000000400f06 <phase_2+61>:        cltq                       # sign-extend to rax
0x0000000000400f08 <phase_2+63>:        mov    -0x20(%rbp,%rax,4),%eax     # eax = a[i-1]
0x0000000000400f0c <phase_2+67>:        add    -0x4(%rbp),%eax     # eax = a[i-1] + i
0x0000000000400f0f <phase_2+70>:        add    $0x1,%eax     # eax = a[i-1] + i + 1
0x0000000000400f12 <phase_2+73>:        cmp    %eax,%edx     # AT&T cmp src,dst computes dst - src: compares a[i] with a[i-1] + i + 1
0x0000000000400f14 <phase_2+75>:        je     0x400f1b <phase_2+82>   # equal -> continue to the next iteration
0x0000000000400f16 <phase_2+77>:        callq  0x401997 <explode_bomb>   # mismatch
0x0000000000400f1b <phase_2+82>:        addl   $0x1,-0x4(%rbp)     # i++
0x0000000000400f1f <phase_2+86>:        cmpl   $0x5,-0x4(%rbp)     # loop condition: i - 5 (not 5 - 1; the compare is against i, which changes each pass)
0x0000000000400f23 <phase_2+90>:        jle    0x400ef7 <phase_2+46>   # signed compare: loop while i <= 5, so the body runs for i = 1..5
0x0000000000400f25 <phase_2+92>:        leaveq             # mov %rbp,%rsp ; pop %rbp
0x0000000000400f26 <phase_2+93>:        retq
End of assembler dump.

如果需要,这里是read_six_numbers:

Dump of assembler code for function read_six_numbers:
# read_six_numbers(char *s, int *a) — gdb disassembly, x86-64 SysV, AT&T syntax.
# Builds the call sscanf(s, fmt, &a[0], &a[1], &a[2], &a[3], &a[4], &a[5]): the first six
# arguments travel in rdi, rsi, rdx, rcx, r8, r9 and the last two spill to (%rsp) and 8(%rsp).
# Explodes unless sscanf reports more than 5 conversions, i.e. all six numbers were parsed.
# Frame layout: -0x18(%rbp) = s, -0x20(%rbp) = a, -0x4(%rbp) = sscanf return value.
0x00000000004013fd <read_six_numbers+0>:        push   %rbp
0x00000000004013fe <read_six_numbers+1>:        mov    %rsp,%rbp
0x0000000000401401 <read_six_numbers+4>:        sub    $0x30,%rsp          # locals plus room for the two stack-passed arguments
0x0000000000401405 <read_six_numbers+8>:        mov    %rdi,-0x18(%rbp)    # save s
0x0000000000401409 <read_six_numbers+12>:       mov    %rsi,-0x20(%rbp)    # save a
0x000000000040140d <read_six_numbers+16>:       mov    -0x20(%rbp),%rax
0x0000000000401411 <read_six_numbers+20>:       add    $0x14,%rax          # rax = &a[5]  (0x14 = 5 * sizeof(int))
0x0000000000401415 <read_six_numbers+24>:       mov    -0x20(%rbp),%rdx
0x0000000000401419 <read_six_numbers+28>:       add    $0x10,%rdx          # rdx = &a[4]
0x000000000040141d <read_six_numbers+32>:       mov    -0x20(%rbp),%rcx
0x0000000000401421 <read_six_numbers+36>:       add    $0xc,%rcx           # rcx = &a[3]
0x0000000000401425 <read_six_numbers+40>:       mov    -0x20(%rbp),%rsi
0x0000000000401429 <read_six_numbers+44>:       add    $0x8,%rsi           # rsi = &a[2]
0x000000000040142d <read_six_numbers+48>:       mov    -0x20(%rbp),%rdi
0x0000000000401431 <read_six_numbers+52>:       add    $0x4,%rdi           # rdi = &a[1]
0x0000000000401435 <read_six_numbers+56>:       mov    -0x20(%rbp),%r10    # r10 = &a[0]
0x0000000000401439 <read_six_numbers+60>:       mov    -0x18(%rbp),%r11    # r11 = s
0x000000000040143d <read_six_numbers+64>:       mov    %rax,0x8(%rsp)      # 8th arg (stack): &a[5]
0x0000000000401442 <read_six_numbers+69>:       mov    %rdx,(%rsp)         # 7th arg (stack): &a[4]
0x0000000000401446 <read_six_numbers+73>:       mov    %rcx,%r9            # 6th arg: &a[3]
0x0000000000401449 <read_six_numbers+76>:       mov    %rsi,%r8            # 5th arg: &a[2]
0x000000000040144c <read_six_numbers+79>:       mov    %rdi,%rcx           # 4th arg: &a[1]
0x000000000040144f <read_six_numbers+82>:       mov    %r10,%rdx           # 3rd arg: &a[0]
0x0000000000401452 <read_six_numbers+85>:       mov    $0x402ca1,%esi      # 2nd arg: format string at 0x402ca1 (not in this dump; presumably six "%d" — confirm by dumping the string). A 32-bit absolute address like this suggests a non-PIE binary.
0x0000000000401457 <read_six_numbers+90>:       mov    %r11,%rdi           # 1st arg: s
0x000000000040145a <read_six_numbers+93>:       mov    $0x0,%eax           # al = 0: no vector registers used, required before a variadic call in SysV
0x000000000040145f <read_six_numbers+98>:       callq  0x400b70 <sscanf@plt>
0x0000000000401464 <read_six_numbers+103>:      mov    %eax,-0x4(%rbp)     # n = number of items sscanf converted
0x0000000000401467 <read_six_numbers+106>:      cmpl   $0x5,-0x4(%rbp)     # n - 5
0x000000000040146b <read_six_numbers+110>:      jg     0x401472 <read_six_numbers+117>   # n > 5 (all six parsed) -> return normally
0x000000000040146d <read_six_numbers+112>:      callq  0x401997 <explode_bomb>           # fewer than six numbers were read
0x0000000000401472 <read_six_numbers+117>:      leaveq
0x0000000000401473 <read_six_numbers+118>:      retq
End of assembler dump.

1 个答案:

答案 0 :(得分:1)

read_six_numbers只会检查以确保您输入了6个数字。`test %eax,%eax`将确保第一个数字为0,然后它会多次迭代进行其他比较。完成这项作业的方法是在所有调用炸弹的地方设置断点,然后在到达断点之前检查比较,尝试找出哪些值会触发炸弹。有时,如果您使用合适的工具,就可以查看寄存器中的内容以及它在与什么进行比较。我希望这能在不直接给出答案的情况下帮到你一点。我可以尝试回答你的其他问题,因为我一个月前刚在课堂上完成了这项作业。