二进制炸弹第4阶段

时间:2015-01-31 09:52:23

标签: assembly x86 reverse-engineering

我正在做二进制炸弹(binary bomb)作业,前面一切顺利,直到第四阶段。我已经被它卡住好几天了。到目前为止,我知道这个阶段要读入两个数字——这是我对 +20 行用到的地址执行 `x/s 0x804a5bf` 得知的。真正让我困惑的是它调用 func4 的那一段。它看起来是一个递归函数,但我不清楚它在做什么。我还觉得需要看一下 +6 和 +13 这两行,但不知道该怎么看。我是 gdb 和汇编代码的新手,这些东西对我来说非常难懂。

Dump of assembler code for function phase_4:
# phase_4(char *input) -- i386 cdecl, gdb AT&T syntax.
# Parses two ints out of `input` with sscanf:
#   first  -> -0xc(%ebp)   (passed as sscanf arg 3, see <+13>/<+16>)
#   second -> -0x10(%ebp)  (passed as sscanf arg 4, see <+6>/<+9>)
# Then requires: sscanf returned 2, (second - 2) <= 2 unsigned,
# and func4(8, second) == first. Any failed check calls explode_bomb.
0x08048ccb <+0>:    push   %ebp
0x08048ccc <+1>:    mov    %esp,%ebp
0x08048cce <+3>:    sub    $0x28,%esp               # locals (the two ints) + outgoing argument slots
0x08048cd1 <+6>:    lea    -0x10(%ebp),%eax         # &second
0x08048cd4 <+9>:    mov    %eax,0xc(%esp)           # sscanf arg 4 = &second
0x08048cd8 <+13>:   lea    -0xc(%ebp),%eax          # &first
0x08048cdb <+16>:   mov    %eax,0x8(%esp)           # sscanf arg 3 = &first
0x08048cdf <+20>:   movl   $0x804a5bf,0x4(%esp)     # sscanf arg 2 = format string (contents not in this dump; the cmp $0x2 below implies two conversions)
0x08048ce7 <+28>:   mov    0x8(%ebp),%eax           # phase_4's own argument: the input line
0x08048cea <+31>:   mov    %eax,(%esp)              # sscanf arg 1 = input
0x08048ced <+34>:   call   0x8048860 <__isoc99_sscanf@plt>
0x08048cf2 <+39>:   cmp    $0x2,%eax                # exactly two items must have been parsed
0x08048cf5 <+42>:   jne    0x8048d02 <phase_4+55>   # otherwise -> explode_bomb
0x08048cf7 <+44>:   mov    -0x10(%ebp),%eax         # eax = second
0x08048cfa <+47>:   sub    $0x2,%eax                # eax = second - 2
0x08048cfd <+50>:   cmp    $0x2,%eax
0x08048d00 <+53>:   jbe    0x8048d07 <phase_4+60>   # UNSIGNED compare: passes only if second - 2 is in [0,2], i.e. second in {2,3,4}; second < 2 wraps to a huge value and fails
0x08048d02 <+55>:   call   0x80491a6 <explode_bomb>
0x08048d07 <+60>:   mov    -0x10(%ebp),%eax         # eax = second
0x08048d0a <+63>:   mov    %eax,0x4(%esp)           # func4 arg 2 = second
0x08048d0e <+67>:   movl   $0x8,(%esp)              # func4 arg 1 = 8 (constant)
0x08048d15 <+74>:   call   0x8048c7f <func4>        # eax = func4(8, second)
0x08048d1a <+79>:   cmp    -0xc(%ebp),%eax          # compare against first
0x08048d1d <+82>:   je     0x8048d24 <phase_4+89>   # equal -> phase passes
0x08048d1f <+84>:   call   0x80491a6 <explode_bomb> # mismatch -> explode
0x08048d24 <+89>:   leave                           # mov %ebp,%esp ; pop %ebp
0x08048d25 <+90>:   ret    

End of assembler dump.

This is the func4 code dump
# func4(int n, int v) -- i386 cdecl, gdb AT&T syntax.
# In:   0x8(%ebp) = n  (held in %ebx),  0xc(%ebp) = v  (held in %esi)
# Out:  %eax =
#         0                                  if n <= 0   (signed test at <+15>/<+17>)
#         v                                  if n == 1   (<+21>/<+24>)
#         func4(n-1, v) + v + func4(n-2, v)  otherwise   (<+36>..<+59>)
# Register roles: %ebx = n (decremented in place, it is callee-saved and restored on exit),
#                 %esi = v, %edi = partial sum func4(n-1, v) + v held across the second call.
0x08048c7f <+0>:    push   %ebp
0x08048c80 <+1>:    mov    %esp,%ebp
0x08048c82 <+3>:    push   %edi                     # save the three callee-saved regs this function uses
0x08048c83 <+4>:    push   %esi
0x08048c84 <+5>:    push   %ebx
0x08048c85 <+6>:    sub    $0x1c,%esp               # outgoing arg slots; with the 4 pushes this leaves %esp 16-byte aligned at the recursive calls
0x08048c88 <+9>:    mov    0x8(%ebp),%ebx           # ebx = n
0x08048c8b <+12>:   mov    0xc(%ebp),%esi           # esi = v
0x08048c8e <+15>:   test   %ebx,%ebx
0x08048c90 <+17>:   jle    0x8048cbe <func4+63>     # n <= 0 (signed) -> return 0
0x08048c92 <+19>:   mov    %esi,%eax                # eax = v (the n == 1 result)
0x08048c94 <+21>:   cmp    $0x1,%ebx
0x08048c97 <+24>:   je     0x8048cc3 <func4+68>     # n == 1 -> return v
0x08048c99 <+26>:   mov    %esi,0x4(%esp)           # arg 2 = v
0x08048c9d <+30>:   lea    -0x1(%ebx),%eax          # eax = n - 1 (lea: no flags touched)
0x08048ca0 <+33>:   mov    %eax,(%esp)              # arg 1 = n - 1
0x08048ca3 <+36>:   call   0x8048c7f <func4>        # eax = func4(n-1, v)
0x08048ca8 <+41>:   lea    (%eax,%esi,1),%edi       # edi = func4(n-1, v) + v
0x08048cab <+44>:   mov    %esi,0x4(%esp)           # arg 2 = v
0x08048caf <+48>:   sub    $0x2,%ebx                # ebx = n - 2
0x08048cb2 <+51>:   mov    %ebx,(%esp)              # arg 1 = n - 2
0x08048cb5 <+54>:   call   0x8048c7f <func4>        # eax = func4(n-2, v)
0x08048cba <+59>:   add    %edi,%eax                # eax = func4(n-1, v) + v + func4(n-2, v)
0x08048cbc <+61>:   jmp    0x8048cc3 <func4+68>     # -> epilogue
0x08048cbe <+63>:   mov    $0x0,%eax                # base case: return 0
0x08048cc3 <+68>:   add    $0x1c,%esp               # undo the sub at <+6>
0x08048cc6 <+71>:   pop    %ebx                     # restore in reverse push order
0x08048cc7 <+72>:   pop    %esi
0x08048cc8 <+73>:   pop    %edi
0x08048cc9 <+74>:   pop    %ebp
0x08048cca <+75>:   ret    
