我正在x86装配中的二元炸弹实验室工作,并且版本很高。我正在研究这一阶段,我可以看到代码的最后一部分,但我不能理解最后几行中发生的事情。我现在正在春假,所以我不能去学校,我想知道我是否可以在这里得到任何帮助。谢谢。
好的,所以我开始运行我的程序并输入我的3个输入。
[bomb46]$ gdb bomb
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
(gdb) b phase_5
Breakpoint 1 at 0x8048da4
(gdb) r answers.txt
Welcome to my fiendish little bomb. You have 9 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
One step closer.
So you got that one. Try this one.
7 0 696
我接下来将介绍设置的初始化并扫描输入
Breakpoint 1, 0x08048da4 in phase_5 ()
Missing separate debuginfos, use: debuginfo-install glibc-2.17-106.el7_2.8.i686
(gdb) until *0x08048dd6
0x08048dd6 in phase_5 ()
(gdb) disas
Dump of assembler code for function phase_5:
0x08048da4 <+0>: sub $0x3c,%esp
0x08048da7 <+3>: lea 0x2c(%esp),%eax
0x08048dab <+7>: mov %eax,0x10(%esp)
0x08048daf <+11>: lea 0x27(%esp),%eax
0x08048db3 <+15>: mov %eax,0xc(%esp)
0x08048db7 <+19>: lea 0x28(%esp),%eax
0x08048dbb <+23>: mov %eax,0x8(%esp)
0x08048dbf <+27>: movl $0x804a54c,0x4(%esp)
0x08048dc7 <+35>: mov 0x40(%esp),%eax
0x08048dcb <+39>: mov %eax,(%esp)
0x08048dce <+42>: call 0x8048900 <__isoc99_sscanf@plt>
0x08048dd3 <+47>: cmp $0x2,%eax
=> 0x08048dd6 <+50>: jg 0x8048ddd <phase_5+57>
0x08048dd8 <+52>: call 0x8049515 <explode_bomb>
0x08048ddd <+57>: cmpl $0x7,0x28(%esp)
0x08048de2 <+62>: ja 0x8048ee1 <phase_5+317>
0x08048de8 <+68>: mov 0x28(%esp),%eax
0x08048dec <+72>: jmp *0x804a5a0(,%eax,4)
0x08048df3 <+79>: mov $0x67,%eax
0x08048df8 <+84>: cmpl $0x2c5,0x2c(%esp)
0x08048e00 <+92>: je 0x8048eeb <phase_5+327>
0x08048e06 <+98>: call 0x8049515 <explode_bomb>
0x08048e0b <+103>: mov $0x67,%eax
0x08048e10 <+108>: jmp 0x8048eeb <phase_5+327>
0x08048e15 <+113>: mov $0x73,%eax
0x08048e1a <+118>: cmpl $0x78,0x2c(%esp)
---Type <return> to continue, or q <return> to quit---q
Quit
然后我点击跳转并点击下一组说明只是检查第一个输入数字是否为7或更少。
(gdb) ni
0x08048ddd in phase_5 ()
(gdb) disas
Dump of assembler code for function phase_5:
0x08048da4 <+0>: sub $0x3c,%esp
0x08048da7 <+3>: lea 0x2c(%esp),%eax
0x08048dab <+7>: mov %eax,0x10(%esp)
0x08048daf <+11>: lea 0x27(%esp),%eax
0x08048db3 <+15>: mov %eax,0xc(%esp)
0x08048db7 <+19>: lea 0x28(%esp),%eax
0x08048dbb <+23>: mov %eax,0x8(%esp)
0x08048dbf <+27>: movl $0x804a54c,0x4(%esp)
0x08048dc7 <+35>: mov 0x40(%esp),%eax
0x08048dcb <+39>: mov %eax,(%esp)
0x08048dce <+42>: call 0x8048900 <__isoc99_sscanf@plt>
0x08048dd3 <+47>: cmp $0x2,%eax
0x08048dd6 <+50>: jg 0x8048ddd <phase_5+57>
0x08048dd8 <+52>: call 0x8049515 <explode_bomb>
=> 0x08048ddd <+57>: cmpl $0x7,0x28(%esp)
0x08048de2 <+62>: ja 0x8048ee1 <phase_5+317>
0x08048de8 <+68>: mov 0x28(%esp),%eax
0x08048dec <+72>: jmp *0x804a5a0(,%eax,4)
0x08048df3 <+79>: mov $0x67,%eax
0x08048df8 <+84>: cmpl $0x2c5,0x2c(%esp)
0x08048e00 <+92>: je 0x8048eeb <phase_5+327>
0x08048e06 <+98>: call 0x8049515 <explode_bomb>
0x08048e0b <+103>: mov $0x67,%eax
0x08048e10 <+108>: jmp 0x8048eeb <phase_5+327>
0x08048e15 <+113>: mov $0x73,%eax
0x08048e1a <+118>: cmpl $0x78,0x2c(%esp)
---Type <return> to continue, or q <return> to quit---q
Quit
然后继续直到下一次跳跃,这将移动eax,然后跳转到一组指令,具体取决于我的第一次输入。
(gdb) ni
0x08048de2 in phase_5 ()
(gdb) ni
0x08048de8 in phase_5 ()
(gdb) disas
Dump of assembler code for function phase_5:
0x08048da4 <+0>: sub $0x3c,%esp
0x08048da7 <+3>: lea 0x2c(%esp),%eax
0x08048dab <+7>: mov %eax,0x10(%esp)
0x08048daf <+11>: lea 0x27(%esp),%eax
0x08048db3 <+15>: mov %eax,0xc(%esp)
0x08048db7 <+19>: lea 0x28(%esp),%eax
0x08048dbb <+23>: mov %eax,0x8(%esp)
0x08048dbf <+27>: movl $0x804a54c,0x4(%esp)
0x08048dc7 <+35>: mov 0x40(%esp),%eax
0x08048dcb <+39>: mov %eax,(%esp)
0x08048dce <+42>: call 0x8048900 <__isoc99_sscanf@plt>
0x08048dd3 <+47>: cmp $0x2,%eax
0x08048dd6 <+50>: jg 0x8048ddd <phase_5+57>
0x08048dd8 <+52>: call 0x8049515 <explode_bomb>
0x08048ddd <+57>: cmpl $0x7,0x28(%esp)
0x08048de2 <+62>: ja 0x8048ee1 <phase_5+317>
=> 0x08048de8 <+68>: mov 0x28(%esp),%eax
0x08048dec <+72>: jmp *0x804a5a0(,%eax,4)
0x08048df3 <+79>: mov $0x67,%eax
0x08048df8 <+84>: cmpl $0x2c5,0x2c(%esp)
0x08048e00 <+92>: je 0x8048eeb <phase_5+327>
0x08048e06 <+98>: call 0x8049515 <explode_bomb>
0x08048e0b <+103>: mov $0x67,%eax
0x08048e10 <+108>: jmp 0x8048eeb <phase_5+327>
0x08048e15 <+113>: mov $0x73,%eax
0x08048e1a <+118>: cmpl $0x78,0x2c(%esp)
---Type <return> to continue, or q <return> to quit---q
Quit
我执行接下来的2条指令并点击跳转,这会将我带到一个比较数字0x2b8(696)和第3条输入696的设置。
(gdb) ni
0x08048dec in phase_5 ()
(gdb) ni
0x08048ec6 in phase_5 ()
(gdb) disas
Dump of assembler code for function phase_5:
0x08048da4 <+0>: sub $0x3c,%esp
0x08048da7 <+3>: lea 0x2c(%esp),%eax
0x08048dab <+7>: mov %eax,0x10(%esp)
0x08048daf <+11>: lea 0x27(%esp),%eax
0x08048db3 <+15>: mov %eax,0xc(%esp)
0x08048db7 <+19>: lea 0x28(%esp),%eax
0x08048dbb <+23>: mov %eax,0x8(%esp)
0x08048dbf <+27>: movl $0x804a54c,0x4(%esp)
0x08048dc7 <+35>: mov 0x40(%esp),%eax
0x08048dcb <+39>: mov %eax,(%esp)
0x08048dce <+42>: call 0x8048900 <__isoc99_sscanf@plt>
0x08048dd3 <+47>: cmp $0x2,%eax
0x08048dd6 <+50>: jg 0x8048ddd <phase_5+57>
0x08048dd8 <+52>: call 0x8049515 <explode_bomb>
0x08048ddd <+57>: cmpl $0x7,0x28(%esp)
0x08048de2 <+62>: ja 0x8048ee1 <phase_5+317>
0x08048de8 <+68>: mov 0x28(%esp),%eax
0x08048dec <+72>: jmp *0x804a5a0(,%eax,4)
0x08048df3 <+79>: mov $0x67,%eax
0x08048df8 <+84>: cmpl $0x2c5,0x2c(%esp)
0x08048e00 <+92>: je 0x8048eeb <phase_5+327>
0x08048e06 <+98>: call 0x8049515 <explode_bomb>
0x08048e0b <+103>: mov $0x67,%eax
0x08048e10 <+108>: jmp 0x8048eeb <phase_5+327>
0x08048e15 <+113>: mov $0x73,%eax
0x08048e1a <+118>: cmpl $0x78,0x2c(%esp)
---Type <return> to continue, or q <return> to quit---
0x08048e1f <+123>: je 0x8048eeb <phase_5+327>
0x08048e25 <+129>: call 0x8049515 <explode_bomb>
0x08048e2a <+134>: mov $0x73,%eax
0x08048e2f <+139>: jmp 0x8048eeb <phase_5+327>
0x08048e34 <+144>: mov $0x64,%eax
0x08048e39 <+149>: cmpl $0x1fd,0x2c(%esp)
0x08048e41 <+157>: je 0x8048eeb <phase_5+327>
0x08048e47 <+163>: call 0x8049515 <explode_bomb>
0x08048e4c <+168>: mov $0x64,%eax
0x08048e51 <+173>: jmp 0x8048eeb <phase_5+327>
0x08048e56 <+178>: mov $0x66,%eax
0x08048e5b <+183>: cmpl $0x363,0x2c(%esp)
0x08048e63 <+191>: je 0x8048eeb <phase_5+327>
0x08048e69 <+197>: call 0x8049515 <explode_bomb>
0x08048e6e <+202>: mov $0x66,%eax
0x08048e73 <+207>: jmp 0x8048eeb <phase_5+327>
0x08048e75 <+209>: mov $0x70,%eax
0x08048e7a <+214>: cmpl $0x161,0x2c(%esp)
0x08048e82 <+222>: je 0x8048eeb <phase_5+327>
0x08048e84 <+224>: call 0x8049515 <explode_bomb>
0x08048e89 <+229>: mov $0x70,%eax
0x08048e8e <+234>: jmp 0x8048eeb <phase_5+327>
0x08048e90 <+236>: mov $0x6f,%eax
0x08048e95 <+241>: cmpl $0x329,0x2c(%esp)
0x08048e9d <+249>: je 0x8048eeb <phase_5+327>
0x08048e9f <+251>: call 0x8049515 <explode_bomb>
0x08048ea4 <+256>: mov $0x6f,%eax
---Type <return> to continue, or q <return> to quit---
0x08048ea9 <+261>: jmp 0x8048eeb <phase_5+327>
0x08048eab <+263>: mov $0x64,%eax
0x08048eb0 <+268>: cmpl $0x273,0x2c(%esp)
0x08048eb8 <+276>: je 0x8048eeb <phase_5+327>
0x08048eba <+278>: call 0x8049515 <explode_bomb>
0x08048ebf <+283>: mov $0x64,%eax
0x08048ec4 <+288>: jmp 0x8048eeb <phase_5+327>
=> 0x08048ec6 <+290>: mov $0x62,%eax
0x08048ecb <+295>: cmpl $0x2b8,0x2c(%esp)
0x08048ed3 <+303>: je 0x8048eeb <phase_5+327>
0x08048ed5 <+305>: call 0x8049515 <explode_bomb>
0x08048eda <+310>: mov $0x62,%eax
0x08048edf <+315>: jmp 0x8048eeb <phase_5+327>
0x08048ee1 <+317>: call 0x8049515 <explode_bomb>
0x08048ee6 <+322>: mov $0x67,%eax
0x08048eeb <+327>: cmp 0x27(%esp),%al
0x08048eef <+331>: je 0x8048ef6 <phase_5+338>
0x08048ef1 <+333>: call 0x8049515 <explode_bomb>
0x08048ef6 <+338>: add $0x3c,%esp
0x08048ef9 <+341>: ret
End of assembler dump.
我终于完成了这些说明并转到我的最后一套说明。
(gdb) ni
0x08048ecb in phase_5 ()
(gdb) ni
0x08048ed3 in phase_5 ()
(gdb) ni
0x08048eeb in phase_5 ()
(gdb) disas
Dump of assembler code for function phase_5:
0x08048da4 <+0>: sub $0x3c,%esp
0x08048da7 <+3>: lea 0x2c(%esp),%eax
0x08048dab <+7>: mov %eax,0x10(%esp)
0x08048daf <+11>: lea 0x27(%esp),%eax
0x08048db3 <+15>: mov %eax,0xc(%esp)
0x08048db7 <+19>: lea 0x28(%esp),%eax
0x08048dbb <+23>: mov %eax,0x8(%esp)
0x08048dbf <+27>: movl $0x804a54c,0x4(%esp)
0x08048dc7 <+35>: mov 0x40(%esp),%eax
0x08048dcb <+39>: mov %eax,(%esp)
0x08048dce <+42>: call 0x8048900 <__isoc99_sscanf@plt>
0x08048dd3 <+47>: cmp $0x2,%eax
0x08048dd6 <+50>: jg 0x8048ddd <phase_5+57>
0x08048dd8 <+52>: call 0x8049515 <explode_bomb>
0x08048ddd <+57>: cmpl $0x7,0x28(%esp)
0x08048de2 <+62>: ja 0x8048ee1 <phase_5+317>
0x08048de8 <+68>: mov 0x28(%esp),%eax
0x08048dec <+72>: jmp *0x804a5a0(,%eax,4)
0x08048df3 <+79>: mov $0x67,%eax
0x08048df8 <+84>: cmpl $0x2c5,0x2c(%esp)
0x08048e00 <+92>: je 0x8048eeb <phase_5+327>
0x08048e06 <+98>: call 0x8049515 <explode_bomb>
0x08048e0b <+103>: mov $0x67,%eax
0x08048e10 <+108>: jmp 0x8048eeb <phase_5+327>
0x08048e15 <+113>: mov $0x73,%eax
0x08048e1a <+118>: cmpl $0x78,0x2c(%esp)
---Type <return> to continue, or q <return> to quit---
0x08048e1f <+123>: je 0x8048eeb <phase_5+327>
0x08048e25 <+129>: call 0x8049515 <explode_bomb>
0x08048e2a <+134>: mov $0x73,%eax
0x08048e2f <+139>: jmp 0x8048eeb <phase_5+327>
0x08048e34 <+144>: mov $0x64,%eax
0x08048e39 <+149>: cmpl $0x1fd,0x2c(%esp)
0x08048e41 <+157>: je 0x8048eeb <phase_5+327>
0x08048e47 <+163>: call 0x8049515 <explode_bomb>
0x08048e4c <+168>: mov $0x64,%eax
0x08048e51 <+173>: jmp 0x8048eeb <phase_5+327>
0x08048e56 <+178>: mov $0x66,%eax
0x08048e5b <+183>: cmpl $0x363,0x2c(%esp)
0x08048e63 <+191>: je 0x8048eeb <phase_5+327>
0x08048e69 <+197>: call 0x8049515 <explode_bomb>
0x08048e6e <+202>: mov $0x66,%eax
0x08048e73 <+207>: jmp 0x8048eeb <phase_5+327>
0x08048e75 <+209>: mov $0x70,%eax
0x08048e7a <+214>: cmpl $0x161,0x2c(%esp)
0x08048e82 <+222>: je 0x8048eeb <phase_5+327>
0x08048e84 <+224>: call 0x8049515 <explode_bomb>
0x08048e89 <+229>: mov $0x70,%eax
0x08048e8e <+234>: jmp 0x8048eeb <phase_5+327>
0x08048e90 <+236>: mov $0x6f,%eax
0x08048e95 <+241>: cmpl $0x329,0x2c(%esp)
0x08048e9d <+249>: je 0x8048eeb <phase_5+327>
0x08048e9f <+251>: call 0x8049515 <explode_bomb>
0x08048ea4 <+256>: mov $0x6f,%eax
---Type <return> to continue, or q <return> to quit---
0x08048ea9 <+261>: jmp 0x8048eeb <phase_5+327>
0x08048eab <+263>: mov $0x64,%eax
0x08048eb0 <+268>: cmpl $0x273,0x2c(%esp)
0x08048eb8 <+276>: je 0x8048eeb <phase_5+327>
0x08048eba <+278>: call 0x8049515 <explode_bomb>
0x08048ebf <+283>: mov $0x64,%eax
0x08048ec4 <+288>: jmp 0x8048eeb <phase_5+327>
0x08048ec6 <+290>: mov $0x62,%eax
0x08048ecb <+295>: cmpl $0x2b8,0x2c(%esp)
0x08048ed3 <+303>: je 0x8048eeb <phase_5+327>
0x08048ed5 <+305>: call 0x8049515 <explode_bomb>
0x08048eda <+310>: mov $0x62,%eax
0x08048edf <+315>: jmp 0x8048eeb <phase_5+327>
0x08048ee1 <+317>: call 0x8049515 <explode_bomb>
0x08048ee6 <+322>: mov $0x67,%eax
=> 0x08048eeb <+327>: cmp 0x27(%esp),%al
0x08048eef <+331>: je 0x8048ef6 <phase_5+338>
0x08048ef1 <+333>: call 0x8049515 <explode_bomb>
0x08048ef6 <+338>: add $0x3c,%esp
0x08048ef9 <+341>: ret
End of assembler dump.
这里正在做一个最后的比较,我打印出了值,但这是我真的不明白它发生了什么,我相信我得到了大部分,但我似乎无法得到这个。我注意到,第一个输入数字越高,%al就越低,并且我已经改变了第二个输入数字,但它只能变得如此之高,所以我试图使第二个输入50但它会在它到达之前爆炸。< /强>
(gdb) x/d $esp+0x27
0xffffce97: 1840
(gdb) x/b $esp+0x27
0xffffce97: 48
(gdb) x/d $esp+0x27
0xffffce97: 48
(gdb) p $al
$1 = 98
我终于运行了最后的命令,但我知道它不起作用,它最终会爆炸炸弹。
(gdb) ni
0x08048eef in phase_5 ()
(gdb) ni
0x08048ef1 in phase_5 ()
(gdb) disas
Dump of assembler code for function phase_5:
0x08048da4 <+0>: sub $0x3c,%esp
0x08048da7 <+3>: lea 0x2c(%esp),%eax
0x08048dab <+7>: mov %eax,0x10(%esp)
0x08048daf <+11>: lea 0x27(%esp),%eax
0x08048db3 <+15>: mov %eax,0xc(%esp)
0x08048db7 <+19>: lea 0x28(%esp),%eax
0x08048dbb <+23>: mov %eax,0x8(%esp)
0x08048dbf <+27>: movl $0x804a54c,0x4(%esp)
0x08048dc7 <+35>: mov 0x40(%esp),%eax
0x08048dcb <+39>: mov %eax,(%esp)
0x08048dce <+42>: call 0x8048900 <__isoc99_sscanf@plt>
0x08048dd3 <+47>: cmp $0x2,%eax
0x08048dd6 <+50>: jg 0x8048ddd <phase_5+57>
0x08048dd8 <+52>: call 0x8049515 <explode_bomb>
0x08048ddd <+57>: cmpl $0x7,0x28(%esp)
0x08048de2 <+62>: ja 0x8048ee1 <phase_5+317>
0x08048de8 <+68>: mov 0x28(%esp),%eax
0x08048dec <+72>: jmp *0x804a5a0(,%eax,4)
0x08048df3 <+79>: mov $0x67,%eax
0x08048df8 <+84>: cmpl $0x2c5,0x2c(%esp)
0x08048e00 <+92>: je 0x8048eeb <phase_5+327>
0x08048e06 <+98>: call 0x8049515 <explode_bomb>
0x08048e0b <+103>: mov $0x67,%eax
0x08048e10 <+108>: jmp 0x8048eeb <phase_5+327>
0x08048e15 <+113>: mov $0x73,%eax
0x08048e1a <+118>: cmpl $0x78,0x2c(%esp)
---Type <return> to continue, or q <return> to quit---
0x08048e1f <+123>: je 0x8048eeb <phase_5+327>
0x08048e25 <+129>: call 0x8049515 <explode_bomb>
0x08048e2a <+134>: mov $0x73,%eax
0x08048e2f <+139>: jmp 0x8048eeb <phase_5+327>
0x08048e34 <+144>: mov $0x64,%eax
0x08048e39 <+149>: cmpl $0x1fd,0x2c(%esp)
0x08048e41 <+157>: je 0x8048eeb <phase_5+327>
0x08048e47 <+163>: call 0x8049515 <explode_bomb>
0x08048e4c <+168>: mov $0x64,%eax
0x08048e51 <+173>: jmp 0x8048eeb <phase_5+327>
0x08048e56 <+178>: mov $0x66,%eax
0x08048e5b <+183>: cmpl $0x363,0x2c(%esp)
0x08048e63 <+191>: je 0x8048eeb <phase_5+327>
0x08048e69 <+197>: call 0x8049515 <explode_bomb>
0x08048e6e <+202>: mov $0x66,%eax
0x08048e73 <+207>: jmp 0x8048eeb <phase_5+327>
0x08048e75 <+209>: mov $0x70,%eax
0x08048e7a <+214>: cmpl $0x161,0x2c(%esp)
0x08048e82 <+222>: je 0x8048eeb <phase_5+327>
0x08048e84 <+224>: call 0x8049515 <explode_bomb>
0x08048e89 <+229>: mov $0x70,%eax
0x08048e8e <+234>: jmp 0x8048eeb <phase_5+327>
0x08048e90 <+236>: mov $0x6f,%eax
0x08048e95 <+241>: cmpl $0x329,0x2c(%esp)
0x08048e9d <+249>: je 0x8048eeb <phase_5+327>
0x08048e9f <+251>: call 0x8049515 <explode_bomb>
0x08048ea4 <+256>: mov $0x6f,%eax
---Type <return> to continue, or q <return> to quit---
0x08048ea9 <+261>: jmp 0x8048eeb <phase_5+327>
0x08048eab <+263>: mov $0x64,%eax
0x08048eb0 <+268>: cmpl $0x273,0x2c(%esp)
0x08048eb8 <+276>: je 0x8048eeb <phase_5+327>
0x08048eba <+278>: call 0x8049515 <explode_bomb>
0x08048ebf <+283>: mov $0x64,%eax
0x08048ec4 <+288>: jmp 0x8048eeb <phase_5+327>
0x08048ec6 <+290>: mov $0x62,%eax
0x08048ecb <+295>: cmpl $0x2b8,0x2c(%esp)
0x08048ed3 <+303>: je 0x8048eeb <phase_5+327>
0x08048ed5 <+305>: call 0x8049515 <explode_bomb>
0x08048eda <+310>: mov $0x62,%eax
0x08048edf <+315>: jmp 0x8048eeb <phase_5+327>
0x08048ee1 <+317>: call 0x8049515 <explode_bomb>
0x08048ee6 <+322>: mov $0x67,%eax
0x08048eeb <+327>: cmp 0x27(%esp),%al
0x08048eef <+331>: je 0x8048ef6 <phase_5+338>
=> 0x08048ef1 <+333>: call 0x8049515 <explode_bomb>
0x08048ef6 <+338>: add $0x3c,%esp
0x08048ef9 <+341>: ret
End of assembler dump.
(gdb) q
A debugging session is active.
Inferior 1 [process 18264] will be killed.
Quit anyway? (y or n) y
我想知道我是否能得到任何帮助,也许我错过了什么,没有意识到,或者没有完全理解,我不知道该做什么。