jmpq和lea,以及rdi如何在二进制炸弹中工作

时间:2017-09-20 11:10:05

标签: assembly x86 reverse-engineering att

所以我在每条指令旁边注释了我认为它的含义,并在我不确定其功能的指令旁边加了一个(?)。我不确定的地方可能比我标记的还多,但它们大多是同一类型的指令。

0x0000000000401251 <+0>:     sub    $0x8,%rsp                              #rsp -= 8 (realigns the stack to 16 before the callq below)
0x0000000000401255 <+4>:     cmp    $0x1,%rdi                              #rdi = 1st arg = k, the count sscanf returned; compare k with 1
0x0000000000401259 <+8>:     jg     0x40126c <phase_3+27>                  #signed: continue only if k > 1, i.e. both numbers were parsed
0x000000000040125b <+10>:    callq  0x401c01 <bomb_ignition>               #k <= 1 (fewer than two numbers): explode
0x0000000000401260 <+15>:    mov    $0xffffffffffffffff,%rax               #rax = -1 (status returned to the caller)
0x0000000000401267 <+22>:    jmpq   0x40136c <phase_3+283>                 #goto epilogue
0x000000000040126c <+27>:    lea    0x16(%rdi),%rax                        #rax = rdi + 22 (lea is pure address arithmetic, nothing is read from memory); with k == 2 this is 24
0x0000000000401270 <+31>:    sub    $0x4b,%rsi                             #rsi = 2nd arg = a; rsi = a - 75
0x0000000000401274 <+35>:    cmp    $0x2b,%rsi                             #compare (a - 75) with 43
0x0000000000401278 <+39>:    ja     0x40133a <phase_3+233> bomb_ignition   #UNSIGNED compare: taken when a - 75 > 43 or when a < 75 (wraps to a huge value) -> explode unless 75 <= a <= 118
0x000000000040127e <+45>:    jmpq   *0x4027b0(,%rsi,8)                     #indirect jump through a 44-entry jump table at 0x4027b0: target = table[a - 75] (x/8a shows only the first 8 entries; x/44a shows them all)
0x0000000000401285 <+52>:    mov    %rdi,%rax                              #rax = rdi (still k here)
0x0000000000401288 <+55>:    neg    %rax                                   #rax = -rax (two's-complement negation, 0 - rax; not a bit flip)
0x000000000040128b <+58>:    sub    $0x7,%rax                              #rax -= 7
0x000000000040128f <+62>:    lea    0x14(%rax,%rax,2),%rdi                 #rdi = rax*3 + 20
0x0000000000401294 <+67>:    jmpq   0x401351 <phase_3+256>                 #goto final compare at <+256>
0x0000000000401299 <+72>:    sar    %rax                                   #rax >>= 1 (arithmetic shift: signed divide by 2, rounding toward -inf)
0x000000000040129c <+75>:    mov    %rax,%rdi                              #rdi = rax
0x000000000040129f <+78>:    jmpq   0x401351 <phase_3+256                  #goto final compare at <+256>
0x00000000004012a4 <+83>:    lea    0x0(,%rax,8),%rdi                      #rdi = rax*8 (the 8 is a scale factor, not an addend)
0x00000000004012ac <+91>:    jmpq   0x401351 <phase_3+256>                 #goto final compare at <+256>
0x00000000004012b1 <+96>:    sar    $0x2,%rax                              #rax >>= 2 (signed divide by 4, rounding toward -inf)
0x00000000004012b5 <+100>:   mov    %rax,%rdi                              #rdi = rax
0x00000000004012b8 <+103>:   jmpq   0x401351 <phase_3+256>                 #goto final compare at <+256>
0x00000000004012bd <+108>:   callq  0x401c01 <bomb_ignition>               #jump-table case (table[0]): explode
0x00000000004012c2 <+113>:   mov    $0xfffffffffffffffe,%rax               #rax = -2 (status)
0x00000000004012c9 <+120>:   jmpq   0x40136c <phase_3+283>                 #goto epilogue; not two explosions in a row - <+108> and <+125> are separate table targets, only one runs per call
0x00000000004012ce <+125>:   callq  0x401c01 <bomb_ignition>               #another jump-table case: explode
0x00000000004012d3 <+130>:   mov    $0xfffffffffffffffd,%rax               #rax = -3 (status)
0x00000000004012da <+137>:   jmpq   0x40136c <phase_3+283>                 #goto epilogue
0x00000000004012df <+142>:   lea    (%rax,%rax,1),%rdi                     #rdi = rax*2
0x00000000004012e3 <+146>:   jmp    0x401351 <phase_3+256>                 #goto final compare at <+256>
0x00000000004012e5 <+148>:   lea    0x0(,%rax,4),%rdi                      #rdi = rax*4
0x00000000004012ed <+156>:   jmp    0x401351 <phase_3+256>                 #goto final compare at <+256>
0x00000000004012ef <+158>:   lea    (%rax,%rax,8),%rdi                     #rdi = rax*9
0x00000000004012f3 <+162>:   jmp    0x401351 <phase_3+256>                 #goto final compare at <+256>
0x00000000004012f5 <+164>:   lea    0xb(,%rax,4),%rax                      #rax = rax*4 + 11
0x00000000004012fd <+172>:   sub    $0xb,%rax                              #rax -= 11 (net effect of <+164>..<+172>: rax *= 4)
0x0000000000401301 <+176>:   add    $0x15,%rax                             #rax += 21; <+176> is itself a table entry (table[6]), so that path skips the two lines above
0x0000000000401305 <+180>:   lea    0x14(%rax,%rax,4),%rdi                 #rdi = rax*5 + 20 (do not drop the 0x14 displacement)
0x000000000040130a <+185>:   jmp    0x401351 <phase_3+256>                 #goto final compare at <+256>
0x000000000040130c <+187>:   lea    0xb(%rax,%rax,1),%rdi                  #rdi = rax*2 + 11
0x0000000000401311 <+192>:   jmp    0x401351 <phase_3+256>                 #goto final compare at <+256>
0x0000000000401313 <+194>:   lea    0x13(,%rax,8),%rdi                     #rdi = rax*8 + 19
0x000000000040131b <+202>:   jmp    0x401351 <phase_3+256>                 #goto final compare at <+256>
0x000000000040131d <+204>:   lea    (%rax,%rax,4),%rdi                     #rdi = rax*5
0x0000000000401321 <+208>:   jmp    0x401351 <phase_3+256>                 #goto final compare at <+256>
0x0000000000401323 <+210>:   add    $0x24,%rdi                             #rdi += 36 (rdi still holds k on this path)
0x0000000000401327 <+214>:   jmp    0x401351 <phase_3+256>                 #goto final compare at <+256>
0x0000000000401329 <+216>:   mov    $0x11,%edi                             #edi = 17 (a 32-bit write zero-extends, so rdi = 17)
0x000000000040132e <+221>:   sub    %rax,%rdi                              #rdi = 17 - rax
0x0000000000401331 <+224>:   jmp    0x401351 <phase_3+256>                 #goto final compare at <+256>
0x0000000000401333 <+226>:   lea    0x15(%rax,%rax,8),%rdi                 #rdi = rax*9 + 21
0x0000000000401338 <+231>:   jmp    0x401351 <phase_3+256>                 #goto final compare at <+256>
0x000000000040133a <+233>:   callq  0x401c01 <bomb_ignition>               #a out of the 75..118 range (and also table[2]): explode
0x000000000040133f <+238>:   mov    $0xffffffffffffffff,%rax               #rax = -1 (status)
0x0000000000401346 <+245>:   jmp    0x40136c <phase_3+283>                 #goto epilogue
0x0000000000401348 <+247>:   lea    (%rax,%rax,2),%rax                     #rax = rax*3
0x000000000040134c <+251>:   lea    0x8(%rax,%rax,4),%rdi                  #rdi = rax*5 + 8 (falls through into the final compare)
0x0000000000401351 <+256>:   cmp    $0x78,%rdi                             #final compare: computed rdi vs 120
0x0000000000401355 <+260>:   sete   %al                                    #al = (rdi == 120) ? 1 : 0
0x0000000000401358 <+263>:   movzbl %al,%eax                               #rax = al zero-extended: the returned status is 1 if rdi == 120, else 0
0x000000000040135b <+266>:   cmp    %rdx,%rdi                              #rdx = 3rd arg = b; compare computed rdi with b
0x000000000040135e <+269>:   je     0x40136c <phase_3+283>                 #if rdi == b return normally with rax as the status
0x0000000000401360 <+271>:   callq  0x401c01 <bomb_ignition>               #rdi != b: explode
0x0000000000401365 <+276>:   mov    $0xffffffffffffffff,%rax               #rax = -1 (status)
0x000000000040136c <+283>:   add    $0x8,%rsp                              #epilogue: release the 8 bytes reserved at <+0>
0x0000000000401370 <+287>:   retq                                          #return rax to the caller

我认为它需要2个输入。 rax然后成为rdi第22个索引处的项目。这是我已经不确定的地方,因为我认为rdi是输入数量。另外,我不确定lea是如何运作的。然后它在rsi上进行一些数学运算,如果它大于43,则为blow up。所以rsi应该是118,快速数学。虽然它可以是小于118的任何数字吗?看起来减去75将使它小于43?无论如何。然后是jmpq。这又是我不确定的地方。这是一个查找表,对吗?所以我放入gdb并获得以下内容:

(gdb) x/8a 0x4027b0
0x4027b0: 0x4012bd <phase_3+108>  0x401299 <phase_3+72>
0x4027c0: 0x40133a <phase_3+233>  0x40130c <phase_3+187>
0x4027d0: 0x4012df <phase_3+142>  0x401333 <phase_3+226>
0x4027e0: 0x401301 <phase_3+176>  0x4012df <phase_3+142>

所以第8个是<phase_3+142>。那么这只是跳到那个位置吗?并跳过它之间的一切?我希望并假设如此,因为如果你不这样做会有很多计算。我在gdb查看了正确的内容吗?如果是,则转到<+142>,将rdi更改为rax*2。这就是lea的作用,我是否正确地假设了该指令正在做什么?然后它立即跳转到<+256>,将rdi与120进行比较。然后rdx也应该相同。

所以正在使用后缀,rdx = rdi = 120。然后是rdi = rax*2,所以rax = 60.但是,rax = rdi[22],再次假设lea正在做什么。但如果rdi是输入数量,它怎么能有22个字符?然后假设它不是输入数量,第22个字符怎么可能是2位数?

根据前一阶段(如果您愿意,可以查看我的历史记录),我认为%rdi包含输入数量。我可能错了。以下是bomb.c中实际调用它的代码:
k = sscanf(input, "%d %d", &a, &b);   /* k = number of %d fields converted (at most 2; below 2 means a number is missing or malformed) */
status = phase_3(k, a, b);            /* SysV AMD64: rdi = k, rsi = a, rdx = b; a and b are passed by value, not by address */
phase_defused(status);

基于此,我假设&a和&b是输入,分别对应寄存器%rsi和%rdx。我试过输入118 120,但它爆炸了。
