二进制炸弹(第4阶段)%d%d

时间:2017-10-20 20:07:52

标签: c assembly x86-64 reverse-engineering

我的二进制炸弹第4阶段没有返回所需的结果(即12)。有什么建议吗?

第4阶段

    Dump of assembler code for function phase_4:
   0x000000000040100b <+0>:     sub    $0x18,%rsp
   0x000000000040100f <+4>:     lea    0x8(%rsp),%rcx
   0x0000000000401014 <+9>:     lea    0xc(%rsp),%rdx
   0x0000000000401019 <+14>:    mov    $0x40278d,%esi
   0x000000000040101e <+19>:    mov    $0x0,%eax
   0x0000000000401023 <+24>:    callq  0x400b90 <__isoc99_sscanf@plt>
   0x0000000000401028 <+29>:    cmp    $0x2,%eax
=> 0x000000000040102b <+32>:    je     0x401054 <phase_4+73> 
   0x000000000040102d <+34>:    callq  0x401538 <explode_bomb>
   0x0000000000401032 <+39>:    mov    $0xe,%edx 
   0x0000000000401037 <+44>:    mov    $0x0,%esi 
   0x000000000040103c <+49>:    mov    0xc(%rsp),%edi 
   0x0000000000401040 <+53>:    callq  0x400fd7 <func4> 
   0x0000000000401045 <+58>:    cmp    $0x12,%eax 
   0x0000000000401048 <+61>:    je     0x40105d <phase_4+82>
   0x000000000040104a <+63>:    callq  0x401538 <explode_bomb>
   0x000000000040104f <+68>:    add    $0x18,%rsp
   0x0000000000401053 <+72>:    retq   
   0x0000000000401054 <+73>:    cmpl   $0xe,0xc(%rsp)
   0x0000000000401059 <+78>:    jbe    0x401032 <phase_4+39>
   0x000000000040105b <+80>:    jmp    0x40102d <phase_4+34>
   0x000000000040105d <+82>:    cmpl   $0x12,0x8(%rsp)
   0x0000000000401062 <+87>:    jne    0x40104a <phase_4+63>
   0x0000000000401064 <+89>:    jmp    0x40104f <phase_4+68>
End of assembler dump.

func4如下:

Dump of assembler code for function func4:
=> 0x0000000000400fd7 <+0>:     push   %rbx         
   0x0000000000400fd8 <+1>:     mov    %edx,%eax    
   0x0000000000400fda <+3>:     sub    %esi,%eax    
   0x0000000000400fdc <+5>:     mov    %eax,%ebx   
   0x0000000000400fde <+7>:     shr    $0x1f,%ebx
   0x0000000000400fe1 <+10>:    add    %eax,%ebx    
   0x0000000000400fe3 <+12>:    sar    %ebx 
   0x0000000000400fe5 <+14>:    add    %esi,%ebx    
   0x0000000000400fe7 <+16>:    cmp    %edi,%ebx    
   0x0000000000400fe9 <+18>:    jg     0x400ff3 <func4+28>
   0x0000000000400feb <+20>:    cmp    %edi,%ebx     
   0x0000000000400fed <+22>:    jl     0x400fff <func4+40> 
   0x0000000000400fef <+24>:    mov    %ebx,%eax
   0x0000000000400ff1 <+26>:    pop    %rbx
   0x0000000000400ff2 <+27>:    retq   
   0x0000000000400ff3 <+28>:    lea    -0x1(%rbx),%edx  
   0x0000000000400ff6 <+31>:    callq  0x400fd7 <func4>
   0x0000000000400ffb <+36>:    add    %eax,%ebx
   0x0000000000400ffd <+38>:    jmp    0x400fef <func4+24>
   0x0000000000400fff <+40>:    lea    0x1(%rbx),%esi
   0x0000000000401002 <+43>:    callq  0x400fd7 <func4>
   0x0000000000401007 <+48>:    add    %eax,%ebx    
   0x0000000000401009 <+50>:    jmp    0x400fef <func4+24>
End of assembler dump.

我编写了一个测试用的C程序,我相信它与func4的汇编代码等价。

#include <stdio.h>

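int main(void)
{
    /* func4 is defined after main in this file; declare it here so the call
     * below is not an implicit declaration (invalid since C99). */
    int func4(int x, int low, int high);

    /* phase_4 only calls func4 when the first input is <= 0xe (14), so
     * tabulate func4 over exactly that input range. */
    for (int i = 0; i <= 14; i++) {
        int z = func4(i, 0, 14);
        printf("in main program: For input %d -> %d\n", i, z);
    }
    return 0;
}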

/*
 * C rendering of the bomb's func4: a recursive binary-search walk over
 * [low, high] that sums every midpoint visited on the way to x.
 *
 * x    - value searched for (phase_4 passes the first scanned input)
 * low  - lower bound of the current range (0 at the top-level call)
 * high - upper bound of the current range (14 at the top-level call)
 *
 * Returns the sum of all midpoints visited, including the one equal to x.
 * The assembly computes the midpoint as low + (high - low) / 2; that equals
 * (low + high) / 2 whenever low <= high, which holds for every x that
 * phase_4 lets through (0 <= x <= 14, checked with an unsigned compare).
 * Outside that range the recursion does not terminate, in C or in the
 * original binary, so callers must enforce the bound themselves.
 */
int func4(int x, int low, int high) {
   int mid = (low + high) / 2;

   /* x in the lower half: mid-1 becomes the new high (func4+28). */
   if (x < mid) {
      return mid + func4(x, low, mid - 1);
   }
   /* x in the upper half: mid+1 becomes the new low (func4+40). */
   if (x > mid) {
      return mid + func4(x, mid + 1, high);
   }
   /* x == mid: the search ends and mid itself is returned (func4+24). */
   return mid;
}

该程序的输出如下:

in main program: For input 0 -> 11                                                                                             
in main program: For input 1 -> 11                                                                                             
in main program: For input 2 -> 13                                                                                             
in main program: For input 3 -> 10                                                                                             
in main program: For input 4 -> 19                                                                                             
in main program: For input 5 -> 15                                                                                             
in main program: For input 6 -> 21                                                                                             
in main program: For input 7 -> 7                                                                                              
in main program: For input 8 -> 35                                                                                             
in main program: For input 9 -> 27                                                                                             
in main program: For input 10 -> 37
in main program: For input 11 -> 18                                                                                           
in main program: For input 12 -> 43                                                                                           
in main program: For input 13 -> 31                                                                                           
in main program: For input 14 -> 45

我发现该函数会读取两个参数,第二个参数应为12。但我无法从func4得到返回值12。

有什么建议吗?

1 个答案:

答案 0 :(得分:2)

汇编代码实际上期望func4返回0x12(即18,而不是12):

0x0000000000401040 <+53>:    callq  0x400fd7 <func4> 
0x0000000000401045 <+58>:    cmp    $0x12,%eax              <- Compare result to 0x12
0x0000000000401048 <+61>:    je     0x40105d <phase_4+82>
0x000000000040104a <+63>:    callq  0x401538 <explode_bomb>

我没有检查func4的C翻译是否正确,但假设它是正确的,func4(11, 0, 14)看起来正是你想要的。