二元炸弹 - 第 2 阶段

【问题标题】:Binary bomb - phase 2二元炸弹 - 第 2 阶段
【发布时间】:2016-09-05 15:52:40
【问题描述】:

嘿,我正在拆除一个二元炸弹,现在处于第 2 阶段,并试图弄清楚应该如何进行拆除。我已经添加了关于我认为实际发生的事情的 cmets,但如果我错了,请纠正我并帮助我理解这是如何工作的。这是阶段_2:

08048763 <phase_2>:
 8048763:   55                      push   %ebp
 8048764:   89 e5                   mov    %esp,%ebp
 8048766:   83 ec 28                sub    $0x28,%esp
 ; read 6 numbers
 8048769:   8d 45 dc                lea    -0x24(%ebp),%eax
 804876c:   83 c0 14                add    $0x14,%eax
 804876f:   50                      push   %eax
 8048770:   8d 45 dc                lea    -0x24(%ebp),%eax
 8048773:   83 c0 10                add    $0x10,%eax
 8048776:   50                      push   %eax
 8048777:   8d 45 dc                lea    -0x24(%ebp),%eax
 804877a:   83 c0 0c                add    $0xc,%eax
 804877d:   50                      push   %eax
 804877e:   8d 45 dc                lea    -0x24(%ebp),%eax
 8048781:   83 c0 08                add    $0x8,%eax
 8048784:   50                      push   %eax
 8048785:   8d 45 dc                lea    -0x24(%ebp),%eax
 8048788:   83 c0 04                add    $0x4,%eax
 804878b:   50                      push   %eax
 804878c:   8d 45 dc                lea    -0x24(%ebp),%eax
 804878f:   50                      push   %eax
 8048790:   68 18 94 04 08          push   $0x8049418
 8048795:   ff 75 08                pushl  0x8(%ebp)

 ; call scanf()
 8048798:   e8 53 fd ff ff          call   80484f0 <sscanf@plt>
 804879d:   83 c4 20                add    $0x20,%esp
 ; check if first number is greater than 5
 80487a0:   83 f8 05                cmp    $0x5,%eax
 80487a3:   7f 05                   jg     80487aa <phase_2+0x47>
 80487a5:   e8 ad fe ff ff          call   8048657 <explode>
 80487aa:   8b 45 dc                mov    -0x24(%ebp),%eax
 ; check if the 2nd number is 9 ; jump if equals
 80487ad:   83 f8 09                cmp    $0x9,%eax
 80487b0:   74 05                   je     80487b7 <phase_2+0x54>
 80487b2:   e8 a0 fe ff ff          call   8048657 <explode>
 80487b7:   c7 45 f4 01 00 00 00    movl   $0x1,-0xc(%ebp)

 ; BEGIN LOOP 
 80487be:   eb 22                   jmp    80487e2 <phase_2+0x7f>
 80487c0:   8b 45 f4                mov    -0xc(%ebp),%eax
 80487c3:   8b 54 85 dc             mov    -0x24(%ebp,%eax,4),%edx
 80487c7:   8b 45 f4                mov    -0xc(%ebp),%eax
 80487ca:   83 e8 01                sub    $0x1,%eax
 80487cd:   8b 44 85 dc             mov    -0x24(%ebp,%eax,4),%eax
 ; what is it that gets multiplied here?
 80487d1:   0f af 45 f4             imul   -0xc(%ebp),%eax
 ; compare eax with edx but not clear what happens here. jump when equals
 80487d5:   39 c2                   cmp    %eax,%edx
 80487d7:   74 05                   je     80487de <phase_2+0x7b>
 80487d9:   e8 79 fe ff ff          call   8048657 <explode>
 ; we add 1 before comparing with 5?
 80487de:   83 45 f4 01             addl   $0x1,-0xc(%ebp)
 ; compare jump next if number <= 5
 80487e2:   83 7d f4 05             cmpl   $0x5,-0xc(%ebp)
 80487e6:   7e d8                   jle    80487c0 <phase_2+0x5d>
 80487e8:   83 ec 0c                sub    $0xc,%esp
 80487eb:   68 2a 94 04 08          push   $0x804942a
 80487f0:   e8 16 fe ff ff          call   804860b <say>
 80487f5:   83 c4 10                add    $0x10,%esp
 80487f8:   c9                      leave  
 80487f9:   c3                      ret

【问题讨论】:

  • eax 乘以[ebp-0xC](= 内存地址ebp-0xC 的值)并与edx 进行比较,如果它们不一样,炸弹就会爆炸。再往下,循环计数器递增,然后与 5 进行比较 - 循环继续,直到递增后的值达到 6(使用jle,因此它基本上检查 C 术语中的 ++i &lt;= 5 是否)
  • 这已经解决了,没关系。
  • 那么请将您的解决方案作为答案发布并接受它,以便其他人也可以从中受益。

标签: assembly x86 gdb reverse-engineering


【解决方案1】:

它进入循环并将第一个数字乘以 1 产生第二个数字,第二个数字与 2 相乘,产生第三个数字,依此类推,直到达到 6 个数字。所以结果是这样的 - 9 9 18 54 216 1080 我还添加了一些 cmets:

08048763 <phase_2>:
 ; set up stack frame
 8048763:   55                      push   ebp
 8048764:   89 e5                   mov    ebp,esp
 8048766:   83 ec 28                sub    esp,0x28

 ; prepare memory 6 numbers
 8048769:   8d 45 dc                lea    eax,[ebp-0x24]
 804876c:   83 c0 14                add    eax,0x14
 804876f:   50                      push   eax
 8048770:   8d 45 dc                lea    eax,[ebp-0x24]
 8048773:   83 c0 10                add    eax,0x10
 8048776:   50                      push   eax
 8048777:   8d 45 dc                lea    eax,[ebp-0x24]
 804877a:   83 c0 0c                add    eax,0xc
 804877d:   50                      push   eax
 804877e:   8d 45 dc                lea    eax,[ebp-0x24]
 8048781:   83 c0 08                add    eax,0x8
 8048784:   50                      push   eax
 8048785:   8d 45 dc                lea    eax,[ebp-0x24]
 8048788:   83 c0 04                add    eax,0x4
 804878b:   50                      push   eax
 804878c:   8d 45 dc                lea    eax,[ebp-0x24]
 804878f:   50                      push   eax
 8048790:   68 18 94 04 08          push   0x8049418
 8048795:   ff 75 08                push   DWORD PTR [ebp+0x8]

 ; call scanf()
 8048798:   e8 53 fd ff ff          call   80484f0 <sscanf@plt>
 804879d:   83 c4 20                add    esp,0x20

 ; check if there are more than 5 arguments, if not - explode
 80487a0:   83 f8 05                cmp    eax,0x5
 80487a3:   7f 05                   jg     80487aa <phase_2+0x47>
 80487a5:   e8 ad fe ff ff          call   8048657 <explode>
 80487aa:   8b 45 dc                mov    eax,DWORD PTR [ebp-0x24]

 ; check if the 1st number is 9, if it is, goto 80487b7, else explode
 80487ad:   83 f8 09                cmp    eax,0x9
 80487b0:   74 05                   je     80487b7 <phase_2+0x54>
 80487b2:   e8 a0 fe ff ff          call   8048657 <explode>

 ; BEGINNING OF LOOP for(i=1;i<=5;i++)
 80487b7:   c7 45 f4 01 00 00 00    mov    DWORD PTR [ebp-0xc],0x1 
 80487be:   eb 22                   jmp    80487e2 <phase_2+0x7f>

 ; Get loop counter ,store in EDX
 80487c0:   8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]
 80487c3:   8b 54 85 dc             mov    edx,DWORD PTR [ebp+eax*4-0x24]

 ; again take loop counter minus 1 to EAX
 80487c7:   8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]
 80487ca:   83 e8 01                sub    eax,0x1
 80487cd:   8b 44 85 dc             mov    eax,DWORD PTR [ebp+eax*4-0x24]

 ; multiply our number with loop counter minus 1
 80487d1:   0f af 45 f4             imul   eax,DWORD PTR [ebp-0xc]

 ; compare number with expected value, goto 80487de if equals
 80487d5:   39 c2                   cmp    edx,eax
 80487d7:   74 05                   je     80487de <phase_2+0x7b>
 80487d9:   e8 79 fe ff ff          call   8048657 <explode>

 ; increase loop counter
 80487de:   83 45 f4 01             add    DWORD PTR [ebp-0xc],0x1

 ; compare loop counter to 5, jump to start if less that or equal
 80487e2:   83 7d f4 05             cmp    DWORD PTR [ebp-0xc],0x5
 80487e6:   7e d8                   jle    80487c0 <phase_2+0x5d>
 80487e8:   83 ec 0c                sub    esp,0xc

 ; Push defuse message and call "say", leave and return
 80487eb:   68 2a 94 04 08          push   0x804942a
 80487f0:   e8 16 fe ff ff          call   804860b <say>
 80487f5:   83 c4 10                add    esp,0x10
 80487f8:   c9                      leave  
 80487f9:   c3                      ret

【讨论】:

    猜你喜欢
    • 2013-11-07
    • 2016-08-13
    • 2020-06-04
    • 2018-04-02
    • 1970-01-01
    • 2016-08-17
    • 2016-02-11
    • 2014-04-06
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode