先把bomb反汇编得到一堆汇编代码。。
objdump -d bomb > bomb.txt
-d 只反汇编含代码的段（比如 .text），生成反汇编代码。注意跳转表、格式串这类常量（例如第三关用到的 0x8049a54、第四关的 0x8049a74）一般不在 -d 的输出里，要看它们可以用 objdump -s / -D，或者在 gdb 里用 x/8xw、p (char*) 直接查。
第一关:You are the Diet Coke of evil, just one calorie, not evil enough.
第二关:
# phase_2(const char *input) -- 32-bit x86 (i386 cdecl): args on the stack, 0x8(%ebp) = input.
# Frame layout used below:
#   -0x20(%ebp) : int nums[]  (indices 0..5 are read: nums[i] and nums[i+3], i = 0..2)
#   -0x8(%ebp)  : i           (loop counter)
#   -0x4(%ebp)  : sum         (running sum of nums[0..2])
# Reconstructed logic:
#   read_six_numbers(input, nums);          /* presumably parses 6 ints from input -- body not shown here */
#   sum = 0;
#   for (i = 0; i <= 2; i++) {
#       if (nums[i] != nums[i + 3]) explode_bomb();
#       sum += nums[i];
#   }
#   if (sum == 0) explode_bomb();          /* NOTE: six equal numbers only pass if they are non-zero */
08048ba4 <phase_2>:
8048ba4: 55 push %ebp
8048ba5: 89 e5 mov %esp,%ebp
8048ba7: 83 ec 28 sub $0x28,%esp                     # 40 bytes: locals + outgoing call args
8048baa: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp)   # sum = 0
8048bb1: 8d 45 e0 lea -0x20(%ebp),%eax               # &nums[0]
8048bb4: 89 44 24 04 mov %eax,0x4(%esp)              # 2nd arg of read_six_numbers: nums
8048bb8: 8b 45 08 mov 0x8(%ebp),%eax                 # phase_2's own argument: the input string
8048bbb: 89 04 24 mov %eax,(%esp)                    # 1st arg of read_six_numbers: input
8048bbe: e8 f5 04 00 00 call 80490b8 <read_six_numbers>
8048bc3: c7 45 f8 00 00 00 00 movl $0x0,-0x8(%ebp)   # i = 0
8048bca: eb 27 jmp 8048bf3 <phase_2+0x4f>            # jump to loop condition first (while-style loop)
# loop body
8048bcc: 8b 45 f8 mov -0x8(%ebp),%eax
8048bcf: 8b 54 85 e0 mov -0x20(%ebp,%eax,4),%edx     # edx = nums[i]
8048bd3: 8b 45 f8 mov -0x8(%ebp),%eax
8048bd6: 83 c0 03 add $0x3,%eax
8048bd9: 8b 44 85 e0 mov -0x20(%ebp,%eax,4),%eax     # eax = nums[i + 3]
8048bdd: 39 c2 cmp %eax,%edx
8048bdf: 74 05 je 8048be6 <phase_2+0x42>             # if (nums[i] == nums[i+3]) skip the bomb
8048be1: e8 2c 0b 00 00 call 8049712 <explode_bomb>
8048be6: 8b 45 f8 mov -0x8(%ebp),%eax
8048be9: 8b 44 85 e0 mov -0x20(%ebp,%eax,4),%eax
8048bed: 01 45 fc add %eax,-0x4(%ebp)                # sum += nums[i]
8048bf0: ff 45 f8 incl -0x8(%ebp)                    # i++
# loop condition
8048bf3: 83 7d f8 02 cmpl $0x2,-0x8(%ebp)
8048bf7: 7e d3 jle 8048bcc <phase_2+0x28>            # signed: loop while i <= 2 (3 iterations)
# post-loop check: the sum of the first three numbers must be non-zero
8048bf9: 83 7d fc 00 cmpl $0x0,-0x4(%ebp)
8048bfd: 75 05 jne 8048c04 <phase_2+0x60>            # sum != 0 -> pass
8048bff: e8 0e 0b 00 00 call 8049712 <explode_bomb>
8048c04: c9 leave
8048c05: c3 ret
我拿到的这个炸弹和网上的都不一样。。。所以没有参考也是搞了半天。。
8048bf3: 83 7d f8 02 cmpl $0x2,-0x8(%ebp)
-0x8(%ebp)里的值一开始是0,所以总共循环3次。
8048bcc: 8b 45 f8 mov -0x8(%ebp),%eax
8048bcf: 8b 54 85 e0 mov -0x20(%ebp,%eax,4),%edx
8048bd3: 8b 45 f8 mov -0x8(%ebp),%eax
8048bd6: 83 c0 03 add $0x3,%eax
8048bd9: 8b 44 85 e0 mov -0x20(%ebp,%eax,4),%eax
8048bdd: 39 c2 cmp %eax,%edx
8048bdf: 74 05 je 8048be6 <phase_2+0x42>
这段的意思就是比较 nums[i] 和 nums[i+3]（i = 0,1,2）是否相等，不相等则爆炸。另外循环里还把 nums[0..2] 累加到 -0x4(%ebp)，循环结束后（8048bf9 处的 cmpl $0x0）要求这个和不为 0，否则同样爆炸。所以输入 6 个一样的非零数即可通过，全 0 会炸。
花了很长时间的原因是因为没有搞清楚数组的初始值是啥。其实 -0x20(%ebp) 这个数组是 read_six_numbers 从 phase_2 的参数 0x8(%ebp)——也就是这一关读进来的那一行输入字符串——里解析出来的，并不是 main 的 argv/命令行参数。
第三关:
08048c06 <phase_3>:
# phase_3(const char *input) -- 32-bit x86 (i386 cdecl), 0x8(%ebp) = input.
# Frame layout used below:
#   -0xc(%ebp)  : int  a    (1st value scanned by sscanf; becomes the switch index)
#   -0x11(%ebp) : char c    (2nd value; one byte, read back with movzbl at 8048d22)
#   -0x10(%ebp) : int  b    (3rd value; compared as a 32-bit int in every case)
#   -0x24(%ebp) : copy of a used for the range check / table index
#   -0x1(%ebp)  : expected char set by the selected case
#   -0x8(%ebp)  : sscanf return value
# Reconstructed logic:
#   n = sscanf(input, fmt@0x8049a4a, &a, &c, &b);   /* fmt not shown in this listing; check with gdb */
#   if (n <= 2) explode_bomb();                     /* need all three conversions */
#   if ((unsigned)a > 7) explode_bomb();            /* ja: negative a also lands in the default case */
#   switch (a) { ... 8 cases via jump table at 0x8049a54, each: expected = 'X'; if (b != K) explode_bomb(); }
#   if (c != expected) explode_bomb();
8048c06: 55 push %ebp
8048c07: 89 e5 mov %esp,%ebp
8048c09: 83 ec 38 sub $0x38,%esp                     # 56 bytes: locals + outgoing call args
8048c0c: c7 45 f8 00 00 00 00 movl $0x0,-0x8(%ebp)   # n = 0
8048c13: 8d 45 f0 lea -0x10(%ebp),%eax
8048c16: 89 44 24 10 mov %eax,0x10(%esp)             # 5th sscanf arg: &b (int)
8048c1a: 8d 45 ef lea -0x11(%ebp),%eax
8048c1d: 89 44 24 0c mov %eax,0xc(%esp)              # 4th sscanf arg: &c (char, 1 byte)
8048c21: 8d 45 f4 lea -0xc(%ebp),%eax
8048c24: 89 44 24 08 mov %eax,0x8(%esp)              # 3rd sscanf arg: &a (int)
8048c28: c7 44 24 04 4a 9a 04 movl $0x8049a4a,0x4(%esp)   # 2nd sscanf arg: format string (contents not in this listing)
8048c2f: 08
8048c30: 8b 45 08 mov 0x8(%ebp),%eax
8048c33: 89 04 24 mov %eax,(%esp)                    # 1st sscanf arg: input
8048c36: e8 2d fc ff ff call 8048868 <sscanf@plt>
8048c3b: 89 45 f8 mov %eax,-0x8(%ebp)                # n = number of successful conversions
8048c3e: 83 7d f8 02 cmpl $0x2,-0x8(%ebp)
8048c42: 7f 05 jg 8048c49 <phase_3+0x43>             # signed: n > 2 required, i.e. all three items parsed
8048c44: e8 c9 0a 00 00 call 8049712 <explode_bomb>
8048c49: 8b 45 f4 mov -0xc(%ebp),%eax
8048c4c: 89 45 dc mov %eax,-0x24(%ebp)               # idx = a
8048c4f: 83 7d dc 07 cmpl $0x7,-0x24(%ebp)
8048c53: 0f 87 c0 00 00 00 ja 8048d19 <phase_3+0x113>   # UNSIGNED compare: idx > 7 (incl. negatives) -> default case
8048c59: 8b 55 dc mov -0x24(%ebp),%edx
8048c5c: 8b 04 95 54 9a 04 08 mov 0x8049a54(,%edx,4),%eax   # eax = jump_table[idx]; table bytes not shown here
8048c63: ff e0 jmp *%eax                             # indirect jump into one of the 8 cases below
# The case-to-index mapping depends on the table contents at 0x8049a54 (not visible in -d output).
# The author's accepted answer "0 o 841" implies table[0] == 8048c65, but verify with: x/8xw 0x8049a54
# case: expected 'o' (0x6f), b must be 0x349 = 841
8048c65: c6 45 ff 6f movb $0x6f,-0x1(%ebp)
8048c69: 8b 45 f0 mov -0x10(%ebp),%eax
8048c6c: 3d 49 03 00 00 cmp $0x349,%eax
8048c71: 0f 84 ab 00 00 00 je 8048d22 <phase_3+0x11c>
8048c77: e8 96 0a 00 00 call 8049712 <explode_bomb>
8048c7c: e9 a1 00 00 00 jmp 8048d22 <phase_3+0x11c>
# case: expected 'y' (0x79), b must be 0x22c = 556
8048c81: c6 45 ff 79 movb $0x79,-0x1(%ebp)
8048c85: 8b 45 f0 mov -0x10(%ebp),%eax
8048c88: 3d 2c 02 00 00 cmp $0x22c,%eax
8048c8d: 0f 84 8f 00 00 00 je 8048d22 <phase_3+0x11c>
8048c93: e8 7a 0a 00 00 call 8049712 <explode_bomb>
8048c98: e9 85 00 00 00 jmp 8048d22 <phase_3+0x11c>
# case: expected 'z' (0x7a), b must be 0x73 = 115
8048c9d: c6 45 ff 7a movb $0x7a,-0x1(%ebp)
8048ca1: 8b 45 f0 mov -0x10(%ebp),%eax
8048ca4: 83 f8 73 cmp $0x73,%eax
8048ca7: 74 79 je 8048d22 <phase_3+0x11c>
8048ca9: e8 64 0a 00 00 call 8049712 <explode_bomb>
8048cae: eb 72 jmp 8048d22 <phase_3+0x11c>
# case: expected 'a' (0x61), b must be 0x140 = 320
8048cb0: c6 45 ff 61 movb $0x61,-0x1(%ebp)
8048cb4: 8b 45 f0 mov -0x10(%ebp),%eax
8048cb7: 3d 40 01 00 00 cmp $0x140,%eax
8048cbc: 74 64 je 8048d22 <phase_3+0x11c>
8048cbe: e8 4f 0a 00 00 call 8049712 <explode_bomb>
8048cc3: eb 5d jmp 8048d22 <phase_3+0x11c>
# case: expected 'i' (0x69), b must be 0x1f2 = 498
8048cc5: c6 45 ff 69 movb $0x69,-0x1(%ebp)
8048cc9: 8b 45 f0 mov -0x10(%ebp),%eax
8048ccc: 3d f2 01 00 00 cmp $0x1f2,%eax
8048cd1: 74 4f je 8048d22 <phase_3+0x11c>
8048cd3: e8 3a 0a 00 00 call 8049712 <explode_bomb>
8048cd8: eb 48 jmp 8048d22 <phase_3+0x11c>
# case: expected 'r' (0x72), b must be 0x39f = 927
8048cda: c6 45 ff 72 movb $0x72,-0x1(%ebp)
8048cde: 8b 45 f0 mov -0x10(%ebp),%eax
8048ce1: 3d 9f 03 00 00 cmp $0x39f,%eax
8048ce6: 74 3a je 8048d22 <phase_3+0x11c>
8048ce8: e8 25 0a 00 00 call 8049712 <explode_bomb>
8048ced: eb 33 jmp 8048d22 <phase_3+0x11c>
# case: expected 'j' (0x6a), b must be 0x22e = 558
8048cef: c6 45 ff 6a movb $0x6a,-0x1(%ebp)
8048cf3: 8b 45 f0 mov -0x10(%ebp),%eax
8048cf6: 3d 2e 02 00 00 cmp $0x22e,%eax
8048cfb: 74 25 je 8048d22 <phase_3+0x11c>
8048cfd: e8 10 0a 00 00 call 8049712 <explode_bomb>
8048d02: eb 1e jmp 8048d22 <phase_3+0x11c>
# case: expected 'b' (0x62), b must be 0x152 = 338
8048d04: c6 45 ff 62 movb $0x62,-0x1(%ebp)
8048d08: 8b 45 f0 mov -0x10(%ebp),%eax
8048d0b: 3d 52 01 00 00 cmp $0x152,%eax
8048d10: 74 10 je 8048d22 <phase_3+0x11c>
8048d12: e8 fb 09 00 00 call 8049712 <explode_bomb>
8048d17: eb 09 jmp 8048d22 <phase_3+0x11c>
# default (idx > 7 unsigned): sets 'c' (0x63) and always explodes
8048d19: c6 45 ff 63 movb $0x63,-0x1(%ebp)
8048d1d: e8 f0 09 00 00 call 8049712 <explode_bomb>
# common tail: the scanned char must equal the case's expected char
8048d22: 0f b6 45 ef movzbl -0x11(%ebp),%eax         # zero-extend c (1 byte) into eax
8048d26: 38 45 ff cmp %al,-0x1(%ebp)                 # expected == c ?
8048d29: 74 05 je 8048d30 <phase_3+0x12a>
8048d2b: e8 e2 09 00 00 call 8049712 <explode_bomb>
8048d30: c9 leave
8048d31: c3 ret
重复出现的 cmp/je 块，再加上前面的 cmpl $0x7 / ja 范围检查，以及 mov 0x8049a54(,%edx,4),%eax; jmp *%eax 这种查表后间接跳转，提示我们这是一个 switch 语句（跳转表本身不在 -d 输出里，可以在 gdb 里用 x/8xw 0x8049a54 看各个 case 的地址）。
8048c13: 8d 45 f0 lea -0x10(%ebp),%eax
8048c16: 89 44 24 10 mov %eax,0x10(%esp)
8048c1a: 8d 45 ef lea -0x11(%ebp),%eax
8048c1d: 89 44 24 0c mov %eax,0xc(%esp)
8048c21: 8d 45 f4 lea -0xc(%ebp),%eax
8048c24: 89 44 24 08 mov %eax,0x8(%esp)
这段呢，是给 sscanf 传了三个输出指针：第一个（-0xc）是 int，第二个（-0x11）只占一个字节、后面用 movzbl 读取，是 char，第三个（-0x10）是 int；格式串在 0x8049a4a，这里没显示出来，可以像第四关那样用 p (char*) 0x8049a4a 确认。紧接着的 cmpl $0x2 / jg 要求 sscanf 的返回值大于 2，也就是三个都必须匹配上，否则爆炸。
8048c49: 8b 45 f4 mov -0xc(%ebp),%eax
8048c4c: 89 45 dc mov %eax,-0x24(%ebp)
8048c4f: 83 7d dc 07 cmpl $0x7,-0x24(%ebp)
很明显，先把第一个参数拷到 -0x24(%ebp)，然后用 cmpl $0x7 / ja 检查它是否在 0~7 之间。注意 ja 是无符号比较，所以负数会被当成很大的无符号数，跳到 8048d19 的 default 分支直接爆炸。之后根据第一个参数查跳转表进入对应分支，每个分支都是"设置期望字符 + 比较第三个数"，最后在 8048d22 统一比较第二个字符。我们只要破解一种输入就行了。
答案:0 o 841
第四关:12
# int func4(int n) -- 32-bit x86 (i386 cdecl), 0x8(%ebp) = n, result in %eax.
# Reconstructed logic (naive recursive Fibonacci, exponential time):
#   if (n <= 1) return 1;                 /* signed compare: negative n also returns 1 */
#   return func4(n - 1) + func4(n - 2);
# Sequence: func4(0..12) = 1,1,2,3,5,8,13,21,34,55,89,144,233  (233 == 0xe9, the value phase_4 wants)
# %ebx is callee-saved; it holds the first recursive result across the second call.
08048d32 <func4>:
8048d32: 55 push %ebp
8048d33: 89 e5 mov %esp,%ebp
8048d35: 53 push %ebx                                # save callee-saved ebx
8048d36: 83 ec 08 sub $0x8,%esp                      # 4 bytes local (-0x8(%ebp) = result) + outgoing arg slot
8048d39: 83 7d 08 01 cmpl $0x1,0x8(%ebp)
8048d3d: 7f 09 jg 8048d48 <func4+0x16>               # signed: n > 1 -> recursive case
8048d3f: c7 45 f8 01 00 00 00 movl $0x1,-0x8(%ebp)   # base case: result = 1
8048d46: eb 21 jmp 8048d69 <func4+0x37>
8048d48: 8b 45 08 mov 0x8(%ebp),%eax
8048d4b: 48 dec %eax
8048d4c: 89 04 24 mov %eax,(%esp)
8048d4f: e8 de ff ff ff call 8048d32 <func4>         # func4(n - 1)
8048d54: 89 c3 mov %eax,%ebx                         # ebx = func4(n - 1)
8048d56: 8b 45 08 mov 0x8(%ebp),%eax
8048d59: 83 e8 02 sub $0x2,%eax
8048d5c: 89 04 24 mov %eax,(%esp)
8048d5f: e8 ce ff ff ff call 8048d32 <func4>         # func4(n - 2)
8048d64: 01 c3 add %eax,%ebx                         # ebx = func4(n-1) + func4(n-2)
8048d66: 89 5d f8 mov %ebx,-0x8(%ebp)                # result = ebx
8048d69: 8b 45 f8 mov -0x8(%ebp),%eax                # return result
8048d6c: 83 c4 08 add $0x8,%esp
8048d6f: 5b pop %ebx                                 # restore callee-saved ebx
8048d70: 5d pop %ebp
8048d71: c3 ret
func4 函数的作用是计算斐波那契数列：n <= 1 时返回 1，否则返回 func4(n-1) + func4(n-2)，也就是 1,1,2,3,5,8,13,21,34,55,89,144,233,…（朴素递归实现，指数级复杂度，不过这里只需要算一个值）。
# phase_4(const char *input) -- 32-bit x86 (i386 cdecl), 0x8(%ebp) = input.
# Frame layout used below:
#   -0xc(%ebp) : int x    (value scanned by sscanf)
#   -0x4(%ebp) : sscanf return value
#   -0x8(%ebp) : func4(x)
# Reconstructed logic:
#   if (sscanf(input, "%d", &x) != 1 || x <= 0) explode_bomb();   /* "%d" confirmed via gdb: p (char*) 0x8049a74 */
#   if (func4(x) != 0xe9) explode_bomb();                         /* 0xe9 == 233 == func4(12) */
08048d72 <phase_4>:
8048d72: 55 push %ebp
8048d73: 89 e5 mov %esp,%ebp
8048d75: 83 ec 28 sub $0x28,%esp                     # 40 bytes: locals + outgoing call args
8048d78: 8d 45 f4 lea -0xc(%ebp),%eax
8048d7b: 89 44 24 08 mov %eax,0x8(%esp)              # 3rd sscanf arg: &x
8048d7f: c7 44 24 04 74 9a 04 movl $0x8049a74,0x4(%esp)   # 2nd sscanf arg: format string "%d"
8048d86: 08
8048d87: 8b 45 08 mov 0x8(%ebp),%eax
8048d8a: 89 04 24 mov %eax,(%esp)                    # 1st sscanf arg: input
8048d8d: e8 d6 fa ff ff call 8048868 <sscanf@plt>
8048d92: 89 45 fc mov %eax,-0x4(%ebp)                # n = number of successful conversions
8048d95: 83 7d fc 01 cmpl $0x1,-0x4(%ebp)
8048d99: 75 07 jne 8048da2 <phase_4+0x30>            # n != 1 -> explode
8048d9b: 8b 45 f4 mov -0xc(%ebp),%eax
8048d9e: 85 c0 test %eax,%eax
8048da0: 7f 05 jg 8048da7 <phase_4+0x35>             # signed: x > 0 required
8048da2: e8 6b 09 00 00 call 8049712 <explode_bomb>
8048da7: 8b 45 f4 mov -0xc(%ebp),%eax
8048daa: 89 04 24 mov %eax,(%esp)
8048dad: e8 80 ff ff ff call 8048d32 <func4>         # func4(x)
8048db2: 89 45 f8 mov %eax,-0x8(%ebp)
8048db5: 81 7d f8 e9 00 00 00 cmpl $0xe9,-0x8(%ebp)  # must equal 0xe9 = 233
8048dbc: 74 05 je 8048dc3 <phase_4+0x51>
8048dbe: e8 4f 09 00 00 call 8049712 <explode_bomb>
8048dc3: c9 leave
8048dc4: c3 ret
8048d7f: c7 44 24 04 74 9a 04 movl $0x8049a74,0x4(%esp)
传进来一个什么东西放到
0x4(%esp)里也就是第一个参数的位置。打个断点看一下
p (char*) 0x8049a74
显示
$1 = 0x8049a74 "%d"
说明输入是一个整数！结合前面的检查：sscanf 必须恰好读到 1 个数（cmpl $0x1 / jne），这个数必须大于 0（test / jg 是有符号比较），并且 func4(x) 要等于 0xe9 = 233，对照上面的数列 x = 12。
第5关:150;=1