实验二 BinaryBomb实验
源代码
/***************************************************************************
* Dr. Evil's Insidious Bomb, Version 1.1
* Copyright 2011, Dr. Evil Incorporated. All rights reserved.
*
* LICENSE:
*
* Dr. Evil Incorporated (the PERPETRATOR) hereby grants you (the
* VICTIM) explicit permission to use this bomb (the BOMB). This is a
* time limited license, which expires on the death of the VICTIM.
* The PERPETRATOR takes no responsibility for damage, frustration,
* insanity, bug-eyes, carpal-tunnel syndrome, loss of sleep, or other
* harm to the VICTIM. Unless the PERPETRATOR wants to take credit,
* that is. The VICTIM may not distribute this bomb source code to
* any enemies of the PERPETRATOR. No VICTIM may debug,
* reverse-engineer, run "strings" on, decompile, decrypt, or use any
* other technique to gain knowledge of and defuse the BOMB. BOMB
* proof clothing may not be worn when handling this program. The
* PERPETRATOR will not apologize for the PERPETRATOR's poor sense of
* humor. This license is null and void where the BOMB is prohibited
* by law.
***************************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include "support.h"
#include "phases.h"
/*
* Note to self: Remember to erase this file so my victims will have no
* idea what is going on, and so they will all blow up in a
* spectaculary fiendish explosion. -- Dr. Evil
*/
FILE *infile;
int main(int argc, char *argv[])
{
char *input;
/* Note to self: remember to port this bomb to Windows and put a
* fantastic GUI on it. */
/* When run with no arguments, the bomb reads its input lines
* from standard input. */
if (argc == 1) {
infile = stdin;
}
/* When run with one argument <file>, the bomb reads from <file>
* until EOF, and then switches to standard input. Thus, as you
* defuse each phase, you can add its defusing string to <file> and
* avoid having to retype it. */
else if (argc == 2) {
if (!(infile = fopen(argv[1], "r"))) {
printf("%s: Error: Couldn't open %s\n", argv[0], argv[1]);
exit(8);
}
}
/* You can't call the bomb with more than 1 command line argument. */
else {
printf("Usage: %s [<input_file>]\n", argv[0]);
exit(8);
}
/* Do all sorts of secret stuff that makes the bomb harder to defuse. */
initialize_bomb();
printf("Welcome to my fiendish little bomb. You have 7 phases with\n");
printf("which to blow yourself up. Have a nice day!\n");
/* Warm up phase! */
input = read_line(); /* Get input */
if( phase_0(input) ) { /* Run the phase */
phase_defused(); /* Drat! They figured it out! */
printf("Well done! You seem to have warmed up!\n");
}
/* Hmm... Six phases must be more secure than one phase! */
input = read_line(); /* Get input */
if( phase_1(input) ) { /* Run the phase */
phase_defused(); /* Drat! They figured it out! Let me know how they did it. */
printf("Phase 1 defused. How about the next one?\n");
}
/* The second phase is harder. No one will ever figure out
* how to defuse this... */
input = read_line();
if( phase_2(input) ) {
phase_defused();
printf("That's number 2. Keep going!\n");
}
/* I guess this is too easy so far. Some more complex code will
* confuse people. */
input = read_line();
if( phase_3(input) ) {
phase_defused();
printf("Halfway there!\n");
}
/* Oh yeah? Well, how good is your math? Try on this saucy problem! */
input = read_line();
if( phase_4(input) ) {
phase_defused();
printf("So you got that one. Try this one.\n");
}
/* Round and 'round in memory we go, where we stop, the bomb blows! */
input = read_line();
if( phase_5(input) ) {
phase_defused();
printf("Good work! On to the next...\n");
}
/* This phase will never be used, since no one will get past the
* earlier ones. But just in case, make this one extra hard. */
input = read_line();
if( phase_6(input) ) {
phase_defused();
}
/* Wow, they got it! But isn't something... missing? Perhaps
* something they overlooked? Mua ha ha ha ha! */
return 0;
}
反汇编得到的东西太长了,不放。就长下面那样。
一、实验目的
1.增强对程序的机器级表示、汇编语言、调试器和逆向工程等方面原理与技能的掌握。
2. 掌握使用gdb调试器和objdump来反汇编炸弹的可执行文件,并单步跟踪调试每一阶段的机器代码,从中理解每一汇编语言代码的行为或作用,进而设法“推断”出拆除炸弹所需的目标字符串。
3. 需要拆除尽可能多的炸弹。
二、实验仪器设备/实验环境
1.Linux操作系统—32位debian
2. gdb调试器和objdump反汇编指令
3. 笔记本
三、实验内容及步骤
一个“binary bombs”(二进制炸弹,下文将简称为炸弹)是一个Linux可执行C程序,包含了7个阶段(phase1~phase6)。炸弹运行的每个阶段要求你输入一个特定的字符串,若你的输入符合程序预期的输入,该阶段的炸弹就被“拆除”,否则炸弹“爆炸”并打印输出 "BOOM!!!"字样。实验的目标是拆除尽可能多的炸弹层次。
每个炸弹阶段考察了机器级语言程序的一个不同方面,难度逐级递增:
- 阶段0:字符串比较
- 阶段1:浮点表示
- 阶段2:循环
- 阶段3:条件/分支
- 阶段4:递归调用和栈
- 阶段5:指针
- 阶段6:链表/指针/结构
- 隐藏阶段:只有在阶段4的拆解字符串后再附加一特定字符串后才会出现(作为最后一个阶段)
另外还有一个隐藏阶段,但只有了解了程序的所有阶段后并找到位置附加一特定字符串后才会出现此隐藏阶段。
为了完成二进制炸弹拆除任务,需要使用gdb调试器和objdump来反汇编炸弹的可执行文件,并单步跟踪调试每一阶段的机器代码,从中理解每一汇编语言代码的行为或作用,进而设法“推断”出拆除炸弹所需的目标字符串。这可能需要在每一阶段的开始代码前和引爆炸弹的函数前设置断点,以便于调试。
题目会根据具体情况有所不同,每位学生拿到的bomb都会有差异,所以以下过程只作为示例提供基本参考。
3.1 阶段0:字符串比较
- 任务描述:通过phase_0的反汇编代码找出要输入的字符串。
- 实验设计:利用gdb结合断点来动态地分析。
- 实验过程:
观察phase_0的反汇编代码,如图2.1所示:
发现在调用strings_not_equal对比字符串之前,有一个地址作为参考字符串地址被送入了堆栈,该地址就是正确字符串的首址,于是可以在phase_0处下个断点,运行至此处后,用x命令查看字符串(前提是地址输入正确,如输入地址不是字符串首地址,则不会出现以下效果)。具体地址,请根据思考判断。2.2所示:
“Pipelining improves throughput.”就是所需字符串。重新执行该程序,直接输入该字符串,观察结果。如图2.3所示:
图2.3
- 实验结果:如图2.3所示,阶段一拆弹成功!
阶段一很简单,当初的找出字符串首地址就可以了,没有什么大的难点。
*****************************************************************************************************************************
1.硬件环境:笔记本电脑
2.软件环境:Debian10 32位
3.虚拟机
对bomb.c文件先进行反汇编,反汇编语言为:
objdump -d bomb > bomb.txt,反汇编文件打开后如下所示:(bomb为文件名称,任意修改)
3.1 阶段0:字符串比较
这一行中我们看到 push $0x804a1dc,这里可以得到提示。
在观察后我们输入x/2s $0x804a1dc得到一串字符
08049477 <phase_0>:
8049477: 55 push %ebp
8049478: 89 e5 mov %esp,%ebp
804947a: 83 ec 08 sub $0x8,%esp
804947d: 83 ec 08 sub $0x8,%esp
8049480: 68 dc a1 04 08 push $0x804a1dc
这一行存着的内容为:Linux aims toward POSIX and SUS compliance.
再执行该行程序得到如下结果:
<phase_0>处语句接受正确
3.2阶段1:浮点表示
任务描述:通过phase_1的反汇编代码推断第二阶段要输入的数据
phase_1代码如下所示:
实验设计:利用gdb结合断点来动态地分析
实验过程:
观察phase_1的前一部分反汇编代码,如图2.4所示:
先运行文件:
观察反汇编代码得到:
代码中时通过cmp比较的无条件指令,即比较过程可通过GDB查看调试的比较过程。
80494fa: 39 c2 cmp %eax,%edx
比较eax和edx中的内容是否相等。而我在运行中特意输入两个随意数字
让他在eax寄存器中能够与而读写寄存器进行比较:
如上图所示,当运行到比较语句时,eax的值与edx的值都出来了。于是我们就找到了第一个数字:1103320656
第二个数子同样是运行后输入两个数字,只是第一个我们知道了是1103320656 第二个还是随机输入。
然后继续运行并观察调试结果。
最后得到第二个数字为:1895825408
结果成功,炸弹phase_1拆除成功。
3.3 阶段2:循环
- 任务描述:该阶段要求输入满足程序所期望顺序和取值的一个数字序列
- 实验设计:利用gdb结合断点来动态地分析
- 实验步骤:
1)对本阶段函数的反汇编结果进行总体分析
2)分析程序中对输入数字序列的期望取值
3)相应地构造输入数字序列
红框中push06进入esp-40指向的位置进入read_n_numbers
在read_n_numbers的汇编指令中,通过gdb调试,发现一直有eax与他进行比较,而且eax中并未发现我们输入的数字:
0x10(%ebp)这个位置就在0xbffff1a8中,且数值也是6,猜测我们需要输入的数字很可能是6个。
我们再观看phase_2中的反汇编代码,得到
我们输入的数字需要和0x19(25D)还有0x32(50D)进行比较,在输入的头两个数字我们就用25 50 3 4 5 6进行输入,通过GDB查看调用过程的数字变化,得到25
和50输入后就能避免直接执行<explode_bomb>
那么前两个数字是对的,再观察不断生成的
调试过程即使不清楚算法,但指令会用前面的数字继续算出我们需要的数字:
于是就发现这个新出的数字就得到62 。这样不断重复,我们就得到了
25 50 62 87 118 161
输入后得到结果正确:
3.4 阶段3:条件/分支
1. 任务描述:该阶段要求输入包含特定数字以满足switch条件分支处理的字符串
2. 实验设计:利用gdb结合断点来动态地分析
3. 实验步骤:
1)对本阶段函数的反汇编结果进行总体分析
2)分析程序中对输入字符串的解析和处理
3)相应构造输入字符串
本题回看汇编指令:
得到地址:push $0x804a208
我们可以查看试试是否会有提示:
显然,这里的提示是让我们输入两个整型。通过调试也发现过程会检测是否输入了两个数字,否则直接bomb。
在进入程序后,发现里面存在数值加减比较,一开始,我输入了12 999两个数字
在GDB 调试过程中发现,eax得到我的第一个值12后会sub 0x3,就是12-3=9
想法符合调试过程,但执行后就进行比较, 然后符合条件就会跳转
80495e4: 83 e8 03 sub $0x3,%eax
80495e7: 83 f8 09 cmp $0x9,%eax
80495ea: 77 63 ja 804964f <phase_3+0xb2>
这里的判断是eax>9就会跳转到804964f,
也就是说会直接爆炸。因此输入的初始值必须为大于12的值,这里刚好符合。
执行完第一个数字后到第二个,观察得到此时有一个数字0x34dH=845D传送进ebp-0xc中,我们记下先,继续执行。
在继续执行过程中,他再一次将我们的第二个值放在eax中,然后和ebp-0xc中的值0x34dH=845D进行比较,而那个值与我们输入的999与之不等,然后就会爆炸.
于是我们推断我们的第二个数值就是845.
在输入两个数字后发现正确。
3.5 阶段4:递归调用和栈
- 任务描述:该阶段要求输入包含特定数字以满足递归函数处理的字符串
- 实验设计:利用gdb结合断点来动态地分析
- 实验步骤:
- 对本阶段函数的反汇编结果进行总体分析
- 分析程序中的递归调用处理逻辑、终止条件与返回值
3)相应构造输入字符串
本体再次观察相应的汇编指令,查找可能存在的提示,在
上图中使用 push $0x804a208所给地址获取提示,这里也是输入两个整型数字。
再观察可得:
进一步确认信息得到:第一个输入的数字必须大于9,且输入的数量一定为2,这也确认了提示有效,那么我们可以用两个数字的条件开始调试,先输入数字10 123 。
在运行过程,他会调用递归函数fun_4,在递归中,如果过直接finish递归函数,则会通过一系列运算得到返回值265,尽管没有准确知道计算过程,在回到phase_4中继续运行时,会发现在出现比较指令,就是用你输入的第二个数进行比较,
如果两个数字一样,则结束phase_4,因此我们果断结束运行,直接输入10 265发现输入的值是正确并且可用的。(同时答案根据fun_4里面的输入不同算得结果是不唯一的,可以根据输入的第一个数字可以算出第二个数字是多少,但第一个必须大于9,且不等于9)。
然后通过进一步调试,结合相应汇编语言观察计算过程,可以得到以下规律:
输入后计算过程都是向下取整。
输入不同的答案只要符合以上计算规则就能通过。
3.6 阶段5:指针
- 任务描述:该阶段使用输入字符串中字符作为数组索引进行计算,要求输入字符串满足计算结果要求
- 实验设计:利用gdb结合断点来动态地分析
- 实验步骤:
- 对本阶段函数的反汇编结果进行总体分析
- 分析针对输入字符串的处理过程
- 相应构造输入字符串
为了方便得到题目提示,还是照常进行x/20d 地址,发现里面有一组数组:
他们的元素和下标都如下表:
10 | 2 | 14 | 7 | 8 |
0 | 1 | 2 | 3 | 4 |
12 | 15 | 11 | 0 | 4 |
5 | 6 | 7 | 8 | 9 |
1 | 13 | 3 | 9 | 6 |
10 | 11 | 12 | 13 | 14 |
5 |
15 |
然后观察得到
我们需要的数字数量为两个,并且在多次调试中发现程序会根据输入的第一个数字进行循环并且计数,直到第11(cmpl $0xb,-0xc(%ebp))次为止,而循到下一个元素则是把本次下标对应的元素作为下一个下标使用,同时必须要走到元素15的数字(下标为6)进行比较,然后结束,那么倒着推断,循环11次,可以推断出是从下标11开始:
那么第一个数字则重新输入后,进程可以正常跳转到je 80497b3 <phase_5+0x85>而不是call 8049e10 <explode_bomb>
最后通过调试发现,他是要求把那11个下标对应的元素相加,就是本体需要的答案了,得到13+9+4+8+0+10+1+2+14+6+15= 82
输入结果 11 82得到反馈正确
3.7 阶段6:链表/指针/结构
- 任务描述:该阶段要求输入一串数字用以调整一个链表中各结构的顺序,使其满足特定顺序要求
- 实验设计:利用gdb结合断点来动态地分析
- 实验步骤:
- 对本阶段函数的反汇编结果进行总体分析
- 分析程序的链表处理逻辑和内置链表数据进行分析
3)相应构造输入数串
本题同样在前面的地址中可以寻找提示:
080497ba <phase_6>:
80497ba: 55 push %ebp
80497bb: 89 e5 mov %esp,%ebp
80497bd: 83 ec 48 sub $0x48,%esp
80497c0: c7 45 e8 48 c1 04 08 movl $0x804c148,-0x18(%ebp)/地址内容先为7
注意到<node1>这里是一个节点,也就是说还有<node2,3,4,5,6>可以在后面的调试中找到这些节点的地址。
80497c7: 83 ec 08 sub $0x8,%esp
80497ca: 8d 45 d0 lea -0x30(%ebp),%eax
80497cd: 50 push %eax
80497ce: ff 75 08 pushl 0x8(%ebp)
80497d1: e8 b9 02 00 00 call 8049a8f <read_six_numbers>//提示输入六个数字
80497d6: 83 c4 10 add $0x10,%esp
80497d9: 85 c0 test %eax,%eax
80497db: 75 0a jne 80497e7 <phase_6+0x2d>
80497dd: b8 00 00 00 00 mov $0x0,%eax
80497e2: e9 37 01 00 00 jmp 804991e <phase_6+0x164>
80497e7: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
80497ee: eb 60 jmp 8049850 <phase_6+0x96>
①创建需要的内存,具体存储形式在read_six_number中查找。
///
80497f0: 8b 45 f0 mov -0x10(%ebp),%eax
80497f3: 8b 44 85 d0 mov -0x30(%ebp,%eax,4),%eax
80497f7: 85 c0 test %eax,%eax
80497f9: 7e 0c jle 8049807 <phase_6+0x4d>
80497fb: 8b 45 f0 mov -0x10(%ebp),%eax
80497fe: 8b 44 85 d0 mov -0x30(%ebp,%eax,4),%eax
8049802: 83 f8 06 cmp $0x6,%eax//输入大小必须(eax<=6)
8049805: 7e 0f jle 8049816 <phase_6+0x5c>
8049807: e8 04 06 00 00 call 8049e10 <explode_bomb>
804980c: b8 00 00 00 00 mov $0x0,%eax
8049811: e9 08 01 00 00 jmp 804991e <phase_6+0x164>
8049816: 8b 45 f0 mov -0x10(%ebp),%eax
8049819: 83 c0 01 add $0x1,%eax
804981c: 89 45 ec mov %eax,-0x14(%ebp)
804981f: eb 25 jmp 8049846 <phase_6+0x8c>
8049821: 8b 45 f0 mov -0x10(%ebp),%eax
8049824: 8b 54 85 d0 mov -0x30(%ebp,%eax,4),%edx
8049828: 8b 45 ec mov -0x14(%ebp),%eax
804982b: 8b 44 85 d0 mov -0x30(%ebp,%eax,4),%eax
804982f: 39 c2 cmp %eax,%edx
8049831: 75 0f jne 8049842 <phase_6+0x88>//循环比较是否六个数字有重复
8049833: e8 d8 05 00 00 call 8049e10 <explode_bomb>
8049838: b8 00 00 00 00 mov $0x0,%eax/最终检测为false直接返回0
804983d: e9 dc 00 00 00 jmp 804991e <phase_6+0x164>
8049842: 83 45 ec 01 addl $0x1,-0x14(%ebp)
8049846: 83 7d ec 05 cmpl $0x5,-0x14(%ebp)
804984a: 7e d5 jle 8049821 <phase_6+0x67>//循环比较是否六个数字有重复
②调试过程为循环比较数字是否有重复出现,意味着不能有相同的数字,了解后可以直接跳过这段到下一段。
//
804984c: 83 45 f0 01 addl $0x1,-0x10(%ebp)
8049850: 83 7d f0 05 cmpl $0x5,-0x10(%ebp)
8049854: 7e 9a jle 80497f0 <phase_6+0x36>
8049856: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
804985d: eb 36 jmp 8049895 <phase_6+0xdb>
804985f: 8b 45 e8 mov -0x18(%ebp),%eax
8049862: 89 45 f4 mov %eax,-0xc(%ebp)
8049865: c7 45 ec 01 00 00 00 movl $0x1,-0x14(%ebp)
804986c: eb 0d jmp 804987b <phase_6+0xc1>
804986e: 8b 45 f4 mov -0xc(%ebp),%eax
8049871: 8b 40 08 mov 0x8(%eax),%eax
8049874: 89 45 f4 mov %eax,-0xc(%ebp)
8049877: 83 45 ec 01 addl $0x1,-0x14(%ebp)
804987b: 8b 45 f0 mov -0x10(%ebp),%eax
804987e: 8b 44 85 d0 mov -0x30(%ebp,%eax,4),%eax
8049882: 39 45 ec cmp %eax,-0x14(%ebp)
8049885: 7c e7 jl 804986e <phase_6+0xb4>这个比较不重要
8049887: 8b 45 f0 mov -0x10(%ebp),%eax
804988a: 8b 55 f4 mov -0xc(%ebp),%edx
804988d: 89 54 85 b8 mov %edx,-0x48(%ebp,%eax,4)
8049891: 83 45 f0 01 addl $0x1,-0x10(%ebp)
8049895: 83 7d f0 05 cmpl $0x5,-0x10(%ebp)//重复完0-5就是6次
8049899: 7e c4 jle 804985f <phase_6+0xa5>
804989b: 8b 45 b8 mov -0x48(%ebp),%eax
804989e: 89 45 e8 mov %eax,-0x18(%ebp)
80498a1: 8b 45 e8 mov -0x18(%ebp),%eax
80498a4: 89 45 f4 mov %eax,-0xc(%ebp)
80498a7: c7 45 f0 01 00 00 00 movl $0x1,-0x10(%ebp)
80498ae: eb 1a jmp 80498ca <phase_6+0x110>
80498b0: 8b 45 f0 mov -0x10(%ebp),%eax
80498b3: 8b 54 85 b8 mov -0x48(%ebp,%eax,4),%edx
x/30wx 0xbffff1c8
80498b7: 8b 45 f4 mov -0xc(%ebp),%eax
80498ba: 89 50 08 mov %edx,0x8(%eax)
80498bd: 8b 45 f4 mov -0xc(%ebp),%eax
80498c0: 8b 40 08 mov 0x8(%eax),%eax
80498c3: 89 45 f4 mov %eax,-0xc(%ebp)
80498c6: 83 45 f0 01 addl $0x1,-0x10(%ebp)
80498ca: 83 7d f0 05 cmpl $0x5,-0x10(%ebp)//不断加1,就是循环到5,也就是一共进行6次。
80498ce: 7e e0 jle 80498b0 <phase_6+0xf6>
80498d0: 8b 45 f4 mov -0xc(%ebp),%eax
80498d3: c7 40 08 00 00 00 00 movl $0x0,0x8(%eax)
80498da: 8b 45 e8 mov -0x18(%ebp),%eax
80498dd: 89 45 f4 mov %eax,-0xc(%ebp)
80498e0: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
80498e7: eb 2a jmp 8049913 <phase_6+0x159>
//
80498e9: 8b 45 f4 mov -0xc(%ebp),%eax
80498ec: 8b 10 mov (%eax),%edx
80498ee: 8b 45 f4 mov -0xc(%ebp),%eax
80498f1: 8b 40 08 mov 0x8(%eax),%eax
80498f4: 8b 00 mov (%eax),%eax
80498f6: 39 c2 cmp %eax,%edx
80498f8: 7d 0c jge 8049906 <phase_6+0x14c>
80498fa: e8 11 05 00 00 call 8049e10 <explode_bomb>
80498ff: b8 00 00 00 00 mov $0x0,%eax
8049904: eb 18 jmp 804991e <phase_6+0x164>
8049906: 8b 45 f4 mov -0xc(%ebp),%eax
8049909: 8b 40 08 mov 0x8(%eax),%eax
804990c: 89 45 f4 mov %eax,-0xc(%ebp)
804990f: 83 45 f0 01 addl $0x1,-0x10(%ebp)
8049913: 83 7d f0 04 cmpl $0x4,-0x10(%ebp)
调试过程发现比较方式为:
Eax EDX
C118<node5>=3 |
大于 |
c10c<node6> = 8 |
C124<node4>=2 | ||
C130<node3>=1 | ||
C13c<node2>=6 | ||
C148<node1>=7 |
Eax EDX
C124<node4>=2 |
大于 |
C118<node5>=3 |
C130<node3>=1 | ||
C13c<node2>=6× | ||
C148<node1>=7× | ||
|
当C118<node5>=3大于C13c<node2>=6不符合时,就直接 call 8049e10 <explode_bomb>
EAX的进入凡是是从节点的<node6>顺序排到<node1>,因为我一开始输入的测试值是6 5 4 3 2 1。
当我尝试随意输入 1 3 5 6 4 2时,edx中也能按照我的顺序对应node的编号轮流放进edx中。此时我们可以确定,这是一个比较,并且是从大到小排序。
④这里的功能也是不断将链表中的内容放进edx中,然后进行比较。在比较过程,发现他是将链表中的节点对应内容轮流放进EBX。
8049917: 7e d0 jle 80498e9 <phase_6+0x12f>
8049919: b8 01 00 00 00 mov $0x1,%eax///到这一步就是成功了
804991e: c9 leave
804991f: c3 ret
通过gdb调试,我们用对eax中的链表地址应地址找到查找链表节点所对应的值。
根据节点的大小,进行排序,可以得到:6 1 2 5 4 3,输入结果正确。
至此,炸弹全部拆除
在pahse中有函数跳转语句,需要用finish跳转出来一些不需要查看的函数,类似于
80494ca: e8 01 fc ff ff call 80490d0 <__isoc99_sscanf@plt>
Finish然后才能继续运行下一句。
*************************************************************************************************************************************************
灵活使用gdb很重要。
用layout split可以查看进行的汇编语句
再使用layout regs可以查看寄存器的状态。
再继续输入si执行下一步
只截取需要查看的函数,可以在虚拟机里面进行反汇编得到全部。
/**************************************************************************/
08049477 <phase_0>:
8049477: 55 push %ebp
8049478: 89 e5 mov %esp,%ebp
804947a: 83 ec 08 sub $0x8,%esp
804947d: 83 ec 08 sub $0x8,%esp
8049480: 68 dc a1 04 08 push $0x804a1dc
8049485: ff 75 08 pushl 0x8(%ebp)
8049488: e8 1b 07 00 00 call 8049ba8 <strings_not_equal>
804948d: 83 c4 10 add $0x10,%esp
8049490: 85 c0 test %eax,%eax
8049492: 74 0c je 80494a0 <phase_0+0x29>
8049494: e8 77 09 00 00 call 8049e10 <explode_bomb>
8049499: b8 00 00 00 00 mov $0x0,%eax
804949e: eb 05 jmp 80494a5 <phase_0+0x2e>
80494a0: b8 01 00 00 00 mov $0x1,%eax
80494a5: c9 leave
80494a6: c3 ret
/***********************************************************************************/
080494a7 <phase_1>:
80494a7: 55 push %ebp
80494a8: 89 e5 mov %esp,%ebp
80494aa: 83 ec 28 sub $0x28,%esp
80494ad: c7 45 f4 e2 a0 ac 26 movl $0x26aca0e2,-0xc(%ebp)
80494b4: db 45 f4 fildl -0xc(%ebp)
80494b7: dd 5d e8 fstpl -0x18(%ebp)
80494ba: 8d 45 e0 lea -0x20(%ebp),%eax
80494bd: 50 push %eax
80494be: 8d 45 e4 lea -0x1c(%ebp),%eax
80494c1: 50 push %eax
80494c2: 68 08 a2 04 08 push $0x804a208
80494c7: ff 75 08 pushl 0x8(%ebp)
80494ca: e8 01 fc ff ff call 80490d0 <__isoc99_sscanf@plt>
80494cf: 83 c4 10 add $0x10,%esp
80494d2: 83 f8 02 cmp $0x2,%eax
80494d5: 74 0c je 80494e3 <phase_1+0x3c>
80494d7: e8 34 09 00 00 call 8049e10 <explode_bomb>
80494dc: b8 00 00 00 00 mov $0x0,%eax
80494e1: eb 2c jmp 804950f <phase_1+0x68>
80494e3: 8d 45 e8 lea -0x18(%ebp),%eax
80494e6: 83 c0 04 add $0x4,%eax
80494e9: 8b 10 mov (%eax),%edx
80494eb: 8b 45 e4 mov -0x1c(%ebp),%eax
80494ee: 39 c2 cmp %eax,%edx
80494f0: 75 0c jne 80494fe <phase_1+0x57>
80494f2: 8d 45 e8 lea -0x18(%ebp),%eax
80494f5: 8b 10 mov (%eax),%edx
80494f7: 8b 45 e0 mov -0x20(%ebp),%eax
80494fa: 39 c2 cmp %eax,%edx
80494fc: 74 0c je 804950a <phase_1+0x63>
80494fe: e8 0d 09 00 00 call 8049e10 <explode_bomb>
8049503: b8 00 00 00 00 mov $0x0,%eax
8049508: eb 05 jmp 804950f <phase_1+0x68>
804950a: b8 01 00 00 00 mov $0x1,%eax
804950f: c9 leave
8049510: c3 ret
/***********************************************************************************/
08049511 <phase_2>:
8049511: 55 push %ebp
8049512: 89 e5 mov %esp,%ebp
8049514: 83 ec 28 sub $0x28,%esp
8049517: 83 ec 04 sub $0x4,%esp
804951a: 6a 06 push $0x6
804951c: 8d 45 dc lea -0x24(%ebp),%eax
804951f: 50 push %eax
8049520: ff 75 08 pushl 0x8(%ebp)
8049523: e8 c6 05 00 00 call 8049aee <read_n_numbers>
8049528: 83 c4 10 add $0x10,%esp
804952b: 85 c0 test %eax,%eax
804952d: 75 07 jne 8049536 <phase_2+0x25>
804952f: b8 00 00 00 00 mov $0x0,%eax
8049534: eb 65 jmp 804959b <phase_2+0x8a>
8049536: 8b 45 dc mov -0x24(%ebp),%eax
8049539: 83 f8 19 cmp $0x19,%eax
804953c: 75 08 jne 8049546 <phase_2+0x35>
804953e: 8b 45 e0 mov -0x20(%ebp),%eax
8049541: 83 f8 32 cmp $0x32,%eax
8049544: 74 0c je 8049552 <phase_2+0x41>
8049546: e8 c5 08 00 00 call 8049e10 <explode_bomb>
804954b: b8 00 00 00 00 mov $0x0,%eax
8049550: eb 49 jmp 804959b <phase_2+0x8a>
8049552: c7 45 f4 02 00 00 00 movl $0x2,-0xc(%ebp)
8049559: eb 35 jmp 8049590 <phase_2+0x7f>
804955b: 8b 45 f4 mov -0xc(%ebp),%eax
804955e: 8b 44 85 dc mov -0x24(%ebp,%eax,4),%eax
8049562: 8b 55 f4 mov -0xc(%ebp),%edx
8049565: 83 ea 02 sub $0x2,%edx
8049568: 8b 54 95 dc mov -0x24(%ebp,%edx,4),%edx
804956c: 89 d1 mov %edx,%ecx
804956e: d1 f9 sar %ecx
8049570: 8b 55 f4 mov -0xc(%ebp),%edx
8049573: 83 ea 01 sub $0x1,%edx
8049576: 8b 54 95 dc mov -0x24(%ebp,%edx,4),%edx
804957a: 01 ca add %ecx,%edx
804957c: 39 d0 cmp %edx,%eax
804957e: 74 0c je 804958c <phase_2+0x7b>
8049580: e8 8b 08 00 00 call 8049e10 <explode_bomb>
8049585: b8 00 00 00 00 mov $0x0,%eax
804958a: eb 0f jmp 804959b <phase_2+0x8a>
804958c: 83 45 f4 01 addl $0x1,-0xc(%ebp)
8049590: 83 7d f4 05 cmpl $0x5,-0xc(%ebp)
8049594: 7e c5 jle 804955b <phase_2+0x4a>
8049596: b8 01 00 00 00 mov $0x1,%eax
804959b: c9 leave
804959c: c3 ret
/***********************************************************************************/
0804959d <phase_3>:
804959d: 55 push %ebp
804959e: 89 e5 mov %esp,%ebp
80495a0: 83 ec 18 sub $0x18,%esp
80495a3: c7 45 f4 00 00 00 00 movl $0x0,-0xc(%ebp)
80495aa: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
80495b1: 8d 45 e8 lea -0x18(%ebp),%eax
80495b4: 50 push %eax
80495b5: 8d 45 ec lea -0x14(%ebp),%eax
80495b8: 50 push %eax
80495b9: 68 08 a2 04 08 push $0x804a208
80495be: ff 75 08 pushl 0x8(%ebp)
80495c1: e8 0a fb ff ff call 80490d0 <__isoc99_sscanf@plt>
80495c6: 83 c4 10 add $0x10,%esp
80495c9: 89 45 f0 mov %eax,-0x10(%ebp)
80495cc: 83 7d f0 01 cmpl $0x1,-0x10(%ebp)
80495d0: 7f 0f jg 80495e1 <phase_3+0x44>
80495d2: e8 39 08 00 00 call 8049e10 <explode_bomb>
80495d7: b8 00 00 00 00 mov $0x0,%eax
80495dc: e9 93 00 00 00 jmp 8049674 <phase_3+0xd7>
80495e1: 8b 45 ec mov -0x14(%ebp),%eax
80495e4: 83 e8 03 sub $0x3,%eax
80495e7: 83 f8 09 cmp $0x9,%eax
80495ea: 77 63 ja 804964f <phase_3+0xb2>
80495ec: 8b 04 85 10 a2 04 08 mov 0x804a210(,%eax,4),%eax
80495f3: ff e0 jmp *%eax
80495f5: c7 45 f4 3b 01 00 00 movl $0x13b,-0xc(%ebp)
80495fc: eb 5d jmp 804965b <phase_3+0xbe>
80495fe: c7 45 f4 3b 01 00 00 movl $0x13b,-0xc(%ebp)
8049605: eb 54 jmp 804965b <phase_3+0xbe>
8049607: c7 45 f4 4d 03 00 00 movl $0x34d,-0xc(%ebp)
804960e: eb 4b jmp 804965b <phase_3+0xbe>
8049610: c7 45 f4 3b 01 00 00 movl $0x13b,-0xc(%ebp)
8049617: eb 42 jmp 804965b <phase_3+0xbe>
8049619: c7 45 f4 4d 03 00 00 movl $0x34d,-0xc(%ebp)
8049620: eb 39 jmp 804965b <phase_3+0xbe>
8049622: c7 45 f4 3b 01 00 00 movl $0x13b,-0xc(%ebp)
8049629: eb 30 jmp 804965b <phase_3+0xbe>
804962b: c7 45 f4 4d 03 00 00 movl $0x34d,-0xc(%ebp)
8049632: eb 27 jmp 804965b <phase_3+0xbe>
8049634: c7 45 f4 4d 03 00 00 movl $0x34d,-0xc(%ebp)
804963b: eb 1e jmp 804965b <phase_3+0xbe>
804963d: c7 45 f4 3b 01 00 00 movl $0x13b,-0xc(%ebp)
8049644: eb 15 jmp 804965b <phase_3+0xbe>
8049646: c7 45 f4 4d 03 00 00 movl $0x34d,-0xc(%ebp)
804964d: eb 0c jmp 804965b <phase_3+0xbe>
804964f: e8 bc 07 00 00 call 8049e10 <explode_bomb>
8049654: b8 00 00 00 00 mov $0x0,%eax
8049659: eb 19 jmp 8049674 <phase_3+0xd7>
804965b: 8b 45 e8 mov -0x18(%ebp),%eax
804965e: 39 45 f4 cmp %eax,-0xc(%ebp)
8049661: 74 0c je 804966f <phase_3+0xd2>
8049663: e8 a8 07 00 00 call 8049e10 <explode_bomb>
8049668: b8 00 00 00 00 mov $0x0,%eax
804966d: eb 05 jmp 8049674 <phase_3+0xd7>
804966f: b8 01 00 00 00 mov $0x1,%eax
8049674: c9 leave
8049675: c3 ret
/***********************************************************************************/
08049676 <func4>:
8049676: 55 push %ebp
8049677: 89 e5 mov %esp,%ebp
8049679: 53 push %ebx
804967a: 83 ec 04 sub $0x4,%esp
804967d: 83 7d 08 00 cmpl $0x0,0x8(%ebp)
8049681: 7f 07 jg 804968a <func4+0x14>
8049683: b8 03 00 00 00 mov $0x3,%eax
8049688: eb 37 jmp 80496c1 <func4+0x4b>
804968a: 83 7d 08 01 cmpl $0x1,0x8(%ebp)
804968e: 75 07 jne 8049697 <func4+0x21>
8049690: b8 14 00 00 00 mov $0x14,%eax
8049695: eb 2a jmp 80496c1 <func4+0x4b>
8049697: 8b 45 08 mov 0x8(%ebp),%eax
804969a: 83 e8 01 sub $0x1,%eax
804969d: 83 ec 0c sub $0xc,%esp
80496a0: 50 push %eax
80496a1: e8 d0 ff ff ff call 8049676 <func4>
80496a6: 83 c4 10 add $0x10,%esp
80496a9: 89 c3 mov %eax,%ebx
80496ab: 8b 45 08 mov 0x8(%ebp),%eax
80496ae: 83 e8 02 sub $0x2,%eax
80496b1: 83 ec 0c sub $0xc,%esp
80496b4: 50 push %eax
80496b5: e8 bc ff ff ff call 8049676 <func4>
80496ba: 83 c4 10 add $0x10,%esp
80496bd: d1 f8 sar %eax
80496bf: 01 d8 add %ebx,%eax
80496c1: 8b 5d fc mov -0x4(%ebp),%ebx
80496c4: c9 leave
80496c5: c3 ret
/***********************************************************************************/
080496c6 <phase_4>:
80496c6: 55 push %ebp
80496c7: 89 e5 mov %esp,%ebp
80496c9: 83 ec 18 sub $0x18,%esp
80496cc: 8d 45 e8 lea -0x18(%ebp),%eax
80496cf: 50 push %eax
80496d0: 8d 45 ec lea -0x14(%ebp),%eax
80496d3: 50 push %eax
80496d4: 68 08 a2 04 08 push $0x804a208
80496d9: ff 75 08 pushl 0x8(%ebp)
80496dc: e8 ef f9 ff ff call 80490d0 <__isoc99_sscanf@plt>
80496e1: 83 c4 10 add $0x10,%esp
80496e4: 89 45 f4 mov %eax,-0xc(%ebp)
80496e7: 83 7d f4 02 cmpl $0x2,-0xc(%ebp)
80496eb: 75 08 jne 80496f5 <phase_4+0x2f>
80496ed: 8b 45 ec mov -0x14(%ebp),%eax
80496f0: 83 f8 09 cmp $0x9,%eax
80496f3: 7f 0c jg 8049701 <phase_4+0x3b>
80496f5: e8 16 07 00 00 call 8049e10 <explode_bomb>
80496fa: b8 00 00 00 00 mov $0x0,%eax
80496ff: eb 2b jmp 804972c <phase_4+0x66>
8049701: 8b 45 ec mov -0x14(%ebp),%eax
8049704: 83 ec 0c sub $0xc,%esp
8049707: 50 push %eax
8049708: e8 69 ff ff ff call 8049676 <func4>
804970d: 83 c4 10 add $0x10,%esp
8049710: 89 45 f0 mov %eax,-0x10(%ebp)
8049713: 8b 45 e8 mov -0x18(%ebp),%eax
8049716: 39 45 f0 cmp %eax,-0x10(%ebp)
8049719: 74 0c je 8049727 <phase_4+0x61>
804971b: e8 f0 06 00 00 call 8049e10 <explode_bomb>
8049720: b8 00 00 00 00 mov $0x0,%eax
8049725: eb 05 jmp 804972c <phase_4+0x66>
8049727: b8 01 00 00 00 mov $0x1,%eax
804972c: c9 leave
804972d: c3 ret
/***********************************************************************************/
0804972e <phase_5>:
804972e: 55 push %ebp
804972f: 89 e5 mov %esp,%ebp
8049731: 83 ec 28 sub $0x28,%esp
8049734: 8d 45 e4 lea -0x1c(%ebp),%eax
8049737: 50 push %eax
8049738: 8d 45 e8 lea -0x18(%ebp),%eax
804973b: 50 push %eax
804973c: 68 08 a2 04 08 push $0x804a208
8049741: ff 75 08 pushl 0x8(%ebp)
8049744: e8 87 f9 ff ff call 80490d0 <__isoc99_sscanf@plt>
8049749: 83 c4 10 add $0x10,%esp
804974c: 89 45 ec mov %eax,-0x14(%ebp)
804974f: 83 7d ec 01 cmpl $0x1,-0x14(%ebp)
8049753: 7f 0c jg 8049761 <phase_5+0x33>
8049755: e8 b6 06 00 00 call 8049e10 <explode_bomb>
804975a: b8 00 00 00 00 mov $0x0,%eax
804975f: eb 57 jmp 80497b8 <phase_5+0x8a>
8049761: 8b 45 e8 mov -0x18(%ebp),%eax
8049764: 83 e0 0f and $0xf,%eax
8049767: 89 45 e8 mov %eax,-0x18(%ebp)
804976a: c7 45 f4 00 00 00 00 movl $0x0,-0xc(%ebp)
8049771: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
8049778: eb 17 jmp 8049791 <phase_5+0x63>
804977a: 83 45 f4 01 addl $0x1,-0xc(%ebp)
804977e: 8b 45 e8 mov -0x18(%ebp),%eax
8049781: 8b 04 85 20 c2 04 08 mov 0x804c220(,%eax,4),%eax
8049788: 89 45 e8 mov %eax,-0x18(%ebp)
804978b: 8b 45 e8 mov -0x18(%ebp),%eax
804978e: 01 45 f0 add %eax,-0x10(%ebp)
8049791: 8b 45 e8 mov -0x18(%ebp),%eax
8049794: 83 f8 0f cmp $0xf,%eax
8049797: 75 e1 jne 804977a <phase_5+0x4c>
8049799: 83 7d f4 0b cmpl $0xb,-0xc(%ebp)
804979d: 75 08 jne 80497a7 <phase_5+0x79>
804979f: 8b 45 e4 mov -0x1c(%ebp),%eax
80497a2: 39 45 f0 cmp %eax,-0x10(%ebp)
80497a5: 74 0c je 80497b3 <phase_5+0x85>
80497a7: e8 64 06 00 00 call 8049e10 <explode_bomb>
80497ac: b8 00 00 00 00 mov $0x0,%eax
80497b1: eb 05 jmp 80497b8 <phase_5+0x8a>
80497b3: b8 01 00 00 00 mov $0x1,%eax
80497b8: c9 leave
80497b9: c3 ret
/***********************************************************************************/
080497ba <phase_6>:
80497ba: 55 push %ebp
80497bb: 89 e5 mov %esp,%ebp
80497bd: 83 ec 48 sub $0x48,%esp
80497c0: c7 45 e8 48 c1 04 08 movl $0x804c148,-0x18(%ebp)
80497c7: 83 ec 08 sub $0x8,%esp
80497ca: 8d 45 d0 lea -0x30(%ebp),%eax
80497cd: 50 push %eax
80497ce: ff 75 08 pushl 0x8(%ebp)
80497d1: e8 b9 02 00 00 call 8049a8f <read_six_numbers>
80497d6: 83 c4 10 add $0x10,%esp
80497d9: 85 c0 test %eax,%eax
80497db: 75 0a jne 80497e7 <phase_6+0x2d>
80497dd: b8 00 00 00 00 mov $0x0,%eax
80497e2: e9 37 01 00 00 jmp 804991e <phase_6+0x164>
80497e7: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
80497ee: eb 60 jmp 8049850 <phase_6+0x96>
80497f0: 8b 45 f0 mov -0x10(%ebp),%eax
80497f3: 8b 44 85 d0 mov -0x30(%ebp,%eax,4),%eax
80497f7: 85 c0 test %eax,%eax
80497f9: 7e 0c jle 8049807 <phase_6+0x4d>
80497fb: 8b 45 f0 mov -0x10(%ebp),%eax
80497fe: 8b 44 85 d0 mov -0x30(%ebp,%eax,4),%eax
8049802: 83 f8 06 cmp $0x6,%eax
8049805: 7e 0f jle 8049816 <phase_6+0x5c>
8049807: e8 04 06 00 00 call 8049e10 <explode_bomb>
804980c: b8 00 00 00 00 mov $0x0,%eax
8049811: e9 08 01 00 00 jmp 804991e <phase_6+0x164>
8049816: 8b 45 f0 mov -0x10(%ebp),%eax
8049819: 83 c0 01 add $0x1,%eax
804981c: 89 45 ec mov %eax,-0x14(%ebp)
804981f: eb 25 jmp 8049846 <phase_6+0x8c>
8049821: 8b 45 f0 mov -0x10(%ebp),%eax
8049824: 8b 54 85 d0 mov -0x30(%ebp,%eax,4),%edx
8049828: 8b 45 ec mov -0x14(%ebp),%eax
804982b: 8b 44 85 d0 mov -0x30(%ebp,%eax,4),%eax
804982f: 39 c2 cmp %eax,%edx
8049831: 75 0f jne 8049842 <phase_6+0x88>
8049833: e8 d8 05 00 00 call 8049e10 <explode_bomb>
8049838: b8 00 00 00 00 mov $0x0,%eax
804983d: e9 dc 00 00 00 jmp 804991e <phase_6+0x164>
8049842: 83 45 ec 01 addl $0x1,-0x14(%ebp)
8049846: 83 7d ec 05 cmpl $0x5,-0x14(%ebp)
804984a: 7e d5 jle 8049821 <phase_6+0x67>
804984c: 83 45 f0 01 addl $0x1,-0x10(%ebp)
8049850: 83 7d f0 05 cmpl $0x5,-0x10(%ebp)
8049854: 7e 9a jle 80497f0 <phase_6+0x36>
8049856: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
804985d: eb 36 jmp 8049895 <phase_6+0xdb>
804985f: 8b 45 e8 mov -0x18(%ebp),%eax
8049862: 89 45 f4 mov %eax,-0xc(%ebp)
8049865: c7 45 ec 01 00 00 00 movl $0x1,-0x14(%ebp)
804986c: eb 0d jmp 804987b <phase_6+0xc1>
804986e: 8b 45 f4 mov -0xc(%ebp),%eax
8049871: 8b 40 08 mov 0x8(%eax),%eax
8049874: 89 45 f4 mov %eax,-0xc(%ebp)
8049877: 83 45 ec 01 addl $0x1,-0x14(%ebp)
804987b: 8b 45 f0 mov -0x10(%ebp),%eax
804987e: 8b 44 85 d0 mov -0x30(%ebp,%eax,4),%eax
8049882: 39 45 ec cmp %eax,-0x14(%ebp)
8049885: 7c e7 jl 804986e <phase_6+0xb4>
8049887: 8b 45 f0 mov -0x10(%ebp),%eax
804988a: 8b 55 f4 mov -0xc(%ebp),%edx
804988d: 89 54 85 b8 mov %edx,-0x48(%ebp,%eax,4)
8049891: 83 45 f0 01 addl $0x1,-0x10(%ebp)
8049895: 83 7d f0 05 cmpl $0x5,-0x10(%ebp)
8049899: 7e c4 jle 804985f <phase_6+0xa5>
804989b: 8b 45 b8 mov -0x48(%ebp),%eax
804989e: 89 45 e8 mov %eax,-0x18(%ebp)
80498a1: 8b 45 e8 mov -0x18(%ebp),%eax
80498a4: 89 45 f4 mov %eax,-0xc(%ebp)
80498a7: c7 45 f0 01 00 00 00 movl $0x1,-0x10(%ebp)
80498ae: eb 1a jmp 80498ca <phase_6+0x110>
80498b0: 8b 45 f0 mov -0x10(%ebp),%eax
80498b3: 8b 54 85 b8 mov -0x48(%ebp,%eax,4),%edx
80498b7: 8b 45 f4 mov -0xc(%ebp),%eax
80498ba: 89 50 08 mov %edx,0x8(%eax)
80498bd: 8b 45 f4 mov -0xc(%ebp),%eax
80498c0: 8b 40 08 mov 0x8(%eax),%eax
80498c3: 89 45 f4 mov %eax,-0xc(%ebp)
80498c6: 83 45 f0 01 addl $0x1,-0x10(%ebp)
80498ca: 83 7d f0 05 cmpl $0x5,-0x10(%ebp)
80498ce: 7e e0 jle 80498b0 <phase_6+0xf6>
80498d0: 8b 45 f4 mov -0xc(%ebp),%eax
80498d3: c7 40 08 00 00 00 00 movl $0x0,0x8(%eax)
80498da: 8b 45 e8 mov -0x18(%ebp),%eax
80498dd: 89 45 f4 mov %eax,-0xc(%ebp)
80498e0: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
80498e7: eb 2a jmp 8049913 <phase_6+0x159>
80498e9: 8b 45 f4 mov -0xc(%ebp),%eax
80498ec: 8b 10 mov (%eax),%edx
80498ee: 8b 45 f4 mov -0xc(%ebp),%eax
80498f1: 8b 40 08 mov 0x8(%eax),%eax
80498f4: 8b 00 mov (%eax),%eax
80498f6: 39 c2 cmp %eax,%edx
80498f8: 7d 0c jge 8049906 <phase_6+0x14c>
80498fa: e8 11 05 00 00 call 8049e10 <explode_bomb>
80498ff: b8 00 00 00 00 mov $0x0,%eax
8049904: eb 18 jmp 804991e <phase_6+0x164>
8049906: 8b 45 f4 mov -0xc(%ebp),%eax
8049909: 8b 40 08 mov 0x8(%eax),%eax
804990c: 89 45 f4 mov %eax,-0xc(%ebp)
804990f: 83 45 f0 01 addl $0x1,-0x10(%ebp)
8049913: 83 7d f0 04 cmpl $0x4,-0x10(%ebp)
8049917: 7e d0 jle 80498e9 <phase_6+0x12f>
8049919: b8 01 00 00 00 mov $0x1,%eax
804991e: c9 leave
804991f: c3 ret
/***********************************************************************************/
08049a8f <read_six_numbers>:
8049a8f: 55 push %ebp
8049a90: 89 e5 mov %esp,%ebp
8049a92: 56 push %esi
8049a93: 53 push %ebx
8049a94: 83 ec 10 sub $0x10,%esp
8049a97: 8b 45 0c mov 0xc(%ebp),%eax
8049a9a: 8d 70 14 lea 0x14(%eax),%esi
8049a9d: 8b 45 0c mov 0xc(%ebp),%eax
8049aa0: 8d 58 10 lea 0x10(%eax),%ebx
8049aa3: 8b 45 0c mov 0xc(%ebp),%eax
8049aa6: 8d 48 0c lea 0xc(%eax),%ecx
8049aa9: 8b 45 0c mov 0xc(%ebp),%eax
8049aac: 8d 50 08 lea 0x8(%eax),%edx
8049aaf: 8b 45 0c mov 0xc(%ebp),%eax
8049ab2: 83 c0 04 add $0x4,%eax
8049ab5: 56 push %esi
8049ab6: 53 push %ebx
8049ab7: 51 push %ecx
8049ab8: 52 push %edx
8049ab9: 50 push %eax
8049aba: ff 75 0c pushl 0xc(%ebp)
8049abd: 68 b9 a2 04 08 push $0x804a2b9
8049ac2: ff 75 08 pushl 0x8(%ebp)
8049ac5: e8 06 f6 ff ff call 80490d0 <__isoc99_sscanf@plt>
8049aca: 83 c4 20 add $0x20,%esp
8049acd: 89 45 f4 mov %eax,-0xc(%ebp)
8049ad0: 83 7d f4 05 cmpl $0x5,-0xc(%ebp)
8049ad4: 7f 0c jg 8049ae2 <read_six_numbers+0x53>
8049ad6: e8 35 03 00 00 call 8049e10 <explode_bomb>
8049adb: b8 00 00 00 00 mov $0x0,%eax
8049ae0: eb 05 jmp 8049ae7 <read_six_numbers+0x58>
8049ae2: b8 01 00 00 00 mov $0x1,%eax
8049ae7: 8d 65 f8 lea -0x8(%ebp),%esp
8049aea: 5b pop %ebx
8049aeb: 5e pop %esi
8049aec: 5d pop %ebp
8049aed: c3 ret
/***********************************************************************************/
08049aee <read_n_numbers>:
8049aee: 55 push %ebp
8049aef: 89 e5 mov %esp,%ebp
8049af1: 83 ec 18 sub $0x18,%esp
8049af4: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp)
8049afb: eb 70 jmp 8049b6d <read_n_numbers+0x7f>
8049afd: 83 7d f0 00 cmpl $0x0,-0x10(%ebp)
8049b01: 75 18 jne 8049b1b <read_n_numbers+0x2d>
8049b03: 83 ec 08 sub $0x8,%esp
8049b06: 68 cb a2 04 08 push $0x804a2cb
8049b0b: ff 75 08 pushl 0x8(%ebp)
8049b0e: e8 dd f5 ff ff call 80490f0 <strtok@plt>
8049b13: 83 c4 10 add $0x10,%esp
8049b16: 89 45 f4 mov %eax,-0xc(%ebp)
8049b19: eb 15 jmp 8049b30 <read_n_numbers+0x42>
8049b1b: 83 ec 08 sub $0x8,%esp
8049b1e: 68 cb a2 04 08 push $0x804a2cb
8049b23: 6a 00 push $0x0
8049b25: e8 c6 f5 ff ff call 80490f0 <strtok@plt>
8049b2a: 83 c4 10 add $0x10,%esp
8049b2d: 89 45 f4 mov %eax,-0xc(%ebp)
8049b30: 83 7d f4 00 cmpl $0x0,-0xc(%ebp)
8049b34: 74 27 je 8049b5d <read_n_numbers+0x6f>
8049b36: 8b 45 f0 mov -0x10(%ebp),%eax
8049b39: 8d 14 85 00 00 00 00 lea 0x0(,%eax,4),%edx
8049b40: 8b 45 0c mov 0xc(%ebp),%eax
8049b43: 01 d0 add %edx,%eax
8049b45: 83 ec 04 sub $0x4,%esp
8049b48: 50 push %eax
8049b49: 68 cf a2 04 08 push $0x804a2cf
8049b4e: ff 75 f4 pushl -0xc(%ebp)
8049b51: e8 7a f5 ff ff call 80490d0 <__isoc99_sscanf@plt>
8049b56: 83 c4 10 add $0x10,%esp
8049b59: 85 c0 test %eax,%eax
8049b5b: 7f 0c jg 8049b69 <read_n_numbers+0x7b>
8049b5d: e8 ae 02 00 00 call 8049e10 <explode_bomb>
8049b62: b8 00 00 00 00 mov $0x0,%eax
8049b67: eb 11 jmp 8049b7a <read_n_numbers+0x8c>
8049b69: 83 45 f0 01 addl $0x1,-0x10(%ebp)
8049b6d: 8b 45 f0 mov -0x10(%ebp),%eax
8049b70: 3b 45 10 cmp 0x10(%ebp),%eax
8049b73: 7c 88 jl 8049afd <read_n_numbers+0xf>
8049b75: b8 01 00 00 00 mov $0x1,%eax
8049b7a: c9 leave
8049b7b: c3 ret
/***********************************************************************************/