准备工作
- 首先去CS:APP的cmu官网下载lab2,得到bomb.tar文件,解压bomb.c 和bomb可执行文件.bomb.c是一个包含了bomb主函数逻辑的c文件,可以得知,有phase_1 - phase_6共六关(还有隐藏关卡),代码内的英文注释迷之幽默.大概说,解疯了不关作者的事.
- 使用objdump生成bomb的反汇编文件bomb.s .使用vim查看,也可gdb调试时使用生成该函数的汇编,推荐后者,因为关于跳转位置更好查看.
objdump -d bomb > bomb.s disas phase_?
开始解题
- phase_1.
(gdb) b read_line Breakpoint 1 at 0x40149e (gdb) disas phase_1 Dump of assembler code for function phase_1: 0x0000000000400ee0 <+0>: sub $0x8,%rsp 0x0000000000400ee4 <+4>: mov $0x402400,%esi 0x0000000000400ee9 <+9>: callq 0x401338 <strings_not_equal> 0x0000000000400eee <+14>: test %eax,%eax 0x0000000000400ef0 <+16>: je 0x400ef7 <phase_1+23> 0x0000000000400ef2 <+18>: callq 0x40143a <explode_bomb> 0x0000000000400ef7 <+23>: add $0x8,%rsp 0x0000000000400efb <+27>: retq End of assembler dump.
在第3行,可见向%esi移入一个立即数,%esi应该作为第4行string_not_equal的参数之一,我们查看0x402400出的内容.发现是一个字符串,这应该就是phase_1的答案了.
(gdb) print /s (char *)0x402400 $3 = 0x402400 "Border relations with Canada have never been better." (gdb) c Continuing. Border relations with Canada have never been better. Phase 1 defused. How about the next one?
-
phase_2
(gdb) disas phase_2 Dump of assembler code for function phase_2: 0x0000000000400efc <+0>: push %rbp 0x0000000000400efd <+1>: push %rbx 0x0000000000400efe <+2>: sub $0x28,%rsp 0x0000000000400f02 <+6>: mov %rsp,%rsi 0x0000000000400f05 <+9>: callq 0x40145c <read_six_numbers> 0x0000000000400f0a <+14>: cmpl $0x1,(%rsp) 0x0000000000400f0e <+18>: je 0x400f30 <phase_2+52> 0x0000000000400f10 <+20>: callq 0x40143a <explode_bomb> 0x0000000000400f15 <+25>: jmp 0x400f30 <phase_2+52> 0x0000000000400f17 <+27>: mov -0x4(%rbx),%eax 0x0000000000400f1a <+30>: add %eax,%eax 0x0000000000400f1c <+32>: cmp %eax,(%rbx) 0x0000000000400f1e <+34>: je 0x400f25 <phase_2+41> 0x0000000000400f20 <+36>: callq 0x40143a <explode_bomb> 0x0000000000400f25 <+41>: add $0x4,%rbx 0x0000000000400f29 <+45>: cmp %rbp,%rbx 0x0000000000400f2c <+48>: jne 0x400f17 <phase_2+27> 0x0000000000400f2e <+50>: jmp 0x400f3c <phase_2+64> 0x0000000000400f30 <+52>: lea 0x4(%rsp),%rbx 0x0000000000400f35 <+57>: lea 0x18(%rsp),%rbp 0x0000000000400f3a <+62>: jmp 0x400f17 <phase_2+27> 0x0000000000400f3c <+64>: add $0x28,%rsp 0x0000000000400f40 <+68>: pop %rbx 0x0000000000400f41 <+69>: pop %rbp 0x0000000000400f42 <+70>: retq End of assembler dump.
第三行发现在栈中开辟了0x28的内存区域.然后将%rsp的值传给%rsi作为参数传给函数read_six_numbers,可以看出应该使用开辟的空闲内存做数组,记数组为r,读取六个数字.将(%rsp)和0x1比较,如果不等,就会爆炸,(%rsp)为数组首地址,故r[0]=1;跳转到+52,将r[1]地址赋给%rbx,将r[6](不存在)地址赋给%rbp,跳到+27,将%eax设为%rbx指向的前一个数,此时为r[0],比较r[1]和2*r[0]是否相等,不等则爆炸.跳转到+41,%rbx+4,比较%rbx和%rbp,不等跳转到+27,重复,等则跳转到+64结束,成功.可以看出,这是一个循环比较.等价于下面的c语言.
for(int *b = &r[1]; b != &r[6]; b++) { if(*b != 2 * *(b - 1)) call bomb; }
答案为1 2 4 8 16 32
Continuing. 1 2 4 8 16 32 That's number 2. Keep going!
- phase_3
0x0000000000400f51 <+14>: mov $0x4025cf,%esi 0x0000000000400f56 <+19>: mov $0x0,%eax 0x0000000000400f5b <+24>: callq 0x400bf0 <__isoc99_sscanf@plt> 0x0000000000400f60 <+29>: cmp $0x1,%eax 0x0000000000400f63 <+32>: jg 0x400f6a <phase_3+39> 0x0000000000400f65 <+34>: callq 0x40143a <explode_bomb>
向%eax移动了一个地址,我们查看,可知又是输入2个整数,且必须是2个整数。
(gdb) x/s 0x4025cf 0x4025cf: "%d %d"
接下来,对输入的第一个数和0x7做了比较,可知输入第一个数必须小于等于7,然后将第一个数赋给%eax.
0x0000000000400f6a <+39>: cmpl $0x7,0x8(%rsp) 0x0000000000400f6f <+44>: ja 0x400fad <phase_3+106> 0x0000000000400f71 <+46>: mov 0x8(%rsp),%eax 0x0000000000400fad <+106>: callq 0x40143a <explode_bomb>
观察下面汇编,可知这是一个switch语句,以第一个数作为跳转key,生成一个值,需要和输入的第二个数相等.
0x0000000000400f75 <+50>: jmpq *0x402470(,%rax,8) 0x0000000000400f7c <+57>: mov $0xcf,%eax 0x0000000000400f81 <+62>: jmp 0x400fbe <phase_3+123> 0x0000000000400f83 <+64>: mov $0x2c3,%eax 0x0000000000400f88 <+69>: jmp 0x400fbe <phase_3+123> 0x0000000000400f8a <+71>: mov $0x100,%eax 0x0000000000400f8f <+76>: jmp 0x400fbe <phase_3+123> 0x0000000000400f91 <+78>: mov $0x185,%eax 0x0000000000400f96 <+83>: jmp 0x400fbe <phase_3+123> 0x0000000000400f98 <+85>: mov $0xce,%eax 0x0000000000400f9d <+90>: jmp 0x400fbe <phase_3+123> 0x0000000000400f9f <+92>: mov $0x2aa,%eax 0x0000000000400fa4 <+97>: jmp 0x400fbe <phase_3+123> 0x0000000000400fa6 <+99>: mov $0x147,%eax 0x0000000000400fab <+104>: jmp 0x400fbe <phase_3+123> 0x0000000000400fbe <+123>: cmp 0xc(%rsp),%eax 0x0000000000400fc2 <+127>: je 0x400fc9 <phase_3+134>
我们根据+50的地址判断跳转到何处.输入0,跳转到+57,解出一组答案:0,0xcf;
0x400f7c <phase_3+57>: 0xb8
0 207 Halfway there!
phase_3完成。
-
phase_4
由代码易知,开始读入了两个int,放在了%rsp+0x8和%rsp+0xc的位置。且第一个数小于等于14.0x000000000040100c <+0>: sub $0x18,%rsp 0x0000000000401010 <+4>: lea 0xc(%rsp),%rcx 0x0000000000401015 <+9>: lea 0x8(%rsp),%rdx 0x000000000040101a <+14>: mov $0x4025cf,%esi 0x000000000040101f <+19>: mov $0x0,%eax 0x0000000000401024 <+24>: callq 0x400bf0 <__isoc99_sscanf@plt> 0x0000000000401029 <+29>: cmp $0x2,%eax 0x000000000040102e <+34>: cmpl $0xe,0x8(%rsp) 0x0000000000401033 <+39>: jbe 0x40103a <phase_4+46>
进入func4,这是一个递归函数,pahse_4需要func4返回0,不然立即爆炸。第1,2参数为我们输入的2个数,第3参数为0xe;
0x0000000000400fce <+0>: sub $0x8,%rsp 0x0000000000400fd2 <+4>: mov %edx,%eax 0x0000000000400fd4 <+6>: sub %esi,%eax 0x0000000000400fd6 <+8>: mov %eax,%ecx 0x0000000000400fd8 <+10>: shr $0x1f,%ecx 0x0000000000400fdb <+13>: add %ecx,%eax 0x0000000000400fdd <+15>: sar %eax 0x0000000000400fdf <+17>: lea (%rax,%rsi,1),%ecx 0x0000000000400fe2 <+20>: cmp %edi,%ecx 0x0000000000400fe4 <+22>: jle 0x400ff2 <func4+36> 0x0000000000400fe6 <+24>: lea -0x1(%rcx),%edx 0x0000000000400fe9 <+27>: callq 0x400fce <func4> 0x0000000000400fee <+32>: add %eax,%eax 0x0000000000400ff0 <+34>: jmp 0x401007 <func4+57> 0x0000000000400ff2 <+36>: mov $0x0,%eax 0x0000000000400ff7 <+41>: cmp %edi,%ecx 0x0000000000400ff9 <+43>: jge 0x401007 <func4+57> 0x0000000000400ffb <+45>: lea 0x1(%rcx),%esi 0x0000000000400ffe <+48>: callq 0x400fce <func4> 0x0000000000401003 <+53>: lea 0x1(%rax,%rax,1),%eax 0x0000000000401007 <+57>: add $0x8,%rsp 0x000000000040100b <+61>: retq
观察代码,令func4为int func4(int a, int b, int c);易知(c - b) >= 0,故(c - b) >>_l 31 = 0,func4等价于下面c代码。
int f(int a, int b, int c) { int tmp = (c - b) / 2 + b; if(tmp <= a) { if(tmp == a) { return 0; } else { return f(a, tmp + 1, c) * 2 + 1; } } else { return f(a, b, tmp - 1) * 2; } }
回到phase_4,可知第二个数必为0;
0x0000000000401051 <+69>: cmpl $0x0,0xc(%rsp)
手动穷举或者利用程序穷举,答案为第一个数可以为0, 1, 3, 7