PS:小菜鸡解题过程中参考了其他一些博主的解答……
前期准备
-
打开Ubuntu,用 cd /mnt/… 切换目录,
输入 tar -xvf bombs.tar.gz 解压压缩包,之后切换目录,进入bombs文件夹中查看文件。
-
输入:objdump -d bomb_107 > bomb_asm.txt 将其反汇编而后重定向至bomb_asm.txt文件;
再输入: cat bomb_asm.txt | more 可查看其汇编代码,从而分析推导答案。 -
输入: gdb -v 检验是否安装gdb;
若无,则安装,输入: apt-get install gdb ;
(小菜鸡安装时提示说不行,便按提示先输入: sudo su 进入root身份,再 apt-get update 更新,最后 apt install gdb 即可。) -
安装完成gdb后,可输入: gdb ./文件名 进行调试。
会出现如下界面:
bomb解题
<phase_1>
0000000000400ead <phase_1>:
400ead: 48 83 ec 08 sub $0x8,%rsp
400eb1: be 2c 24 40 00 mov $0x40242c,%esi
400eb6: e8 f1 04 00 00 callq 4013ac <strings_not_equal>
400ebb: 85 c0 test %eax,%eax
400ebd: 74 05 je 400ec4 <phase_1+0x17>
400ebf: e8 e7 05 00 00 callq 4014ab <explode_bomb>
400ec4: 48 83 c4 08 add $0x8,%rsp
400ec8: c3 retq
- 输入: gdb ./bomb_107 对bomb_107进行调试。
- 输入: b phase_1 (b 也可写作 break ,为其缩写),在此处设置断点。
- 如上图第2行代码所示,查找一下 地址0x40242c 中的数据,
输入: x/s 0x40242c , 得到结果: "Wow! Brazil is big." 。 - 输入:r , 试用得出的结果运行;
输入:c , 查看结果并继续。
<phase_2>
0000000000400ec9 <phase_2>:
400ec9: 55 push %rbp
400eca: 53 push %rbx
400ecb: 48 83 ec 28 sub $0x28,%rsp
400ecf: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
400ed6: 00 00
400ed8: 48 89 44 24 18 mov %rax,0x18(%rsp)
400edd: 31 c0 xor %eax,%eax
400edf: 48 89 e6 mov %rsp,%rsi //将%rsp的值存入%rsi
400ee2: e8 e6 05 00 00 callq 4014cd <read_six_numbers> //调用函数,读入6个数
400ee7: 83 3c 24 01 cmpl $0x1,(%rsp) //将该数和1比较
400eeb: 74 05 je 400ef2 <phase_2+0x29> //等于,跳转,否则爆炸
400eed: e8 b9 05 00 00 callq 4014ab <explode_bomb>
400ef2: 48 89 e3 mov %rsp,%rbx //将%rsp的值存入%rbx
400ef5: 48 8d 6c 24 14 lea 0x14(%rsp),%rbp
400efa: 8b 03 mov (%rbx),%eax //将地址(%rbx)存的值存入寄存器%eax
400efc: 01 c0 add %eax,%eax // eax=2*eax
400efe: 39 43 04 cmp %eax,0x4(%rbx)
400f01: 74 05 je 400f08 <phase_2+0x3f>
400f03: e8 a3 05 00 00 callq 4014ab <explode_bomb>
400f08: 48 83 c3 04 add $0x4,%rbx
400f0c: 48 39 eb cmp %rbp,%rbx //将%rbx存的值和%rbp存的值做比较
400f0f: 75 e9 jne 400efa <phase_2+0x31>
400f11: 48 8b 44 24 18 mov 0x18(%rsp),%rax
400f16: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
400f1d: 00 00
400f1f: 74 05 je 400f26 <phase_2+0x5d>
400f21: e8 fa fb ff ff callq 400b20 <__stack_chk_fail@plt>
400f26: 48 83 c4 28 add $0x28,%rsp
400f2a: 5b pop %rbx
400f2b: 5d pop %rbp
400f2c: c3 retq
查看寄存器值: info r (即 i r)
答案:“1 2 4 8 16 32”
<phase_3>
0000000000400f2d <phase_3>:
400f2d: 48 83 ec 28 sub $0x28,%rsp
400f31: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
400f38: 00 00
400f3a: 48 89 44 24 18 mov %rax,0x18(%rsp)
400f3f: 31 c0 xor %eax,%eax
400f41: 4c 8d 44 24 14 lea 0x14(%rsp),%r8
400f46: 48 8d 4c 24 0f lea 0xf(%rsp),%rcx
400f4b: 48 8d 54 24 10 lea 0x10(%rsp),%rdx
400f50: be 40 24 40 00 mov $0x402440,%esi
400f55: e8 86 fc ff ff callq 400be0 <__isoc99_sscanf@plt>
400f5a: 83 f8 02 cmp $0x2,%eax
400f5d: 7f 05 jg 400f64 <phase_3+0x37>
400f5f: e8 47 05 00 00 callq 4014ab <explode_bomb>
400f64: 83 7c 24 10 07 cmpl $0x7,0x10(%rsp) //第2个数和7比,若大,则爆炸
400f69: 0f 87 f5 00 00 00 ja 401064 <phase_3+0x137>
400f6f: 8b 44 24 10 mov 0x10(%rsp),%eax //将第二个数移到eax中
400f73: ff 24 c5 60 24 40 00 jmpq *0x402460(,%rax,8)
400f7a: b8 6e 00 00 00 mov $0x6e,%eax
400f7f: 81 7c 24 14 86 00 00 cmpl $0x86,0x14(%rsp) //与0x86比较,不相等则爆炸
400f86: 00
400f87: 0f 84 e1 00 00 00 je 40106e <phase_3+0x141>
400f8d: e8 19 05 00 00 callq 4014ab <explode_bomb>
400f92: b8 6e 00 00 00 mov $0x6e,%eax
400f97: e9 d2 00 00 00 jmpq 40106e <phase_3+0x141>
400f9c: b8 67 00 00 00 mov $0x67,%eax
400fa1: 81 7c 24 14 75 01 00 cmpl $0x175,0x14(%rsp)
400fa8: 00
400fa9: 0f 84 bf 00 00 00 je 40106e <phase_3+0x141>
400faf: e8 f7 04 00 00 callq 4014ab <explode_bomb>
400fb4: b8 67 00 00 00 mov $0x67,%eax
400fb9: e9 b0 00 00 00 jmpq 40106e <phase_3+0x141>
400fbe: b8 76 00 00 00 mov $0x76,%eax
400fc3: 81 7c 24 14 fd 01 00 cmpl $0x1fd,0x14(%rsp)
400fca: 00
400fcb: 0f 84 9d 00 00 00 je 40106e <phase_3+0x141>
400fd1: e8 d5 04 00 00 callq 4014ab <explode_bomb>
400fd6: b8 76 00 00 00 mov $0x76,%eax
400fdb: e9 8e 00 00 00 jmpq 40106e <phase_3+0x141>
400fe0: b8 69 00 00 00 mov $0x69,%eax
400fe5: 81 7c 24 14 38 01 00 cmpl $0x138,0x14(%rsp)
400fec: 00
400fed: 74 7f je 40106e <phase_3+0x141>
400fef: e8 b7 04 00 00 callq 4014ab <explode_bomb>
400ff4: b8 69 00 00 00 mov $0x69,%eax
400ff9: eb 73 jmp 40106e <phase_3+0x141>
400ffb: b8 77 00 00 00 mov $0x77,%eax
401000: 83 7c 24 14 6e cmpl $0x6e,0x14(%rsp)
401005: 74 67 je 40106e <phase_3+0x141>
401007: e8 9f 04 00 00 callq 4014ab <explode_bomb>
40100c: b8 77 00 00 00 mov $0x77,%eax
401011: eb 5b jmp 40106e <phase_3+0x141>
401013: b8 6d 00 00 00 mov $0x6d,%eax
401018: 81 7c 24 14 81 00 00 cmpl $0x81,0x14(%rsp)
40101f: 00
401020: 74 4c je 40106e <phase_3+0x141>
401022: e8 84 04 00 00 callq 4014ab <explode_bomb>
401027: b8 6d 00 00 00 mov $0x6d,%eax
40102c: eb 40 jmp 40106e <phase_3+0x141>
40102e: b8 78 00 00 00 mov $0x78,%eax
401033: 81 7c 24 14 ca 00 00 cmpl $0xca,0x14(%rsp)
40103a: 00
40103b: 74 31 je 40106e <phase_3+0x141>
40103d: e8 69 04 00 00 callq 4014ab <explode_bomb>
401042: b8 78 00 00 00 mov $0x78,%eax
401047: eb 25 jmp 40106e <phase_3+0x141>
401049: b8 71 00 00 00 mov $0x71,%eax
40104e: 81 7c 24 14 1a 02 00 cmpl $0x21a,0x14(%rsp)
401055: 00
401056: 74 16 je 40106e <phase_3+0x141>
401058: e8 4e 04 00 00 callq 4014ab <explode_bomb>
40105d: b8 71 00 00 00 mov $0x71,%eax
401062: eb 0a jmp 40106e <phase_3+0x141>
401064: e8 42 04 00 00 callq 4014ab <explode_bomb>
401069: b8 63 00 00 00 mov $0x63,%eax
40106e: 3a 44 24 0f cmp 0xf(%rsp),%al //不相等则爆炸
401072: 74 05 je 401079 <phase_3+0x14c>
401074: e8 32 04 00 00 callq 4014ab <explode_bomb>
401079: 48 8b 44 24 18 mov 0x18(%rsp),%rax
40107e: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
401085: 00 00
401087: 74 05 je 40108e <phase_3+0x161>
401089: e8 92 fa ff ff callq 400b20 <__stack_chk_fail@plt>
40108e: 48 83 c4 28 add $0x28,%rsp
401092: c3 retq
- 根据 400f50 处的代码查一下 0x402440 存储处的字符串,得“%d %c %d” , 说明要输入:数字,字符,数字。
- 通看一遍 phase_3 代码,推出:
0x10(%rsp) 中存的是第一个数的值,
0x14(%rsp) 中存第二个数的值,
而字符则存在 0xf(%rsp) 中。 - 因此,对第一个数有:它小于等于7
400f64: 83 7c 24 10 07 cmpl $0x7,0x10(%rsp) 。
对第二个数:
400f73: ff 24 c5 60 24 40 00 jmpq *0x402460(,%rax,8)
gdb 查看*0x402460地址,发现是下一行400f7a,故之后它的跳转地址在400f7a基础上加上 8·%rax 的值。gdb 依次查找一下地址,发现只有地址 0x400f7a 和 0x400f92 满足要求,即 第一个数为 0 或 3 。
当第一个数为0时:第二个数为 0x86 ,即 134。
400f7a: b8 6e 00 00 00 mov $0x6e,%eax
400f7f: 81 7c 24 14 86 00 00 cmpl $0x86,0x14(%rsp)
当第一个数为3时:第二个数为 0x6e ,即 110。
400f92: b8 6e 00 00 00 mov $0x6e,%eax
最后看字符:其值等于 0x6e , 转化过来就是 n 。
401069: b8 63 00 00 00 mov $0x63,%eax
40106e: 3a 44 24 0f cmp 0xf(%rsp),%al
401072: 74 05 je 401079 <phase_3+0x14c>
401074: e8 32 04 00 00 callq 4014ab <explode_bomb>
- 答案:“0 n 134” 或 “3 n 110”
<phase_4>
00000000004010c6 <phase_4>:
4010c6: 48 83 ec 18 sub $0x18,%rsp
4010ca: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
4010d1: 00 00
4010d3: 48 89 44 24 08 mov %rax,0x8(%rsp)
4010d8: 31 c0 xor %eax,%eax
4010da: 48 8d 4c 24 04 lea 0x4(%rsp),%rcx
4010df: 48 89 e2 mov %rsp,%rdx
4010e2: be 17 26 40 00 mov $0x402617,%esi
4010e7: e8 f4 fa ff ff callq 400be0 <__isoc99_sscanf@plt>
4010ec: 83 f8 02 cmp $0x2,%eax //此处%eax值必须为2
4010ef: 75 06 jne 4010f7 <phase_4+0x31>
4010f1: 83 3c 24 0e cmpl $0xe,(%rsp)
4010f5: 76 05 jbe 4010fc <phase_4+0x36>
4010f7: e8 af 03 00 00 callq 4014ab <explode_bomb>
4010fc: ba 0e 00 00 00 mov $0xe,%edx
401101: be 00 00 00 00 mov $0x0,%esi
401106: 8b 3c 24 mov (%rsp),%edi
401109: e8 85 ff ff ff callq 401093 <func4>
40110e: 83 f8 23 cmp $0x23,%eax //%eax值必须为0x23,否则爆炸
401111: 75 07 jne 40111a <phase_4+0x54>
401113: 83 7c 24 04 23 cmpl $0x23,0x4(%rsp)
401118: 74 05 je 40111f <phase_4+0x59>
40111a: e8 8c 03 00 00 callq 4014ab <explode_bomb>
40111f: 48 8b 44 24 08 mov 0x8(%rsp),%rax
401124: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
40112b: 00 00
40112d: 74 05 je 401134 <phase_4+0x6e>
40112f: e8 ec f9 ff ff callq 400b20 <__stack_chk_fail@plt>
401134: 48 83 c4 18 add $0x18,%rsp
401138: c3 retq
0000000000401093 <func4>:
401093: 53 push %rbx
401094: 89 d0 mov %edx,%eax
401096: 29 f0 sub %esi,%eax
401098: 89 c3 mov %eax,%ebx
40109a: c1 eb 1f shr $0x1f,%ebx
40109d: 01 d8 add %ebx,%eax
40109f: d1 f8 sar %eax
4010a1: 8d 1c 30 lea (%rax,%rsi,1),%ebx
4010a4: 39 fb cmp %edi,%ebx
4010a6: 7e 0c jle 4010b4 <func4+0x21>
4010a8: 8d 53 ff lea -0x1(%rbx),%edx
4010ab: e8 e3 ff ff ff callq 401093 <func4>
4010b0: 01 d8 add %ebx,%eax
4010b2: eb 10 jmp 4010c4 <func4+0x31>
4010b4: 89 d8 mov %ebx,%eax
4010b6: 39 fb cmp %edi,%ebx
4010b8: 7d 0a jge 4010c4 <func4+0x31>
4010ba: 8d 73 01 lea 0x1(%rbx),%esi
4010bd: e8 d1 ff ff ff callq 401093 <func4>
4010c2: 01 d8 add %ebx,%eax
4010c4: 5b pop %rbx
4010c5: c3 retq
- 查看 0x402617 处的字符串,可知应输入2个数字。
- 首先,推出第一个数在 (%rsp) 中,第二个数在 0x4(%rsp) 中。
4010f1: 83 3c 24 0e cmpl $0xe,(%rsp)
4010f5: 76 05 jbe 4010fc <phase_4+0x36>
4010f7: e8 af 03 00 00 callq 4014ab <explode_bomb>
由上述代码知,第一个数必须小于等于 0xe。
401113: 83 7c 24 04 23 cmpl $0x23,0x4(%rsp)
401118: 74 05 je 40111f <phase_4+0x59>
40111a: e8 8c 03 00 00 callq 4014ab <explode_bomb>
而由此知,第二个数必须为 0x23 ,即35。
接下来,小菜鸡耍了个小聪明(因为实在不想看 函数func4 里的东西),在0~14中gdb找第一个数的值(毕竟有范围,运气好的话没几下就找到了),最终得到结果 8。
- 答案:“8 35”。
<phase_5>
0000000000401139 <phase_5>:
401139: 53 push %rbx
40113a: 48 89 fb mov %rdi,%rbx
40113d: e8 4c 02 00 00 callq 40138e <string_length>
401142: 83 f8 06 cmp $0x6,%eax
401145: 74 05 je 40114c <phase_5+0x13>
401147: e8 5f 03 00 00 callq 4014ab <explode_bomb>
40114c: 48 89 d8 mov %rbx,%rax
40114f: 48 8d 7b 06 lea 0x6(%rbx),%rdi
401153: b9 00 00 00 00 mov $0x0,%ecx
401158: 0f b6 10 movzbl (%rax),%edx
40115b: 83 e2 0f and $0xf,%edx
40115e: 03 0c 95 a0 24 40 00 add 0x4024a0(,%rdx,4),%ecx
401165: 48 83 c0 01 add $0x1,%rax
401169: 48 39 f8 cmp %rdi,%rax
40116c: 75 ea jne 401158 <phase_5+0x1f>
40116e: 83 f9 2c cmp $0x2c,%ecx
401171: 74 05 je 401178 <phase_5+0x3f>
401173: e8 33 03 00 00 callq 4014ab <explode_bomb>
401178: 5b pop %rbx
401179: c3 retq
- 该题要求输入一个长度为6的字符串,并用循环对其中的每一位字符进行操作,使最终 %ecx 的值等于 0x2c ,即44。
- 由下述代码,联系到检测地址 0x4024a0 的值,而 %ecx 值为地址 (0x4024a0+4*%rdx)的值,故尝试 %rdx 值为 0~f 时 %ecx 的取值。
40115e: 03 0c 95 a0 24 40 00 add 0x4024a0(,%rdx,4),%ecx
由gdb的结果可看出,3+4+7+14+5+11=44, 故%rdx 为7~12。
- 回看之前步骤,要求对%rdx取低4位,故对照ASCII码表(百度一搜就搜到了),将相同低4位对应,就可得到结果。
40115b: 83 e2 0f and $0xf,%edx
- 答案:“789:;<” or “GHIJKL” or " WXYZ[\ " or “ghijkl” ……
(其实只要每一行对应就好, 789jkl 这样混搭的答案也是正确的。)
<phase_6>
000000000040117a <phase_6>:
40117a: 41 55 push %r13
40117c: 41 54 push %r12
40117e: 55 push %rbp
40117f: 53 push %rbx
401180: 48 83 ec 68 sub $0x68,%rsp
401184: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
40118b: 00 00
40118d: 48 89 44 24 58 mov %rax,0x58(%rsp)
401192: 31 c0 xor %eax,%eax
401194: 48 89 e6 mov %rsp,%rsi
//输入数字必须小于等于6
401197: e8 31 03 00 00 callq 4014cd <read_six_numbers>
40119c: 49 89 e4 mov %rsp,%r12
40119f: 41 bd 00 00 00 00 mov $0x0,%r13d
4011a5: 4c 89 e5 mov %r12,%rbp
4011a8: 41 8b 04 24 mov (%r12),%eax
4011ac: 83 e8 01 sub $0x1,%eax
4011af: 83 f8 05 cmp $0x5,%eax
4011b2: 76 05 jbe 4011b9 <phase_6+0x3f>
4011b4: e8 f2 02 00 00 callq 4014ab <explode_bomb>
//该段在不断循环比较,确保所有输入数字不相等才继续
4011b9: 41 83 c5 01 add $0x1,%r13d
4011bd: 41 83 fd 06 cmp $0x6,%r13d
4011c1: 74 3d je 401200 <phase_6+0x86>
4011c3: 44 89 eb mov %r13d,%ebx
4011c6: 48 63 c3 movslq %ebx,%rax
4011c9: 8b 04 84 mov (%rsp,%rax,4),%eax
4011cc: 39 45 00 cmp %eax,0x0(%rbp)
4011cf: 75 05 jne 4011d6 <phase_6+0x5c>
4011d1: e8 d5 02 00 00 callq 4014ab <explode_bomb>
4011d6: 83 c3 01 add $0x1,%ebx
4011d9: 83 fb 05 cmp $0x5,%ebx
4011dc: 7e e8 jle 4011c6 <phase_6+0x4c>
4011de: 49 83 c4 04 add $0x4,%r12
4011e2: eb c1 jmp 4011a5 <phase_6+0x2b>
// L1:
4011e4: 48 8b 52 08 mov 0x8(%rdx),%rdx
4011e8: 83 c0 01 add $0x1,%eax
4011eb: 39 c8 cmp %ecx,%eax
4011ed: 75 f5 jne 4011e4 <phase_6+0x6a>
// L2:
4011ef: 48 89 54 74 20 mov %rdx,0x20(%rsp,%rsi,2)
4011f4: 48 83 c6 04 add $0x4,%rsi
4011f8: 48 83 fe 18 cmp $0x18,%rsi
4011fc: 75 07 jne 401205 <phase_6+0x8b>
4011fe: eb 19 jmp 401219 <phase_6+0x9f>
401200: be 00 00 00 00 mov $0x0,%esi
401205: 8b 0c 34 mov (%rsp,%rsi,1),%ecx
401208: b8 01 00 00 00 mov $0x1,%eax
40120d: ba f0 32 60 00 mov $0x6032f0,%edx
401212: 83 f9 01 cmp $0x1,%ecx
401215: 7f cd jg 4011e4 <phase_6+0x6a> // 跳到L1处
401217: eb d6 jmp 4011ef <phase_6+0x75> // 跳到L2处
401219: 48 8b 5c 24 20 mov 0x20(%rsp),%rbx
40121e: 48 8d 44 24 20 lea 0x20(%rsp),%rax
401223: 48 8d 74 24 48 lea 0x48(%rsp),%rsi
401228: 48 89 d9 mov %rbx,%rcx
40122b: 48 8b 50 08 mov 0x8(%rax),%rdx
40122f: 48 89 51 08 mov %rdx,0x8(%rcx)
401233: 48 83 c0 08 add $0x8,%rax
401237: 48 89 d1 mov %rdx,%rcx
40123a: 48 39 f0 cmp %rsi,%rax
40123d: 75 ec jne 40122b <phase_6+0xb1>
40123f: 48 c7 42 08 00 00 00 movq $0x0,0x8(%rdx)
401246: 00
401247: bd 05 00 00 00 mov $0x5,%ebp
40124c: 48 8b 43 08 mov 0x8(%rbx),%rax
401250: 8b 00 mov (%rax),%eax
401252: 39 03 cmp %eax,(%rbx)
401254: 7e 05 jle 40125b <phase_6+0xe1> //要求数递增
401256: e8 50 02 00 00 callq 4014ab <explode_bomb>
40125b: 48 8b 5b 08 mov 0x8(%rbx),%rbx
40125f: 83 ed 01 sub $0x1,%ebp
401262: 75 e8 jne 40124c <phase_6+0xd2>
401264: 48 8b 44 24 58 mov 0x58(%rsp),%rax
401269: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
401270: 00 00
401272: 74 05 je 401279 <phase_6+0xff>
401274: e8 a7 f8 ff ff callq 400b20 <__stack_chk_fail@plt>
401279: 48 83 c4 68 add $0x68,%rsp
40127d: 5b pop %rbx
40127e: 5d pop %rbp
40127f: 41 5c pop %r12
401281: 41 5d pop %r13
401283: c3 retq
- 首先,先看看代码中唯一一个需要我们自行查找的地址(0x6032f0)所含的东西,如下图所示,分别为16进制和10进制的形式。
- 我大致将代码分了几段,分别要求: 输入的数字小于等于6、 输入的数字互不相等、最终的数据要递增。因此,结合地址 0x6032f0 中的数据,知 984 > 709 > 487 > 324 > 278 > 138。故答案为:“2 3 4 5 6 1”。
<secret_phase>
- 在 <phase_defused> 中,能发现有这样几行代码:
401668: e8 73 f5 ff ff callq 400be0 <__isoc99_sscanf@plt>
40166d: 83 f8 03 cmp $0x3,%eax
401670: 75 31 jne 4016a3 <phase_defused+0x71>
401672: be 6a 26 40 00 mov $0x40266a,%esi
401677: 48 8d 7c 24 10 lea 0x10(%rsp),%rdi
40167c: e8 2b fd ff ff callq 4013ac <strings_not_equal>
401681: 85 c0 test %eax,%eax
401683: 75 1e jne 4016a3 <phase_defused+0x71>
401685: bf 40 25 40 00 mov $0x402540,%edi
40168a: e8 71 f4 ff ff callq 400b00 <puts@plt>
40168f: bf 68 25 40 00 mov $0x402568,%edi
401694: e8 67 f4 ff ff callq 400b00 <puts@plt>
401699: b8 00 00 00 00 mov $0x0,%eax
40169e: e8 1f fc ff ff callq 4012c2 <secret_phase>
得知可以触发隐藏bomb,于是,查找地址 0x40266a 里的字符串,得:
- 接下来,只需要在输phase_4 的答案时 加上 “DrEvil” 即可触发secret bomb。
00000000004012c2 <secret_phase>:
4012c2: 53 push %rbx
4012c3: e8 44 02 00 00 callq 40150c <read_line>
4012c8: ba 0a 00 00 00 mov $0xa,%edx
4012cd: be 00 00 00 00 mov $0x0,%esi
4012d2: 48 89 c7 mov %rax,%rdi
4012d5: e8 e6 f8 ff ff callq 400bc0 <strtol@plt>
4012da: 48 89 c3 mov %rax,%rbx
4012dd: 8d 40 ff lea -0x1(%rax),%eax
4012e0: 3d e8 03 00 00 cmp $0x3e8,%eax
4012e5: 76 05 jbe 4012ec <secret_phase+0x2a>
4012e7: e8 bf 01 00 00 callq 4014ab <explode_bomb>
4012ec: 89 de mov %ebx,%esi
4012ee: bf 10 31 60 00 mov $0x603110,%edi
4012f3: e8 8c ff ff ff callq 401284 <fun7>
4012f8: 83 f8 01 cmp $0x1,%eax
4012fb: 74 05 je 401302 <secret_phase+0x40>
4012fd: e8 a9 01 00 00 callq 4014ab <explode_bomb>
401302: bf e0 24 40 00 mov $0x4024e0,%edi
401307: e8 f4 f7 ff ff callq 400b00 <puts@plt>
40130c: e8 21 03 00 00 callq 401632 <phase_defused>
401311: 5b pop %rbx
401312: c3 retq
0000000000401284 <fun7>:
401284: 48 83 ec 08 sub $0x8,%rsp
401288: 48 85 ff test %rdi,%rdi
40128b: 74 2b je 4012b8 <fun7+0x34>
40128d: 8b 17 mov (%rdi),%edx
40128f: 39 f2 cmp %esi,%edx
401291: 7e 0d jle 4012a0 <fun7+0x1c>
401293: 48 8b 7f 08 mov 0x8(%rdi),%rdi
401297: e8 e8 ff ff ff callq 401284 <fun7>
40129c: 01 c0 add %eax,%eax
40129e: eb 1d jmp 4012bd <fun7+0x39>
4012a0: b8 00 00 00 00 mov $0x0,%eax
4012a5: 39 f2 cmp %esi,%edx
4012a7: 74 14 je 4012bd <fun7+0x39>
4012a9: 48 8b 7f 10 mov 0x10(%rdi),%rdi
4012ad: e8 d2 ff ff ff callq 401284 <fun7>
4012b2: 8d 44 00 01 lea 0x1(%rax,%rax,1),%eax
4012b6: eb 05 jmp 4012bd <fun7+0x39>
4012b8: b8 ff ff ff ff mov $0xffffffff,%eax
4012bd: 48 83 c4 08 add $0x8,%rsp
4012c1: c3 retq
炸弹小菜鸡就先不拆了,老命要紧,还得去赶赶明天要交的作业~