原来还有隐藏关
phase_defused
Dump of assembler code for function phase_defused:
0x08048f62 <+ 0 >: push %ebp
0x08048f63 <+ 1 >: mov %esp,%ebp
0x08048f65 <+ 3 >: push %ebx
0x08048f66 <+ 4 >: sub $0x74,%esp
0x08048f69 <+ 7 >: mov % gs: 0x14,%eax
0x08048f6f <+ 13 >: mov %eax,-0x8(%ebp)
0x08048f72 <+ 16 >: xor %eax,%eax
0x08048f74 <+ 18 >: cmpl $0x6,0x804a82c
0x08048f7b <+ 25 >: jne 0x8048fe1 <phase_defused+ 127 >
0x08048f7d <+ 27 >: lea -0x58(%ebp),%ebx
0x08048f80 <+ 30 >: mov %ebx,0xc(%esp)
0x08048f84 <+ 34 >: lea -0x5c(%ebp),%eax
0x08048f87 <+ 37 >: mov %eax,0x8(%esp)
0x08048f8b <+ 41 >: movl $0x804986c,0x4(%esp)
0x08048f93 <+ 49 >: movl $0x804a930,(%esp)
0x08048f9a <+ 56 >: call 0x8048960 <sscanf@plt>
0x08048f9f <+ 61 >: cmp $0x2,%eax
0x08048fa2 <+ 64 >: jne 0x8048fd5 <phase_defused+ 115 >
0x08048fa4 <+ 66 >: movl $0x8049872,0x4(%esp)
0x08048fac <+ 74 >: mov %ebx,(%esp)
0x08048faf <+ 77 >: call 0x8048f00 <strings_not_equal>
0x08048fb4 <+ 82 >: test %eax,%eax
0x08048fb6 <+ 84 >: jne 0x8048fd5 <phase_defused+ 115 >
0x08048fb8 <+ 86 >: movl $0x8049cbc,(%esp)
0x08048fbf <+ 93 >: call 0x8048950 <puts@plt>
0x08048fc4 <+ 98 >: movl $0x8049ce4,(%esp)
0x08048fcb <+ 105 >: call 0x8048950 <puts@plt>
0x08048fd0 <+ 110 >: call 0x8048c52 <secret_phase>
0x08048fd5 <+ 115 >: movl $0x8049d1c,(%esp)
0x08048fdc <+ 122 >: call 0x8048950 <puts@plt>
0x08048fe1 <+ 127 >: mov -0x8(%ebp),%eax
0x08048fe4 <+ 130 >: xor % gs: 0x14,%eax
0x08048feb <+ 137 >: je 0x8048ff2 <phase_defused+ 144 >
0x08048fed <+ 139 >: call 0x8048920 <__stack_chk_fail@plt>
0x08048ff2 <+ 144 >: add $0x74,%esp
0x08048ff5 <+ 147 >: pop %ebx
0x08048ff6 <+ 148 >: pop %ebp
---Type <return> to continue, or q <return> to quit---
0x08048ff7 <+ 149 >: ret
End of assembler dump.
(gdb) x /s 0x8049872
0x8049872: "austinpowers"
(gdb) x /s 0x804986c
0x804986c: "%d %s"
0x804a930 即input变量地址
可见,input可以为 "%d %s"格式,当数字+austinpowers时开启隐藏关卡。
0x08048f74 <+18>: cmpl $0x6,0x804a82c
这行则表明在第6关以后才能进入隐藏关卡
secret_phase
Dump of assembler code for function secret_phase:
0x08048c52 <+ 0 >: push %ebp
0x08048c53 <+ 1 >: mov %esp,%ebp
0x08048c55 <+ 3 >: push %ebx
0x08048c56 <+ 4 >: sub $0x14,%esp
0x08048c59 <+ 7 >: call 0x8049361 <read_line>
0x08048c5e <+ 12 >: movl $0xa,0x8(%esp)
0x08048c66 <+ 20 >: movl $0x0,0x4(%esp)
0x08048c6e <+ 28 >: mov %eax,(%esp)
0x08048c71 <+ 31 >: call 0x8048840 <strtol@plt>
0x08048c76 <+ 36 >: mov %eax,%ebx
0x08048c78 <+ 38 >: lea -0x1(%eax),%eax
0x08048c7b <+ 41 >: cmp $0x3e8,%eax
0x08048c80 <+ 46 >: jbe 0x8048c87 <secret_phase+ 53 >
0x08048c82 <+ 48 >: call 0x8048ff8 <explode_bomb>
0x08048c87 <+ 53 >: mov %ebx,0x4(%esp)
0x08048c8b <+ 57 >: movl $0x804a6b4,(%esp)
0x08048c92 <+ 64 >: call 0x8048c01 <fun7>
0x08048c97 <+ 69 >: cmp $0x7,%eax
0x08048c9a <+ 72 >: je 0x8048ca1 <secret_phase+ 79 >
0x08048c9c <+ 74 >: call 0x8048ff8 <explode_bomb>
0x08048ca1 <+ 79 >: movl $0x80497dc,(%esp)
0x08048ca8 <+ 86 >: call 0x8048950 <puts@plt>
0x08048cad <+ 91 >: call 0x8048f62 <phase_defused>
0x08048cb2 <+ 96 >: add $0x14,%esp
0x08048cb5 <+ 99 >: pop %ebx
0x08048cb6 <+ 100 >: pop %ebp
0x08048cb7 <+ 101 >: ret
End of assembler dump.
(gdb)
secret 读入input,并使用strtol将其转承long int形,并作为fun7的参数
当fun7返回0x7是,通关。
Dump of assembler code for function fun7:
0x08048c01 <+ 0 >: push %ebp
0x08048c02 <+ 1 >: mov %esp,%ebp
0x08048c04 <+ 3 >: push %ebx
0x08048c05 <+ 4 >: sub $0x8,%esp
0x08048c08 <+ 7 >: mov 0x8(%ebp),%ebx
0x08048c0b <+ 10 >: mov 0xc(%ebp),%ecx
0x08048c0e <+ 13 >: mov $0xffffffff,%eax
0x08048c13 <+ 18 >: test %ebx,%ebx
0x08048c15 <+ 20 >: je 0x8048c4c <fun7+ 75 >
0x08048c17 <+ 22 >: mov (%ebx),%edx
0x08048c19 <+ 24 >: cmp %ecx,%edx
0x08048c1b <+ 26 >: jle 0x8048c30 <fun7+ 47 >
0x08048c1d <+ 28 >: mov %ecx,0x4(%esp)
0x08048c21 <+ 32 >: mov 0x4(%ebx),%eax
0x08048c24 <+ 35 >: mov %eax,(%esp)
0x08048c27 <+ 38 >: call 0x8048c01 <fun7>
0x08048c2c <+ 43 >: add %eax,%eax
0x08048c2e <+ 45 >: jmp 0x8048c4c <fun7+ 75 >
0x08048c30 <+ 47 >: mov $0x0,%eax
0x08048c35 <+ 52 >: cmp %ecx,%edx
0x08048c37 <+ 54 >: je 0x8048c4c <fun7+ 75 >
0x08048c39 <+ 56 >: mov %ecx,0x4(%esp)
0x08048c3d <+ 60 >: mov 0x8(%ebx),%eax
0x08048c40 <+ 63 >: mov %eax,(%esp)
0x08048c43 <+ 66 >: call 0x8048c01 <fun7>
0x08048c48 <+ 71 >: lea 0x1(%eax,%eax, 1 ),%eax
0x08048c4c <+ 75 >: add $0x8,%esp
0x08048c4f <+ 78 >: pop %ebx
0x08048c50 <+ 79 >: pop %ebp
0x08048c51 <+ 80 >: ret
参数为void* x, int y
根据x查找y.
int eax = - 1 ;
if ( * x <= y) {
eax = 0 ;
if ( * x == y) {
return eax;
}
else {
eax = fun7( * (x + 8 ), y);
eax += (eax + 1 );
return eax;
}
}
esle{
eax = fun7( * (x + 4 ), y);
eax += eax;
return eax;
}
}
可以看出,fun7是一个二叉查找函数,x的数据结构类似于
struct node {
int value;
struct node *lt;
struct node *gt;
};
我们希望 fun7返回 7, 7/2 == 3...1, 3/2 = 1...1, 1/2 = 0...1,
7, 3, 1, 0...是fun7的返回顺序,gt,gt,gt
(gdb) display *(int*)(*(int*)(*(int*)(*(int *)($ebx+8)+8)+8))
15: *(int*)(*(int*)(*(int*)(*(int *)($ebx+8)+8)+8)) = 1001