二元炸弹 - 第 2 阶段

Binary bomb - phase 2

嘿,我正在研究如何拆除二元炸弹,目前处于第 2 阶段,正试图弄清楚拆除过程应该是怎样的。我已经添加了关于我认为实际发生的事情的注释,但如果我错了请纠正我,并帮助我理解这段代码是如何工作的。这是 phase_2:

08048763 <phase_2>:
 ; phase_2(input) -- 32-bit x86, AT&T syntax as printed by objdump.
 ; Arguments arrive on the stack and the caller pops them ([ebp+0x8] = input string).
 ; Frame: six dwords at [ebp-0x24]..[ebp-0x10] are used as int a[6];
 ;        [ebp-0xc] is the loop index i.
 ; NOTE: "[=10=]" in this paste is a garbled "$" (AT&T immediate prefix);
 ;       e.g. "sub [=10=]x28,%esp" reads "sub $0x28,%esp" (= "sub esp,0x28" in Intel syntax).
 8048763:   55                      push   %ebp
 8048764:   89 e5                   mov    %esp,%ebp
 8048766:   83 ec 28                sub    [=10=]x28,%esp
 ; push &a[5], &a[4], ..., &a[0] in that order (last sscanf argument is pushed first)
 8048769:   8d 45 dc                lea    -0x24(%ebp),%eax
 804876c:   83 c0 14                add    [=10=]x14,%eax
 804876f:   50                      push   %eax
 8048770:   8d 45 dc                lea    -0x24(%ebp),%eax
 8048773:   83 c0 10                add    [=10=]x10,%eax
 8048776:   50                      push   %eax
 8048777:   8d 45 dc                lea    -0x24(%ebp),%eax
 804877a:   83 c0 0c                add    [=10=]xc,%eax
 804877d:   50                      push   %eax
 804877e:   8d 45 dc                lea    -0x24(%ebp),%eax
 8048781:   83 c0 08                add    [=10=]x8,%eax
 8048784:   50                      push   %eax
 8048785:   8d 45 dc                lea    -0x24(%ebp),%eax
 8048788:   83 c0 04                add    [=10=]x4,%eax
 804878b:   50                      push   %eax
 804878c:   8d 45 dc                lea    -0x24(%ebp),%eax
 804878f:   50                      push   %eax
 ; format string (not shown in this listing; presumably six "%d" -- check the bytes at 0x8049418)
 8048790:   68 18 94 04 08          push   [=10=]x8049418
 ; the string to parse: phase_2's own first argument
 8048795:   ff 75 08                pushl  0x8(%ebp)

 ; sscanf(input, fmt, &a[0], &a[1], &a[2], &a[3], &a[4], &a[5]);
 ; 8 pushes * 4 bytes = 0x20 bytes of arguments, popped right after the call
 8048798:   e8 53 fd ff ff          call   80484f0 <sscanf@plt>
 804879d:   83 c4 20                add    [=10=]x20,%esp
 ; eax is sscanf's RETURN VALUE (number of successful conversions), not the first
 ; number. Only if it is > 5 (all six numbers parsed) do we skip the explode.
 80487a0:   83 f8 05                cmp    [=10=]x5,%eax
 80487a3:   7f 05                   jg     80487aa <phase_2+0x47>
 80487a5:   e8 ad fe ff ff          call   8048657 <explode>
 ; eax = a[0], the FIRST number (lowest slot, [ebp-0x24])
 80487aa:   8b 45 dc                mov    -0x24(%ebp),%eax
 ; a[0] must equal 9, otherwise explode
 80487ad:   83 f8 09                cmp    [=10=]x9,%eax
 80487b0:   74 05                   je     80487b7 <phase_2+0x54>
 80487b2:   e8 a0 fe ff ff          call   8048657 <explode>
 ; i = 1
 80487b7:   c7 45 f4 01 00 00 00    movl   [=10=]x1,-0xc(%ebp)

 ; BEGIN LOOP: for (i = 1; i <= 5; i++) -- enters by jumping to the condition at 80487e2
 80487be:   eb 22                   jmp    80487e2 <phase_2+0x7f>
 ; edx = a[i]   (address = ebp - 0x24 + i*4)
 80487c0:   8b 45 f4                mov    -0xc(%ebp),%eax
 80487c3:   8b 54 85 dc             mov    -0x24(%ebp,%eax,4),%edx
 ; eax = a[i-1]
 80487c7:   8b 45 f4                mov    -0xc(%ebp),%eax
 80487ca:   83 e8 01                sub    [=10=]x1,%eax
 80487cd:   8b 44 85 dc             mov    -0x24(%ebp,%eax,4),%eax
 ; eax = a[i-1] * i   (AT&T "imul src,dst": eax *= [ebp-0xc], and [ebp-0xc] is i)
 80487d1:   0f af 45 f4             imul   -0xc(%ebp),%eax
 ; the check: a[i] must equal a[i-1] * i, otherwise explode
 80487d5:   39 c2                   cmp    %eax,%edx
 80487d7:   74 05                   je     80487de <phase_2+0x7b>
 80487d9:   e8 79 fe ff ff          call   8048657 <explode>
 ; i++
 80487de:   83 45 f4 01             addl   [=10=]x1,-0xc(%ebp)
 ; loop condition: keep going while i <= 5 (signed compare, jle)
 80487e2:   83 7d f4 05             cmpl   [=10=]x5,-0xc(%ebp)
 80487e6:   7e d8                   jle    80487c0 <phase_2+0x5d>
 ; all checks passed: say(msg). The 0xc-byte adjustment plus the 4-byte push
 ; is 16 bytes, which "add $0x10" undoes (presumably to keep esp 16-aligned at the call).
 80487e8:   83 ec 0c                sub    [=10=]xc,%esp
 80487eb:   68 2a 94 04 08          push   [=10=]x804942a
 80487f0:   e8 16 fe ff ff          call   804860b <say>
 80487f5:   83 c4 10                add    [=10=]x10,%esp
 ; leave == mov %ebp,%esp ; pop %ebp
 80487f8:   c9                      leave  
 80487f9:   c3                      ret    

它进入循环,第一个数乘以 1 得到第二个数,第二个数乘以 2 得到第三个数,依此类推,直到 6 个数全部检查完。所以结果是这样的:9 9 18 54 216 1080。我还添加了一些注释:

08048763 <phase_2>:
 ; phase_2(input) -- 32-bit x86, Intel syntax. Arguments are on the stack and the
 ; caller pops them; [ebp+0x8] is the input string.
 ; Frame: [ebp-0x24]..[ebp-0x10] = int a[6]; [ebp-0xc] = loop index i.
 ; set up stack frame (0x28 = 40 bytes of locals)
 8048763:   55                      push   ebp
 8048764:   89 e5                   mov    ebp,esp
 8048766:   83 ec 28                sub    esp,0x28

 ; push &a[5], &a[4], ..., &a[0] -- last sscanf argument first
 8048769:   8d 45 dc                lea    eax,[ebp-0x24]
 804876c:   83 c0 14                add    eax,0x14
 804876f:   50                      push   eax
 8048770:   8d 45 dc                lea    eax,[ebp-0x24]
 8048773:   83 c0 10                add    eax,0x10
 8048776:   50                      push   eax
 8048777:   8d 45 dc                lea    eax,[ebp-0x24]
 804877a:   83 c0 0c                add    eax,0xc
 804877d:   50                      push   eax
 804877e:   8d 45 dc                lea    eax,[ebp-0x24]
 8048781:   83 c0 08                add    eax,0x8
 8048784:   50                      push   eax
 8048785:   8d 45 dc                lea    eax,[ebp-0x24]
 8048788:   83 c0 04                add    eax,0x4
 804878b:   50                      push   eax
 804878c:   8d 45 dc                lea    eax,[ebp-0x24]
 804878f:   50                      push   eax
 ; format string (contents not in this listing; presumably six "%d" -- verify at 0x8049418)
 8048790:   68 18 94 04 08          push   0x8049418
 ; the string to parse: phase_2's first argument
 8048795:   ff 75 08                push   DWORD PTR [ebp+0x8]

 ; sscanf(input, fmt, &a[0], ..., &a[5]); 8 pushes * 4 = 0x20 bytes popped after the call
 8048798:   e8 53 fd ff ff          call   80484f0 <sscanf@plt>
 804879d:   83 c4 20                add    esp,0x20

 ; eax = sscanf's return value = number of conversions that succeeded.
 ; It must be > 5 (all six numbers read), otherwise explode.
 80487a0:   83 f8 05                cmp    eax,0x5
 80487a3:   7f 05                   jg     80487aa <phase_2+0x47>
 80487a5:   e8 ad fe ff ff          call   8048657 <explode>
 ; eax = a[0] (the first number)
 80487aa:   8b 45 dc                mov    eax,DWORD PTR [ebp-0x24]

 ; a[0] must be 9: if it is, goto 80487b7, else explode
 80487ad:   83 f8 09                cmp    eax,0x9
 80487b0:   74 05                   je     80487b7 <phase_2+0x54>
 80487b2:   e8 a0 fe ff ff          call   8048657 <explode>

 ; BEGINNING OF LOOP: for (i = 1; i <= 5; i++)   -- i lives at [ebp-0xc]
 80487b7:   c7 45 f4 01 00 00 00    mov    DWORD PTR [ebp-0xc],0x1 
 ; jump straight to the loop condition (test before the first body run)
 80487be:   eb 22                   jmp    80487e2 <phase_2+0x7f>

 ; edx = a[i]   (eax holds i only as the index; the value loaded is the array element)
 80487c0:   8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]
 80487c3:   8b 54 85 dc             mov    edx,DWORD PTR [ebp+eax*4-0x24]

 ; eax = a[i-1]
 80487c7:   8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]
 80487ca:   83 e8 01                sub    eax,0x1
 80487cd:   8b 44 85 dc             mov    eax,DWORD PTR [ebp+eax*4-0x24]

 ; eax = a[i-1] * i   (multiplied by the counter itself, not counter-1)
 80487d1:   0f af 45 f4             imul   eax,DWORD PTR [ebp-0xc]

 ; require a[i] == a[i-1] * i; goto 80487de if equal, else explode
 80487d5:   39 c2                   cmp    edx,eax
 80487d7:   74 05                   je     80487de <phase_2+0x7b>
 80487d9:   e8 79 fe ff ff          call   8048657 <explode>

 ; i++
 80487de:   83 45 f4 01             add    DWORD PTR [ebp-0xc],0x1

 ; loop condition: jump back to the body while i <= 5 (signed compare)
 80487e2:   83 7d f4 05             cmp    DWORD PTR [ebp-0xc],0x5
 80487e6:   7e d8                   jle    80487c0 <phase_2+0x5d>
 ; 0xc bytes of padding + the 4-byte push below = 16, undone by "add esp,0x10"
 80487e8:   83 ec 0c                sub    esp,0xc

 ; Push defuse message and call "say", then leave (mov esp,ebp ; pop ebp) and return
 80487eb:   68 2a 94 04 08          push   0x804942a
 80487f0:   e8 16 fe ff ff          call   804860b <say>
 80487f5:   83 c4 10                add    esp,0x10
 80487f8:   c9                      leave  
 80487f9:   c3                      ret