
assembly - Binary Bomb phase 3 stuck

Problem description:

I am honestly very confused on this, due to my bomb phase 3 not looking like any of my classmates' or the example given to me by my professor. Any help would be greatly appreciated. I have a copy of my recent terminal for use and I'll put the

I have been trying my hand at this for the better part of 5 hours. I've gotten far enough to know that %d %d is the layout requested, and that it's asking for 2 numbers, with, I believe, one of them being negative, due to the comparison statement and jg here:

0x08048fbb <+39>: cmp $0x1,%eax
0x08048fbe <+42>: jg 0x8048fc5 <phase_3+49>

Also that it's calling for another comparison of the same value, which I think is the first, here:

0x08048fc5 <+49>: cmpl $0x7,-0xc(%ebp)
0x08048fc9 <+53>: ja 0x8049032 <phase_3+158>

What is throwing me off is all the add and subtract right off the bat, and in general all the adding and subtracting that is crammed into the bottom.

Where would I find the values that actually work with these statements at the end, or should I just add up the numbers I see? At this point I don't even know if it's staring me in the face. All the comparisons are as follows:

0x08048fbb <+39>: cmp $0x1,%eax
0x08048fbe <+42>: jg 0x8048fc5
0x08048fc5 <+49>: cmpl $0x7,-0xc(%ebp)
0x08048fc9 <+53>: ja 0x8049032 <phase_3+158>
0x0804903c <+168>: cmpl $0x5,-0xc(%ebp)
0x08049040 <+172>: jg 0x8049047 <phase_3+179>

But it's all mush at the moment; I need a new set of eyes on this problem. If it's out there, any help would be greatly appreciated.

That's number 2. Keep going!
0 1

Breakpoint 1, 0x08048f9a in phase_3 ()
(gdb) disas
Dump of assembler code for function phase_3:
0x08048f94 <+0>: push %ebp
0x08048f95 <+1>: mov %esp,%ebp
0x08048f97 <+3>: sub $0x28,%esp
=> 0x08048f9a <+6>: lea -0x10(%ebp),%eax
0x08048f9d <+9>: mov %eax,0xc(%esp)
0x08048fa1 <+13>: lea -0xc(%ebp),%eax
0x08048fa4 <+16>: mov %eax,0x8(%esp)
0x08048fa8 <+20>: movl $0x804a58c,0x4(%esp)
0x08048fb0 <+28>: mov 0x8(%ebp),%eax
0x08048fb3 <+31>: mov %eax,(%esp)
0x08048fb6 <+34>: call 0x8048894 <sscanf@plt>
0x08048fbb <+39>: cmp $0x1,%eax
0x08048fbe <+42>: jg 0x8048fc5 <phase_3+49>
0x08048fc0 <+44>: call 0x8049321 <explode_bomb>
0x08048fc5 <+49>: cmpl $0x7,-0xc(%ebp)
0x08048fc9 <+53>: ja 0x8049032 <phase_3+158>
0x08048fcb <+55>: mov -0xc(%ebp),%eax
0x08048fce <+58>: xchg %ax,%ax
0x08048fd0 <+60>: jmp *0x804a4c0(,%eax,4)
0x08048fd7 <+67>: mov $0x0,%eax
0x08048fdc <+72>: lea 0x0(%esi,%eiz,1),%esi
0x08048fe0 <+76>: jmp 0x804902d <phase_3+153>
0x08048fe2 <+78>: mov $0x0,%eax
0x08048fe7 <+83>: jmp 0x804902a <phase_3+150>
0x08048fe9 <+85>: mov $0x0,%eax
0x08048fee <+90>: xchg %ax,%ax
0x08048ff0 <+92>: jmp 0x8049027 <phase_3+147>
0x08048ff2 <+94>: mov $0x0,%eax
0x08048ff7 <+99>: jmp 0x8049024 <phase_3+144>
0x08048ff9 <+101>: mov $0x0,%eax
0x08048ffe <+106>: xchg %ax,%ax
0x08049000 <+108>: jmp 0x8049021 <phase_3+141>
0x08049002 <+110>: mov $0x0,%eax
0x08049007 <+115>: jmp 0x804901c <phase_3+136>
0x08049009 <+117>: mov $0x30d,%eax
0x0804900e <+122>: xchg %ax,%ax
0x08049010 <+124>: jmp 0x8049017 <phase_3+131>
0x08049012 <+126>: mov $0x0,%eax
0x08049017 <+131>: sub $0x264,%eax
0x0804901c <+136>: add $0x3b8,%eax
0x08049021 <+141>: sub $0x49,%eax
0x08049024 <+144>: add $0x49,%eax
0x08049027 <+147>: sub $0x49,%eax
0x0804902a <+150>: add $0x49,%eax
0x0804902d <+153>: sub $0x49,%eax
0x08049030 <+156>: jmp 0x804903c <phase_3+168>
0x08049032 <+158>: call 0x8049321 <explode_bomb>
0x08049037 <+163>: mov $0x0,%eax
0x0804903c <+168>: cmpl $0x5,-0xc(%ebp)
0x08049040 <+172>: jg 0x8049047 <phase_3+179>
0x08049042 <+174>: cmp -0x10(%ebp),%eax
0x08049045 <+177>: je 0x804904c <phase_3+184>
0x08049047 <+179>: call 0x8049321 <explode_bomb>
0x0804904c <+184>: leave
0x0804904d <+185>: lea 0x0(%esi),%esi
0x08049050 <+188>: ret
End of assembler dump.
(gdb)

Answer:

The first comparison you have mentioned (the one at +39) is comparing %eax, which holds the return value from sscanf. As such, it's just testing how many arguments could be converted. This code requires 2, thus that code is doing if (sscanf() > 1) goto ok; explode_bomb();

The comparison at +49 is checking the first number, it does if ((unsigned)x > 7) explode_bomb(); I hope that's obvious.

Next, at +60, you have the single most important instruction in this piece of code: jmp *0x804a4c0(,%eax,4). That is a jump through a jump table. It will take you to different locations depending on the value in %eax, which at that point is holding your first input. We know the input is between 0 and 7, so you have 8 entries in that table. You should be able to examine them with x/8a 0x804a4c0. It's a fair guess that they are various addresses in the following code block and the flow rejoins at +163. This pattern is commonly used by compilers to implement a switch statement.

Line +168 further restricts the first number to between 0 and 5, and line +174 compares the second number to the current value of %eax and explodes the bomb on mismatch. What this tells us is that the valid inputs form 6 pairs. We can pick an arbitrary first number, follow through the jump table, see what value will be placed in %eax, and input that as the second number.
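The procedure in the answer (follow each switch case into the add/sub chain and read off the final %eax) can be carried out offline by re-expressing the disassembly as C. The block below is an added example, not the bomb's source or the answerer's code: the eight landing blocks (+67 through +126) and the arithmetic chain (+131 through +153) are transcribed from the dump in the question, so the per-block values are exact. What the page does not show is the contents of the jump table at 0x804a4c0, so the mapping from first number to landing block is a hypothetical identity table and must be replaced with what x/8a 0x804a4c0 prints in gdb.

```c
/* Added example: C model of phase_3 recovered from the disassembly in the
 * question. Not the bomb's source; it reproduces the control flow so the
 * valid (first, second) pairs can be enumerated without running the bomb. */
#include <stdio.h>
#include <stdbool.h>

/* Arithmetic chain at +131..+153, in address order. Every landing block
 * jumps into this chain at some step and then runs it to the end. */
static const int chain[] = { -0x264, +0x3b8, -0x49, +0x49, -0x49, +0x49, -0x49 };
#define CHAIN_LEN ((int)(sizeof chain / sizeof chain[0]))

/* One switch landing block: the value loaded into %eax and the index of
 * the first chain step it executes. Listed in address order, +67..+126. */
struct landing { int eax; int first_step; };
static const struct landing blocks[8] = {
    { 0x000, 6 },  /* +67:  mov $0,%eax     ; jmp +153 */
    { 0x000, 5 },  /* +78:  mov $0,%eax     ; jmp +150 */
    { 0x000, 4 },  /* +85:  mov $0,%eax     ; jmp +147 */
    { 0x000, 3 },  /* +94:  mov $0,%eax     ; jmp +144 */
    { 0x000, 2 },  /* +101: mov $0,%eax     ; jmp +141 */
    { 0x000, 1 },  /* +110: mov $0,%eax     ; jmp +136 */
    { 0x30d, 0 },  /* +117: mov $0x30d,%eax ; jmp +131 */
    { 0x000, 0 },  /* +126: mov $0,%eax     ; falls through into +131 */
};

/* ASSUMPTION: the jump table at 0x804a4c0 is not shown on the page. This
 * hypothetical table sends case N to the N-th landing block in address
 * order; replace it with the addresses `x/8a 0x804a4c0` shows in gdb. */
static const int jump_table[8] = { 0, 1, 2, 3, 4, 5, 6, 7 };

/* Final %eax produced when the switch lands on block b (0..7). */
int landing_value(int b)
{
    int eax = blocks[b].eax;
    for (int i = blocks[b].first_step; i < CHAIN_LEN; i++)
        eax += chain[i];
    return eax;
}

/* The second number that pairs with `first` under the assumed table.
 * Callers must have already range-checked `first` (0..7). */
int expected_second(int first)
{
    return landing_value(jump_table[first]);
}

/* Mirrors the checks at +49, +60, +168 and +174 (the sscanf count check
 * at +39 is assumed to have passed). Returns true if the bomb would not
 * explode for this pair. */
bool phase3_accepts(int first, int second)
{
    if ((unsigned)first > 7)          /* cmpl $0x7 / ja  -> explode_bomb */
        return false;
    int eax = expected_second(first); /* jmp *0x804a4c0(,%eax,4) + chain */
    if (first > 5)                    /* cmpl $0x5 / jg  -> explode_bomb */
        return false;
    return eax == second;             /* cmp -0x10(%ebp),%eax / je       */
}

int main(void)
{
    /* Print the six candidate pairs; the first column is fixed by the
     * +168 check, the second depends on the (assumed) jump table. */
    for (int first = 0; first <= 5; first++)
        printf("%d %d\n", first, expected_second(first));
    return 0;
}
```

Reading the chain from the dump, the eight landing blocks produce -73, 0, -73, 0, -73, 879, 1048 and 267 in address order, so at most eight distinct answers exist before the table is consulted; the negative value the asker suspected is indeed among them. Once x/8a 0x804a4c0 is known, edit jump_table to match and the printed pairs become the real ones.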
