实验因为根据学号生成,和同学的都不一样,只能独立完成,不过很多大佬的博客提供的思路还是非常有参考价值的。
phase1
08048b69 <phase1>:
8048b69: 55 push %ebp
8048b6a: 89 e5 mov %esp,%ebp
8048b6c: 83 ec 10 sub $0x10,%esp
8048b6f: 68 e4 9f 04 08 push $0x8049fe4
8048b74: ff 75 08 pushl 0x8(%ebp)
8048b77: e8 c5 04 00 00 call 8049041 <stringsnotequal>
8048b7c: 83 c4 10 add $0x10,%esp
8048b7f: 85 c0 test %eax,%eax
8048b81: 75 02 jne 8048b85 <phase1+0x1c>
8048b83: c9 leave
8048b84: c3 ret
8048b85: e8 b8 05 00 00 call 8049142 <explodebomb>
8048b8a: eb f7 jmp 8048b83 <phase1+0x1a>
根据查看反汇编代码可得%eax中存储的是输入的字符串,
可得和用户输入字符串比较的字符串的存储地址0x8049fe4,可用gdb查看这个地址存储的数据内容(gdb) x/s 0x8049fe4
可得结果:Crikey! I have lost my mojo!
phase2:
08048b8c <phase2>:
8048b8c: 55 push %ebp
8048b8d: 89 e5 mov %esp,%ebp
8048b8f: 56 push %esi
8048b90: 53 push %ebx
8048b91: 83 ec 28 sub $0x28,%esp
8048b94: 8d 45 e0 lea -0x20(%ebp),%eax
8048b97: 50 push %eax
8048b98: ff 75 08 pushl 0x8(%ebp)
8048b9b: e8 ca 05 00 00 call 804916a <readsixnumbers>
8048ba0: 83 c4 10 add $0x10,%esp
8048ba3: 83 7d e0 00 cmpl $0x0,-0x20(%ebp)
8048ba7: 75 06 jne 8048baf <phase2+0x23>
8048ba9: 83 7d e4 01 cmpl $0x1,-0x1c(%ebp)
8048bad: 74 05 je 8048bb4 <phase2+0x28>
8048baf: e8 8e 05 00 00 call 8049142 <explodebomb>
8048bb4: 8d 5d e0 lea -0x20(%ebp),%ebx
8048bb7: 8d 75 f0 lea -0x10(%ebp),%esi
8048bba: eb 07 jmp 8048bc3 <phase2+0x37>
8048bbc: 83 c3 04 add $0x4,%ebx
8048bbf: 39 f3 cmp %esi,%ebx
8048bc1: 74 11 je 8048bd4 <phase2+0x48>
8048bc3: 8b 43 04 mov 0x4(%ebx),%eax
8048bc6: 03 03 add (%ebx),%eax
8048bc8: 39 43 08 cmp %eax,0x8(%ebx)
8048bcb: 74 ef je 8048bbc <phase2+0x30>
8048bcd: e8 70 05 00 00 call 8049142 <explodebomb>
8048bd2: eb e8 jmp 8048bbc <phase2+0x30>
8048bd4: 8d 65 f8 lea -0x8(%ebp),%esp
8048bd7: 5b pop %ebx
8048bd8: 5e pop %esi
8048bd9: 5d pop %ebp
8048bda: c3 ret
根据调用函数readsixnumbers,查看该函数汇编代码,可得结果为6个数,根据cmpl $0x0,-0x20(%ebp)可知第一个数为0,同理根据cmpl $0x1,-0x1c(%ebp)可得第二个数为1,后面的汇编代码可以看出是一个循环,后一个数为前两个数之和,即斐波那契数列
可得结果:0 1 1 2 3 5
phase3
08048bdb <phase3>:
8048bdb: 55 push %ebp
8048bdc: 89 e5 mov %esp,%ebp
8048bde: 83 ec 24 sub $0x24,%esp
8048be1: 8d 45 f0 lea -0x10(%ebp),%eax
8048be4: 50 push %eax
8048be5: 8d 45 ef lea -0x11(%ebp),%eax
8048be8: 50 push %eax
8048be9: 8d 45 f4 lea -0xc(%ebp),%eax
8048bec: 50 push %eax
8048bed: 68 01 a0 04 08 push $0x804a001
8048bf2: ff 75 08 pushl 0x8(%ebp)
8048bf5: e8 66 fc ff ff call 8048860 <_isoc99sscanf@plt>
8048bfa: 83 c4 20 add $0x20,%esp
8048bfd: 83 f8 02 cmp $0x2,%eax
8048c00: 7e 14 jle 8048c16 <phase3+0x3b>
8048c02: 83 7d f4 07 cmpl $0x7,-0xc(%ebp)
8048c06: 0f 87 f0 00 00 00 ja 8048cfc <phase3+0x121>
8048c0c: 8b 45 f4 mov -0xc(%ebp),%eax
8048c0f: ff 24 85 20 a0 04 08 jmp *0x804a020(,%eax,4)
8048c16: e8 27 05 00 00 call 8049142 <explodebomb>
8048c1b: eb e5 jmp 8048c02 <phase3+0x27>
8048c1d: b8 74 00 00 00 mov $0x74,%eax
8048c22: 81 7d f0 fb 01 00 00 cmpl $0x1fb,-0x10(%ebp)
8048c29: 0f 84 d7 00 00 00 je 8048d06 <phase3+0x12b>
8048c2f: e8 0e 05 00 00 call 8049142 <explodebomb>
8048c34: b8 74 00 00 00 mov $0x74,%eax
8048c39: e9 c8 00 00 00 jmp 8048d06 <phase3+0x12b>
8048c3e: b8 6d 00 00 00 mov $0x6d,%eax
8048c43: 81 7d f0 76 02 00 00 cmpl $0x276,-0x10(%ebp)
8048c4a: 0f 84 b6 00 00 00 je 8048d06 <phase3+0x12b>
8048c50: e8 ed 04 00 00 call 8049142 <explodebomb>
8048c55: b8 6d 00 00 00 mov $0x6d,%eax
8048c5a: e9 a7 00 00 00 jmp 8048d06 <phase3+0x12b>
8048c5f: b8 6e 00 00 00 mov $0x6e,%eax
8048c64: 81 7d f0 48 02 00 00 cmpl $0x248,-0x10(%ebp)
8048c6b: 0f 84 95 00 00 00 je 8048d06 <phase3+0x12b>
8048c71: e8 cc 04 00 00 call 8049142 <explodebomb>
8048c76: b8 6e 00 00 00 mov $0x6e,%eax
8048c7b: e9 86 00 00 00 jmp 8048d06 <phase3+0x12b>
8048c80: b8 6e 00 00 00 mov $0x6e,%eax
8048c85: 81 7d f0 44 03 00 00 cmpl $0x344,-0x10(%ebp)
8048c8c: 74 78 je 8048d06 <phase3+0x12b>
8048c8e: e8 af 04 00 00 call 8049142 <explodebomb>
8048c93: b8 6e 00 00 00 mov $0x6e,%eax
8048c98: eb 6c jmp 8048d06 <phase3+0x12b>
8048c9a: b8 6e 00 00 00 mov $0x6e,%eax
8048c9f: 83 7d f0 58 cmpl $0x58,-0x10(%ebp)
8048ca3: 74 61 je 8048d06 <phase3+0x12b>
8048ca5: e8 98 04 00 00 call 8049142 <explodebomb>
8048caa: b8 6e 00 00 00 mov $0x6e,%eax
8048caf: eb 55 jmp 8048d06 <phase3+0x12b>
8048cb1: b8 69 00 00 00 mov $0x69,%eax
8048cb6: 81 7d f0 53 02 00 00 cmpl $0x253,-0x10(%ebp)
8048cbd: 74 47 je 8048d06 <phase3+0x12b>
8048cbf: e8 7e 04 00 00 call 8049142 <explodebomb>
8048cc4: b8 69 00 00 00 mov $0x69,%eax
8048cc9: eb 3b jmp 8048d06 <phase3+0x12b>
8048ccb: b8 6d 00 00 00 mov $0x6d,%eax
8048cd0: 83 7d f0 52 cmpl $0x52,-0x10(%ebp)
8048cd4: 74 30 je 8048d06 <phase3+0x12b>
8048cd6: e8 67 04 00 00 call 8049142 <explodebomb>
8048cdb: b8 6d 00 00 00 mov $0x6d,%eax
8048ce0: eb 24 jmp 8048d06 <phase3+0x12b>
8048ce2: b8 75 00 00 00 mov $0x75,%eax
8048ce7: 81 7d f0 21 01 00 00 cmpl $0x121,-0x10(%ebp)
8048cee: 74 16 je 8048d06 <phase3+0x12b>
8048cf0: e8 4d 04 00 00 call 8049142 <explodebomb>
8048cf5: b8 75 00 00 00 mov $0x75,%eax
8048cfa: eb 0a jmp 8048d06 <phase3+0x12b>
8048cfc: e8 41 04 00 00 call 8049142 <explodebomb>
8048d01: b8 69 00 00 00 mov $0x69,%eax
8048d06: 38 45 ef cmp %al,-0x11(%ebp)
8048d09: 74 05 je 8048d10 <phase3+0x135>
8048d0b: e8 32 04 00 00 call 8049142 <explodebomb>
8048d10: c9 leave
8048d11: c3 ret
根据push $0x804a001用此行代码查看输入内容:(gdb) x/s 0x804a001,可得0x804a001: “%d %c %d”,所以输入的依次是数字,字符,数字。根据cmpl $0x7,-0xc(%ebp),可得输入的第一个数小于7.假设第一个数为0,输入代码:(gdb) p/x *0x804a001,可得下一条指令地址为8048c1d,对应汇编指令为mov $0x74,所以第二个ascll码为0x74,即字符’t’,下一条汇编语句为%eax cmpl $0x1fb,-0x10(%ebp),所以第三个数为0x1fb,即507
可得结果:0 t 507
phase4:
08048d5d <phase4>:
8048d5d: 55 push %ebp
8048d5e: 89 e5 mov %esp,%ebp
8048d60: 83 ec 18 sub $0x18,%esp
8048d63: 8d 45 f4 lea -0xc(%ebp),%eax
8048d66: 50 push %eax
8048d67: 8d 45 f0 lea -0x10(%ebp),%eax
8048d6a: 50 push %eax
8048d6b: 68 b7 a1 04 08 push $0x804a1b7
8048d70: ff 75 08 pushl 0x8(%ebp)
8048d73: e8 e8 fa ff ff call 8048860 <_isoc99sscanf@plt>
8048d78: 83 c4 10 add $0x10,%esp
8048d7b: 83 f8 02 cmp $0x2,%eax
8048d7e: 75 0b jne 8048d8b <phase4+0x2e>
8048d80: 8b 45 f4 mov -0xc(%ebp),%eax
8048d83: 83 e8 02 sub $0x2,%eax
8048d86: 83 f8 02 cmp $0x2,%eax
8048d89: 76 05 jbe 8048d90 <phase4+0x33>
8048d8b: e8 b2 03 00 00 call 8049142 <explodebomb>
8048d90: 83 ec 08 sub $0x8,%esp
8048d93: ff 75 f4 pushl -0xc(%ebp)
8048d96: 6a 08 push $0x8
8048d98: e8 75 ff ff ff call 8048d12 <func4>
8048d9d: 83 c4 10 add $0x10,%esp
8048da0: 39 45 f0 cmp %eax,-0x10(%ebp)
8048da3: 74 05 je 8048daa <phase4+0x4d>
8048da5: e8 98 03 00 00 call 8049142 <explodebomb>
8048daa: c9 leave
8048dab: c3 ret
根据push $0x804a1b7用此行代码:(gdb) x/2s 0x804a1b7,可得0x804a1b7: “%d %d”,再根据
8048d83: 83 e8 02 sub $0x2,%eax
8048d86: 83 f8 02 cmp $0x2,%eax
8048d89: 76 05 jbe 8048d90 <phase4+0x33>
8048d8b: e8 b2 03 00 00 call 8049142
可得第二个数应该为2,3,4中的一个,对于cmp $0x2,%eax用ni和info reg指令进行查看,得到eax为3,所以第二个数为3,同理对cmp %eax,-0x10(%ebp)的操作利用ni和info reg指令查看,得到eax为162,所以第一个数为162
可得结果:3 162
phase5:
08048dac <phase5>:
8048dac: 55 push %ebp
8048dad: 89 e5 mov %esp,%ebp
8048daf: 83 ec 18 sub $0x18,%esp
8048db2: 8d 45 f0 lea -0x10(%ebp),%eax
8048db5: 50 push %eax
8048db6: 8d 45 f4 lea -0xc(%ebp),%eax
8048db9: 50 push %eax
8048dba: 68 b7 a1 04 08 push $0x804a1b7
8048dbf: ff 75 08 pushl 0x8(%ebp)
8048dc2: e8 99 fa ff ff call 8048860 <_isoc99sscanf@plt>
8048dc7: 83 c4 10 add $0x10,%esp
8048dca: 83 f8 01 cmp $0x1,%eax
8048dcd: 7e 41 jle 8048e10 <phase5+0x64>
8048dcf: 8b 45 f4 mov -0xc(%ebp),%eax
8048dd2: 83 e0 0f and $0xf,%eax
8048dd5: 89 45 f4 mov %eax,-0xc(%ebp)
8048dd8: 83 f8 0f cmp $0xf,%eax
8048ddb: 74 2c je 8048e09 <phase5+0x5d>
8048ddd: b9 00 00 00 00 mov $0x0,%ecx
8048de2: ba 00 00 00 00 mov $0x0,%edx
8048de7: 83 c2 01 add $0x1,%edx
8048dea: 8b 04 85 40 a0 04 08 mov 0x804a040(,%eax,4),%eax
8048df1: 01 c1 add %eax,%ecx
8048df3: 83 f8 0f cmp $0xf,%eax
8048df6: 75 ef jne 8048de7 <phase5+0x3b>
8048df8: c7 45 f4 0f 00 00 00 movl $0xf,-0xc(%ebp)
8048dff: 83 fa 0f cmp $0xf,%edx
8048e02: 75 05 jne 8048e09 <phase5+0x5d>
8048e04: 39 4d f0 cmp %ecx,-0x10(%ebp)
8048e07: 74 05 je 8048e0e <phase5+0x62>
8048e09: e8 34 03 00 00 call 8049142 <explodebomb>
8048e0e: c9 leave
8048e0f: c3 ret
8048e10: e8 2d 03 00 00 call 8049142 <explodebomb>
8048e15: eb b8 jmp 8048dcf <phase5+0x23>
和上一个实验同理可得输入两个数,根据cmp $0xf,%eax,可得有一个数与0xf进行相与的操作,再根据后面的判断可得输入的数据低四位的值不能是0xf,查看汇编语句可知进行了循环,循环结束后对%edx进行了一次判断,若不等于0xf就爆炸且输入的第二个数与寄存器%ecx的值若不相等也会爆炸,所以第二个数的值等于当前ecx中的值,对循环进行具体分析可得循环进行了15次,循环退出的条件为eax=0xf,eax的初值为15,即输入的第一个数的最低四位的值为5,ecx的值为eax后面14次变化过程中所有数值的和,即115.
可得结果: 21 115
phase6:
08048e17 <phase6>:
8048e17: 55 push %ebp
8048e18: 89 e5 mov %esp,%ebp
8048e1a: 56 push %esi
8048e1b: 53 push %ebx
8048e1c: 83 ec 38 sub $0x38,%esp
8048e1f: 8d 45 e0 lea -0x20(%ebp),%eax
8048e22: 50 push %eax
8048e23: ff 75 08 pushl 0x8(%ebp)
8048e26: e8 3f 03 00 00 call 804916a <readsixnumbers>
8048e2b: 83 c4 10 add $0x10,%esp
8048e2e: be 00 00 00 00 mov $0x0,%esi
8048e33: 8b 44 b5 e0 mov -0x20(%ebp,%esi,4),%eax
8048e37: 83 e8 01 sub $0x1,%eax
8048e3a: 83 f8 05 cmp $0x5,%eax
8048e3d: 77 0c ja 8048e4b <phase6+0x34>
8048e3f: 83 c6 01 add $0x1,%esi
8048e42: 83 fe 06 cmp $0x6,%esi
8048e45: 74 51 je 8048e98 <phase6+0x81>
8048e47: 89 f3 mov %esi,%ebx
8048e49: eb 0f jmp 8048e5a <phase6+0x43>
8048e4b: e8 f2 02 00 00 call 8049142 <explodebomb>
8048e50: eb ed jmp 8048e3f <phase6+0x28>
8048e52: 83 c3 01 add $0x1,%ebx
8048e55: 83 fb 05 cmp $0x5,%ebx
8048e58: 7f d9 jg 8048e33 <phase6+0x1c>
8048e5a: 8b 44 9d e0 mov -0x20(%ebp,%ebx,4),%eax
8048e5e: 39 44 b5 dc cmp %eax,-0x24(%ebp,%esi,4)
8048e62: 75 ee jne 8048e52 <phase6+0x3b>
8048e64: e8 d9 02 00 00 call 8049142 <explodebomb>
8048e69: eb e7 jmp 8048e52 <phase6+0x3b>
8048e6b: 8b 52 08 mov 0x8(%edx),%edx
8048e6e: 83 c0 01 add $0x1,%eax
8048e71: 39 c8 cmp %ecx,%eax
8048e73: 75 f6 jne 8048e6b <phase6+0x54>
8048e75: 89 54 b5 c8 mov %edx,-0x38(%ebp,%esi,4)
8048e79: 83 c3 01 add $0x1,%ebx
8048e7c: 83 fb 06 cmp $0x6,%ebx
8048e7f: 74 1e je 8048e9f <phase6+0x88>
8048e81: 89 de mov %ebx,%esi
8048e83: 8b 4c 9d e0 mov -0x20(%ebp,%ebx,4),%ecx
8048e87: b8 01 00 00 00 mov $0x1,%eax
8048e8c: ba 3c c1 04 08 mov $0x804c13c,%edx
8048e91: 83 f9 01 cmp $0x1,%ecx
8048e94: 7f d5 jg 8048e6b <phase6+0x54>
8048e96: eb dd jmp 8048e75 <phase6+0x5e>
8048e98: bb 00 00 00 00 mov $0x0,%ebx
8048e9d: eb e2 jmp 8048e81 <phase6+0x6a>
8048e9f: 8b 5d c8 mov -0x38(%ebp),%ebx
8048ea2: 8b 45 cc mov -0x34(%ebp),%eax
8048ea5: 89 43 08 mov %eax,0x8(%ebx)
8048ea8: 8b 55 d0 mov -0x30(%ebp),%edx
8048eab: 89 50 08 mov %edx,0x8(%eax)
8048eae: 8b 45 d4 mov -0x2c(%ebp),%eax
8048eb1: 89 42 08 mov %eax,0x8(%edx)
8048eb4: 8b 55 d8 mov -0x28(%ebp),%edx
8048eb7: 89 50 08 mov %edx,0x8(%eax)
8048eba: 8b 45 dc mov -0x24(%ebp),%eax
8048ebd: 89 42 08 mov %eax,0x8(%edx)
8048ec0: c7 40 08 00 00 00 00 movl $0x0,0x8(%eax)
8048ec7: be 05 00 00 00 mov $0x5,%esi
8048ecc: eb 08 jmp 8048ed6 <phase6+0xbf>
8048ece: 8b 5b 08 mov 0x8(%ebx),%ebx
8048ed1: 83 ee 01 sub $0x1,%esi
8048ed4: 74 10 je 8048ee6 <phase6+0xcf>
8048ed6: 8b 43 08 mov 0x8(%ebx),%eax
8048ed9: 8b 00 mov (%eax),%eax
8048edb: 39 03 cmp %eax,(%ebx)
8048edd: 7e ef jle 8048ece <phase6+0xb7>
8048edf: e8 5e 02 00 00 call 8049142 <explodebomb>
8048ee4: eb e8 jmp 8048ece <phase6+0xb7>
8048ee6: 8d 65 f8 lea -0x8(%ebp),%esp
8048ee9: 5b pop %ebx
8048eea: 5e pop %esi
8048eeb: 5d pop %ebp
8048eec: c3 ret
根据read six numbers可得答案为6个数字,由sub $0x1,%eax和cmp $0x5,%eax可得输入的六个数在1-6之间。
根据mov $0x804c13c,%edx,调试代码为:
(gdb) x/3x 0x804c13c
(gdb) x/3x 0x804c148
(gdb) x/3x 0x804c154
(gdb) x/3x 0x804c160
(gdb) x/3x 0x804c16c
(gdb) x/3x 0x804c178
可得结果:3 6 4 5 1 2
隐藏实验:
在第四关中phase defused函数中寻找到特殊地址查看可得需在输入第四关答案后再输入一个字符串,而这个字符串就是DrEvil,输入两个数后再输入DrEvil即可触发隐藏关
08048f41 <secretphase>:
8048f41: 55 push %ebp
8048f42: 89 e5 mov %esp,%ebp
8048f44: 53 push %ebx
8048f45: 83 ec 04 sub $0x4,%esp
8048f48: e8 57 02 00 00 call 80491a4 <readline>
8048f4d: 83 ec 04 sub $0x4,%esp
8048f50: 6a 0a push $0xa
8048f52: 6a 00 push $0x0
8048f54: 50 push %eax
8048f55: e8 66 f9 ff ff call 80488c0 <strtol@plt>
8048f5a: 89 c3 mov %eax,%ebx
8048f5c: 8d 40 ff lea -0x1(%eax),%eax
8048f5f: 83 c4 10 add $0x10,%esp
8048f62: 3d e8 03 00 00 cmp $0x3e8,%eax
8048f67: 77 2f ja 8048f98 <secretphase+0x57>
8048f69: 83 ec 08 sub $0x8,%esp
8048f6c: 53 push %ebx
8048f6d: 68 88 c0 04 08 push $0x804c088
8048f72: e8 76 ff ff ff call 8048eed <fun7>
8048f77: 83 c4 10 add $0x10,%esp
8048f7a: 85 c0 test %eax,%eax
8048f7c: 75 21 jne 8048f9f <secretphase+0x5e>
8048f7e: 83 ec 0c sub $0xc,%esp
8048f81: 68 80 a0 04 08 push $0x804a080
8048f86: e8 85 f8 ff ff call 8048810 <puts@plt>
8048f8b: e8 25 03 00 00 call 80492b5 <phasedefused>
8048f90: 83 c4 10 add $0x10,%esp
8048f93: 8b 5d fc mov -0x4(%ebp),%ebx
8048f96: c9 leave
8048f97: c3 ret
8048f98: e8 a5 01 00 00 call 8049142 <explodebomb>
8048f9d: eb ca jmp 8048f69 <secretphase+0x28>
8048f9f: e8 9e 01 00 00 call 8049142 <explodebomb>
8048fa4: eb d8 jmp 8048f7e <secretphase+0x3d>
可以看出调用了fun7函数,查看fun7函数可得这是一个递归函数,该函数会用来对一颗二叉树进行查询,我们需要输入的值就是最后一次查询到的结点储存值,
根据push $0x804c088,调试代码:
(gdb) p/x *0x804c088@3
(gdb) p/x *0x804c094@3
(gdb) p/x *0x804c0c4@3
(gdb) p/x *0x804c0e8@3
可得结果:36