
计算机系统基础:bomb炸弹实验

实验因为根据学号生成,和同学的都不一样,只能独立完成,不过很多大佬的博客提供的思路还是非常有参考价值的。

phase1

# phase1(input): defused iff the input line equals the fixed string at 0x8049fe4.
# objdump -d listing, IA-32 cdecl, AT&T syntax (op src,dst); input = 0x8(%ebp).
08048b69 <phase1>:
 8048b69:	55                   	push   %ebp
 8048b6a:	89 e5                	mov    %esp,%ebp
 8048b6c:	83 ec 10             	sub    $0x10,%esp                  # local/alignment space
 8048b6f:	68 e4 9f 04 08       	push   $0x8049fe4                  # arg 2: expected string (x/s 0x8049fe4 in gdb)
 8048b74:	ff 75 08             	pushl  0x8(%ebp)                   # arg 1: the user's input line
 8048b77:	e8 c5 04 00 00       	call   8049041 <stringsnotequal>   # nonzero result means "not equal"
 8048b7c:	83 c4 10             	add    $0x10,%esp                  # pop both args
 8048b7f:	85 c0                	test   %eax,%eax                   # %eax == 0 -> strings matched
 8048b81:	75 02                	jne    8048b85 <phase1+0x1c>       # mismatch -> explode
 8048b83:	c9                   	leave  
 8048b84:	c3                   	ret    
 8048b85:	e8 b8 05 00 00       	call   8049142 <explodebomb>
 8048b8a:	eb f7                	jmp    8048b83 <phase1+0x1a>       # only reached if explodebomb returns

根据查看反汇编代码可得%eax中存储的是输入的字符串,
可得与用户输入字符串进行比较的字符串存储在地址0x8049fe4处,可用gdb查看该地址存储的数据内容:(gdb) x/s 0x8049fe4
可得结果:Crikey! I have lost my mojo!

phase2:

# phase2(input): reads six ints num[0..5] into -0x20(%ebp) and requires
# num[0]==0, num[1]==1 and num[i+2]==num[i]+num[i+1] for i=0..3.
# %ebx/%esi (callee-saved) are the loop cursor and end pointer.
08048b8c <phase2>:
 8048b8c:	55                   	push   %ebp
 8048b8d:	89 e5                	mov    %esp,%ebp
 8048b8f:	56                   	push   %esi                        # save callee-saved regs used below
 8048b90:	53                   	push   %ebx
 8048b91:	83 ec 28             	sub    $0x28,%esp
 8048b94:	8d 45 e0             	lea    -0x20(%ebp),%eax            # &num[0]
 8048b97:	50                   	push   %eax                        # arg 2: output array
 8048b98:	ff 75 08             	pushl  0x8(%ebp)                   # arg 1: input line
 8048b9b:	e8 ca 05 00 00       	call   804916a <readsixnumbers>    # fills num[0..5] (body not shown here)
 8048ba0:	83 c4 10             	add    $0x10,%esp
 8048ba3:	83 7d e0 00          	cmpl   $0x0,-0x20(%ebp)            # num[0] must be 0
 8048ba7:	75 06                	jne    8048baf <phase2+0x23>
 8048ba9:	83 7d e4 01          	cmpl   $0x1,-0x1c(%ebp)            # num[1] must be 1
 8048bad:	74 05                	je     8048bb4 <phase2+0x28>
 8048baf:	e8 8e 05 00 00       	call   8049142 <explodebomb>       # num[0]!=0 or num[1]!=1
 8048bb4:	8d 5d e0             	lea    -0x20(%ebp),%ebx            # cursor p = &num[0]
 8048bb7:	8d 75 f0             	lea    -0x10(%ebp),%esi            # end   = &num[4]
 8048bba:	eb 07                	jmp    8048bc3 <phase2+0x37>
 8048bbc:	83 c3 04             	add    $0x4,%ebx                   # p++
 8048bbf:	39 f3                	cmp    %esi,%ebx
 8048bc1:	74 11                	je     8048bd4 <phase2+0x48>       # p == &num[4] -> all four triples checked
 8048bc3:	8b 43 04             	mov    0x4(%ebx),%eax              # %eax = p[1]
 8048bc6:	03 03                	add    (%ebx),%eax                 # %eax += p[0]
 8048bc8:	39 43 08             	cmp    %eax,0x8(%ebx)              # p[2] == p[0] + p[1] ?
 8048bcb:	74 ef                	je     8048bbc <phase2+0x30>
 8048bcd:	e8 70 05 00 00       	call   8049142 <explodebomb>
 8048bd2:	eb e8                	jmp    8048bbc <phase2+0x30>
 8048bd4:	8d 65 f8             	lea    -0x8(%ebp),%esp             # drop locals; %esp -> saved %ebx
 8048bd7:	5b                   	pop    %ebx
 8048bd8:	5e                   	pop    %esi
 8048bd9:	5d                   	pop    %ebp
 8048bda:	c3                   	ret 

根据调用的函数readsixnumbers,查看该函数的汇编代码,可得输入为6个数;根据cmpl $0x0,-0x20(%ebp)可知第一个数为0,同理根据cmpl $0x1,-0x1c(%ebp)可得第二个数为1;从后面的汇编代码可以看出是一个循环,每个数都是前两个数之和,即斐波那契数列
可得结果:0 1 1 2 3 5

phase3

# phase3(input): sscanf(input, fmt@0x804a001, &x, &c, &y) with
#   x = first %d  at -0xc(%ebp), c = the %c byte at -0x11(%ebp), y = second %d at -0x10(%ebp)
# (the writeup reads the format as "%d %c %d"). Needs 3 conversions and x in 0..7 (unsigned check);
# x indexes the 8-entry jump table at 0x804a020 (contents not shown here), and each case pins
# the (c, y) pair that defuses: c is the byte loaded into %al, y is the cmpl immediate.
08048bdb <phase3>:
 8048bdb:	55                   	push   %ebp
 8048bdc:	89 e5                	mov    %esp,%ebp
 8048bde:	83 ec 24             	sub    $0x24,%esp
 8048be1:	8d 45 f0             	lea    -0x10(%ebp),%eax            # &y
 8048be4:	50                   	push   %eax                        # arg 5
 8048be5:	8d 45 ef             	lea    -0x11(%ebp),%eax            # &c (single byte)
 8048be8:	50                   	push   %eax                        # arg 4
 8048be9:	8d 45 f4             	lea    -0xc(%ebp),%eax             # &x
 8048bec:	50                   	push   %eax                        # arg 3
 8048bed:	68 01 a0 04 08       	push   $0x804a001                  # arg 2: format string (x/s 0x804a001)
 8048bf2:	ff 75 08             	pushl  0x8(%ebp)                   # arg 1: input line
 8048bf5:	e8 66 fc ff ff       	call   8048860 <_isoc99sscanf@plt>
 8048bfa:	83 c4 20             	add    $0x20,%esp
 8048bfd:	83 f8 02             	cmp    $0x2,%eax                   # number of conversions
 8048c00:	7e 14                	jle    8048c16 <phase3+0x3b>       # fewer than 3 -> explode
 8048c02:	83 7d f4 07          	cmpl   $0x7,-0xc(%ebp)
 8048c06:	0f 87 f0 00 00 00    	ja     8048cfc <phase3+0x121>      # unsigned: x > 7 (incl. negative x) -> explode
 8048c0c:	8b 45 f4             	mov    -0xc(%ebp),%eax
 8048c0f:	ff 24 85 20 a0 04 08 	jmp    *0x804a020(,%eax,4)         # dispatch via table[x]; per the writeup x=0 -> 8048c1d
 8048c16:	e8 27 05 00 00       	call   8049142 <explodebomb>       # sscanf failure path
 8048c1b:	eb e5                	jmp    8048c02 <phase3+0x27>
 8048c1d:	b8 74 00 00 00       	mov    $0x74,%eax                  # case: c must be 't' (0x74)
 8048c22:	81 7d f0 fb 01 00 00 	cmpl   $0x1fb,-0x10(%ebp)          #       y must be 0x1fb (507)
 8048c29:	0f 84 d7 00 00 00    	je     8048d06 <phase3+0x12b>
 8048c2f:	e8 0e 05 00 00       	call   8049142 <explodebomb>
 8048c34:	b8 74 00 00 00       	mov    $0x74,%eax                  # reload %al after the call
 8048c39:	e9 c8 00 00 00       	jmp    8048d06 <phase3+0x12b>
 8048c3e:	b8 6d 00 00 00       	mov    $0x6d,%eax                  # case: c must be 'm' (0x6d)
 8048c43:	81 7d f0 76 02 00 00 	cmpl   $0x276,-0x10(%ebp)          #       y must be 0x276 (630)
 8048c4a:	0f 84 b6 00 00 00    	je     8048d06 <phase3+0x12b>
 8048c50:	e8 ed 04 00 00       	call   8049142 <explodebomb>
 8048c55:	b8 6d 00 00 00       	mov    $0x6d,%eax
 8048c5a:	e9 a7 00 00 00       	jmp    8048d06 <phase3+0x12b>
 8048c5f:	b8 6e 00 00 00       	mov    $0x6e,%eax                  # case: c must be 'n' (0x6e)
 8048c64:	81 7d f0 48 02 00 00 	cmpl   $0x248,-0x10(%ebp)          #       y must be 0x248 (584)
 8048c6b:	0f 84 95 00 00 00    	je     8048d06 <phase3+0x12b>
 8048c71:	e8 cc 04 00 00       	call   8049142 <explodebomb>
 8048c76:	b8 6e 00 00 00       	mov    $0x6e,%eax
 8048c7b:	e9 86 00 00 00       	jmp    8048d06 <phase3+0x12b>
 8048c80:	b8 6e 00 00 00       	mov    $0x6e,%eax                  # case: c must be 'n' (0x6e)
 8048c85:	81 7d f0 44 03 00 00 	cmpl   $0x344,-0x10(%ebp)          #       y must be 0x344 (836)
 8048c8c:	74 78                	je     8048d06 <phase3+0x12b>
 8048c8e:	e8 af 04 00 00       	call   8049142 <explodebomb>
 8048c93:	b8 6e 00 00 00       	mov    $0x6e,%eax
 8048c98:	eb 6c                	jmp    8048d06 <phase3+0x12b>
 8048c9a:	b8 6e 00 00 00       	mov    $0x6e,%eax                  # case: c must be 'n' (0x6e)
 8048c9f:	83 7d f0 58          	cmpl   $0x58,-0x10(%ebp)           #       y must be 0x58 (88)
 8048ca3:	74 61                	je     8048d06 <phase3+0x12b>
 8048ca5:	e8 98 04 00 00       	call   8049142 <explodebomb>
 8048caa:	b8 6e 00 00 00       	mov    $0x6e,%eax
 8048caf:	eb 55                	jmp    8048d06 <phase3+0x12b>
 8048cb1:	b8 69 00 00 00       	mov    $0x69,%eax                  # case: c must be 'i' (0x69)
 8048cb6:	81 7d f0 53 02 00 00 	cmpl   $0x253,-0x10(%ebp)          #       y must be 0x253 (595)
 8048cbd:	74 47                	je     8048d06 <phase3+0x12b>
 8048cbf:	e8 7e 04 00 00       	call   8049142 <explodebomb>
 8048cc4:	b8 69 00 00 00       	mov    $0x69,%eax
 8048cc9:	eb 3b                	jmp    8048d06 <phase3+0x12b>
 8048ccb:	b8 6d 00 00 00       	mov    $0x6d,%eax                  # case: c must be 'm' (0x6d)
 8048cd0:	83 7d f0 52          	cmpl   $0x52,-0x10(%ebp)           #       y must be 0x52 (82)
 8048cd4:	74 30                	je     8048d06 <phase3+0x12b>
 8048cd6:	e8 67 04 00 00       	call   8049142 <explodebomb>
 8048cdb:	b8 6d 00 00 00       	mov    $0x6d,%eax
 8048ce0:	eb 24                	jmp    8048d06 <phase3+0x12b>
 8048ce2:	b8 75 00 00 00       	mov    $0x75,%eax                  # case: c must be 'u' (0x75)
 8048ce7:	81 7d f0 21 01 00 00 	cmpl   $0x121,-0x10(%ebp)          #       y must be 0x121 (289)
 8048cee:	74 16                	je     8048d06 <phase3+0x12b>
 8048cf0:	e8 4d 04 00 00       	call   8049142 <explodebomb>
 8048cf5:	b8 75 00 00 00       	mov    $0x75,%eax
 8048cfa:	eb 0a                	jmp    8048d06 <phase3+0x12b>
 8048cfc:	e8 41 04 00 00       	call   8049142 <explodebomb>       # x out of range
 8048d01:	b8 69 00 00 00       	mov    $0x69,%eax
 8048d06:	38 45 ef             	cmp    %al,-0x11(%ebp)             # common tail: c == expected byte ?
 8048d09:	74 05                	je     8048d10 <phase3+0x135>
 8048d0b:	e8 32 04 00 00       	call   8049142 <explodebomb>
 8048d10:	c9                   	leave  
 8048d11:	c3                   	ret   

根据push $0x804a001,用(gdb) x/s 0x804a001查看该地址的内容,可得0x804a001: “%d %c %d”,所以输入的依次是数字、字符、数字。根据cmpl $0x7,-0xc(%ebp),可得输入的第一个数小于7。假设第一个数为0,输入代码:(gdb) p/x *0x804a001,可得下一条指令地址为8048c1d,对应的汇编指令为mov $0x74,%eax,所以第二个输入字符的ASCII码为0x74,即字符’t’;下一条汇编语句为cmpl $0x1fb,-0x10(%ebp),所以第三个数为0x1fb,即507
可得结果:0 t 507

phase4:

# phase4(input): sscanf(input, fmt@0x804a1b7, &a, &b) with a at -0x10(%ebp), b at -0xc(%ebp)
# (the writeup reads the format as "%d %d"). Requires exactly 2 conversions,
# (b - 2) <= 2 unsigned (b in {2,3,4}), and a == func4(8, b). func4 is not shown on this page.
08048d5d <phase4>:
 8048d5d:	55                   	push   %ebp
 8048d5e:	89 e5                	mov    %esp,%ebp
 8048d60:	83 ec 18             	sub    $0x18,%esp
 8048d63:	8d 45 f4             	lea    -0xc(%ebp),%eax             # &b (second %d)
 8048d66:	50                   	push   %eax                        # arg 4
 8048d67:	8d 45 f0             	lea    -0x10(%ebp),%eax            # &a (first %d)
 8048d6a:	50                   	push   %eax                        # arg 3
 8048d6b:	68 b7 a1 04 08       	push   $0x804a1b7                  # arg 2: format string (x/s 0x804a1b7)
 8048d70:	ff 75 08             	pushl  0x8(%ebp)                   # arg 1: input line
 8048d73:	e8 e8 fa ff ff       	call   8048860 <_isoc99sscanf@plt>
 8048d78:	83 c4 10             	add    $0x10,%esp
 8048d7b:	83 f8 02             	cmp    $0x2,%eax                   # must parse exactly 2 numbers
 8048d7e:	75 0b                	jne    8048d8b <phase4+0x2e>
 8048d80:	8b 45 f4             	mov    -0xc(%ebp),%eax             # %eax = b
 8048d83:	83 e8 02             	sub    $0x2,%eax
 8048d86:	83 f8 02             	cmp    $0x2,%eax
 8048d89:	76 05                	jbe    8048d90 <phase4+0x33>       # unsigned (b-2) <= 2  ->  b in {2,3,4}
 8048d8b:	e8 b2 03 00 00       	call   8049142 <explodebomb>
 8048d90:	83 ec 08             	sub    $0x8,%esp                   # pad so the call site stays aligned
 8048d93:	ff 75 f4             	pushl  -0xc(%ebp)                  # arg 2: b
 8048d96:	6a 08                	push   $0x8                        # arg 1: 8
 8048d98:	e8 75 ff ff ff       	call   8048d12 <func4>             # %eax = func4(8, b)
 8048d9d:	83 c4 10             	add    $0x10,%esp
 8048da0:	39 45 f0             	cmp    %eax,-0x10(%ebp)            # a == func4(8, b) ?
 8048da3:	74 05                	je     8048daa <phase4+0x4d>
 8048da5:	e8 98 03 00 00       	call   8049142 <explodebomb>
 8048daa:	c9                   	leave  
 8048dab:	c3                   	ret  

根据push $0x804a1b7,用(gdb) x/2s 0x804a1b7查看该地址的内容,可得0x804a1b7: “%d %d”,再根据
8048d83: 83 e8 02 sub $0x2,%eax
8048d86: 83 f8 02 cmp $0x2,%eax
8048d89: 76 05 jbe 8048d90 <phase4+0x33>
8048d8b: e8 b2 03 00 00 call 8049142
可得第二个数应该为2、3、4中的一个;在cmp $0x2,%eax处用ni和info reg指令查看,得到eax为3,所以第二个数为3;同理在cmp %eax,-0x10(%ebp)处用ni和info reg指令查看,得到eax为162,所以第一个数为162
可得结果:3 162

phase5:

# phase5(input): sscanf(input, fmt@0x804a1b7, &a, &b) with a at -0xc(%ebp), b at -0x10(%ebp).
# Needs >= 2 conversions. Starting at idx = a & 0xf (idx == 0xf rejected), it repeats
# idx = table[idx] over the 4-byte table at 0x804a040, summing every loaded value in %ecx and
# counting loads in %edx, until the loaded value is 0xf. Defuses iff exactly 15 loads happened
# and b == the sum (the final 0xf included). The table contents are not shown on this page.
08048dac <phase5>:
 8048dac:	55                   	push   %ebp
 8048dad:	89 e5                	mov    %esp,%ebp
 8048daf:	83 ec 18             	sub    $0x18,%esp
 8048db2:	8d 45 f0             	lea    -0x10(%ebp),%eax            # &b (second %d)
 8048db5:	50                   	push   %eax                        # arg 4
 8048db6:	8d 45 f4             	lea    -0xc(%ebp),%eax             # &a (first %d)
 8048db9:	50                   	push   %eax                        # arg 3
 8048dba:	68 b7 a1 04 08       	push   $0x804a1b7                  # arg 2: format string (same one phase4 uses)
 8048dbf:	ff 75 08             	pushl  0x8(%ebp)                   # arg 1: input line
 8048dc2:	e8 99 fa ff ff       	call   8048860 <_isoc99sscanf@plt>
 8048dc7:	83 c4 10             	add    $0x10,%esp
 8048dca:	83 f8 01             	cmp    $0x1,%eax
 8048dcd:	7e 41                	jle    8048e10 <phase5+0x64>       # fewer than 2 conversions -> explode
 8048dcf:	8b 45 f4             	mov    -0xc(%ebp),%eax
 8048dd2:	83 e0 0f             	and    $0xf,%eax                   # idx = a & 0xf (only the low nibble matters)
 8048dd5:	89 45 f4             	mov    %eax,-0xc(%ebp)
 8048dd8:	83 f8 0f             	cmp    $0xf,%eax
 8048ddb:	74 2c                	je     8048e09 <phase5+0x5d>       # idx == 15 -> explode
 8048ddd:	b9 00 00 00 00       	mov    $0x0,%ecx                   # sum = 0
 8048de2:	ba 00 00 00 00       	mov    $0x0,%edx                   # count = 0
 8048de7:	83 c2 01             	add    $0x1,%edx                   # count++
 8048dea:	8b 04 85 40 a0 04 08 	mov    0x804a040(,%eax,4),%eax     # idx = table[idx]
 8048df1:	01 c1                	add    %eax,%ecx                   # sum += idx
 8048df3:	83 f8 0f             	cmp    $0xf,%eax
 8048df6:	75 ef                	jne    8048de7 <phase5+0x3b>       # stop once the loaded value is 15
 8048df8:	c7 45 f4 0f 00 00 00 	movl   $0xf,-0xc(%ebp)
 8048dff:	83 fa 0f             	cmp    $0xf,%edx                   # exactly 15 loads ?
 8048e02:	75 05                	jne    8048e09 <phase5+0x5d>
 8048e04:	39 4d f0             	cmp    %ecx,-0x10(%ebp)            # b == sum ?
 8048e07:	74 05                	je     8048e0e <phase5+0x62>
 8048e09:	e8 34 03 00 00       	call   8049142 <explodebomb>
 8048e0e:	c9                   	leave  
 8048e0f:	c3                   	ret    
 8048e10:	e8 2d 03 00 00       	call   8049142 <explodebomb>       # sscanf failure path
 8048e15:	eb b8                	jmp    8048dcf <phase5+0x23>

和上一个实验同理可得输入两个数。根据cmp $0xf,%eax,可得有一个数与0xf进行了相与操作,再根据后面的判断可得输入数据的低四位不能是0xf。查看汇编语句可知进行了循环,循环结束后对%edx进行了一次判断,若不等于0xf就爆炸;输入的第二个数与寄存器%ecx的值若不相等也会爆炸,所以第二个数的值等于此时ecx中的值。对循环进行具体分析可得循环进行了15次,循环退出的条件为eax=0xf,eax的初值为15,即输入的第一个数的最低四位的值为5,ecx的值为eax后面14次变化过程中所有数值的和,即115.
可得结果: 21 115

phase6:

# phase6(input): reads six ints num[0..5] into -0x20(%ebp). Each must be in 1..6 (unsigned
# check) and pairwise distinct. node[i] (at -0x38(%ebp,i,4)) is set to the num[i]-th node of
# the singly linked list headed at 0x804c13c (value at offset 0, next pointer at offset 8).
# The list is then relinked in node[0..5] order and must read non-decreasing:
# node[k]->value <= node[k+1]->value for k=0..4. List contents are not shown on this page.
08048e17 <phase6>:
 8048e17:	55                   	push   %ebp
 8048e18:	89 e5                	mov    %esp,%ebp
 8048e1a:	56                   	push   %esi
 8048e1b:	53                   	push   %ebx
 8048e1c:	83 ec 38             	sub    $0x38,%esp
 8048e1f:	8d 45 e0             	lea    -0x20(%ebp),%eax            # &num[0]
 8048e22:	50                   	push   %eax                        # arg 2: output array
 8048e23:	ff 75 08             	pushl  0x8(%ebp)                   # arg 1: input line
 8048e26:	e8 3f 03 00 00       	call   804916a <readsixnumbers>
 8048e2b:	83 c4 10             	add    $0x10,%esp
 8048e2e:	be 00 00 00 00       	mov    $0x0,%esi                   # i = 0   (outer loop: range + distinctness)
 8048e33:	8b 44 b5 e0          	mov    -0x20(%ebp,%esi,4),%eax     # %eax = num[i]
 8048e37:	83 e8 01             	sub    $0x1,%eax
 8048e3a:	83 f8 05             	cmp    $0x5,%eax
 8048e3d:	77 0c                	ja     8048e4b <phase6+0x34>       # unsigned num[i]-1 > 5 -> num[i] not in 1..6
 8048e3f:	83 c6 01             	add    $0x1,%esi                   # i++
 8048e42:	83 fe 06             	cmp    $0x6,%esi
 8048e45:	74 51                	je     8048e98 <phase6+0x81>       # all six checked -> go build node[]
 8048e47:	89 f3                	mov    %esi,%ebx                   # j = i
 8048e49:	eb 0f                	jmp    8048e5a <phase6+0x43>
 8048e4b:	e8 f2 02 00 00       	call   8049142 <explodebomb>
 8048e50:	eb ed                	jmp    8048e3f <phase6+0x28>
 8048e52:	83 c3 01             	add    $0x1,%ebx                   # j++
 8048e55:	83 fb 05             	cmp    $0x5,%ebx
 8048e58:	7f d9                	jg     8048e33 <phase6+0x1c>       # j > 5 -> next i
 8048e5a:	8b 44 9d e0          	mov    -0x20(%ebp,%ebx,4),%eax     # %eax = num[j]
 8048e5e:	39 44 b5 dc          	cmp    %eax,-0x24(%ebp,%esi,4)     # num[i-1] == num[j] ?  (i was already incremented)
 8048e62:	75 ee                	jne    8048e52 <phase6+0x3b>
 8048e64:	e8 d9 02 00 00       	call   8049142 <explodebomb>       # duplicate value
 8048e69:	eb e7                	jmp    8048e52 <phase6+0x3b>
 8048e6b:	8b 52 08             	mov    0x8(%edx),%edx              # p = p->next
 8048e6e:	83 c0 01             	add    $0x1,%eax                   # pos++
 8048e71:	39 c8                	cmp    %ecx,%eax
 8048e73:	75 f6                	jne    8048e6b <phase6+0x54>       # walk until pos == num[j]
 8048e75:	89 54 b5 c8          	mov    %edx,-0x38(%ebp,%esi,4)     # node[i] = p
 8048e79:	83 c3 01             	add    $0x1,%ebx                   # j++
 8048e7c:	83 fb 06             	cmp    $0x6,%ebx
 8048e7f:	74 1e                	je     8048e9f <phase6+0x88>       # node[0..5] filled -> relink
 8048e81:	89 de                	mov    %ebx,%esi                   # i = j
 8048e83:	8b 4c 9d e0          	mov    -0x20(%ebp,%ebx,4),%ecx     # %ecx = num[j] (target position, 1-based)
 8048e87:	b8 01 00 00 00       	mov    $0x1,%eax                   # pos = 1
 8048e8c:	ba 3c c1 04 08       	mov    $0x804c13c,%edx             # p = list head (x/3x 0x804c13c etc. in gdb)
 8048e91:	83 f9 01             	cmp    $0x1,%ecx
 8048e94:	7f d5                	jg     8048e6b <phase6+0x54>       # num[j] > 1 -> advance
 8048e96:	eb dd                	jmp    8048e75 <phase6+0x5e>       # num[j] == 1 -> head itself
 8048e98:	bb 00 00 00 00       	mov    $0x0,%ebx                   # j = 0  (start of node-selection loop)
 8048e9d:	eb e2                	jmp    8048e81 <phase6+0x6a>
 8048e9f:	8b 5d c8             	mov    -0x38(%ebp),%ebx            # %ebx = node[0]
 8048ea2:	8b 45 cc             	mov    -0x34(%ebp),%eax            # node[1]
 8048ea5:	89 43 08             	mov    %eax,0x8(%ebx)              # node[0]->next = node[1]
 8048ea8:	8b 55 d0             	mov    -0x30(%ebp),%edx            # node[2]
 8048eab:	89 50 08             	mov    %edx,0x8(%eax)              # node[1]->next = node[2]
 8048eae:	8b 45 d4             	mov    -0x2c(%ebp),%eax            # node[3]
 8048eb1:	89 42 08             	mov    %eax,0x8(%edx)              # node[2]->next = node[3]
 8048eb4:	8b 55 d8             	mov    -0x28(%ebp),%edx            # node[4]
 8048eb7:	89 50 08             	mov    %edx,0x8(%eax)              # node[3]->next = node[4]
 8048eba:	8b 45 dc             	mov    -0x24(%ebp),%eax            # node[5]
 8048ebd:	89 42 08             	mov    %eax,0x8(%edx)              # node[4]->next = node[5]
 8048ec0:	c7 40 08 00 00 00 00 	movl   $0x0,0x8(%eax)              # node[5]->next = NULL
 8048ec7:	be 05 00 00 00       	mov    $0x5,%esi                   # 5 adjacent pairs to check; %ebx = node[0]
 8048ecc:	eb 08                	jmp    8048ed6 <phase6+0xbf>
 8048ece:	8b 5b 08             	mov    0x8(%ebx),%ebx              # cur = cur->next
 8048ed1:	83 ee 01             	sub    $0x1,%esi
 8048ed4:	74 10                	je     8048ee6 <phase6+0xcf>
 8048ed6:	8b 43 08             	mov    0x8(%ebx),%eax              # %eax = cur->next
 8048ed9:	8b 00                	mov    (%eax),%eax                 # %eax = cur->next->value
 8048edb:	39 03                	cmp    %eax,(%ebx)                 # cur->value <= next->value ? (signed)
 8048edd:	7e ef                	jle    8048ece <phase6+0xb7>
 8048edf:	e8 5e 02 00 00       	call   8049142 <explodebomb>       # order violated
 8048ee4:	eb e8                	jmp    8048ece <phase6+0xb7>
 8048ee6:	8d 65 f8             	lea    -0x8(%ebp),%esp             # drop locals; %esp -> saved %ebx
 8048ee9:	5b                   	pop    %ebx
 8048eea:	5e                   	pop    %esi
 8048eeb:	5d                   	pop    %ebp
 8048eec:	c3                   	ret 

根据read six numbers可得答案为6个数字,由sub $0x1,%eax和cmp $0x5,%eax可得输入的六个数在1-6之间。
根据mov $0x804c13c,%edx,调试代码为:
(gdb) x/3x 0x804c13c
(gdb) x/3x 0x804c148
(gdb) x/3x 0x804c154
(gdb) x/3x 0x804c160
(gdb) x/3x 0x804c16c
(gdb) x/3x 0x804c178
可得结果:3 6 4 5 1 2

隐藏实验:
在phasedefused函数中可以找到一个特殊地址,查看该地址可知需要在第四关答案之后再输入一个字符串,这个字符串就是DrEvil;即输入两个数后再输入DrEvil即可触发隐藏关

# secretphase(): reads one more line, n = strtol(line, NULL, 10); requires (n - 1) <= 1000
# unsigned (n in 1..1001) and fun7(0x804c088, n) == 0, then prints the string at 0x804a080 and
# calls phasedefused. fun7 is not shown on this page (the writeup describes it as a recursive
# binary-tree lookup). %ebx is callee-saved and is restored from -0x4(%ebp) before leave.
08048f41 <secretphase>:
 8048f41:	55                   	push   %ebp
 8048f42:	89 e5                	mov    %esp,%ebp
 8048f44:	53                   	push   %ebx                        # saved at -0x4(%ebp)
 8048f45:	83 ec 04             	sub    $0x4,%esp
 8048f48:	e8 57 02 00 00       	call   80491a4 <readline>          # %eax = pointer to the next input line
 8048f4d:	83 ec 04             	sub    $0x4,%esp
 8048f50:	6a 0a                	push   $0xa                        # arg 3: base 10
 8048f52:	6a 00                	push   $0x0                        # arg 2: endptr = NULL
 8048f54:	50                   	push   %eax                        # arg 1: the line
 8048f55:	e8 66 f9 ff ff       	call   80488c0 <strtol@plt>
 8048f5a:	89 c3                	mov    %eax,%ebx                   # n (kept across the next call)
 8048f5c:	8d 40 ff             	lea    -0x1(%eax),%eax             # %eax = n - 1 (lea: flags untouched)
 8048f5f:	83 c4 10             	add    $0x10,%esp
 8048f62:	3d e8 03 00 00       	cmp    $0x3e8,%eax                 # 0x3e8 = 1000
 8048f67:	77 2f                	ja     8048f98 <secretphase+0x57>  # unsigned: n < 1 or n > 1001 -> explode
 8048f69:	83 ec 08             	sub    $0x8,%esp
 8048f6c:	53                   	push   %ebx                        # arg 2: n
 8048f6d:	68 88 c0 04 08       	push   $0x804c088                  # arg 1: root pointer (p/x *0x804c088@3 in gdb)
 8048f72:	e8 76 ff ff ff       	call   8048eed <fun7>
 8048f77:	83 c4 10             	add    $0x10,%esp
 8048f7a:	85 c0                	test   %eax,%eax                   # fun7 must return 0
 8048f7c:	75 21                	jne    8048f9f <secretphase+0x5e>
 8048f7e:	83 ec 0c             	sub    $0xc,%esp
 8048f81:	68 80 a0 04 08       	push   $0x804a080                  # success message
 8048f86:	e8 85 f8 ff ff       	call   8048810 <puts@plt>
 8048f8b:	e8 25 03 00 00       	call   80492b5 <phasedefused>
 8048f90:	83 c4 10             	add    $0x10,%esp
 8048f93:	8b 5d fc             	mov    -0x4(%ebp),%ebx             # restore callee-saved %ebx
 8048f96:	c9                   	leave  
 8048f97:	c3                   	ret    
 8048f98:	e8 a5 01 00 00       	call   8049142 <explodebomb>       # n out of range
 8048f9d:	eb ca                	jmp    8048f69 <secretphase+0x28>
 8048f9f:	e8 9e 01 00 00       	call   8049142 <explodebomb>       # fun7 rejected n
 8048fa4:	eb d8                	jmp    8048f7e <secretphase+0x3d>

可以看出调用了fun7函数,查看fun7函数可得这是一个递归函数,用来对一棵二叉树进行查询,我们需要输入的值就是最后一次查询到的结点所存储的值。
根据push $0x804c088,调试代码:
(gdb) p/x *0x804c088@3
(gdb) p/x *0x804c094@3
(gdb) p/x *0x804c0c4@3
(gdb) p/x *0x804c0e8@3
可得结果:36

