CSAPP Lab2--Defusing a Binary Bomb

实验材料:http://download.youkuaiyun.com/detail/u010560443/9458899
GDB教程:
http://heather.cs.ucdavis.edu/~matloff/UnixAndC/CLanguage/Debug.html
http://www.gnu.org/software/gdb/
x86手册:https://sourceware.org/binutils/docs/as/

phase_2

//read_line读取到的字符串地址在ebp+8处
//答案(之一):1 6 11 16 21 26(phase_2本身只检查相邻两数之差,未检查首项)
//要求:read_six_numbers将字符串拆分为六个数字并存到phase_2的局部数组中,
//phase_2+51处要求数组中后一个元素必须比前一个元素大5
Dump of assembler code for function phase_2:
   # phase_2: hand the input line to read_six_numbers, then walk the resulting
   # array and call explode_bomb unless every element equals its predecessor + 5.
   # Syntax: AT&T (op src,dst), 32-bit x86, arguments passed on the stack.
   # Frame layout used below:
   #    0x8(%ebp)   = pointer to the input string (the only argument read here)
   #   -0x1c(%ebp)  = int a[6]; indexed with scale 4, so it spans the 24 bytes
   #                  from -0x1c up to -0x5, ending directly below i
   #   -0x4(%ebp)   = loop index i
   # NOTE(review): a[] sits immediately below i, so the callee must store at
   # most six ints; a seventh store would land on i. Confirm against the
   # format string used in read_six_numbers.
   # NOTE(review): the return value of read_six_numbers is not examined in this
   # function; any "fewer than six values parsed" check would have to live in
   # the callee -- confirm there.
   0x08048ba4 <+0>: push   %ebp   # standard frame-pointer prologue
   0x08048ba5 <+1>: mov    %esp,%ebp
   0x08048ba7 <+3>: sub    $0x28,%esp  # reserve 0x28 = 40 bytes: locals plus outgoing-argument slots
   0x08048baa <+6>: lea    -0x1c(%ebp),%eax # eax = &a[0] (ebp-28)
   0x08048bad <+9>: mov    %eax,0x4(%esp)  # arg2 of read_six_numbers = &a[0]
   0x08048bb1 <+13>:    mov    0x8(%ebp),%eax  # eax = input string pointer, loaded from ebp+8
   0x08048bb4 <+16>:    mov    %eax,(%esp)  # arg1 of read_six_numbers = input string pointer
   0x08048bb7 <+19>:    call   0x8048fcc <read_six_numbers>
   0x08048bbc <+24>:    movl   $0x1,-0x4(%ebp)   # i = 1: a[0] has no predecessor, so checking starts at a[1]
   0x08048bc3 <+31>:    jmp    0x8048be3 <phase_2+63>   # jump to the loop condition first
   0x08048bc5 <+33>:    mov    -0x4(%ebp),%eax   # loop body: eax = i
   0x08048bc8 <+36>:    mov    -0x1c(%ebp,%eax,4),%edx  # edx = a[i]
   0x08048bcc <+40>:    mov    -0x4(%ebp),%eax # eax = i
   0x08048bcf <+43>:    dec    %eax # eax = i-1
   0x08048bd0 <+44>:    mov    -0x1c(%ebp,%eax,4),%eax # eax = a[i-1]
   0x08048bd4 <+48>:    add    $0x5,%eax  # eax = a[i-1] + 5
   0x08048bd7 <+51>:    cmp    %eax,%edx   # compare a[i] with a[i-1] + 5
   0x08048bd9 <+53>:    je     0x8048be0 <phase_2+60> # equal: skip the explode_bomb call
   0x08048bdb <+55>:    call   0x8049626 <explode_bomb>
   0x08048be0 <+60>:    incl   -0x4(%ebp)    # i++
   0x08048be3 <+63>:    cmpl   $0x5,-0x4(%ebp)  # loop condition: i <= 5 (signed compare)
   0x08048be7 <+67>:    jle    0x8048bc5 <phase_2+33>
   0x08048be9 <+69>:    leave  # all five adjacent pairs passed: tear down the frame
   0x08048bea <+70>:    ret  

Dump of assembler code for function read_six_numbers:
   0x08048fcc <+0>: push   %ebp
   0x08048fcd <+1>: mov    %esp,%ebp
   0x08048fcf <+3>: push   %esi  
   0x08048fd0 <+4>: push   %ebx 
   0x08048fd1 <+5>: sub    $0x30,%esp #esp=esp-30 
   0x08048fd4 <+8>: mov    0xc(%ebp),%eax #local  eax= *(ebp+12)= a
   0x08048fd7 <+11>:    add    $0x14,%eax    # &a[5] of int a[6]
   0x08048fda <+14>:    mov    0xc(%ebp),%edx
   0x08048fdd <+17>:    add    $0x10,%edx
   0x08048fe0 <+20>:    mov    0xc(%ebp),%ecx
   0x08048fe3 <+23>:    add    $0xc,%ecx
   0x08048fe6 <+26>:    mov    0xc(%ebp),%ebx
   0x08048fe9 <+29>:    add    $0x8,%ebx
   0x08048fec <+32>:    mov    0xc(%ebp),%esi
   0x08048fef <+35>:    add    $0x4,%esi    # &a[1]
   0x08048ff2 <+38>:    mov    %eax,0x1c(%esp)  #   arg8
   0x08048ff6 <+42>:    mov    %edx,0x18(%esp)  #   7
   0x08048ffa <+46>:    mov    %ecx,0x14(%esp)  #   6
   0x08048ffe <+50>:    mov    %ebx,0x10(%esp)  #   5
   0x08049002 <+54>:    mov    %esi,0xc(%esp)   #   4 = &a[1] 
   0x08049006 <+58>:    mov    0xc(%ebp),%eax  #eax= *(ebp+12) 
   0x08049009 <+61>:    mov    %eax,0x8(%esp)  # arg3= &a[0] 
   0x0804900d <+65>:    movl   $0x8049c45,0x4(%esp)  #arg2=format string
   0x08049015 <+73>:    mov    0x8(%ebp),%eax  #input string addr
   0x08049018 <+76>:    mov    %eax,(%esp)   #arg1=input string
   0x0804901b <+79>:    call   0x8048868 <sscanf@plt>
   0x08049020 <+84>:    mov    %eax,-0xc(%ebp)  # eax= return value of sscanf (strin