CMU_CSAPP_LAB2_BOMBLAB
CSAPP第二章的第一个实验BombLab实验记录。
实验内容主要使用 gdb 、objdump 等指令在终端调试程序,利用反汇编查看各个函数运行的汇编代码,了解各个函数的执行过程。
附gdb指令精简手册:http://csapp.cs.cmu.edu/public/students.html
Phase_1
首先打开终端输入 gdb bomb 进入调试界面。
查看 phase_1 的汇编指令:
(gdb) disas phase_1
Dump of assembler code for function phase_1:
0x0000000000400ee0 <+0>: sub $0x8,%rsp
0x0000000000400ee4 <+4>: mov $0x402400,%esi
0x0000000000400ee9 <+9>: callq 0x401338
0x0000000000400eee <+14>: test %eax,%eax
0x0000000000400ef0 <+16>: je 0x400ef7
0x0000000000400ef2 <+18>: callq 0x40143a
0x0000000000400ef7 <+23>: add $0x8,%rsp
0x0000000000400efb <+27>: retq
End of assembler dump. 函数首先接收户输入的字符串,再将立即数 0x402400 输入到寄存器 esi ,接着调用函数
(gdb) x/s 0x402400
0x402400: "Border relations with Canada have never been better."
通过地址直接查看字符串,这就是我们需要输入的内容!
(gdb) run
Starting program: /home/liuyuan/Downloads/CSAPP/bomb/bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
通过测试!
进一步细致理解函数运行过程:
将函数 phase_1 设置断点,运行程序,随便输入一些内容( "Nice day!" ),程序会停留在进入函数体的过程之前:
(gdb) break phase_1
Breakpoint 1 at 0x400ee0
(gdb) run
Starting program: /home/liuyuan/Downloads/CSAPP/bomb/bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Nice day!
Breakpoint 1, 0x0000000000400ee0 in phase_1 ()
此时查看各个寄存器的数据:
(gdb) info registers
rax 0x603780 6305664
rbx 0x0 0
rcx 0x9 9
rdx 0x1 1
rsi 0x603780 6305664
rdi 0x603780 6305664
rbp 0x402210 0x402210 <__libc_csu_init>
rsp 0x7fffffffdd98 0x7fffffffdd98
r8 0x60467a 6309498
r9 0x7ffff7fe5540 140737354028352
r10 0x3 3
r11 0x7ffff7a14890 140737347930256
r12 0x400c90 4197520
r13 0x7fffffffde80 140737488346752
r14 0x0 0
r15 0x0 0
rip 0x400ee0 0x400ee0
eflags 0x202 [ IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
这是并没有出现 0x402400 。猜测刚刚输入的数据保存地址为 0x603780:
(gdb) x/s 0x603780
0x603780 : "Nice day!"
回到前面的汇编指令,第二条指令将立即数 0x402400 移到寄存器 esi,让程序执行两条汇编指令,再查看寄存器的状态:
(gdb) stepi 2
0x0000000000400ee9 in phase_1 ()
(gdb) i r
rax 0x603780 6305664
rbx 0x0 0
rcx 0x9 9
rdx 0x1 1
rsi 0x402400 4203520
rdi 0x603780 6305664
rbp 0x402210 0x402210 <__libc_csu_init>
rsp 0x7fffffffdd90 0x7fffffffdd90
r8 0x60467a 6309498
r9 0x7ffff7fe5540 140737354028352
r10 0x3 3
r11 0x7ffff7a14890 140737347930256
r12 0x400c90 4197520
r13 0x7fffffffde80 140737488346752
r14 0x0 0
r15 0x0 0
rip 0x400ee9 0x400ee9
eflags 0x206 [ PF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
看到寄存器 esi (即 rsi 的低 32 位)被更新了!
Phase_2
首先查看 Phase_2 的汇编代码:
(gdb) disas phase_2
Dump of assembler code for function phase_2:
=> 0x0000000000400efc <+0>: push %rbp
0x0000000000400efd <+1>: push %rbx
0x0000000000400efe <+2>: sub $0x28,%rsp
0x0000000000400f02 <+6>: mov %rsp,%rsi
0x0000000000400f05 <+9>: callq 0x40145c
0x0000000000400f0a <+14>: cmpl $0x1,(%rsp)
0x0000000000400f0e <+18>: je 0x400f30
0x0000000000400f10 <+20>: callq 0x40143a
0x0000000000400f15 <+25>: jmp 0x400f30
0x0000000000400f17 <+27>: mov -0x4(%rbx),%eax
0x0000000000400f1a <+30>: add %eax,%eax
0x0000000000400f1c <+32>: cmp %eax,(%rbx)
0x0000000000400f1e <+34>: je 0x400f25
0x0000000000400f20 <+36>: callq 0x40143a
0x0000000000400f25 <+41>: add $0x4,%rbx
0x0000000000400f29 <+45>: cmp %rbp,%rbx
0x0000000000400f2c <+48>: jne 0x400f17
0x0000000000400f2e <+50>: jmp 0x400f3c
0x0000000000400f30 <+52>: lea 0x4(%rsp),%rbx
0x0000000000400f35 <+57>: lea 0x18(%rsp),%rbp
0x0000000000400f3a <+62>: jmp 0x400f17
0x0000000000400f3c <+64>: add $0x28,%rsp
0x0000000000400f40 <+68>: pop %rbx
0x0000000000400f41 <+69>: pop %rbp
0x0000000000400f42 <+70>: retq
End of assembler dump.
函数基本栈帧处理后,调用了一个名为
(gdb) disas 0x40145c
Dump of assembler code for function read_six_numbers:
0x000000000040145c <+0>: sub $0x18,%rsp
0x0000000000401460 <+4>: mov %rsi,%rdx
0x0000000000401463 <+7>: lea 0x4(%rsi),%rcx
0x0000000000401467 <+11>: lea 0x14(%rsi),%rax
0x000000000040146b <+15>: mov %rax,0x8(%rsp)
0x0000000000401470 <+20>: lea 0x10(%rsi),%rax
0x0000000000401474 <+24>: mov %rax,(%rsp)
0x0000000000401478 <+28>: lea 0xc(%rsi),%r9
0x000000000040147c <+32>: lea 0x8(%rsi),%r8
0x0000000000401480 <+36>: mov $0x4025c3,%esi
0x0000000000401485 <+41>: mov $0x0,%eax
0x000000000040148a <+46>: callq 0x400bf0 <__isoc99_sscanf@plt>
0x000000000040148f <+51>: cmp $0x5,%eax
0x0000000000401492 <+54>: jg 0x401499
0x0000000000401494 <+56>: callq 0x40143a
0x0000000000401499 <+61>: add $0x18,%rsp
0x000000000040149d <+65>: retq
End of assembler dump. 这里是涉及到调用库函数 scanf 时的一些参数配置,笔者也看不太明白,尝试查看了一下调用 scanf 之前配置的寄存器 esi 的立即寻址的内容:
(gdb) x/s 0x4025c3
0x4025c3: "%d %d %d %d %d %d"
可以看出是逐位读取六个数字。观察寄存器 rsp 在
我们验证一下:在进入指令 cmpl $0x1,(%rsp) 之前设置断点,查看寄存器 rsp 保存的内存地址数据。
(gdb) break *0x0000000000400f0a
Breakpoint 1 at 0x400f0a
(gdb) run
Starting program: /home/liuyuan/Downloads/CSAPP/bomb/bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 3 4 5 6
Breakpoint 1, 0x0000000000400f0a in phase_2 ()
(gdb) i r
rax 0x6 6
rbx 0x0 0
rcx 0x0 0
rdx 0x7fffffffdd74 140737488346484
rsi 0x0 0
rdi 0x7fffffffd6d0 140737488344784
rbp 0x402210 0x402210 <__libc_csu_init>
rsp 0x7fffffffdd60 0x7fffffffdd60
r8 0x0 0
r9 0x0 0
r10 0x7ffff7b82cc0 140737349430464
r11 0x4025d4 4203988
r12 0x400c90 4197520
r13 0x7fffffffde80 140737488346752
r14 0x0 0
r15 0x0 0
rip 0x400f0a 0x400f0a
eflags 0x202 [ IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0 查看 0x7fffffffdd60 地址的内存单元保存的 int 型数据,并查看相邻的五个数据(int 型为 32 位,每次偏移 8 字节):
(gdb) x/d 0x7fffffffdd60
0x7fffffffdd60: 1
(gdb) x/d 0x7fffffffdd64
0x7fffffffdd64: 2
(gdb) x/d 0x7fffffffdd68
0x7fffffffdd68: 3
(gdb) x/d 0x7fffffffdd6c
0x7fffffffdd6c: 4
(gdb) x/d 0x7fffffffdd70
0x7fffffffdd70: 5
(gdb) x/d 0x7fffffffdd74
0x7fffffffdd74: 6
和预期一致!接着读 phase_2 的汇编指令,很容易读出,第一位数必须是 1 ,每一位数(除了第一位)必须是相邻的前一位数的 2 倍,所以我们需要输出的是 1 2 4 8 16 32。
(gdb) run
Starting program: /home/liuyuan/Downloads/CSAPP/bomb/bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2. Keep going!完成!
Phase_3
还是先找到汇编代码:
(gdb) disas phase_3
Dump of assembler code for function phase_3:
0x0000000000400f43 <+0>: sub $0x18,%rsp
0x0000000000400f47 <+4>: lea 0xc(%rsp),%rcx
0x0000000000400f4c <+9>: lea 0x8(%rsp),%rdx
0x0000000000400f51 <+14>: mov $0x4025cf,%esi
0x0000000000400f56 <+19>: mov $0x0,%eax
0x0000000000400f5b <+24>: callq 0x400bf0 <__isoc99_sscanf@plt>
0x0000000000400f60 <+29>: cmp $0x1,%eax
0x0000000000400f63 <+32>: jg 0x400f6a
0x0000000000400f65 <+34>: callq 0x40143a
0x0000000000400f6a <+39>: cmpl $0x7,0x8(%rsp)
0x0000000000400f6f <+44>: ja 0x400fad
0x0000000000400f71 <+46>: mov 0x8(%rsp),%eax
0x0000000000400f75 <+50>: jmpq *0x402470(,%rax,8)
0x0000000000400f7c <+57>: mov $0xcf,%eax
0x0000000000400f81 <+62>: jmp 0x400fbe
0x0000000000400f83 <+64>: mov $0x2c3,%eax
0x0000000000400f88 <+69>: jmp 0x400fbe
0x0000000000400f8a <+71>: mov $0x100,%eax
0x0000000000400f8f <+76>: jmp 0x400fbe
0x0000000000400f91 <+78>: mov $0x185,%eax
0x0000000000400f96 <+83>: jmp 0x400fbe
0x0000000000400f98 <+85>: mov $0xce,%eax
0x0000000000400f9d <+90>: jmp 0x400fbe
0x0000000000400f9f <+92>: mov $0x2aa,%eax
0x0000000000400fa4 <+97>: jmp 0x400fbe
0x0000000000400fa6 <+99>: mov $0x147,%eax
---Type to continue, or q to quit---
0x0000000000400fab <+104>: jmp 0x400fbe
0x0000000000400fad <+106>: callq 0x40143a
0x0000000000400fb2 <+111>: mov $0x0,%eax
0x0000000000400fb7 <+116>: jmp 0x400fbe
0x0000000000400fb9 <+118>: mov $0x137,%eax
0x0000000000400fbe <+123>: cmp 0xc(%rsp),%eax
0x0000000000400fc2 <+127>: je 0x400fc9
0x0000000000400fc4 <+129>: callq 0x40143a
0x0000000000400fc9 <+134>: add $0x18,%rsp
0x0000000000400fcd <+138>: retq
End of assembler dump.
类似之前的方法,先查看调用 scanf 之前配置寄存器 esi 的立即寻址的内容:
(gdb) x/s 0x4025cf
0x4025cf: "%d %d"那么这个函数就是需要读取两个整数了,保存的方式应该也是相同的,可以通过 rsp 做偏址寻址找到,我们尝试一下,断点依旧设置在刚刚结束调用 scanf 函数的位置,输入 1 2 两个数,情况如下:
(gdb) x/d 0x7fffffffdd80
0x7fffffffdd80: 0
(gdb) x/d 0x7fffffffdd84
0x7fffffffdd84: 0
(gdb) x/d 0x7fffffffdd88
0x7fffffffdd88: 1
(gdb) x/d 0x7fffffffdd8c
0x7fffffffdd8c: 2
第一个数值就是 rsp 保存的内存地址,进一步比较,可以归纳出调用 scanf 函数的参数情况:一个计数器(eax),一个指定读取数据格式的字符串(esi),以及指定各个数据存储在栈帧当中的地址(用多个寄存器表示)。
继续阅读汇编代码,可以看到要求输入的第一个数字 x1 <= 7(无符号比较),即 0 <= x1 <=7。然后经过一个根据 x1 的值进行跳转的指令,类似于 C 语言当中的 switch 指令,我们逐个测试一下跳转地址:
That's number 2. Keep going!
0 0
Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f7c in phase_3 ()
eax = 0xcf
That's number 2. Keep going!
1 0
Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400fb9 in phase_3 ()
eax = 0x137
That's number 2. Keep going!
2 0
Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f83 in phase_3 ()
eax = 0x2c3
That's number 2. Keep going!
3 0
Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f8a in phase_3 ()eax = 0x100
That's number 2. Keep going!
4 0
Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f91 in phase_3 ()
eax = 0x185
That's number 2. Keep going!
5 0
Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f98 in phase_3 ()
eax = 0xce
That's number 2. Keep going!
6 0
Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400f9f in phase_3 ()
eax = 0x2aa
That's number 2. Keep going!
7 0
Breakpoint 1, 0x0000000000400f75 in phase_3 ()
(gdb) stepi
0x0000000000400fa6 in phase_3 ()
eax = 0x147
这里有 8 个答案,选取第一个,x1 = 0,x2 = 0xcf = 207,输入:
(gdb) run
Starting program: /home/liuyuan/Downloads/CSAPP/bomb/bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2. Keep going!
0 207
Halfway there!完成!这里笔者曾尝试利用指令 jmpq *0x402470(,%rax,8) ,通过寻址方式计算,得不到结果,最后还是利用逐步调试的方法观察程序的走向,得到了正确的答案。
Plase_4
(gdb) disas phase_4
Dump of assembler code for function phase_4:
0x000000000040100c <+0>: sub $0x18,%rsp
0x0000000000401010 <+4>: lea 0xc(%rsp),%rcx
0x0000000000401015 <+9>: lea 0x8(%rsp),%rdx
0x000000000040101a <+14>: mov $0x4025cf,%esi
0x000000000040101f <+19>: mov $0x0,%eax
0x0000000000401024 <+24>: callq 0x400bf0 <__isoc99_sscanf@plt>
0x0000000000401029 <+29>: cmp $0x2,%eax
0x000000000040102c <+32>: jne 0x401035
0x000000000040102e <+34>: cmpl $0xe,0x8(%rsp)
0x0000000000401033 <+39>: jbe 0x40103a
0x0000000000401035 <+41>: callq 0x40143a
0x000000000040103a <+46>: mov $0xe,%edx
0x000000000040103f <+51>: mov $0x0,%esi
0x0000000000401044 <+56>: mov 0x8(%rsp),%edi
0x0000000000401048 <+60>: callq 0x400fce
0x000000000040104d <+65>: test %eax,%eax
0x000000000040104f <+67>: jne 0x401058
0x0000000000401051 <+69>: cmpl $0x0,0xc(%rsp)
0x0000000000401056 <+74>: je 0x40105d
0x0000000000401058 <+76>: callq 0x40143a
0x000000000040105d <+81>: add $0x18,%rsp
0x0000000000401061 <+85>: retq
End of assembler dump.
经过前面几个实验,读这段汇编程序应该很轻松了,翻译过来就是输入两个整数 x1 、x2,要求 0 <= x1 <= 14,x2 = 0。之后是三个参数 edx = 14, esi = 0,edi = x1 穿给一个函数
(gdb) disas 0x400fce
Dump of assembler code for function func4:
0x0000000000400fce <+0>: sub $0x8,%rsp
0x0000000000400fd2 <+4>: mov %edx,%eax
0x0000000000400fd4 <+6>: sub %esi,%eax
0x0000000000400fd6 <+8>: mov %eax,%ecx
0x0000000000400fd8 <+10>: shr $0x1f,%ecx
0x0000000000400fdb <+13>: add %ecx,%eax
0x0000000000400fdd <+15>: sar %eax
0x0000000000400fdf <+17>: lea (%rax,%rsi,1),%ecx
0x0000000000400fe2 <+20>: cmp %edi,%ecx
0x0000000000400fe4 <+22>: jle 0x400ff2
0x0000000000400fe6 <+24>: lea -0x1(%rcx),%edx
0x0000000000400fe9 <+27>: callq 0x400fce
0x0000000000400fee <+32>: add %eax,%eax
0x0000000000400ff0 <+34>: jmp 0x401007
0x0000000000400ff2 <+36>: mov $0x0,%eax
0x0000000000400ff7 <+41>: cmp %edi,%ecx
0x0000000000400ff9 <+43>: jge 0x401007
0x0000000000400ffb <+45>: lea 0x1(%rcx),%esi
0x0000000000400ffe <+48>: callq 0x400fce
0x0000000000401003 <+53>: lea 0x1(%rax,%rax,1),%eax
0x0000000000401007 <+57>: add $0x8,%rsp
0x000000000040100b <+61>: retq
End of assembler dump.
这段代码我懒得看了,有了前面的经验,我觉得这个实验的目的不是精读汇编,而是利用容易得到的信息结合调试的方法得到结果,直接把这段函数当做黑盒,测试一下即可,这里就不贴过程了,注意好断点就行,直接上结果:
1 0
So you got that one. Try this one.Phase_5
(gdb) disas phase_5
Dump of assembler code for function phase_5:
0x0000000000401062 <+0>: push %rbx
0x0000000000401063 <+1>: sub $0x20,%rsp
0x0000000000401067 <+5>: mov %rdi,%rbx
0x000000000040106a <+8>: mov %fs:0x28,%rax
0x0000000000401073 <+17>: mov %rax,0x18(%rsp)
0x0000000000401078 <+22>: xor %eax,%eax
0x000000000040107a <+24>: callq 0x40131b
0x000000000040107f <+29>: cmp $0x6,%eax
0x0000000000401082 <+32>: je 0x4010d2
0x0000000000401084 <+34>: callq 0x40143a
0x0000000000401089 <+39>: jmp 0x4010d2
0x000000000040108b <+41>: movzbl (%rbx,%rax,1),%ecx
0x000000000040108f <+45>: mov %cl,(%rsp)
0x0000000000401092 <+48>: mov (%rsp),%rdx
0x0000000000401096 <+52>: and $0xf,%edx
0x0000000000401099 <+55>: movzbl 0x4024b0(%rdx),%edx
0x00000000004010a0 <+62>: mov %dl,0x10(%rsp,%rax,1)
0x00000000004010a4 <+66>: add $0x1,%rax
0x00000000004010a8 <+70>: cmp $0x6,%rax
0x00000000004010ac <+74>: jne 0x40108b
0x00000000004010ae <+76>: movb $0x0,0x16(%rsp)
0x00000000004010b3 <+81>: mov $0x40245e,%esi
0x00000000004010b8 <+86>: lea 0x10(%rsp),%rdi
0x00000000004010bd <+91>: callq 0x401338
0x00000000004010c2 <+96>: test %eax,%eax
0x00000000004010c4 <+98>: je 0x4010d9
---Type to continue, or q to quit---return
0x00000000004010c6 <+100>: callq 0x40143a
0x00000000004010cb <+105>: nopl 0x0(%rax,%rax,1)
0x00000000004010d0 <+110>: jmp 0x4010d9
0x00000000004010d2 <+112>: mov $0x0,%eax
0x00000000004010d7 <+117>: jmp 0x40108b
0x00000000004010d9 <+119>: mov 0x18(%rsp),%rax
0x00000000004010de <+124>: xor %fs:0x28,%rax
0x00000000004010e7 <+133>: je 0x4010ee
0x00000000004010e9 <+135>: callq 0x400b30 <__stack_chk_fail@plt>
0x00000000004010ee <+140>: add $0x20,%rsp
0x00000000004010f2 <+144>: pop %rbx
0x00000000004010f3 <+145>: retq
End of assembler dump.
分析:首先由 24 和 29 ,猜测是输入一个长度为 6 的字符串;然后将 eax 置 0,跳转到 41 到 74 的循环,循环了 6 次进栈操作,然后进入 76 到 98 ,补上字符串尾部的 '\0' ,判断前面依次得到的 6 个字符组成的字符串是否与 0x40245e 上保存的字符串相同,相同则通过。
首先看看我们最终要得到的字符串是什么:
(gdb) x/s 0x40245e
0x40245e: "flyers"
再仔细分析 6 个字符的压栈过程(进入之前 eax 已置 0):
0x000000000040108b <+41>: movzbl (%rbx,%rax,1),%ecx
0x000000000040108f <+45>: mov %cl,(%rsp)
0x0000000000401092 <+48>: mov (%rsp),%rdx
0x0000000000401096 <+52>: and $0xf,%edx
0x0000000000401099 <+55>: movzbl 0x4024b0(%rdx),%edx
0x00000000004010a0 <+62>: mov %dl,0x10(%rsp,%rax,1)
0x00000000004010a4 <+66>: add $0x1,%rax
0x00000000004010a8 <+70>: cmp $0x6,%rax
0x00000000004010ac <+74>: jne 0x40108b 分析:rax 其实就是一个计数器,每完成一个字符的进栈就 +1,直至等于 6;rbx 存放的是我们输入的 6 个字符组成的字符串的首地址,rax 在这里又作为索引,依次取其中一个字符,传给 rcx ,又传给 rdx ;rdx 截取其中的低 4 位,又作为索引,找到 0x4024b0 保存的字符串的相应位置的字符,写入栈中 0x10(%rsp) 到 0x15(%rsp) 的位置上。
那么我们看看0x4024b0 保存的字符串是什么:
(gdb) x/s 0x4024b0
0x4024b0 : "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"
对应 "flyers" 的索引分别是 +9、+15、+14、+5、+6、+7。二进制数分别为 1001、 1111、 1110 、0101、 0110、 0111,将高 4 位都置为 0110 ,组成的 ascii 码代表字母分别为:i o n e f g,即为我们要输入的字符串:
ionefg
Good work! On to the next...Phase_6
这段汇编代码是真的长,分段贴:
(gdb) disas phase_6
Dump of assembler code for function phase_6:
0x00000000004010f4 <+0>: push %r14
0x00000000004010f6 <+2>: push %r13
0x00000000004010f8 <+4>: push %r12
0x00000000004010fa <+6>: push %rbp
0x00000000004010fb <+7>: push %rbx
0x00000000004010fc <+8>: sub $0x50,%rsp
0x0000000000401100 <+12>: mov %rsp,%r13
0x0000000000401103 <+15>: mov %rsp,%rsi
0x0000000000401106 <+18>: callq 0x40145c
这里对一些寄存器做了数据保存,然后是输入 6 个整数,和第二个实验调用的函数相同。
0x000000000040110b <+23>: mov %rsp,%r14
0x000000000040110e <+26>: mov $0x0,%r12d
0x0000000000401114 <+32>: mov %r13,%rbp
0x0000000000401117 <+35>: mov 0x0(%r13),%eax
0x000000000040111b <+39>: sub $0x1,%eax
0x000000000040111e <+42>: cmp $0x5,%eax
0x0000000000401121 <+45>: jbe 0x401128
0x0000000000401123 <+47>: callq 0x40143a
0x0000000000401128 <+52>: add $0x1,%r12d
0x000000000040112c <+56>: cmp $0x6,%r12d
0x0000000000401130 <+60>: je 0x401153
0x0000000000401132 <+62>: mov %r12d,%ebx
0x0000000000401135 <+65>: movslq %ebx,%rax
0x0000000000401138 <+68>: mov (%rsp,%rax,4),%eax
0x000000000040113b <+71>: cmp %eax,0x0(%rbp)
0x000000000040113e <+74>: jne 0x401145
0x0000000000401140 <+76>: callq 0x40143a
---Type to continue, or q to quit---continue
0x0000000000401145 <+81>: add $0x1,%ebx
0x0000000000401148 <+84>: cmp $0x5,%ebx
0x000000000040114b <+87>: jle 0x401135
0x000000000040114d <+89>: add $0x4,%r13
0x0000000000401151 <+93>: jmp 0x401114
简单说就是要求输入的 6 个整数都大于 0 且小于等于 6,并且 6 个数彼此互不相等。
0x0000000000401158 <+100>: mov %r14,%rax
0x000000000040115b <+103>: mov $0x7,%ecx
0x0000000000401160 <+108>: mov %ecx,%edx
0x0000000000401162 <+110>: sub (%rax),%edx
0x0000000000401164 <+112>: mov %edx,(%rax)
0x0000000000401166 <+114>: add $0x4,%rax
0x000000000040116a <+118>: cmp %rsi,%rax
0x000000000040116d <+121>: jne 0x401160
将原来的 6 个整数分别用 7 减并替换,如原来是 3 则替换为 4。
0x000000000040116f <+123>: mov $0x0,%esi
0x0000000000401174 <+128>: jmp 0x401197
0x0000000000401176 <+130>: mov 0x8(%rdx),%rdx
0x000000000040117a <+134>: add $0x1,%eax
0x000000000040117d <+137>: cmp %ecx,%eax
0x000000000040117f <+139>: jne 0x401176
0x0000000000401181 <+141>: jmp 0x401188
0x0000000000401183 <+143>: mov $0x6032d0,%edx
0x0000000000401188 <+148>: mov %rdx,0x20(%rsp,%rsi,2)
0x000000000040118d <+153>: add $0x4,%rsi
0x0000000000401191 <+157>: cmp $0x18,%rsi
0x0000000000401195 <+161>: je 0x4011ab
0x0000000000401197 <+163>: mov (%rsp,%rsi,1),%ecx
---Type to continue, or q to quit---continue
0x000000000040119a <+166>: cmp $0x1,%ecx
0x000000000040119d <+169>: jle 0x401183
0x000000000040119f <+171>: mov $0x1,%eax
0x00000000004011a4 <+176>: mov $0x6032d0,%edx
0x00000000004011a9 <+181>: jmp 0x401176
这一段是创建了一个链表,直接查看其中立即数直接赋值的地址:
(gdb) x/24w 0x6032d0
0x6032d0 : 0x0000014c 0x00000001 0x006032e0 0x00000000
0x6032e0 : 0x000000a8 0x00000002 0x006032f0 0x00000000
0x6032f0 : 0x0000039c 0x00000003 0x00603300 0x00000000
0x603300 : 0x000002b3 0x00000004 0x00603310 0x00000000
0x603310 : 0x000001dd 0x00000005 0x00603320 0x00000000
0x603320 : 0x000001bb 0x00000006 0x00000000 0x00000000
接着往下看:
0x00000000004011ab <+183>: mov 0x20(%rsp),%rbx
0x00000000004011b0 <+188>: lea 0x28(%rsp),%rax
0x00000000004011b5 <+193>: lea 0x50(%rsp),%rsi
0x00000000004011ba <+198>: mov %rbx,%rcx
0x00000000004011bd <+201>: mov (%rax),%rdx
0x00000000004011c0 <+204>: mov %rdx,0x8(%rcx)
0x00000000004011c4 <+208>: add $0x8,%rax
0x00000000004011c8 <+212>: cmp %rsi,%rax
0x00000000004011cb <+215>: je 0x4011d2
0x00000000004011cd <+217>: mov %rdx,%rcx
0x00000000004011d0 <+220>: jmp 0x4011bd
0x00000000004011d2 <+222>: movq $0x0,0x8(%rdx)
0x00000000004011da <+230>: mov $0x5,%ebp
0x00000000004011df <+235>: mov 0x8(%rbx),%rax
0x00000000004011e3 <+239>: mov (%rax),%eax
0x00000000004011e5 <+241>: cmp %eax,(%rbx)
0x00000000004011e7 <+243>: jge 0x4011ee
0x00000000004011e9 <+245>: callq 0x40143a
0x00000000004011ee <+250>: mov 0x8(%rbx),%rbx
0x00000000004011f2 <+254>: sub $0x1,%ebp
0x00000000004011f5 <+257>: jne 0x4011df 配置链表各个节点的 next 域,将各个节点关联起来,并将链表按照数值部分降序排序,根据第一列的数值降序排序重组链表顺序,得到的第二值顺序是 3 4 5 6 1 2 :
(gdb) x/24w 0x6032d0
0x6032d0 : 0x0000014c 0x00000001 0x006032e0 0x00000000
0x6032e0 : 0x000000a8 0x00000002 0x00000000 0x00000000
0x6032f0 : 0x0000039c 0x00000003 0x00603300 0x00000000
0x603300 : 0x000002b3 0x00000004 0x00603310 0x00000000
0x603310 : 0x000001dd 0x00000005 0x00603320 0x00000000
0x603320 : 0x000001bb 0x00000006 0x006032d0 0x00000000 即我们要输入的值为 4 3 2 1 6 5:
4 3 2 1 6 5
Congratulations! You've defused the bomb!完成,还有隐藏任务,这里就先不做了。