csapp实验二 ---bomb(第五关)

keep moving

来到第五关

gdb bomb 
disas phase_5
0x0000000000401062 <+0>:    push   %rbx                     # save callee-saved rbx
0x0000000000401063 <+1>:    sub    $0x20,%rsp               # 32-byte frame: scratch byte at 0(%rsp), out[] at 0x10(%rsp), canary at 0x18(%rsp)
0x0000000000401067 <+5>:    mov    %rdi,%rbx                # rbx = input (1st arg, SysV)
0x000000000040106a <+8>:    mov    %fs:0x28,%rax            # load stack canary
0x0000000000401073 <+17>:   mov    %rax,0x18(%rsp)          # store canary above out[]; re-checked at <+119>
0x0000000000401078 <+22>:   xor    %eax,%eax                # eax = 0
0x000000000040107a <+24>:   callq  0x40131b <string_length> # eax = string_length(input)
0x000000000040107f <+29>:   cmp    $0x6,%eax                # length must be exactly 6
0x0000000000401082 <+32>:   je     0x4010d2 <phase_5+112>   # ok -> init loop counter
0x0000000000401084 <+34>:   callq  0x40143a <explode_bomb>  # wrong length -> bomb
0x0000000000401089 <+39>:   jmp    0x4010d2 <phase_5+112>
0x000000000040108b <+41>:   movzbl (%rbx,%rax,1),%ecx       # loop body: ecx = (unsigned char)input[i], i = rax
0x000000000040108f <+45>:   mov    %cl,(%rsp)               # spill the byte to the scratch slot
0x0000000000401092 <+48>:   mov    (%rsp),%rdx              # reload 8 bytes; only the low byte survives the mask below
0x0000000000401096 <+52>:   and    $0xf,%edx                # edx = low nibble of input[i], range 0..15
0x0000000000401099 <+55>:   movzbl 0x4024b0(%rdx),%edx      # dl = table[edx]; 16-entry char table at 0x4024b0 (dumped with x/16c below)
0x00000000004010a0 <+62>:   mov    %dl,0x10(%rsp,%rax,1)    # out[i] = dl
0x00000000004010a4 <+66>:   add    $0x1,%rax                # i++
0x00000000004010a8 <+70>:   cmp    $0x6,%rax
0x00000000004010ac <+74>:   jne    0x40108b <phase_5+41>    # loop while i != 6
0x00000000004010ae <+76>:   movb   $0x0,0x16(%rsp)          # out[6] = '\0'
0x00000000004010b3 <+81>:   mov    $0x40245e,%esi           # esi = target string (x/s shows "flyers" below)
0x00000000004010b8 <+86>:   lea    0x10(%rsp),%rdi          # rdi = out (the 6 translated chars + NUL)
0x00000000004010bd <+91>:   callq  0x401338 <strings_not_equal> # eax = strings_not_equal(out, target)
0x00000000004010c2 <+96>:   test   %eax,%eax
0x00000000004010c4 <+98>:   je     0x4010d9 <phase_5+119>   # equal -> canary check and return
0x00000000004010c6 <+100>:  callq  0x40143a <explode_bomb>  # mismatch -> bomb
0x00000000004010cb <+105>:  nopl   0x0(%rax,%rax,1)         # alignment padding
0x00000000004010d0 <+110>:  jmp    0x4010d9 <phase_5+119>
0x00000000004010d2 <+112>:  mov    $0x0,%eax                # i = 0
0x00000000004010d7 <+117>:  jmp    0x40108b <phase_5+41>    # enter loop at <+41>
0x00000000004010d9 <+119>:  mov    0x18(%rsp),%rax          # reload saved canary
0x00000000004010de <+124>:  xor    %fs:0x28,%rax            # compare with the live value; zero means intact
0x00000000004010e7 <+133>:  je     0x4010ee <phase_5+140>
0x00000000004010e9 <+135>:  callq  0x400b30 <__stack_chk_fail@plt> # canary changed -> abort
0x00000000004010ee <+140>:  add    $0x20,%rsp               # tear down frame
0x00000000004010f2 <+144>:  pop    %rbx
0x00000000004010f3 <+145>:  retq   

第一个参数 input（%rdi）被保存到 %rbx 中

然后是栈保护：把 %fs:0x28 处的 canary 存到 0x18(%rsp)，函数返回前再取出来比较。

把这些内容简单翻译一下就足够了：

char * what = input what :rbx
int n = string_length( input) n : rax
if( n != 6 ){
bomb
}
else{
n =0 ;
char c = what[n]; c : rcx   （n 从 0 开始，第一次即 what[0]）
char t = c ; t : rdx
t = t&0xf;
t = buff[t];
….
n++;

现在看 buff 的内容：因为 t = c & 0xf 的取值在 0~0xf 之间，所以 buff 只需看 16 个元素。
后面看到调用了 strings_not_equal，所以大胆猜测 buff 里存的是字符串。

(gdb) x/16c 0x4024b0
0x4024b0 <array.3449>:  109 'm' 97 'a'  100 'd' 117 'u' 105 'i' 101 'e' 114 'r' 115 's'
0x4024b8 <array.3449+8>:    110 'n' 102 'f' 111 'o' 116 't' 118 'v' 98 'b'  121 'y' 108 'l'

然后看传给 strings_not_equal 的另一个参数（0x40245e）：

(gdb) x/s 0x40245e
0x40245e:   "flyers"

找到后再看后面的逻辑：只要输入的每个字符的低 4 位（& 0xf）在 buff 中索引到 "flyers" 对应的字母即可。
我选取 9?>EFG

当然别的也可以


Amazing Magic


转载自blog.csdn.net/weixin_38739799/article/details/80264062