Defuse the bomb(3)
原来还有隐藏关
phase_defused
(gdb) disass phase_defused
Dump of assembler code for function phase_defused:
0x08048f62 <+0>: push %ebp
0x08048f63 <+1>: mov %esp,%ebp
0x08048f65 <+3>: push %ebx
0x08048f66 <+4>: sub $0x74,%esp
0x08048f69 <+7>: mov %gs:0x14,%eax
0x08048f6f <+13>: mov %eax,-0x8(%ebp)
0x08048f72 <+16>: xor %eax,%eax
0x08048f74 <+18>: cmpl $0x6,0x804a82c
0x08048f7b <+25>: jne 0x8048fe1 <phase_defused+127>
0x08048f7d <+27>: lea -0x58(%ebp),%ebx
0x08048f80 <+30>: mov %ebx,0xc(%esp)
0x08048f84 <+34>: lea -0x5c(%ebp),%eax
0x08048f87 <+37>: mov %eax,0x8(%esp)
0x08048f8b <+41>: movl $0x804986c,0x4(%esp)
0x08048f93 <+49>: movl $0x804a930,(%esp)
0x08048f9a <+56>: call 0x8048960 <sscanf@plt>
0x08048f9f <+61>: cmp $0x2,%eax
0x08048fa2 <+64>: jne 0x8048fd5 <phase_defused+115>
0x08048fa4 <+66>: movl $0x8049872,0x4(%esp)
0x08048fac <+74>: mov %ebx,(%esp)
0x08048faf <+77>: call 0x8048f00 <strings_not_equal>
0x08048fb4 <+82>: test %eax,%eax
0x08048fb6 <+84>: jne 0x8048fd5 <phase_defused+115>
0x08048fb8 <+86>: movl $0x8049cbc,(%esp)
0x08048fbf <+93>: call 0x8048950 <puts@plt>
0x08048fc4 <+98>: movl $0x8049ce4,(%esp)
0x08048fcb <+105>: call 0x8048950 <puts@plt>
0x08048fd0 <+110>: call 0x8048c52 <secret_phase>
0x08048fd5 <+115>: movl $0x8049d1c,(%esp)
0x08048fdc <+122>: call 0x8048950 <puts@plt>
0x08048fe1 <+127>: mov -0x8(%ebp),%eax
0x08048fe4 <+130>: xor %gs:0x14,%eax
0x08048feb <+137>: je 0x8048ff2 <phase_defused+144>
0x08048fed <+139>: call 0x8048920 <__stack_chk_fail@plt>
0x08048ff2 <+144>: add $0x74,%esp
0x08048ff5 <+147>: pop %ebx
0x08048ff6 <+148>: pop %ebp
---Type <return> to continue, or q <return> to quit---
0x08048ff7 <+149>: ret
End of assembler dump.
Dump of assembler code for function phase_defused:
0x08048f62 <+0>: push %ebp
0x08048f63 <+1>: mov %esp,%ebp
0x08048f65 <+3>: push %ebx
0x08048f66 <+4>: sub $0x74,%esp
0x08048f69 <+7>: mov %gs:0x14,%eax
0x08048f6f <+13>: mov %eax,-0x8(%ebp)
0x08048f72 <+16>: xor %eax,%eax
0x08048f74 <+18>: cmpl $0x6,0x804a82c
0x08048f7b <+25>: jne 0x8048fe1 <phase_defused+127>
0x08048f7d <+27>: lea -0x58(%ebp),%ebx
0x08048f80 <+30>: mov %ebx,0xc(%esp)
0x08048f84 <+34>: lea -0x5c(%ebp),%eax
0x08048f87 <+37>: mov %eax,0x8(%esp)
0x08048f8b <+41>: movl $0x804986c,0x4(%esp)
0x08048f93 <+49>: movl $0x804a930,(%esp)
0x08048f9a <+56>: call 0x8048960 <sscanf@plt>
0x08048f9f <+61>: cmp $0x2,%eax
0x08048fa2 <+64>: jne 0x8048fd5 <phase_defused+115>
0x08048fa4 <+66>: movl $0x8049872,0x4(%esp)
0x08048fac <+74>: mov %ebx,(%esp)
0x08048faf <+77>: call 0x8048f00 <strings_not_equal>
0x08048fb4 <+82>: test %eax,%eax
0x08048fb6 <+84>: jne 0x8048fd5 <phase_defused+115>
0x08048fb8 <+86>: movl $0x8049cbc,(%esp)
0x08048fbf <+93>: call 0x8048950 <puts@plt>
0x08048fc4 <+98>: movl $0x8049ce4,(%esp)
0x08048fcb <+105>: call 0x8048950 <puts@plt>
0x08048fd0 <+110>: call 0x8048c52 <secret_phase>
0x08048fd5 <+115>: movl $0x8049d1c,(%esp)
0x08048fdc <+122>: call 0x8048950 <puts@plt>
0x08048fe1 <+127>: mov -0x8(%ebp),%eax
0x08048fe4 <+130>: xor %gs:0x14,%eax
0x08048feb <+137>: je 0x8048ff2 <phase_defused+144>
0x08048fed <+139>: call 0x8048920 <__stack_chk_fail@plt>
0x08048ff2 <+144>: add $0x74,%esp
0x08048ff5 <+147>: pop %ebx
0x08048ff6 <+148>: pop %ebp
---Type <return> to continue, or q <return> to quit---
0x08048ff7 <+149>: ret
End of assembler dump.
(gdb) x /s 0x8049872
0x8049872: "austinpowers"
(gdb) x /s 0x804986c
0x804986c: "%d %s"
0x804a930 即input变量地址
可见,input可以为 "%d %s"格式,当数字+austinpowers时开启隐藏关卡。
0x08048f74 <+18>: cmpl $0x6,0x804a82c
这行则表明在第6关以后才能进入隐藏关卡
secret_phase
(gdb) disass secret_phase
Dump of assembler code for function secret_phase:
0x08048c52 <+0>: push %ebp
0x08048c53 <+1>: mov %esp,%ebp
0x08048c55 <+3>: push %ebx
0x08048c56 <+4>: sub $0x14,%esp
0x08048c59 <+7>: call 0x8049361 <read_line>
0x08048c5e <+12>: movl $0xa,0x8(%esp)
0x08048c66 <+20>: movl $0x0,0x4(%esp)
0x08048c6e <+28>: mov %eax,(%esp)
0x08048c71 <+31>: call 0x8048840 <strtol@plt>
0x08048c76 <+36>: mov %eax,%ebx
0x08048c78 <+38>: lea -0x1(%eax),%eax
0x08048c7b <+41>: cmp $0x3e8,%eax
0x08048c80 <+46>: jbe 0x8048c87 <secret_phase+53>
0x08048c82 <+48>: call 0x8048ff8 <explode_bomb>
0x08048c87 <+53>: mov %ebx,0x4(%esp)
0x08048c8b <+57>: movl $0x804a6b4,(%esp)
0x08048c92 <+64>: call 0x8048c01 <fun7>
0x08048c97 <+69>: cmp $0x7,%eax
0x08048c9a <+72>: je 0x8048ca1 <secret_phase+79>
0x08048c9c <+74>: call 0x8048ff8 <explode_bomb>
0x08048ca1 <+79>: movl $0x80497dc,(%esp)
0x08048ca8 <+86>: call 0x8048950 <puts@plt>
0x08048cad <+91>: call 0x8048f62 <phase_defused>
0x08048cb2 <+96>: add $0x14,%esp
0x08048cb5 <+99>: pop %ebx
0x08048cb6 <+100>: pop %ebp
0x08048cb7 <+101>: ret
End of assembler dump.
(gdb)
Dump of assembler code for function secret_phase:
0x08048c52 <+0>: push %ebp
0x08048c53 <+1>: mov %esp,%ebp
0x08048c55 <+3>: push %ebx
0x08048c56 <+4>: sub $0x14,%esp
0x08048c59 <+7>: call 0x8049361 <read_line>
0x08048c5e <+12>: movl $0xa,0x8(%esp)
0x08048c66 <+20>: movl $0x0,0x4(%esp)
0x08048c6e <+28>: mov %eax,(%esp)
0x08048c71 <+31>: call 0x8048840 <strtol@plt>
0x08048c76 <+36>: mov %eax,%ebx
0x08048c78 <+38>: lea -0x1(%eax),%eax
0x08048c7b <+41>: cmp $0x3e8,%eax
0x08048c80 <+46>: jbe 0x8048c87 <secret_phase+53>
0x08048c82 <+48>: call 0x8048ff8 <explode_bomb>
0x08048c87 <+53>: mov %ebx,0x4(%esp)
0x08048c8b <+57>: movl $0x804a6b4,(%esp)
0x08048c92 <+64>: call 0x8048c01 <fun7>
0x08048c97 <+69>: cmp $0x7,%eax
0x08048c9a <+72>: je 0x8048ca1 <secret_phase+79>
0x08048c9c <+74>: call 0x8048ff8 <explode_bomb>
0x08048ca1 <+79>: movl $0x80497dc,(%esp)
0x08048ca8 <+86>: call 0x8048950 <puts@plt>
0x08048cad <+91>: call 0x8048f62 <phase_defused>
0x08048cb2 <+96>: add $0x14,%esp
0x08048cb5 <+99>: pop %ebx
0x08048cb6 <+100>: pop %ebp
0x08048cb7 <+101>: ret
End of assembler dump.
(gdb)
secret 读入input,并使用strtol将其转承long int形,并作为fun7的参数
当fun7返回0x7是,通关。
fun7
(gdb) disass fun7
Dump of assembler code for function fun7:
0x08048c01 <+0>: push %ebp
0x08048c02 <+1>: mov %esp,%ebp
0x08048c04 <+3>: push %ebx
0x08048c05 <+4>: sub $0x8,%esp
0x08048c08 <+7>: mov 0x8(%ebp),%ebx
0x08048c0b <+10>: mov 0xc(%ebp),%ecx
0x08048c0e <+13>: mov $0xffffffff,%eax
0x08048c13 <+18>: test %ebx,%ebx
0x08048c15 <+20>: je 0x8048c4c <fun7+75>
0x08048c17 <+22>: mov (%ebx),%edx
0x08048c19 <+24>: cmp %ecx,%edx
0x08048c1b <+26>: jle 0x8048c30 <fun7+47>
0x08048c1d <+28>: mov %ecx,0x4(%esp)
0x08048c21 <+32>: mov 0x4(%ebx),%eax
0x08048c24 <+35>: mov %eax,(%esp)
0x08048c27 <+38>: call 0x8048c01 <fun7>
0x08048c2c <+43>: add %eax,%eax
0x08048c2e <+45>: jmp 0x8048c4c <fun7+75>
0x08048c30 <+47>: mov $0x0,%eax
0x08048c35 <+52>: cmp %ecx,%edx
0x08048c37 <+54>: je 0x8048c4c <fun7+75>
0x08048c39 <+56>: mov %ecx,0x4(%esp)
0x08048c3d <+60>: mov 0x8(%ebx),%eax
0x08048c40 <+63>: mov %eax,(%esp)
0x08048c43 <+66>: call 0x8048c01 <fun7>
0x08048c48 <+71>: lea 0x1(%eax,%eax,1),%eax
0x08048c4c <+75>: add $0x8,%esp
0x08048c4f <+78>: pop %ebx
0x08048c50 <+79>: pop %ebp
0x08048c51 <+80>: ret
Dump of assembler code for function fun7:
0x08048c01 <+0>: push %ebp
0x08048c02 <+1>: mov %esp,%ebp
0x08048c04 <+3>: push %ebx
0x08048c05 <+4>: sub $0x8,%esp
0x08048c08 <+7>: mov 0x8(%ebp),%ebx
0x08048c0b <+10>: mov 0xc(%ebp),%ecx
0x08048c0e <+13>: mov $0xffffffff,%eax
0x08048c13 <+18>: test %ebx,%ebx
0x08048c15 <+20>: je 0x8048c4c <fun7+75>
0x08048c17 <+22>: mov (%ebx),%edx
0x08048c19 <+24>: cmp %ecx,%edx
0x08048c1b <+26>: jle 0x8048c30 <fun7+47>
0x08048c1d <+28>: mov %ecx,0x4(%esp)
0x08048c21 <+32>: mov 0x4(%ebx),%eax
0x08048c24 <+35>: mov %eax,(%esp)
0x08048c27 <+38>: call 0x8048c01 <fun7>
0x08048c2c <+43>: add %eax,%eax
0x08048c2e <+45>: jmp 0x8048c4c <fun7+75>
0x08048c30 <+47>: mov $0x0,%eax
0x08048c35 <+52>: cmp %ecx,%edx
0x08048c37 <+54>: je 0x8048c4c <fun7+75>
0x08048c39 <+56>: mov %ecx,0x4(%esp)
0x08048c3d <+60>: mov 0x8(%ebx),%eax
0x08048c40 <+63>: mov %eax,(%esp)
0x08048c43 <+66>: call 0x8048c01 <fun7>
0x08048c48 <+71>: lea 0x1(%eax,%eax,1),%eax
0x08048c4c <+75>: add $0x8,%esp
0x08048c4f <+78>: pop %ebx
0x08048c50 <+79>: pop %ebp
0x08048c51 <+80>: ret
参数为void* x, int y
根据x查找y.
fun7
fun7(void *x, int y) {
int eax = -1;
if(*x <= y) {
eax = 0;
if(*x == y) {
return eax;
}
else {
eax = fun7(*(x+8), y);
eax += (eax + 1);
return eax;
}
}
esle{
eax = fun7(*(x+4), y);
eax += eax;
return eax;
}
}
int eax = -1;
if(*x <= y) {
eax = 0;
if(*x == y) {
return eax;
}
else {
eax = fun7(*(x+8), y);
eax += (eax + 1);
return eax;
}
}
esle{
eax = fun7(*(x+4), y);
eax += eax;
return eax;
}
}
可以看出,fun7是一个二叉查找函数,x的数据结构类似于
struct node {
int value;
struct node *lt;
struct node *gt;
};
我们希望 fun7返回 7, 7/2 == 3...1, 3/2 = 1...1, 1/2 = 0...1,
7, 3, 1, 0...是fun7的返回顺序,gt,gt,gt
(gdb) display *(int*)(*(int*)(*(int*)(*(int *)($ebx+8)+8)+8))
15: *(int*)(*(int*)(*(int*)(*(int *)($ebx+8)+8)+8)) = 1001
因此,输入为1001