
CSAPP bomblab phase 1

I recently worked through chapter 3 of CSAPP and did the bomblab. I found it very interesting, so here are my notes.

Phase 1 is fairly simple; its main purpose is to get comfortable with gdb.

Basic gdb usage

run: start the program

break *addr: set a breakpoint at the given address

step: advance execution by one source-level step

stepi: execute a single machine instruction

disassemble funcname: print the assembly of the named function

print (char*) *addr: print the data at the given address, interpreted as the given type

x /x $rsp: examine memory at the address in %rsp (the stack) and print it in hex

Phase 1 analysis

First run disassemble main to get the disassembly of main:

```asm
0x0000000000400e14 <+116>: callq 0x400c20 <exit@plt>
0x0000000000400e19 <+121>: callq 0x4013a2 <initialize_bomb>
0x0000000000400e1e <+126>: mov $0x402338,%edi
0x0000000000400e23 <+131>: callq 0x400b10 <puts@plt>
0x0000000000400e28 <+136>: mov $0x402378,%edi
0x0000000000400e2d <+141>: callq 0x400b10 <puts@plt>
0x0000000000400e32 <+146>: callq 0x40149e <read_line>
0x0000000000400e37 <+151>: mov %rax,%rdi
0x0000000000400e3a <+154>: callq 0x400ee0 <phase_1>
0x0000000000400e3f <+159>: callq 0x4015c4 <phase_defused>
0x0000000000400e44 <+164>: mov $0x4023a8,%edi
0x0000000000400e49 <+169>: callq 0x400b10 <puts@plt>
0x0000000000400e4e <+174>: callq 0x40149e <read_line>
0x0000000000400e53 <+179>: mov %rax,%rdi
0x0000000000400e56 <+182>: callq 0x400efc <phase_2>
0x0000000000400e5b <+187>: callq 0x4015c4 <phase_defused>
0x0000000000400e60 <+192>: mov $0x4022ed,%edi
0x0000000000400e65 <+197>: callq 0x400b10 <puts@plt>
0x0000000000400e6a <+202>: callq 0x40149e <read_line>
0x0000000000400e6f <+207>: mov %rax,%rdi
0x0000000000400e72 <+210>: callq 0x400f43 <phase_3>
0x0000000000400e77 <+215>: callq 0x4015c4 <phase_defused>
0x0000000000400e7c <+220>: mov $0x40230b,%edi
0x0000000000400e81 <+225>: callq 0x400b10 <puts@plt>
0x0000000000400e86 <+230>: callq 0x40149e <read_line>
0x0000000000400e8b <+235>: mov %rax,%rdi
0x0000000000400e8e <+238>: callq 0x40100c <phase_4>
0x0000000000400e93 <+243>: callq 0x4015c4 <phase_defused>
0x0000000000400e98 <+248>: mov $0x4023d8,%edi
0x0000000000400e9d <+253>: callq 0x400b10 <puts@plt>
0x0000000000400ea2 <+258>: callq 0x40149e <read_line>
0x0000000000400ea7 <+263>: mov %rax,%rdi
0x0000000000400eaa <+266>: callq 0x401062 <phase_5>
0x0000000000400eaf <+271>: callq 0x4015c4 <phase_defused>
0x0000000000400eb4 <+276>: mov $0x40231a,%edi
0x0000000000400eb9 <+281>: callq 0x400b10 <puts@plt>
0x0000000000400ebe <+286>: callq 0x40149e <read_line>
0x0000000000400ec3 <+291>: mov %rax,%rdi
0x0000000000400ec6 <+294>: callq 0x4010f4 <phase_6>
0x0000000000400ecb <+299>: callq 0x4015c4 <phase_defused>
```

We can see there are six phases to defuse, each following the same pattern: read_line reads a line, its result in %rax is moved to %rdi as the argument, and the phase function is called. Next run disassemble phase_1:

```asm
0x0000000000400ee0 <+0>: sub $0x8,%rsp
0x0000000000400ee4 <+4>: mov $0x402400,%esi
0x0000000000400ee9 <+9>: callq 0x401338 <strings_not_equal>
0x0000000000400eee <+14>: test %eax,%eax
0x0000000000400ef0 <+16>: je 0x400ef7 <phase_1+23>
0x0000000000400ef2 <+18>: callq 0x40143a <explode_bomb>
0x0000000000400ef7 <+23>: add $0x8,%rsp
0x0000000000400efb <+27>: retq
```

test %eax,%eax ANDs %eax with itself and sets the flags; je jumps when the result is zero, so when %eax is 0 the jump is taken and the bomb does not explode. From the function name we can infer that some string has to be equal. Step into strings_not_equal to have a look:

```asm
0x0000000000401338 <+0>: push %r12
0x000000000040133a <+2>: push %rbp
0x000000000040133b <+3>: push %rbx
0x000000000040133c <+4>: mov %rdi,%rbx
0x000000000040133f <+7>: mov %rsi,%rbp
0x0000000000401342 <+10>: callq 0x40131b <string_length>
0x0000000000401347 <+15>: mov %eax,%r12d
0x000000000040134a <+18>: mov %rbp,%rdi
0x000000000040134d <+21>: callq 0x40131b <string_length>
0x0000000000401352 <+26>: mov $0x1,%edx
0x0000000000401357 <+31>: cmp %eax,%r12d
0x000000000040135a <+34>: jne 0x40139b <strings_not_equal+99>
0x000000000040135c <+36>: movzbl (%rbx),%eax
0x000000000040135f <+39>: test %al,%al
0x0000000000401361 <+41>: je 0x401388 <strings_not_equal+80>
0x0000000000401363 <+43>: cmp 0x0(%rbp),%al
0x0000000000401366 <+46>: je 0x401372 <strings_not_equal+58>
0x0000000000401368 <+48>: jmp 0x40138f <strings_not_equal+87>
0x000000000040136a <+50>: cmp 0x0(%rbp),%al
0x000000000040136d <+53>: nopl (%rax)
0x0000000000401370 <+56>: jne 0x401396 <strings_not_equal+94>
0x0000000000401372 <+58>: add $0x1,%rbx
0x0000000000401376 <+62>: add $0x1,%rbp
0x000000000040137a <+66>: movzbl (%rbx),%eax
0x000000000040137d <+69>: test %al,%al
0x000000000040137f <+71>: jne 0x40136a <strings_not_equal+50>
0x0000000000401381 <+73>: mov $0x0,%edx
0x0000000000401386 <+78>: jmp 0x40139b <strings_not_equal+99>
0x0000000000401388 <+80>: mov $0x0,%edx          # equal: return 0
0x000000000040138d <+85>: jmp 0x40139b <strings_not_equal+99>
0x000000000040138f <+87>: mov $0x1,%edx
0x0000000000401394 <+92>: jmp 0x40139b <strings_not_equal+99>
0x0000000000401396 <+94>: mov $0x1,%edx          # not equal: return 1
0x000000000040139b <+99>: mov %edx,%eax
0x000000000040139d <+101>: pop %rbx
0x000000000040139e <+102>: pop %rbp
0x000000000040139f <+103>: pop %r12
0x00000000004013a1 <+105>: retq
```

%rsi holds the address of the string to compare against (%rsi is the register for the second argument under the x86-64 calling convention, while %rdi carries the first argument, our input line). Running print (char*) 0x402400 gives the answer: Border relations with Canada have never been better.
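To make the control flow of strings_not_equal and phase_1 concrete, here is a C reimplementation written as an added example for these notes; it is not the bomb's own source (which is not published) but follows the branches in the disassembly above one for one. explode_bomb is replaced by a return value so the check can be run in isolation, and the expected string is the one read from 0x402400:

```c
#include <stdio.h>

/* string_length: count bytes up to the NUL terminator (mirrors the
 * bomb's string_length, whose result lands in %eax). */
static int string_length(const char *s) {
    int n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

/* strings_not_equal: returns 1 if the strings differ, 0 if they match.
 * Like the disassembly: compare lengths first (jne -> return 1), then
 * walk both strings byte by byte; reaching the NUL of the first string
 * with every byte equal means "equal" (edx = 0). */
int strings_not_equal(const char *a, const char *b) {
    int la = string_length(a);          /* %r12d */
    int lb = string_length(b);          /* %eax  */
    if (la != lb)
        return 1;                       /* mov $0x1,%edx ; jne +99 */

    unsigned char c = (unsigned char)*a; /* movzbl (%rbx),%eax */
    while (c != '\0') {                 /* test %al,%al */
        if (c != (unsigned char)*b)
            return 1;                   /* cmp 0x0(%rbp),%al ; jne -> edx = 1 */
        a++;                            /* add $0x1,%rbx */
        b++;                            /* add $0x1,%rbp */
        c = (unsigned char)*a;
    }
    return 0;                           /* mov $0x0,%edx */
}

/* The string phase_1 loads into %esi (address 0x402400 in the bomb). */
static const char *PHASE_1_EXPECTED =
    "Border relations with Canada have never been better.";

/* phase_1: the input line arrives as the first argument (%rdi).
 * Returns 1 when the phase would be defused, 0 when explode_bomb
 * would have been called. */
int phase_1(const char *input) {
    if (strings_not_equal(input, PHASE_1_EXPECTED) != 0)
        return 0;                       /* callq explode_bomb */
    return 1;                           /* je phase_1+23 -> clean return */
}

int main(void) {
    /* Constructed sample inputs: the real answer and a near miss. */
    const char *tries[] = {
        "Border relations with Canada have never been better.",
        "Border relations with Canada have never been better",
    };
    for (int i = 0; i < 2; i++)
        printf("\"%s\" -> %s\n", tries[i],
               phase_1(tries[i]) ? "defused" : "BOOM");
    return 0;
}
```

The length check explains why a gdb session that only inspects the byte loop can be misleading: an input that matches every character but is shorter or longer fails at +34 before the loop is ever reached.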


Author: 秋雨清笛
Link: https://www.cnblogs.com/PanYuDi/p/15069517.html
License: unless otherwise stated, all posts on this blog are licensed under BY-NC-SA. Please credit the source when reposting.