CSAPP Lab: Binary Bomb

Published: 2025/3/21

Contents

  • bomb
    • Phase 1
    • Phase 2
    • Phase 3
      • Note
    • Phase 4
      • fun4
    • Phase 5
    • Phase 6

bomb


Running bomb shows that there are six phases in total. Here we run gdb to debug it.

Phase 1

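Register   Purpose
rax        stores the return value
rbx        stores function call arguments
rcx        stores an argument
rdx        stores an argument
rsi        stores an argument
rdi        stores an argument
rbp        stores the address of the calling function
rsp        stack register
r8         stores an argument
r9         stores an argument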

Elevate privileges, then start debugging with gdb and set a breakpoint on the phase 1 function. The function name can be found in the cpp file:

break phase_1

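Then run, and use disas to view the corresponding assembly. disas phase_1 also works here; since execution has already stopped inside the function, it makes no difference whether the function name is given. Then look at this: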

0x0000000000400ee0 <+0>: sub $0x8,%rsp
0x0000000000400ee4 <+4>: mov $0x402400,%esi
0x0000000000400ee9 <+9>: callq 0x401338 <strings_not_equal>
0x0000000000400eee <+14>: test %eax,%eax
0x0000000000400ef0 <+16>: je 0x400ef7 <phase_1+23>
0x0000000000400ef2 <+18>: callq 0x40143a <explode_bomb>
0x0000000000400ef7 <+23>: add $0x8,%rsp
0x0000000000400efb <+27>: retq

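Use stepi to single-step into the code, then inspect the registers, because the function called next checks whether the input string matches the expected string.
Running info registers shows the values in a form that is not what we want...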

Then run x /s $rdi and x /s $rsi

This shows Border relations with Canada have never been better., which is then entered as the input.

Phase 1 is passed.

Phase 2

break phase_2

Then run and enter the phase 1 answer. The assembly for phase 2 is as follows:

0x0000000000400efc <+0>: push %rbp
0x0000000000400efd <+1>: push %rbx
0x0000000000400efe <+2>: sub $0x28,%rsp
0x0000000000400f02 <+6>: mov %rsp,%rsi
=> 0x0000000000400f05 <+9>: callq 0x40145c <read_six_numbers>
0x0000000000400f0a <+14>: cmpl $0x1,(%rsp)
0x0000000000400f0e <+18>: je 0x400f30 <phase_2+52>
0x0000000000400f10 <+20>: callq 0x40143a <explode_bomb>
0x0000000000400f15 <+25>: jmp 0x400f30 <phase_2+52>
0x0000000000400f17 <+27>: mov -0x4(%rbx),%eax
0x0000000000400f1a <+30>: add %eax,%eax
0x0000000000400f1c <+32>: cmp %eax,(%rbx)
0x0000000000400f1e <+34>: je 0x400f25 <phase_2+41>
0x0000000000400f20 <+36>: callq 0x40143a <explode_bomb>
0x0000000000400f25 <+41>: add $0x4,%rbx
0x0000000000400f29 <+45>: cmp %rbp,%rbx
0x0000000000400f2c <+48>: jne 0x400f17 <phase_2+27>
0x0000000000400f2e <+50>: jmp 0x400f3c <phase_2+64>
0x0000000000400f30 <+52>: lea 0x4(%rsp),%rbx
0x0000000000400f35 <+57>: lea 0x18(%rsp),%rbp
0x0000000000400f3a <+62>: jmp 0x400f17 <phase_2+27>
0x0000000000400f3c <+64>: add $0x28,%rsp
0x0000000000400f40 <+68>: pop %rbx
0x0000000000400f41 <+69>: pop %rbp
0x0000000000400f42 <+70>: retq

Execution is currently at read_six_numbers, which reads the input data. A series of checks follows:

0x0000000000400f0a <+14>: cmpl $0x1,(%rsp)
0x0000000000400f0e <+18>: je 0x400f30 <phase_2+52>
0x0000000000400f10 <+20>: callq 0x40143a <explode_bomb>
0x0000000000400f15 <+25>: jmp 0x400f30 <phase_2+52>
0x0000000000400f17 <+27>: mov -0x4(%rbx),%eax
0x0000000000400f1a <+30>: add %eax,%eax
0x0000000000400f1c <+32>: cmp %eax,(%rbx)
0x0000000000400f1e <+34>: je 0x400f25 <phase_2+41>
0x0000000000400f20 <+36>: callq 0x40143a <explode_bomb>
0x0000000000400f25 <+41>: add $0x4,%rbx
0x0000000000400f29 <+45>: cmp %rbp,%rbx
0x0000000000400f2c <+48>: jne 0x400f17 <phase_2+27>
0x0000000000400f2e <+50>: jmp 0x400f3c <phase_2+64>
0x0000000000400f30 <+52>: lea 0x4(%rsp),%rbx
0x0000000000400f35 <+57>: lea 0x18(%rsp),%rbp
0x0000000000400f3a <+62>: jmp 0x400f17 <phase_2+27>
0x0000000000400f3c <+64>: add $0x28,%rsp
0x0000000000400f40 <+68>: pop %rbx
0x0000000000400f41 <+69>: pop %rbp
0x0000000000400f42 <+70>: retq

The line cmpl $0x1,(%rsp) shows that the first value is 1. The start is as shown in the figure below:

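Some versions of this problem work out to a Fibonacci sequence, but in mine each number is twice the previous one. The key instruction is: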

add %eax,%eax


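The instruction 0x0000000000400f29 <+45>: cmp %rbp,%rbx decides whether the end of the input has been reached. You can also step into the function at 0x40145c to check.

Look here:

There are six %d. You can also just note the "six" in the function name (there are many ways to see it, and the idea is the same).

The answer is 1 2 4 8 16 32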
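The phase_2 loop rewritten as C, as an added example that is not part of the original write-up. The function name phase2_first_bad_index and the sample arrays are made up for illustration; the pointer names mirror the registers in the listing.

```c
#include <stdio.h>

/* Model of the phase_2 checks: returns -1 if the six numbers pass, otherwise
 * the index of the first number that would reach explode_bomb. */
int phase2_first_bad_index(const int nums[6])
{
    const int *rbx, *rbp;

    if (nums[0] != 1)              /* cmpl $0x1,(%rsp)     */
        return 0;

    rbx = nums + 1;                /* lea 0x4(%rsp),%rbx   */
    rbp = nums + 6;                /* lea 0x18(%rsp),%rbp : 0x18 = 6 * sizeof(int) */
    do {
        int eax = rbx[-1];         /* mov -0x4(%rbx),%eax  */
        eax += eax;                /* add %eax,%eax        */
        if (*rbx != eax)           /* cmp %eax,(%rbx)      */
            return (int)(rbx - nums);
        rbx++;                     /* add $0x4,%rbx        */
    } while (rbx != rbp);          /* cmp %rbp,%rbx ; jne  */
    return -1;
}

int main(void)
{
    const int good[6] = {1, 2, 4, 8, 16, 32};
    const int fib[6]  = {1, 1, 2, 3, 5, 8};    /* constructed wrong guess */

    printf("1 2 4 8 16 32 -> %d\n", phase2_first_bad_index(good));
    printf("1 1 2 3 5 8   -> %d\n", phase2_first_bad_index(fib));
    return 0;
}
```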

Phase 3

help x
Examine memory: x/FMT ADDRESS.
ADDRESS is an expression for the memory address to examine.
FMT is a repeat count followed by a format letter and a size letter.
Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal),
t(binary), f(float), a(address), i(instruction), c(char), s(string)
and z(hex, zero padded on the left).
Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
The specified number of objects of the specified size are printed
according to the format.
Defaults for format and size letters are those previously used.
Default count is 1. Default address is following last thing printed
with this command or "print".

Using the debugging techniques above, debug phase 3:

0x0000000000400f43 <+0>: sub $0x18,%rsp
0x0000000000400f47 <+4>: lea 0xc(%rsp),%rcx
0x0000000000400f4c <+9>: lea 0x8(%rsp),%rdx
0x0000000000400f51 <+14>: mov $0x4025cf,%esi
0x0000000000400f56 <+19>: mov $0x0,%eax
0x0000000000400f5b <+24>: callq 0x400bf0 <__isoc99_sscanf@plt>
0x0000000000400f60 <+29>: cmp $0x1,%eax
0x0000000000400f63 <+32>: jg 0x400f6a <phase_3+39>
0x0000000000400f65 <+34>: callq 0x40143a <explode_bomb>
0x0000000000400f6a <+39>: cmpl $0x7,0x8(%rsp)
0x0000000000400f6f <+44>: ja 0x400fad <phase_3+106>
0x0000000000400f71 <+46>: mov 0x8(%rsp),%eax
0x0000000000400f75 <+50>: jmpq *0x402470(,%rax,8)
0x0000000000400f7c <+57>: mov $0xcf,%eax
0x0000000000400f81 <+62>: jmp 0x400fbe <phase_3+123>
0x0000000000400f83 <+64>: mov $0x2c3,%eax
0x0000000000400f88 <+69>: jmp 0x400fbe <phase_3+123>
0x0000000000400f8a <+71>: mov $0x100,%eax
0x0000000000400f8f <+76>: jmp 0x400fbe <phase_3+123>
0x0000000000400f91 <+78>: mov $0x185,%eax
0x0000000000400f96 <+83>: jmp 0x400fbe <phase_3+123>
0x0000000000400f98 <+85>: mov $0xce,%eax
0x0000000000400f9d <+90>: jmp 0x400fbe <phase_3+123>
0x0000000000400f9f <+92>: mov $0x2aa,%eax
0x0000000000400fa4 <+97>: jmp 0x400fbe <phase_3+123>
0x0000000000400fa6 <+99>: mov $0x147,%eax
0x0000000000400fab <+104>: jmp 0x400fbe <phase_3+123>
0x0000000000400fad <+106>: callq 0x40143a <explode_bomb>
0x0000000000400fb2 <+111>: mov $0x0,%eax
0x0000000000400fb7 <+116>: jmp 0x400fbe <phase_3+123>
0x0000000000400fb9 <+118>: mov $0x137,%eax
0x0000000000400fbe <+123>: cmp 0xc(%rsp),%eax
0x0000000000400fc2 <+127>: je 0x400fc9 <phase_3+134>
0x0000000000400fc4 <+129>: callq 0x40143a <explode_bomb>
0x0000000000400fc9 <+134>: add $0x18,%rsp
0x0000000000400fcd <+138>: retq


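From this we can see that the input must be two integers.
This line checks the number of input values: if it is not greater than 1, the program exits immediately.

Note

A reminder: use ni to step over the scanf call and stepi to step into it; both can be followed by a number (the step count).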

cmp $0x1,%eax

Then this line checks the first argument:

cmpl $0x7,0x8(%rsp)

If it is greater than 7, the code ends immediately. The next line is:

jmpq *0x402470(,%rax,8)

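This address has to be computed. The rules are as follows:

Symbol         Meaning
r1             the contents stored in the register
$Imm           an immediate, i.e. the value shown is used directly
Imm            the contents of memory at address Imm
(r1)           the contents of the register are used as the address
Imm(r1)        the contents of the register plus Imm are used as the address
(r1,r2)        the contents of the two registers added together are used as the address
Imm(r1,r2)     Imm+r1+r2 is used as the address
(,r1,4)        the contents of r1 times 4 are used as the address
Imm(,r1,4)     Imm+r1*4 is used as the address
(r1,r2,4)      r1+r2*4 is used as the address
Imm(r1,r2,4)   Imm+r1+r2*4 is used as the address

Here the address is 0x402470+rax*8, so debug to find out what rax contains.

When execution reaches this point, use the command x /d $rax

rax is 7, so we compute 0x402470+56; 56 in hexadecimal is 0x38, which gives 0x4024a8. Because of the leading *, the contents at that address are used. Next, run: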

x /gx 0x4024a8

So it jumps to 0x400fa6:

0x0000000000400fa6 <+99>: mov $0x147,%eax
0x0000000000400fab <+104>: jmp 0x400fbe <phase_3+123>
0x0000000000400fad <+106>: callq 0x40143a <explode_bomb>
0x0000000000400fb2 <+111>: mov $0x0,%eax
0x0000000000400fb7 <+116>: jmp 0x400fbe <phase_3+123>
0x0000000000400fb9 <+118>: mov $0x137,%eax
0x0000000000400fbe <+123>: cmp 0xc(%rsp),%eax

From this we find that the second number is 0x147, which is 327 in decimal, so the two numbers are 7 327
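The addressing-mode rules from the table above, written as a small operand parser. This is an added example, not part of the original write-up; effective_address, reg_value and the register values in SAMPLE_REGS are made up for illustration (rax = 7 is the first input used in the walkthrough, the %rsp value is constructed).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct reg { const char *name; unsigned long val; };
/* Constructed register values for the example; rax = 7 as in the walkthrough. */
static const struct reg SAMPLE_REGS[] = {
    { "%rax", 7 }, { "%rsi", 0 }, { "%rsp", 0x7fffffffe000UL },
};
#define N_SAMPLE_REGS (sizeof SAMPLE_REGS / sizeof SAMPLE_REGS[0])

/* Value of the register named by s[0..len); omitted or unknown counts as 0. */
static unsigned long reg_value(const struct reg *regs, size_t n,
                               const char *s, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (strlen(regs[i].name) == len && strncmp(regs[i].name, s, len) == 0)
            return regs[i].val;
    return 0;
}

/* Effective address of an AT&T memory operand Imm(rb,ri,s) = Imm + rb + ri*s.
 * Imm, rb, ri and s may each be omitted; s defaults to 1. */
unsigned long effective_address(const char *op, const struct reg *regs, size_t n)
{
    char *p;
    unsigned long imm = strtoul(op, &p, 0);   /* no digits: 0 and p == op */
    unsigned long base = 0, index = 0, scale = 1;
    size_t len;
    if (*p != '(')
        return imm;                           /* bare Imm: absolute address */
    p++;
    len = strcspn(p, ",)");                   /* base register, may be empty */
    base = reg_value(regs, n, p, len);
    p += len;
    if (*p == ',') {
        p++;
        len = strcspn(p, ",)");               /* index register */
        index = reg_value(regs, n, p, len);
        p += len;
        if (*p == ',')
            scale = strtoul(p + 1, NULL, 0);  /* scale factor: 1, 2, 4 or 8 */
    }
    return imm + base + index * scale;
}

int main(void)
{
    const char *ops[] = { "0x402470(,%rax,8)", "0x8(%rsp)", "(%rax,%rsi,1)" };
    for (size_t i = 0; i < sizeof ops / sizeof ops[0]; i++)
        printf("%-18s -> 0x%lx\n", ops[i],
               effective_address(ops[i], SAMPLE_REGS, N_SAMPLE_REGS));
    return 0;
}
```

The first operand is the jump-table slot from jmpq *0x402470(,%rax,8); the jump target is the 8-byte value stored at the computed address, which is what x /gx reads.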

Phase 4

0x000000000040100c <+0>: sub $0x18,%rsp
0x0000000000401010 <+4>: lea 0xc(%rsp),%rcx
0x0000000000401015 <+9>: lea 0x8(%rsp),%rdx
0x000000000040101a <+14>: mov $0x4025cf,%esi
0x000000000040101f <+19>: mov $0x0,%eax
0x0000000000401024 <+24>: callq 0x400bf0 <__isoc99_sscanf@plt>
0x0000000000401029 <+29>: cmp $0x2,%eax
0x000000000040102c <+32>: jne 0x401035 <phase_4+41>
0x000000000040102e <+34>: cmpl $0xe,0x8(%rsp)
0x0000000000401033 <+39>: jbe 0x40103a <phase_4+46>
0x0000000000401035 <+41>: callq 0x40143a <explode_bomb>
0x000000000040103a <+46>: mov $0xe,%edx
0x000000000040103f <+51>: mov $0x0,%esi
0x0000000000401044 <+56>: mov 0x8(%rsp),%edi
0x0000000000401048 <+60>: callq 0x400fce <func4>
0x000000000040104d <+65>: test %eax,%eax
0x000000000040104f <+67>: jne 0x401058 <phase_4+76>
0x0000000000401051 <+69>: cmpl $0x0,0xc(%rsp)
0x0000000000401056 <+74>: je 0x40105d <phase_4+81>
0x0000000000401058 <+76>: callq 0x40143a <explode_bomb>
0x000000000040105d <+81>: add $0x18,%rsp
0x0000000000401061 <+85>: retq

Examining the string at 0x4025cf gives:

So our input is again two numbers.

0x0000000000401029 <+29>: cmp $0x2,%eax

This checks whether the number of input values is 2 (it must be 2, otherwise execution cannot continue). Then these two lines:

0x000000000040102e <+34>: cmpl $0xe,0x8(%rsp)
0x0000000000401033 <+39>: jbe 0x40103a <phase_4+46>

The first line is a comparison, and the jbe (jump if below or equal) after it checks whether the value is less than or equal to 0xe; if so, it jumps. Then:

0x0000000000401051 <+69>: cmpl $0x0,0xc(%rsp)
0x0000000000401056 <+74>: je 0x40105d <phase_4+81>

This checks the second argument, which must be 0. For the first argument we still have to look at:

0x0000000000401048 <+60>: callq 0x400fce <func4>

The three arguments passed in are as follows:

0x000000000040103a <+46>: mov $0xe,%edx
0x000000000040103f <+51>: mov $0x0,%esi
0x0000000000401044 <+56>: mov 0x8(%rsp),%edi

edx holds 14, esi holds 0, and the value at rsp+8 (the first argument) is placed in edi. Here the first argument I entered was decimal 10.

fun4

The code of the func4 function:

Dump of assembler code for function func4:
=> 0x0000000000400fce <+0>: sub $0x8,%rsp
0x0000000000400fd2 <+4>: mov %edx,%eax
0x0000000000400fd4 <+6>: sub %esi,%eax
0x0000000000400fd6 <+8>: mov %eax,%ecx
0x0000000000400fd8 <+10>: shr $0x1f,%ecx
0x0000000000400fdb <+13>: add %ecx,%eax
0x0000000000400fdd <+15>: sar %eax
0x0000000000400fdf <+17>: lea (%rax,%rsi,1),%ecx
0x0000000000400fe2 <+20>: cmp %edi,%ecx
0x0000000000400fe4 <+22>: jle 0x400ff2 <func4+36>
0x0000000000400fe6 <+24>: lea -0x1(%rcx),%edx
0x0000000000400fe9 <+27>: callq 0x400fce <func4>
0x0000000000400fee <+32>: add %eax,%eax
0x0000000000400ff0 <+34>: jmp 0x401007 <func4+57>
0x0000000000400ff2 <+36>: mov $0x0,%eax
0x0000000000400ff7 <+41>: cmp %edi,%ecx
0x0000000000400ff9 <+43>: jge 0x401007 <func4+57>
0x0000000000400ffb <+45>: lea 0x1(%rcx),%esi
0x0000000000400ffe <+48>: callq 0x400fce <func4>
0x0000000000401003 <+53>: lea 0x1(%rax,%rax,1),%eax
0x0000000000401007 <+57>: add $0x8,%rsp
0x000000000040100b <+61>: retq

shr is a logical right shift.

0x0000000000400fd2 <+4>: mov %edx,%eax
0x0000000000400fd4 <+6>: sub %esi,%eax
0x0000000000400fd6 <+8>: mov %eax,%ecx

edx originally holds 14 and esi holds 0; after these instructions, ecx holds 14.

0x0000000000400fd8 <+10>: shr $0x1f,%ecx

ecx is shifted right by 0x1f, that is, by 31 bits, so ecx is now 0.

0x0000000000400fdb <+13>: add %ecx,%eax
0x0000000000400fdd <+15>: sar %eax

sar has only one operand here because the shift count defaults to 1. 14 shifted right by one bit, that is, 1110 shifted right by one, becomes 111, so eax is now 7.

0x0000000000400fdf <+17>: lea (%rax,%rsi,1),%ecx

rax+rsi is assigned to ecx; the form (%rax,%rsi,1) means rax+rsi*1.

0x0000000000400fe2 <+20>: cmp %edi,%ecx
0x0000000000400fe4 <+22>: jle 0x400ff2 <func4+36>
0x0000000000400fe6 <+24>: lea -0x1(%rcx),%edx
0x0000000000400fe9 <+27>: callq 0x400fce <func4>
0x0000000000400fee <+32>: add %eax,%eax
0x0000000000400ff0 <+34>: jmp 0x401007 <func4+57>
0x0000000000400ff2 <+36>: mov $0x0,%eax
0x0000000000400ff7 <+41>: cmp %edi,%ecx
0x0000000000400ff9 <+43>: jge 0x401007 <func4+57>

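Now ecx is compared with edi. jle (jump if less or equal) is the less-or-equal test; the value at rsp+8 (the first argument) is in edi, and ecx is rax+rsi (7+0). When the condition holds, execution jumps to: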

0x0000000000400ff2 <+36>: mov $0x0,%eax
0x0000000000400ff7 <+41>: cmp %edi,%ecx
0x0000000000400ff9 <+43>: jge 0x401007 <func4+57>

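After the less-or-equal test passes, jge (jump if greater or equal) tests greater-or-equal, which means ecx and edi must be equal. ecx works out to 7, so the answer to phase 4 is 7 0

Recursion is also involved here. Converted to C++ code: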

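// a = upper bound (edx), b = lower bound (esi), in = first input number (edi)
int func4(int a, int b, int in) {
    int x = (a - b) / 2 + b;                 // midpoint, ecx in the listing
    if (x > in) {
        return 2 * func4(x - 1, b, in);      // add %eax,%eax
    }
    if (x == in) {
        return 0;                            // mov $0x0,%eax at <+36>
    }
    return 2 * func4(a, x + 1, in) + 1;      // lea 0x1(%rax,%rax,1),%eax
}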
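An instruction-level C model of func4 together with the checks phase_4 makes around it, added here as an example and not part of the original write-up; phase4_valid_inputs is a made-up helper. It goes beyond the single case traced above by trying every first number the jbe check allows (0 to 14).

```c
#include <stdio.h>

/* Instruction-level model of func4(edi, esi, edx) from the listing. */
int func4(int edi, int esi, int edx)
{
    int eax = edx - esi;                          /* mov %edx,%eax ; sub %esi,%eax */
    int ecx = (int)((unsigned)eax >> 31);         /* shr $0x1f,%ecx : the sign bit */
    eax = (eax + ecx) >> 1;                       /* add %ecx,%eax ; sar %eax      */
    ecx = eax + esi;                              /* lea (%rax,%rsi,1),%ecx        */
    if (ecx > edi)                                /* cmp %edi,%ecx ; jle not taken */
        return 2 * func4(edi, esi, ecx - 1);      /* add %eax,%eax                 */
    if (ecx < edi)                                /* cmp %edi,%ecx ; jge not taken */
        return 2 * func4(edi, ecx + 1, edx) + 1;  /* lea 0x1(%rax,%rax,1),%eax     */
    return 0;                                     /* mov $0x0,%eax                 */
}

/* Stores every first number that phase_4 accepts in out[] and returns the count. */
int phase4_valid_inputs(int out[15])
{
    int n = 0;

    for (int x = 0; x <= 0xe; x++)                /* cmpl $0xe,0x8(%rsp) ; jbe     */
        if (func4(x, 0, 0xe) == 0)                /* test %eax,%eax ; jne explode  */
            out[n++] = x;
    return n;
}

int main(void)
{
    int ok[15];
    int n = phase4_valid_inputs(ok);

    for (int i = 0; i < n; i++)
        printf("%d 0\n", ok[i]);                  /* second number must be 0       */
    printf("func4(10, 0, 14) = %d\n", func4(10, 0, 14));
    return 0;
}
```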

Phase 5

Break at the function as usual:

Dump of assembler code for function phase_5:
=> 0x0000000000401062 <+0>: push %rbx
0x0000000000401063 <+1>: sub $0x20,%rsp
0x0000000000401067 <+5>: mov %rdi,%rbx
0x000000000040106a <+8>: mov %fs:0x28,%rax
0x0000000000401073 <+17>: mov %rax,0x18(%rsp)
0x0000000000401078 <+22>: xor %eax,%eax
0x000000000040107a <+24>: callq 0x40131b <string_length>
0x000000000040107f <+29>: cmp $0x6,%eax
0x0000000000401082 <+32>: je 0x4010d2 <phase_5+112>
0x0000000000401084 <+34>: callq 0x40143a <explode_bomb>
0x0000000000401089 <+39>: jmp 0x4010d2 <phase_5+112>
0x000000000040108b <+41>: movzbl (%rbx,%rax,1),%ecx
0x000000000040108f <+45>: mov %cl,(%rsp)
0x0000000000401092 <+48>: mov (%rsp),%rdx
0x0000000000401096 <+52>: and $0xf,%edx
0x0000000000401099 <+55>: movzbl 0x4024b0(%rdx),%edx
0x00000000004010a0 <+62>: mov %dl,0x10(%rsp,%rax,1)
0x00000000004010a4 <+66>: add $0x1,%rax
0x00000000004010a8 <+70>: cmp $0x6,%rax
0x00000000004010ac <+74>: jne 0x40108b <phase_5+41>
0x00000000004010ae <+76>: movb $0x0,0x16(%rsp)
0x00000000004010b3 <+81>: mov $0x40245e,%esi
0x00000000004010b8 <+86>: lea 0x10(%rsp),%rdi
0x00000000004010bd <+91>: callq 0x401338 <strings_not_equal>
0x00000000004010c2 <+96>: test %eax,%eax
0x00000000004010c4 <+98>: je 0x4010d9 <phase_5+119>
0x00000000004010c6 <+100>: callq 0x40143a <explode_bomb>
0x00000000004010cb <+105>: nopl 0x0(%rax,%rax,1)
0x00000000004010d0 <+110>: jmp 0x4010d9 <phase_5+119>
0x00000000004010d2 <+112>: mov $0x0,%eax
0x00000000004010d7 <+117>: jmp 0x40108b <phase_5+41>
0x00000000004010d9 <+119>: mov 0x18(%rsp),%rax
0x00000000004010de <+124>: xor %fs:0x28,%rax
0x00000000004010e7 <+133>: je 0x4010ee <phase_5+140>
0x00000000004010e9 <+135>: callq 0x400b30 <__stack_chk_fail@plt>
0x00000000004010ee <+140>: add $0x20,%rsp
0x00000000004010f2 <+144>: pop %rbx
0x00000000004010f3 <+145>: retq


102 121 114 108 101 115

x /16b 0x4024b0


maduiersnfotvbylSo
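(Note: only the low four bits are used, so choose the characters accordingly.)
So the low four bits have to work out to 9 15 14 5 6 7; any input string whose characters have these low four bits will do (that is, the low four bits are 1001 1111 1110 0101 0110 0111).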

Here, for 9 15 14 5 6 7, I entered ionuvw
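The phase_5 transform and the derivation of an input for it, as an added example that is not part of the original write-up. phase5_accepts and phase5_solve are made-up names, and the example assumes that the bytes 102 121 114 108 101 115 shown above are the comparison string at 0x40245e read as ASCII.

```c
#include <stdio.h>
#include <string.h>

/* Values from the walkthrough: the first 16 bytes at 0x4024b0, and the bytes
 * 102 121 114 108 101 115 as ASCII (assumed to be the string at 0x40245e). */
static const char TABLE[]  = "maduiersnfotvbyl";
static const char TARGET[] = "flyers";

/* Model of the phase_5 check: 1 if the input would pass, 0 if it would explode. */
int phase5_accepts(const char *in)
{
    char out[7];

    if (strlen(in) != 6)                  /* string_length ; cmp $0x6,%eax */
        return 0;
    for (int i = 0; i < 6; i++)
        out[i] = TABLE[in[i] & 0xf];      /* and $0xf,%edx ; movzbl 0x4024b0(%rdx),%edx */
    out[6] = '\0';                        /* movb $0x0,0x16(%rsp) */
    return strcmp(out, TARGET) == 0;      /* strings_not_equal */
}

/* Derives one passing input: find each target letter's index in the table and
 * combine it with high_bits (0x60 maps indices 1..15 to 'a'..'o').
 * Returns 0 on success, -1 if a target letter is not in the table. */
int phase5_solve(unsigned char high_bits, int idx[6], char in[7])
{
    for (int i = 0; i < 6; i++) {
        const char *hit = memchr(TABLE, TARGET[i], 16);
        if (hit == NULL)
            return -1;
        idx[i] = (int)(hit - TABLE);
        in[i] = (char)(high_bits | idx[i]);
    }
    in[6] = '\0';
    return 0;
}

int main(void)
{
    int idx[6];
    char in[7];

    if (phase5_solve(0x60, idx, in) == 0)
        printf("indices %d %d %d %d %d %d -> \"%s\" (accepted: %d)\n",
               idx[0], idx[1], idx[2], idx[3], idx[4], idx[5], in,
               phase5_accepts(in));
    printf("ionuvw accepted: %d\n", phase5_accepts("ionuvw"));
    return 0;
}
```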

Phase 6

0x00000000004010f4 <+0>: push %r14
0x00000000004010f6 <+2>: push %r13
0x00000000004010f8 <+4>: push %r12
0x00000000004010fa <+6>: push %rbp
0x00000000004010fb <+7>: push %rbx
0x00000000004010fc <+8>: sub $0x50,%rsp
0x0000000000401100 <+12>: mov %rsp,%r13
0x0000000000401103 <+15>: mov %rsp,%rsi
0x0000000000401106 <+18>: callq 0x40145c <read_six_numbers>
0x000000000040110b <+23>: mov %rsp,%r14
0x000000000040110e <+26>: mov $0x0,%r12d
0x0000000000401114 <+32>: mov %r13,%rbp
0x0000000000401117 <+35>: mov 0x0(%r13),%eax
0x000000000040111b <+39>: sub $0x1,%eax
0x000000000040111e <+42>: cmp $0x5,%eax
0x0000000000401121 <+45>: jbe 0x401128 <phase_6+52>
0x0000000000401123 <+47>: callq 0x40143a <explode_bomb>
0x0000000000401128 <+52>: add $0x1,%r12d
0x000000000040112c <+56>: cmp $0x6,%r12d
0x0000000000401130 <+60>: je 0x401153 <phase_6+95>
0x0000000000401132 <+62>: mov %r12d,%ebx
0x0000000000401135 <+65>: movslq %ebx,%rax
0x0000000000401138 <+68>: mov (%rsp,%rax,4),%eax
0x000000000040113b <+71>: cmp %eax,0x0(%rbp)
0x000000000040113e <+74>: jne 0x401145 <phase_6+81>
0x0000000000401140 <+76>: callq 0x40143a <explode_bomb>
0x0000000000401145 <+81>: add $0x1,%ebx
0x0000000000401148 <+84>: cmp $0x5,%ebx
0x000000000040114b <+87>: jle 0x401135 <phase_6+65>
0x000000000040114d <+89>: add $0x4,%r13
0x0000000000401151 <+93>: jmp 0x401114 <phase_6+32>
0x0000000000401153 <+95>: lea 0x18(%rsp),%rsi
0x0000000000401158 <+100>: mov %r14,%rax
0x000000000040115b <+103>: mov $0x7,%ecx
0x0000000000401160 <+108>: mov %ecx,%edx
0x0000000000401162 <+110>: sub (%rax),%edx
0x0000000000401164 <+112>: mov %edx,(%rax)
0x0000000000401166 <+114>: add $0x4,%rax
0x000000000040116a <+118>: cmp %rsi,%rax
0x000000000040116d <+121>: jne 0x401160 <phase_6+108>
0x000000000040116f <+123>: mov $0x0,%esi
0x0000000000401174 <+128>: jmp 0x401197 <phase_6+163>
0x0000000000401176 <+130>: mov 0x8(%rdx),%rdx
0x000000000040117a <+134>: add $0x1,%eax
0x000000000040117d <+137>: cmp %ecx,%eax
0x000000000040117f <+139>: jne 0x401176 <phase_6+130>
0x0000000000401181 <+141>: jmp 0x401188 <phase_6+148>
0x0000000000401183 <+143>: mov $0x6032d0,%edx
0x0000000000401188 <+148>: mov %rdx,0x20(%rsp,%rsi,2)
0x000000000040118d <+153>: add $0x4,%rsi
0x0000000000401191 <+157>: cmp $0x18,%rsi
0x0000000000401195 <+161>: je 0x4011ab <phase_6+183>
0x0000000000401197 <+163>: mov (%rsp,%rsi,1),%ecx
0x000000000040119a <+166>: cmp $0x1,%ecx
0x000000000040119d <+169>: jle 0x401183 <phase_6+143>
0x000000000040119f <+171>: mov $0x1,%eax
0x00000000004011a4 <+176>: mov $0x6032d0,%edx
0x00000000004011a9 <+181>: jmp 0x401176 <phase_6+130>
0x00000000004011ab <+183>: mov 0x20(%rsp),%rbx
0x00000000004011b0 <+188>: lea 0x28(%rsp),%rax
0x00000000004011b5 <+193>: lea 0x50(%rsp),%rsi
0x00000000004011ba <+198>: mov %rbx,%rcx
0x00000000004011bd <+201>: mov (%rax),%rdx
0x00000000004011c0 <+204>: mov %rdx,0x8(%rcx)
0x00000000004011c4 <+208>: add $0x8,%rax
0x00000000004011c8 <+212>: cmp %rsi,%rax
0x00000000004011cb <+215>: je 0x4011d2 <phase_6+222>
0x00000000004011cd <+217>: mov %rdx,%rcx
0x00000000004011d0 <+220>: jmp 0x4011bd <phase_6+201>
0x00000000004011d2 <+222>: movq $0x0,0x8(%rdx)
0x00000000004011da <+230>: mov $0x5,%ebp
0x00000000004011df <+235>: mov 0x8(%rbx),%rax
0x00000000004011e3 <+239>: mov (%rax),%eax
0x00000000004011e5 <+241>: cmp %eax,(%rbx)
0x00000000004011e7 <+243>: jge 0x4011ee <phase_6+250>
0x00000000004011e9 <+245>: callq 0x40143a <explode_bomb>
0x00000000004011ee <+250>: mov 0x8(%rbx),%rbx
0x00000000004011f2 <+254>: sub $0x1,%ebp
0x00000000004011f5 <+257>: jne 0x4011df <phase_6+235>
0x00000000004011f7 <+259>: add $0x50,%rsp
0x00000000004011fb <+263>: pop %rbx
0x00000000004011fc <+264>: pop %rbp
0x00000000004011fd <+265>: pop %r12
0x00000000004011ff <+267>: pop %r13
0x0000000000401201 <+269>: pop %r14
0x0000000000401203 <+271>: retq
