ardxwe

CSer

0%

CS15-213labs-bomb-lab

发表于 更新于

关于课程

这门课程围绕 CSAPP 展开。

书本相关的所有信息,你可以在 这里 找到。

你可以在 Bilibili 或者 YouTube 查看所有的课程视频,Bilibili附带中文字幕。

建议看完相应的章节然后去做相应的实验。大名鼎鼎的 CSAPP 的作者即是这门课程的讲师。你可以在 这里 找到实验相关的所有内容。

这门课程的实验代码可以在我的 Github 找到我的所有解答及相关资料。本次实验相关代码在 ./bomb 文件夹下。

bomb lab

文档

点击 这里, 然后点击标红处 Self-Study Handout 即可下载此次实验对应的文档。

解压之后文件夹对应目录:

1
2
3
4
5
6
7
➜  下载 tree bomb       
bomb
├── bomb
├── bomb.c
└── README

0 directories, 3 files
  • bomb: 可执行文件
  • bomb.c: 对应的部分 C 代码
  • README: 本次实验的简单说明

内容

bomb目标代码文件运行时提示用户输入6个不同字符串,其中任意一个不正确炸弹会爆炸,也就意味着实验的失败。我们需要通过逆向工程来拆除炸弹,需要使用 gdb 和 objdump 。

环境

Linux, 请不要使用 Windows :)

过程

分析

执行 bomb 程序

1
2
3
4
➜  bomb git:(master) ./bomb          
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!

一切正常。查看 bomb.c 程序:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
/***************************************************************************
 * Dr. Evil's Insidious Bomb, Version 1.1
 * Copyright 2011, Dr. Evil Incorporated. All rights reserved.
 *
 * LICENSE:
 *
 * Dr. Evil Incorporated (the PERPETRATOR) hereby grants you (the
 * VICTIM) explicit permission to use this bomb (the BOMB).  This is a
 * time limited license, which expires on the death of the VICTIM.
 * The PERPETRATOR takes no responsibility for damage, frustration,
 * insanity, bug-eyes, carpal-tunnel syndrome, loss of sleep, or other
 * harm to the VICTIM.  Unless the PERPETRATOR wants to take credit,
 * that is.  The VICTIM may not distribute this bomb source code to
 * any enemies of the PERPETRATOR.  No VICTIM may debug,
 * reverse-engineer, run "strings" on, decompile, decrypt, or use any
 * other technique to gain knowledge of and defuse the BOMB.  BOMB
 * proof clothing may not be worn when handling this program.  The
 * PERPETRATOR will not apologize for the PERPETRATOR's poor sense of
 * humor.  This license is null and void where the BOMB is prohibited
 * by law.
 ***************************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include "support.h"
#include "phases.h"

/* 
 * Note to self: Remember to erase this file so my victims will have no
 * idea what is going on, and so they will all blow up in a
 * spectaculary fiendish explosion. -- Dr. Evil 
 */

FILE *infile;

int main(int argc, char *argv[])
{
    char *input;

    /* Note to self: remember to port this bomb to Windows and put a 
     * fantastic GUI on it. */

    /* When run with no arguments, the bomb reads its input lines 
     * from standard input. */
    if (argc == 1) {  
    infile = stdin;
    } 

    /* When run with one argument <file>, the bomb reads from <file> 
     * until EOF, and then switches to standard input. Thus, as you 
     * defuse each phase, you can add its defusing string to <file> and
     * avoid having to retype it. */
    else if (argc == 2) {
    if (!(infile = fopen(argv[1], "r"))) {
        printf("%s: Error: Couldn't open %s\n", argv[0], argv[1]);
        exit(8);
    }
    }

    /* You can't call the bomb with more than 1 command line argument. */
    else {
    printf("Usage: %s [<input_file>]\n", argv[0]);
    exit(8);
    }

    /* Do all sorts of secret stuff that makes the bomb harder to defuse. */
    initialize_bomb();

    printf("Welcome to my fiendish little bomb. You have 6 phases with\n");
    printf("which to blow yourself up. Have a nice day!\n");

    /* Hmm...  Six phases must be more secure than one phase! */
    input = read_line();             /* Get input                   */
    phase_1(input);                  /* Run the phase               */
    phase_defused();                 /* Drat!  They figured it out!
                      * Let me know how they did it. */
    printf("Phase 1 defused. How about the next one?\n");

    /* The second phase is harder.  No one will ever figure out
     * how to defuse this... */
    input = read_line();
    phase_2(input);
    phase_defused();
    printf("That's number 2.  Keep going!\n");

    /* I guess this is too easy so far.  Some more complex code will
     * confuse people. */
    input = read_line();
    phase_3(input);
    phase_defused();
    printf("Halfway there!\n");

    /* Oh yeah?  Well, how good is your math?  Try on this saucy problem! */
    input = read_line();
    phase_4(input);
    phase_defused();
    printf("So you got that one.  Try this one.\n");
    
    /* Round and 'round in memory we go, where we stop, the bomb blows! */
    input = read_line();
    phase_5(input);
    phase_defused();
    printf("Good work!  On to the next...\n");

    /* This phase will never be used, since no one will get past the
     * earlier ones.  But just in case, make this one extra hard. */
    input = read_line();
    phase_6(input);
    phase_defused();

    /* Wow, they got it!  But isn't something... missing?  Perhaps
     * something they overlooked?  Mua ha ha ha ha! */
    
    return 0;
}

由 45-64行可知, bomb程序可以通过标准输入和文件执行, 指定相应的文件在第二个参数。使用我已经破解的结果文件运行。

1
2
3
4
5
6
7
8
9
➜  bomb git:(master) ./bomb ./result
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2.  Keep going!
Halfway there!
So you got that one.  Try this one.
Good work!  On to the next...
Congratulations! You've defused the bomb!

没有任何问题。毫无疑问,首先反汇编。

1
➜  bomb git:(master) ✗ objdump -d bomb > assemblycode

查看 main 处代码段。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
0000000000400da0 <main>:
  400da0:    53                       push   %rbx
  400da1:    83 ff 01                 cmp    $0x1,%edi
  400da4:    75 10                    jne    400db6 <main+0x16>
  400da6:    48 8b 05 9b 29 20 00     mov    0x20299b(%rip),%rax        # 603748 <stdin@@GLIBC_2.2.5>
  400dad:    48 89 05 b4 29 20 00     mov    %rax,0x2029b4(%rip)        # 603768 <infile>
  400db4:    eb 63                    jmp    400e19 <main+0x79>
  400db6:    48 89 f3                 mov    %rsi,%rbx
  400db9:    83 ff 02                 cmp    $0x2,%edi
  400dbc:    75 3a                    jne    400df8 <main+0x58>
  400dbe:    48 8b 7e 08              mov    0x8(%rsi),%rdi
  400dc2:    be b4 22 40 00           mov    $0x4022b4,%esi
  400dc7:    e8 44 fe ff ff           callq  400c10 <fopen@plt>
  400dcc:    48 89 05 95 29 20 00     mov    %rax,0x202995(%rip)        # 603768 <infile>
  400dd3:    48 85 c0                 test   %rax,%rax
  400dd6:    75 41                    jne    400e19 <main+0x79>
  400dd8:    48 8b 4b 08              mov    0x8(%rbx),%rcx
  400ddc:    48 8b 13                 mov    (%rbx),%rdx
  400ddf:    be b6 22 40 00           mov    $0x4022b6,%esi
  400de4:    bf 01 00 00 00           mov    $0x1,%edi
  400de9:    e8 12 fe ff ff           callq  400c00 <__printf_chk@plt>
  400dee:    bf 08 00 00 00           mov    $0x8,%edi
  400df3:    e8 28 fe ff ff           callq  400c20 <exit@plt>
  400df8:    48 8b 16                 mov    (%rsi),%rdx
  400dfb:    be d3 22 40 00           mov    $0x4022d3,%esi
  400e00:    bf 01 00 00 00           mov    $0x1,%edi
  400e05:    b8 00 00 00 00           mov    $0x0,%eax
  400e0a:    e8 f1 fd ff ff           callq  400c00 <__printf_chk@plt>
  400e0f:    bf 08 00 00 00           mov    $0x8,%edi
  400e14:    e8 07 fe ff ff           callq  400c20 <exit@plt>
  400e19:    e8 84 05 00 00           callq  4013a2 <initialize_bomb>
  400e1e:    bf 38 23 40 00           mov    $0x402338,%edi
  400e23:    e8 e8 fc ff ff           callq  400b10 <puts@plt>
  400e28:    bf 78 23 40 00           mov    $0x402378,%edi
  400e2d:    e8 de fc ff ff           callq  400b10 <puts@plt>
  400e32:    e8 67 06 00 00           callq  40149e <read_line>
  400e37:    48 89 c7                 mov    %rax,%rdi
  400e3a:    e8 a1 00 00 00           callq  400ee0 <phase_1>
  400e3f:    e8 80 07 00 00           callq  4015c4 <phase_defused>
  400e44:    bf a8 23 40 00           mov    $0x4023a8,%edi
  400e49:    e8 c2 fc ff ff           callq  400b10 <puts@plt>
  400e4e:    e8 4b 06 00 00           callq  40149e <read_line>
  400e53:    48 89 c7                 mov    %rax,%rdi
  400e56:    e8 a1 00 00 00           callq  400efc <phase_2>
  400e5b:    e8 64 07 00 00           callq  4015c4 <phase_defused>
  400e60:    bf ed 22 40 00           mov    $0x4022ed,%edi
  400e65:    e8 a6 fc ff ff           callq  400b10 <puts@plt>
  400e6a:    e8 2f 06 00 00           callq  40149e <read_line>
  400e6f:    48 89 c7                 mov    %rax,%rdi
  400e72:    e8 cc 00 00 00           callq  400f43 <phase_3>
  400e77:    e8 48 07 00 00           callq  4015c4 <phase_defused>
  400e7c:    bf 0b 23 40 00           mov    $0x40230b,%edi
  400e81:    e8 8a fc ff ff           callq  400b10 <puts@plt>
  400e86:    e8 13 06 00 00           callq  40149e <read_line>
  400e8b:    48 89 c7                 mov    %rax,%rdi
  400e8e:    e8 79 01 00 00           callq  40100c <phase_4>
  400e93:    e8 2c 07 00 00           callq  4015c4 <phase_defused>
  400e98:    bf d8 23 40 00           mov    $0x4023d8,%edi
  400e9d:    e8 6e fc ff ff           callq  400b10 <puts@plt>
  400ea2:    e8 f7 05 00 00           callq  40149e <read_line>
  400ea7:    48 89 c7                 mov    %rax,%rdi
  400eaa:    e8 b3 01 00 00           callq  401062 <phase_5>
  400eaf:    e8 10 07 00 00           callq  4015c4 <phase_defused>
  400eb4:    bf 1a 23 40 00           mov    $0x40231a,%edi
  400eb9:    e8 52 fc ff ff           callq  400b10 <puts@plt>
  400ebe:    e8 db 05 00 00           callq  40149e <read_line>
  400ec3:    48 89 c7                 mov    %rax,%rdi
  400ec6:    e8 29 02 00 00           callq  4010f4 <phase_6>
  400ecb:    e8 f4 06 00 00           callq  4015c4 <phase_defused>
  400ed0:    b8 00 00 00 00           mov    $0x0,%eax
  400ed5:    5b                       pop    %rbx
  400ed6:    c3                       retq   
  400ed7:    90                       nop
  400ed8:    90                       nop
  400ed9:    90                       nop
  400eda:    90                       nop
  400edb:    90                       nop
  400edc:    90                       nop
  400edd:    90                       nop
  400ede:    90                       nop
  400edf:    90                       nop

第一个短语

查看 bomb.c 第73行可知: readline 函数返回指向输入的第一个字符的指针。

查看 main 函数第36-38行。

1
2
3
400e32:    e8 67 06 00 00           callq  40149e <read_line>
400e37:    48 89 c7                 mov    %rax,%rdi
400e3a:    e8 a1 00 00 00           callq  400ee0 <phase_1>
  • 1 调用 read_line 函数
  • 2 read_line 函数返回结果存在 rax 寄存器, 将其移入 rdi 寄存器,作为之后函数的第一个参数。
  • 3 调用 phase_1 函数。

输入的字符指针作为第一个参数,一切都是那么的自然。根据38行指定的地址,查看 phase_1 函数汇编代码。

1
2
3
4
5
6
7
8
9
0000000000400ee0 <phase_1>:
  400ee0:    48 83 ec 08              sub    $0x8,%rsp
  400ee4:    be 00 24 40 00           mov    $0x402400,%esi
  400ee9:    e8 4a 04 00 00           callq  401338 <strings_not_equal>
  400eee:    85 c0                    test   %eax,%eax
  400ef0:    74 05                    je     400ef7 <phase_1+0x17>
  400ef2:    e8 43 05 00 00           callq  40143a <explode_bomb>
  400ef7:    48 83 c4 08              add    $0x8,%rsp
  400efb:    c3                       retq

查看2-3行。

  • 2 内存地址 0x402400 移入 esi寄存器
  • 3 调用 strings_not_equal 函数,此时 rdi 为 input

从 strings_not_equal 函数名称和它所对应的两个参数可以知道:
input 应该和对应内存位置字符串相等。

我们使用 gdb 查看对应内存位置字符串:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
➜  bomb git:(master) gdb bomb
GNU gdb (Ubuntu 9.1-0ubuntu1) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bomb...
(gdb) p (char*)0x402400
$1 = 0x402400 "Border relations with Canada have never been better."
(gdb)

尝试运行 bomb 程序输入对应字符串试试:

1
2
3
4
5
6
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?

是的,我们成功了!

第四行之后的汇编代码主要是:如果函数返回0,成功返回。不是0,调用 explode_bomb 函数,代表着我们的输入失败了。

第二个短语

查看 main 函数第 42-44 行。

1
2
3
400e4e:    e8 4b 06 00 00           callq  40149e <read_line>
400e53:    48 89 c7                 mov    %rax,%rdi
400e56:    e8 a1 00 00 00           callq  400efc <phase_2>

和第一个方式相同,不再赘述。

查看对应位置 phase_2 汇编代码。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
0000000000400efc <phase_2>:
  400efc:    55                       push   %rbp
  400efd:    53                       push   %rbx
  400efe:    48 83 ec 28              sub    $0x28,%rsp
  400f02:    48 89 e6                 mov    %rsp,%rsi
  400f05:    e8 52 05 00 00           callq  40145c <read_six_numbers>
  400f0a:    83 3c 24 01              cmpl   $0x1,(%rsp)
  400f0e:    74 20                    je     400f30 <phase_2+0x34>
  400f10:    e8 25 05 00 00           callq  40143a <explode_bomb>
  400f15:    eb 19                    jmp    400f30 <phase_2+0x34>
  400f17:    8b 43 fc                 mov    -0x4(%rbx),%eax
  400f1a:    01 c0                    add    %eax,%eax
  400f1c:    39 03                    cmp    %eax,(%rbx)
  400f1e:    74 05                    je     400f25 <phase_2+0x29>
  400f20:    e8 15 05 00 00           callq  40143a <explode_bomb>
  400f25:    48 83 c3 04              add    $0x4,%rbx
  400f29:    48 39 eb                 cmp    %rbp,%rbx
  400f2c:    75 e9                    jne    400f17 <phase_2+0x1b>
  400f2e:    eb 0c                    jmp    400f3c <phase_2+0x40>
  400f30:    48 8d 5c 24 04           lea    0x4(%rsp),%rbx
  400f35:    48 8d 6c 24 18           lea    0x18(%rsp),%rbp
  400f3a:    eb db                    jmp    400f17 <phase_2+0x1b>
  400f3c:    48 83 c4 28              add    $0x28,%rsp
  400f40:    5b                       pop    %rbx
  400f41:    5d                       pop    %rbp
  400f42:    c3                       retq
  • 3-6: 将6个数字读到栈上。
  • 7-9: 第一个数字不为1, 炸弹爆炸, 为1,跳到20行
  • 10-26:检查每个数字是否为上个数字的2倍,不是则炸弹爆炸。

所以答案应该是: 1 2 4 8 16 32

1
2
3
4
5
6
7
8
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!

第三个短语

查看 main 函数48-50行。

1
2
3
400e6a:    e8 2f 06 00 00           callq  40149e <read_line>
400e6f:    48 89 c7                 mov    %rax,%rdi
400e72:    e8 cc 00 00 00           callq  400f43 <phase_3>

查看对应位置的 phase_3 代码段:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
0000000000400f43 <phase_3>:
  400f43:    48 83 ec 18              sub    $0x18,%rsp
  400f47:    48 8d 4c 24 0c           lea    0xc(%rsp),%rcx
  400f4c:    48 8d 54 24 08           lea    0x8(%rsp),%rdx
  400f51:    be cf 25 40 00           mov    $0x4025cf,%esi
  400f56:    b8 00 00 00 00           mov    $0x0,%eax
  400f5b:    e8 90 fc ff ff           callq  400bf0 <__isoc99_sscanf@plt>
  400f60:    83 f8 01                 cmp    $0x1,%eax
  400f63:    7f 05                    jg     400f6a <phase_3+0x27>
  400f65:    e8 d0 04 00 00           callq  40143a <explode_bomb>
  400f6a:    83 7c 24 08 07           cmpl   $0x7,0x8(%rsp)
  400f6f:    77 3c                    ja     400fad <phase_3+0x6a>
  400f71:    8b 44 24 08              mov    0x8(%rsp),%eax
  400f75:    ff 24 c5 70 24 40 00     jmpq   *0x402470(,%rax,8)
  400f7c:    b8 cf 00 00 00           mov    $0xcf,%eax
  400f81:    eb 3b                    jmp    400fbe <phase_3+0x7b>
  400f83:    b8 c3 02 00 00           mov    $0x2c3,%eax
  400f88:    eb 34                    jmp    400fbe <phase_3+0x7b>
  400f8a:    b8 00 01 00 00           mov    $0x100,%eax
  400f8f:    eb 2d                    jmp    400fbe <phase_3+0x7b>
  400f91:    b8 85 01 00 00           mov    $0x185,%eax
  400f96:    eb 26                    jmp    400fbe <phase_3+0x7b>
  400f98:    b8 ce 00 00 00           mov    $0xce,%eax
  400f9d:    eb 1f                    jmp    400fbe <phase_3+0x7b>
  400f9f:    b8 aa 02 00 00           mov    $0x2aa,%eax
  400fa4:    eb 18                    jmp    400fbe <phase_3+0x7b>
  400fa6:    b8 47 01 00 00           mov    $0x147,%eax
  400fab:    eb 11                    jmp    400fbe <phase_3+0x7b>
  400fad:    e8 88 04 00 00           callq  40143a <explode_bomb>
  400fb2:    b8 00 00 00 00           mov    $0x0,%eax
  400fb7:    eb 05                    jmp    400fbe <phase_3+0x7b>
  400fb9:    b8 37 01 00 00           mov    $0x137,%eax
  400fbe:    3b 44 24 0c              cmp    0xc(%rsp),%eax
  400fc2:    74 05                    je     400fc9 <phase_3+0x86>
  400fc4:    e8 71 04 00 00           callq  40143a <explode_bomb>
  400fc9:    48 83 c4 18              add    $0x18,%rsp
  400fcd:    c3                       retq

gdb 打印第5行内存内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
➜  bomb git:(master) gdb bomb
GNU gdb (Ubuntu 9.1-0ubuntu1) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bomb...
(gdb) p (char*)0x4025cf
$1 = 0x4025cf "%d %d"
(gdb)
  • 7-10: 输入最少为两个整数
  • 11-37: 第一个数 <= 7, 第二个数由第一个数所计算出来的内存位置所决定

由第14行可知:跳转地址为 0x402470 + (第一个数 * 8) 地址所对应的值

gdb 查看 0x402470 附近100个字节的内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
(gdb) x/100x 0x402470
0x402470:    0x00400f7c    0x00000000    0x00400fb9    0x00000000
0x402480:    0x00400f83    0x00000000    0x00400f8a    0x00000000
0x402490:    0x00400f91    0x00000000    0x00400f98    0x00000000
0x4024a0:    0x00400f9f    0x00000000    0x00400fa6    0x00000000
0x4024b0 <array.3449>:    0x7564616d    0x73726569    0x746f666e    0x6c796276
0x4024c0:    0x79206f53    0x7420756f    0x6b6e6968    0x756f7920
0x4024d0:    0x6e616320    0x6f747320    0x68742070    0x6f622065
0x4024e0:    0x7720626d    0x20687469    0x6c727463    0x202c632d
0x4024f0:    0x79206f64    0x003f756f    0x73727543    0x202c7365
0x402500:    0x27756f79    0x66206576    0x646e756f    0x65687420
0x402510:    0x63657320    0x20746572    0x73616870    0x00002165
0x402520:    0x20747542    0x646e6966    0x20676e69    0x61207469
0x402530:    0x7320646e    0x69766c6f    0x6920676e    0x72612074
0x402540:    0x75712065    0x20657469    0x66666964    0x6e657265
0x402550:    0x2e2e2e74    0x00000000    0x676e6f43    0x75746172
0x402560:    0x6974616c    0x21736e6f    0x756f5920    0x20657627
0x402570:    0x75666564    0x20646573    0x20656874    0x626d6f62
0x402580:    0x65570021    0x2e2e6c6c    0x4b4f002e    0x2d3a202e
0x402590:    0x6e490029    0x696c6176    0x68702064    0x25657361
0x4025a0:    0x0a000a73    0x4d4f4f42    0x00212121    0x20656854
0x4025b0:    0x626d6f62    0x73616820    0x6f6c6220    0x75206e77
0x4025c0:    0x25002e70    0x64252064    0x20642520    0x25206425
0x4025d0:    0x64252064    0x72724500    0x203a726f    0x6d657250
0x4025e0:    0x72757461    0x4f452065    0x6e6f2046    0x64747320
0x4025f0:    0x47006e69    0x45444152    0x4d4f425f    0x72450042
(gdb)

可以得到两个数字的 8 个组合。
(0, 207) (1, 311) (2, 707) (3, 256) (4, 389) (5, 206) (6, 682) (7, 327)

输入这八个数字,都正确:

1
2
3
4
5
6
7
8
9
10
➜  bomb git:(master) ./bomb 
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
0 207
Halfway there!

1
2
3
4
5
6
7
8
9
10
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
1 311
Halfway there!

1
2
3
4
5
6
7
8
9
10
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
2 707
Halfway there!

1
2
3
4
5
6
7
8
9
10
➜  bomb git:(master) ./bomb         
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
3 256
Halfway there!

1
2
3
4
5
6
7
8
9
10
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
4 389 
Halfway there!

1
2
3
4
5
6
7
8
9
10
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32 
That's number 2.  Keep going!
5 206
Halfway there!

1
2
3
4
5
6
7
8
9
10
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32 
That's number 2.  Keep going!
6 682
Halfway there!

1
2
3
4
5
6
7
8
9
10
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
7 327
Halfway there!

正如之前所分析的,在这两个数字之后加入任意内容都不影响我们第三个短语的成功

1
2
3
4
5
6
7
8
9
10
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
7 327 ardxwe 158
Halfway there!

一切都是那么的自然

第四个短语

查看 main 函数 54-56 行:

1
2
3
400e86:    e8 13 06 00 00           callq  40149e <read_line>
400e8b:    48 89 c7                 mov    %rax,%rdi
400e8e:    e8 79 01 00 00           callq  40100c <phase_4>

输入字符的指针传递给 phase_4 作为第一个参数,查看 phase_4 对应位置汇编代码。由于这里 phase_4 调用了 func4 函数,因此将 func4 一并贴出。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
0000000000400fce <func4>:
  400fce:    48 83 ec 08              sub    $0x8,%rsp
  400fd2:    89 d0                    mov    %edx,%eax
  400fd4:    29 f0                    sub    %esi,%eax
  400fd6:    89 c1                    mov    %eax,%ecx
  400fd8:    c1 e9 1f                 shr    $0x1f,%ecx
  400fdb:    01 c8                    add    %ecx,%eax
  400fdd:    d1 f8                    sar    %eax
  400fdf:    8d 0c 30                 lea    (%rax,%rsi,1),%ecx
  400fe2:    39 f9                    cmp    %edi,%ecx
  400fe4:    7e 0c                    jle    400ff2 <func4+0x24>
  400fe6:    8d 51 ff                 lea    -0x1(%rcx),%edx
  400fe9:    e8 e0 ff ff ff           callq  400fce <func4>
  400fee:    01 c0                    add    %eax,%eax
  400ff0:    eb 15                    jmp    401007 <func4+0x39>
  400ff2:    b8 00 00 00 00           mov    $0x0,%eax
  400ff7:    39 f9                    cmp    %edi,%ecx
  400ff9:    7d 0c                    jge    401007 <func4+0x39>
  400ffb:    8d 71 01                 lea    0x1(%rcx),%esi
  400ffe:    e8 cb ff ff ff           callq  400fce <func4>
  401003:    8d 44 00 01              lea    0x1(%rax,%rax,1),%eax
  401007:    48 83 c4 08              add    $0x8,%rsp
  40100b:    c3                       retq   

000000000040100c <phase_4>:
  40100c:    48 83 ec 18              sub    $0x18,%rsp
  401010:    48 8d 4c 24 0c           lea    0xc(%rsp),%rcx
  401015:    48 8d 54 24 08           lea    0x8(%rsp),%rdx
  40101a:    be cf 25 40 00           mov    $0x4025cf,%esi
  40101f:    b8 00 00 00 00           mov    $0x0,%eax
  401024:    e8 c7 fb ff ff           callq  400bf0 <__isoc99_sscanf@plt>
  401029:    83 f8 02                 cmp    $0x2,%eax
  40102c:    75 07                    jne    401035 <phase_4+0x29>
  40102e:    83 7c 24 08 0e           cmpl   $0xe,0x8(%rsp)
  401033:    76 05                    jbe    40103a <phase_4+0x2e>
  401035:    e8 00 04 00 00           callq  40143a <explode_bomb>
  40103a:    ba 0e 00 00 00           mov    $0xe,%edx
  40103f:    be 00 00 00 00           mov    $0x0,%esi
  401044:    8b 7c 24 08              mov    0x8(%rsp),%edi
  401048:    e8 81 ff ff ff           callq  400fce <func4>
  40104d:    85 c0                    test   %eax,%eax
  40104f:    75 07                    jne    401058 <phase_4+0x4c>
  401051:    83 7c 24 0c 00           cmpl   $0x0,0xc(%rsp)
  401056:    74 05                    je     40105d <phase_4+0x51>
  401058:    e8 dd 03 00 00           callq  40143a <explode_bomb>
  40105d:    48 83 c4 18              add    $0x18,%rsp
  401061:    c3                       retq
  • 29-33: 需要两个参数, 至于参数具体格式, 可以通过查看 esi 寄存器存储的内存地址内容
1
2
(gdb) p (char*)0x4025cf
$2 = 0x4025cf "%d %d"

显然,刚好需要两个整数。

  • 34-47:第一个参数 <= 15,调用 func4的返回值应该是0,第二个数字是0

仔细分析 func4, 15 >> 1 == 7,如果输入是7,刚好满足 jle 和 jge 的条件, 而且 rax = 0, 满足题意,故答案为(7, 0)

1
2
3
4
5
6
7
8
9
10
11
12
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
0 207 
Halfway there!
7 0
So you got that one.  Try this one.

第五个短语

查看 main 函数第 60-62 行:

1
2
3
400ea2:    e8 f7 05 00 00           callq  40149e <read_line>
400ea7:    48 89 c7                 mov    %rax,%rdi
400eaa:    e8 b3 01 00 00           callq  401062 <phase_5>

查看 phase_5 对应汇编代码:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
0000000000401062 <phase_5>:
  401062:    53                       push   %rbx
  401063:    48 83 ec 20              sub    $0x20,%rsp
  401067:    48 89 fb                 mov    %rdi,%rbx
  40106a:    64 48 8b 04 25 28 00     mov    %fs:0x28,%rax
  401071:    00 00 
  401073:    48 89 44 24 18           mov    %rax,0x18(%rsp)
  401078:    31 c0                    xor    %eax,%eax
  40107a:    e8 9c 02 00 00           callq  40131b <string_length>
  40107f:    83 f8 06                 cmp    $0x6,%eax
  401082:    74 4e                    je     4010d2 <phase_5+0x70>
  401084:    e8 b1 03 00 00           callq  40143a <explode_bomb>
  401089:    eb 47                    jmp    4010d2 <phase_5+0x70>
  40108b:    0f b6 0c 03              movzbl (%rbx,%rax,1),%ecx
  40108f:    88 0c 24                 mov    %cl,(%rsp)
  401092:    48 8b 14 24              mov    (%rsp),%rdx
  401096:    83 e2 0f                 and    $0xf,%edx
  401099:    0f b6 92 b0 24 40 00     movzbl 0x4024b0(%rdx),%edx
  4010a0:    88 54 04 10              mov    %dl,0x10(%rsp,%rax,1)
  4010a4:    48 83 c0 01              add    $0x1,%rax
  4010a8:    48 83 f8 06              cmp    $0x6,%rax
  4010ac:    75 dd                    jne    40108b <phase_5+0x29>
  4010ae:    c6 44 24 16 00           movb   $0x0,0x16(%rsp)
  4010b3:    be 5e 24 40 00           mov    $0x40245e,%esi
  4010b8:    48 8d 7c 24 10           lea    0x10(%rsp),%rdi
  4010bd:    e8 76 02 00 00           callq  401338 <strings_not_equal>
  4010c2:    85 c0                    test   %eax,%eax
  4010c4:    74 13                    je     4010d9 <phase_5+0x77>
  4010c6:    e8 6f 03 00 00           callq  40143a <explode_bomb>
  4010cb:    0f 1f 44 00 00           nopl   0x0(%rax,%rax,1)
  4010d0:    eb 07                    jmp    4010d9 <phase_5+0x77>
  4010d2:    b8 00 00 00 00           mov    $0x0,%eax
  4010d7:    eb b2                    jmp    40108b <phase_5+0x29>
  4010d9:    48 8b 44 24 18           mov    0x18(%rsp),%rax
  4010de:    64 48 33 04 25 28 00     xor    %fs:0x28,%rax
  4010e5:    00 00 
  4010e7:    74 05                    je     4010ee <phase_5+0x8c>
  4010e9:    e8 42 fa ff ff           callq  400b30 <__stack_chk_fail@plt>
  4010ee:    48 83 c4 20              add    $0x20,%rsp
  4010f2:    5b                       pop    %rbx
  4010f3:    c3                       retq
  • 9-10: 字符串长度为6
  • 13-41: 每个字符对应字节后四位作为偏移,以 0x4024b0 作为基地址,最终和 0x40245e 内存地址做比较。
    使用 gdb 查看相应内存地址内容:
1
2
(gdb) p (char*)0x40245e
$1 = 0x40245e "flyers"
1
2
(gdb) p (char*)0x4024b0
$2 = 0x4024b0 <array> "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"

为了得到 flyers, 需要的偏移地址为 9fe567,理论上 ASCII 码可打印字符均可。

故答案为 9?>567 或者 y_^UVW 等等 只要满足最后四位要求即可。

1
2
3
4
5
6
7
8
9
10
11
12
13
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
7 327
Halfway there!
7 0
So you got that one.  Try this one.
9?>567
Good work!  On to the next...
1
2
3
4
5
6
7
8
9
10
11
12
13
➜  bomb git:(master) ./bomb         
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
7 327
Halfway there!
7 0
So you got that one.  Try this one.
y_^UVW
Good work!  On to the next...

我们成功了!

第六个短语

查看 main 函数第 66-68 行

1
2
3
400ebe:    e8 db 05 00 00           callq  40149e <read_line>
400ec3:    48 89 c7                 mov    %rax,%rdi
400ec6:    e8 29 02 00 00           callq  4010f4 <phase_6>

查看内存地址 0x4010f4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
00000000004010f4 <phase_6>:
  4010f4:    41 56                    push   %r14
  4010f6:    41 55                    push   %r13
  4010f8:    41 54                    push   %r12
  4010fa:    55                       push   %rbp
  4010fb:    53                       push   %rbx
  4010fc:    48 83 ec 50              sub    $0x50,%rsp
  401100:    49 89 e5                 mov    %rsp,%r13
  401103:    48 89 e6                 mov    %rsp,%rsi
  401106:    e8 51 03 00 00           callq  40145c <read_six_numbers>
  40110b:    49 89 e6                 mov    %rsp,%r14
  40110e:    41 bc 00 00 00 00        mov    $0x0,%r12d
  401114:    4c 89 ed                 mov    %r13,%rbp
  401117:    41 8b 45 00              mov    0x0(%r13),%eax
  40111b:    83 e8 01                 sub    $0x1,%eax
  40111e:    83 f8 05                 cmp    $0x5,%eax
  401121:    76 05                    jbe    401128 <phase_6+0x34>
  401123:    e8 12 03 00 00           callq  40143a <explode_bomb>
  401128:    41 83 c4 01              add    $0x1,%r12d
  40112c:    41 83 fc 06              cmp    $0x6,%r12d
  401130:    74 21                    je     401153 <phase_6+0x5f>
  401132:    44 89 e3                 mov    %r12d,%ebx
  401135:    48 63 c3                 movslq %ebx,%rax
  401138:    8b 04 84                 mov    (%rsp,%rax,4),%eax
  40113b:    39 45 00                 cmp    %eax,0x0(%rbp)
  40113e:    75 05                    jne    401145 <phase_6+0x51>
  401140:    e8 f5 02 00 00           callq  40143a <explode_bomb>
  401145:    83 c3 01                 add    $0x1,%ebx
  401148:    83 fb 05                 cmp    $0x5,%ebx
  40114b:    7e e8                    jle    401135 <phase_6+0x41>
  40114d:    49 83 c5 04              add    $0x4,%r13
  401151:    eb c1                    jmp    401114 <phase_6+0x20>
  401153:    48 8d 74 24 18           lea    0x18(%rsp),%rsi
  401158:    4c 89 f0                 mov    %r14,%rax
  40115b:    b9 07 00 00 00           mov    $0x7,%ecx
  401160:    89 ca                    mov    %ecx,%edx
  401162:    2b 10                    sub    (%rax),%edx
  401164:    89 10                    mov    %edx,(%rax)
  401166:    48 83 c0 04              add    $0x4,%rax
  40116a:    48 39 f0                 cmp    %rsi,%rax
  40116d:    75 f1                    jne    401160 <phase_6+0x6c>
  40116f:    be 00 00 00 00           mov    $0x0,%esi
  401174:    eb 21                    jmp    401197 <phase_6+0xa3>
  401176:    48 8b 52 08              mov    0x8(%rdx),%rdx
  40117a:    83 c0 01                 add    $0x1,%eax
  40117d:    39 c8                    cmp    %ecx,%eax
  40117f:    75 f5                    jne    401176 <phase_6+0x82>
  401181:    eb 05                    jmp    401188 <phase_6+0x94>
  401183:    ba d0 32 60 00           mov    $0x6032d0,%edx
  401188:    48 89 54 74 20           mov    %rdx,0x20(%rsp,%rsi,2)
  40118d:    48 83 c6 04              add    $0x4,%rsi
  401191:    48 83 fe 18              cmp    $0x18,%rsi
  401195:    74 14                    je     4011ab <phase_6+0xb7>
  401197:    8b 0c 34                 mov    (%rsp,%rsi,1),%ecx
  40119a:    83 f9 01                 cmp    $0x1,%ecx
  40119d:    7e e4                    jle    401183 <phase_6+0x8f>
  40119f:    b8 01 00 00 00           mov    $0x1,%eax
  4011a4:    ba d0 32 60 00           mov    $0x6032d0,%edx
  4011a9:    eb cb                    jmp    401176 <phase_6+0x82>
  4011ab:    48 8b 5c 24 20           mov    0x20(%rsp),%rbx
  4011b0:    48 8d 44 24 28           lea    0x28(%rsp),%rax
  4011b5:    48 8d 74 24 50           lea    0x50(%rsp),%rsi
  4011ba:    48 89 d9                 mov    %rbx,%rcx
  4011bd:    48 8b 10                 mov    (%rax),%rdx
  4011c0:    48 89 51 08              mov    %rdx,0x8(%rcx)
  4011c4:    48 83 c0 08              add    $0x8,%rax
  4011c8:    48 39 f0                 cmp    %rsi,%rax
  4011cb:    74 05                    je     4011d2 <phase_6+0xde>
  4011cd:    48 89 d1                 mov    %rdx,%rcx
  4011d0:    eb eb                    jmp    4011bd <phase_6+0xc9>
  4011d2:    48 c7 42 08 00 00 00     movq   $0x0,0x8(%rdx)
  4011d9:    00 
  4011da:    bd 05 00 00 00           mov    $0x5,%ebp
  4011df:    48 8b 43 08              mov    0x8(%rbx),%rax
  4011e3:    8b 00                    mov    (%rax),%eax
  4011e5:    39 03                    cmp    %eax,(%rbx)
  4011e7:    7d 05                    jge    4011ee <phase_6+0xfa>
  4011e9:    e8 4c 02 00 00           callq  40143a <explode_bomb>
  4011ee:    48 8b 5b 08              mov    0x8(%rbx),%rbx
  4011f2:    83 ed 01                 sub    $0x1,%ebp
  4011f5:    75 e8                    jne    4011df <phase_6+0xeb>
  4011f7:    48 83 c4 50              add    $0x50,%rsp
  4011fb:    5b                       pop    %rbx
  4011fc:    5d                       pop    %rbp
  4011fd:    41 5c                    pop    %r12
  4011ff:    41 5d                    pop    %r13
  401201:    41 5e                    pop    %r14
  401203:    c3                       retq

或许看到如此冗长的汇编代码你会感到茫然,其实没有什么难度,多点耐心就好。

主要表达的是:

  • 共有六个数字,每个数字 <= 6
  • 每个数字执行固定操作 取反 + 7
  • 用操作后的数字作为取址次数,0x6032d0作为基地址,按顺序将对应内存位置 + 8 的内容存储到堆栈。
  • 按顺序,堆栈处所存储地址对应的数字应该是递减的

查看 0x6032d0 内存内容:

1
2
3
4
5
6
7
(gdb) x/100x 0x6032d0
0x6032d0 <node1>:    0x0000014c    0x00000001    0x006032e0    0x00000000
0x6032e0 <node2>:    0x000000a8    0x00000002    0x006032f0    0x00000000
0x6032f0 <node3>:    0x0000039c    0x00000003    0x00603300    0x00000000
0x603300 <node4>:    0x000002b3    0x00000004    0x00603310    0x00000000
0x603310 <node5>:    0x000001dd    0x00000005    0x00603320    0x00000000
0x603320 <node6>:    0x000001bb    0x00000006    0x00000000    0x00000000

对应内存地址内容从小到大排列应该是 0x6032f0 0x603300 0x603310 0x603320 0x6032d0 0x6032e0
循环次数应该是 2 3 4 5 0 1,注意到 main 函数第57行:

1
40119f:    b8 01 00 00 00           mov    $0x1,%eax

比较时 eax 初始值为1,每操作一次,然后比较。所以,实际的值应该为 3 4 5 6 1 2,又因为一开始对数字进行取反加7的操作,所以本来的6个数字应该是 4 3 2 1 6 5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
➜  bomb git:(master) ./bomb
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
7 327
Halfway there!
7 0
So you got that one.  Try this one.
9?>567
Good work!  On to the next...
4 3 2 1 6 5
Congratulations! You've defused the bomb!

全文完

任何建议或者疑问你可以发我邮件: ardxwe@gmail.com