Rookie Assembly Bomb Defusal cmp Operator
I'm new to assembly and really have no idea what is going on.
I'm trying to complete a homework assignment in which we have to defuse a bomb by finding out the correct input to five phases of a program.
I've tried looking online for the answer to my question but I really have no idea what to search to find the answer I'm looking for.
I believe I understand everything in the code below from <+0> to <+35>. At <+40> the cmp operator is called to compare $0x2 with what is stored in the %eax register. At the time of the comparison I believe %eax is still storing a function call to scanf (correct me if I'm wrong).
Through use of gdb I do know that the scanf function was called as follows: scanf("%d %d", &x, &y);
So what exactly is $0x2 referring to in this case (is it just the value 2?) and what is happening when comparing the two items?
I believe this is GAS syntax.
0x0804870a <+0>: sub $0x2c,%esp
0x0804870d <+3>: lea 0x1c(%esp),%eax
0x08048711 <+7>: mov %eax,0xc(%esp)
0x08048715 <+11>: lea 0x18(%esp),%eax
0x08048719 <+15>: mov %eax,0x8(%esp)
0x0804871d <+19>: movl $0x8048baa,0x4(%esp)
0x08048725 <+27>: mov 0x804b040,%eax
0x0804872a <+32>: mov %eax,(%esp)
0x0804872d <+35>: call 0x8048480 <__isoc99_fscanf@plt>
0x08048732 <+40>: cmp $0x2,%eax
0x08048735 <+43>: je 0x8048743 <phase_1_of_5+57>
0x08048737 <+45>: movl $0x1,(%esp)
0x0804873e <+52>: call 0x80486ef <explode>
0x08048743 <+57>: mov 0x18(%esp),%eax
0x08048747 <+61>: mov %eax,%edx
0x08048749 <+63>: shl $0x5,%edx
0x0804874c <+66>: add %edx,%eax
0x0804874e <+68>: cmp 0x1c(%esp),%eax
0x08048752 <+72>: je 0x8048760 <phase_1_of_5+86>
0x08048754 <+74>: movl $0x1,(%esp)
0x0804875b <+81>: call 0x80486ef <explode>
0x08048760 <+86>: add $0x2c,%esp
0x08048763 <+89>: ret
Common confusion with the JE and related instructions. I would recommend getting a debugger to visualize what the code is doing.
cmp is internally subtracting, but really it's checking if eax == 2. If eax == 2, JE (JUMP IF EQUAL) jumps, so the EIP register (the next instruction executed) becomes 0x08048743 (the memory address of "phase_1_of_5+57"). If eax != 2, it steps over JE, ignoring it.
SPOILER, DO NOT READ THIS UNTIL YOU PRACTISE YOURSELF AND GET STUCK AGAIN:
So we look at http://www.tutorialspoint.com/c_standard_library/c_function_fscanf.htm for what fscanf does. We see that a return value of 2 means it expects 2 terms of input. Now we assume we enter two terms and now we follow the JE.
We see (this is why you need a debugger, to visualize this)
mov 0x18(%esp),%eax
...
cmp 0x1c(%esp),%eax
0x18 == 6th value on the stack
0x1c == 7th value on the stack
safe to assume these are the two input terms.
0x08048743 <+57>: mov 0x18(%esp),%eax
0x08048747 <+61>: mov %eax,%edx
0x08048749 <+63>: shl $0x5,%edx
0x0804874c <+66>: add %edx,%eax
Here we can assume the way to defuse the bomb is to enter the left shift by 5 of the first term, added to the first term, as the second term.
So 0 0 should defuse it.
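A C model of the two checks in the listing, added here as an example (it is not the bomb's source and not the answerer's code): the fscanf return value must be 2, and then eax = x + (x << 5) is compared with y, so every pair where y == 33 * x modulo 2^32 passes, 0 0 included. It assumes sscanf on a string in place of fscanf on the FILE* the bomb keeps at 0x804b040, so it runs stand-alone.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: a model of phase_1_of_5 reconstructed from the listing,
   not the bomb's own source. Returns 1 when the phase passes and 0 when
   the code would reach a call to explode. */

/* <+35>..<+40>: fscanf("%d %d", &x, &y) must return 2, i.e. both
   integers were parsed. sscanf on a string is used here (assumption) so
   the model runs without the FILE* the bomb keeps at 0x804b040. */
int read_two_ints(const char *line, int *x, int *y)
{
    return sscanf(line, "%d %d", x, y) == 2;
}

/* <+57>..<+68>: eax = x (0x18(%esp)); edx = eax << 5; eax += edx;
   cmp y (0x1c(%esp)), eax. 32-bit registers wrap modulo 2^32, so
   uint32_t mirrors what the hardware computes. */
int second_check(int x, int y)
{
    uint32_t eax = (uint32_t)x;
    uint32_t edx = eax << 5;      /* shl $0x5,%edx */
    eax += edx;                   /* add %edx,%eax  -> 33 * x mod 2^32 */
    return eax == (uint32_t)y;    /* je taken only when equal */
}

int phase_1_of_5(const char *line)
{
    int x = 0, y = 0;
    if (!read_two_ints(line, &x, &y))
        return 0;                 /* cmp $0x2,%eax fails -> explode */
    return second_check(x, y);    /* cmp 0x1c(%esp),%eax */
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "0 0", "1 33", "1 32", "7" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %s\n", samples[i],
               phase_1_of_5(samples[i]) ? "defused" : "explode");
    return 0;
}
```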