0

这是一个硬件问题。我不是在要求没有'explode_bomb'曾经运行过的答案。我要求对一小段代码中发生的事情进行澄清/指导。

这就是我想要弄清楚的(下面的 [0x8(%ebx)] 代码发生了什么)?0x8(%register) 不是指访问内存地址%register+0x8处的值吗?它看起来不像内存地址被存储在那里......我知道这是一个模糊的问题。我在伪代码中将我不理解的行标记为 LINEXXX-HexAddress* *。[LINEXXX - 是来自 ddd 的行号-它不允许我从 ddd 复制,所以我使用了 objdump...]

非常感谢,任何小技巧都值得赞赏。

8048efa:    8b 5c 24 10             mov    0x10(%esp),%ebx
8048efe:    8b 44 24 14             mov    0x14(%esp),%eax
8048f02:    89 43 08                mov    %eax,0x8(%ebx)
8048f05:    8b 54 24 18             mov    0x18(%esp),%edx
8048f09:    89 50 08                mov    %edx,0x8(%eax)
8048f0c:    8b 44 24 1c             mov    0x1c(%esp),%eax
8048f10:    89 42 08                mov    %eax,0x8(%edx)
8048f13:    8b 54 24 20             mov    0x20(%esp),%edx
8048f17:    89 50 08                mov    %edx,0x8(%eax)
8048f1a:    8b 44 24 24             mov    0x24(%esp),%eax
8048f1e:    89 42 08                mov    %eax,0x8(%edx)
8048f21:    c7 40 08 00 00 00 00    movl   $0x0,0x8(%eax)
8048f28:    be 05 00 00 00          mov    $0x5,%esi
8048f2d:    8b 43 08                mov    0x8(%ebx),%eax
8048f30:    8b 10                   mov    (%eax),%edx
8048f32:    39 13                   cmp    %edx,(%ebx)
8048f34:    7d 05                   jge    8048f3b <phase_6+0xca>
8048f36:    e8 d3 03 00 00          call   804930e <explode_bomb>
8048f3b:    8b 5b 08                mov    0x8(%ebx),%ebx
8048f3e:    83 ee 01                sub    $0x1,%esi

我编写了一些伪代码来帮助我更好地了解正在发生的事情:

example input-> "6 89 79 69 59 49"
eax = "6 89 79 69 59 49"
stuff
after stuff (read_six_numbers)
eax = 6
0x28(esp,edi*4)
edi=0 -> 6
edi=1 -> 89
edi=2 -> 79
edi=3 -> 69
edi=4 -> 59
edi=5 -> 49

naming this as array[]
----------------
edi=0;
esi=0;
Line31:
eax = array[edi];
eax--;
if((unsigned int)eax > 5) explodebomb();
esi=1+edi;
if(esi==6)goto Line109
ebx=esi;
Line58:
eax=array[ebx];
if(eax == array[esi-1]) explodebomb();
ebx++;
edi=esi;
if(5<=ebx)goto Line58;
else goto Line31;
Line85:
edx = *edx + 8;
eax++;
if(ecx != eax)goto Line85;
Line85:
array2[esi]=edx;
ebx++;
if(6 != ebx) goto Line114;
goto Line137
ebx = 0;
esi=ebx;
ecx=array[ebx];
eax = 1;
edx=0x804c154;
if(1>ecx)goto Line85;
goto Line95;
ebx=array2[0];
eax=array2[1];
LINE145-0x08048f02**** 0x8(ebx)=eax;
edx=array2[2];
LINE152-0x08048f09**** 0x8(eax)=edx;
eax=array2[3];
LINE159-0x08048f10**** 0x8(edx)=eax;
edx=array2[4];
LINE166-0x08048f17**** 0x8(eax)=edx;
eax=array2[5];
LINE173-0x08048f1e**** 0x8(edx)=eax;
LINE176-0x08048f21**** 0x8(eax)=eax;
esi=5;
Line188:
LINE188-0x08048f2d**** eax=0x8(ebx);
edx=(eax);
if(!(edx >= (ebx))) explodebomb();
LINE202-0x08048f3b**** ebx=0x8(ebx);
esi--;
if(edx != (ebx)) goto Line188;
esp+=0x40;
return eax;

汇编代码:

08048e71 <phase_6>:
8048e71:    57                      push   %edi
8048e72:    56                      push   %esi
8048e73:    53                      push   %ebx
8048e74:    83 ec 40                sub    $0x40,%esp
8048e77:    8d 44 24 28             lea    0x28(%esp),%eax
8048e7b:    89 44 24 04             mov    %eax,0x4(%esp)
8048e7f:    8b 44 24 50             mov    0x50(%esp),%eax
8048e83:    89 04 24                mov    %eax,(%esp)
8048e86:    e8 ce 05 00 00          call   8049459 <read_six_numbers>
8048e8b:    bf 00 00 00 00          mov    $0x0,%edi
8048e90:    8b 44 bc 28             mov    0x28(%esp,%edi,4),%eax
8048e94:    83 e8 01                sub    $0x1,%eax
8048e97:    83 f8 05                cmp    $0x5,%eax
8048e9a:    76 05                   jbe    8048ea1 <phase_6+0x30>
8048e9c:    e8 6d 04 00 00          call   804930e <explode_bomb>
8048ea1:    8d 77 01                lea    0x1(%edi),%esi
8048ea4:    83 fe 06                cmp    $0x6,%esi
8048ea7:    74 35                   je     8048ede <phase_6+0x6d>
8048ea9:    89 f3                   mov    %esi,%ebx
8048eab:    8b 44 9c 28             mov    0x28(%esp,%ebx,4),%eax
8048eaf:    39 44 b4 24             cmp    %eax,0x24(%esp,%esi,4)
8048eb3:    75 05                   jne    8048eba <phase_6+0x49>
8048eb5:    e8 54 04 00 00          call   804930e <explode_bomb>
8048eba:    83 c3 01                add    $0x1,%ebx
8048ebd:    89 f7                   mov    %esi,%edi
8048ebf:    83 fb 05                cmp    $0x5,%ebx
8048ec2:    7e e7                   jle    8048eab <phase_6+0x3a>
8048ec4:    eb ca                   jmp    8048e90 <phase_6+0x1f>
8048ec6:    8b 52 08                mov    0x8(%edx),%edx
8048ec9:    83 c0 01                add    $0x1,%eax
8048ecc:    39 c8                   cmp    %ecx,%eax
8048ece:    75 f6                   jne    8048ec6 <phase_6+0x55>
8048ed0:    89 54 b4 10             mov    %edx,0x10(%esp,%esi,4)
8048ed4:    83 c3 01                add    $0x1,%ebx
8048ed7:    83 fb 06                cmp    $0x6,%ebx
8048eda:    75 07                   jne    8048ee3 <phase_6+0x72>
8048edc:    eb 1c                   jmp    8048efa <phase_6+0x89>
8048ede:    bb 00 00 00 00          mov    $0x0,%ebx
8048ee3:    89 de                   mov    %ebx,%esi
8048ee5:    8b 4c 9c 28             mov    0x28(%esp,%ebx,4),%ecx
8048ee9:    b8 01 00 00 00          mov    $0x1,%eax
8048eee:    ba 54 c1 04 08          mov    $0x804c154,%edx
8048ef3:    83 f9 01                cmp    $0x1,%ecx
8048ef6:    7f ce                   jg     8048ec6 <phase_6+0x55>
8048ef8:    eb d6                   jmp    8048ed0 <phase_6+0x5f>
8048efa:    8b 5c 24 10             mov    0x10(%esp),%ebx
8048efe:    8b 44 24 14             mov    0x14(%esp),%eax
8048f02:    89 43 08                mov    %eax,0x8(%ebx)
8048f05:    8b 54 24 18             mov    0x18(%esp),%edx
8048f09:    89 50 08                mov    %edx,0x8(%eax)
8048f0c:    8b 44 24 1c             mov    0x1c(%esp),%eax
8048f10:    89 42 08                mov    %eax,0x8(%edx)
8048f13:    8b 54 24 20             mov    0x20(%esp),%edx
8048f17:    89 50 08                mov    %edx,0x8(%eax)
8048f1a:    8b 44 24 24             mov    0x24(%esp),%eax
8048f1e:    89 42 08                mov    %eax,0x8(%edx)
8048f21:    c7 40 08 00 00 00 00    movl   $0x0,0x8(%eax)
8048f28:    be 05 00 00 00          mov    $0x5,%esi
8048f2d:    8b 43 08                mov    0x8(%ebx),%eax
8048f30:    8b 10                   mov    (%eax),%edx
8048f32:    39 13                   cmp    %edx,(%ebx)
8048f34:    7d 05                   jge    8048f3b <phase_6+0xca>
8048f36:    e8 d3 03 00 00          call   804930e <explode_bomb>
8048f3b:    8b 5b 08                mov    0x8(%ebx),%ebx
8048f3e:    83 ee 01                sub    $0x1,%esi
8048f41:    75 ea                   jne    8048f2d <phase_6+0xbc>
8048f43:    83 c4 40                add    $0x40,%esp
8048f46:    5b                      pop    %ebx
8048f47:    5e                      pop    %esi
8048f48:    5f                      pop    %edi
8048f49:    c3                      ret
4

1 回答 1

2

我不想透露太多,但这里有一些提示:

  1. 在地址 0x8048ec6 到 0x8048ef8 的代码中,一个由六个指针 ( esp+0x10- esp+0x28) 组成的数组填充了从一些全局数据中获取的指针。此数据似乎从偏移量0x804c154开始(请参阅列表中的偏移量 0x8048eee)

  2. 稍后,从您的清单中的偏移量0x8048efa开始,引用#1 中提到的数组,这就是我的理解(这是伪代码......):

    struct s { 
    int value; 
    int ??;
    struct s * next;
};
// in esp+0x10
struct s *point_arr[6];
point_arr[0]->next = &point_arr[1];
point_arr[1]->next = &point_arr[2];
point_arr[2]->next = &point_arr[3];
point_arr[3]->next = &point_arr[4];
point_arr[4]->next = &point_arr[5];
point_arr[5]->next = NULL;

  3. 在此之后,有一个检查(在循环中) ( point_arr[i]->value > point_arr[i-1]->value)

因此,当您说没有内存地址存储在 %ebx 中时,它是不准确的。内存地址存储在%esp+0x10%esp+0x10存储在%ebx.

于 2013-04-01T21:38:37.720 回答