So I'm completely new to this whole reverse engineering thing. I've been working on the IOLI crackme challenge, which has 10 levels, and I solved 3 of them with radare2. But now I'm stuck on the 4th one, and there is something going on with the registers that I don't understand.
[0x080484da]> pdf @ main
| ;-- main:
/ (fcn) sym.main 128
| sym.main ();
| ; var int local_ch @ ebp-0xc
| ; var int local_8h @ ebp-0x8
| ; var int local_4h @ ebp-0x4
| ; var int local_4h_2 @ esp+0x4
| ; DATA XREF from 0x08048377 (entry0)
| 0x08048498 55 push ebp
| 0x08048499 89e5 mov ebp, esp
| 0x0804849b 83ec18 sub esp, 0x18
| 0x0804849e 83e4f0 and esp, 0xfffffff0
| 0x080484a1 b800000000 mov eax, 0
| 0x080484a6 83c00f add eax, 0xf
| 0x080484a9 83c00f add eax, 0xf
| 0x080484ac c1e804 shr eax, 4
| 0x080484af c1e004 shl eax, 4
| 0x080484b2 29c4 sub esp, eax
| 0x080484b4 c70424108604. mov dword [esp], str.IOLI_Crackme_Level_0x03 ; [0x8048610:4]=0x494c4f49 ; "IOLI Crackme Level 0x03\n"
| 0x080484bb e890feffff call sym.imp.printf ; int printf(const char *format)
| 0x080484c0 c70424298604. mov dword [esp], str.Password: ; [0x8048629:4]=0x73736150 ; "Password: "
| 0x080484c7 e884feffff call sym.imp.printf ; int printf(const char *format)
| 0x080484cc 8d45fc lea eax, [local_4h]
| 0x080484cf 89442404 mov dword [local_4h_2], eax
| 0x080484d3 c70424348604. mov dword [esp], 0x8048634 ; [0x8048634:4]=0x6425
| 0x080484da b e851feffff call sym.imp.scanf ; int scanf(const char *format)
| 0x080484df c745f85a0000. mov dword [local_8h], 0x5a ; 'Z' ; 90
| 0x080484e6 c745f4ec0100. mov dword [local_ch], 0x1ec ; edx
| 0x080484ed 8b55f4 mov edx, dword [local_ch]
| 0x080484f0 8d45f8 lea eax, [local_8h]
| 0x080484f3 b 0110 add dword [eax], edx
| ;-- eip:
| 0x080484f5 b 8b45f8 mov eax, dword [local_8h]
| 0x080484f8 0faf45f8 imul eax, dword [local_8h]
| 0x080484fc 8945f4 mov dword [local_ch], eax
| 0x080484ff 8b45f4 mov eax, dword [local_ch]
| 0x08048502 89442404 mov dword [local_4h_2], eax
| 0x08048506 8b45fc mov eax, dword [local_4h]
| 0x08048509 890424 mov dword [esp], eax
| 0x0804850c e85dffffff call sym.test
| 0x08048511 b800000000 mov eax, 0
| 0x08048516 c9 leave
\ 0x08048517 c3 ret
[0x080484da]> dr
eax = 0xff8c6bb0
ebx = 0x00000000
ecx = 0x00000000
edx = 0x000001ec
esi = 0xf7f14000
edi = 0x00000000
esp = 0xff8c6b90
ebp = 0xff8c6bb8
eip = 0x080484f5
eflags = 0x00000212
oeax = 0xffffffff
[0x080484da]>
In debugger mode, I dumped the register values at the third breakpoint (0x080484f5). Up to this point the program has created a few variables, which are used in the add on the previous line. As far as I can tell, the program should add 90 and 492 together and store the value in eax. But when I dump the registers, the value is 0xff8c6bb0. I can't seem to figure out why the register value doesn't match what the disassembly says. If anyone could tell me what I'm doing wrong, it would be much appreciated.
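As an added worked example (not part of the question, and not the IOLI crackme's own code): a small C model of the instruction sequence between 0x080484df and 0x080484fc in the disassembly above, with the registers and the stack frame represented explicitly. It uses the ebp value 0xff8c6bb8 from the `dr` dump; the 16-slot stack array, the slot layout and the function names are this example's own assumptions. The snapshot taken at 0x080484f5, the eip of the dump, shows why eax reads 0xff8c6bb0 there: `lea eax, [local_8h]` loads the address ebp-0x8 into eax, and `add dword [eax], edx` adds edx to the memory at that address, leaving eax itself untouched. The sum 0x246 (582) only enters eax with `mov eax, dword [local_8h]` at 0x080484f5, and 582*582 = 338724 is the value that 0x080484ff..0x08048502 copy to [esp+4] as the second argument of sym.test.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example: a register/stack-frame model of the posted
 * disassembly, 0x080484df..0x080484fc.  The struct, the 16-slot stack
 * array and the function names are this example's own; 0xff8c6bb8 is
 * the ebp value from the poster's `dr` dump. */
typedef struct {
    uint32_t eax, edx, ebp;       /* registers */
    uint32_t local_8h, local_ch;  /* dword [ebp-0x8], dword [ebp-0xc] */
} state_t;

/* Address -> aligned 32-bit slot in the emulated frame (every access in
 * this sequence is 4-byte aligned relative to ebp). */
static uint32_t *slot(uint32_t *stack, uint32_t base, uint32_t addr) {
    return &stack[(addr - base) / 4];
}

/* Runs the sequence.  With stop_at_f5 != 0 it returns the state as it is
 * at 0x080484f5, i.e. right after `add dword [eax], edx`, which is where
 * the `dr` dump was taken; otherwise it runs through 0x080484fc. */
static state_t emulate_main_arith(uint32_t ebp_value, int stop_at_f5) {
    uint32_t stack[16] = {0};
    const uint32_t base = ebp_value - 0x20;   /* slots cover ebp-0x20 .. ebp+0x1c */
    state_t s = { .eax = 0, .edx = 0, .ebp = ebp_value, .local_8h = 0, .local_ch = 0 };

    *slot(stack, base, s.ebp - 0x8) = 0x5a;   /* mov dword [local_8h], 0x5a   (90)  */
    *slot(stack, base, s.ebp - 0xc) = 0x1ec;  /* mov dword [local_ch], 0x1ec  (492) */
    s.edx = *slot(stack, base, s.ebp - 0xc);  /* mov edx, dword [local_ch]          */
    s.eax = s.ebp - 0x8;                      /* lea eax, [local_8h]: eax = address */
    *slot(stack, base, s.eax) += s.edx;       /* add dword [eax], edx: memory += edx,
                                                 eax keeps the address              */
    if (!stop_at_f5) {
        s.eax = *slot(stack, base, s.ebp - 0x8);   /* mov eax, dword [local_8h]   */
        s.eax *= *slot(stack, base, s.ebp - 0x8);  /* imul eax, dword [local_8h]  */
        *slot(stack, base, s.ebp - 0xc) = s.eax;   /* mov dword [local_ch], eax   */
    }
    s.local_8h = *slot(stack, base, s.ebp - 0x8);
    s.local_ch = *slot(stack, base, s.ebp - 0xc);
    return s;
}

int main(void) {
    state_t at_bp = emulate_main_arith(0xff8c6bb8u, 1);
    state_t done  = emulate_main_arith(0xff8c6bb8u, 0);
    printf("at 0x080484f5:    eax=0x%08" PRIx32 " (= ebp-8) edx=0x%08" PRIx32
           " [ebp-8]=%" PRIu32 "\n", at_bp.eax, at_bp.edx, at_bp.local_8h);
    printf("after 0x080484fc: eax=%" PRIu32 ", [ebp-0xc]=%" PRIu32
           " is the 2nd argument to sym.test\n", done.eax, done.local_ch);
    return 0;
}
```

Stepping one instruction further in radare2 (`ds`) and dumping again would show the same transition the model does: eax changes from the address ebp-0x8 to the contents of that slot.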