我正在一个家庭作业项目中,涉及一个用已编译的c编写的“炸弹”,我必须对其进行逆向工程,以得出5个字符串,这些字符串将使炸弹的五个“阶段”中的每个阶段都解除武装。我现在停留在第3阶段,试图转换gdb为该功能生成的程序集(我相信是x86,AT&T语法)。到目前为止,我能够弄清楚的是,它正在尝试将六个数字组成的字符串作为用户输入,并根据某些标准对其进行判断,但这就是我丢失它的地方。该函数如下所示(旁边是我尝试的伪代码翻译)。
0x08048816 <phase_3+0>: push %ebp
0x08048817 <phase_3+1>: mov %esp,%ebp
0x08048819 <phase_3+3>: push %edi
0x0804881a <phase_3+4>: push %ebx
0x0804881b <phase_3+5>: sub $0x30,%esp
0x0804881e <phase_3+8>: lea -0x24(%ebp),%eax
0x08048821 <phase_3+11>: mov %eax,0x4(%esp)
0x08048825 <phase_3+15>: mov 0x8(%ebp),%eax
0x08048828 <phase_3+18>: mov %eax,(%esp)
0x0804882b <phase_3+21>: call 0x8048d2c <read_six_numbers>
0x08048830 <phase_3+26>: mov -0x24(%ebp),%eax eax = p1
0x08048833 <phase_3+29>: cmp $0x1,%eax if eax != 1
0x08048836 <phase_3+32>: je 0x804883d <phase_3+39> explode bomb
0x08048838 <phase_3+34>: call 0x8048fec <explode_bomb> else
0x0804883d <phase_3+39>: movl $0x1,-0xc(%ebp) ebp[-12] = 1
0x08048844 <phase_3+46>: jmp 0x804888a <phase_3+116> while ebp[-12] < 5 {
0x08048846 <phase_3+48>: mov -0xc(%ebp),%eax eax = ebp[-12]
0x08048849 <phase_3+51>: mov -0x24(%ebp,%eax,4),%eax {magic}
0x0804884d <phase_3+55>: mov %eax,%ebx ebx = eax
0x0804884f <phase_3+57>: mov -0xc(%ebp),%eax eax = ebp[-12]
0x08048852 <phase_3+60>: sub $0x1,%eax eax -= 1
0x08048855 <phase_3+63>: mov -0x24(%ebp,%eax,4),%eax {magic}
0x08048859 <phase_3+67>: mov %eax,%edx edx = eax
0x0804885b <phase_3+69>: mov 0x804a6d8,%eax eax = 0x804a6d8
0x08048860 <phase_3+74>: mov $0xffffffff,%ecx ecx = 255
0x08048865 <phase_3+79>: mov %eax,-0x2c(%ebp) ebp[-12] = eax
0x08048868 <phase_3+82>: mov $0x0,%eax eax = 0
0x0804886d <phase_3+87>: cld
0x0804886e <phase_3+88>: mov -0x2c(%ebp),%edi edi = ebp[-12]
0x08048871 <phase_3+91>: repnz scas %es:(%edi),%al {deep magic}
0x08048873 <phase_3+93>: mov %ecx,%eax eax = ecx
0x08048875 <phase_3+95>: not %eax eax = -eax
0x08048877 <phase_3+97>: sub $0x1,%eax eax -= 1
0x0804887a <phase_3+100>: imul %edx,%eax eax *= edx
0x0804887d <phase_3+103>: cmp %eax,%ebx if (eax != ebx)
0x0804887f <phase_3+105>: je 0x8048886 <phase_3+112> explode_bomb
0x08048881 <phase_3+107>: call 0x8048fec <explode_bomb> else
0x08048886 <phase_3+112>: addl $0x1,-0xc(%ebp) ebp[-12] += 1
0x0804888a <phase_3+116>: cmpl $0x5,-0xc(%ebp)
0x0804888e <phase_3+120>: jle 0x8048846 <phase_3+48> }
0x08048890 <phase_3+122>: add $0x30,%esp
0x08048893 <phase_3+125>: pop %ebx
0x08048894 <phase_3+126>: pop %edi
0x08048895 <phase_3+127>: pop %ebp
0x08048896 <phase_3+128>: ret
我至少对大多数事情有一点信心(尽管不是很多)。我绝对确定的错误行是当前标记为“魔术”的三行-phase_3 + 51,phase_3 + 63和phase_3 + 91(两 strip 有奇怪语法和repnz的mov行)。我没有看到太多语法,也无法弄清楚要使用哪些搜索词来查找它们。
我对此有任何一般性(和/或严厉的)批评吗?我明显不在哪里?显然,由于这是家庭作业,因此我不需要别人给我答案。我只想知道我的解释是否总体上合理(这三行意味着我不知所措)。
非常感谢您的帮助!
*编辑***
read_six_numbers函数的分解如下:
0x08048d2c <read_six_numbers+0>: push %ebp
0x08048d2d <read_six_numbers+1>: mov %esp,%ebp
0x08048d2f <read_six_numbers+3>: push %esi
0x08048d30 <read_six_numbers+4>: push %ebx
0x08048d31 <read_six_numbers+5>: sub $0x30,%esp
0x08048d34 <read_six_numbers+8>: mov 0xc(%ebp),%eax
0x08048d37 <read_six_numbers+11>: add $0x14,%eax
0x08048d3a <read_six_numbers+14>: mov 0xc(%ebp),%edx
0x08048d3d <read_six_numbers+17>: add $0x10,%edx
0x08048d40 <read_six_numbers+20>: mov 0xc(%ebp),%ecx
0x08048d43 <read_six_numbers+23>: add $0xc,%ecx
0x08048d46 <read_six_numbers+26>: mov 0xc(%ebp),%ebx
0x08048d49 <read_six_numbers+29>: add $0x8,%ebx
0x08048d4c <read_six_numbers+32>: mov 0xc(%ebp),%esi
0x08048d4f <read_six_numbers+35>: add $0x4,%esi
0x08048d52 <read_six_numbers+38>: mov %eax,0x1c(%esp)
0x08048d56 <read_six_numbers+42>: mov %edx,0x18(%esp)
0x08048d5a <read_six_numbers+46>: mov %ecx,0x14(%esp)
0x08048d5e <read_six_numbers+50>: mov %ebx,0x10(%esp)
0x08048d62 <read_six_numbers+54>: mov %esi,0xc(%esp)
0x08048d66 <read_six_numbers+58>: mov 0xc(%ebp),%eax
0x08048d69 <read_six_numbers+61>: mov %eax,0x8(%esp)
0x08048d6d <read_six_numbers+65>: movl $0x804965d,0x4(%esp)
0x08048d75 <read_six_numbers+73>: mov 0x8(%ebp),%eax
0x08048d78 <read_six_numbers+76>: mov %eax,(%esp)
0x08048d7b <read_six_numbers+79>: call 0x80485a4 <sscanf@plt>
0x08048d80 <read_six_numbers+84>: mov %eax,-0xc(%ebp)
0x08048d83 <read_six_numbers+87>: cmpl $0x5,-0xc(%ebp)
0x08048d87 <read_six_numbers+91>: jg 0x8048d8e <read_six_numbers+98>
0x08048d89 <read_six_numbers+93>: call 0x8048fec <explode_bomb>
0x08048d8e <read_six_numbers+98>: add $0x30,%esp
0x08048d91 <read_six_numbers+101>: pop %ebx
0x08048d92 <read_six_numbers+102>: pop %esi
0x08048d93 <read_six_numbers+103>: pop %ebp
0x08048d94 <read_six_numbers+104>: ret
最佳答案
mov -0x24(%ebp,%eax,4),%eax
上面的指令正在访问数组的元素。在x86中,这称为Scalet,Index,Base的
SIB寻址。还有一个“偏移”组件。数组基于由基址寄存器(此处为EBP)确定的地址加上偏移量(使用帧指针时,包括数组的局部变量将作为距帧指针的偏移量进行寻址)。元素编号在索引寄存器中(此处为EAX)。每个元素的大小由Scale(此处为4)确定。mov 0x804a6d8,%eax
mov $0xffffffff,%ecx
mov %eax,-0x2c(%ebp)
mov $0x0,%eax
cld
mov -0x2c(%ebp),%edi
repnz scas %es:(%edi),%al
mov %ecx,%eax
not %eax
sub $0x1,%eax
这只是
strlen(0x805a6d8)。 ES:EDI指向要在0x804a6d8处扫描的字符串(比较引用字节)。 AL包含要扫描的字符:0-ASCII NUL。 cld设置扫描方向:升序(std将使扫描降序)。 ECX初始化为~0 = -1:所有位1。repnz重复执行scas(SCAN STRING)指令,将ECX递减,而ECX不为零(由于ECX足够大,可以防止这种情况发生),并且扫描不成功(NZ,而扫描(在字符串和引用AL之间进行比较)未设置零标记。之后,ECX包含-1-(steps in the scan)。 NOT生成该(steps in the scan)。 SUB生成该(steps in the scan) - 1 = (length of string not including the terminating NUL)。在http://www.int80h.org/strlen/上也有解释。关于c - 将程序集转换为伪代码,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/13097596/