这是一个必须拆除炸弹引信的任务,该炸弹包含 6 个阶段,每个阶段都有 1 个正确的输入才能进入下一阶段。我目前处于 Phase_4,它有一个名为 func4 的递归函数。我已经确定输入是“%d %d”,它是两个整数。但是,即使在每个步骤中获取所有寄存器的信息后,我也无法完全弄清楚 func4 正在做什么。我还发现第二个数字一定是27。
(gdb) disas
Dump of assembler code for function phase_4:
# phase_4: parse two ints from the input line, then require
#   func4(first, 0, 14) == 27  and  second == 27.
# The input line pointer is not set here; it is presumably still in %rdi from
# the caller (sscanf's 1st arg) — confirm in the caller.
0x000000000040101b <+0>: sub $0x18,%rsp                          # reserve 0x18 bytes of stack for the two ints
0x000000000040101f <+4>: lea 0x8(%rsp),%rcx                      # 4th sscanf arg: &second (stored at 0x8(%rsp))
0x0000000000401024 <+9>: lea 0xc(%rsp),%rdx                      # 3rd sscanf arg: &first  (stored at 0xc(%rsp))
0x0000000000401029 <+14>: mov $0x402765,%esi                     # 2nd sscanf arg: format string (the author reports it is "%d %d")
0x000000000040102e <+19>: mov $0x0,%eax                          # %al = 0: no vector registers used in this variadic call
0x0000000000401033 <+24>: callq 0x400c30 <__isoc99_sscanf@plt>   # returns number of fields successfully converted
0x0000000000401038 <+29>: cmp $0x2,%eax                          # both ints must have been parsed
0x000000000040103b <+32>: jne 0x401044 <phase_4+41>              # otherwise explode
0x000000000040103d <+34>: cmpl $0xe,0xc(%rsp)                    # compare first with 14
0x0000000000401042 <+39>: jbe 0x401049 <phase_4+46>              # unsigned compare: first must be <= 14 (negative values wrap and also explode)
0x0000000000401044 <+41>: callq 0x40152d <explode_bomb>
0x0000000000401049 <+46>: mov $0xe,%edx                          # 3rd func4 arg: 14
0x000000000040104e <+51>: mov $0x0,%esi                          # 2nd func4 arg: 0
0x0000000000401053 <+56>: mov 0xc(%rsp),%edi                     # 1st func4 arg: first
=> 0x0000000000401057 <+60>: callq 0x400fe9 <func4>              # %eax = func4(first, 0, 14)
0x000000000040105c <+65>: cmp $0x1b,%eax                         # result must be 27 (0x1b)
0x000000000040105f <+68>: jne 0x401068 <phase_4+77>
0x0000000000401061 <+70>: cmpl $0x1b,0x8(%rsp)                   # second must also be 27
0x0000000000401066 <+75>: je 0x40106d <phase_4+82>               # both checks passed: defused
0x0000000000401068 <+77>: callq 0x40152d <explode_bomb>
0x000000000040106d <+82>: add $0x18,%rsp                         # release locals
0x0000000000401071 <+86>: retq
Breakpoint 2, 0x0000000000400fe9 in func4 ()
(gdb) disas
Dump of assembler code for function func4:
# func4(x = %edi, lo = %esi, hi = %edx) -> %eax
# Computes mid = lo + (hi - lo)/2 (signed division, rounded toward zero).
#   mid == x : return mid
#   mid >  x : return mid + func4(x, lo, mid - 1)
#   mid <  x : return mid + func4(x, mid + 1, hi)
# i.e. it returns the sum of every midpoint visited while bisecting [lo, hi]
# toward x.  For the call func4(x, 0, 14), x = 9 visits 7, 11, 9 and sums to 27.
=> 0x0000000000400fe9 <+0>: push %rbx                            # %rbx is callee-saved and must survive the recursive call
0x0000000000400fea <+1>: mov %edx,%eax                           # %eax = hi
0x0000000000400fec <+3>: sub %esi,%eax                           # %eax = hi - lo
0x0000000000400fee <+5>: mov %eax,%ebx                           # %ebx = hi - lo
0x0000000000400ff0 <+7>: shr $0x1f,%ebx                          # %ebx = sign bit of (hi - lo): 1 if negative, else 0
0x0000000000400ff3 <+10>: add %eax,%ebx                          # %ebx = (hi - lo) + sign bit  (bias so the shift rounds toward zero)
0x0000000000400ff5 <+12>: sar %ebx                               # %ebx = (hi - lo) / 2  (signed)
0x0000000000400ff7 <+14>: add %esi,%ebx                          # %ebx = mid = lo + (hi - lo)/2
0x0000000000400ff9 <+16>: cmp %edi,%ebx                          # compare mid with x (computes mid - x)
0x0000000000400ffb <+18>: jg 0x401003 <func4+26>                 # mid > x: search the lower half
0x0000000000400ffd <+20>: jl 0x40100f <func4+38>                 # mid < x: search the upper half
0x0000000000400fff <+22>: mov %ebx,%eax                          # mid == x (or fall-through after a recursive call): return value in %eax
0x0000000000401001 <+24>: pop %rbx
0x0000000000401002 <+25>: retq
0x0000000000401003 <+26>: lea -0x1(%rbx),%edx                    # hi = mid - 1   (%edi = x and %esi = lo unchanged)
0x0000000000401006 <+29>: callq 0x400fe9 <func4>                 # %eax = func4(x, lo, mid - 1)
0x000000000040100b <+34>: add %eax,%ebx                          # %ebx = mid + recursive result
0x000000000040100d <+36>: jmp 0x400fff <func4+22>                # return %ebx
0x000000000040100f <+38>: lea 0x1(%rbx),%esi                     # lo = mid + 1   (%edi = x and %edx = hi unchanged)
0x0000000000401012 <+41>: callq 0x400fe9 <func4>                 # %eax = func4(x, mid + 1, hi)
0x0000000000401017 <+46>: add %eax,%ebx                          # %ebx = mid + recursive result
0x0000000000401019 <+48>: jmp 0x400fff <func4+22>                # return %ebx
我找到了答案:9 27