这是一个新问题。我不是要求没有'explode_bomb'运行的答案。我要求澄清/指导一小段代码中发生的事情。
这是我想弄清楚的(下面的[0x8(%ebx)]代码发生了什么)? 不是0x8(%寄存器)意味着它访问存储器地址%寄存器+ 0x8的值?它看起来不像存储在那里的内存地址...... 我知道这是一个模糊的问题。我在psuedoesque代码中将我不理解的行标记为LINEXXX-HexAddress * * 。 [LINEXXX - 是来自ddd的行号 - 它不允许我从ddd复制所以我使用了objdump ...]
非常感谢, 任何小小的提示都表示赞赏。
8048efa: 8b 5c 24 10 mov 0x10(%esp),%ebx
8048efe: 8b 44 24 14 mov 0x14(%esp),%eax
8048f02: 89 43 08 mov %eax,0x8(%ebx)
8048f05: 8b 54 24 18 mov 0x18(%esp),%edx
8048f09: 89 50 08 mov %edx,0x8(%eax)
8048f0c: 8b 44 24 1c mov 0x1c(%esp),%eax
8048f10: 89 42 08 mov %eax,0x8(%edx)
8048f13: 8b 54 24 20 mov 0x20(%esp),%edx
8048f17: 89 50 08 mov %edx,0x8(%eax)
8048f1a: 8b 44 24 24 mov 0x24(%esp),%eax
8048f1e: 89 42 08 mov %eax,0x8(%edx)
8048f21: c7 40 08 00 00 00 00 movl $0x0,0x8(%eax)
8048f28: be 05 00 00 00 mov $0x5,%esi
8048f2d: 8b 43 08 mov 0x8(%ebx),%eax
8048f30: 8b 10 mov (%eax),%edx
8048f32: 39 13 cmp %edx,(%ebx)
8048f34: 7d 05 jge 8048f3b <phase_6+0xca>
8048f36: e8 d3 03 00 00 call 804930e <explode_bomb>
8048f3b: 8b 5b 08 mov 0x8(%ebx),%ebx
8048f3e: 83 ee 01 sub $0x1,%esi
我制作了一些伪代码,以帮助我更好地了解正在发生的事情:
example input-> "6 89 79 69 59 49"
eax = "6 89 79 69 59 49"
stuff
after stuff (read_six_numbers)
eax = 6
0x28(esp,edi*4)
edi=0 -> 6
edi=1 -> 89
edi=2 -> 79
edi=3 -> 69
edi=4 -> 59
edi=5 -> 49
naming this as array[]
----------------
edi=0;
esi=0;
Line31:
eax = array[edi];
eax--;
if((unsigned int)eax > 5) explodebomb();
esi=1+edi;
if(esi==6)goto Line109
ebx=esi;
Line58:
eax=array[ebx];
if(eax == array[esi-1]) explodebomb();
ebx++;
edi=esi;
if(5<=ebx)goto Line58;
else goto Line31;
Line85:
edx = *edx + 8;
eax++;
if(ecx != eax)goto Line85;
Line85:
array2[esi]=edx;
ebx++;
if(6 != ebx) goto Line114;
goto Line137
ebx = 0;
esi=ebx;
ecx=array[ebx];
eax = 1;
edx=0x804c154;
if(1>ecx)goto Line85;
goto Line95;
ebx=array2[0];
eax=array2[1];
LINE145-0x08048f02**** 0x8(ebx)=eax;
edx=array2[2];
LINE152-0x08048f09**** 0x8(eax)=edx;
eax=array2[3];
LINE159-0x08048f10**** 0x8(edx)=eax;
edx=array2[4];
LINE166-0x08048f17**** 0x8(eax)=edx;
eax=array2[5];
LINE173-0x08048f1e**** 0x8(edx)=eax;
LINE176-0x08048f21**** 0x8(eax)=eax;
esi=5;
Line188:
LINE188-0x08048f2d**** eax=0x8(ebx);
edx=(eax);
if(!(edx >= (ebx))) explodebomb();
LINE202-0x08048f3b**** ebx=0x8(ebx);
esi--;
if(edx != (ebx)) goto Line188;
esp+=0x40;
return eax;
汇编代码:
08048e71 <phase_6>:
8048e71: 57 push %edi
8048e72: 56 push %esi
8048e73: 53 push %ebx
8048e74: 83 ec 40 sub $0x40,%esp
8048e77: 8d 44 24 28 lea 0x28(%esp),%eax
8048e7b: 89 44 24 04 mov %eax,0x4(%esp)
8048e7f: 8b 44 24 50 mov 0x50(%esp),%eax
8048e83: 89 04 24 mov %eax,(%esp)
8048e86: e8 ce 05 00 00 call 8049459 <read_six_numbers>
8048e8b: bf 00 00 00 00 mov $0x0,%edi
8048e90: 8b 44 bc 28 mov 0x28(%esp,%edi,4),%eax
8048e94: 83 e8 01 sub $0x1,%eax
8048e97: 83 f8 05 cmp $0x5,%eax
8048e9a: 76 05 jbe 8048ea1 <phase_6+0x30>
8048e9c: e8 6d 04 00 00 call 804930e <explode_bomb>
8048ea1: 8d 77 01 lea 0x1(%edi),%esi
8048ea4: 83 fe 06 cmp $0x6,%esi
8048ea7: 74 35 je 8048ede <phase_6+0x6d>
8048ea9: 89 f3 mov %esi,%ebx
8048eab: 8b 44 9c 28 mov 0x28(%esp,%ebx,4),%eax
8048eaf: 39 44 b4 24 cmp %eax,0x24(%esp,%esi,4)
8048eb3: 75 05 jne 8048eba <phase_6+0x49>
8048eb5: e8 54 04 00 00 call 804930e <explode_bomb>
8048eba: 83 c3 01 add $0x1,%ebx
8048ebd: 89 f7 mov %esi,%edi
8048ebf: 83 fb 05 cmp $0x5,%ebx
8048ec2: 7e e7 jle 8048eab <phase_6+0x3a>
8048ec4: eb ca jmp 8048e90 <phase_6+0x1f>
8048ec6: 8b 52 08 mov 0x8(%edx),%edx
8048ec9: 83 c0 01 add $0x1,%eax
8048ecc: 39 c8 cmp %ecx,%eax
8048ece: 75 f6 jne 8048ec6 <phase_6+0x55>
8048ed0: 89 54 b4 10 mov %edx,0x10(%esp,%esi,4)
8048ed4: 83 c3 01 add $0x1,%ebx
8048ed7: 83 fb 06 cmp $0x6,%ebx
8048eda: 75 07 jne 8048ee3 <phase_6+0x72>
8048edc: eb 1c jmp 8048efa <phase_6+0x89>
8048ede: bb 00 00 00 00 mov $0x0,%ebx
8048ee3: 89 de mov %ebx,%esi
8048ee5: 8b 4c 9c 28 mov 0x28(%esp,%ebx,4),%ecx
8048ee9: b8 01 00 00 00 mov $0x1,%eax
8048eee: ba 54 c1 04 08 mov $0x804c154,%edx
8048ef3: 83 f9 01 cmp $0x1,%ecx
8048ef6: 7f ce jg 8048ec6 <phase_6+0x55>
8048ef8: eb d6 jmp 8048ed0 <phase_6+0x5f>
8048efa: 8b 5c 24 10 mov 0x10(%esp),%ebx
8048efe: 8b 44 24 14 mov 0x14(%esp),%eax
8048f02: 89 43 08 mov %eax,0x8(%ebx)
8048f05: 8b 54 24 18 mov 0x18(%esp),%edx
8048f09: 89 50 08 mov %edx,0x8(%eax)
8048f0c: 8b 44 24 1c mov 0x1c(%esp),%eax
8048f10: 89 42 08 mov %eax,0x8(%edx)
8048f13: 8b 54 24 20 mov 0x20(%esp),%edx
8048f17: 89 50 08 mov %edx,0x8(%eax)
8048f1a: 8b 44 24 24 mov 0x24(%esp),%eax
8048f1e: 89 42 08 mov %eax,0x8(%edx)
8048f21: c7 40 08 00 00 00 00 movl $0x0,0x8(%eax)
8048f28: be 05 00 00 00 mov $0x5,%esi
8048f2d: 8b 43 08 mov 0x8(%ebx),%eax
8048f30: 8b 10 mov (%eax),%edx
8048f32: 39 13 cmp %edx,(%ebx)
8048f34: 7d 05 jge 8048f3b <phase_6+0xca>
8048f36: e8 d3 03 00 00 call 804930e <explode_bomb>
8048f3b: 8b 5b 08 mov 0x8(%ebx),%ebx
8048f3e: 83 ee 01 sub $0x1,%esi
8048f41: 75 ea jne 8048f2d <phase_6+0xbc>
8048f43: 83 c4 40 add $0x40,%esp
8048f46: 5b pop %ebx
8048f47: 5e pop %esi
8048f48: 5f pop %edi
8048f49: c3 ret
答案 0 :(得分:2)
我不想透露太多,但这里有一些提示:
esp+0x10 - esp+0x28)的数组填充了从某些全局数据中获取的指针。此数据似乎从偏移量 0x804c154 开始(请参阅列表中的偏移量0x8048eee)稍后,从列表中的偏移 0x8048efa 开始,引用#1中提到的数组,这是我理解它的方式(这是伪代码...):< / p>
struct s {
int value;
int ??;
struct s * next;
};
// in esp+0x10
struct s *point_arr[6];
point_arr[0]->next = &point_arr[1];
point_arr[1]->next = &point_arr[2];
point_arr[2]->next = &point_arr[3];
point_arr[3]->next = &point_arr[4];
point_arr[4]->next = &point_arr[5];
point_arr[5]->next = NULL;
在此之后,检查(在一个循环中)(point_arr[i]->value > point_arr[i-1]->value)
因此,当你说%ebx中没有存储内存地址时,它就不准确了。内存地址存储在%esp+0x10中,%esp+0x10存储在%ebx中。