解码和理解汇编代码


所以先说一点背景。我是 C 和汇编的初学者,我们有一个“炸弹”作业(用 C 编写):程序调用若干需要特定密码的函数,但源代码不可见,我需要通过阅读汇编代码来确定正确的密码。

代码表明此函数的密码是 6 个数字,它作为“input”传递给 phase_2(我正努力避免触发其中的 explode_bomb)。

我感到困惑的部分是从+64跳到+42。这似乎是一个循环,但我不确定每次传递如何影响堆栈。如果最后两个数字相同,看起来循环就会退出,并且它与加和减 4 有关,但我不确定如何遍历地址。 如果任何人都可以翻译到底发生了什么,或者如果我需要查看任何特定的寄存器/位置,这将有很大帮助。还有 4 个阶段,每个阶段都应该更复杂,所以我想更好地理解如何阅读这些阶段。

另外,如果有人有汇编指令关键字的好资源(例如可打印的速查表),那也会很有帮助;还有,除了寄存器名称之外,32 位和 64 位寄存器之间是否还有其他需要我注意的差异?

    82          phase_2(input);
(gdb) disas phase_2
Dump of assembler code for function phase_2:
# phase_2 -- SysV AMD64, AT&T syntax (gdb disassembly).
# 0x28 (40) bytes of stack are reserved and %rsp is handed to read_six_numbers
# in %rsi, so the six 32-bit inputs land at 0(%rsp) .. 0x14(%rsp); read the
# frame as `int t[6]` with t[i] == 4*i(%rsp).  %rbx/%rbp are callee-saved,
# hence the push/pop pairs around the body.  After push, push, sub $0x28 the
# stack is 16-byte aligned at both callq sites, as the ABI requires.
# To test guesses without letting either explode_bomb call run, set a gdb
# breakpoint on explode_bomb before feeding the input.
0x000000000040106b <phase_2+0>: push   %rbp               # save callee-saved regs used below
0x000000000040106c <phase_2+1>: push   %rbx
0x000000000040106d <phase_2+2>: sub    $0x28,%rsp         # reserve 40 bytes of locals; t[] lives here
0x0000000000401071 <phase_2+6>: mov    %rsp,%rsi          # 2nd arg = &t[0]; %rdi (presumably `input`) is passed through untouched
0x0000000000401074 <phase_2+9>: callq  0x401457 <read_six_numbers>
0x0000000000401079 <phase_2+14>:        cmpl   $0x0,(%rsp)          # t[0] == 0 ?
0x000000000040107d <phase_2+18>:        jne    0x401086     <phase_2+27>   # no  -> explode
0x000000000040107f <phase_2+20>:        cmpl   $0x1,0x4(%rsp)       # t[1] == 1 ?
0x0000000000401084 <phase_2+25>:        je     0x40108b <phase_2+32>       # yes -> skip the explode call
0x0000000000401086 <phase_2+27>:        callq  0x401421 <explode_bomb>
0x000000000040108b <phase_2+32>:        lea    0x8(%rsp),%rbx       # rbx = &t[2]  (loop cursor)
0x0000000000401090 <phase_2+37>:        lea    0x18(%rsp),%rbp      # rbp = &t[6]  (one past the end: loop bound)
0x0000000000401095 <phase_2+42>:        mov    -0x8(%rbx),%eax      # eax = t[i-2]
0x0000000000401098 <phase_2+45>:        add    -0x4(%rbx),%eax      # eax += t[i-1]  (32-bit add, wraps on overflow)
0x000000000040109b <phase_2+48>:        cmp    %eax,(%rbx)          # t[i] == t[i-2] + t[i-1] ?
0x000000000040109d <phase_2+50>:        je     0x4010a4 <phase_2+57>       # yes -> advance
0x000000000040109f <phase_2+52>:        callq  0x401421 <explode_bomb>
0x00000000004010a4 <phase_2+57>:        add    $0x4,%rbx            # next element (sizeof(int) == 4)
0x00000000004010a8 <phase_2+61>:        cmp    %rbp,%rbx            # pointer compare against &t[6] -- NOT a compare of two inputs
0x00000000004010ab <phase_2+64>:        jne    0x401095 <phase_2+42>       # loop while rbx != &t[6]: visits i = 2,3,4,5
0x00000000004010ad <phase_2+66>:        add    $0x28,%rsp           # release locals
0x00000000004010b1 <phase_2+70>:        pop    %rbx                 # restore in reverse push order
0x00000000004010b2 <phase_2+71>:        pop    %rbp
0x00000000004010b3 <phase_2+72>:        retq   

So a little background. I am a beginner with C and assembly; we have a "bomb" assignment (written in C) which calls functions that require certain passwords. The source is not visible, so I need to determine the correct password by reading the assembly.

The code indicates the password for this function is 6 numbers, which are passed as "input" to phase_2 (whose explode_bomb calls I am trying to avoid triggering).

The part I am getting confused about is the jump from +64 back to +42. It seems to be a loop, but I am unsure how the stack is affected on each pass. It looks like the loop exits if the last two numbers are the same, and it has something to do with adding and subtracting 4, but I am unsure how the addresses are traversed.
If anyone can translate what exactly is going on, or if i need to look in any particular registers/locations it would help greatly. There are 4 more phases which are each supposed to be more complex so I want to get a good understanding in how to approach reading these.

Also, if anyone has a good resource (like a printable table) of assembly mnemonics that would be helpful too, and are there any differences between 32-bit and 64-bit registers I need to worry about, other than the register names?

    82          phase_2(input);
(gdb) disas phase_2
Dump of assembler code for function phase_2:
# phase_2 -- SysV AMD64, AT&T syntax (gdb disassembly).
# 0x28 (40) bytes of stack are reserved and %rsp is handed to read_six_numbers
# in %rsi, so the six 32-bit inputs land at 0(%rsp) .. 0x14(%rsp); read the
# frame as `int t[6]` with t[i] == 4*i(%rsp).  %rbx/%rbp are callee-saved,
# hence the push/pop pairs around the body.  After push, push, sub $0x28 the
# stack is 16-byte aligned at both callq sites, as the ABI requires.
# To test guesses without letting either explode_bomb call run, set a gdb
# breakpoint on explode_bomb before feeding the input.
0x000000000040106b <phase_2+0>: push   %rbp               # save callee-saved regs used below
0x000000000040106c <phase_2+1>: push   %rbx
0x000000000040106d <phase_2+2>: sub    $0x28,%rsp         # reserve 40 bytes of locals; t[] lives here
0x0000000000401071 <phase_2+6>: mov    %rsp,%rsi          # 2nd arg = &t[0]; %rdi (presumably `input`) is passed through untouched
0x0000000000401074 <phase_2+9>: callq  0x401457 <read_six_numbers>
0x0000000000401079 <phase_2+14>:        cmpl   $0x0,(%rsp)          # t[0] == 0 ?
0x000000000040107d <phase_2+18>:        jne    0x401086     <phase_2+27>   # no  -> explode
0x000000000040107f <phase_2+20>:        cmpl   $0x1,0x4(%rsp)       # t[1] == 1 ?
0x0000000000401084 <phase_2+25>:        je     0x40108b <phase_2+32>       # yes -> skip the explode call
0x0000000000401086 <phase_2+27>:        callq  0x401421 <explode_bomb>
0x000000000040108b <phase_2+32>:        lea    0x8(%rsp),%rbx       # rbx = &t[2]  (loop cursor)
0x0000000000401090 <phase_2+37>:        lea    0x18(%rsp),%rbp      # rbp = &t[6]  (one past the end: loop bound)
0x0000000000401095 <phase_2+42>:        mov    -0x8(%rbx),%eax      # eax = t[i-2]
0x0000000000401098 <phase_2+45>:        add    -0x4(%rbx),%eax      # eax += t[i-1]  (32-bit add, wraps on overflow)
0x000000000040109b <phase_2+48>:        cmp    %eax,(%rbx)          # t[i] == t[i-2] + t[i-1] ?
0x000000000040109d <phase_2+50>:        je     0x4010a4 <phase_2+57>       # yes -> advance
0x000000000040109f <phase_2+52>:        callq  0x401421 <explode_bomb>
0x00000000004010a4 <phase_2+57>:        add    $0x4,%rbx            # next element (sizeof(int) == 4)
0x00000000004010a8 <phase_2+61>:        cmp    %rbp,%rbx            # pointer compare against &t[6] -- NOT a compare of two inputs
0x00000000004010ab <phase_2+64>:        jne    0x401095 <phase_2+42>       # loop while rbx != &t[6]: visits i = 2,3,4,5
0x00000000004010ad <phase_2+66>:        add    $0x28,%rsp           # release locals
0x00000000004010b1 <phase_2+70>:        pop    %rbx                 # restore in reverse push order
0x00000000004010b2 <phase_2+71>:        pop    %rbp
0x00000000004010b3 <phase_2+72>:        retq   






时光是把杀猪刀 2025-01-11 04:39:39

这是阶段 2 的 C 等效形式:

int t[6];                       /* the 40-byte frame at %rsp, read as six 32-bit ints: t[i] == 4*i(%rsp) */
read_six_numbers (t);           /* callq read_six_numbers with %rsi = %rsp */
if ((t[0] != 0) || (t[1] != 1)) {   /* cmpl $0x0,(%rsp) and cmpl $0x1,0x4(%rsp) at +14 .. +25 */
    explode_bomb();
}

/* +42 .. +64: %rbx walks &t[2] .. &t[5] in 4-byte steps and the loop stops
 * when it reaches &t[6] (%rbp); the add is a 32-bit add in %eax. */
for (int i = 2; i < 6; i++) {
        if (t[i] != t[i - 2] + t[i - 1]) {   /* mov -0x8(%rbx),%eax ; add -0x4(%rbx),%eax ; cmp %eax,(%rbx) */
            explode_bomb();
    }
}

所以密码是 0, 1, 1, 2, 3, 5。前两个值已由 +14 和 +20 处的比较固定为 0 和 1,其余四个由递推关系 t[i] = t[i-2] + t[i-1] 唯一确定,因此该阶段只有这一个解。

我是如何做到这一点的?通过逐渐用 C 替换程序集。

您会注意到,在序言中的 `sub $0x28,%rsp` 之后,堆栈指针 (%rsp) 就不再改变,因此函数体内的每个内存操作数都是相对于它的固定偏移。您可以将这段堆栈视为一个 32 位整数数组 t(`cmpl` 的 `l` 后缀和 `%eax` 都表明操作数宽度为 4 字节)。也就是说,每移动 4 个字节,就会移到下一个元素:0(%rsp), 4(%rsp), ... 分别相当于 t[0], t[1], ...

我将向您展示您遇到麻烦的位的可能的逐步转换:

                lea    0x8(%rsp),%rbx
                lea    0x18(%rsp),%rbp
<phase_2+42>:   mov    -0x8(%rbx),%eax
                add    -0x4(%rbx),%eax
                cmp    %eax,(%rbx)
                je     <phase_2+57>
                callq  explode_bomb
<phase_2+57>:   add    $0x4,%rbx
                cmp    %rbp,%rbx
                jne    phase_2+42
------------------------------------------------------
                    rbx = rsp + 8;
                    rbp = rsp + 24;
<phase_2+42>:       eax = [rbx - 8];
                    eax += [rbx - 4];
                    if (eax == [rbx]) goto <phase_2+57>;
                    explode_bomb();
<phase_2+57>:       rbx += 4;
                    if (rbx != rbp) goto phase_2+42;
------------------------------------------------------
rbx = rsp + 8;
rbp = rsp + 24;
do {
    eax = [rbx - 8] + [rbx - 4];
        if (eax != [rbx]) {
        explode_bomb();
    }
        rbx += 4;
} while (rbx != rbp);
------------------------------------------------------
rbx = 8;
do {
    eax = [rsp + rbx - 8] + [rsp + rbx - 4];
        if (eax != [rsp + rbx]) {
        explode_bomb();
    }
        rbx += 4;
} while (rbx < 24);
------------------------------------------------------
i = 2;
do {
    eax = t[i - 2] + t[i - 1];
        if (eax != t[i]) {
        explode_bomb();
    }
        i += 1;
} while (i < 6);
------------------------------------------------------
for (int i = 2; i < 6; i++) {
    if (t[i] != t[i - 2] + t[i - 1]) {
            explode_bomb();
        }
}

如果您花时间理解这些转换步骤,就能够用同样的方法转换并理解任何一段汇编代码。

Here is a C equivalent of phase2:

int t[6];                       /* the 40-byte frame at %rsp, read as six 32-bit ints: t[i] == 4*i(%rsp) */
read_six_numbers (t);           /* callq read_six_numbers with %rsi = %rsp */
if ((t[0] != 0) || (t[1] != 1)) {   /* cmpl $0x0,(%rsp) and cmpl $0x1,0x4(%rsp) at +14 .. +25 */
    explode_bomb();
}

/* +42 .. +64: %rbx walks &t[2] .. &t[5] in 4-byte steps and the loop stops
 * when it reaches &t[6] (%rbp); the add is a 32-bit add in %eax. */
for (int i = 2; i < 6; i++) {
        if (t[i] != t[i - 2] + t[i - 1]) {   /* mov -0x8(%rbx),%eax ; add -0x4(%rbx),%eax ; cmp %eax,(%rbx) */
            explode_bomb();
    }
}

So the password is 0, 1, 1, 2, 3, 5. The first two values are pinned by the compares at +14 and +20, and the remaining four are forced by the recurrence t[i] = t[i-2] + t[i-1], so this phase has exactly one solution.

How did I do this? By gradually replacing the assembly with C.

You'll note that the stack pointer (%rsp) never changes after the prologue's `sub $0x28,%rsp`, so every memory operand in the body is a fixed offset from it. You can see that stack area as an array t of 32-bit numbers (the `l` suffix on `cmpl` and the use of `%eax` both show 4-byte operands). That is, each time you move by 4 bytes you move to the next element, i.e. 0(%rsp), 4(%rsp), ... are equivalent to t[0], t[1], ...

I'll show you a possible gradual transformation of the bit you have trouble with:

                lea    0x8(%rsp),%rbx
                lea    0x18(%rsp),%rbp
<phase_2+42>:   mov    -0x8(%rbx),%eax
                add    -0x4(%rbx),%eax
                cmp    %eax,(%rbx)
                je     <phase_2+57>
                callq  explode_bomb
<phase_2+57>:   add    $0x4,%rbx
                cmp    %rbp,%rbx
                jne    phase_2+42
------------------------------------------------------
                    rbx = rsp + 8;
                    rbp = rsp + 24;
<phase_2+42>:       eax = [rbx - 8];
                    eax += [rbx - 4];
                    if (eax == [rbx]) goto <phase_2+57>;
                    explode_bomb();
<phase_2+57>:       rbx += 4;
                    if (rbx != rbp) goto phase_2+42;
------------------------------------------------------
rbx = rsp + 8;
rbp = rsp + 24;
do {
    eax = [rbx - 8] + [rbx - 4];
        if (eax != [rbx]) {
        explode_bomb();
    }
        rbx += 4;
} while (rbx != rbp);
------------------------------------------------------
rbx = 8;
do {
    eax = [rsp + rbx - 8] + [rsp + rbx - 4];
        if (eax != [rsp + rbx]) {
        explode_bomb();
    }
        rbx += 4;
} while (rbx < 24);
------------------------------------------------------
i = 2;
do {
    eax = t[i - 2] + t[i - 1];
        if (eax != t[i]) {
        explode_bomb();
    }
        i += 1;
} while (i < 6);
------------------------------------------------------
for (int i = 2; i < 6; i++) {
    if (t[i] != t[i - 2] + t[i - 1]) {
            explode_bomb();
        }
}

If you take the time to understand these transformations, you'll be able to apply the same method to transform and understand any piece of assembly.
