0x00000000004013d9 <+0>: sub $0x2c8,%rsp #phase_4(input): allocate a 0x2c8 (712) byte frame; 712 % 16 == 8, so rsp is 16-aligned at the call below (AT&T syntax, SysV AMD64 — input string arrives in rdi)
0x00000000004013e0 <+7>: mov %rdi,%rsi #rsi = input (first argument) — becomes strcpy's source
0x00000000004013e3 <+10>: movw $0x6cb,0x42(%rsp) #word  [rsp+0x42] = 0x6cb      (checked at <+113> against a different value)
0x00000000004013ea <+17>: movw $0xcc26,0x50(%rsp) #word  [rsp+0x50] = 0xcc26     (checked at <+82>)
0x00000000004013f1 <+24>: movw $0x8a1,0x44(%rsp) #word  [rsp+0x44] = 0x8a1      (feeds the arithmetic check at <+124>)
0x00000000004013f8 <+31>: movb $0x7,0x40(%rsp) #byte  [rsp+0x40] = 0x7        (checked at <+68> against a different value)
0x00000000004013fd <+36>: movl $0x12fad68e,0x3c(%rsp) #dword [rsp+0x3c] = 0x12fad68e (feeds the arithmetic check at <+124>)
0x0000000000401405 <+44>: movq $0x0,0x48(%rsp) #qword [rsp+0x48] = 0          (checked at <+98>)
0x000000000040140e <+53>: lea 0x30(%rsp),%rdi #rdi = &buf, buf = rsp+0x30 (lea yields the address, it does not load); every slot initialised above lies 12..34 bytes past buf
0x0000000000401413 <+58>: callq 0x400ca0 <[email protected]> #strcpy(buf, input) via the PLT (symbol mangled in the paste). Unbounded copy: a source longer than the 12 bytes between buf and [rsp+0x3c] overwrites the slots checked below — the classic missing length check
0x0000000000401418 <+63>: movzbl 0x40(%rsp),%eax #check 1: eax = zero-extended byte [rsp+0x40]
0x000000000040141d <+68>: cmp $0x57,%al #must equal 0x57 ('W'); the init at <+31> stored 0x7, so the stored value alone fails
0x000000000040141f <+70>: je 0x401426 <phase_4+77> #equal -> next check
0x0000000000401421 <+72>: callq 0x401bbe <bomb_ignition> #mismatch -> explode (presumably does not return; code falls through if it does)
0x0000000000401426 <+77>: movzwl 0x50(%rsp),%eax #check 2: eax = zero-extended word [rsp+0x50]
0x000000000040142b <+82>: cmp $0xcc26,%ax #must equal 0xcc26 — the value stored at <+17>, so it passes unless the copy clobbered it
0x000000000040142f <+86>: je 0x401436 <phase_4+93> #equal -> next check
0x0000000000401431 <+88>: callq 0x401bbe <bomb_ignition> #mismatch -> explode
0x0000000000401436 <+93>: mov 0x48(%rsp),%rax #check 3: rax = qword [rsp+0x48]
0x000000000040143b <+98>: test %rax,%rax #sets flags from rax & rax (rax itself is not written); ZF=1 iff rax == 0
0x000000000040143e <+101>: je 0x401445 <phase_4+108> #zero -> next check (passes with the 0 stored at <+44> unless the copy clobbered it)
0x0000000000401440 <+103>: callq 0x401bbe <bomb_ignition> #non-zero -> explode
0x0000000000401445 <+108>: movzwl 0x42(%rsp),%eax #check 4: eax = zero-extended word [rsp+0x42]
0x000000000040144a <+113>: cmp $0x425b,%ax #must equal 0x425b; the init at <+10> stored 0x6cb, so the stored value alone fails
0x000000000040144e <+117>: je 0x401455 <phase_4+124> #equal -> final check
0x0000000000401450 <+119>: callq 0x401bbe <bomb_ignition> #mismatch -> explode
0x0000000000401455 <+124>: movzwl 0x44(%rsp),%edx #check 5: edx = zero-extended word [rsp+0x44]
0x000000000040145a <+129>: mov 0x3c(%rsp),%eax #eax = dword [rsp+0x3c]
0x000000000040145e <+133>: shl $0x5,%eax #eax <<= 5 (i.e. * 32, high bits discarded)
0x0000000000401461 <+136>: movswl %dx,%edx #edx = sign-extend the low 16 bits of edx to 32 bits (movswl is a sign extension, not a truncation)
0x0000000000401464 <+139>: xor %edx,%eax #eax = (dword[0x3c] << 5) ^ (int16)word[0x44]
0x0000000000401466 <+141>: cmp $0x2e8ee3c5,%eax #final check: result must equal 0x2e8ee3c5 — unlike the others this one does not explode, it only decides the return value
0x000000000040146b <+146>: sete %al #al = 1 if equal, else 0
0x000000000040146e <+149>: movzbl %al,%eax #rax = that 0/1 (zero-extended) — the phase's boolean result
0x0000000000401471 <+152>: add $0x2c8,%rsp #release the frame
0x0000000000401478 <+159>: retq #return rax: 1 = phase passed, 0 = failed
我已經在每條指令旁邊註釋了我認爲它的作用,但我想不出整體的大局。
我的猜測是它接受輸入並將其與堆棧中的內容進行比較?我不確定strcpy以及它複製到的位置。我猜它是rax/eax寄存器,因爲之後它將堆棧中的值與該值進行比較。但是,我仍然不確定如何確定輸入應該是什麼。我嘗試了一些被mov進堆棧的值,例如0x6cb、0x8a1和0x7,並用hex轉ascii轉換器轉換,但是它們生成的字符不能作爲輸入,因爲其中有些是emoji之類的東西。「dr evil」給出的提示是「隨流,緩衝區溢出」,所以我確定它是緩衝區溢出。
我很感激任何幫助。謝謝。
「我不確定strcpy和它複製到的位置」——你應該看看Agner的[調用約定](http://www.agner.org/optimize/calling_conventions.pdf)文檔。第7節有一個表格,顯示了各種操作系統下各個參數使用哪些寄存器。 –
另請注意,它檢查的一些值已經在堆棧上,有些需要用不同的值覆蓋。 – Jester