二进制拆弹之phase_6
先分析一下phase_6的汇编代码:
08048df1 <phase_6>:
8048df1: 56 push %esi
8048df2: 53 push %ebx
8048df3: 83 ec 44 sub $0x44,%esp
8048df6: 8d 44 24 10 lea 0x10(%esp),%eax
8048dfa: 89 44 24 04 mov %eax,0x4(%esp)
8048dfe: 8b 44 24 50 mov 0x50(%esp),%eax
8048e02: 89 04 24 mov %eax,(%esp)
8048e05: e8 72 03 00 00 call 804917c <read_six_numbers>//读六个数字
8048e0a: be 00 00 00 00 mov $0x0,%esi //esi赋值为1
8048e0f: 8b 44 b4 10 mov 0x10(%esp,%esi,4),%eax
8048e13: 83 e8 01 sub $0x1,%eax //eax减一
8048e16: 83 f8 05 cmp $0x5,%eax //之后eax和5比较(原来1-6可输)
8048e19: 76 05 jbe 8048e20 <phase_6+0x2f> //判断输入小于等于5
8048e1b: e8 35 03 00 00 call 8049155 <explode_bomb>
8048e20: 83 c6 01 add $0x1,%esi //esi加1
8048e23: 83 fe 06 cmp $0x6,%esi //esi和6比较
8048e26: 74 1b je 8048e43 <phase_6+0x52> //不等于6则跳到e43
8048e28: 89 f3 mov %esi,%ebx //ebx=esi
8048e2a: 8b 44 9c 10 mov 0x10(%esp,%ebx,4),%eax
//eax=0x10(%esp,%ebx,4)
8048e2e: 39 44 b4 0c cmp %eax,0xc(%esp,%esi,4) //进行比较
8048e32: 75 05 jne 8048e39 <phase_6+0x48> //不等于跳转
8048e34: e8 1c 03 00 00 call 8049155 <explode_bomb>
8048e39: 83 c3 01 add $0x1,%ebx //ebx加1
8048e3c: 83 fb 05 cmp $0x5,%ebx //和5进行比较
8048e3f: 7e e9 jle 8048e2a <phase_6+0x39> //小于或者等于跳转
8048e41: eb cc jmp 8048e0f <phase_6+0x1e>
8048e43: 8d 44 24 10 lea 0x10(%esp),%eax
8048e47: 8d 5c 24 28 lea 0x28(%esp),%ebx
8048e4b: b9 07 00 00 00 mov $0x7,%ecx
8048e50: 89 ca mov %ecx,%edx
8048e52: 2b 10 sub (%eax),%edx
8048e54: 89 10 mov %edx,(%eax)
8048e56: 83 c0 04 add $0x4,%eax
8048e59: 39 d8 cmp %ebx,%eax
8048e5b: 75 f3 jne 8048e50 <phase_6+0x5f>
8048e5d: bb 00 00 00 00 mov $0x0,%ebx
8048e62: eb 1d jmp 8048e81 <phase_6+0x90>
8048e64: 8b 52 08 mov 0x8(%edx),%edx
8048e67: 83 c0 01 add $0x1,%eax
8048e6a: 39 c8 cmp %ecx,%eax
8048e6c: 75 f6 jne 8048e64 <phase_6+0x73>
8048e6e: eb 05 jmp 8048e75 <phase_6+0x84>
8048e70: ba 3c c1 04 08 mov $0x804c13c,%edx //edx=$0x804c13c
8048e75: 89 54 b4 28 mov %edx,0x28(%esp,%esi,4)
//edx=0x28(%esp,%esi,4)
8048e79: 83 c3 01 add $0x1,%ebx //ebx+1
8048e7c: 83 fb 06 cmp $0x6,%ebx //ebx和6比较
8048e7f: 74 17 je 8048e98 <phase_6+0xa7> //等于跳转
8048e81: 89 de mov %ebx,%esi //esi=ebx
8048e83: 8b 4c 9c 10 mov 0x10(%esp,%ebx,4),%ecx
//0x10(%esp,%ebx,4)=ecx
8048e87: 83 f9 01 cmp $0x1,%ecx //ecx与1比较
8048e8a: 7e e4 jle 8048e70 <phase_6+0x7f> //小于等于1则跳转
8048e8c: b8 01 00 00 00 mov $0x1,%eax
8048e91: ba 3c c1 04 08 mov $0x804c13c,%edx
8048e96: eb cc jmp 8048e64 <phase_6+0x73>
8048e98: 8b 5c 24 28 mov 0x28(%esp),%ebx //%ebx=0x28(%esp)
8048e9c: 8d 44 24 2c lea 0x2c(%esp),%eax //%eax地址指向0x2c(%esp)
8048ea0: 8d 74 24 40 lea 0x40(%esp),%esi //%esi地址指向0x40(%esp)
8048ea4: 89 d9 mov %ebx,%ecx //ecx=ebx
8048ea6: 8b 10 mov (%eax),%edx //edx=(%eax)
8048ea8: 89 51 08 mov %edx,0x8(%ecx) //0x8(%ecx)=edx
8048eab: 83 c0 04 add $0x4,%eax //eax+4
8048eae: 39 f0 cmp %esi,%eax //比较esi和eax
8048eb4: eb f0 jmp 8048ea6 <phase_6+0xb5>
8048eb6: c7 42 08 00 00 00 00 movl $0x0,0x8(%edx) //0x8(%edx)=0
8048ebd: be 05 00 00 00 mov $0x5,%esi //esi=5
8048ec2: 8b 43 08 mov 0x8(%ebx),%eax //eax=0x8(%ebx)
8048ec5: 8b 00 mov (%eax),%eax //eax=(%eax)
8048ec7: 39 03 cmp %eax,(%ebx) // 比较%eax,(%ebx)
8048ec9: 7d 05 jge 8048ed0 <phase_6+0xdf> //前者大于等于后者则跳转
8048ecb: e8 85 02 00 00 call 8049155 <explode_bomb>
8048ed0: 8b 5b 08 mov 0x8(%ebx),%ebx //ebx=0x8(%ebx)
8048ed3: 83 ee 01 sub $0x1,%esi //esi减1
8048ed6: 75 ea jne 8048ec2 <phase_6+0xd1> //不相等跳转
8048ed8: 83 c4 44 add $0x44,%esp
8048edb: 5b pop %ebx
8048edc: 5e pop %esi
8048edd: c3 ret
对这个程序进行了简单的分析,里面很多跳转语句,做一个总结归纳。
汇编语言之跳转命令
-
je :jump if equal
前面等于后面时跳转
-
jne:jump if not equal
前面不等于后面时跳转
-
jle:jump if not less or equal
前面小于等于后面时跳转
-
jge :jump if not greater or equal
前面大于等于后面时跳转