本实验在32位Linux虚拟机中完成(点击查看安装教程)
实验内容
二进制炸弹实际是由C语言源程序生成的可执行目标代码,主程序可参考bomb.c。运行时,会按次序提示用户输入3个不同的字符串。如果输入的字符串有误,炸弹就会“爆炸”,输出一条错误信息。必须通过对可执行程序反汇编和逆向工程判断应该是哪3个数据串,从而拆除“炸弹”。
通过分析对C语言源代码生成的可执行程序进行反汇编得到的汇编代码,在实践中加深对C语言和汇编语言关联的认识。
实验过程和结果
本实验一共有30个bomb文件夹,根据学号计算我要拆26号--bomb26
打开虚拟机开始拆炸弹,设置中开启拖放和复制粘贴
选中要拆的炸弹bomb26文件夹,复制,在虚拟机桌面上右键粘贴进来
在左上角点击,搜索终端(Terminal)打开,进入文件夹
里面有三个文件,查看要拆的炸弹为2、3、6
使用objdump -d bomb > 1.txt将反汇编的内容输出到1.txt文本文档中方便查看
打开1.txt向下找到phase_2开始分析
0804906e <phase_2>:804906e: 53 push %ebx804906f: 83 ec 30 sub $0x30,%esp8049072: 8d 44 24 10 lea 0x10(%esp),%eax8049076: 50 push %eax8049077: ff 74 24 3c pushl 0x3c(%esp)804907b: e8 f2 08 00 00 call 8049972 <read_six_numbers>8049080: 83 c4 10 add $0x10,%esp8049083: 83 7c 24 08 01 cmpl $0x1,0x8(%esp)8049088: 74 0d je 8049097 <phase_2+0x29>804908a: 83 ec 0c sub $0xc,%esp804908d: 6a 02 push $0x2804908f: e8 b9 08 00 00 call 804994d <explode_bomb>8049094: 83 c4 10 add $0x10,%esp8049097: bb 01 00 00 00 mov $0x1,%ebx804909c: 89 d8 mov %ebx,%eax804909e: 83 c3 01 add $0x1,%ebx80490a1: 89 da mov %ebx,%edx80490a3: 0f af 54 84 04 imul 0x4(%esp,%eax,4),%edx80490a8: 39 54 84 08 cmp %edx,0x8(%esp,%eax,4)80490ac: 74 0d je 80490bb <phase_2+0x4d>80490ae: 83 ec 0c sub $0xc,%esp80490b1: 6a 02 push $0x280490b3: e8 95 08 00 00 call 804994d <explode_bomb>80490b8: 83 c4 10 add $0x10,%esp80490bb: 83 fb 06 cmp $0x6,%ebx80490be: 75 dc jne 804909c <phase_2+0x2e>80490c0: 83 c4 28 add $0x28,%esp80490c3: 5b pop %ebx80490c4: c3 ret
通过汇编程序可知<read_six_numbers>要输入六个数字,由下方cmpl $0x1,0x8(%esp)可知第一个数是1,不等于1则爆炸。然后进入循环,由imul 0x4(%esp,%eax,4),%edx和cmp %edx,0x8(%esp,%eax,4) 分析可知要输入的数字为上一个数乘以循环次数,(汇编指令imul 0x4(%esp,%eax,4),%edx与%esp+%eax*4+0x4形式相同,此指令和cmp %edx,0x8(%esp,%eax,4)表示要输入的数为前一个数字*循环次数,相等则继续,否则爆炸,共循环6次)即a[n]=a[n-1]*循环次数(2≤n≤6,a[1]=1),循环次数为%ebx,然后赋值给%edx,循环结束后可得六个数字为1 2 6 24 120 720
输入进行验证,炸弹2拆除成功
继续在1.txt中找到phase_3
080490c5 <phase_3>:80490c5: 83 ec 28 sub $0x28,%esp80490c8: 8d 44 24 14 lea 0x14(%esp),%eax80490cc: 50 push %eax80490cd: 8d 44 24 17 lea 0x17(%esp),%eax80490d1: 50 push %eax80490d2: 8d 44 24 20 lea 0x20(%esp),%eax80490d6: 50 push %eax80490d7: 68 d6 9e 04 08 push $0x8049ed680490dc: ff 74 24 3c pushl 0x3c(%esp)80490e0: e8 6b f8 ff ff call 8048950 <__isoc99_sscanf@plt>80490e5: 83 c4 20 add $0x20,%esp80490e8: 83 f8 02 cmp $0x2,%eax80490eb: 7f 0d jg 80490fa <phase_3+0x35>80490ed: 83 ec 0c sub $0xc,%esp80490f0: 6a 03 push $0x380490f2: e8 56 08 00 00 call 804994d <explode_bomb>80490f7: 83 c4 10 add $0x10,%esp80490fa: 83 7c 24 0c 07 cmpl $0x7,0xc(%esp)80490ff: 0f 87 43 01 00 00 ja 8049248 <phase_3+0x183>8049105: 8b 44 24 0c mov 0xc(%esp),%eax8049109: ff 24 85 e0 9e 04 08 jmp *0x8049ee0(,%eax,4)8049110: b8 77 00 00 00 mov $0x77,%eax8049115: 81 7c 24 08 51 02 00 cmpl $0x251,0x8(%esp)804911c: 00 804911d: 0f 84 37 01 00 00 je 804925a <phase_3+0x195>8049123: 83 ec 0c sub $0xc,%esp8049126: 6a 03 push $0x38049128: e8 20 08 00 00 call 804994d <explode_bomb>804912d: 83 c4 10 add $0x10,%esp8049130: b8 77 00 00 00 mov $0x77,%eax8049135: e9 20 01 00 00 jmp 804925a <phase_3+0x195>804913a: b8 76 00 00 00 mov $0x76,%eax804913f: 81 7c 24 08 b6 01 00 cmpl $0x1b6,0x8(%esp)8049146: 00 8049147: 0f 84 0d 01 00 00 je 804925a <phase_3+0x195>804914d: 83 ec 0c sub $0xc,%esp8049150: 6a 03 push $0x38049152: e8 f6 07 00 00 call 804994d <explode_bomb>8049157: 83 c4 10 add $0x10,%esp804915a: b8 76 00 00 00 mov $0x76,%eax804915f: e9 f6 00 00 00 jmp 804925a <phase_3+0x195>8049164: b8 67 00 00 00 mov $0x67,%eax8049169: 81 7c 24 08 b4 03 00 cmpl $0x3b4,0x8(%esp)8049170: 00 8049171: 0f 84 e3 00 00 00 je 804925a <phase_3+0x195>8049177: 83 ec 0c sub $0xc,%esp804917a: 6a 03 push $0x3804917c: e8 cc 07 00 00 call 804994d <explode_bomb>8049181: 83 c4 10 add $0x10,%esp8049184: b8 67 00 00 00 mov $0x67,%eax8049189: e9 cc 00 00 00 jmp 804925a <phase_3+0x195>804918e: b8 63 00 00 00 mov $0x63,%eax8049193: 81 7c 24 08 87 01 00 cmpl $0x187,0x8(%esp)804919a: 00 804919b: 0f 84 b9 00 00 00 je 804925a <phase_3+0x195>80491a1: 83 ec 0c sub $0xc,%esp80491a4: 6a 03 push $0x380491a6: e8 a2 07 00 00 call 804994d <explode_bomb>80491ab: 83 c4 10 add $0x10,%esp80491ae: b8 63 00 00 00 mov $0x63,%eax80491b3: e9 a2 00 00 00 jmp 804925a <phase_3+0x195>80491b8: b8 64 00 00 00 mov $0x64,%eax80491bd: 81 7c 24 08 46 02 00 cmpl $0x246,0x8(%esp)80491c4: 00 80491c5: 0f 84 8f 00 00 00 je 804925a <phase_3+0x195>80491cb: 83 ec 0c sub $0xc,%esp80491ce: 6a 03 push $0x380491d0: e8 78 07 00 00 call 804994d <explode_bomb>80491d5: 83 c4 10 add $0x10,%esp80491d8: b8 64 00 00 00 mov $0x64,%eax80491dd: eb 7b jmp 804925a <phase_3+0x195>80491df: b8 6c 00 00 00 mov $0x6c,%eax80491e4: 81 7c 24 08 3d 01 00 cmpl $0x13d,0x8(%esp)80491eb: 00 80491ec: 74 6c je 804925a <phase_3+0x195>80491ee: 83 ec 0c sub $0xc,%esp80491f1: 6a 03 push $0x380491f3: e8 55 07 00 00 call 804994d <explode_bomb>80491f8: 83 c4 10 add $0x10,%esp80491fb: b8 6c 00 00 00 mov $0x6c,%eax8049200: eb 58 jmp 804925a <phase_3+0x195>8049202: b8 73 00 00 00 mov $0x73,%eax8049207: 81 7c 24 08 3c 03 00 cmpl $0x33c,0x8(%esp)804920e: 00 804920f: 74 49 je 804925a <phase_3+0x195>8049211: 83 ec 0c sub $0xc,%esp8049214: 6a 03 push $0x38049216: e8 32 07 00 00 call 804994d <explode_bomb>804921b: 83 c4 10 add $0x10,%esp804921e: b8 73 00 00 00 mov $0x73,%eax8049223: eb 35 jmp 804925a <phase_3+0x195>8049225: b8 6b 00 00 00 mov $0x6b,%eax804922a: 81 7c 24 08 97 02 00 cmpl $0x297,0x8(%esp)8049231: 00 8049232: 74 26 je 804925a <phase_3+0x195>8049234: 83 ec 0c sub $0xc,%esp8049237: 6a 03 push $0x38049239: e8 0f 07 00 00 call 804994d <explode_bomb>804923e: 83 c4 10 add $0x10,%esp8049241: b8 6b 00 00 00 mov $0x6b,%eax8049246: eb 12 jmp 804925a <phase_3+0x195>8049248: 83 ec 0c sub $0xc,%esp804924b: 6a 03 push $0x3804924d: e8 fb 06 00 00 call 804994d <explode_bomb>8049252: 83 c4 10 add $0x10,%esp8049255: b8 6b 00 00 00 mov $0x6b,%eax804925a: 3a 44 24 07 cmp 0x7(%esp),%al804925e: 74 0d je 804926d <phase_3+0x1a8>8049260: 83 ec 0c sub $0xc,%esp8049263: 6a 03 push $0x38049265: e8 e3 06 00 00 call 804994d <explode_bomb>804926a: 83 c4 10 add $0x10,%esp804926d: 83 c4 1c add $0x1c,%esp8049270: c3 ret
使用x/s查看0x8049ed6中的内容得知要输入三个数据,一个整数,一个字符,一个整数
由cmpl $0x7,0xc(%esp)可知第一个数字小于7这里取0。然后有jmp *0x8049ee0(,%eax,4),此处为switch语句,查看地址为0x8049110
下方mov $0x77,%eax和cmpl $0x251,0x8(%esp)等于则跳转表示%esp+8的值要等于251H,十进制为593。然后跳转到0x804925a进行 cmp 0x7(%esp),%al表示%esp+7的值等于AL的值则跳转,AL中的值为77H,为’w’的ASCII码。所以要输入的两个数字和一个字符为0 w 593
输入进行验证,炸弹3拆除成功
继续向下找到phase_6
080493b0 <phase_6>:80493b0: 83 ec 10 sub $0x10,%esp80493b3: 6a 0a push $0xa80493b5: 6a 00 push $0x080493b7: ff 74 24 1c pushl 0x1c(%esp)80493bb: e8 f0 f5 ff ff call 80489b0 <strtol@plt>80493c0: a3 74 c1 04 08 mov %eax,0x804c17480493c5: c7 04 24 74 c1 04 08 movl $0x804c174,(%esp)80493cc: e8 88 ff ff ff call 8049359 <fun6>80493d1: 8b 40 08 mov 0x8(%eax),%eax80493d4: 8b 40 08 mov 0x8(%eax),%eax80493d7: 8b 40 08 mov 0x8(%eax),%eax80493da: 8b 40 08 mov 0x8(%eax),%eax80493dd: 83 c4 10 add $0x10,%esp80493e0: 8b 15 74 c1 04 08 mov 0x804c174,%edx80493e6: 39 10 cmp %edx,(%eax)80493e8: 74 0d je 80493f7 <phase_6+0x47>80493ea: 83 ec 0c sub $0xc,%esp80493ed: 6a 06 push $0x680493ef: e8 59 05 00 00 call 804994d <explode_bomb>80493f4: 83 c4 10 add $0x10,%esp80493f7: 83 c4 0c add $0xc,%esp80493fa: c3 ret
还有一个fun6
08049359 <fun6>:8049359: 56 push %esi804935a: 53 push %ebx804935b: 8b 44 24 0c mov 0xc(%esp),%eax804935f: 8b 70 08 mov 0x8(%eax),%esi8049362: c7 40 08 00 00 00 00 movl $0x0,0x8(%eax)8049369: 89 c2 mov %eax,%edx804936b: 85 f6 test %esi,%esi804936d: 75 2c jne 804939b <fun6+0x42>804936f: eb 3c jmp 80493ad <fun6+0x54>8049371: 89 d1 mov %edx,%ecx8049373: 8b 51 08 mov 0x8(%ecx),%edx8049376: 85 d2 test %edx,%edx8049378: 74 08 je 8049382 <fun6+0x29>804937a: 39 1a cmp %ebx,(%edx)804937c: 7f f3 jg 8049371 <fun6+0x18>804937e: eb 02 jmp 8049382 <fun6+0x29>8049380: 89 c1 mov %eax,%ecx8049382: 39 d1 cmp %edx,%ecx8049384: 74 05 je 804938b <fun6+0x32>8049386: 89 71 08 mov %esi,0x8(%ecx)8049389: eb 02 jmp 804938d <fun6+0x34>804938b: 89 f0 mov %esi,%eax804938d: 8b 4e 08 mov 0x8(%esi),%ecx8049390: 89 56 08 mov %edx,0x8(%esi)8049393: 85 c9 test %ecx,%ecx8049395: 74 16 je 80493ad <fun6+0x54>8049397: 89 ce mov %ecx,%esi8049399: 89 c2 mov %eax,%edx804939b: 85 d2 test %edx,%edx804939d: 74 e1 je 8049380 <fun6+0x27>804939f: 8b 1e mov (%esi),%ebx80493a1: 89 c1 mov %eax,%ecx80493a3: 39 1a cmp %ebx,(%edx)80493a5: 7f cc jg 8049373 <fun6+0x1a>80493a7: 89 c2 mov %eax,%edx80493a9: 89 f0 mov %esi,%eax80493ab: eb e0 jmp 804938d <fun6+0x34>80493ad: 5b pop %ebx80493ae: 5e pop %esi80493af: c3 ret
<strtol@plt>输入并读取一行字符,将字符转换为长整型,并规定了长整型的大小。可能是链表结构,头节点为0x804c174,判断输入的数字是否和调用函数fun6返回的值相等,相等则成功拆除,不相等则炸弹爆炸。使用指令查看节点中的内容并继续查看后续节点
由后续4个mov 0x8(%eax),%eax和mov 0x804c174,%edx和cmp %edx,(%eax)可知要输入的值为0x804c1a4中的内容270H,转换成十进制为624
输入进行验证,炸弹6拆除成功
到此为止,2、3、6炸弹全部拆除成功
最后
phase_3中,有多个结果都正确,因为第一个输入的数字不同,跳转到的地址不同,所有的结果如下:
0 w(77H) 593(251H)
1 v(76H) 438(1B6H)
2 g(67H) 948(3B4H)
3 c(63H) 391(187H)
4 d(64H) 582(246H)
5 l(6CH) 317(13DH)
6 s(73H) 828(33CH)
7 k(6BH) 663(297H)
phase_6中,即使没有分析出结果,不知道要输入哪个节点中的内容,还可以一个一个查看,全部试一遍也能找到答案(虽然不建议这样做)