CSAPP Lab: Binary Bomb
Contents
- bomb
- Phase 1
- Phase 2
- Phase 3
- Note
- Phase 4
- func4
- Phase 5
- Phase 6
bomb
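Running bomb shows that there are 6 phases in total. Here we run gdb to debug it.
Phase 1
| Register | Purpose |
| --- | --- |
| rax | Holds the return value |
| rbx | Holds function call arguments |
| rcx | Holds an argument |
| rdx | Holds an argument |
| rsi | Holds an argument |
| rdi | Holds an argument |
| rbp | Holds the address of the calling function |
| rsp | Stack register |
| r8 | Holds an argument |
| r9 | Holds an argument |
Elevate privileges and then start debugging with gdb. Next, set a breakpoint on the Phase 1 function; the function name can be found in the cpp file.
Run `break phase_1` and then `run`, then use `disas` to view the corresponding assembly. `disas phase_1` works here too: execution has already stopped inside the function, so it makes no difference whether the function name is given. Then look at this:
```
0x0000000000400ee0 <+0>: sub $0x8,%rsp
0x0000000000400ee4 <+4>: mov $0x402400,%esi
0x0000000000400ee9 <+9>: callq 0x401338 <strings_not_equal>
0x0000000000400eee <+14>: test %eax,%eax
0x0000000000400ef0 <+16>: je 0x400ef7 <phase_1+23>
0x0000000000400ef2 <+18>: callq 0x40143a <explode_bomb>
0x0000000000400ef7 <+23>: add $0x8,%rsp
0x0000000000400efb <+27>: retq
```
Use `stepi` to single-step into the code, then inspect the registers, because the function called next checks whether the input string matches the expected string.
After running `info registers`, the output turns out not to be in the form we want...
Then run `x /s $rdi` and `x /s $rsi`.
This shows the string Border relations with Canada have never been better., which we then enter as the input.
Phase 1 is cleared.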
Phase 2
Run `break phase_2` and then `run`, enter the Phase 1 answer, and the Phase 2 assembly appears as follows:
```
   0x0000000000400efc <+0>: push %rbp
   0x0000000000400efd <+1>: push %rbx
   0x0000000000400efe <+2>: sub $0x28,%rsp
   0x0000000000400f02 <+6>: mov %rsp,%rsi
=> 0x0000000000400f05 <+9>: callq 0x40145c <read_six_numbers>
   0x0000000000400f0a <+14>: cmpl $0x1,(%rsp)
   0x0000000000400f0e <+18>: je 0x400f30 <phase_2+52>
   0x0000000000400f10 <+20>: callq 0x40143a <explode_bomb>
   0x0000000000400f15 <+25>: jmp 0x400f30 <phase_2+52>
   0x0000000000400f17 <+27>: mov -0x4(%rbx),%eax
   0x0000000000400f1a <+30>: add %eax,%eax
   0x0000000000400f1c <+32>: cmp %eax,(%rbx)
   0x0000000000400f1e <+34>: je 0x400f25 <phase_2+41>
   0x0000000000400f20 <+36>: callq 0x40143a <explode_bomb>
   0x0000000000400f25 <+41>: add $0x4,%rbx
   0x0000000000400f29 <+45>: cmp %rbp,%rbx
   0x0000000000400f2c <+48>: jne 0x400f17 <phase_2+27>
   0x0000000000400f2e <+50>: jmp 0x400f3c <phase_2+64>
   0x0000000000400f30 <+52>: lea 0x4(%rsp),%rbx
   0x0000000000400f35 <+57>: lea 0x18(%rsp),%rbp
   0x0000000000400f3a <+62>: jmp 0x400f17 <phase_2+27>
   0x0000000000400f3c <+64>: add $0x28,%rsp
   0x0000000000400f40 <+68>: pop %rbx
   0x0000000000400f41 <+69>: pop %rbp
   0x0000000000400f42 <+70>: retq
```
Execution is currently at the call to read_six_numbers, which reads in the input data. A series of checks follows:
```
0x0000000000400f0a <+14>: cmpl $0x1,(%rsp)
0x0000000000400f0e <+18>: je 0x400f30 <phase_2+52>
0x0000000000400f10 <+20>: callq 0x40143a <explode_bomb>
0x0000000000400f15 <+25>: jmp 0x400f30 <phase_2+52>
0x0000000000400f17 <+27>: mov -0x4(%rbx),%eax
0x0000000000400f1a <+30>: add %eax,%eax
0x0000000000400f1c <+32>: cmp %eax,(%rbx)
0x0000000000400f1e <+34>: je 0x400f25 <phase_2+41>
0x0000000000400f20 <+36>: callq 0x40143a <explode_bomb>
0x0000000000400f25 <+41>: add $0x4,%rbx
0x0000000000400f29 <+45>: cmp %rbp,%rbx
0x0000000000400f2c <+48>: jne 0x400f17 <phase_2+27>
0x0000000000400f2e <+50>: jmp 0x400f3c <phase_2+64>
0x0000000000400f30 <+52>: lea 0x4(%rsp),%rbx
0x0000000000400f35 <+57>: lea 0x18(%rsp),%rbp
0x0000000000400f3a <+62>: jmp 0x400f17 <phase_2+27>
0x0000000000400f3c <+64>: add $0x28,%rsp
0x0000000000400f40 <+68>: pop %rbx
0x0000000000400f41 <+69>: pop %rbp
0x0000000000400f42 <+70>: retq
```
The instruction `cmpl $0x1,(%rsp)` shows that the first value is 1; the starting state is as shown in the figure below:
Some versions of this problem turn out to be a Fibonacci sequence, but in mine each number is twice the previous one. The key instruction is:
```
add %eax,%eax
```
The instruction `0x0000000000400f29 <+45>: cmp %rbp,%rbx` decides whether the end of the input has been reached. You can also step into the function at 0x40145c to check.
Look here:
There are six %d conversions; of course, you can also just notice the "six" in the function name (there are many ways to find this out, and they all come to the same thing).
The answer is 1 2 4 8 16 32
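The Phase 2 check rebuilt in C, as an added example that is not code from the original post. The name phase2_ok is made up here, and the example assumes that read_six_numbers fails when fewer than six integers are parsed, which the page does not show.

```c
#include <stdio.h>

/* Added reconstruction of the phase_2 check (phase2_ok is a made-up name).
 * Returns 1 if the line passes, 0 where the bomb would call explode_bomb. */
int phase2_ok(const char *line)
{
    int n[6];                                   /* the six ints at (%rsp) */

    /* read_six_numbers: six %d conversions.
     * Assumption: fewer than six parsed values counts as a failure. */
    if (sscanf(line, "%d %d %d %d %d %d",
               &n[0], &n[1], &n[2], &n[3], &n[4], &n[5]) < 6)
        return 0;

    if (n[0] != 1)                              /* cmpl $0x1,(%rsp) */
        return 0;

    /* <+52>: rbx = rsp+0x4 (second value); <+57>: rbp = rsp+0x18 (end) */
    for (const int *rbx = n + 1, *rbp = n + 6; rbx != rbp; rbx++) {
        int eax = rbx[-1];                      /* mov -0x4(%rbx),%eax */
        eax += eax;                             /* add %eax,%eax       */
        if (eax != *rbx)                        /* cmp %eax,(%rbx)     */
            return 0;
    }
    return 1;
}

int main(void)
{
    printf("%d\n", phase2_ok("1 2 4 8 16 32"));  /* answer from the text  */
    printf("%d\n", phase2_ok("1 1 2 3 5 8"));    /* Fibonacci-style input */
    return 0;
}
```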
Phase 3
```
help x
Examine memory: x/FMT ADDRESS.
ADDRESS is an expression for the memory address to examine.
FMT is a repeat count followed by a format letter and a size letter.
Format letters are o(octal), x(hex), d(decimal), u(unsigned decimal),
  t(binary), f(float), a(address), i(instruction), c(char), s(string)
  and z(hex, zero padded on the left).
Size letters are b(byte), h(halfword), w(word), g(giant, 8 bytes).
The specified number of objects of the specified size are printed
according to the format.

Defaults for format and size letters are those previously used.
Default count is 1. Default address is following last thing printed
with this command or "print".
```
Using the debugging techniques above, debug Phase 3:
```
0x0000000000400f43 <+0>: sub $0x18,%rsp
0x0000000000400f47 <+4>: lea 0xc(%rsp),%rcx
0x0000000000400f4c <+9>: lea 0x8(%rsp),%rdx
0x0000000000400f51 <+14>: mov $0x4025cf,%esi
0x0000000000400f56 <+19>: mov $0x0,%eax
0x0000000000400f5b <+24>: callq 0x400bf0 <__isoc99_sscanf@plt>
0x0000000000400f60 <+29>: cmp $0x1,%eax
0x0000000000400f63 <+32>: jg 0x400f6a <phase_3+39>
0x0000000000400f65 <+34>: callq 0x40143a <explode_bomb>
0x0000000000400f6a <+39>: cmpl $0x7,0x8(%rsp)
0x0000000000400f6f <+44>: ja 0x400fad <phase_3+106>
0x0000000000400f71 <+46>: mov 0x8(%rsp),%eax
0x0000000000400f75 <+50>: jmpq *0x402470(,%rax,8)
0x0000000000400f7c <+57>: mov $0xcf,%eax
0x0000000000400f81 <+62>: jmp 0x400fbe <phase_3+123>
0x0000000000400f83 <+64>: mov $0x2c3,%eax
0x0000000000400f88 <+69>: jmp 0x400fbe <phase_3+123>
0x0000000000400f8a <+71>: mov $0x100,%eax
0x0000000000400f8f <+76>: jmp 0x400fbe <phase_3+123>
0x0000000000400f91 <+78>: mov $0x185,%eax
0x0000000000400f96 <+83>: jmp 0x400fbe <phase_3+123>
0x0000000000400f98 <+85>: mov $0xce,%eax
0x0000000000400f9d <+90>: jmp 0x400fbe <phase_3+123>
0x0000000000400f9f <+92>: mov $0x2aa,%eax
0x0000000000400fa4 <+97>: jmp 0x400fbe <phase_3+123>
0x0000000000400fa6 <+99>: mov $0x147,%eax
0x0000000000400fab <+104>: jmp 0x400fbe <phase_3+123>
0x0000000000400fad <+106>: callq 0x40143a <explode_bomb>
0x0000000000400fb2 <+111>: mov $0x0,%eax
0x0000000000400fb7 <+116>: jmp 0x400fbe <phase_3+123>
0x0000000000400fb9 <+118>: mov $0x137,%eax
0x0000000000400fbe <+123>: cmp 0xc(%rsp),%eax
0x0000000000400fc2 <+127>: je 0x400fc9 <phase_3+134>
0x0000000000400fc4 <+129>: callq 0x40143a <explode_bomb>
0x0000000000400fc9 <+134>: add $0x18,%rsp
0x0000000000400fcd <+138>: retq
```
From this we can see that the input must be two integers.
This line checks the number of input values: if it is not greater than 1, the program exits immediately.
```
cmp $0x1,%eax
```
Note
A reminder: to step over the scanf call use `ni`; to step into it use `stepi`. Both can be followed by a number (the step count).
The next line checks the first argument:
```
cmpl $0x7,0x8(%rsp)
```
If it is greater than 7, the code ends immediately. The line after that is:
```
jmpq *0x402470(,%rax,8)
```
Its target has to be computed. The calculation rules are as follows:
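| Form | Meaning |
| --- | --- |
| r1 | The contents stored in the register |
| $Imm | An immediate, i.e. the value shown is used directly |
| Imm | The contents of memory at address Imm |
| (r1) | The contents of the register are used as the address |
| Imm(r1) | The contents of the register plus Imm are used as the address |
| (r1,r2) | The contents of the two registers are added to form the address |
| Imm(r1,r2) | Imm+r1+r2 is used as the address |
| (,r1,4) | The contents of r1 times 4 are used as the address |
| Imm(,r1,4) | Imm+r1*4 is used as the address |
| (r1,r2,4) | r1+r2*4 is used as the address |
| Imm(r1,r2,4) | Imm+r1+r2*4 is used as the address |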
Here the calculation is 0x402470+rax*8, so debug to find out what rax holds.
When execution reaches this point, use the command `x /d $rax`.
rax equals 7, so we compute 0x402470+56. 56 is 0x38 in hexadecimal, which gives 0x4024a8. Because of the leading `*`, the contents at that address are fetched. Next, run:
```
x /gx 0x4024a8
```
So execution jumps to 0x400fa6:
```
0x0000000000400fa6 <+99>: mov $0x147,%eax
0x0000000000400fab <+104>: jmp 0x400fbe <phase_3+123>
0x0000000000400fad <+106>: callq 0x40143a <explode_bomb>
0x0000000000400fb2 <+111>: mov $0x0,%eax
0x0000000000400fb7 <+116>: jmp 0x400fbe <phase_3+123>
0x0000000000400fb9 <+118>: mov $0x137,%eax
0x0000000000400fbe <+123>: cmp 0xc(%rsp),%eax
```
From this we find that the second number is 0x147, which is 327 in decimal, so the two numbers are 7 327
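The addressing rules in the table above, applied to `jmpq *0x402470(,%rax,8)` and to other operands from these listings, as an added example that is not part of the original post. The function names and the register snapshot are made up for illustration; only rax = 7 comes from the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct reg { const char *name; uint64_t value; };
/* Constructed register snapshot: rax = 7 as in the text; rbx, rsp made up. */
static const struct reg SAMPLE_REGS[] = {
    { "rax", 7 }, { "rbx", 0x1000 }, { "rsp", 0x2000 },
};
#define SAMPLE_COUNT (sizeof SAMPLE_REGS / sizeof SAMPLE_REGS[0])

/* Read "%name" at *pp, step past it, return its value (0 if not listed). */
static uint64_t take_reg(const char **pp, const struct reg *regs, size_t n)
{
    const char *name = *pp + 1;              /* skip '%' */
    size_t len = strcspn(name, ",)");
    *pp = name + len;
    for (size_t i = 0; i < n; i++)
        if (strlen(regs[i].name) == len && !strncmp(regs[i].name, name, len))
            return regs[i].value;
    return 0;
}

/* Evaluate an AT&T operand Imm(base,index,scale); each part is optional,
 * which covers every memory form in the table above. */
uint64_t effective_address(const char *op, const struct reg *regs, size_t n)
{
    char *end;
    uint64_t imm = strtoull(op, &end, 0);    /* 0 when Imm is absent */
    uint64_t base = 0, index = 0, scale = 1;
    const char *p = end;

    if (*p != '(') return imm;               /* bare Imm: an absolute address */
    p++;
    if (*p == '%') base = take_reg(&p, regs, n);
    if (*p == ',') {
        p++;
        if (*p == '%') index = take_reg(&p, regs, n);
        if (*p == ',') scale = strtoull(p + 1, NULL, 0);
    }
    return imm + base + index * scale;
}

int main(void)
{
    uint64_t slot = effective_address("0x402470(,%rax,8)", SAMPLE_REGS, SAMPLE_COUNT);
    printf("jump-table slot: %#llx\n", (unsigned long long)slot);  /* 0x4024a8 */
    return 0;
}
```

The result is the address of the jump-table slot; the `*` in the jmpq then loads the 8-byte target stored there, which is the value `x /gx 0x4024a8` displays.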
Phase 4
```
0x000000000040100c <+0>: sub $0x18,%rsp
0x0000000000401010 <+4>: lea 0xc(%rsp),%rcx
0x0000000000401015 <+9>: lea 0x8(%rsp),%rdx
0x000000000040101a <+14>: mov $0x4025cf,%esi
0x000000000040101f <+19>: mov $0x0,%eax
0x0000000000401024 <+24>: callq 0x400bf0 <__isoc99_sscanf@plt>
0x0000000000401029 <+29>: cmp $0x2,%eax
0x000000000040102c <+32>: jne 0x401035 <phase_4+41>
0x000000000040102e <+34>: cmpl $0xe,0x8(%rsp)
0x0000000000401033 <+39>: jbe 0x40103a <phase_4+46>
0x0000000000401035 <+41>: callq 0x40143a <explode_bomb>
0x000000000040103a <+46>: mov $0xe,%edx
0x000000000040103f <+51>: mov $0x0,%esi
0x0000000000401044 <+56>: mov 0x8(%rsp),%edi
0x0000000000401048 <+60>: callq 0x400fce <func4>
0x000000000040104d <+65>: test %eax,%eax
0x000000000040104f <+67>: jne 0x401058 <phase_4+76>
0x0000000000401051 <+69>: cmpl $0x0,0xc(%rsp)
0x0000000000401056 <+74>: je 0x40105d <phase_4+81>
0x0000000000401058 <+76>: callq 0x40143a <explode_bomb>
0x000000000040105d <+81>: add $0x18,%rsp
0x0000000000401061 <+85>: retq
```
Examining the string stored at 0x4025cf gives:
So our input is again two numbers.
This checks whether the number of input values is 2 (it must be 2, otherwise there is no way to proceed). Then these two lines:
```
0x000000000040102e <+34>: cmpl $0xe,0x8(%rsp)
0x0000000000401033 <+39>: jbe 0x40103a <phase_4+46>
```
The first line is clearly a comparison. The jbe (jump if below or equal) after it checks whether the value is less than or equal to 0xe and jumps if it is. Then:
```
0x0000000000401051 <+69>: cmpl $0x0,0xc(%rsp)
0x0000000000401056 <+74>: je 0x40105d <phase_4+81>
```
This checks the second argument, which must be 0. For the first argument we still have to look at:
```
0x0000000000401048 <+60>: callq 0x400fce <func4>
```
The three arguments passed in are as follows:
```
0x000000000040103a <+46>: mov $0xe,%edx
0x000000000040103f <+51>: mov $0x0,%esi
0x0000000000401044 <+56>: mov 0x8(%rsp),%edi
```
edx holds 14, esi holds 0, and the value at rsp+8 (the first argument) is placed in edi. Here the first argument I entered is decimal 10.
func4
The code of func4:
```
Dump of assembler code for function func4:
=> 0x0000000000400fce <+0>: sub $0x8,%rsp
   0x0000000000400fd2 <+4>: mov %edx,%eax
   0x0000000000400fd4 <+6>: sub %esi,%eax
   0x0000000000400fd6 <+8>: mov %eax,%ecx
   0x0000000000400fd8 <+10>: shr $0x1f,%ecx
   0x0000000000400fdb <+13>: add %ecx,%eax
   0x0000000000400fdd <+15>: sar %eax
   0x0000000000400fdf <+17>: lea (%rax,%rsi,1),%ecx
   0x0000000000400fe2 <+20>: cmp %edi,%ecx
   0x0000000000400fe4 <+22>: jle 0x400ff2 <func4+36>
   0x0000000000400fe6 <+24>: lea -0x1(%rcx),%edx
   0x0000000000400fe9 <+27>: callq 0x400fce <func4>
   0x0000000000400fee <+32>: add %eax,%eax
   0x0000000000400ff0 <+34>: jmp 0x401007 <func4+57>
   0x0000000000400ff2 <+36>: mov $0x0,%eax
   0x0000000000400ff7 <+41>: cmp %edi,%ecx
   0x0000000000400ff9 <+43>: jge 0x401007 <func4+57>
   0x0000000000400ffb <+45>: lea 0x1(%rcx),%esi
   0x0000000000400ffe <+48>: callq 0x400fce <func4>
   0x0000000000401003 <+53>: lea 0x1(%rax,%rax,1),%eax
   0x0000000000401007 <+57>: add $0x8,%rsp
   0x000000000040100b <+61>: retq
```
shr is a logical right shift.
```
0x0000000000400fd2 <+4>: mov %edx,%eax
0x0000000000400fd4 <+6>: sub %esi,%eax
0x0000000000400fd6 <+8>: mov %eax,%ecx
```
edx originally holds 14 and esi holds 0; after these instructions, ecx holds 14.
```
0x0000000000400fd8 <+10>: shr $0x1f,%ecx
```
ecx is shifted right by 0x1f, i.e. by 31 bits, so ecx is now 0.
```
0x0000000000400fdb <+13>: add %ecx,%eax
0x0000000000400fdd <+15>: sar %eax
```
sar has only one operand here because the shift count defaults to 1. 14 shifted right by 1 bit, i.e. 1110 shifted right by one, becomes 111, so eax is now 7.
rax+rsi is assigned to ecx; the form (%rax,%rsi,1) means rax+rsi*1.
```
0x0000000000400fe2 <+20>: cmp %edi,%ecx
0x0000000000400fe4 <+22>: jle 0x400ff2 <func4+36>
0x0000000000400fe6 <+24>: lea -0x1(%rcx),%edx
0x0000000000400fe9 <+27>: callq 0x400fce <func4>
0x0000000000400fee <+32>: add %eax,%eax
0x0000000000400ff0 <+34>: jmp 0x401007 <func4+57>
0x0000000000400ff2 <+36>: mov $0x0,%eax
0x0000000000400ff7 <+41>: cmp %edi,%ecx
0x0000000000400ff9 <+43>: jge 0x401007 <func4+57>
```
Now ecx is compared with edi; jle means jump if less or equal. The value at rsp+8 (the first argument) was placed in edi, and ecx is rax+rsi (7+0). If the condition holds, execution jumps to:
```
0x0000000000400ff2 <+36>: mov $0x0,%eax
0x0000000000400ff7 <+41>: cmp %edi,%ecx
0x0000000000400ff9 <+43>: jge 0x401007 <func4+57>
```
jge means jump if greater or equal. Having passed the less-or-equal test, the code now tests greater-or-equal, which means ecx and edi must be equal. ecx works out to 7, so the Phase 4 answer is 7 0
Recursion is also involved here. Converted to C++ code:
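An added C reconstruction (also valid C++, and not the original post's code), built from the func4 and phase_4 disassembly above. The name phase4_ok is made up for this example, and it covers only the checks made after sscanf has returned 2.

```c
#include <stdio.h>

/* func4(edi = x, esi = lo, edx = hi), rebuilt from the disassembly above. */
int func4(int x, int lo, int hi)
{
    /* sub / shr $0x1f / add / sar: (hi - lo) / 2, rounded toward zero */
    int mid = lo + (hi - lo) / 2;               /* lea (%rax,%rsi,1),%ecx */

    if (mid > x)                                /* jle at <+22> not taken */
        return 2 * func4(x, lo, mid - 1);       /* add %eax,%eax          */
    if (mid < x)                                /* jge at <+43> not taken */
        return 2 * func4(x, mid + 1, hi) + 1;   /* lea 0x1(%rax,%rax,1)   */
    return 0;                                   /* mid == x               */
}

/* Hypothetical helper: the checks phase_4 makes on the two parsed values. */
int phase4_ok(int first, int second)
{
    if ((unsigned)first > 0xe)                  /* cmpl $0xe ; jbe is unsigned */
        return 0;
    if (func4(first, 0, 0xe) != 0)              /* test %eax,%eax ; jne        */
        return 0;
    return second == 0;                         /* cmpl $0x0,0xc(%rsp)         */
}

int main(void)
{
    for (int first = 0; first <= 0xe; first++)
        printf("first=%2d func4=%2d %s\n", first, func4(first, 0, 0xe),
               phase4_ok(first, 0) ? "passes" : "explodes");
    return 0;
}
```

Running it lists 0, 1, 3 and 7 as first values for which func4 returns 0, so 7 is one of several accepted inputs; the value 10 used while tracing returns 5.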
Phase 5
Break in as usual:
```
Dump of assembler code for function phase_5:
=> 0x0000000000401062 <+0>: push %rbx
   0x0000000000401063 <+1>: sub $0x20,%rsp
   0x0000000000401067 <+5>: mov %rdi,%rbx
   0x000000000040106a <+8>: mov %fs:0x28,%rax
   0x0000000000401073 <+17>: mov %rax,0x18(%rsp)
   0x0000000000401078 <+22>: xor %eax,%eax
   0x000000000040107a <+24>: callq 0x40131b <string_length>
   0x000000000040107f <+29>: cmp $0x6,%eax
   0x0000000000401082 <+32>: je 0x4010d2 <phase_5+112>
   0x0000000000401084 <+34>: callq 0x40143a <explode_bomb>
   0x0000000000401089 <+39>: jmp 0x4010d2 <phase_5+112>
   0x000000000040108b <+41>: movzbl (%rbx,%rax,1),%ecx
   0x000000000040108f <+45>: mov %cl,(%rsp)
   0x0000000000401092 <+48>: mov (%rsp),%rdx
   0x0000000000401096 <+52>: and $0xf,%edx
   0x0000000000401099 <+55>: movzbl 0x4024b0(%rdx),%edx
   0x00000000004010a0 <+62>: mov %dl,0x10(%rsp,%rax,1)
   0x00000000004010a4 <+66>: add $0x1,%rax
   0x00000000004010a8 <+70>: cmp $0x6,%rax
   0x00000000004010ac <+74>: jne 0x40108b <phase_5+41>
   0x00000000004010ae <+76>: movb $0x0,0x16(%rsp)
   0x00000000004010b3 <+81>: mov $0x40245e,%esi
   0x00000000004010b8 <+86>: lea 0x10(%rsp),%rdi
   0x00000000004010bd <+91>: callq 0x401338 <strings_not_equal>
   0x00000000004010c2 <+96>: test %eax,%eax
   0x00000000004010c4 <+98>: je 0x4010d9 <phase_5+119>
   0x00000000004010c6 <+100>: callq 0x40143a <explode_bomb>
   0x00000000004010cb <+105>: nopl 0x0(%rax,%rax,1)
   0x00000000004010d0 <+110>: jmp 0x4010d9 <phase_5+119>
   0x00000000004010d2 <+112>: mov $0x0,%eax
   0x00000000004010d7 <+117>: jmp 0x40108b <phase_5+41>
   0x00000000004010d9 <+119>: mov 0x18(%rsp),%rax
   0x00000000004010de <+124>: xor %fs:0x28,%rax
   0x00000000004010e7 <+133>: je 0x4010ee <phase_5+140>
   0x00000000004010e9 <+135>: callq 0x400b30 <__stack_chk_fail@plt>
   0x00000000004010ee <+140>: add $0x20,%rsp
   0x00000000004010f2 <+144>: pop %rbx
   0x00000000004010f3 <+145>: retq
```
102 121 114 108 101 115
maduiersnfotvbylSo
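(Note: only the low four bits are used, so choose accordingly.)
So the low four bits work out to 9 15 14 5 6 7. Any input string whose characters have these low four bits will do (that is, the low four bits are 1001 1111 1110 0101 0110 0111).
The input I used here, for 9 15 14 5 6 7, is ionuvw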
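The phase_5 loop rebuilt in C, as an added example that is not code from the original post. It assumes that the first 16 characters of the string shown above are the lookup table read by `movzbl 0x4024b0(%rdx),%edx`; the function names are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* From the page: the first 16 characters of the dumped string (assumed to
 * be the table at 0x4024b0) and the low-nibble sequence 9 15 14 5 6 7. */
static const char TABLE[] = "maduiersnfotvbyl";
static const int NIBBLES[6] = { 9, 15, 14, 5, 6, 7 };

/* Loop at <+41>..<+74>: out[i] = TABLE[in[i] & 0xf]; NUL stored at <+76>. */
void phase5_transform(const char *in, char out[7])
{
    for (int i = 0; i < 6; i++)
        out[i] = TABLE[(unsigned char)in[i] & 0xf];
    out[6] = '\0';
}

/* The comparison string implied by TABLE and NIBBLES. */
void phase5_target(char out[7])
{
    for (int i = 0; i < 6; i++)
        out[i] = TABLE[NIBBLES[i]];
    out[6] = '\0';
}

/* 1 if the input passes: length 6 and the transformed text equals the target. */
int phase5_ok(const char *in)
{
    char got[7], want[7];
    if (strlen(in) != 6)                    /* string_length ; cmp $0x6,%eax */
        return 0;
    phase5_transform(in, got);
    phase5_target(want);
    return strcmp(got, want) == 0;          /* strings_not_equal returned 0  */
}

/* Only the low nibble matters, so 0x60 | nibble is one printable choice. */
void phase5_make_input(char out[7])
{
    for (int i = 0; i < 6; i++)
        out[i] = (char)(0x60 | NIBBLES[i]);
    out[6] = '\0';
}

int main(void)
{
    char s[7];
    phase5_make_input(s);
    printf("%s -> %d, ionuvw -> %d\n", s, phase5_ok(s), phase5_ok("ionuvw"));
    return 0;
}
```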
Phase 6
```
0x00000000004010f4 <+0>: push %r14
0x00000000004010f6 <+2>: push %r13
0x00000000004010f8 <+4>: push %r12
0x00000000004010fa <+6>: push %rbp
0x00000000004010fb <+7>: push %rbx
0x00000000004010fc <+8>: sub $0x50,%rsp
0x0000000000401100 <+12>: mov %rsp,%r13
0x0000000000401103 <+15>: mov %rsp,%rsi
0x0000000000401106 <+18>: callq 0x40145c <read_six_numbers>
0x000000000040110b <+23>: mov %rsp,%r14
0x000000000040110e <+26>: mov $0x0,%r12d
0x0000000000401114 <+32>: mov %r13,%rbp
0x0000000000401117 <+35>: mov 0x0(%r13),%eax
0x000000000040111b <+39>: sub $0x1,%eax
0x000000000040111e <+42>: cmp $0x5,%eax
0x0000000000401121 <+45>: jbe 0x401128 <phase_6+52>
0x0000000000401123 <+47>: callq 0x40143a <explode_bomb>
0x0000000000401128 <+52>: add $0x1,%r12d
0x000000000040112c <+56>: cmp $0x6,%r12d
0x0000000000401130 <+60>: je 0x401153 <phase_6+95>
0x0000000000401132 <+62>: mov %r12d,%ebx
0x0000000000401135 <+65>: movslq %ebx,%rax
0x0000000000401138 <+68>: mov (%rsp,%rax,4),%eax
0x000000000040113b <+71>: cmp %eax,0x0(%rbp)
0x000000000040113e <+74>: jne 0x401145 <phase_6+81>
0x0000000000401140 <+76>: callq 0x40143a <explode_bomb>
0x0000000000401145 <+81>: add $0x1,%ebx
0x0000000000401148 <+84>: cmp $0x5,%ebx
0x000000000040114b <+87>: jle 0x401135 <phase_6+65>
0x000000000040114d <+89>: add $0x4,%r13
0x0000000000401151 <+93>: jmp 0x401114 <phase_6+32>
0x0000000000401153 <+95>: lea 0x18(%rsp),%rsi
0x0000000000401158 <+100>: mov %r14,%rax
0x000000000040115b <+103>: mov $0x7,%ecx
0x0000000000401160 <+108>: mov %ecx,%edx
0x0000000000401162 <+110>: sub (%rax),%edx
0x0000000000401164 <+112>: mov %edx,(%rax)
0x0000000000401166 <+114>: add $0x4,%rax
0x000000000040116a <+118>: cmp %rsi,%rax
0x000000000040116d <+121>: jne 0x401160 <phase_6+108>
0x000000000040116f <+123>: mov $0x0,%esi
0x0000000000401174 <+128>: jmp 0x401197 <phase_6+163>
0x0000000000401176 <+130>: mov 0x8(%rdx),%rdx
0x000000000040117a <+134>: add $0x1,%eax
0x000000000040117d <+137>: cmp %ecx,%eax
0x000000000040117f <+139>: jne 0x401176 <phase_6+130>
0x0000000000401181 <+141>: jmp 0x401188 <phase_6+148>
0x0000000000401183 <+143>: mov $0x6032d0,%edx
0x0000000000401188 <+148>: mov %rdx,0x20(%rsp,%rsi,2)
0x000000000040118d <+153>: add $0x4,%rsi
0x0000000000401191 <+157>: cmp $0x18,%rsi
0x0000000000401195 <+161>: je 0x4011ab <phase_6+183>
0x0000000000401197 <+163>: mov (%rsp,%rsi,1),%ecx
0x000000000040119a <+166>: cmp $0x1,%ecx
0x000000000040119d <+169>: jle 0x401183 <phase_6+143>
0x000000000040119f <+171>: mov $0x1,%eax
0x00000000004011a4 <+176>: mov $0x6032d0,%edx
0x00000000004011a9 <+181>: jmp 0x401176 <phase_6+130>
0x00000000004011ab <+183>: mov 0x20(%rsp),%rbx
0x00000000004011b0 <+188>: lea 0x28(%rsp),%rax
0x00000000004011b5 <+193>: lea 0x50(%rsp),%rsi
0x00000000004011ba <+198>: mov %rbx,%rcx
0x00000000004011bd <+201>: mov (%rax),%rdx
0x00000000004011c0 <+204>: mov %rdx,0x8(%rcx)
0x00000000004011c4 <+208>: add $0x8,%rax
0x00000000004011c8 <+212>: cmp %rsi,%rax
0x00000000004011cb <+215>: je 0x4011d2 <phase_6+222>
0x00000000004011cd <+217>: mov %rdx,%rcx
0x00000000004011d0 <+220>: jmp 0x4011bd <phase_6+201>
0x00000000004011d2 <+222>: movq $0x0,0x8(%rdx)
0x00000000004011da <+230>: mov $0x5,%ebp
0x00000000004011df <+235>: mov 0x8(%rbx),%rax
0x00000000004011e3 <+239>: mov (%rax),%eax
0x00000000004011e5 <+241>: cmp %eax,(%rbx)
0x00000000004011e7 <+243>: jge 0x4011ee <phase_6+250>
0x00000000004011e9 <+245>: callq 0x40143a <explode_bomb>
0x00000000004011ee <+250>: mov 0x8(%rbx),%rbx
0x00000000004011f2 <+254>: sub $0x1,%ebp
0x00000000004011f5 <+257>: jne 0x4011df <phase_6+235>
0x00000000004011f7 <+259>: add $0x50,%rsp
0x00000000004011fb <+263>: pop %rbx
0x00000000004011fc <+264>: pop %rbp
0x00000000004011fd <+265>: pop %r12
0x00000000004011ff <+267>: pop %r13
0x0000000000401201 <+269>: pop %r14
0x0000000000401203 <+271>: retq
```