Bomb LAB

南京航空航天大学计算机组成原理课程实验二Bomb LAB

各阶段考察关键

每个炸弹阶段考察机器级语言程序不同方面,难度递增
阶段1:字符串比较
阶段2:循环
阶段3:条件/分支:含switch语句
阶段4:递归调用和栈
阶段5:指针
阶段6:链表/指针/结构
隐藏阶段,第4阶段的之后附加一特定字符串后才会出现

phase_1

1
2
3
4
5
6
7
8
9
10
11
12
0x08048b30 <+0>:     push   %ebp
0x08048b31 <+1>: mov %esp,%ebp
0x08048b33 <+3>: sub $0x10,%esp
0x08048b36 <+6>: push $0x804a03c
0x08048b3b <+11>: pushl 0x8(%ebp)
0x08048b3e <+14>: call 0x8048fdd <strings_not_equal>
0x08048b43 <+19>: add $0x10,%esp
0x08048b46 <+22>: test %eax,%eax
0x08048b48 <+24>: je 0x8048b4f <phase_1+31>
0x08048b4a <+26>: call 0x80490e0 <explode_bomb>
0x08048b4f <+31>: leave
0x08048b50 <+32>: ret

注意到strings_not_equal说明要字符串比较,使用gdb输入x/s 0x804a03c得到结果

phase_2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
0x08048b51 <+0>:	push   %ebp
0x08048b52 <+1>: mov %esp,%ebp
0x08048b54 <+3>: push %esi
0x08048b55 <+4>: push %ebx
0x08048b56 <+5>: sub $0x28,%esp
0x08048b59 <+8>: mov %gs:0x14,%eax
0x08048b5f <+14>: mov %eax,-0xc(%ebp)
0x08048b62 <+17>: xor %eax,%eax
0x08048b64 <+19>: lea -0x24(%ebp),%eax
0x08048b67 <+22>: push %eax
0x08048b68 <+23>: pushl 0x8(%ebp)
0x08048b6b <+26>: call 0x8049108 <read_six_numbers>
0x08048b70 <+31>: add $0x10,%esp
0x08048b73 <+34>: cmpl $0x0,-0x24(%ebp)
0x08048b77 <+38>: jne 0x8048b7f <phase_2+46>
0x08048b79 <+40>: cmpl $0x1,-0x20(%ebp)
0x08048b7d <+44>: je 0x8048b84 <phase_2+51>
0x08048b7f <+46>: call 0x80490e0 <explode_bomb>
0x08048b84 <+51>: lea -0x24(%ebp),%ebx
0x08048b87 <+54>: lea -0x14(%ebp),%esi
0x08048b8a <+57>: mov 0x4(%ebx),%eax
0x08048b8d <+60>: add (%ebx),%eax
0x08048b8f <+62>: cmp %eax,0x8(%ebx)
0x08048b92 <+65>: je 0x8048b99 <phase_2+72>
0x08048b94 <+67>: call 0x80490e0 <explode_bomb>
0x08048b99 <+72>: add $0x4,%ebx
0x08048b9c <+75>: cmp %esi,%ebx
0x08048b9e <+77>: jne 0x8048b8a <phase_2+57>
0x08048ba0 <+79>: mov -0xc(%ebp),%eax
0x08048ba3 <+82>: xor %gs:0x14,%eax
0x08048baa <+89>: je 0x8048bb1 <phase_2+96>
0x08048bac <+91>: call 0x8048790 <__stack_chk_fail@plt>
0x08048bb1 <+96>: lea -0x8(%ebp),%esp
0x08048bb4 <+99>: pop %ebx
0x08048bb5 <+100>: pop %esi
0x08048bb6 <+101>: pop %ebp
0x08048bb7 <+102>: ret

注意到read_six_numbers说明要读入六个数字
前两个数为0和1
Ebp-24是输入的第一个数,ebp-14是输入的最后一个数
注意到phase_2+0x39说明要循环比较,当esi=ebx时循环终止
重点是395-397行,知道数列递推规律是an=a(n-1)+a(n-2)
得到结果为0 1 1 2 3 5

phase_3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
0x08048bb8 <+0>:	    push   %ebp
0x08048bb9 <+1>: mov %esp,%ebp
0x08048bbb <+3>: sub $0x18,%esp
0x08048bbe <+6>: mov %gs:0x14,%eax
0x08048bc4 <+12>: mov %eax,-0xc(%ebp)
0x08048bc7 <+15>: xor %eax,%eax
0x08048bc9 <+17>: lea -0x10(%ebp),%eax
0x08048bcc <+20>: push %eax
0x08048bcd <+21>: lea -0x14(%ebp),%eax
0x08048bd0 <+24>: push %eax
0x08048bd1 <+25>: push $0x804a1db
0x08048bd6 <+30>: pushl 0x8(%ebp)
0x08048bd9 <+33>: call 0x8048810 <__isoc99_sscanf@plt>
0x08048bde <+38>: add $0x10,%esp
0x08048be1 <+41>: cmp $0x1,%eax
0x08048be4 <+44>: jg 0x8048beb <phase_3+51>
0x08048be6 <+46>: call 0x80490e0 <explode_bomb>
0x08048beb <+51>: cmpl $0x7,-0x14(%ebp)
0x08048bef <+55>: ja 0x8048c2c <phase_3+116>
0x08048bf1 <+57>: mov -0x14(%ebp),%eax
0x08048bf4 <+60>: jmp *0x804a09c(,%eax,4)
0x08048bfb <+67>: mov $0x23c,%eax
0x08048c00 <+72>: jmp 0x8048c3d <phase_3+133>
0x08048c02 <+74>: mov $0x143,%eax
0x08048c07 <+79>: jmp 0x8048c3d <phase_3+133>
0x08048c09 <+81>: mov $0x298,%eax
0x08048c0e <+86>: jmp 0x8048c3d <phase_3+133>
0x08048c10 <+88>: mov $0x30d,%eax
0x08048c15 <+93>: jmp 0x8048c3d <phase_3+133>
0x08048c17 <+95>: mov $0xbb,%eax
0x08048c1c <+100>: jmp 0x8048c3d <phase_3+133>
0x08048c1e <+102>: mov $0xe7,%eax
0x08048c23 <+107>: jmp 0x8048c3d <phase_3+133>
0x08048c25 <+109>: mov $0x242,%eax
0x08048c2a <+114>: jmp 0x8048c3d <phase_3+133>
0x08048c2c <+116>: call 0x80490e0 <explode_bomb>
0x08048c31 <+121>: mov $0x0,%eax
0x08048c36 <+126>: jmp 0x8048c3d <phase_3+133>
0x08048c38 <+128>: mov $0x1a1,%eax
0x08048c3d <+133>: cmp -0x10(%ebp),%eax
0x08048c40 <+136>: je 0x8048c47 <phase_3+143>
0x08048c42 <+138>: call 0x80490e0 <explode_bomb>
0x08048c47 <+143>: mov -0xc(%ebp),%eax
0x08048c4a <+146>: xor %gs:0x14,%eax
0x08048c51 <+153>: je 0x8048c58 <phase_3+160>
0x08048c53 <+155>: call 0x8048790 <__stack_chk_fail@plt>
0x08048c58 <+160>: leave
0x08048c59 <+161>: ret

注意到426行调用到标准输入,424行地址0x804a1db表示输入格式

以及428 429行说明输入两个十进制数字
Ebp-14是输入的第一个数地址,ebp-10是输入第二个数地址
由431 432知第一个数为0-7
之后跳转到0x804a09c+4*eax
选择其中一条分支,由435行得知分支1对应0x23C,即十进制572

附IDA图示

phase_4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
func4:
0x08048c5a <+0>: push %ebp
0x08048c5b <+1>: mov %esp,%ebp
0x08048c5d <+3>: push %edi
0x08048c5e <+4>: push %esi
0x08048c5f <+5>: push %ebx
0x08048c60 <+6>: sub $0xc,%esp
0x08048c63 <+9>: mov 0x8(%ebp),%ebx
0x08048c66 <+12>: mov 0xc(%ebp),%edi
0x08048c69 <+15>: test %ebx,%ebx
0x08048c6b <+17>: jle 0x8048c98 <func4+62>
0x08048c6d <+19>: mov %edi,%eax
0x08048c6f <+21>: cmp $0x1,%ebx
0x08048c72 <+24>: je 0x8048c9d <func4+67>
0x08048c74 <+26>: sub $0x8,%esp
0x08048c77 <+29>: push %edi
0x08048c78 <+30>: lea -0x1(%ebx),%eax
0x08048c7b <+33>: push %eax
0x08048c7c <+34>: call 0x8048c5a <func4>
0x08048c81 <+39>: add $0x8,%esp
0x08048c84 <+42>: lea (%edi,%eax,1),%esi
0x08048c87 <+45>: push %edi
0x08048c88 <+46>: sub $0x2,%ebx
0x08048c8b <+49>: push %ebx
0x08048c8c <+50>: call 0x8048c5a <func4>
0x08048c91 <+55>: add $0x10,%esp
0x08048c94 <+58>: add %esi,%eax
0x08048c96 <+60>: jmp 0x8048c9d <func4+67>
0x08048c98 <+62>: mov $0x0,%eax
0x08048c9d <+67>: lea -0xc(%ebp),%esp
0x08048ca0 <+70>: pop %ebx
0x08048ca1 <+71>: pop %esi
0x08048ca2 <+72>: pop %edi
0x08048ca3 <+73>: pop %ebp
0x08048ca4 <+74>: ret

phase_4:
0x08048ca5 <+0>: push %ebp
0x08048ca6 <+1>: mov %esp,%ebp
0x08048ca8 <+3>: sub $0x18,%esp
0x08048cab <+6>: mov %gs:0x14,%eax
0x08048cb1 <+12>: mov %eax,-0xc(%ebp)
0x08048cb4 <+15>: xor %eax,%eax
0x08048cb6 <+17>: lea -0x14(%ebp),%eax
0x08048cb9 <+20>: push %eax
0x08048cba <+21>: lea -0x10(%ebp),%eax
0x08048cbd <+24>: push %eax
0x08048cbe <+25>: push $0x804a1db
0x08048cc3 <+30>: pushl 0x8(%ebp)
0x08048cc6 <+33>: call 0x8048810 <__isoc99_sscanf@plt>
0x08048ccb <+38>: add $0x10,%esp
0x08048cce <+41>: cmp $0x2,%eax
0x08048cd1 <+44>: jne 0x8048cde <phase_4+57>
0x08048cd3 <+46>: mov -0x14(%ebp),%eax
0x08048cd6 <+49>: sub $0x2,%eax
0x08048cd9 <+52>: cmp $0x2,%eax
0x08048cdc <+55>: jbe 0x8048ce3 <phase_4+62>
0x08048cde <+57>: call 0x80490e0 <explode_bomb>
0x08048ce3 <+62>: sub $0x8,%esp
0x08048ce6 <+65>: pushl -0x14(%ebp)
0x08048ce9 <+68>: push $0x9
0x08048ceb <+70>: call 0x8048c5a <func4>
0x08048cf0 <+75>: add $0x10,%esp
0x08048cf3 <+78>: cmp -0x10(%ebp),%eax
0x08048cf6 <+81>: je 0x8048cfd <phase_4+88>
0x08048cf8 <+83>: call 0x80490e0 <explode_bomb>
0x08048cfd <+88>: mov -0xc(%ebp),%eax
0x08048d00 <+91>: xor %gs:0x14,%eax
0x08048d07 <+98>: je 0x8048d0e <phase_4+105>
0x08048d09 <+100>: call 0x8048790 <__stack_chk_fail@plt>
0x08048d0e <+105>: leave
0x08048d0f <+106>: ret

同样输入格式是两个十进制数
ebp-10是第一个数,ebp-14是第二个数
由516-519行知第二个数不大于4
由522和523行知以第二个数与9作为参数调用递归函数
由526行知第一个数为递归调用后eax的值

用IDA分析递归函数

edi是第一个参数,ebx是第二个参数,最终计算得出的eax与第一个数比较
f5一键转c语言

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
int __cdecl func4(int a1, int a2)
{
int result; // eax@2
int v3; // esi@3

if ( a1 <= 0 )
{
result = 0;
}
else
{
result = a2;
if ( a1 != 1 )
{
v3 = a2 + func4(a1 - 1, a2);
result = v3 + func4(a1 - 2, a2);
}
}
return result;
}

另法:shell脚本爆破

1
2
3
4
5
6
7
8
9
#!/bin/bash
for j in `seq 0 5`; do
for i in `seq 0 500`; do
echo "$i $j" >> solution.txt
./bomb solution.txt
sed -i '4d' solution.txt
echo "i=$i j=$j">>out.txt
done
done

运行脚本,将输出重定位到out.txt文件

用gdb扫一下答案正确时的打印语句

然后到out.txt文件搜索该语句

找到几组答案:
176 2
264 3
352 4

phase_5

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
0x08048d10 <+0>: 	push   %ebp
0x08048d11 <+1>: mov %esp,%ebp
0x08048d13 <+3>: push %ebx
0x08048d14 <+4>: sub $0x20,%esp
0x08048d17 <+7>: mov 0x8(%ebp),%ebx
0x08048d1a <+10>: mov %gs:0x14,%eax
0x08048d20 <+16>: mov %eax,-0xc(%ebp)
0x08048d23 <+19>: xor %eax,%eax
0x08048d25 <+21>: push %ebx
0x08048d26 <+22>: call 0x8048fbb <string_length>
0x08048d2b <+27>: add $0x10,%esp
0x08048d2e <+30>: cmp $0x6,%eax
0x08048d31 <+33>: je 0x8048d38 <phase_5+40>
0x08048d33 <+35>: call 0x80490e0 <explode_bomb>
0x08048d38 <+40>: mov $0x0,%eax
0x08048d3d <+45>: movzbl (%ebx,%eax,1),%edx
0x08048d41 <+49>: and $0xf,%edx
0x08048d44 <+52>: movzbl 0x804a0bc(%edx),%edx
0x08048d4b <+59>: mov %dl,-0x13(%ebp,%eax,1)
0x08048d4f <+63>: add $0x1,%eax
0x08048d52 <+66>: cmp $0x6,%eax
0x08048d55 <+69>: jne 0x8048d3d <phase_5+45>
0x08048d57 <+71>: movb $0x0,-0xd(%ebp)
0x08048d5b <+75>: sub $0x8,%esp
0x08048d5e <+78>: push $0x804a092
0x08048d63 <+83>: lea -0x13(%ebp),%eax
0x08048d66 <+86>: push %eax
0x08048d67 <+87>: call 0x8048fdd <strings_not_equal>
0x08048d6c <+92>: add $0x10,%esp
0x08048d6f <+95>: test %eax,%eax
0x08048d71 <+97>: je 0x8048d78 <phase_5+104>
0x08048d73 <+99>: call 0x80490e0 <explode_bomb>
0x08048d78 <+104>: mov -0xc(%ebp),%eax
0x08048d7b <+107>: xor %gs:0x14,%eax
0x08048d82 <+114>: je 0x8048d89 <phase_5+121>
0x08048d84 <+116>: call 0x8048790 <__stack_chk_fail@plt>
0x08048d89 <+121>: mov -0x4(%ebp),%ebx
0x08048d8c <+124>: leave
0x08048d8d <+125>: ret

由546-549行知要求输入6个字符
由552-558行知以输入字符ASCII码的低4位作为索引取数,eax为循环的累加计数器
扫描0x804a0bc处的内存发现是包含16个元素的数组

扫描0x804a092处是一个字符串

每个字符索引值为9 15 14 5 6 7十六进制为:
1001 1111 1110 0101 0110 0111

对应上表找出符合要求的一种答案ionevw

phase_6

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
   0x08048d8e <+0>: 	push   %ebp
0x08048d8f <+1>: mov %esp,%ebp
0x08048d91 <+3>: push %esi
0x08048d92 <+4>: push %ebx
0x08048d93 <+5>: sub $0x48,%esp
0x08048d96 <+8>: mov %gs:0x14,%eax
0x08048d9c <+14>: mov %eax,-0xc(%ebp)
0x08048d9f <+17>: xor %eax,%eax
0x08048da1 <+19>: lea -0x3c(%ebp),%eax
0x08048da4 <+22>: push %eax
0x08048da5 <+23>: pushl 0x8(%ebp)
0x08048da8 <+26>: call 0x8049108 <read_six_numbers>
0x08048dad <+31>: add $0x10,%esp
0x08048db0 <+34>: mov $0x0,%esi
0x08048db5 <+39>: mov -0x3c(%ebp,%esi,4),%eax
0x08048db9 <+43>: sub $0x1,%eax
0x08048dbc <+46>: cmp $0x5,%eax
0x08048dbf <+49>: jbe 0x8048dc6 <phase_6+56>
0x08048dc1 <+51>: call 0x80490e0 <explode_bomb>
0x08048dc6 <+56>: add $0x1,%esi
0x08048dc9 <+59>: cmp $0x6,%esi
0x08048dcc <+62>: je 0x8048de9 <phase_6+91>
0x08048dce <+64>: mov %esi,%ebx
0x08048dd0 <+66>: mov -0x3c(%ebp,%ebx,4),%eax
0x08048dd4 <+70>: cmp %eax,-0x40(%ebp,%esi,4)
0x08048dd8 <+74>: jne 0x8048ddf <phase_6+81>
0x08048dda <+76>: call 0x80490e0 <explode_bomb>
0x08048ddf <+81>: add $0x1,%ebx
0x08048de2 <+84>: cmp $0x5,%ebx
0x08048de5 <+87>: jle 0x8048dd0 <phase_6+66>
0x08048de7 <+89>: jmp 0x8048db5 <phase_6+39>
0x08048de9 <+91>: lea -0x3c(%ebp),%eax
0x08048dec <+94>: lea -0x24(%ebp),%ebx
0x08048def <+97>: mov $0x7,%ecx
0x08048df4 <+102>: mov %ecx,%edx
0x08048df6 <+104>: sub (%eax),%edx
0x08048df8 <+106>: mov %edx,(%eax)
0x08048dfa <+108>: add $0x4,%eax
0x08048dfd <+111>: cmp %eax,%ebx
0x08048dff <+113>: jne 0x8048df4 <phase_6+102>
0x08048e01 <+115>: mov $0x0,%ebx
0x08048e06 <+120>: jmp 0x8048e1e <phase_6+144>
0x08048e08 <+122>: mov 0x8(%edx),%edx
0x08048e0b <+125>: add $0x1,%eax
0x08048e0e <+128>: cmp %ecx,%eax
0x08048e10 <+130>: jne 0x8048e08 <phase_6+122>
0x08048e12 <+132>: mov %edx,-0x24(%ebp,%esi,4)
0x08048e16 <+136>: add $0x1,%ebx
0x08048e19 <+139>: cmp $0x6,%ebx
0x08048e1c <+142>: je 0x8048e35 <phase_6+167>
0x08048e1e <+144>: mov %ebx,%esi
0x08048e20 <+146>: mov -0x3c(%ebp,%ebx,4),%ecx
0x08048e24 <+150>: mov $0x1,%eax
0x08048e29 <+155>: mov $0x804c13c,%edx
0x08048e2e <+160>: cmp $0x1,%ecx
0x08048e31 <+163>: jg 0x8048e08 <phase_6+122>
0x08048e33 <+165>: jmp 0x8048e12 <phase_6+132>
---Type <return> to continue, or q <return> to quit---
0x08048e35 <+167>: mov -0x24(%ebp),%ebx
0x08048e38 <+170>: lea -0x24(%ebp),%eax
0x08048e3b <+173>: lea -0x10(%ebp),%esi
0x08048e3e <+176>: mov %ebx,%ecx
0x08048e40 <+178>: mov 0x4(%eax),%edx
0x08048e43 <+181>: mov %edx,0x8(%ecx)
0x08048e46 <+184>: add $0x4,%eax
0x08048e49 <+187>: mov %edx,%ecx
0x08048e4b <+189>: cmp %eax,%esi
0x08048e4d <+191>: jne 0x8048e40 <phase_6+178>
0x08048e4f <+193>: movl $0x0,0x8(%edx)
0x08048e56 <+200>: mov $0x5,%esi
0x08048e5b <+205>: mov 0x8(%ebx),%eax
0x08048e5e <+208>: mov (%eax),%eax
0x08048e60 <+210>: cmp %eax,(%ebx)
0x08048e62 <+212>: jge 0x8048e69 <phase_6+219>
0x08048e64 <+214>: call 0x80490e0 <explode_bomb>
0x08048e69 <+219>: mov 0x8(%ebx),%ebx
0x08048e6c <+222>: sub $0x1,%esi
0x08048e6f <+225>: jne 0x8048e5b <phase_6+205>
0x08048e71 <+227>: mov -0xc(%ebp),%eax
0x08048e74 <+230>: xor %gs:0x14,%eax
0x08048e7b <+237>: je 0x8048e82 <phase_6+244>
0x08048e7d <+239>: call 0x8048790 <__stack_chk_fail@plt>
0x08048e82 <+244>: lea -0x8(%ebp),%esp
0x08048e85 <+247>: pop %ebx
0x08048e86 <+248>: pop %esi
0x08048e87 <+249>: pop %ebp
0x08048e88 <+250>: ret

注意到一个特殊地址,扫描得到链表信息

看一下链表操作,输入符合要求一个1-6的不重复排列即可

另法,shell脚本爆破,最笨也就6^6种情况233具体方法同上

secret_phase

查看phase_defused发现一个特殊的地址

Gdb扫过后得知是输入格式

只有第四题有类似输入格式
于是尝试在第四题答案后加上DrEvil

进入隐藏关卡

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
0x08048edb <+0>: 	push   %ebp
0x08048edc <+1>: mov %esp,%ebp
0x08048ede <+3>: push %ebx
0x08048edf <+4>: sub $0x4,%esp
0x08048ee2 <+7>: call 0x8049142 <read_line>
0x08048ee7 <+12>: sub $0x4,%esp
0x08048eea <+15>: push $0xa
0x08048eec <+17>: push $0x0
0x08048eee <+19>: push %eax
0x08048eef <+20>: call 0x8048880 <strtol@plt>
0x08048ef4 <+25>: mov %eax,%ebx
0x08048ef6 <+27>: lea -0x1(%eax),%eax
0x08048ef9 <+30>: add $0x10,%esp
0x08048efc <+33>: cmp $0x3e8,%eax
0x08048f01 <+38>: jbe 0x8048f08 <secret_phase+45>
0x08048f03 <+40>: call 0x80490e0 <explode_bomb>
0x08048f08 <+45>: sub $0x8,%esp
0x08048f0b <+48>: push %ebx
0x08048f0c <+49>: push $0x804c088
0x08048f11 <+54>: call 0x8048e89 <fun7>
0x08048f16 <+59>: add $0x10,%esp
0x08048f19 <+62>: cmp $0x2,%eax
0x08048f1c <+65>: je 0x8048f23 <secret_phase+72>
0x08048f1e <+67>: call 0x80490e0 <explode_bomb>
0x08048f23 <+72>: sub $0xc,%esp
0x08048f26 <+75>: push $0x804a06c
0x08048f2b <+80>: call 0x80487c0 <puts@plt>
0x08048f30 <+85>: call 0x8049245 <phase_defused>
0x08048f35 <+90>: add $0x10,%esp
0x08048f38 <+93>: mov -0x4(%ebp),%ebx
0x08048f3b <+96>: leave
0x08048f3c <+97>: ret

由711 713行得知要求输入一个数,该数减一必须小于等于1000,然后将其作为参数调用func7函数,返回值必须等于2
IDA f5大法

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
int secret_phase()
{
const char *v0; // eax@1
int v1; // ecx@1
__int32 v2; // ebx@1
int v3; // ecx@3

v0 = (const char *)read_line();
v2 = strtol(v0, 0, 10);
if ( (unsigned int)(v2 - 1) > 0x3E8 )
explode_bomb(v1);
if ( fun7(&n1, v2) != 2 )
explode_bomb(v3);
puts("Wow! You've defused the secret stage!");
return phase_defused();
}

注意到679行func7的第一个参数是一个地址
扫描得二叉树信息


根据递归规律得出两组答案
20 22
通关截图

×

纯属好玩

扫码支持
扫码打赏,你说多少就多少

打开支付宝扫一扫,即可进行扫码打赏哦

文章目录
  1. 1. 各阶段考察关键
  2. 2. phase_1
  3. 3. phase_2
  4. 4. phase_3
  5. 5. phase_4
  6. 6. phase_5
  7. 7. phase_6
  8. 8. secret_phase