CSAPP bomb lab4
Phase4 Assembler code:
000000000040100c <phase_4>:
40100c: 48 83 ec 18 sub $0x18,%rsp #rsp-=0x18
401010: 48 8d 4c 24 0c lea 0xc(%rsp),%rcx #rcx=rsp+0xc
401015: 48 8d 54 24 08 lea 0x8(%rsp),%rdx #rdx=rsp+0x8
40101a: be cf 25 40 00 mov $0x4025cf,%esi #rsi=0x4025cf
40101f: b8 00 00 00 00 mov $0x0,%eax #eax=0
401024: e8 c7 fb ff ff callq 400bF0 <__isoc99_sscanf@plt> # query (GDB)x/1s 0x4025cfHave to"%d %d", sosscanftwointInteger of type, number1X of the data stored in0x8RSP (%), the first2Y is stored in0xc(%rsp)
401029: 83 f8 02 cmp $0x2,%eax
40102c: 75 07 jne 401035 <phase_4+0x29> #if(rax! =2)->bomb()
40102e: 83 7c 24 08 0e cmpl $0xe.0x8(%rsp) #else
401033: 76 05 jbe 40103a <phase_4+0x2e> #if(0 =<x<=0xe)->{40103a}
401035: e8 00 04 00 00 callq 40143a <explode_bomb> #else bomb()
40103a: ba 0e 00 00 00 mov $0xe,%edx #edx=0xe
40103f: be 00 00 00 00 mov $0x0,%esi #esi=0
401044: 8b 7c 24 08 mov 0x8(%rsp),%edi #edi=x
401048: e8 81 ff ff ff callq 400fce <func4>
40104d: 85 c0 test %eax,%eax
40104f: 75 07 jne 401058 <phase_4+0x4c> #if(Return value! =0)->bomb()
401051: 83 7c 24 0c 00 cmpl $0x0.0xc(%rsp) #else
401056: 74 05 je 40105d <phase_4+0x51> #if(y! =0)->bomb()
401058: e8 dd 03 00 00 callq 40143a <explode_bomb> #else
40105d: 48 83 c4 18 add $0x18, % RSP # - > successCopy the code
Phase_4 ideas:
Call func4 (ssACNF (Input,”%d %d”,&x,&y), must be successfully entered into &x and &y, must make x>=0 && x<= 0xE, and then set parameters 1:edi=x, 2: ESI =0, 3:edx=0xe to call func4. The return value must be 0 and y must be 0. Therefore, the value of y is determined to be 0, and the value of x is between 0 and 0xe. The exact feasible solution needs to be analyzed by Func4 ().
The C code is written as:
void func4(char *input)
{
int y;
int x;
if (sscanf(input,"%d %d",&x,&y)! =2)
bomb();
if (x<0 || x>0xe)
bomb();
int result=func4(x,0.0xe,&y);
if(y! =0|| result! =0)
bomb();
return;
}
Copy the code
Now all that remains is to enter the func4 function for analysis:
0000000000400fce <func4>:
// func4(a=x,b=0,c=0xe)
// a,b,c are stored in rdi, Rsi, RDX respectively
400fce: 48 83 ec 08 sub $0x8,%rsp #rsp-=8
400fd2: 89 d0 mov %edx,%eax #rax=0xe
400fd4: 29 f0 sub %esi,%eax #rax-=b
400fd6: 89 c1 mov %eax,%ecx ###rcx=rax
400fd8: c1 e9 1f shr $0x1f,%ecx
400fdb: 01 c8 add %ecx,%eax #rax+=rax>>0x1f
400fdd: d1 f8 sar %eax #rax= rax/2
400fdf: 8d 0c 30 lea (%rax,%rsi,1),%ecx #rcx=rax+rsi
400fe2: 39 f9 cmp %edi,%ecx
400fe4: 7e 0c jle 400ff2 <func4+0x24> #if(rcx<=rdi)->{400ff2}
400fe6: 8d 51 ff lea -0x1(%rcx),%edx #rax=rcx-1
400fe9: e8 e0 ff ff ff callq 400fce <func4> #callq <func4>
400fee: 01 c0 add %eax,%eax
400ff0: eb 15 jmp 401007 <func4+0x39>
400ff2: b8 00 00 00 00 mov $0x0,%eax #rax=0
400ff7: 39 f9 cmp %edi,%ecx
400ff9: 7d 0c jge 401007 <func4+0x39> #if(rcx>=rdi)->{401007}
400ffb: 8d 71 01 lea 0x1(%rcx),%esi #else rsi=rcx+1
400ffe: e8 cb ff ff ff callq 400fce <func4> #callq <func4>
401003: 8d 44 00 01 lea 0x1(%rax,%rax,1),%eax #rax=2*rax+1
401007: 48 83 c4 08 add $0x8,%rsp #rsp+=8
40100b: c3 retq #return rax
Copy the code
Analyze its logic and convert the logic of func4 assembly code into C code:
int func4(a,b,c)
{
int mid=c-b;
mid=(mid>>31+mid)/2+b;
if (mid<a)
return 2*func4(a+mid+1,c)+1;
else if (mid>a)
return 2*func4(a,b,mid- 1);
else
return 0;
}
Func4 (x,0,14)
Func4 is first passed into func4 with mid value 7, so if x=7, return 0 directly
// Other answers are hard to see, can be programmed to test, do not repeat here
Copy the code
Thus, one of the solutions is “7 0”.==