bomb lab 主要考察对汇编指令的阅读和理解。由于不同人拿到的 lab 炸弹可能不一样，这里只讲我拿到的炸弹。首先拿到 lab 解压之后，用 `objdump -d bomb > temp.txt` 反汇编，看到 main 底下有六个 phase 函数。这个 lab 要求对每个函数输入特定的数或字符串，使得程序绕过 explode_bomb 函数最终正常结束。注意下面的反汇编只有 .text 段：各 phase 依赖的目标字符串（0x402400、0x40245e）、sscanf 格式串（0x4025cf）、phase_3 的跳转表（0x402470）、phase_5 的查表（0x4024b0）以及 phase_6 的链表节点（0x6032d0）都在 .rodata/.data 里，需要另外用 gdb（x/s、x/8gx、x/24wx）或 `objdump -s` 查看，否则无法从代码单独推出答案。

0000000000400ee0 <phase_1>:
# phase_1(const char *input): rdi = the input line.
# Passes iff input equals the string stored at 0x402400 (the string itself is in
# .rodata and is not part of this listing -- read it with x/s 0x402400).
# No locals: the 8-byte sub only brings rsp back to 16-byte alignment for the call.
  400ee0:  48 83 ec 08             sub    $0x8,%rsp
  400ee4:  be 00 24 40 00          mov    $0x402400,%esi               # rsi = expected string
  400ee9:  e8 4a 04 00 00          callq  401338 <strings_not_equal>   # strings_not_equal(input, expected)
  400eee:  85 c0                   test   %eax,%eax
  400ef0:  74 05                   je     400ef7 <phase_1+0x17>        # 0 => strings equal, defused
  400ef2:  e8 43 05 00 00          callq  40143a <explode_bomb>
  400ef7:  48 83 c4 08             add    $0x8,%rsp
  400efb:  c3                      retq
0000000000400efc <phase_2>:
# phase_2(const char *input): read_six_numbers (body not shown) fills six ints
# a[0..5] at (%rsp). Passes iff a[0] == 1 and a[i] == 2 * a[i-1] for i = 1..5,
# i.e. the sequence 1 2 4 8 16 32 -- this one is fully determined by the code.
# Frame: 2 pushes + 0x28 keeps rsp 16-aligned at the call; a[] occupies 0x0..0x17.
  400efc:  55                      push   %rbp
  400efd:  53                      push   %rbx                         # rbx/rbp are callee-saved
  400efe:  48 83 ec 28             sub    $0x28,%rsp
  400f02:  48 89 e6                mov    %rsp,%rsi                    # rsi = &a[0]
  400f05:  e8 52 05 00 00          callq  40145c <read_six_numbers>    # read_six_numbers(input, a)
  400f0a:  83 3c 24 01             cmpl   $0x1,(%rsp)                  # a[0] == 1 ?
  400f0e:  74 20                   je     400f30 <phase_2+0x34>
  400f10:  e8 25 05 00 00          callq  40143a <explode_bomb>
  400f15:  eb 19                   jmp    400f30 <phase_2+0x34>
  # loop body, rbx walks &a[1]..&a[5]: a[i] must equal 2*a[i-1]
  400f17:  8b 43 fc                mov    -0x4(%rbx),%eax              # eax = a[i-1]
  400f1a:  01 c0                   add    %eax,%eax                    # eax = 2*a[i-1]
  400f1c:  39 03                   cmp    %eax,(%rbx)                  # a[i] == 2*a[i-1] ?
  400f1e:  74 05                   je     400f25 <phase_2+0x29>
  400f20:  e8 15 05 00 00          callq  40143a <explode_bomb>
  400f25:  48 83 c3 04             add    $0x4,%rbx                    # next element
  400f29:  48 39 eb                cmp    %rbp,%rbx
  400f2c:  75 e9                   jne    400f17 <phase_2+0x1b>        # until rbx == &a[6]
  400f2e:  eb 0c                   jmp    400f3c <phase_2+0x40>
  400f30:  48 8d 5c 24 04          lea    0x4(%rsp),%rbx               # rbx = &a[1]
  400f35:  48 8d 6c 24 18          lea    0x18(%rsp),%rbp              # rbp = &a[6] (one past the end)
  400f3a:  eb db                   jmp    400f17 <phase_2+0x1b>
  400f3c:  48 83 c4 28             add    $0x28,%rsp
  400f40:  5b                      pop    %rbx
  400f41:  5d                      pop    %rbp
  400f42:  c3                      retq
0000000000400f43 <phase_3>:
# phase_3(const char *input): sscanf(input, fmt, &a, &b) with a at 0x8(%rsp), b at 0xc(%rsp).
# fmt lives at 0x4025cf and is not shown; two int-sized out-pointers suggest "%d %d" -- confirm
# with x/s 0x4025cf. Passes iff: sscanf returned > 1 conversions, a <= 7 (unsigned compare, so a
# negative a is rejected too), and b equals the constant selected by the jump table at 0x402470.
# The table (index -> case address) is in .rodata and NOT in this listing, so which of the eight
# constants goes with which a cannot be read from the code below; dump it with x/8gx 0x402470.
  400f43:  48 83 ec 18             sub    $0x18,%rsp
  400f47:  48 8d 4c 24 0c          lea    0xc(%rsp),%rcx               # rcx = &b
  400f4c:  48 8d 54 24 08          lea    0x8(%rsp),%rdx               # rdx = &a
  400f51:  be cf 25 40 00          mov    $0x4025cf,%esi               # rsi = format string
  400f56:  b8 00 00 00 00          mov    $0x0,%eax                    # al = 0 vector args (variadic call)
  400f5b:  e8 90 fc ff ff          callq  400bf0 <__isoc99_sscanf@plt>
  400f60:  83 f8 01                cmp    $0x1,%eax
  400f63:  7f 05                   jg     400f6a <phase_3+0x27>        # need at least two conversions
  400f65:  e8 d0 04 00 00          callq  40143a <explode_bomb>
  400f6a:  83 7c 24 08 07          cmpl   $0x7,0x8(%rsp)               # bounds check before the indirect jump
  400f6f:  77 3c                   ja     400fad <phase_3+0x6a>        # a > 7 (unsigned) => explode
  400f71:  8b 44 24 08             mov    0x8(%rsp),%eax
  400f75:  ff 24 c5 70 24 40 00    jmpq   *0x402470(,%rax,8)           # switch (a): 8-entry table of code pointers
  # each case loads the value b must match, then joins at 400fbe
  400f7c:  b8 cf 00 00 00          mov    $0xcf,%eax
  400f81:  eb 3b                   jmp    400fbe <phase_3+0x7b>
  400f83:  b8 c3 02 00 00          mov    $0x2c3,%eax
  400f88:  eb 34                   jmp    400fbe <phase_3+0x7b>
  400f8a:  b8 00 01 00 00          mov    $0x100,%eax
  400f8f:  eb 2d                   jmp    400fbe <phase_3+0x7b>
  400f91:  b8 85 01 00 00          mov    $0x185,%eax
  400f96:  eb 26                   jmp    400fbe <phase_3+0x7b>
  400f98:  b8 ce 00 00 00          mov    $0xce,%eax
  400f9d:  eb 1f                   jmp    400fbe <phase_3+0x7b>
  400f9f:  b8 aa 02 00 00          mov    $0x2aa,%eax
  400fa4:  eb 18                   jmp    400fbe <phase_3+0x7b>
  400fa6:  b8 47 01 00 00          mov    $0x147,%eax
  400fab:  eb 11                   jmp    400fbe <phase_3+0x7b>
  400fad:  e8 88 04 00 00          callq  40143a <explode_bomb>        # out-of-range path (a > 7)
  400fb2:  b8 00 00 00 00          mov    $0x0,%eax
  400fb7:  eb 05                   jmp    400fbe <phase_3+0x7b>
  400fb9:  b8 37 01 00 00          mov    $0x137,%eax
  400fbe:  3b 44 24 0c             cmp    0xc(%rsp),%eax               # b == selected constant ?
  400fc2:  74 05                   je     400fc9 <phase_3+0x86>
  400fc4:  e8 71 04 00 00          callq  40143a <explode_bomb>
  400fc9:  48 83 c4 18             add    $0x18,%rsp
  400fcd:  c3                      retq
000000000040100c <phase_4>:
# phase_4(const char *input): same sscanf shape as phase_3 (fmt at 0x4025cf, a at 0x8(%rsp),
# b at 0xc(%rsp)). Passes iff: exactly 2 conversions, a <= 14 (unsigned), func4(a, 0, 14) == 0,
# and b == 0. func4 (0x400fce) is omitted from this listing, so the set of valid a values cannot
# be determined here -- disassemble it (or brute-force a in 0..14 under gdb).
  40100c:  48 83 ec 18             sub    $0x18,%rsp
  401010:  48 8d 4c 24 0c          lea    0xc(%rsp),%rcx               # rcx = &b
  401015:  48 8d 54 24 08          lea    0x8(%rsp),%rdx               # rdx = &a
  40101a:  be cf 25 40 00          mov    $0x4025cf,%esi               # rsi = format string
  40101f:  b8 00 00 00 00          mov    $0x0,%eax                    # al = 0 vector args (variadic call)
  401024:  e8 c7 fb ff ff          callq  400bf0 <__isoc99_sscanf@plt>
  401029:  83 f8 02                cmp    $0x2,%eax
  40102c:  75 07                   jne    401035 <phase_4+0x29>        # must parse exactly two values
  40102e:  83 7c 24 08 0e          cmpl   $0xe,0x8(%rsp)
  401033:  76 05                   jbe    40103a <phase_4+0x2e>        # a <= 14 (unsigned)
  401035:  e8 00 04 00 00          callq  40143a <explode_bomb>
  40103a:  ba 0e 00 00 00          mov    $0xe,%edx                    # arg3 = 14
  40103f:  be 00 00 00 00          mov    $0x0,%esi                    # arg2 = 0
  401044:  8b 7c 24 08             mov    0x8(%rsp),%edi               # arg1 = a
  401048:  e8 81 ff ff ff          callq  400fce <func4>               # func4(a, 0, 14) -- not shown
  40104d:  85 c0                   test   %eax,%eax
  40104f:  75 07                   jne    401058 <phase_4+0x4c>        # result must be 0
  401051:  83 7c 24 0c 00          cmpl   $0x0,0xc(%rsp)               # b == 0 ?
  401056:  74 05                   je     40105d <phase_4+0x51>
  401058:  e8 dd 03 00 00          callq  40143a <explode_bomb>
  40105d:  48 83 c4 18             add    $0x18,%rsp
  401061:  c3                      retq
0000000000401062 <phase_5>:
# phase_5(const char *input): input must be exactly 6 bytes long. For each byte c, only its low
# nibble (c & 0xf) is used as an index into a byte table at 0x4024b0 (>= 16 entries); the six
# looked-up bytes are written to out[] at 0x10(%rsp), NUL-terminated, and must equal the string
# at 0x40245e. Neither the table nor the target string is in this listing (x/16c 0x4024b0,
# x/s 0x40245e). Because only 4 bits of each input byte matter, many distinct inputs are valid.
# The frame is protected by a stack canary (%fs:0x28 saved at 0x18(%rsp), re-checked before ret).
  401062:  53                      push   %rbx
  401063:  48 83 ec 20             sub    $0x20,%rsp
  401067:  48 89 fb                mov    %rdi,%rbx                    # rbx = input (callee-saved, survives calls)
  40106a:  64 48 8b 04 25 28 00    mov    %fs:0x28,%rax                # load canary from TLS
  401071:  00 00
  401073:  48 89 44 24 18          mov    %rax,0x18(%rsp)              # canary sits just above out[]
  401078:  31 c0                   xor    %eax,%eax
  40107a:  e8 9c 02 00 00          callq  40131b <string_length>
  40107f:  83 f8 06                cmp    $0x6,%eax                    # strlen(input) == 6 ?
  401082:  74 4e                   je     4010d2 <phase_5+0x70>
  401084:  e8 b1 03 00 00          callq  40143a <explode_bomb>
  401089:  eb 47                   jmp    4010d2 <phase_5+0x70>
  # loop body: rax = i in 0..5
  40108b:  0f b6 0c 03             movzbl (%rbx,%rax,1),%ecx           # ecx = input[i]
  40108f:  88 0c 24                mov    %cl,(%rsp)                   # spill the byte
  401092:  48 8b 14 24             mov    (%rsp),%rdx                  # reload 8 bytes (upper 7 are junk, masked below)
  401096:  83 e2 0f                and    $0xf,%edx                    # index = input[i] & 0xf
  401099:  0f b6 92 b0 24 40 00    movzbl 0x4024b0(%rdx),%edx          # dl = table[index]
  4010a0:  88 54 04 10             mov    %dl,0x10(%rsp,%rax,1)        # out[i] = dl
  4010a4:  48 83 c0 01             add    $0x1,%rax
  4010a8:  48 83 f8 06             cmp    $0x6,%rax
  4010ac:  75 dd                   jne    40108b <phase_5+0x29>
  4010ae:  c6 44 24 16 00          movb   $0x0,0x16(%rsp)              # out[6] = '\0'
  4010b3:  be 5e 24 40 00          mov    $0x40245e,%esi               # rsi = expected string
  4010b8:  48 8d 7c 24 10          lea    0x10(%rsp),%rdi              # rdi = out
  4010bd:  e8 76 02 00 00          callq  401338 <strings_not_equal>   # strings_not_equal(out, expected)
  4010c2:  85 c0                   test   %eax,%eax
  4010c4:  74 13                   je     4010d9 <phase_5+0x77>
  4010c6:  e8 6f 03 00 00          callq  40143a <explode_bomb>
  4010cb:  0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
  4010d0:  eb 07                   jmp    4010d9 <phase_5+0x77>
  4010d2:  b8 00 00 00 00          mov    $0x0,%eax                    # i = 0, enter the loop
  4010d7:  eb b2                   jmp    40108b <phase_5+0x29>
  4010d9:  48 8b 44 24 18          mov    0x18(%rsp),%rax
  4010de:  64 48 33 04 25 28 00    xor    %fs:0x28,%rax                # canary still intact ?
  4010e5:  00 00
  4010e7:  74 05                   je     4010ee <phase_5+0x8c>
  4010e9:  e8 42 fa ff ff          callq  400b30 <__stack_chk_fail@plt>  # smashed stack => abort
  4010ee:  48 83 c4 20             add    $0x20,%rsp
  4010f2:  5b                      pop    %rbx
  4010f3:  c3                      retq
00000000004010f4 <phase_6>:
# phase_6(const char *input): read_six_numbers fills a[0..5] at (%rsp).
# Step 1: every a[i] must satisfy 1 <= a[i] <= 6 and all six must be distinct.
# Step 2: a[k] = 7 - a[k].
# Step 3: node[k] = the a[k]-th element (1-based) of the singly linked list whose head is at
#         0x6032d0; node layout as used here: int value at +0, next pointer at +8.
# Step 4: the list is relinked node[0] -> node[1] -> ... -> node[5] -> NULL.
# Step 5: walking that order, each node's value must be >= the next node's value (signed).
# The node values are in .data and not in this listing, so the input cannot be derived from the
# code alone: dump the nodes (x/24wx 0x6032d0, or follow the +8 pointers), sort them by value
# descending to get the node order, then apply a[k] = 7 - order[k].
# Frame: 0x50 bytes; a[] at 0x0..0x17, node pointers (8 bytes each) at 0x20..0x4f.
  4010f4:  41 56                   push   %r14
  4010f6:  41 55                   push   %r13
  4010f8:  41 54                   push   %r12
  4010fa:  55                      push   %rbp
  4010fb:  53                      push   %rbx                         # five callee-saved regs
  4010fc:  48 83 ec 50             sub    $0x50,%rsp
  401100:  49 89 e5                mov    %rsp,%r13                    # r13 = &a[i], outer cursor
  401103:  48 89 e6                mov    %rsp,%rsi
  401106:  e8 51 03 00 00          callq  40145c <read_six_numbers>    # read_six_numbers(input, a)
  40110b:  49 89 e6                mov    %rsp,%r14                    # r14 = &a[0]
  40110e:  41 bc 00 00 00 00       mov    $0x0,%r12d                   # r12d = i
  # outer loop: range-check a[i], then compare it against a[i+1..5]
  401114:  4c 89 ed                mov    %r13,%rbp                    # rbp = &a[i]
  401117:  41 8b 45 00             mov    0x0(%r13),%eax
  40111b:  83 e8 01                sub    $0x1,%eax
  40111e:  83 f8 05                cmp    $0x5,%eax
  401121:  76 05                   jbe    401128 <phase_6+0x34>        # unsigned (a[i]-1) <= 5  <=>  1 <= a[i] <= 6
  401123:  e8 12 03 00 00          callq  40143a <explode_bomb>
  401128:  41 83 c4 01             add    $0x1,%r12d                   # i++
  40112c:  41 83 fc 06             cmp    $0x6,%r12d
  401130:  74 21                   je     401153 <phase_6+0x5f>        # all six checked
  401132:  44 89 e3                mov    %r12d,%ebx                   # j = i+1
  401135:  48 63 c3                movslq %ebx,%rax
  401138:  8b 04 84                mov    (%rsp,%rax,4),%eax           # eax = a[j]
  40113b:  39 45 00                cmp    %eax,0x0(%rbp)               # a[i] != a[j] ?
  40113e:  75 05                   jne    401145 <phase_6+0x51>
  401140:  e8 f5 02 00 00          callq  40143a <explode_bomb>        # duplicate value
  401145:  83 c3 01                add    $0x1,%ebx
  401148:  83 fb 05                cmp    $0x5,%ebx
  40114b:  7e e8                   jle    401135 <phase_6+0x41>        # while j <= 5
  40114d:  49 83 c5 04             add    $0x4,%r13                    # advance to a[i+1]
  401151:  eb c1                   jmp    401114 <phase_6+0x20>
  # a[k] = 7 - a[k] for k = 0..5
  401153:  48 8d 74 24 18          lea    0x18(%rsp),%rsi              # rsi = &a[6]
  401158:  4c 89 f0                mov    %r14,%rax                    # rax = &a[0]
  40115b:  b9 07 00 00 00          mov    $0x7,%ecx
  401160:  89 ca                   mov    %ecx,%edx
  401162:  2b 10                   sub    (%rax),%edx                  # edx = 7 - a[k]
  401164:  89 10                   mov    %edx,(%rax)
  401166:  48 83 c0 04             add    $0x4,%rax
  40116a:  48 39 f0                cmp    %rsi,%rax
  40116d:  75 f1                   jne    401160 <phase_6+0x6c>
  # for each k: node[k] = a[k]-th list node (1-based); rsi = 4*k is the byte offset into a[]
  40116f:  be 00 00 00 00          mov    $0x0,%esi
  401174:  eb 21                   jmp    401197 <phase_6+0xa3>
  401176:  48 8b 52 08             mov    0x8(%rdx),%rdx               # rdx = rdx->next
  40117a:  83 c0 01                add    $0x1,%eax
  40117d:  39 c8                   cmp    %ecx,%eax
  40117f:  75 f5                   jne    401176 <phase_6+0x82>        # follow a[k]-1 links
  401181:  eb 05                   jmp    401188 <phase_6+0x94>
  401183:  ba d0 32 60 00          mov    $0x6032d0,%edx               # a[k] <= 1: the head node
  401188:  48 89 54 74 20          mov    %rdx,0x20(%rsp,%rsi,2)       # node[k] = rdx  (rsi*2 = 8*k)
  40118d:  48 83 c6 04             add    $0x4,%rsi
  401191:  48 83 fe 18             cmp    $0x18,%rsi
  401195:  74 14                   je     4011ab <phase_6+0xb7>
  401197:  8b 0c 34                mov    (%rsp,%rsi,1),%ecx           # ecx = a[k]
  40119a:  83 f9 01                cmp    $0x1,%ecx
  40119d:  7e e4                   jle    401183 <phase_6+0x8f>
  40119f:  b8 01 00 00 00          mov    $0x1,%eax                    # eax = hops taken so far
  4011a4:  ba d0 32 60 00          mov    $0x6032d0,%edx               # start from the head
  4011a9:  eb cb                   jmp    401176 <phase_6+0x82>
  # relink: node[m]->next = node[m+1] for m = 0..4, then node[5]->next = NULL
  4011ab:  48 8b 5c 24 20          mov    0x20(%rsp),%rbx              # rbx = node[0]
  4011b0:  48 8d 44 24 28          lea    0x28(%rsp),%rax              # rax = &node[1]
  4011b5:  48 8d 74 24 50          lea    0x50(%rsp),%rsi              # rsi = &node[6] (one past the end)
  4011ba:  48 89 d9                mov    %rbx,%rcx
  4011bd:  48 8b 10                mov    (%rax),%rdx                  # rdx = node[m]
  4011c0:  48 89 51 08             mov    %rdx,0x8(%rcx)               # rcx->next = rdx
  4011c4:  48 83 c0 08             add    $0x8,%rax
  4011c8:  48 39 f0                cmp    %rsi,%rax
  4011cb:  74 05                   je     4011d2 <phase_6+0xde>
  4011cd:  48 89 d1                mov    %rdx,%rcx
  4011d0:  eb eb                   jmp    4011bd <phase_6+0xc9>
  4011d2:  48 c7 42 08 00 00 00    movq   $0x0,0x8(%rdx)               # terminate the relinked list
  4011d9:  00
  # verify node[m]->value >= node[m+1]->value for m = 0..4 (signed compare)
  4011da:  bd 05 00 00 00          mov    $0x5,%ebp                    # five adjacent pairs
  4011df:  48 8b 43 08             mov    0x8(%rbx),%rax               # rax = rbx->next
  4011e3:  8b 00                   mov    (%rax),%eax                  # eax = next->value
  4011e5:  39 03                   cmp    %eax,(%rbx)
  4011e7:  7d 05                   jge    4011ee <phase_6+0xfa>        # rbx->value >= next->value
  4011e9:  e8 4c 02 00 00          callq  40143a <explode_bomb>
  4011ee:  48 8b 5b 08             mov    0x8(%rbx),%rbx               # rbx = rbx->next
  4011f2:  83 ed 01                sub    $0x1,%ebp
  4011f5:  75 e8                   jne    4011df <phase_6+0xeb>
  4011f7:  48 83 c4 50             add    $0x50,%rsp
  4011fb:  5b                      pop    %rbx
  4011fc:  5d                      pop    %rbp
  4011fd:  41 5c                   pop    %r12
  4011ff:  41 5d                   pop    %r13
  401201:  41 5e                   pop    %r14
  401203:  c3                      retq
