As part of a large project I am studying, I need to decipher a lot of assembly. To do that, I need to find the answers to the different "phases" of a "bomb" by debugging the code. The goal is to not set off the bomb.
Dump of assembler code for function phase_2:
   0x000000000000160b <+0>:     endbr64
   0x000000000000160f <+4>:     push   %rbp
   0x0000000000001610 <+5>:     push   %rbx
   0x0000000000001611 <+6>:     sub    $0x28,%rsp
   0x0000000000001615 <+10>:    mov    %fs:0x28,%rax
   0x000000000000161e <+19>:    mov    %rax,0x18(%rsp)
   0x0000000000001623 <+24>:    xor    %eax,%eax
   0x0000000000001625 <+26>:    mov    %rsp,%rsi
   0x0000000000001628 <+29>:    callq  0x1eea <read_six_numbers>
   0x000000000000162d <+34>:    cmpl   $0x1,(%rsp)
   0x0000000000001631 <+38>:    jne    0x163d <phase_2+50>
   //more code in here that isn't relevant I don't think
   0x000000000000163d <+50>:    callq  0x1ea8 <explode_bomb>
   //more code after this that isn't relevant to my question
After looking at this, I decided I needed to look at what is inside read_six_numbers, shown below:
Dump of assembler code for function read_six_numbers:
   0x0000000000001eea <+0>:     endbr64
   0x0000000000001eee <+4>:     sub    $0x8,%rsp
   0x0000000000001ef2 <+8>:     mov    %rsi,%rdx
   0x0000000000001ef5 <+11>:    lea    0x4(%rsi),%rcx
   0x0000000000001ef9 <+15>:    lea    0x14(%rsi),%rax
   0x0000000000001efd <+19>:    push   %rax
   0x0000000000001efe <+20>:    lea    0x10(%rsi),%rax
   0x0000000000001f02 <+24>:    push   %rax
   0x0000000000001f03 <+25>:    lea    0xc(%rsi),%r9
   0x0000000000001f07 <+29>:    lea    0x8(%rsi),%r8
   0x0000000000001f0b <+33>:    lea    0x14f7(%rip),%rsi        # 0x3409
   0x0000000000001f12 <+40>:    mov    $0x0,%eax
   0x0000000000001f17 <+45>:    callq  0x12f0 <__isoc99_sscanf@plt>
   0x0000000000001f1c <+50>:    add    $0x10,%rsp
   0x0000000000001f20 <+54>:    cmp    $0x5,%eax
   0x0000000000001f23 <+57>:    jle    0x1f2a <read_six_numbers+64>
   0x0000000000001f25 <+59>:    add    $0x8,%rsp
   0x0000000000001f29 <+63>:    retq
   0x0000000000001f2a <+64>:    callq  0x1ea8 <explode_bomb>
End of assembler dump.
That led me to wonder what is stored at 0x3409, shown below.
0x00003400 6c6f776e 2075702e 00256420 25642025  lown up..%d %d %
0x00003410 64202564 20256420 25640045 72726f72  d %d %d %d.Error
The answers to all the different phases should be strings. So I think my answer should be the six numbers stored in the different %d. However, when I type print 0x3409 in gdb, I get 13321, which is the decimal value of 0x3409, not the value actually stored in memory. So what should I type to get the actual value of the %d?
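For readers following the disassembly above, here is an added C reconstruction of what the dumped read_six_numbers and the first check in phase_2 do; it is not the bomb's own source, and the names nums, count_numbers and phase_2_first_check are assumptions. In the dump, %rdx = &nums[0] and the lea offsets 0x4, 0x8, 0xc, 0x10, 0x14 are &nums[1]..&nums[5]; the memory dump shows the format string at 0x3409 is "%d %d %d %d %d %d", and cmp $0x5,%eax / jle means fewer than six parsed numbers explodes the bomb.

```c
/* Added reconstruction of the bomb's read_six_numbers, derived from the
 * disassembly and the memory dump in the question. Not the bomb's own code. */
#include <stdio.h>

/* The real explode_bomb terminates the process; here it only records a
 * flag so the reconstruction can be exercised safely on sample input. */
static int bomb_exploded = 0;

static void explode_bomb(void)
{
    bomb_exploded = 1;
}

/* %rdi = the phase's input line, %rsi = the caller's int buffer on its stack.
 * sscanf is called with &nums[0]..&nums[5] as the six output arguments
 * (the last two are pushed on the stack, the rest go in rdx, rcx, r8, r9). */
int read_six_numbers(const char *input, int *nums)
{
    int n = sscanf(input, "%d %d %d %d %d %d",
                   &nums[0], &nums[1], &nums[2],
                   &nums[3], &nums[4], &nums[5]);
    /* cmp $0x5,%eax ; jle explode_bomb : require at least six numbers parsed */
    if (n <= 5)
        explode_bomb();
    return n;
}

/* Helper (assumed name): how many numbers sscanf parsed from input. */
int count_numbers(const char *input)
{
    int nums[6] = {0};
    bomb_exploded = 0;
    return read_six_numbers(input, nums);
}

/* phase_2's first check after the call: cmpl $0x1,(%rsp) ; jne explode_bomb,
 * i.e. nums[0] must be 1. Returns 1 if that check passes, 0 if the bomb
 * would have exploded (too few numbers, or nums[0] != 1). */
int phase_2_first_check(const char *input)
{
    int nums[6] = {0};
    bomb_exploded = 0;
    read_six_numbers(input, nums);
    if (bomb_exploded || nums[0] != 1) {
        explode_bomb();
        return 0;
    }
    return 1;
}
```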