汇编指令
跳转指令:
跳转指令分三类:
一、无条件跳转: JMP;
二、根据 CX、ECX 寄存器的值跳转: JCXZ(CX 为 0 则跳转)、JECXZ(ECX 为 0 则跳转);
三、根据 EFLAGS 寄存器的标志位跳转。 根据标志位跳转的指令:
JE: 等于则跳转
JNE: 不等于则跳转
JZ: 为 0 则跳转
JNZ: 不为 0 则跳转
JS: 为负则跳转
JNS: 不为负则跳转
JC: 进位则跳转
JNC: 不进位则跳转
JO: 溢出则跳转
JNO: 不溢出则跳转
JA: 无符号大于则跳转
JNA: 无符号不大于则跳转
JAE: 无符号大于等于则跳转
JNAE: 无符号不大于等于则跳转
JG: 有符号大于则跳转
JNG: 有符号不大于则跳转
JGE: 有符号大于等于则跳转
JNGE: 有符号不大于等于则跳转
JB: 无符号小于则跳转
JNB: 无符号不小于则跳转
JBE: 无符号小于等于则跳转
JNBE: 无符号不小于等于则跳转
JL: 有符号小于则跳转
JNL: 有符号不小于则跳转
JLE: 有符号小于等于则跳转
JNLE: 有符号不小于等于则跳转
JP: 奇偶位置位则跳转
JNP: 奇偶位清除则跳转
JPE: 奇偶位相等则跳转
JPO: 奇偶位不等则跳转
跳转相关的标志位:
| 11 | 10 | 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| OF | DF | IF | TF | SF | ZF | AF | PF | CF | |||
| 溢出 | 符号 | 零 | 未用 | 辅助 | 未用 | 奇偶 | 未用 | 进位 |
题目分析:
08048c0a <phase_3>:
8048c0a: 83 ec 3c sub $0x3c,%esp
8048c0d: 8d 44 24 2c lea 0x2c(%esp),%eax
8048c11: 89 44 24 10 mov %eax,0x10(%esp)
8048c15: 8d 44 24 27 lea 0x27(%esp),%eax
8048c19: 89 44 24 0c mov %eax,0xc(%esp)
8048c1d: 8d 44 24 28 lea 0x28(%esp),%eax
8048c21: 89 44 24 08 mov %eax,0x8(%esp)
8048c25: c7 44 24 04 5a a2 04 movl $0x804a25a,0x4(%esp)
8048c2c: 08
8048c2d: 8b 44 24 40 mov 0x40(%esp),%eax
8048c31: 89 04 24 mov %eax,(%esp)
8048c34: e8 27 fc ff ff call 8048860 <__isoc99_sscanf@plt> //调用输入函数
8048c39: 83 f8 02 cmp $0x2,%eax
8048c3c: 7f 05 jg 8048c43 <phase_3+0x39> 至少输入三个数
8048c3e: e8 a2 05 00 00 call 80491e5 <explode_bomb>
8048c43: 83 7c 24 28 07 cmpl $0x7,0x28(%esp) //第一个数不能大于7
8048c48: 0f 87 fc 00 00 00 ja 8048d4a <phase_3+0x140> //无符号大于跳转 炸弹
8048c4e: 8b 44 24 28 mov 0x28(%esp),%eax
8048c52: ff 24 85 80 a2 04 08 jmp *0x804a280(,%eax,4) //该处为switch结构开始
8048c59: b8 79 00 00 00 mov $0x79,%eax
8048c5e: 81 7c 24 2c e5 00 00 cmpl $0xe5,0x2c(%esp) //e5 switch判断 229
8048c65: 00
8048c66: 0f 84 e8 00 00 00 je 8048d54 <phase_3+0x14a>
8048c6c: e8 74 05 00 00 call 80491e5 <explode_bomb>
8048c71: b8 79 00 00 00 mov $0x79,%eax
8048c76: e9 d9 00 00 00 jmp 8048d54 <phase_3+0x14a>
8048c7b: b8 76 00 00 00 mov $0x76,%eax
8048c80: 81 7c 24 2c 7f 03 00 cmpl $0x37f,0x2c(%esp)
8048c87: 00
8048c88: 0f 84 c6 00 00 00 je 8048d54 <phase_3+0x14a>
8048c8e: e8 52 05 00 00 call 80491e5 <explode_bomb>
8048c93: b8 76 00 00 00 mov $0x76,%eax
8048c98: e9 b7 00 00 00 jmp 8048d54 <phase_3+0x14a>
8048c9d: b8 78 00 00 00 mov $0x78,%eax
8048ca2: 81 7c 24 2c e4 03 00 cmpl $0x3e4,0x2c(%esp)
8048ca9: 00
8048caa: 0f 84 a4 00 00 00 je 8048d54 <phase_3+0x14a>
8048cb0: e8 30 05 00 00 call 80491e5 <explode_bomb>
8048cb5: b8 78 00 00 00 mov $0x78,%eax
8048cba: e9 95 00 00 00 jmp 8048d54 <phase_3+0x14a>
8048cbf: b8 76 00 00 00 mov $0x76,%eax
8048cc4: 81 7c 24 2c 73 03 00 cmpl $0x373,0x2c(%esp)
8048ccb: 00
8048ccc: 0f 84 82 00 00 00 je 8048d54 <phase_3+0x14a>
8048cd2: e8 0e 05 00 00 call 80491e5 <explode_bomb>
8048cd7: b8 76 00 00 00 mov $0x76,%eax
8048cdc: eb 76 jmp 8048d54 <phase_3+0x14a>
8048cde: b8 77 00 00 00 mov $0x77,%eax
8048ce3: 81 7c 24 2c 1d 01 00 cmpl $0x11d,0x2c(%esp)
8048cea: 00
8048ceb: 74 67 je 8048d54 <phase_3+0x14a>
8048ced: e8 f3 04 00 00 call 80491e5 <explode_bomb>
8048cf2: b8 77 00 00 00 mov $0x77,%eax
8048cf7: eb 5b jmp 8048d54 <phase_3+0x14a>
8048cf9: b8 72 00 00 00 mov $0x72,%eax
8048cfe: 81 7c 24 2c c6 00 00 cmpl $0xc6,0x2c(%esp)
8048d05: 00
8048d06: 74 4c je 8048d54 <phase_3+0x14a>
8048d08: e8 d8 04 00 00 call 80491e5 <explode_bomb>
8048d0d: b8 72 00 00 00 mov $0x72,%eax
8048d12: eb 40 jmp 8048d54 <phase_3+0x14a>
8048d14: b8 6f 00 00 00 mov $0x6f,%eax
8048d19: 81 7c 24 2c 9e 02 00 cmpl $0x29e,0x2c(%esp)
8048d20: 00
8048d21: 74 31 je 8048d54 <phase_3+0x14a>
8048d23: e8 bd 04 00 00 call 80491e5 <explode_bomb>
8048d28: b8 6f 00 00 00 mov $0x6f,%eax
8048d2d: eb 25 jmp 8048d54 <phase_3+0x14a>
8048d2f: b8 6b 00 00 00 mov $0x6b,%eax
8048d34: 81 7c 24 2c e3 01 00 cmpl $0x1e3,0x2c(%esp)
8048d3b: 00
8048d3c: 74 16 je 8048d54 <phase_3+0x14a>
8048d3e: e8 a2 04 00 00 call 80491e5 <explode_bomb>
8048d43: b8 6b 00 00 00 mov $0x6b,%eax
8048d48: eb 0a jmp 8048d54 <phase_3+0x14a>
8048d4a: e8 96 04 00 00 call 80491e5 <explode_bomb>
8048d4f: b8 67 00 00 00 mov $0x67,%eax
8048d54: 3a 44 24 27 cmp 0x27(%esp),%al
8048d58: 74 05 je 8048d5f <phase_3+0x155>
8048d5a: e8 86 04 00 00 call 80491e5 <explode_bomb>
8048d5f: 83 c4 3c add $0x3c,%esp
8048d62: c3 ret
1.调用gdb调试器查看0x804a25a地址中放的是%d %c %d,可知输入的是数字、字符、数字。
8048c25: c7 44 24 04 5a a2 04 movl $0x804a25a,0x4(%esp)
2.此处判断至少输入三个字符。
38048c39: 83 f8 02 cmp $0x2,%eax
8048c3c: 7f 05 jg 8048c43 <phase_3+0x39>
3.如果第一个输入大于7,就跳转8048d4a,但8048d4a放的是一个引爆炸弹函数,所以第一个输入不能大于7,0到7之间。
` 8048c43: 83 7c 24 28 07 cmpl $0x7,0x28(%esp) `
8048c48: 0f 87 fc 00 00 00 ja 8048d4a <phase_3+0x140>
4.0x804a280(,%eax,4),此处为一个switch结构,该地址存放的是8个跳转地址。
` 8048c52: ff 24 85 80 a2 04 08 ijmp *0x804a280(,%eax,4) `
5.根据switch结构,这里拿第一个输入0举例,即第一个条件语句。
8048c59: b8 79 00 00 00 mov $0x79,%eax 可知第二个数为0x79,但第二个数为字符型,所以0x79,转换为十进制为121,ASCII码转换为字符y。
8048c5e: 81 7c 24 2c e5 00 00 cmpl $0xe5,0x2c(%esp)
8048c65: 00
8048c66: 0f 84 e8 00 00 00 je 8048d54 <phase_3+0x14a> 进行判断第三个数为0xe5,转换为十进制为229。跳出switch语句。
` 8048c6c: e8 74 05 00 00 call 80491e5
总结: 所以根据分析输入应该是0,y,229。 同理根据switch结构,还可以有其他的答案。
结果验证:
-
查看
0x804a25a存放的东西
-
查看
0x804a280各个跳转地址
-
输入结果
