Bomb Lab phase 5: 6 char string substitution lookup table, strings_not_equal [duplicate]

Submitted by 三世轮回 on 2020-12-26 04:39:13

Question


Can somebody please explain to me what exactly these functions do? I have a breakpoint set at <+35> as indicated by the arrow, and this is where I get lost. So far, all I've figured out is that this phase takes a string with a length of 6. But I don't exactly know what is going on in the movsbl and movzbl functions. I'm not expecting an answer, but some insight would be greatly appreciated.

Please don't bash me if this question was answered before, or redirect me to another similar question. I've looked at all of those and I still don't understand what's going on here.

Dump of assembler code for function phase_5:
           0x08048edc <+0>:     push   %ebp
           0x08048edd <+1>:     mov    %esp,%ebp
           0x08048edf <+3>:     push   %edi
           0x08048ee0 <+4>:     push   %esi
           0x08048ee1 <+5>:     push   %ebx
           0x08048ee2 <+6>:     sub    $0x2c,%esp
           0x08048ee5 <+9>:     mov    0x8(%ebp),%eax
           0x08048ee8 <+12>:    mov    %eax,(%esp)
           0x08048eeb <+15>:    call   0x80490a0 <string_length>
           0x08048ef0 <+20>:    cmp    $0x6,%eax
           0x08048ef3 <+23>:    je     0x8048efa <phase_5+30>
           0x08048ef5 <+25>:    call   0x8049341 <explode_bomb>
           0x08048efa <+30>:    mov    $0x0,%eax
        => 0x08048eff <+35>:    lea    -0x1f(%ebp),%ecx
           0x08048f02 <+38>:    mov    $0x804a4e0,%edx
           0x08048f07 <+43>:    mov    0x8(%ebp),%ebx
           0x08048f0a <+46>:    movsbl (%ebx,%eax,1),%esi
           0x08048f0e <+50>:    and    $0xf,%esi
           0x08048f11 <+53>:    movzbl (%edx,%esi,1),%esi
           0x08048f15 <+57>:    mov    %esi,%ebx
           0x08048f17 <+59>:    mov    %bl,(%ecx,%eax,1)
           0x08048f1a <+62>:    add    $0x1,%eax
           0x08048f1d <+65>:    cmp    $0x6,%eax
           0x08048f20 <+68>:    jne    0x8048f07 <phase_5+43>
           0x08048f22 <+70>:    movb   $0x0,-0x19(%ebp)
           0x08048f26 <+74>:    movl   $0x804a4b7,0x4(%esp)
           0x08048f2e <+82>:    lea    -0x1f(%ebp),%eax
           0x08048f31 <+85>:    mov    %eax,(%esp)
           0x08048f34 <+88>:    call   0x80490bb <strings_not_equal>
           0x08048f39 <+93>:    test   %eax,%eax
           0x08048f3b <+95>:    je     0x8048f42 <phase_5+102>
           0x08048f3d <+97>:    call   0x8049341 <explode_bomb>
           0x08048f42 <+102>:   add    $0x2c,%esp
           0x08048f45 <+105>:   pop    %ebx
           0x08048f46 <+106>:   pop    %esi
           0x08048f47 <+107>:   pop    %edi
           0x08048f48 <+108>:   pop    %ebp
           0x08048f49 <+109>:   ret    
        End of assembler dump.

Answer 1:


This is a decompilation of the function.

/**
 *         + 8: arg0
 *         + 4: Return Address
 * EBP       0: Old EBP
 *         - 4: Saved EDI
 *         - 8: Saved ESI
 *         -12: Saved EBX
 *
 *         -25: NUL character
 *         -31: Beginning of 6-char string
 *
 * ESP+4 = -52: argument 1 for callees
 * ESP+0 = -56: argument 0 for callees
 */

typedef unsigned char u8;
typedef signed char   i8;

/* Bomb-internal functions seen in the dump; prototypes assumed from how
   their results are used (EAX compared with 6, EAX tested for zero). */
int  string_length(const i8 *s);
int  strings_not_equal(const u8 *a, const u8 *b);
void explode_bomb(void);

u8 GBL0[16] = {0}; /* ADDRESS 0x804a4e0: 16-entry lookup table, contents not shown */
u8 GBL1[7]  = {0}; /* ADDRESS 0x804a4b7: 6-char target string followed by '\0', contents not shown */

int phase_5(i8* arg0){
    i8   PAD0[12];/* ADDRESS EBP-0x18 */
    u8   LOC0[7]; /* ADDRESS EBP-0x1f */
    i8   PAD1[25];/* ADDRESS EBP-0x38 = ESP+0 */
                  /* The range [EBP-56, EBP-48) corresponds to
                     the range [ESP+0,  ESP+8)  and is used to
                     place arguments for function calls. */
    register int eax;/* In EAX */

    if(string_length(arg0) != 6){
        explode_bomb();
    }

    /* <+43>..<+68>: movsbl loads one input byte sign-extended, `and $0xf`
       keeps only its low nibble, movzbl fetches the table byte at that
       index, and `mov %bl,(%ecx,%eax,1)` stores it into LOC0[eax]. */
    for(eax=0;eax<6;eax++){
        LOC0[eax] = GBL0[arg0[eax] & 0xF];
    }

    LOC0[6] = '\0';/* ADDRESS EBP-0x19 */

    if((eax = strings_not_equal(LOC0, GBL1)) != 0){
        explode_bomb();
    }

    return eax;/* Maybe? */
}

Essentially, it does not explode the bomb if and only if the argument is a 6-character "string" that is successfully substitution-deciphered into a 6-character string equal to some password.
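A small C model of the loop and check described in this answer, added here as an example (it is not the bomb's code or the answerer's). The 16-byte table and the 6-character target are constructed stand-ins, since the real bytes at 0x804a4e0 and 0x804a4b7 are not shown in the question; it also goes one step further than the answer by inverting the substitution, which makes visible why only the low nibble of each input byte matters:

```c
#include <string.h>
#include <stdint.h>

/* Constructed 16-byte table standing in for the bytes at 0x804a4e0; the
   real bomb's table is not shown in the question. */
static const uint8_t TABLE[16] = {
    'q','w','e','r','t','y','u','i','o','p','a','s','d','f','g','h'
};

/* The loop at <+43>..<+68>: each input byte is sign-extended (movsbl),
   reduced to its low nibble (and $0xf) and replaced by TABLE[nibble]
   (movzbl); movb then stores the terminating NUL at EBP-0x19. */
static void phase5_transform(const char *in, char out[7])
{
    for (int i = 0; i < 6; i++)
        out[i] = (char)TABLE[(signed char)in[i] & 0xF];
    out[6] = '\0';
}

/* 1 if phase_5 would call explode_bomb on this input, 0 if it passes. */
int phase5_explodes(const char *in, const char *target)
{
    char buf[7];
    if (strlen(in) != 6) return 1;       /* string_length(arg0) != 6 */
    phase5_transform(in, buf);
    return strcmp(buf, target) != 0;     /* strings_not_equal(...) */
}

/* Inverts the substitution: for each target byte find its TABLE index n
   and emit one letter whose low nibble is n ('p' = 0x70 gives 0,
   'a'..'o' give 1..15). Any other byte with the same low nibble, e.g. the
   uppercase letter, passes too, because only bits 0..3 survive the mask.
   Returns NULL if some target byte does not occur in TABLE. */
const char *phase5_invert(const char *target)
{
    static char out[7];
    for (int i = 0; i < 6; i++) {
        const uint8_t *p = memchr(TABLE, (unsigned char)target[i], 16);
        if (!p) return NULL;
        int n = (int)(p - TABLE);
        out[i] = (n == 0) ? 'p' : (char)('a' + n - 1);
    }
    out[6] = '\0';
    return out;
}
```

With the constructed table, `phase5_invert("spider")` yields "kiglbc", and "KIGLBC" is accepted by `phase5_explodes` as well since each uppercase letter shares its low nibble with the lowercase one.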




Answer 2:


movzbw: byte (8-bit) to word (16-bit)

movzwl: word (16-bit) to long (32-bit)

movzbl: byte (8-bit) to long (32-bit)



Source: https://stackoverflow.com/questions/22032475/bomb-lab-phase-5-6-char-string-substitution-lookup-table-strings-not-equal
