Bomb Lab: Phase 4

Assembly

00000000004015a9 <phase_4>:
b0:
  4015a9:	48 83 ec 18          	sub    $0x18,%rsp
  4015ad:	48 8d 4c 24 08       	lea    0x8(%rsp),%rcx
  4015b2:	48 8d 54 24 0c       	lea    0xc(%rsp),%rdx
  4015b7:	48 8d 35 77 1e 00 00 	lea    0x1e77(%rip),%rsi        # 403435 <array.3354+0x255>
  4015be:	b8 00 00 00 00       	mov    $0x0,%eax
  4015c3:	e8 68 fb ff ff       	callq  401130 <__isoc99_sscanf@plt>
  4015c8:	83 f8 02             	cmp    $0x2,%eax
  4015cb:	75 0c                	jne    4015d9 <phase_4+0x30>
  4015cd:	8b 44 24 08          	mov    0x8(%rsp),%eax
  4015d1:	83 e8 02             	sub    $0x2,%eax
  4015d4:	83 f8 02             	cmp    $0x2,%eax
  4015d7:	76 05                	jbe    4015de <phase_4+0x35>
b1:
  4015d9:	e8 7e 05 00 00       	callq  401b5c <explode_bomb>
b2:
  4015de:	8b 74 24 08          	mov    0x8(%rsp),%esi
  4015e2:	bf 09 00 00 00       	mov    $0x9,%edi
  4015e7:	e8 85 ff ff ff       	callq  401571 <func4>
  4015ec:	3b 44 24 0c          	cmp    0xc(%rsp),%eax
  4015f0:	74 05                	je     4015f7 <phase_4+0x4e>
  4015f2:	e8 65 05 00 00       	callq  401b5c <explode_bomb>
b3:
  4015f7:	48 83 c4 18          	add    $0x18,%rsp
  4015fb:	c3                   	retq

Hack

(gdb) x/s 0x403435
0x403435:       "%d %d"

翻译为 C

void phase_4(char* rdi) {
b0:
  int rsp[6];
  rcx = rsp + 2;
  rdx = rsp + 3;
  rsi = "%d %d";
  rax = 0;  // 32-bit
  rax = __isoc99_sscanf(rdi, rsi, rdx, rcx);
  if (rax != 2)  // 32-bit
    goto b1;
  rax = rsp[2];  // 32-bit
  rax -= 2;
  if (rax <= 2)  // 32-bit
    goto b2;
b1:
  explode_bomb();
b2:
  rsi = rsp[2];  // 32-bit
  rdi = 9;       // 32-bit
  rax = fun4();
  if (rax == rsp[3])  // 32-bit
    goto b3;
  explode_bomb();
b3:
  return;
}

Optimize

void phase_4(char* rdi) {
b0:
  int rsp[6];
  int rax = 0;
  rax = __isoc99_sscanf(rdi, "%d %d", rsp + 3, rsp + 2);
  if (rax != 2) goto b1;
  if (rsp[2] - 2 <= 2) // unsigned
    goto b2;
b1:
  explode_bomb();
b2:
  rax = func4(9, rsp[2]);
  if (rax == rsp[3]) goto b3;
  explode_bomb();
b3:
  return;
}

Hack

输入 x, y, 只需满足 func4(9, y) == x 即可. 注意到运行过程中存在无符号比较, 稳妥的做法是令 0 <= y - 2 <= 2, 不妨取 y = 2.

(gdb) disassemble
Dump of assembler code for function phase_4:
   0x00000000004015a9 <+0>:     sub    $0x18,%rsp
   0x00000000004015ad <+4>:     lea    0x8(%rsp),%rcx
   0x00000000004015b2 <+9>:     lea    0xc(%rsp),%rdx
   0x00000000004015b7 <+14>:    lea    0x1e77(%rip),%rsi        # 0x403435
   0x00000000004015be <+21>:    mov    $0x0,%eax
   0x00000000004015c3 <+26>:    callq  0x401130 <__isoc99_sscanf@plt>
   0x00000000004015c8 <+31>:    cmp    $0x2,%eax
   0x00000000004015cb <+34>:    jne    0x4015d9 <phase_4+48>
   0x00000000004015cd <+36>:    mov    0x8(%rsp),%eax
   0x00000000004015d1 <+40>:    sub    $0x2,%eax
   0x00000000004015d4 <+43>:    cmp    $0x2,%eax
   0x00000000004015d7 <+46>:    jbe    0x4015de <phase_4+53>
   0x00000000004015d9 <+48>:    callq  0x401b5c <explode_bomb>
   0x00000000004015de <+53>:    mov    0x8(%rsp),%esi
   0x00000000004015e2 <+57>:    mov    $0x9,%edi
   0x00000000004015e7 <+62>:    callq  0x401571 <func4>
=> 0x00000000004015ec <+67>:    cmp    0xc(%rsp),%eax
   0x00000000004015f0 <+71>:    je     0x4015f7 <phase_4+78>
   0x00000000004015f2 <+73>:    callq  0x401b5c <explode_bomb>
   0x00000000004015f7 <+78>:    add    $0x18,%rsp
   0x00000000004015fb <+82>:    retq
End of assembler dump.
(gdb) info registers eax
eax            0xb0     176

Solution

176 2