phase_5代码如下
# phase_5(char *input)          -- gdb disassembly, AT&T syntax, SysV AMD64
# In:    rdi = input string (read only)
# Frame: 0x20 bytes; byte temp at 0(%rsp), 7-byte output buffer at 0x10(%rsp),
#        stack-protector canary at 0x18(%rsp) (checked before retq)
# rbx (callee-saved) keeps the input pointer alive across string_length
0x0000000000401062 <+0>: push %rbx             # save callee-saved rbx, used below for the input pointer
0x0000000000401063 <+1>: sub $0x20,%rsp        # 32-byte frame (see layout above); rsp stays 16-aligned for the calls
0x0000000000401067 <+5>: mov %rdi,%rbx         # rbx = input; survives the string_length call
0x000000000040106a <+8>: mov %fs:0x28,%rax     # load the stack-protector canary from TLS
0x0000000000401073 <+17>: mov %rax,0x18(%rsp)  # store it just above the output buffer; compared again at <+124>
0x0000000000401078 <+22>: xor %eax,%eax        # eax = 0
0x000000000040107a <+24>: callq 0x40131b <string_length>   # eax = length of input
0x000000000040107f <+29>: cmp $0x6,%eax
0x0000000000401082 <+32>: je 0x4010d2 <phase_5+112>        # length must be exactly 6; <+112> sets rax=0 and enters the loop
0x0000000000401084 <+34>: callq 0x40143a <explode_bomb>    # wrong length
0x0000000000401089 <+39>: jmp 0x4010d2 <phase_5+112>
0x000000000040108b <+41>: movzbl (%rbx,%rax,1),%ecx        # loop body, rax = index 0..5: ecx = zero-extended input[rax] (e.g. 'a' = 97)
0x000000000040108f <+45>: mov %cl,(%rsp)                   # write the byte to the 0(%rsp) temp
0x0000000000401092 <+48>: mov (%rsp),%rdx                  # read the temp back as 8 bytes; only the low byte was written, the mask below discards the rest
0x0000000000401096 <+52>: and $0xf,%edx                    # index = low 4 bits of the char (97 & 0xf = 1), so only table entries 0..15 are reachable
0x0000000000401099 <+55>: movzbl 0x4024b0(%rdx),%edx#edx = table[index], 16-entry byte lookup at 0x4024b0; these two instructions are the whole mapping
0x4024b0处的数据是maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?,由于下标已经被and $0xf截成0~15,实际只会用到前16个字符maduiersnfotvbyl。要从中得到flyers,对应下标依次是9,15,14,5,6,7,因此输入的6个字符的低四位要依次是9,15,14,5,6,7,得到一组答案:ionefg(任何低四位满足该序列的字符组合都可以)。
0x00000000004010a0 <+62>: mov %dl,0x10(%rsp,%rax,1)        # out[rax] = mapped char (out = 0x10(%rsp))
0x00000000004010a4 <+66>: add $0x1,%rax
0x00000000004010a8 <+70>: cmp $0x6,%rax
0x00000000004010ac <+74>: jne 0x40108b <phase_5+41>        # loop six times; rax is the counter
# (author's note, unclear) "the characters to find are xandf"
0x00000000004010ae <+76>: movb $0x0,0x16(%rsp)             # out[6] = '\0'; NUL-terminate the 7-byte buffer, still below the canary at 0x18
0x00000000004010b3 <+81>: mov $0x40245e,%esi               # esi = expected string (author: "flyers" at 0x40245e); 32-bit absolute address, fine for a non-PIE binary
0x00000000004010b8 <+86>: lea 0x10(%rsp),%rdi              # rdi = out; e.g. input "abcdef" maps to "aduier"
0x00000000004010bd <+91>: callq 0x401338 <strings_not_equal>   # eax = 0 iff out matches the expected string
0x00000000004010c2 <+96>: test %eax,%eax
0x00000000004010c4 <+98>: je 0x4010d9 <phase_5+119>        # match: skip straight to the canary check
0x00000000004010c6 <+100>: callq 0x40143a <explode_bomb>   # mismatch
0x00000000004010cb <+105>: nopl 0x0(%rax,%rax,1)           # alignment padding
0x00000000004010d0 <+110>: jmp 0x4010d9 <phase_5+119>
0x00000000004010d2 <+112>: mov $0x0,%eax                   # loop entry (reached from <+32>/<+39>): rax = 0
0x00000000004010d7 <+117>: jmp 0x40108b <phase_5+41>
0x00000000004010d9 <+119>: mov 0x18(%rsp),%rax             # reload the saved canary
0x00000000004010de <+124>: xor %fs:0x28,%rax               # compare with the live TLS canary; ZF set iff unchanged
0x00000000004010e7 <+133>: je 0x4010ee <phase_5+140>
0x00000000004010e9 <+135>: callq 0x400b30 <__stack_chk_fail@plt>   # canary mismatch: the frame was overwritten, abort
0x00000000004010ee <+140>: add $0x20,%rsp                  # tear down the frame
0x00000000004010f2 <+144>: pop %rbx                        # restore callee-saved rbx
0x00000000004010f3 <+145>: retq
首先是canary机制暂时不用管,最主要的操作是<+41>到<+74>的循环,每次取出一个输入字符的ascii码,提取其低四位作为下标,通过0x4024b0处的映射表转换为另一个字符,拼出的新字符串为flyers则不会爆炸,否则调用explode_bomb。