阳江 网站开发/黄山seo公司

介绍：http://csapp.cs.cmu.edu/3e/bomblab.pdf

工具：gdb

gdb手册：http://csapp.cs.cmu.edu/2e/docs/gdbnotes-x86-64.pdf

phase_1

反汇编phase_1函数。

(gdb) disas phase_1
Dump of assembler code for function phase_1:0x0000000000400ee0 <+0>: 	sub    $0x8,%rsp 0x0000000000400ee4 <+4>: 	mov    $0x402400,%esi0x0000000000400ee9 <+9>: 	callq  0x401338 <strings_not_equal>0x0000000000400eee <+14>:	test   %eax,%eax0x0000000000400ef0 <+16>:	je     0x400ef7 <phase_1+23>0x0000000000400ef2 <+18>:	callq  0x40143a <explode_bomb>0x0000000000400ef7 <+23>:	add    $0x8,%rsp0x0000000000400efb <+27>:	retq   
End of assembler dump.

反汇编phase_1函数，input变量作为第一个参数%rdi，立即数$0x402400作为第二个参数%rsi，调用strings_not_equal字符串比较函数，返回值在%rax中。如果等于0跳转到后续代码；否则调用explode_bomb引爆炸弹。

因为输入是字符串，进行字符串比较所以参数1和参数2都是地址，所以%rdi=$0x402400是待比较字符串的地址，查看该地址指向的字符串便是答案。

(gdb) b phase_1
Breakpoint 1 at 0x400ee0
(gdb) b explode_bomb
Breakpoint 2 at 0x40143a
(gdb) r
Starting program: /media/psf/Home/csapp-lab/Bomb-Lab/bomb-handout/bomb 
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
helloBreakpoint 1, 0x0000000000400ee0 in phase_1 ()
(gdb) stepi
0x0000000000400ee4 in phase_1 ()
(gdb) stepi
0x0000000000400ee9 in phase_1 ()
(gdb) x/s 0x402400
0x402400:	"Border relations with Canada have never been better."

第一个字符串：Border relations with Canada have never been better.

phase_2

反汇编phase_2函数。

(gdb) disas phase_2
Dump of assembler code for function phase_2:0x0000000000400efc <+0>: 	push   %rbp0x0000000000400efd <+1>: 	push   %rbx0x0000000000400efe <+2>: 	sub    $0x28,%rsp 0x0000000000400f02 <+6>: 	mov    %rsp,%rsi 0x0000000000400f05 <+9>: 	callq  0x40145c <read_six_numbers>0x0000000000400f0a <+14>:	cmpl   $0x1,(%rsp)0x0000000000400f0e <+18>:	je     0x400f30 <phase_2+52>0x0000000000400f10 <+20>:	callq  0x40143a <explode_bomb>0x0000000000400f15 <+25>:	jmp    0x400f30 <phase_2+52>0x0000000000400f17 <+27>:	mov    -0x4(%rbx),%eax0x0000000000400f1a <+30>:	add    %eax,%eax0x0000000000400f1c <+32>:	cmp    %eax,(%rbx)0x0000000000400f1e <+34>:	je     0x400f25 <phase_2+41>0x0000000000400f20 <+36>:	callq  0x40143a <explode_bomb>0x0000000000400f25 <+41>:	add    $0x4,%rbx0x0000000000400f29 <+45>:	cmp    %rbp,%rbx0x0000000000400f2c <+48>:	jne    0x400f17 <phase_2+27>0x0000000000400f2e <+50>:	jmp    0x400f3c <phase_2+64>0x0000000000400f30 <+52>:	lea    0x4(%rsp),%rbx0x0000000000400f35 <+57>:	lea    0x18(%rsp),%rbp0x0000000000400f3a <+62>:	jmp    0x400f17 <phase_2+27>0x0000000000400f3c <+64>:	add    $0x28,%rsp0x0000000000400f40 <+68>:	pop    %rbx0x0000000000400f41 <+69>:	pop    %rbp0x0000000000400f42 <+70>:	retq   
End of assembler dump.

分配40个字节的空间，调用read_six_nubmers函数，第一个参数%rdi输入字符串地址，第二个参数%rsi栈顶指针。读取6个整数保存在临时分配的栈空间，与1比较，不相等炸弹爆炸，所以第一个整数是1；跳转到<+52>，%rbx=%rsp+4（第二个数的地址），%rbp=%rsp+24(第六个数后的地址)，跳转到<+27>，%eax=第一个数，%eax=%eax*2，%eax与%rbx的内存引用比较，也就是第一个数的2倍和第二个数比较，如果不相等炸弹爆炸，可推测第二个数为2；后续类推，每一个数是前一个数的两倍。可以得到1-6个数分别是1、2、4、8、16、32。

但是我们不知道将输入字符串是如何转为相应数，接着看read_six_numbers函数。%rdx=%rsi=之前的栈顶指针%rsp，%rcx=之前的栈顶指针%rsp+4，%rax=之前的栈顶指针%rsp+20，%rax存储到新分配的%rsp+8的位置，%rax=之前的栈顶指针%rsp+16，%rax存储到新分配的%rsp的位置，%r9=之前的栈顶指针%rsp+12，%r8=之前的栈顶指针%rsp+8，%esi=0x4025c3，%rax=0，调用sscanf函数，第一个参数%rdi是字符串地址，第二个参数%rsi是格式化字符串，第三个参数%rdx是第一个数地址，第四个参数%rcx是第二个数地址，第五个参数%r8是第三个数地址，第六个参数%r9是第四个数地址，后续使用栈空间存放参数，对应之前两个新写入的栈空间。

(gdb) disas read_six_numbers
Dump of assembler code for function read_six_numbers:0x000000000040145c <+0>: 	sub    $0x18,%rsp0x0000000000401460 <+4>: 	mov    %rsi,%rdx0x0000000000401463 <+7>: 	lea    0x4(%rsi),%rcx0x0000000000401467 <+11>:	lea    0x14(%rsi),%rax0x000000000040146b <+15>:	mov    %rax,0x8(%rsp)0x0000000000401470 <+20>:	lea    0x10(%rsi),%rax0x0000000000401474 <+24>:	mov    %rax,(%rsp)0x0000000000401478 <+28>:	lea    0xc(%rsi),%r90x000000000040147c <+32>:	lea    0x8(%rsi),%r80x0000000000401480 <+36>:	mov    $0x4025c3,%esi0x0000000000401485 <+41>:	mov    $0x0,%eax0x000000000040148a <+46>:	callq  0x400bf0 <__isoc99_sscanf@plt>0x000000000040148f <+51>:	cmp    $0x5,%eax0x0000000000401492 <+54>:	jg     0x401499 <read_six_numbers+61>0x0000000000401494 <+56>:	callq  0x40143a <explode_bomb>0x0000000000401499 <+61>:	add    $0x18,%rsp0x000000000040149d <+65>:	retq   
End of assembler dump.

在sscanf函数设置断点，查看0x4025c3的格式化字符串，便可以知道字符串储存6个整数的格式。

(gdb) b *0x000000000040148a
Breakpoint 1 at 0x40148a
(gdb) r
Starting program: /media/psf/Home/csapp-lab/Bomb-Lab/bomb-handout/bomb 
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
helloBreakpoint 1, 0x000000000040148a in read_six_numbers ()
(gdb) x/s 0x4025c3
0x4025c3:	"%d %d %d %d %d %d"

第二个字符串：1 2 4 8 16 32

phase_3

反汇编phase_3函数。

(gdb) disas phase_3
Dump of assembler code for function phase_3:0x0000000000400f43 <+0>: 	sub    $0x18,%rsp0x0000000000400f47 <+4>: 	lea    0xc(%rsp),%rcx0x0000000000400f4c <+9>: 	lea    0x8(%rsp),%rdx0x0000000000400f51 <+14>:	mov    $0x4025cf,%esi0x0000000000400f56 <+19>:	mov    $0x0,%eax0x0000000000400f5b <+24>:	callq  0x400bf0 <__isoc99_sscanf@plt>0x0000000000400f60 <+29>:	cmp    $0x1,%eax0x0000000000400f63 <+32>:	jg     0x400f6a <phase_3+39>0x0000000000400f65 <+34>:	callq  0x40143a <explode_bomb>0x0000000000400f6a <+39>:	cmpl   $0x7,0x8(%rsp)0x0000000000400f6f <+44>:	ja     0x400fad <phase_3+106>0x0000000000400f71 <+46>:	mov    0x8(%rsp),%eax0x0000000000400f75 <+50>:	jmpq   *0x402470(,%rax,8)0x0000000000400f7c <+57>:	mov    $0xcf,%eax0x0000000000400f81 <+62>:	jmp    0x400fbe <phase_3+123>0x0000000000400f83 <+64>:	mov    $0x2c3,%eax0x0000000000400f88 <+69>:	jmp    0x400fbe <phase_3+123>0x0000000000400f8a <+71>:	mov    $0x100,%eax0x0000000000400f8f <+76>:	jmp    0x400fbe <phase_3+123>0x0000000000400f91 <+78>:	mov    $0x185,%eax0x0000000000400f96 <+83>:	jmp    0x400fbe <phase_3+123>0x0000000000400f98 <+85>:	mov    $0xce,%eax0x0000000000400f9d <+90>:	jmp    0x400fbe <phase_3+123>0x0000000000400f9f <+92>:	mov    $0x2aa,%eax0x0000000000400fa4 <+97>:	jmp    0x400fbe <phase_3+123>0x0000000000400fa6 <+99>:	mov    $0x147,%eax0x0000000000400fab <+104>:	jmp    0x400fbe <phase_3+123>0x0000000000400fad <+106>:	callq  0x40143a <explode_bomb>0x0000000000400fb2 <+111>:	mov    $0x0,%eax0x0000000000400fb7 <+116>:	jmp    0x400fbe <phase_3+123>0x0000000000400fb9 <+118>:	mov    $0x137,%eax0x0000000000400fbe <+123>:	cmp    0xc(%rsp),%eax0x0000000000400fc2 <+127>:	je     0x400fc9 <phase_3+134>0x0000000000400fc4 <+129>:	callq  0x40143a <explode_bomb>0x0000000000400fc9 <+134>:	add    $0x18,%rsp0x0000000000400fcd <+138>:	retq   
End of assembler dump.

查看sscanf的格式字符串，可以得到是字符串是两个整数。

(gdb) b *0x0000000000400f5b
Breakpoint 1 at 0x400f5b
(gdb) r
Starting program: /media/psf/Home/csapp-lab/Bomb-Lab/bomb-handout/bomb 
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Border relations with Canada have never been better.
Phase 1 defused. How about the next one?
1 2 4 8 16 32
That's number 2.  Keep going!
helloBreakpoint 1, 0x0000000000400f5b in phase_3 ()
(gdb) x/s 0x4025cf
0x4025cf:	"%d %d"

从字符串中读取两个数后，将第一个数存在%rax中，第一个数小于7否则炸弹爆炸，执行间接跳转指令，跳转位置是0x402470(0,%rax,8)内存指向的位置，观察发现应该是根据第一个数的大小，跳转到后续的每一个小分支代码。

查看0x402470地址的8个四字空间，分别对应后面的跳转位置。例如第二个，0x402470(0,1,8)=0x402478内存指向的位置是0x0000000000400fb9<+118>，执行跳转将第二个数与0x147进行比较，不相等引爆炸弹，则第一个数是1时，第二个数是0x147。

(gdb) x/8gx 0x402470
0x402470:	0x0000000000400f7c	0x0000000000400fb9
0x402480:	0x0000000000400f83	0x0000000000400f8a
0x402490:	0x0000000000400f91	0x0000000000400f98
0x4024a0:	0x0000000000400f9f	0x0000000000400fa6

我们可以推出，满足的8个答案。

0 0xcf = 0 207

1 0x137 = 1 311

2 0x2c3 = 2 707

3 0x100 = 3 256

4 0x185 = 4 389

5 0xce = 5 206

6 0x2aa = 6 682

7 0x147 = 7 327

第三个字符串是：1 311

phase_4

反汇编phase_4函数。

(gdb) disas phase_4
Dump of assembler code for function phase_4:0x000000000040100c <+0>: 	sub    $0x18,%rsp0x0000000000401010 <+4>: 	lea    0xc(%rsp),%rcx0x0000000000401015 <+9>: 	lea    0x8(%rsp),%rdx0x000000000040101a <+14>:	mov    $0x4025cf,%esi0x000000000040101f <+19>:	mov    $0x0,%eax0x0000000000401024 <+24>:	callq  0x400bf0 <__isoc99_sscanf@plt>0x0000000000401029 <+29>:	cmp    $0x2,%eax0x000000000040102c <+32>:	jne    0x401035 <phase_4+41>0x000000000040102e <+34>:	cmpl   $0xe,0x8(%rsp)0x0000000000401033 <+39>:	jbe    0x40103a <phase_4+46>0x0000000000401035 <+41>:	callq  0x40143a <explode_bomb>0x000000000040103a <+46>:	mov    $0xe,%edx0x000000000040103f <+51>:	mov    $0x0,%esi0x0000000000401044 <+56>:	mov    0x8(%rsp),%edi0x0000000000401048 <+60>:	callq  0x400fce <func4>0x000000000040104d <+65>:	test   %eax,%eax0x000000000040104f <+67>:	jne    0x401058 <phase_4+76>0x0000000000401051 <+69>:	cmpl   $0x0,0xc(%rsp)0x0000000000401056 <+74>:	je     0x40105d <phase_4+81>0x0000000000401058 <+76>:	callq  0x40143a <explode_bomb>0x000000000040105d <+81>:	add    $0x18,%rsp0x0000000000401061 <+85>:	retq   
End of assembler dump.

根据0x4025cf执行的字符串，输入两个整数，我们设为a和b。调用func4(a, 0, 14)，调用后检测返回值，如果非0爆炸炸弹，所以函数返回值必须为0。后续的代码表示第二个数b为0.

反汇编func4函数。

(gdb) disas func4
Dump of assembler code for function func4:0x0000000000400fce <+0>: 	sub    $0x8,%rsp0x0000000000400fd2 <+4>: 	mov    %edx,%eax0x0000000000400fd4 <+6>: 	sub    %esi,%eax0x0000000000400fd6 <+8>: 	mov    %eax,%ecx0x0000000000400fd8 <+10>:	shr    $0x1f,%ecx0x0000000000400fdb <+13>:	add    %ecx,%eax0x0000000000400fdd <+15>:	sar    %eax0x0000000000400fdf <+17>:	lea    (%rax,%rsi,1),%ecx0x0000000000400fe2 <+20>:	cmp    %edi,%ecx0x0000000000400fe4 <+22>:	jle    0x400ff2 <func4+36>0x0000000000400fe6 <+24>:	lea    -0x1(%rcx),%edx0x0000000000400fe9 <+27>:	callq  0x400fce <func4>0x0000000000400fee <+32>:	add    %eax,%eax0x0000000000400ff0 <+34>:	jmp    0x401007 <func4+57>0x0000000000400ff2 <+36>:	mov    $0x0,%eax0x0000000000400ff7 <+41>:	cmp    %edi,%ecx0x0000000000400ff9 <+43>:	jge    0x401007 <func4+57>0x0000000000400ffb <+45>:	lea    0x1(%rcx),%esi0x0000000000400ffe <+48>:	callq  0x400fce <func4>0x0000000000401003 <+53>:	lea    0x1(%rax,%rax,1),%eax0x0000000000401007 <+57>:	add    $0x8,%rsp0x000000000040100b <+61>:	retq   
End of assembler dump.

将汇编代码翻译成c代码，由于代码逻辑性很低我也花了很久才翻译出来。

int func4(int x, int y, int z) {// x in %rdi, y in %rsi, z in %rdx, return in %raxint ret = z - y;ret = (ret + ret >> 31) >> 1;int k = ret + y;if (x = k) {ret = 0;} else if (x > k) {ret = func4(x, k + 1, z);ret = 2 * ret + 1;} else { // case: x < kret = func4(x, y, k - 1);ret = 2 * ret;}return ret;
}

根据之前的要求返回值为0，只有在x=k和x<k的情况下满足，在func4(a, 0, 14)中，x=7满足；在func4(a, 0, 6)中，x=3满足；在func4(a, 0, 2)中，x=1`满足。

故答案为7 0、3 0、1 0。

第四个字符串是3 0

phase_5

反汇编phase_5函数。

(gdb) disas phase_5
Dump of assembler code for function phase_5:0x0000000000401062 <+0>: 	push   %rbx0x0000000000401063 <+1>: 	sub    $0x20,%rsp0x0000000000401067 <+5>: 	mov    %rdi,%rbx0x000000000040106a <+8>: 	mov    %fs:0x28,%rax0x0000000000401073 <+17>:	mov    %rax,0x18(%rsp)0x0000000000401078 <+22>:	xor    %eax,%eax0x000000000040107a <+24>:	callq  0x40131b <string_length>0x000000000040107f <+29>:	cmp    $0x6,%eax0x0000000000401082 <+32>:	je     0x4010d2 <phase_5+112>0x0000000000401084 <+34>:	callq  0x40143a <explode_bomb>0x0000000000401089 <+39>:	jmp    0x4010d2 <phase_5+112>0x000000000040108b <+41>:	movzbl (%rbx,%rax,1),%ecx0x000000000040108f <+45>:	mov    %cl,(%rsp)0x0000000000401092 <+48>:	mov    (%rsp),%rdx0x0000000000401096 <+52>:	and    $0xf,%edx0x0000000000401099 <+55>:	movzbl 0x4024b0(%rdx),%edx0x00000000004010a0 <+62>:	mov    %dl,0x10(%rsp,%rax,1)0x00000000004010a4 <+66>:	add    $0x1,%rax0x00000000004010a8 <+70>:	cmp    $0x6,%rax0x00000000004010ac <+74>:	jne    0x40108b <phase_5+41>0x00000000004010ae <+76>:	movb   $0x0,0x16(%rsp)0x00000000004010b3 <+81>:	mov    $0x40245e,%esi0x00000000004010b8 <+86>:	lea    0x10(%rsp),%rdi0x00000000004010bd <+91>:	callq  0x401338 <strings_not_equal>0x00000000004010c2 <+96>:	test   %eax,%eax0x00000000004010c4 <+98>:	je     0x4010d9 <phase_5+119>0x00000000004010c6 <+100>:	callq  0x40143a <explode_bomb>0x00000000004010cb <+105>:	nopl   0x0(%rax,%rax,1)0x00000000004010d0 <+110>:	jmp    0x4010d9 <phase_5+119>0x00000000004010d2 <+112>:	mov    $0x0,%eax0x00000000004010d7 <+117>:	jmp    0x40108b <phase_5+41>0x00000000004010d9 <+119>:	mov    0x18(%rsp),%rax0x00000000004010de <+124>:	xor    %fs:0x28,%rax0x00000000004010e7 <+133>:	je     0x4010ee <phase_5+140>0x00000000004010e9 <+135>:	callq  0x400b30 <__stack_chk_fail@plt>0x00000000004010ee <+140>:	add    $0x20,%rsp0x00000000004010f2 <+144>:	pop    %rbx0x00000000004010f3 <+145>:	retq   
End of assembler dump.

在调用string_length函数之后，检查返回值是否为6，可以判断输入的字符串长度为6。后续跳转到<+41>，将字符串的第n个字符赋给%ecx，将%ecx最低位取出赋给%edx，%ed&0xf只需要最后4位比特，将0x4024b0地址开始的某个字节赋给%edx，最后存入栈空间中，循环6次也就是根据输入字符串的每个字节，决定从0x4024b0后的某个地址读取字节写入栈空间，最后进行strings_not_equal字符串比较函数，第二个字符串的地址是0x40245e。

检查地址0x40245e指向的字符串。

(gdb) x/s 0x40245e
0x40245e:	"flyers"

检查地址0x4024b0附近的内容。

(gdb) x/b 0x4024b0
0x4024b0 <array.3449>:	"maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"

发现想要的flyers字符在其中，找到其位置。循环中的%edx分别是9 15 14 5 6 7。

因为输入的字符串，使用的ascii编码，我们需要利用最后4位构造字符。可以在此基础上+48 = 0011xxxx构成可显示字符。有多种满足的答案，这只是其中一种还可以+64等。

通过查表可以得到答案。

57	63	62	53	54	55
9	？	>	5	6	7

第五个字符串是：9?>567

phase_6

反汇编phase_6函数。

(gdb) disas phase_6
Dump of assembler code for function phase_6:0x00000000004010f4 <+0>: 	push   %r140x00000000004010f6 <+2>: 	push   %r130x00000000004010f8 <+4>: 	push   %r120x00000000004010fa <+6>: 	push   %rbp0x00000000004010fb <+7>: 	push   %rbx0x00000000004010fc <+8>: 	sub    $0x50,%rsp0x0000000000401100 <+12>:	mov    %rsp,%r130x0000000000401103 <+15>:	mov    %rsp,%rsi0x0000000000401106 <+18>:	callq  0x40145c <read_six_numbers>0x000000000040110b <+23>:	mov    %rsp,%r140x000000000040110e <+26>:	mov    $0x0,%r12d0x0000000000401114 <+32>:	mov    %r13,%rbp0x0000000000401117 <+35>:	mov    0x0(%r13),%eax0x000000000040111b <+39>:	sub    $0x1,%eax0x000000000040111e <+42>:	cmp    $0x5,%eax0x0000000000401121 <+45>:	jbe    0x401128 <phase_6+52>0x0000000000401123 <+47>:	callq  0x40143a <explode_bomb>0x0000000000401128 <+52>:	add    $0x1,%r12d0x000000000040112c <+56>:	cmp    $0x6,%r12d0x0000000000401130 <+60>:	je     0x401153 <phase_6+95>0x0000000000401132 <+62>:	mov    %r12d,%ebx0x0000000000401135 <+65>:	movslq %ebx,%rax0x0000000000401138 <+68>:	mov    (%rsp,%rax,4),%eax0x000000000040113b <+71>:	cmp    %eax,0x0(%rbp)0x000000000040113e <+74>:	jne    0x401145 <phase_6+81>0x0000000000401140 <+76>:	callq  0x40143a <explode_bomb>0x0000000000401145 <+81>:	add    $0x1,%ebx0x0000000000401148 <+84>:	cmp    $0x5,%ebx0x000000000040114b <+87>:	jle    0x401135 <phase_6+65>0x000000000040114d <+89>:	add    $0x4,%r130x0000000000401151 <+93>:	jmp    0x401114 <phase_6+32>0x0000000000401153 <+95>:	lea    0x18(%rsp),%rsi0x0000000000401158 <+100>:	mov    %r14,%rax0x000000000040115b <+103>:	mov    $0x7,%ecx0x0000000000401160 <+108>:	mov    %ecx,%edx0x0000000000401162 <+110>:	sub    (%rax),%edx0x0000000000401164 <+112>:	mov    %edx,(%rax)0x0000000000401166 <+114>:	add    $0x4,%rax0x000000000040116a <+118>:	cmp    %rsi,%rax0x000000000040116d <+121>:	jne    0x401160 <phase_6+108>0x000000000040116f <+123>:	mov    $0x0,%esi0x0000000000401174 <+128>:	jmp    0x401197 <phase_6+163>0x0000000000401176 <+130>:	mov    0x8(%rdx),%rdx0x000000000040117a <+134>:	add    $0x1,%eax0x000000000040117d <+137>:	cmp    %ecx,%eax0x000000000040117f <+139>:	jne    0x401176 <phase_6+130>0x0000000000401181 <+141>:	jmp    0x401188 <phase_6+148>0x0000000000401183 <+143>:	mov    $0x6032d0,%edx0x0000000000401188 <+148>:	mov    %rdx,0x20(%rsp,%rsi,2)0x000000000040118d <+153>:	add    $0x4,%rsi0x0000000000401191 <+157>:	cmp    $0x18,%rsi0x0000000000401195 <+161>:	je     0x4011ab <phase_6+183>0x0000000000401197 <+163>:	mov    (%rsp,%rsi,1),%ecx0x000000000040119a <+166>:	cmp    $0x1,%ecx0x000000000040119d <+169>:	jle    0x401183 <phase_6+143>0x000000000040119f <+171>:	mov    $0x1,%eax0x00000000004011a4 <+176>:	mov    $0x6032d0,%edx0x00000000004011a9 <+181>:	jmp    0x401176 <phase_6+130>0x00000000004011ab <+183>:	mov    0x20(%rsp),%rbx0x00000000004011b0 <+188>:	lea    0x28(%rsp),%rax0x00000000004011b5 <+193>:	lea    0x50(%rsp),%rsi0x00000000004011ba <+198>:	mov    %rbx,%rcx0x00000000004011bd <+201>:	mov    (%rax),%rdx0x00000000004011c0 <+204>:	mov    %rdx,0x8(%rcx)0x00000000004011c4 <+208>:	add    $0x8,%rax0x00000000004011c8 <+212>:	cmp    %rsi,%rax0x00000000004011cb <+215>:	je     0x4011d2 <phase_6+222>0x00000000004011cd <+217>:	mov    %rdx,%rcx0x00000000004011d0 <+220>:	jmp    0x4011bd <phase_6+201>0x00000000004011d2 <+222>:	movq   $0x0,0x8(%rdx)0x00000000004011da <+230>:	mov    $0x5,%ebp0x00000000004011df <+235>:	mov    0x8(%rbx),%rax0x00000000004011e3 <+239>:	mov    (%rax),%eax0x00000000004011e5 <+241>:	cmp    %eax,(%rbx)0x00000000004011e7 <+243>:	jge    0x4011ee <phase_6+250>0x00000000004011e9 <+245>:	callq  0x40143a <explode_bomb>0x00000000004011ee <+250>:	mov    0x8(%rbx),%rbx0x00000000004011f2 <+254>:	sub    $0x1,%ebp0x00000000004011f5 <+257>:	jne    0x4011df <phase_6+235>0x00000000004011f7 <+259>:	add    $0x50,%rsp0x00000000004011fb <+263>:	pop    %rbx0x00000000004011fc <+264>:	pop    %rbp0x00000000004011fd <+265>:	pop    %r120x00000000004011ff <+267>:	pop    %r130x0000000000401201 <+269>:	pop    %r140x0000000000401203 <+271>:	retq   
End of assembler dump.

最后一个关卡的汇编代码非常长，需要耐心解读。

汇编程序的逻辑是：

1. 从字符串中读取6个数存储在栈空间
2. 每个整数x大于0小于等于6，且互不相等
3. 每个整数进行一次x = 7 - x处理
4. 根据x的值存储一个结点的地址
5. 将6个结点重新链起来
6. 链表是数据域递减顺序

(gdb) x/24wx 0x6032d0
0x6032d0 <node1>:	0x0000014c	0x00000001	0x006032e0	0x00000000
0x6032e0 <node2>:	0x000000a8	0x00000002	0x006032f0	0x00000000
0x6032f0 <node3>:	0x0000039c	0x00000003	0x00603300	0x00000000
0x603300 <node4>:	0x000002b3	0x00000004	0x00603310	0x00000000
0x603310 <node5>:	0x000001dd	0x00000005	0x00603320	0x00000000
0x603320 <node6>:	0x000001bb	0x00000006	0x00000000	0x00000000

最终的顺序是3 4 5 6 1 2，还原顺序就是4 3 2 1 6 5。

第六个字符串是：4 3 2 1 6 5

总结

该lab还是花了不少时间去阅读汇编代码，在各种跳转中有些眩晕。通过使用gdb调试工具，查看反汇编代码，分析汇编代码和内存分布来找到解题答案。加强了对汇编语言的理解，寄存器的使用，栈空间的使用等。