05/08/2009 at 11:36AM PDT, ID: 24393400
Defusing A Binary Bomb

Asked by braker15 in Assembly Programming Language, C Programming Language, C++ Programming Language

I am having trouble with this bomb. I know I need to feed it six numbers.

when   eax = *(esi + ebx * 4 - 8) + 5;

how can this be true?
eax = *(esi + ebx * 4 - 4)

I did some math incrementing ebx and found the equations are always 1 different from each other:
eax = *(esi + ebx * 4 - 8) + 5;
2 = 8 - 8 = 0 + 5 = 5  (2 would be ebx here)
      - 4  = 4    = 4
3 = 12 - 8 = 4 + 5 = 9 (3 would be ebx here)
       - 4 = 8     = 8
4 = 16 - 8 = 8 + 5 = 13 (4 would be ebx here)
    16 - 4 = 12    = 12


    /* unknown */ void  ebx;
    /* unknown */ void  esi;
    /* unknown */ void  Vfffffff8;

    Vfffffff8 = ebp - 0x20;
    *esp = A8;
    read_six_numbers();
    ebx = 2;
    esi = ebp - 0x20;
    do {
        eax = *(esi + ebx * 4 - 8) + 5;
        if(*(esi + ebx * 4 - 4) != eax) {
            eax = explode_bomb();
        }
        ebx = ebx + 1;
    } while(ebx != 7);
}

Could someone push me in the right direction?  

I have IDA Pro and RecStudio... but I don't know how to assign values to the variables and take the loops for a "test run".

Also, I don't understand how to figure out ebp?

Thank you!
Here is the ASM representation:
 Address  Mnemonic                                 SP In  SP Out  SP offs  Intermediate Representation
08048dc0: push ebp                                     0      60      0   (save)ebp
08048dc1: mov ebp,esp                                                 4   ebp = esp
08048dc3: push esi                                                    4   (save)esi
08048dc4: push ebx                                                    8   (save)ebx
08048dc5: sub esp,byte +0x30                                         12   esp = esp - 0x30
08048dc8: lea eax,[ebp-0x20]                                         60   eax = ebp - 0x20
08048dcb: mov [esp+0x4],eax                                          60   *(esp + 4) = eax
08048dcf: mov eax,[ebp+0x8]                                          60   eax = *(ebp + 8)
08048dd2: mov [esp],eax                                              60   *esp = eax
08048dd5: call 0x8049393                                             60   eax = read_six_numbers()
08048dda: mov ebx,0x2                                                60   ebx = 2
08048ddf: lea esi,[ebp-0x20]                                         60   esi = ebp - 0x20
08048de2: mov eax,[esi+ebx*4-0x8]                     60      60     60   eax = *(esi + ebx * 4 - 8)
08048de6: add eax,byte +0x5                                          60   eax = eax + 5
08048de9: cmp [esi+ebx*4-0x4],eax                                    60   *(esi + ebx * 4 - 4) :: eax
08048ded: jz 0x8048df4                                               60   == ? L08048df4 : 
08048def: call 0x8049351                              60      60     60   eax = explode_bomb()
08048df4: add ebx,byte +0x1                           60      60     60   ebx = ebx + 1
08048df7: cmp ebx,byte +0x7                                          60   ebx :: 7
08048dfa: jnz 0x8048de2                                              60   != ? 0x8048de2 : 
08048dfc: add esp,byte +0x30                          60       0     60   esp = esp + 0x30
08048dff: pop ebx                                                    12   (restore)ebx
08048e00: pop esi                                                     8   (restore)esi
08048e01: pop ebp                                                     4   (restore)ebp
08048e02: ret                                                         0   return
 
 
And the code converted to C (using RecStudio):
 
/*	Procedure: 0x08048DC0 - 0x08048E02
 *	Argument size: 4
 *	Local size: 0
 *	Save regs size: 48
 *	Called by:
 *		main()
 */
 
phase_2(A8)
/* unknown */ void  A8;
{
	/* unknown */ void  ebx;
	/* unknown */ void  esi;
	/* unknown */ void  Vfffffff8;
 
    Vfffffff8 = ebp - 0x20;
    *esp = A8;
    read_six_numbers();
    ebx = 2;
    esi = ebp - 0x20;
    do {
        eax = *(esi + ebx * 4 - 8) + 5;
        if(*(esi + ebx * 4 - 4) != eax) {
            eax = explode_bomb();
        }
        ebx = ebx + 1;
    } while(ebx != 7);
}
 
 
--------
read_six_numbers(A8, Ac)
/* unknown */ void  A8;
/* unknown */ void  Ac;
{
	/* unknown */ void  V0;
	/* unknown */ void  V4;
	/* unknown */ void  V8;
	/* unknown */ void  Vc;
	/* unknown */ void  V10;
	/* unknown */ void  V14;
	/* unknown */ void  V18;
 
    V18 = Ac + 0x14;
    V14 = Ac + 0x10;
    V10 = Ac + 0xc;
    Vc = Ac + 8;
    V8 = Ac + 4;
    V4 = Ac;
    V0 = "%d %d %d %d %d %d";
    *esp = A8;
    eax = L080489D4();
    if(eax <= 5) {
        eax = explode_bomb();
    }
}
----------------
/*	Procedure: 0x080489D4 - 0x080489E3
 *	Argument size: 0
 *	Local size: 0
 *	Save regs size: 0
 *	Called by:
 *		phase_5()
 *		phase_4()
 *		phase_3()
 *		phase_defused()
 *		read_six_numbers()
 */
 
L080489d4()
{
 
    goto ( *L0804a16c);
    (save)0xf0;
    goto L080487E4;
}
--------------------
/*	Procedure: 0x080487E4 - 0x080487F3
 *	Argument size: 0
 *	Local size: 0
 *	Save regs size: 0
 */
 
L080487e4()
{
 
    (save)M0804a0ec;
    goto ( *L0804a0f0);
    *eax = *eax + al;
    *eax = *eax + al;
}
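
Added example (not part of the original question, and not the bomb's own source): a C model of the phase_2 loop from the listing above that can be given a "test run" on any input line. The function name phase_2_passes and the sample inputs are constructed for illustration, and treating the L080489D4 stub as sscanf is an assumption based on the format string and the return-count check.

```c
#include <stdio.h>
#include <string.h>

_Static_assert(sizeof(int) == 4, "listing is 32-bit x86: 4-byte ints");

/* Hypothetical helper: returns 1 if the input line survives phase_2,
 * 0 where the listing would call explode_bomb(). */
int phase_2_passes(const char *input)
{
    /* The six ints read_six_numbers fills at ebp-0x20 .. ebp-0x0c. The
     * runtime value of ebp is irrelevant: ebp-0x20 is just &nums[0]. */
    int nums[6];

    /* Format string is from the listing; treating the L080489D4 stub
     * as sscanf is an assumption. "if (eax <= 5) explode_bomb()". */
    if (sscanf(input, "%d %d %d %d %d %d", &nums[0], &nums[1], &nums[2],
               &nums[3], &nums[4], &nums[5]) <= 5)
        return 0;

    const unsigned char *esi = (const unsigned char *)nums; /* lea esi,[ebp-0x20] */
    for (int ebx = 2; ebx != 7; ebx++) {
        unsigned prev, cur;
        /* The bracketed expressions are byte addresses, not values:
         * esi+ebx*4-8 is &nums[ebx-2], esi+ebx*4-4 is &nums[ebx-1]. */
        memcpy(&prev, esi + ebx * 4 - 8, 4);   /* mov eax,[esi+ebx*4-0x8] */
        memcpy(&cur,  esi + ebx * 4 - 4, 4);   /* cmp [esi+ebx*4-0x4],eax */
        if (cur != prev + 5u)                  /* add eax,5 wraps like the CPU */
            return 0;                          /* call explode_bomb */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the page. */
    const char *samples[] = { "1 6 11 16 21 26", "-10 -5 0 5 10 15",
                              "1 2 3 4 5 6", "1 6 11 16 21" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s -> %s\n", samples[i],
               phase_2_passes(samples[i]) ? "ok" : "explode_bomb()");
    return 0;
}
```

The loop never constrains the first number; it only requires each later number to equal the one before it plus 5.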
[+][-]05/09/09 01:03 AM, ID: 24342788

About this solution

Zones: Assembly Programming Language, C Programming Language, C++ Programming Language
Solution Provided By: Infinity08
Participating Experts: 1
Solution Grade: A
 
 