Centurion89
asked on
Binary Bomb - Phase_5 - Assembly
Hi everyone,
It's the classic binary bomb lab, and I'm completely stuck on phase 5. Here's what I got:
It's the classic binary bomb lab, and I'm completely stuck on phase 5. Here's what I got:
08048ca7 <phase_5>:
8048ca7: 55 push %ebp
8048ca8: 89 e5 mov %esp,%ebp
8048caa: 53 push %ebx
8048cab: 83 ec 20 sub $0x20,%esp
8048cae: 8b 5d 08 mov 0x8(%ebp),%ebx
8048cb1: 53 push %ebx//send to function
8048cb2: e8 4c 02 00 00 call 8048f03 <string_length>
8048cb7: 83 c4 10 add $0x10,%esp//%esp+10
8048cba: 83 f8 06 cmp $0x6,%eax //needs a string of 6 chars
8048cbd: 74 05 je 8048cc4 <phase_5+0x1d> //if 6, jump
8048cbf: e8 1c 07 00 00 call 80493e0 <explode_bomb>//explode if !=6
8048cc4: ba 01 00 00 00 mov $0x1,%edx //%edx=1
8048cc9: 8d 4d f5 lea -0xb(%ebp),%ecx //??
8048ccc: 0f be 44 13 ff movsbl -0x1(%ebx,%edx,1),%eax //??
8048cd1: 83 e0 0f and $0xf,%eax // %eax & 15
8048cd4: 8a 80 c0 a5 04 08 mov 0x804a5c0(%eax),%al
//I'm confused here. x/s 0x804a5c0 brings up <array.2916>: "isrveawhobpnutfg5\003"
//This shows up again in the <strings_not_equal> function.
8048cda: 88 44 0a ff mov %al,-0x1(%edx,%ecx,1) //??
8048cde: 42 inc %edx //loop counter? goes up to 7
8048cdf: 83 fa 07 cmp $0x7,%edx //when edx=7, goto 8048ce4
8048ce2: 75 e8 jne 8048ccc <phase_5+0x25>//if edx<7, loop
8048ce4: c6 45 fb 00 movb $0x0,-0x5(%ebp) //%ebp=0
8048ce8: 83 ec 08 sub $0x8,%esp //%esp-8
8048ceb: 68 c6 96 04 08 push $0x80496c6 // x/s of this is "saints"
8048cf0: 51 push %ecx
8048cf1: e8 2d 02 00 00 call 8048f23 <strings_not_equal>
//This is where we look at the strings not equal function, but before, look at my comments for the rest of phase_5 to make sure i'm right
8048cf6: 83 c4 10 add $0x10,%esp
8048cf9: 85 c0 test %eax,%eax
//I thought they would always be equal, but from what I've read, %eax must be 0 which is very important...
8048cfb: 74 05 je 8048d02 <phase_5+0x5b>
//if %eax=0,skip the explode and done.
8048cfd: e8 de 06 00 00 call 80493e0 <explode_bomb>
8048d02: 8b 5d fc mov -0x4(%ebp),%ebx
8048d05: c9 leave
8048d06: c3 ret
08048f23 <strings_not_equal>:
8048f23: 55 push %ebp
8048f24: 89 e5 mov %esp,%ebp // %ebp = %esp
8048f26: 57 push %edi
8048f27: 56 push %esi
8048f28: 53 push %ebx
8048f29: 8b 75 08 mov 0x8(%ebp),%esi
8048f2c: 8b 7d 0c mov 0xc(%ebp),%edi
8048f2f: 56 push %esi
8048f30: e8 ce ff ff ff call 8048f03 <string_length>
8048f35: 89 c3 mov %eax,%ebx //ebx contains our string
8048f37: 57 push %edi
8048f38: e8 c6 ff ff ff call 8048f03 <string_length>
8048f3d: 83 c4 08 add $0x8,%esp
8048f40: 39 c3 cmp %eax,%ebx //are both strings 6?
8048f42: 75 14 jne 8048f58 <strings_not_equal+0x35>
8048f44: eb 20 jmp 8048f66 <strings_not_equal+0x43>
8048f46: 8a 42 01 mov 0x1(%edx),%al
8048f49: 41 inc %ecx
8048f4a: 42 inc %edx
8048f4b: 38 c3 cmp %al,%bl
8048f4d: 75 09 jne 8048f58 <strings_not_equal+0x35>
8048f4f: 8a 59 01 mov 0x1(%ecx),%bl
8048f52: 84 db test %bl,%bl
8048f54: 75 f0 jne 8048f46 <strings_not_equal+0x23>
8048f56: eb 07 jmp 8048f5f <strings_not_equal+0x3c>
8048f58: b8 01 00 00 00 mov $0x1,%eax
8048f5d: eb 17 jmp 8048f76 <strings_not_equal+0x53>
8048f5f: b8 00 00 00 00 mov $0x0,%eax
8048f64: eb 10 jmp 8048f76 <strings_not_equal+0x53>
8048f66: 8a 06 mov (%esi),%al
8048f68: 84 c0 test %al,%al
8048f6a: 74 f3 je 8048f5f <strings_not_equal+0x3c>
8048f6c: 3a 07 cmp (%edi),%al
8048f6e: 75 e8 jne 8048f58 <strings_not_equal+0x35>
8048f70: 89 f1 mov %esi,%ecx
8048f72: 89 fa mov %edi,%edx
8048f74: eb d9 jmp 8048f4f <strings_not_equal+0x2c>
8048f76: 8d 65 f4 lea -0xc(%ebp),%esp
8048f79: 5b pop %ebx
8048f7a: 5e pop %esi
8048f7b: 5f pop %edi
8048f7c: c9 leave
8048f7d: c3 ret
//Basically, I understand that this function needs to return 0 in order for me to be able to leave phase_5 safely. I think I've spent a few too many hours staring at this to think straight about it anymore. Any help is greatly appreciated.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Got it! I think I did it the slow way, but I got it. Thanks for all your help infinity, you are quite an asset on these boards.
>> I know that what it does is take the dec. ASCII value of each character in the entered string, and then AND it with 15.
Correct.
>> From what I gather, the word that it needs to match after all this looping is "saints".
Correct.
>> There is also an array that contains every letter of the word saints. I'm thinking what I have to do is find the characters that will give numbers that correspond to the location in the array after they have been ANDed with 15 to create the word saints.
Sounds like you got it :)
You can see this as a simple kind of encryption. The input string will be decrypted by the code to the string "saints". Your job is simply to find an input string that would decrypt to "saints". And then you can enter that input string.
>> I'm having a bit of trouble understanding what the deal with %al is. For example:
>> 8048cd4: 8a 80 c0 a5 04 08 mov 0x804a5c0(%eax),%al
%al is the low-order byte of %eax.
%eax is a 32 bit register.
%ax is the lowest 16 bits of the %eax register.
%al is the lowest 8 bits of %ax.
%ah is the highest 8 bits of %ax.
Something like :
31 ....... 23 ....... 15 ....... 7 ....... 0
\_%ah_/\_%al_/
\____%ax____/
\__________%eax__________/
>> Something is being moved into %al here, correct?
Yes. And to know what that something is, you have to refer to the addressing modes I mentioned earlier.
>> When I do a x/s of %al, it always comes up void in each step. Why is that?
You can just show the eax register.
>> I can't believe how much time I've spent on just this phase compared to the rest of them.
Spending more time on it, means that you're learning more. And that's the entire point :)
You're doing fine btw.
Correct.
>> From what I gather, the word that it needs to match after all this looping is "saints".
Correct.
>> There is also an array that contains every letter of the word saints. I'm thinking what I have to do is find the characters that will give numbers that correspond to the location in the array after they have been ANDed with 15 to create the word saints.
Sounds like you got it :)
You can see this as a simple kind of encryption. The input string will be decrypted by the code to the string "saints". Your job is simply to find an input string that would decrypt to "saints". And then you can enter that input string.
>> I'm having a bit of trouble understanding what the deal with %al is. For example:
>> 8048cd4: 8a 80 c0 a5 04 08 mov 0x804a5c0(%eax),%al
%al is the low-order byte of %eax.
%eax is a 32 bit register.
%ax is the lowest 16 bits of the %eax register.
%al is the lowest 8 bits of %ax.
%ah is the highest 8 bits of %ax.
Something like :
31 ....... 23 ....... 15 ....... 7 ....... 0
\_%ah_/\_%al_/
\____%ax____/
\__________%eax__________/
>> Something is being moved into %al here, correct?
Yes. And to know what that something is, you have to refer to the addressing modes I mentioned earlier.
>> When I do a x/s of %al, it always comes up void in each step. Why is that?
You can just show the eax register.
>> I can't believe how much time I've spent on just this phase compared to the rest of them.
Spending more time on it, means that you're learning more. And that's the entire point :)
You're doing fine btw.
ASKER
I'm having a bit of trouble understanding what the deal with %al is. For example:
8048cd4: 8a 80 c0 a5 04 08 mov 0x804a5c0(%eax),%al
Something is being moved into %al here, correct? When I do a x/s of %al, it always comes up void in each step. Why is that?
Let me know if I'm at least closer. I can't believe how much time I've spent on just this phase compared to the rest of them.