Binary Bomb - Phase_5 - Assembly

Hi everyone,

It's the classic binary bomb lab, and I'm completely stuck on phase 5. Here's what I got:


08048ca7 <phase_5>:
 8048ca7:       55                      push   %ebp
 8048ca8:       89 e5                   mov    %esp,%ebp
 8048caa:       53                      push   %ebx
 8048cab:       83 ec 20                sub    $0x20,%esp
 8048cae:       8b 5d 08                mov    0x8(%ebp),%ebx
 8048cb1:       53                      push   %ebx//send to function
 8048cb2:       e8 4c 02 00 00          call   8048f03 <string_length>
 8048cb7:       83 c4 10                add    $0x10,%esp//%esp+10
 8048cba:       83 f8 06                cmp    $0x6,%eax //needs a string of 6 chars
 8048cbd:       74 05                   je     8048cc4 <phase_5+0x1d> //if 6, jump
 8048cbf:       e8 1c 07 00 00          call   80493e0 <explode_bomb>//explode if !=6
 8048cc4:       ba 01 00 00 00          mov    $0x1,%edx //%edx=1
 8048cc9:       8d 4d f5                lea    -0xb(%ebp),%ecx //??
 8048ccc:       0f be 44 13 ff          movsbl -0x1(%ebx,%edx,1),%eax //??
 8048cd1:       83 e0 0f                and    $0xf,%eax // %eax & 15
 8048cd4:       8a 80 c0 a5 04 08       mov    0x804a5c0(%eax),%al 
//I'm confused here. x/s 0x804a5c0 brings up <array.2916>:  "isrveawhobpnutfg5\003"
//This shows up again in the <strings_not_equal> function.
 8048cda:       88 44 0a ff             mov    %al,-0x1(%edx,%ecx,1) //??
 8048cde:       42                      inc    %edx //loop counter? goes up to 7
 8048cdf:       83 fa 07                cmp    $0x7,%edx //when edx=7, goto 8048ce4
 8048ce2:       75 e8                   jne    8048ccc <phase_5+0x25>//if edx<7, loop
 8048ce4:       c6 45 fb 00             movb   $0x0,-0x5(%ebp) //%ebp=0
 8048ce8:       83 ec 08                sub    $0x8,%esp //%esp-8
 8048ceb:       68 c6 96 04 08          push   $0x80496c6 // x/s of this is "saints"
 8048cf0:       51                      push   %ecx
 8048cf1:       e8 2d 02 00 00          call   8048f23 <strings_not_equal>
//This is where we look at the strings not equal function, but before, look at my comments for the rest of phase_5 to make sure i'm right
 8048cf6:       83 c4 10                add    $0x10,%esp
 8048cf9:       85 c0                   test   %eax,%eax
//I thought they would always be equal, but from what I've read, %eax must be 0 which is very important...
 8048cfb:       74 05                   je     8048d02 <phase_5+0x5b> 
//if %eax=0,skip the explode and done. 
 8048cfd:       e8 de 06 00 00          call   80493e0 <explode_bomb>
 8048d02:       8b 5d fc                mov    -0x4(%ebp),%ebx
 8048d05:       c9                      leave
 8048d06:       c3                      ret
 
 
08048f23 <strings_not_equal>:
 8048f23:       55                      push   %ebp
 8048f24:       89 e5                   mov    %esp,%ebp // %ebp = %esp
 8048f26:       57                      push   %edi
 8048f27:       56                      push   %esi
 8048f28:       53                      push   %ebx
 8048f29:       8b 75 08                mov    0x8(%ebp),%esi
 8048f2c:       8b 7d 0c                mov    0xc(%ebp),%edi
 8048f2f:       56                      push   %esi
 8048f30:       e8 ce ff ff ff          call   8048f03 <string_length>
 8048f35:       89 c3                   mov    %eax,%ebx //ebx contains our string
 8048f37:       57                      push   %edi
 8048f38:       e8 c6 ff ff ff          call   8048f03 <string_length>
 8048f3d:       83 c4 08                add    $0x8,%esp
 8048f40:       39 c3                   cmp    %eax,%ebx //are both strings 6?
 8048f42:       75 14                   jne    8048f58 <strings_not_equal+0x35>
 8048f44:       eb 20                   jmp    8048f66 <strings_not_equal+0x43>
 8048f46:       8a 42 01                mov    0x1(%edx),%al
 8048f49:       41                      inc    %ecx
 8048f4a:       42                      inc    %edx
 8048f4b:       38 c3                   cmp    %al,%bl
 8048f4d:       75 09                   jne    8048f58 <strings_not_equal+0x35>
 8048f4f:       8a 59 01                mov    0x1(%ecx),%bl
 8048f52:       84 db                   test   %bl,%bl
 8048f54:       75 f0                   jne    8048f46 <strings_not_equal+0x23>
 8048f56:       eb 07                   jmp    8048f5f <strings_not_equal+0x3c>
 8048f58:       b8 01 00 00 00          mov    $0x1,%eax
 8048f5d:       eb 17                   jmp    8048f76 <strings_not_equal+0x53>
 8048f5f:       b8 00 00 00 00          mov    $0x0,%eax
 8048f64:       eb 10                   jmp    8048f76 <strings_not_equal+0x53>
 8048f66:       8a 06                   mov    (%esi),%al
 8048f68:       84 c0                   test   %al,%al
 8048f6a:       74 f3                   je     8048f5f <strings_not_equal+0x3c>
 8048f6c:       3a 07                   cmp    (%edi),%al
 8048f6e:       75 e8                   jne    8048f58 <strings_not_equal+0x35>
 8048f70:       89 f1                   mov    %esi,%ecx
 8048f72:       89 fa                   mov    %edi,%edx
 8048f74:       eb d9                   jmp    8048f4f <strings_not_equal+0x2c>
 8048f76:       8d 65 f4                lea    -0xc(%ebp),%esp
 8048f79:       5b                      pop    %ebx
 8048f7a:       5e                      pop    %esi
 8048f7b:       5f                      pop    %edi
 8048f7c:       c9                      leave
 8048f7d:       c3                      ret
//Basically, I understand that this function needs to return 0 in order for me to be able to leave phase_5 safely. I think I've spent a few too many hours staring at this to think straight about it anymore. Any help is greatly appreciated.

Open in new window

Centurion89Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Infinity08Commented:
>>  8048cba:       83 f8 06                cmp    $0x6,%eax //needs a string of 6 chars

That's right.


>>  8048cc9:       8d 4d f5                lea    -0xb(%ebp),%ecx //??

lea is the load effective address instruction.

        lea     offset(base), dest

basically does this :

        dest = base + offset


>>  8048ccc:       0f be 44 13 ff          movsbl -0x1(%ebx,%edx,1),%eax //??

movsbl copies one signed byte to a signed double word (keeping the same value by extending the sign). In this case, a double word is 32 bits wide.


>> //I'm confused here. x/s 0x804a5c0 brings up <array.2916>:  "isrveawhobpnutfg5\003"

That's simply a string literal. You can get a certain character from that string literal by indexing it just like a normal array.


>>  8048cda:       88 44 0a ff             mov    %al,-0x1(%edx,%ecx,1) //??

When you see something with ()'s, it means that an address is calculated, and the value at that address is returned. Here's how it happens :

        (base)                                 -> calculates : base
        offset(base)                        -> calculates : base + offset
        offset(base, index, scale)   -> calculates : (base + (index * scale)) + offset


>>  8048cde:       42                      inc    %edx //loop counter? goes up to 7

That's a loop counter indeed. How many times does it loop ? Keep in mind the value that %edx was initialized to.


>>  8048ce4:       c6 45 fb 00             movb   $0x0,-0x5(%ebp) //%ebp=0

It's not %ebp that is set to 0. See the explanation on addressing modes a bit earlier.


>>  8048cf9:       85 c0                   test   %eax,%eax
>> //I thought they would always be equal, but from what I've read, %eax must be 0 which is very important...

Correct. What test actually does is take the binary AND of its two operands. When the same value is passed twice, like in this case, the test becomes a simple check for 0.


>> //Basically, I understand that this function needs to return 0 in order for me to be able to leave phase_5 safely. I think I've spent a few too many hours staring at this to think straight about it anymore. Any help is greatly appreciated.

Don't look too far. What's the name of the function ? Now, what do you think it would do ? Once you know what to look for, it's easy to verify that what you think it does is correct.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Centurion89Author Commented:
OK, I now have a better understanding of what the loop does after a little more examination. However, I still don't fully understand a few parts. I know that what it does is take the dec. ASCII value of each character in the entered string, and then AND it with 15. From what I gather, the word that it needs to match after all this looping is "saints". There is also an array that contains every letter of the word saints. I'm thinking what I have to do is find the characters that will give numbers that correspond to the location in the array after they have been ANDed with 15 to create the word saints.

I'm having a bit of trouble understanding what the deal with %al is. For example:
8048cd4:       8a 80 c0 a5 04 08       mov    0x804a5c0(%eax),%al

Something is being moved into %al here, correct? When I do a x/s of %al, it always comes up void in each step. Why is that?

Let me know if I'm at least closer. I can't believe how much time I've spent on just this phase compared to the rest of them.
0
Centurion89Author Commented:
Got it! I think I did it the slow way, but I got it. Thanks for all your help infinity, you are quite an asset on these boards.
0
Infinity08Commented:
>> I know that what it does is take the dec. ASCII value of each character in the entered string, and then AND it with 15.

Correct.


>> From what I gather, the word that it needs to match after all this looping is "saints".

Correct.


>> There is also an array that contains every letter of the word saints. I'm thinking what I have to do is find the characters that will give numbers that correspond to the location in the array after they have been ANDed with 15 to create the word saints.

Sounds like you got it :)

You can see this as a simple kind of encryption. The input string will be decrypted by the code to the string "saints". Your job is simply to find an input string that would decrypt to "saints". And then you can enter that input string.


>> I'm having a bit of trouble understanding what the deal with %al is. For example:
>> 8048cd4:       8a 80 c0 a5 04 08       mov    0x804a5c0(%eax),%al

%al is the low-order byte of %eax.

%eax is a 32 bit register.
%ax is the lowest 16 bits of the %eax register.
%al is the lowest 8 bits of %ax.
%ah is the highest 8 bits of %ax.

Something like :

        31 ....... 23 ....... 15 ....... 7 ....... 0
                                 \_%ah_/\_%al_/
                                  \____%ax____/
        \__________%eax__________/


>> Something is being moved into %al here, correct?

Yes. And to know what that something is, you have to refer to the addressing modes I mentioned earlier.


>> When I do a x/s of %al, it always comes up void in each step. Why is that?

You can just show the eax register.


>> I can't believe how much time I've spent on just this phase compared to the rest of them.

Spending more time on it, means that you're learning more. And that's the entire point :)
You're doing fine btw.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Assembly

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.