Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Binary Bomb - Phase_5 - Assembly

Posted on 2008-11-03
4
Medium Priority
?
3,685 Views
Last Modified: 2012-05-05
Hi everyone,

It's the classic binary bomb lab, and I'm completely stuck on phase 5. Here's what I got:


08048ca7 <phase_5>:
 8048ca7:       55                      push   %ebp
 8048ca8:       89 e5                   mov    %esp,%ebp
 8048caa:       53                      push   %ebx
 8048cab:       83 ec 20                sub    $0x20,%esp
 8048cae:       8b 5d 08                mov    0x8(%ebp),%ebx
 8048cb1:       53                      push   %ebx//send to function
 8048cb2:       e8 4c 02 00 00          call   8048f03 <string_length>
 8048cb7:       83 c4 10                add    $0x10,%esp//%esp+10
 8048cba:       83 f8 06                cmp    $0x6,%eax //needs a string of 6 chars
 8048cbd:       74 05                   je     8048cc4 <phase_5+0x1d> //if 6, jump
 8048cbf:       e8 1c 07 00 00          call   80493e0 <explode_bomb>//explode if !=6
 8048cc4:       ba 01 00 00 00          mov    $0x1,%edx //%edx=1
 8048cc9:       8d 4d f5                lea    -0xb(%ebp),%ecx //??
 8048ccc:       0f be 44 13 ff          movsbl -0x1(%ebx,%edx,1),%eax //??
 8048cd1:       83 e0 0f                and    $0xf,%eax // %eax & 15
 8048cd4:       8a 80 c0 a5 04 08       mov    0x804a5c0(%eax),%al 
//I'm confused here. x/s 0x804a5c0 brings up <array.2916>:  "isrveawhobpnutfg5\003"
//This shows up again in the <strings_not_equal> function.
 8048cda:       88 44 0a ff             mov    %al,-0x1(%edx,%ecx,1) //??
 8048cde:       42                      inc    %edx //loop counter? goes up to 7
 8048cdf:       83 fa 07                cmp    $0x7,%edx //when edx=7, goto 8048ce4
 8048ce2:       75 e8                   jne    8048ccc <phase_5+0x25>//if edx<7, loop
 8048ce4:       c6 45 fb 00             movb   $0x0,-0x5(%ebp) //%ebp=0
 8048ce8:       83 ec 08                sub    $0x8,%esp //%esp-8
 8048ceb:       68 c6 96 04 08          push   $0x80496c6 // x/s of this is "saints"
 8048cf0:       51                      push   %ecx
 8048cf1:       e8 2d 02 00 00          call   8048f23 <strings_not_equal>
//This is where we look at the strings not equal function, but before, look at my comments for the rest of phase_5 to make sure i'm right
 8048cf6:       83 c4 10                add    $0x10,%esp
 8048cf9:       85 c0                   test   %eax,%eax
//I thought they would always be equal, but from what I've read, %eax must be 0 which is very important...
 8048cfb:       74 05                   je     8048d02 <phase_5+0x5b> 
//if %eax=0,skip the explode and done. 
 8048cfd:       e8 de 06 00 00          call   80493e0 <explode_bomb>
 8048d02:       8b 5d fc                mov    -0x4(%ebp),%ebx
 8048d05:       c9                      leave
 8048d06:       c3                      ret
 
 
08048f23 <strings_not_equal>:
 8048f23:       55                      push   %ebp
 8048f24:       89 e5                   mov    %esp,%ebp // %ebp = %esp
 8048f26:       57                      push   %edi
 8048f27:       56                      push   %esi
 8048f28:       53                      push   %ebx
 8048f29:       8b 75 08                mov    0x8(%ebp),%esi
 8048f2c:       8b 7d 0c                mov    0xc(%ebp),%edi
 8048f2f:       56                      push   %esi
 8048f30:       e8 ce ff ff ff          call   8048f03 <string_length>
 8048f35:       89 c3                   mov    %eax,%ebx //ebx contains our string
 8048f37:       57                      push   %edi
 8048f38:       e8 c6 ff ff ff          call   8048f03 <string_length>
 8048f3d:       83 c4 08                add    $0x8,%esp
 8048f40:       39 c3                   cmp    %eax,%ebx //are both strings 6?
 8048f42:       75 14                   jne    8048f58 <strings_not_equal+0x35>
 8048f44:       eb 20                   jmp    8048f66 <strings_not_equal+0x43>
 8048f46:       8a 42 01                mov    0x1(%edx),%al
 8048f49:       41                      inc    %ecx
 8048f4a:       42                      inc    %edx
 8048f4b:       38 c3                   cmp    %al,%bl
 8048f4d:       75 09                   jne    8048f58 <strings_not_equal+0x35>
 8048f4f:       8a 59 01                mov    0x1(%ecx),%bl
 8048f52:       84 db                   test   %bl,%bl
 8048f54:       75 f0                   jne    8048f46 <strings_not_equal+0x23>
 8048f56:       eb 07                   jmp    8048f5f <strings_not_equal+0x3c>
 8048f58:       b8 01 00 00 00          mov    $0x1,%eax
 8048f5d:       eb 17                   jmp    8048f76 <strings_not_equal+0x53>
 8048f5f:       b8 00 00 00 00          mov    $0x0,%eax
 8048f64:       eb 10                   jmp    8048f76 <strings_not_equal+0x53>
 8048f66:       8a 06                   mov    (%esi),%al
 8048f68:       84 c0                   test   %al,%al
 8048f6a:       74 f3                   je     8048f5f <strings_not_equal+0x3c>
 8048f6c:       3a 07                   cmp    (%edi),%al
 8048f6e:       75 e8                   jne    8048f58 <strings_not_equal+0x35>
 8048f70:       89 f1                   mov    %esi,%ecx
 8048f72:       89 fa                   mov    %edi,%edx
 8048f74:       eb d9                   jmp    8048f4f <strings_not_equal+0x2c>
 8048f76:       8d 65 f4                lea    -0xc(%ebp),%esp
 8048f79:       5b                      pop    %ebx
 8048f7a:       5e                      pop    %esi
 8048f7b:       5f                      pop    %edi
 8048f7c:       c9                      leave
 8048f7d:       c3                      ret
//Basically, I understand that this function needs to return 0 in order for me to be able to leave phase_5 safely. I think I've spent a few too many hours staring at this to think straight about it anymore. Any help is greatly appreciated.

Open in new window

0
Comment
Question by:Centurion89
  • 2
  • 2
4 Comments
 
LVL 53

Accepted Solution

by:
Infinity08 earned 1200 total points
ID: 22874407
>>  8048cba:       83 f8 06                cmp    $0x6,%eax //needs a string of 6 chars

That's right.


>>  8048cc9:       8d 4d f5                lea    -0xb(%ebp),%ecx //??

lea is the load effective address instruction.

        lea     offset(base), dest

basically does this :

        dest = base + offset


>>  8048ccc:       0f be 44 13 ff          movsbl -0x1(%ebx,%edx,1),%eax //??

movsbl copies one signed byte to a signed double word (keeping the same value by extending the sign). In this case, a double word is 32 bits wide.


>> //I'm confused here. x/s 0x804a5c0 brings up <array.2916>:  "isrveawhobpnutfg5\003"

That's simply a string literal. You can get a certain character from that string literal by indexing it just like a normal array.


>>  8048cda:       88 44 0a ff             mov    %al,-0x1(%edx,%ecx,1) //??

When you see something with ()'s, it means that an address is calculated, and the value at that address is returned. Here's how it happens :

        (base)                                 -> calculates : base
        offset(base)                        -> calculates : base + offset
        offset(base, index, scale)   -> calculates : (base + (index * scale)) + offset


>>  8048cde:       42                      inc    %edx //loop counter? goes up to 7

That's a loop counter indeed. How many times does it loop ? Keep in mind the value that %edx was initialized to.


>>  8048ce4:       c6 45 fb 00             movb   $0x0,-0x5(%ebp) //%ebp=0

It's not %ebp that is set to 0. See the explanation on addressing modes a bit earlier.


>>  8048cf9:       85 c0                   test   %eax,%eax
>> //I thought they would always be equal, but from what I've read, %eax must be 0 which is very important...

Correct. What test actually does is take the binary AND of its two operands. When the same value is passed twice, like in this case, the test becomes a simple check for 0.


>> //Basically, I understand that this function needs to return 0 in order for me to be able to leave phase_5 safely. I think I've spent a few too many hours staring at this to think straight about it anymore. Any help is greatly appreciated.

Don't look too far. What's the name of the function ? Now, what do you think it would do ? Once you know what to look for, it's easy to verify that what you think it does is correct.
0
 

Author Comment

by:Centurion89
ID: 22882783
OK, I now have a better understanding of what the loop does after a little more examination. However, I still don't fully understand a few parts. I know that what it does is take the dec. ASCII value of each character in the entered string, and then AND it with 15. From what I gather, the word that it needs to match after all this looping is "saints". There is also an array that contains every letter of the word saints. I'm thinking what I have to do is find the characters that will give numbers that correspond to the location in the array after they have been ANDed with 15 to create the word saints.

I'm having a bit of trouble understanding what the deal with %al is. For example:
8048cd4:       8a 80 c0 a5 04 08       mov    0x804a5c0(%eax),%al

Something is being moved into %al here, correct? When I do a x/s of %al, it always comes up void in each step. Why is that?

Let me know if I'm at least closer. I can't believe how much time I've spent on just this phase compared to the rest of them.
0
 

Author Closing Comment

by:Centurion89
ID: 31512991
Got it! I think I did it the slow way, but I got it. Thanks for all your help infinity, you are quite an asset on these boards.
0
 
LVL 53

Expert Comment

by:Infinity08
ID: 22884288
>> I know that what it does is take the dec. ASCII value of each character in the entered string, and then AND it with 15.

Correct.


>> From what I gather, the word that it needs to match after all this looping is "saints".

Correct.


>> There is also an array that contains every letter of the word saints. I'm thinking what I have to do is find the characters that will give numbers that correspond to the location in the array after they have been ANDed with 15 to create the word saints.

Sounds like you got it :)

You can see this as a simple kind of encryption. The input string will be decrypted by the code to the string "saints". Your job is simply to find an input string that would decrypt to "saints". And then you can enter that input string.


>> I'm having a bit of trouble understanding what the deal with %al is. For example:
>> 8048cd4:       8a 80 c0 a5 04 08       mov    0x804a5c0(%eax),%al

%al is the low-order byte of %eax.

%eax is a 32 bit register.
%ax is the lowest 16 bits of the %eax register.
%al is the lowest 8 bits of %ax.
%ah is the highest 8 bits of %ax.

Something like :

        31 ....... 23 ....... 15 ....... 7 ....... 0
                                 \_%ah_/\_%al_/
                                  \____%ax____/
        \__________%eax__________/


>> Something is being moved into %al here, correct?

Yes. And to know what that something is, you have to refer to the addressing modes I mentioned earlier.


>> When I do a x/s of %al, it always comes up void in each step. Why is that?

You can just show the eax register.


>> I can't believe how much time I've spent on just this phase compared to the rest of them.

Spending more time on it, means that you're learning more. And that's the entire point :)
You're doing fine btw.
0

Featured Post

[Webinar] Database Backup and Recovery

Does your company store data on premises, off site, in the cloud, or a combination of these? If you answered “yes”, you need a data backup recovery plan that fits each and every platform. Watch now as as Percona teaches us how to build agile data backup recovery plan.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Choosing the right mix of apps is very much necessary for CPAs for making the most of the latest technology through which they can boost their growth.
Conducting a customer service survey used to be as straightforward as sending a template email out using checkboxes and numerical rating systems to measure satisfaction.
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
Whether it be Exchange Server Crash Issues, Dirty Shutdown Errors or Failed to mount error, Stellar Phoenix Mailbox Exchange Recovery has always got your back. With the help of its easy to understand user interface and 3 simple steps recovery proced…

578 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question