Solved

need help with binary bomb phase_2

Posted on 2009-04-25
Last Modified: 2012-05-06
Hey, I need to defuse a binary bomb. I'm not an assembly language expert... so I'd appreciate any help =)

080519e5 <phase_2>:
 80519e5:       55                      push   %ebp
 80519e6:       89 e5                   mov    %esp,%ebp
 80519e8:       53                      push   %ebx
 80519e9:       83 ec 2c                sub    $0x2c,%esp
 80519ec:       8d 45 d8                lea    0xffffffd8(%ebp),%eax
 80519ef:       50                      push   %eax
 80519f0:       ff 75 08                pushl  0x8(%ebp)
 80519f3:       e8 5f 03 00 00          call   8051d57 <read_six_numbers>
 80519f8:       bb 01 00 00 00          mov    $0x1,%ebx
 80519fd:       83 c4 10                add    $0x10,%esp
 8051a00:       8b 44 9d d4             mov    0xffffffd4(%ebp,%ebx,4),%eax
 8051a04:       83 c0 05                add    $0x5,%eax
 8051a07:       39 44 9d d8             cmp    %eax,0xffffffd8(%ebp,%ebx,4)
 8051a0b:       74 05                   je     8051a12 <phase_2+0x2d>
 8051a0d:       e8 9a 07 00 00          call   80521ac <explode_bomb>
 8051a12:       43                      inc    %ebx
 8051a13:       83 fb 05                cmp    $0x5,%ebx
 8051a16:       7e e8                   jle    8051a00 <phase_2+0x1b>
 8051a18:       8b 5d fc                mov    0xfffffffc(%ebp),%ebx
 8051a1b:       c9                      leave
 8051a1c:       c3                      ret

08051d57 <read_six_numbers>:
 8051d57:       55                      push   %ebp
 8051d58:       89 e5                   mov    %esp,%ebp
 8051d5a:       83 ec 08                sub    $0x8,%esp
 8051d5d:       8b 55 0c                mov    0xc(%ebp),%edx
 8051d60:       8d 42 14                lea    0x14(%edx),%eax
 8051d63:       50                      push   %eax
 8051d64:       8d 42 10                lea    0x10(%edx),%eax
 8051d67:       50                      push   %eax
 8051d68:       8d 42 0c                lea    0xc(%edx),%eax
 8051d6b:       50                      push   %eax
 8051d6c:       8d 42 08                lea    0x8(%edx),%eax
 8051d6f:       50                      push   %eax
 8051d70:       8d 42 04                lea    0x4(%edx),%eax
 8051d73:       50                      push   %eax
 8051d74:       52                      push   %edx
 8051d75:       68 72 23 05 08          push   $0x8052372
 8051d7a:       ff 75 08                pushl  0x8(%ebp)
 8051d7d:       e8 d6 f7 ff ff          call   8051558 <_PROCEDURE_LINKAGE_TABLE_+0xb0>
 8051d82:       83 c4 20                add    $0x20,%esp
 8051d85:       83 f8 05                cmp    $0x5,%eax
 8051d88:       7f 05                   jg     8051d8f <read_six_numbers+0x38>
 8051d8a:       e8 1d 04 00 00          call   80521ac <explode_bomb>
 8051d8f:       c9                      leave
 8051d90:       c3                      ret


This is what I know about phase 2
080519e5 <phase_2>:
 80519e5:      55                         push   %ebp <------------------------Pushes ebp onto the stack
 80519e6:      89 e5                      mov    %esp,%ebp <-------------------ebp = esp
 80519e8:      53                         push   %ebx <------------------------Pushes ebx onto the stack
 80519e9:      83 ec 2c                   sub    $0x2c,%esp <------------------esp = esp-44
 80519ec:      8d 45 d8                   lea    0xffffffd8(%ebp),%eax <-------load effective address eax = 0xffffffd8(%ebp)?
 80519ef:      50                         push   %eax <------------------------Pushes eax onto the stack
 80519f0:      ff 75 08                   pushl  0x8(%ebp) <-------------------Push ebp onto the stack offset by 8
 80519f3:      e8 5f 03 00 00             call   8051d57 <read_six_numbers> <--Call the function with the parameters already there
 80519f8:      bb 01 00 00 00             mov    $0x1,%ebx <-------------------ebx = 1
 80519fd:      83 c4 10                   add    $0x10,%esp <------------------esp = esp + 10
 8051a00:      8b 44 9d d4                mov    0xffffffd4(%ebp,%ebx,4),%eax<-eax = 0xffffffd4(%ebp,%ebx,4)
 8051a04:      83 c0 05                   add    $0x5,%eax <-------------------eax = eax + 5
 8051a07:      39 44 9d d8                cmp    %eax,0xffffffd8(%ebp,%ebx,4)<-compares eax with that huge offset thing
 8051a0b:      74 05                      je     8051a12 <phase_2+0x2d> <------jumps if the compare works out right
 8051a0d:      e8 9a 07 00 00             call   80521ac <explode_bomb> <------explodes bomb, have to avoid this
 8051a12:      43                         inc    %ebx <------------------------increment ebx by 1?
 8051a13:      83 fb 05                   cmp    $0x5,%ebx <-------------------compare ebx to 5
 8051a16:      7e e8                      jle    8051a00 <phase_2+0x1b> <------jump less than phase 2 + the offset 8051A00
 8051a18:      8b 5d fc                   mov    0xfffffffc(%ebp),%ebx <-------ebx = the huge offset of ebp
 8051a1b:      c9                         leave  <-----------------------------breaks down the current stack frame
 8051a1c:      c3                         ret    <-----------------------------It goes back to the calling code

And this is what I think the C code should look like, not 100% sure it's right:

void phase_2(char *input)
{
    int ii;
    int numbers[6];     /* the array at ebp-0x28 that read_six_numbers fills */

    read_six_numbers(input, numbers);

    /* ebx runs 1..5 in the disassembly: numbers[ebx] is compared with numbers[ebx-1] + 5 */
    for (ii = 1; ii < 6; ii++) {
        if (numbers[ii] != numbers[ii-1] + 5)
            explode_bomb();
    }
}

I've gotta defuse 4 more phases after this so I'd appreciate any hints to get this done.  Thanks in advance!!
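To check the reading of the two addressing modes in the loop, here is an added C emulation of phase_2's check; it is not code from the original post or from the bomb lab itself. It assumes the format string at 0x8052372 is six %d conversions, which the six pushed addresses and the cmp $0x5,%eax after the call suggest, and it maps each disp(%ebp,%ebx,4) operand back to an index into the six-number array.

```c
#include <stdio.h>

/* Frame layout recovered from the disassembly: after "sub $0x2c,%esp" the
 * six-int array handed to read_six_numbers starts at ebp-0x28 (lea -0x28(%ebp)). */
#define NUMBERS_BASE (-0x28)

/* Map an operand of the form disp(%ebp,%ebx,4) to an index into numbers[].
 * -0x2c(%ebp,%ebx,4) is numbers[ebx-1]; -0x28(%ebp,%ebx,4) is numbers[ebx]. */
int index_for(int disp, int ebx)
{
    return (disp + 4 * ebx - NUMBERS_BASE) / 4;
}

/* Mirror of read_six_numbers: returns 1 when at least six ints were parsed
 * (cmp $0x5,%eax ; jg), 0 where the original would call explode_bomb.
 * Assumption: the format string at 0x8052372 is "%d %d %d %d %d %d". */
int read_six_numbers_ok(const char *input, int numbers[6])
{
    int n = sscanf(input, "%d %d %d %d %d %d",
                   &numbers[0], &numbers[1], &numbers[2],
                   &numbers[3], &numbers[4], &numbers[5]);
    return n > 5;
}

/* Emulates phase_2: returns 1 if the line defuses the phase, 0 if the bomb
 * would explode. The loop follows the register usage of the disassembly. */
int phase_2_check(const char *input)
{
    int numbers[6];
    if (!read_six_numbers_ok(input, numbers))
        return 0;                                   /* explode_bomb in read_six_numbers */
    for (int ebx = 1; ebx <= 5; ebx++) {            /* inc %ebx ; cmp $0x5,%ebx ; jle */
        int eax = numbers[index_for(-0x2c, ebx)];   /* mov -0x2c(%ebp,%ebx,4),%eax */
        eax += 5;                                   /* add $0x5,%eax */
        if (numbers[index_for(-0x28, ebx)] != eax)  /* cmp %eax,-0x28(%ebp,%ebx,4) ; je */
            return 0;                               /* explode_bomb */
    }
    return 1;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real bomb. */
    const char *lines[] = { "0 5 10 15 20 25", "-3 2 7 12 17 22", "1 2 3 4 5 6", "0 5 10" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-18s -> %s\n", lines[i], phase_2_check(lines[i]) ? "defused" : "BOOM");
    return 0;
}
```

Note that the first number is never compared against anything, so any starting value works as long as the five that follow each add 5.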
Question by:errang

20 Comments
Expert Comment

by:Infinity08
ID: 24239345

Author Comment

by:errang
ID: 24239461
well... not to sound mouthy or anything... but you didn't give me the answer to #1... and that's not making #2 much easier... lol =(

Author Comment

by:errang
ID: 24239490
and... phase 2 isn't anything like phase 1... was it?

dunno... guess I'm more of a visual learner, I was never much of a do it yourself guy... =(
Expert Comment

by:Infinity08
ID: 24239646
>> and... phase 2 isn't anything like phase 1... was it?

In the sense that phase 1 was about finding the right string, and phase 2 is about finding the right 6 integers, they're different. In all other ways, they're pretty much the same. There are only two more concepts added : arithmetic and loops. That's all.


>> but you didn't give me the answer to #1... and that's not making #2 much easier... lol =(

If you understood 100% how phase 1 works, phase 2 shouldn't be difficult at all. But you found the answer to phase 1 by guessing basically - If my memory serves me right, you did a strings on the executable, and tried out the different strings you found until one worked, right ?

Anyway, I assure you phase 2 is not hard ... You just have to concentrate for a while - don't let yourself be distracted by other projects. Don't depend on me for being there at every turn pointing you in the right direction. Investigate things on your own, try out different theories you might have, etc.

Do you keep track of what's on the stack at all times ? If not, that might help you too.

Author Comment

by:errang
ID: 24242900
>If my memory serves me right, you did a strings on the executable, and tried out the different strings you found until one worked, right ?

Yeah... but I did do it your way before moving onto phase 2.

Expert Comment

by:Infinity08
ID: 24243344
So, what's the progress ?

Author Comment

by:errang
ID: 24243400
pretty much where I was at 12:30 am last night...

>> Anyway, I assure you phase 2 is not hard

I suppose that's what they mean by relativity... what may seem unfathomable to the student, may seem like child's play to the teacher.. lol

Expert Comment

by:Infinity08
ID: 24243452
Could be. But still ...

So, let's continue where we left off then : Which values do the two addresses refer to ? Which two values are being compared ?

Author Comment

by:errang
ID: 24244131
/sigh... lol

eax refers to the values the user input? It's eax because of the line:

mov    0xffffffd4(%ebp,%ebx,4),%eax

and it's getting compared to 0xffffffd8(%ebp,%ebx,4) in line:

cmp    %eax,0xffffffd8(%ebp,%ebx,4)

It needs to pass this compare in order to jump over the explode bomb phase...

Expert Comment

by:Infinity08
ID: 24244926
Yes, but which values do the addresses 0xffffffd4(%ebp,%ebx,4) and 0xffffffd8(%ebp,%ebx,4) refer to ?

Author Comment

by:errang
ID: 24245628
one of them must refer to user input and one of them must refer to the expected value... I'm not sure which refers to which.

Expert Comment

by:Infinity08
ID: 24245796
I already told you that there's no pre-determined array or anything like that.

What's the base address of the array of 6 numbers that the read_six_numbers function filled ?

Author Comment

by:errang
ID: 24245978
Yeah, I said expected value... I thought you said the value changes depending on what the user typed?

Expert Comment

by:Infinity08
ID: 24246072
You lost me. What value are you talking about ?

Author Comment

by:errang
ID: 24246529
the password... It's dependent on what the user types... Right?

Is the password dependent on the first number the user types?

Is it an arithmetic sequence where each number is +5 of the previous number?

Author Comment

by:errang
ID: 24247157
Ok... got past phase_2 (FINALLY!!!!)

I got it when a friend of mine told me to pay attention to the add $0x5, %eax line...

Any chance you can help me out with a few more of the phases? lol

Accepted Solution

by:
Infinity08 earned 2000 total points
ID: 24247934
>> Is it an arithmetic sequence where each number is +5 of the previous number?

You're getting there :)


>> Ok... got past phase_2 (FINALLY!!!!)

Good !


>> Any chance you can help me out with a few more of the phases? lol

Sure. Let's keep the different phases separated in separate questions this time though, because the first question was getting to be really long lol.

So, for phase 3 we'd continue here :

        http://www.experts-exchange.com/Programming/Languages/Assembly/Q_24355832.html

ok ?

Author Comment

by:errang
ID: 24247937
sounds great!

I'll see you there then =)

Expert Comment

by:Infinity08
ID: 24247959
I have to step out for a short while, but then I'll get back to you for phase 3 ... give it a go in the meantime, using the knowledge you gained from solving the first two. See if you can get anywhere. In my experience with this kind of question on EE, once people have solved the first two, the other ones go a lot easier.

Author Comment

by:errang
ID: 24247964
lol, kk, I just posted what I think it's supposed to be.