txthrizzle
asked on
binary bomb phase_3 stuck..
I'm stuck and don't know a good place to start.. on defusing the 3rd phase.. we got through 1-2 ok.. but I'm just blah on where to go from here.. I set a breakpoint before explode_bomb.. and I disassembled the phase_3.. but don't know where to go from here...
Any help on direction on where to start would be great.. also if there is a webpage which says what "jg" or "cmp" or "mov" or "je" stands for would be great too! Thank you!
0x08048de4 <phase_3+0>: push %ebp
0x08048de5 <phase_3+1>: mov %esp,%ebp
0x08048de7 <phase_3+3>: sub $0x28,%esp
0x08048dea <phase_3+6>: lea -0x8(%ebp),%eax
0x08048ded <phase_3+9>: mov %eax,0xc(%esp)
0x08048df1 <phase_3+13>: lea -0x4(%ebp),%eax
0x08048df4 <phase_3+16>: mov %eax,0x8(%esp)
0x08048df8 <phase_3+20>: movl $0x8049ba5,0x4(%esp)
0x08048e00 <phase_3+28>: mov 0x8(%ebp),%eax
0x08048e03 <phase_3+31>: mov %eax,(%esp)
0x08048e06 <phase_3+34>: call 0x80489d4 <sscanf@plt>
0x08048e0b <phase_3+39>: cmp $0x1,%eax
0x08048e0e <phase_3+42>: jg 0x8048e15 <phase_3+49>
0x08048e10 <phase_3+44>: call 0x8049301 <explode_bomb>
0x08048e15 <phase_3+49>: cmpl $0x7,-0x4(%ebp)
0x08048e19 <phase_3+53>: ja 0x8048e8a <phase_3+166>
0x08048e1b <phase_3+55>: mov -0x4(%ebp),%eax
0x08048e1e <phase_3+58>: xchg %ax,%ax
0x08048e20 <phase_3+60>: jmp *0x80499c0(,%eax,4)
0x08048e27 <phase_3+67>: mov $0x0,%eax
0x08048e2c <phase_3+72>: lea 0x0(%esi,%eiz,1),%esi
0x08048e30 <phase_3+76>: jmp 0x8048e83 <phase_3+159>
0x08048e32 <phase_3+78>: mov $0x0,%eax
0x08048e37 <phase_3+83>: jmp 0x8048e7e <phase_3+154>
0x08048e39 <phase_3+85>: mov $0x0,%eax
0x08048e3e <phase_3+90>: xchg %ax,%ax
0x08048e40 <phase_3+92>: jmp 0x8048e79 <phase_3+149>
0x08048e42 <phase_3+94>: mov $0x0,%eax
0x08048e47 <phase_3+99>: jmp 0x8048e76 <phase_3+146>
0x08048e49 <phase_3+101>: mov $0x0,%eax
0x08048e4e <phase_3+106>: xchg %ax,%ax
0x08048e50 <phase_3+108>: jmp 0x8048e71 <phase_3+141>
0x08048e52 <phase_3+110>: mov $0x0,%eax
0x08048e57 <phase_3+115>: jmp 0x8048e6c <phase_3+136>
0x08048e59 <phase_3+117>: mov $0x1a3,%eax
0x08048e5e <phase_3+122>: xchg %ax,%ax
0x08048e60 <phase_3+124>: jmp 0x8048e67 <phase_3+131>
0x08048e62 <phase_3+126>: mov $0x0,%eax
0x08048e67 <phase_3+131>: sub $0x2a2,%eax
0x08048e6c <phase_3+136>: add $0x39f,%eax
0x08048e71 <phase_3+141>: sub $0x95,%eax
0x08048e76 <phase_3+146>: add $0x39,%eax
0x08048e79 <phase_3+149>: sub $0x169,%eax
0x08048e7e <phase_3+154>: add $0x169,%eax
0x08048e83 <phase_3+159>: sub $0x128,%eax
0x08048e88 <phase_3+164>: jmp 0x8048e94 <phase_3+176>
0x08048e8a <phase_3+166>: call 0x8049301 <explode_bomb>
0x08048e8f <phase_3+171>: mov $0x0,%eax
0x08048e94 <phase_3+176>: cmpl $0x5,-0x4(%ebp)
0x08048e98 <phase_3+180>: jg 0x8048e9f <phase_3+187>
0x08048e9a <phase_3+182>: cmp -0x8(%ebp),%eax
0x08048e9d <phase_3+185>: je 0x8048ea5 <phase_3+193>
0x08048e9f <phase_3+187>: nop
0x08048ea0 <phase_3+188>: call 0x8049301 <explode_bomb>
0x08048ea5 <phase_3+193>: leave
0x08048ea6 <phase_3+194>: ret
End of assembler dump.
>> any help on direction on where to start would be great..
First figure out what is happening. What kind of input does the code expect? (Check the sscanf call.) What does it do with that input? For which input will the bomb not explode?
>> also if there is a webpage which says what "jg" or "cmp" or "mov" or "je" stands for would be great too! thank you!
You can always use this code table:
http://www.jegerlehner.ch/intel/
which is a nice overview of the x86 instructions.
Hm... I'm no expert... and I'm sure Infinity will correct me if I'm wrong...
If I may put in my 2 cents... I think the answer is in these 2 lines:
0x08048e15 <phase_3+49>: cmpl $0x7,-0x4(%ebp)
0x08048e83 <phase_3+159>: sub $0x128,%eax
errang, do you mean that the other instructions are irrelevant? The answer can be found by understanding ALL of the code, not just a few instructions. There is something very specific that is happening, and you need to figure out what. Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
>> Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
That's easy for you to say :)
BTW, I'm following this and hoping to learn more about these bombs. I find them fascinating :)
>> >> Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
>> That's easy for you to say :)
I did say "Once you've figured it out" ;) The figuring out part is not necessarily easy ... But once you have, the correct input data is obvious.
>> errang, do you mean that the other instructions are irrelevant? The answer can be found by understanding ALL of the code, not just a few instructions. There is something very specific that is happening, and you need to figure out what. Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
True... lol, I'm just trying out my hand to see if I really did learn what I was supposed to learn from doing it, that's all =)
ASKER
I started making my way down and figured out that the input required is %d %d.
I'm lost on where to go from now..
(gdb) b *0x08048e0b
Breakpoint 3 at 0x8048e0b
(gdb) c
Continuing.
Breakpoint 3, 0x08048e0b in phase_3 ()
(gdb) x/a $ebp+8
0xbffff820: 0x804a920 <input_strings+160>
(gdb) x/s 0x804a920
0x804a920 <input_strings+160>: "3 6"
(gdb) x/s 0x8049ba5
0x8049ba5: "%d %d"
(gdb) x/d $ebp-4
0xbffff814: 3
(gdb) x/c $ebp-5
0xbffff813: 0 '\0'
(gdb) x/d $ebp-0xc
0xbffff80c: 108
(gdb) b *0x08048e20
Breakpoint 4 at 0x8048e20
(gdb) c
Continuing.
Breakpoint 4, 0x08048e20 in phase_3 ()
(gdb) x/8x 0x80499c0
0x80499c0: 0x59 0x8e 0x04 0x08 0x62 0x8e 0x04 0x08
(gdb) x/8a 0x80499c0
0x80499c0: 0x8048e59 <phase_3+117> 0x8048e62 <phase_3+126> 0x8048e52 <phase_3+110> 0x8048e49 <phase_3+101>
0x80499d0: 0x8048e42 <phase_3+94> 0x8048e39 <phase_3+85> 0x8048e32 <phase_3+78> 0x8048e27 <phase_3+67>
(gdb) si
0x08048e49 in phase_3 ()
You should try writing down what each instruction means in C.. that's what Infinity told me when he was helping me out =)
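The C rendering that advice points at, as an added example: this is not code from the thread or from the bomb itself, but a reconstruction of the phase_3 disassembly posted above, with the case order taken from the x/8a 0x80499c0 jump-table dump in the gdb session. The names phase_3_value, phase_3_passes, a and b are chosen here; the constants are the immediates in the listing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added example (not the bomb's code): phase_3 from the disassembly above,
 * rewritten in C. The jump-table order comes from the "x/8a 0x80499c0" dump
 * in the gdb session (slot 0 -> phase_3+117, slot 1 -> +126, ..., slot 7 ->
 * +67). The names phase_3_value, phase_3_passes, a and b are chosen here;
 * the immediates are the ones in the listing. */

/* The dispatch at phase_3+60: jmp *0x80499c0(,%eax,4). Each target loads
 * eax and then jumps into the add/sub chain at +131..+159, so a smaller
 * index runs through more of the chain. That is a switch whose cases fall
 * through; only case 0 starts from a non-zero eax (0x1a3). */
static int phase_3_value(unsigned int a)
{
    int eax = 0;
    switch (a) {
    case 0: eax = 0x1a3;     /* +117: mov $0x1a3,%eax, then jmp +131 */
            /* fall through */
    case 1: eax -= 0x2a2;    /* +131 */
            /* fall through */
    case 2: eax += 0x39f;    /* +136 */
            /* fall through */
    case 3: eax -= 0x95;     /* +141 */
            /* fall through */
    case 4: eax += 0x39;     /* +146 */
            /* fall through */
    case 5: eax -= 0x169;    /* +149 */
            /* fall through */
    case 6: eax += 0x169;    /* +154 */
            /* fall through */
    case 7: eax -= 0x128;    /* +159 */
            break;
    default:                 /* unreachable: +53 "ja explode_bomb" rejects a > 7 */
            break;
    }
    return eax;
}

/* phase_3 from the sscanf call to ret. Returns true when the bomb would
 * not explode for this input line. */
static bool phase_3_passes(const char *line)
{
    int a = 0, b = 0;
    if (sscanf(line, "%d %d", &a, &b) <= 1)   /* +39: cmp $0x1,%eax ; jg, else explode */
        return false;
    if ((unsigned int)a > 7)                  /* +49: cmpl $0x7 ; ja is an unsigned compare */
        return false;
    int eax = phase_3_value((unsigned int)a);
    if (a > 5)                                /* +176: cmpl $0x5 ; jg is a signed compare */
        return false;
    return eax == b;                          /* +182: cmp -0x8(%ebp),%eax ; je -> leave/ret */
}

int main(void)
{
    /* Print the second number each surviving first number needs, and check
     * the "3 6" line from the gdb session above (a constructed run). */
    for (unsigned int a = 0; a <= 5; a++)
        printf("%u %d\n", a, phase_3_value(a));
    printf("\"3 6\" passes: %s\n", phase_3_passes("3 6") ? "yes" : "no");
    return 0;
}
```

A cross-check against the gdb session above: with "3 6" as input, si from the jmp at 0x08048e20 landed at 0x08048e49 <phase_3+101>, which is slot 3 of the table and case 3 here; the value the chain produces for that slot is then compared with the second number at -0x8(%ebp).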
>> and figured out that the input required is %d %d.
Good :) Do you see where these two integer values are placed in memory? (On the stack.)
I see that in your gdb session you found one of them ... Where's the other one?
ASKER
0x4 and 0x8?? Are those where they are found??
ASKER
Completed the phase!! Thanks everyone for the help!!!