Solved

binary bomb phase_3 stuck..

Posted on 2009-05-13
Last Modified: 2012-05-06
I'm stuck and don't know a good place to start.. on defusing the 3rd phase.. we got through 1-2 ok.. but I'm just blah on where to go from here.. I set a breakpoint before explode_bomb.. and I disassembled phase_3.. but don't know where to go from here...

any help on direction on where to start would be great.. also if there is a webpage which says what "jg" or "cmp" or "mov" or "je" stands for, that would be great too! thank you!
0x08048de4 <phase_3+0>:    push   %ebp
0x08048de5 <phase_3+1>:    mov    %esp,%ebp
0x08048de7 <phase_3+3>:    sub    $0x28,%esp
0x08048dea <phase_3+6>:    lea    -0x8(%ebp),%eax
0x08048ded <phase_3+9>:    mov    %eax,0xc(%esp)
0x08048df1 <phase_3+13>:   lea    -0x4(%ebp),%eax
0x08048df4 <phase_3+16>:   mov    %eax,0x8(%esp)
0x08048df8 <phase_3+20>:   movl   $0x8049ba5,0x4(%esp)
0x08048e00 <phase_3+28>:   mov    0x8(%ebp),%eax
0x08048e03 <phase_3+31>:   mov    %eax,(%esp)
0x08048e06 <phase_3+34>:   call   0x80489d4 <sscanf@plt>
0x08048e0b <phase_3+39>:   cmp    $0x1,%eax
0x08048e0e <phase_3+42>:   jg     0x8048e15 <phase_3+49>
0x08048e10 <phase_3+44>:   call   0x8049301 <explode_bomb>
0x08048e15 <phase_3+49>:   cmpl   $0x7,-0x4(%ebp)
0x08048e19 <phase_3+53>:   ja     0x8048e8a <phase_3+166>
0x08048e1b <phase_3+55>:   mov    -0x4(%ebp),%eax
0x08048e1e <phase_3+58>:   xchg   %ax,%ax
0x08048e20 <phase_3+60>:   jmp    *0x80499c0(,%eax,4)
0x08048e27 <phase_3+67>:   mov    $0x0,%eax
0x08048e2c <phase_3+72>:   lea    0x0(%esi,%eiz,1),%esi
0x08048e30 <phase_3+76>:   jmp    0x8048e83 <phase_3+159>
0x08048e32 <phase_3+78>:   mov    $0x0,%eax
0x08048e37 <phase_3+83>:   jmp    0x8048e7e <phase_3+154>
0x08048e39 <phase_3+85>:   mov    $0x0,%eax
0x08048e3e <phase_3+90>:   xchg   %ax,%ax
0x08048e40 <phase_3+92>:   jmp    0x8048e79 <phase_3+149>
0x08048e42 <phase_3+94>:   mov    $0x0,%eax
0x08048e47 <phase_3+99>:   jmp    0x8048e76 <phase_3+146>
0x08048e49 <phase_3+101>:  mov    $0x0,%eax
0x08048e4e <phase_3+106>:  xchg   %ax,%ax
0x08048e50 <phase_3+108>:  jmp    0x8048e71 <phase_3+141>
0x08048e52 <phase_3+110>:  mov    $0x0,%eax
0x08048e57 <phase_3+115>:  jmp    0x8048e6c <phase_3+136>
0x08048e59 <phase_3+117>:  mov    $0x1a3,%eax
0x08048e5e <phase_3+122>:  xchg   %ax,%ax
0x08048e60 <phase_3+124>:  jmp    0x8048e67 <phase_3+131>
0x08048e62 <phase_3+126>:  mov    $0x0,%eax
0x08048e67 <phase_3+131>:  sub    $0x2a2,%eax
0x08048e6c <phase_3+136>:  add    $0x39f,%eax
0x08048e71 <phase_3+141>:  sub    $0x95,%eax
0x08048e76 <phase_3+146>:  add    $0x39,%eax
0x08048e79 <phase_3+149>:  sub    $0x169,%eax
0x08048e7e <phase_3+154>:  add    $0x169,%eax
0x08048e83 <phase_3+159>:  sub    $0x128,%eax
0x08048e88 <phase_3+164>:  jmp    0x8048e94 <phase_3+176>
0x08048e8a <phase_3+166>:  call   0x8049301 <explode_bomb>
0x08048e8f <phase_3+171>:  mov    $0x0,%eax
0x08048e94 <phase_3+176>:  cmpl   $0x5,-0x4(%ebp)
0x08048e98 <phase_3+180>:  jg     0x8048e9f <phase_3+187>
0x08048e9a <phase_3+182>:  cmp    -0x8(%ebp),%eax
0x08048e9d <phase_3+185>:  je     0x8048ea5 <phase_3+193>
0x08048e9f <phase_3+187>:  nop
0x08048ea0 <phase_3+188>:  call   0x8049301 <explode_bomb>
0x08048ea5 <phase_3+193>:  leave
0x08048ea6 <phase_3+194>:  ret
End of assembler dump.

Question by:txthrizzle

14 Comments
Author Comment

by:txthrizzle
ID: 24380726
Thank you.

Expert Comment

by:Infinity08
ID: 24382120
>> any help on direction on where to start would be great..

First figure out what is happening. What kind of input does the code expect ? (check the sscanf call) What does it do with that input. For which input will the bomb not explode ?


>> also if there is a webpage which says what "jg" or "cmp" or mov" or "je" stands for would be great too! thank you!

You can always use this code table :

        http://www.jegerlehner.ch/intel/

which is a nice overview of the x86 instructions.

Expert Comment

by:errang
ID: 24382577
Hm... I'm no expert... and I'm sure Infinity will correct me if I'm wrong...

If I may put in my 2 cents... I think the answer is in these 2 lines:

0x08048e15 <phase_3+49>:        cmpl   $0x7,-0x4(%ebp)

0x08048e83 <phase_3+159>:       sub    $0x128,%eax

Expert Comment

by:Infinity08
ID: 24383292
errang, do you mean that the other instructions are irrelevant ? The answer can be found by understanding ALL of the code, not just a few instructions. There is something very specific that is happening, and you need to figure out what. Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.

Expert Comment

by:evilrix
ID: 24383380
>> Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
That's easy for you to say :)

BTW, I'm following this and hoping to learn more about these bombs. I find them fascinating:)

Expert Comment

by:Infinity08
ID: 24383401
>> >> Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
>> Thats easy for you to say :)

I did say "Once you've figured it out" ;) The figuring out part is not necessarily easy ... But once you have, the correct input data is obvious.

Expert Comment

by:errang
ID: 24386914
>>errang, do you mean that the other instructions are irrelevant ? The answer can be found by understanding ALL of the code, not just a few instructions. There is something very specific that is happening, and you need to figure out what. Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.

True... lol, I'm just trying out my hand to see if I really did learn what I was supposed to learn from doing it , that's all =)

Author Comment

by:txthrizzle
ID: 24399361
I started making my way down and figured out that the input required is %d %d.
I'm lost on where to go from now..
(gdb) b *0x08048e0b
Breakpoint 3 at 0x8048e0b
(gdb) c
Continuing.

Breakpoint 3, 0x08048e0b in phase_3 ()
(gdb) x/a $ebp+8
0xbffff820:     0x804a920 <input_strings+160>
(gdb) x/s 0x804a920
0x804a920 <input_strings+160>:   "3 6"
(gdb) x/s 0x8049ba5
0x8049ba5:       "%d %d"
(gdb) x/d $ebp-4
0xbffff814:     3
(gdb) x/c $ebp-5
0xbffff813:     0 '\0'
(gdb) x/d $ebp-0xc
0xbffff80c:     108
(gdb) b *0x08048e20
Breakpoint 4 at 0x8048e20
(gdb) c
Continuing.

Breakpoint 4, 0x08048e20 in phase_3 ()
(gdb) x/8x 0x80499c0
0x80499c0:      0x59    0x8e    0x04    0x08    0x62    0x8e    0x04    0x08
(gdb) x/8a 0x80499c0
0x80499c0:      0x8048e59 <phase_3+117> 0x8048e62 <phase_3+126> 0x8048e52 <phase_3+110> 0x8048e49 <phase_3+101>
0x80499d0:      0x8048e42 <phase_3+94>  0x8048e39 <phase_3+85>  0x8048e32 <phase_3+78>  0x8048e27 <phase_3+67>
(gdb) si
0x08048e49 in phase_3 ()


Expert Comment

by:errang
ID: 24399908
you should try writing down what each instruction means in C.. that's what infinity told me when he was helping me out =)

Expert Comment

by:Infinity08
ID: 24399970
>> and figured out that the input required is %d %d.

Good :) Do you see where these two integer values are placed in memory ? (on the stack)

I see that in your gdb session you found one of them ... Where's the other one ?

Author Comment

by:txthrizzle
ID: 24400064
0x4 and 0x8?? are those where they are found??

Accepted Solution

by:Infinity08 (earned 500 total points)
ID: 24400187
>> 0x4 and 0x8?? are those where they are found??

Those are not addresses - they're just values. But you are on the right track. These are the instructions of interest :

>> 0x08048dea <phase_3+6>: lea    -0x8(%ebp),%eax
>> 0x08048ded <phase_3+9>: mov    %eax,0xc(%esp)
>> 0x08048df1 <phase_3+13>:        lea    -0x4(%ebp),%eax
>> 0x08048df4 <phase_3+16>:        mov    %eax,0x8(%esp)

You successfully showed one of the values in your gdb session ... Which address did you use for it ? What's the address of the other value ?
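errang's advice to write each instruction down in C, applied to the listing in the question: the following is an added C transliteration of the phase_3 disassembly (not the lab's own source and not code from anyone in the thread). The jump-table order comes from the x/8a dump in txthrizzle's gdb session, every constant is an immediate from the listing, and the function and variable names are my own.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added transliteration of the phase_3 listing above; not the lab's source.
 * Returns the value left in %eax at phase_3+176 for a first input of
 * `first` (0..7). Each jump-table entry (x/8a 0x80499c0) enters the same
 * add/sub chain at a different point; only index 0 starts from 0x1a3. */
int phase_3_second_value(unsigned int first)
{
    int eax = 0;
    switch (first) {
    case 0: eax = 0x1a3;  /* +117, then jmp +131 */
        /* fall through */
    case 1: eax -= 0x2a2; /* +126 falls into +131 */
        /* fall through */
    case 2: eax += 0x39f; /* +110 -> +136 */
        /* fall through */
    case 3: eax -= 0x95;  /* +101 -> +141 */
        /* fall through */
    case 4: eax += 0x39;  /* +94  -> +146 */
        /* fall through */
    case 5: eax -= 0x169; /* +85  -> +149 */
        /* fall through */
    case 6: eax += 0x169; /* +78  -> +154 */
        /* fall through */
    case 7: eax -= 0x128; /* +67  -> +159 */
        break;
    default: return 0;    /* +166 calls explode_bomb; value irrelevant */
    }
    return eax;
}

/* The checks around the table: sscanf must return more than 1 (cmp $0x1 /
 * jg), first <= 7 as unsigned (cmpl $0x7 / ja), first <= 5 as signed
 * (cmpl $0x5 / jg), and second must equal %eax (cmp -0x8(%ebp) / je). */
bool phase_3_defuses(const char *input)
{
    int first, second;
    if (sscanf(input, "%d %d", &first, &second) != 2)
        return false;                /* +44: explode_bomb */
    if ((unsigned int)first > 7)
        return false;                /* +166: explode_bomb */
    int eax = phase_3_second_value((unsigned int)first);
    if (first > 5)
        return false;                /* +188: explode_bomb */
    return eax == second;            /* +193: leave / ret */
}
```

With the "3 6" from the gdb session, phase_3_defuses returns false: the table entry for 3 is phase_3+101 (which matches the si result above), and the second number has to equal whatever the chain produces from that entry point.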

Author Comment

by:txthrizzle
ID: 24400843
completed the phase!! thanks everyone for the help!!!