binary bomb phase_3 stuck..

I'm stuck and don't know a good place to start.. on diffusing the 3rd phase.. we got through 1-2 ok.. but im just blah on where to go from here.. i set a breakpoint before explode_bomb.. and i disassembled the phase_3.. but dont know where to go from here...

any help on direction on where to start would be great.. also if there is a webpage which says what "jg" or "cmp" or mov" or "je" stands for would be great too! thank you!
0x08048de4 <phase_3+0>: push   %ebp
0x08048de5 <phase_3+1>: mov    %esp,%ebp
0x08048de7 <phase_3+3>: sub    $0x28,%esp
0x08048dea <phase_3+6>: lea    -0x8(%ebp),%eax
0x08048ded <phase_3+9>: mov    %eax,0xc(%esp)
0x08048df1 <phase_3+13>:        lea    -0x4(%ebp),%eax
0x08048df4 <phase_3+16>:        mov    %eax,0x8(%esp)
0x08048df8 <phase_3+20>:        movl   $0x8049ba5,0x4(%esp)
0x08048e00 <phase_3+28>:        mov    0x8(%ebp),%eax
0x08048e03 <phase_3+31>:        mov    %eax,(%esp)
0x08048e06 <phase_3+34>:        call   0x80489d4 <sscanf@plt>
0x08048e0b <phase_3+39>:        cmp    $0x1,%eax
0x08048e0e <phase_3+42>:        jg     0x8048e15 <phase_3+49>
0x08048e10 <phase_3+44>:        call   0x8049301 <explode_bomb>
0x08048e15 <phase_3+49>:        cmpl   $0x7,-0x4(%ebp)
0x08048e19 <phase_3+53>:        ja     0x8048e8a <phase_3+166>
0x08048e1b <phase_3+55>:        mov    -0x4(%ebp),%eax
0x08048e1e <phase_3+58>:        xchg   %ax,%ax
0x08048e20 <phase_3+60>:        jmp    *0x80499c0(,%eax,4)
0x08048e27 <phase_3+67>:        mov    $0x0,%eax
0x08048e2c <phase_3+72>:        lea    0x0(%esi,%eiz,1),%esi
0x08048e30 <phase_3+76>:        jmp    0x8048e83 <phase_3+159>
---Type <return> to continue, or q <return> to quit---
0x08048e32 <phase_3+78>:        mov    $0x0,%eax
0x08048e37 <phase_3+83>:        jmp    0x8048e7e <phase_3+154>
0x08048e39 <phase_3+85>:        mov    $0x0,%eax
0x08048e3e <phase_3+90>:        xchg   %ax,%ax
0x08048e40 <phase_3+92>:        jmp    0x8048e79 <phase_3+149>
0x08048e42 <phase_3+94>:        mov    $0x0,%eax
0x08048e47 <phase_3+99>:        jmp    0x8048e76 <phase_3+146>
0x08048e49 <phase_3+101>:       mov    $0x0,%eax
0x08048e4e <phase_3+106>:       xchg   %ax,%ax
0x08048e50 <phase_3+108>:       jmp    0x8048e71 <phase_3+141>
0x08048e52 <phase_3+110>:       mov    $0x0,%eax
0x08048e57 <phase_3+115>:       jmp    0x8048e6c <phase_3+136>
0x08048e59 <phase_3+117>:       mov    $0x1a3,%eax
0x08048e5e <phase_3+122>:       xchg   %ax,%ax
0x08048e60 <phase_3+124>:       jmp    0x8048e67 <phase_3+131>
0x08048e62 <phase_3+126>:       mov    $0x0,%eax
0x08048e67 <phase_3+131>:       sub    $0x2a2,%eax
0x08048e6c <phase_3+136>:       add    $0x39f,%eax
0x08048e71 <phase_3+141>:       sub    $0x95,%eax
0x08048e76 <phase_3+146>:       add    $0x39,%eax
0x08048e79 <phase_3+149>:       sub    $0x169,%eax
0x08048e7e <phase_3+154>:       add    $0x169,%eax
0x08048e83 <phase_3+159>:       sub    $0x128,%eax
---Type <return> to continue, or q <return> to quit---
0x08048e88 <phase_3+164>:       jmp    0x8048e94 <phase_3+176>
0x08048e8a <phase_3+166>:       call   0x8049301 <explode_bomb>
0x08048e8f <phase_3+171>:       mov    $0x0,%eax
0x08048e94 <phase_3+176>:       cmpl   $0x5,-0x4(%ebp)
0x08048e98 <phase_3+180>:       jg     0x8048e9f <phase_3+187>
0x08048e9a <phase_3+182>:       cmp    -0x8(%ebp),%eax
0x08048e9d <phase_3+185>:       je     0x8048ea5 <phase_3+193>
0x08048e9f <phase_3+187>:       nop
0x08048ea0 <phase_3+188>:       call   0x8049301 <explode_bomb>
0x08048ea5 <phase_3+193>:       leave
0x08048ea6 <phase_3+194>:       ret
End of assembler dump.

Open in new window

txthrizzleAsked:
Who is Participating?
 
Infinity08Connect With a Mentor Commented:
>> 0x4 and 0x8?? are those where they are found??

Those are not addresses - they're just values. But you are on the right track. These are the instructions of interest :

>> 0x08048dea <phase_3+6>: lea    -0x8(%ebp),%eax
>> 0x08048ded <phase_3+9>: mov    %eax,0xc(%esp)
>> 0x08048df1 <phase_3+13>:        lea    -0x4(%ebp),%eax
>> 0x08048df4 <phase_3+16>:        mov    %eax,0x8(%esp)

You succesfully showed one of the values in your gdb session ... Which address did you use for it ? What's the address of the other value ?
0
 
txthrizzleAuthor Commented:
Thank you.
0
 
Infinity08Commented:
>> any help on direction on where to start would be great..

First figure out what is happening. What kind of input does the code expect ? (check the sscanf call) What does it do with that input. For which input will the bomb not explode ?


>> also if there is a webpage which says what "jg" or "cmp" or mov" or "je" stands for would be great too! thank you!

You can always use this code table :

        http://www.jegerlehner.ch/intel/

which is a nice overview of the x86 instructions.
0
Get expert help—faster!

Need expert help—fast? Use the Help Bell for personalized assistance getting answers to your important questions.

 
errangCommented:
Hm... I'm no expert... and I'm sure Infinity will correct me if I'm wrong...

If I may put in my 2 cents... I think the answer is in these 2 lines:

0x08048e15 <phase_3+49>:        cmpl   $0x7,-0x4(%ebp)

0x08048e83 <phase_3+159>:       sub    $0x128,%eax
0
 
Infinity08Commented:
errang, do you mean that the other instructions are irrelevant ? The answer can be found by understanding ALL of the code, not just a few instructions. There is something very specific that is happening, and you need to figure out what. Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
0
 
evilrixSenior Software Engineer (Avast)Commented:
>> Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
Thats easy for you to say :)

BTW, I'm following this and hoping to learn more about these bombs. I find them fascinating:)
0
 
Infinity08Commented:
>> >> Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
>> Thats easy for you to say :)

I did say "Once you've figured it out" ;) The figuring out part is not necessarily easy ... But once you have, the correct input data is obvious.
0
 
errangCommented:
>>errang, do you mean that the other instructions are irrelevant ? The answer can be found by understanding ALL of the code, not just a few instructions. There is something very specific that is happening, and you need to figure out what. Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.

True... lol, I'm just trying out my hand to see if I really did learn what I was supposed to learn from doing it , that's all =)
0
 
txthrizzleAuthor Commented:
I started making my way down and figured out that the input required is %d %d.
I'm lost from whre to go from now..
(gdb) b *0x08048e0b
Breakpoint 3 at 0x8048e0b
(gdb) c
Continuing.
 
Breakpoint 3, 0x08048e0b in phase_3 ()
(gdb) x/a $ebp+8
0xbffff820:     0x804a920 <input_strings+160>
(gdb) x/s 0x804a920
0x804a920 <input_strings+160>:   "3 6"
(gdb) x/s 0x8049ba5
0x8049ba5:       "%d %d"
(gdb) x/d $ebp-4
0xbffff814:     3
(gdb) x/c $ebp-5
0xbffff813:     0 '\0'
(gdb) x/d $ebp-0xc
0xbffff80c:     108
(gdb) b *0x08048e20
Breakpoint 4 at 0x8048e20
(gdb) c
Continuing.
 
Breakpoint 4, 0x08048e20 in phase_3 ()
(gdb) x/8x 0x80499c0
0x80499c0:      0x59    0x8e    0x04    0x08    0x62    0x8e    0x04    0x08
(gdb) x/8a 0x80499c0
0x80499c0:      0x8048e59 <phase_3+117> 0x8048e62 <phase_3+126> 0x8048e52 <phase_3+110> 0x8048e49 <phase_3+101>
0x80499d0:      0x8048e42 <phase_3+94>  0x8048e39 <phase_3+85>  0x8048e32 <phase_3+78>  0x8048e27 <phase_3+67>
(gdb) si
0x08048e49 in phase_3 ()

Open in new window

0
 
errangCommented:
you should try writing down what each instruction means in C.. that's what infinity told me when he was helping me out =)
0
 
Infinity08Commented:
>> and figured out that the input required is %d %d.

Good :) Do you see where these two integer values are placed in memory ? (on the stack)

I see that in your gdb session you found one of them ... Where's the other one ?
0
 
txthrizzleAuthor Commented:
0x4 and 0x8?? are those where they are found??
0
 
txthrizzleAuthor Commented:
completed the phase!! thanks everyone for the help!!!
0
All Courses

From novice to tech pro — start learning today.