
Solved

binary bomb phase_3 stuck..

Posted on 2009-05-13
2,378 Views
Last Modified: 2012-05-06
I'm stuck and don't know a good place to start on defusing the 3rd phase. We got through 1-2 OK, but I'm just blah on where to go from here. I set a breakpoint before explode_bomb and I disassembled phase_3, but I don't know where to go from here...

Any help on direction on where to start would be great. Also, if there is a webpage which says what "jg" or "cmp" or "mov" or "je" stands for, that would be great too! Thank you!

0x08048de4 <phase_3+0>: push   %ebp
0x08048de5 <phase_3+1>: mov    %esp,%ebp
0x08048de7 <phase_3+3>: sub    $0x28,%esp
0x08048dea <phase_3+6>: lea    -0x8(%ebp),%eax
0x08048ded <phase_3+9>: mov    %eax,0xc(%esp)
0x08048df1 <phase_3+13>:        lea    -0x4(%ebp),%eax
0x08048df4 <phase_3+16>:        mov    %eax,0x8(%esp)
0x08048df8 <phase_3+20>:        movl   $0x8049ba5,0x4(%esp)
0x08048e00 <phase_3+28>:        mov    0x8(%ebp),%eax
0x08048e03 <phase_3+31>:        mov    %eax,(%esp)
0x08048e06 <phase_3+34>:        call   0x80489d4 <sscanf@plt>
0x08048e0b <phase_3+39>:        cmp    $0x1,%eax
0x08048e0e <phase_3+42>:        jg     0x8048e15 <phase_3+49>
0x08048e10 <phase_3+44>:        call   0x8049301 <explode_bomb>
0x08048e15 <phase_3+49>:        cmpl   $0x7,-0x4(%ebp)
0x08048e19 <phase_3+53>:        ja     0x8048e8a <phase_3+166>
0x08048e1b <phase_3+55>:        mov    -0x4(%ebp),%eax
0x08048e1e <phase_3+58>:        xchg   %ax,%ax
0x08048e20 <phase_3+60>:        jmp    *0x80499c0(,%eax,4)
0x08048e27 <phase_3+67>:        mov    $0x0,%eax
0x08048e2c <phase_3+72>:        lea    0x0(%esi,%eiz,1),%esi
0x08048e30 <phase_3+76>:        jmp    0x8048e83 <phase_3+159>
0x08048e32 <phase_3+78>:        mov    $0x0,%eax
0x08048e37 <phase_3+83>:        jmp    0x8048e7e <phase_3+154>
0x08048e39 <phase_3+85>:        mov    $0x0,%eax
0x08048e3e <phase_3+90>:        xchg   %ax,%ax
0x08048e40 <phase_3+92>:        jmp    0x8048e79 <phase_3+149>
0x08048e42 <phase_3+94>:        mov    $0x0,%eax
0x08048e47 <phase_3+99>:        jmp    0x8048e76 <phase_3+146>
0x08048e49 <phase_3+101>:       mov    $0x0,%eax
0x08048e4e <phase_3+106>:       xchg   %ax,%ax
0x08048e50 <phase_3+108>:       jmp    0x8048e71 <phase_3+141>
0x08048e52 <phase_3+110>:       mov    $0x0,%eax
0x08048e57 <phase_3+115>:       jmp    0x8048e6c <phase_3+136>
0x08048e59 <phase_3+117>:       mov    $0x1a3,%eax
0x08048e5e <phase_3+122>:       xchg   %ax,%ax
0x08048e60 <phase_3+124>:       jmp    0x8048e67 <phase_3+131>
0x08048e62 <phase_3+126>:       mov    $0x0,%eax
0x08048e67 <phase_3+131>:       sub    $0x2a2,%eax
0x08048e6c <phase_3+136>:       add    $0x39f,%eax
0x08048e71 <phase_3+141>:       sub    $0x95,%eax
0x08048e76 <phase_3+146>:       add    $0x39,%eax
0x08048e79 <phase_3+149>:       sub    $0x169,%eax
0x08048e7e <phase_3+154>:       add    $0x169,%eax
0x08048e83 <phase_3+159>:       sub    $0x128,%eax
0x08048e88 <phase_3+164>:       jmp    0x8048e94 <phase_3+176>
0x08048e8a <phase_3+166>:       call   0x8049301 <explode_bomb>
0x08048e8f <phase_3+171>:       mov    $0x0,%eax
0x08048e94 <phase_3+176>:       cmpl   $0x5,-0x4(%ebp)
0x08048e98 <phase_3+180>:       jg     0x8048e9f <phase_3+187>
0x08048e9a <phase_3+182>:       cmp    -0x8(%ebp),%eax
0x08048e9d <phase_3+185>:       je     0x8048ea5 <phase_3+193>
0x08048e9f <phase_3+187>:       nop
0x08048ea0 <phase_3+188>:       call   0x8049301 <explode_bomb>
0x08048ea5 <phase_3+193>:       leave
0x08048ea6 <phase_3+194>:       ret
End of assembler dump.

Question by:txthrizzle
14 Comments
 

Author Comment

by:txthrizzle
ID: 24380726
Thank you.
LVL 53

Expert Comment

by:Infinity08
ID: 24382120
>> any help on direction on where to start would be great..

First figure out what is happening. What kind of input does the code expect? (Check the sscanf call.) What does it do with that input? For which input will the bomb not explode?


>> also if there is a webpage which says what "jg" or "cmp" or "mov" or "je" stands for would be great too! thank you!

You can always use this code table:

        http://www.jegerlehner.ch/intel/

which is a nice overview of the x86 instructions.

Expert Comment

by:errang
ID: 24382577
Hm... I'm no expert... and I'm sure Infinity will correct me if I'm wrong...

If I may put in my 2 cents... I think the answer is in these 2 lines:

0x08048e15 <phase_3+49>:        cmpl   $0x7,-0x4(%ebp)

0x08048e83 <phase_3+159>:       sub    $0x128,%eax
LVL 53

Expert Comment

by:Infinity08
ID: 24383292
errang, do you mean that the other instructions are irrelevant? The answer can be found by understanding ALL of the code, not just a few instructions. There is something very specific that is happening, and you need to figure out what. Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
LVL 40

Expert Comment

by:evilrix
ID: 24383380
>> Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
That's easy for you to say :)

BTW, I'm following this and hoping to learn more about these bombs. I find them fascinating:)
LVL 53

Expert Comment

by:Infinity08
ID: 24383401
>> >> Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.
>> That's easy for you to say :)

I did say "Once you've figured it out" ;) The figuring out part is not necessarily easy... But once you have, the correct input data is obvious.

Expert Comment

by:errang
ID: 24386914
>> errang, do you mean that the other instructions are irrelevant? The answer can be found by understanding ALL of the code, not just a few instructions. There is something very specific that is happening, and you need to figure out what. Once you have figured it out, it's very easy to retrieve the correct input data to pass this phase.

True... lol, I'm just trying out my hand to see if I really did learn what I was supposed to learn from doing it, that's all =)

Author Comment

by:txthrizzle
ID: 24399361
I started making my way down and figured out that the input required is %d %d.
I'm lost as to where to go from now...
(gdb) b *0x08048e0b
Breakpoint 3 at 0x8048e0b
(gdb) c
Continuing.
 
Breakpoint 3, 0x08048e0b in phase_3 ()
(gdb) x/a $ebp+8
0xbffff820:     0x804a920 <input_strings+160>
(gdb) x/s 0x804a920
0x804a920 <input_strings+160>:   "3 6"
(gdb) x/s 0x8049ba5
0x8049ba5:       "%d %d"
(gdb) x/d $ebp-4
0xbffff814:     3
(gdb) x/c $ebp-5
0xbffff813:     0 '\0'
(gdb) x/d $ebp-0xc
0xbffff80c:     108
(gdb) b *0x08048e20
Breakpoint 4 at 0x8048e20
(gdb) c
Continuing.
 
Breakpoint 4, 0x08048e20 in phase_3 ()
(gdb) x/8x 0x80499c0
0x80499c0:      0x59    0x8e    0x04    0x08    0x62    0x8e    0x04    0x08
(gdb) x/8a 0x80499c0
0x80499c0:      0x8048e59 <phase_3+117> 0x8048e62 <phase_3+126> 0x8048e52 <phase_3+110> 0x8048e49 <phase_3+101>
0x80499d0:      0x8048e42 <phase_3+94>  0x8048e39 <phase_3+85>  0x8048e32 <phase_3+78>  0x8048e27 <phase_3+67>
(gdb) si
0x08048e49 in phase_3 ()


Expert Comment

by:errang
ID: 24399908
You should try writing down what each instruction means in C. That's what Infinity told me when he was helping me out =)
LVL 53

Expert Comment

by:Infinity08
ID: 24399970
>> and figured out that the input required is %d %d.

Good :) Do you see where these two integer values are placed in memory? (On the stack.)

I see that in your gdb session you found one of them ... Where's the other one ?

Author Comment

by:txthrizzle
ID: 24400064
0x4 and 0x8? Are those where they are found?
LVL 53

Accepted Solution

by: Infinity08 (earned 2000 total points)
ID: 24400187
>> 0x4 and 0x8?? are those where they are found??

Those are not addresses - they're just values. But you are on the right track. These are the instructions of interest:

>> 0x08048dea <phase_3+6>: lea    -0x8(%ebp),%eax
>> 0x08048ded <phase_3+9>: mov    %eax,0xc(%esp)
>> 0x08048df1 <phase_3+13>:        lea    -0x4(%ebp),%eax
>> 0x08048df4 <phase_3+16>:        mov    %eax,0x8(%esp)

You successfully showed one of the values in your gdb session... Which address did you use for it? What's the address of the other value?
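
Working through the hints in the accepted answer, as an added example that is not part of the original thread: the two sscanf targets are -0x4(%ebp) (the first integer, passed at 0x8(%esp)) and -0x8(%ebp) (the second, passed at 0xc(%esp)); the first integer indexes the jump table at 0x80499c0, and every table target is an entry point into one fall-through chain of add/sub instructions, so the whole phase is a C switch without break statements. The program below re-expresses the posted disassembly in C using only the constants, offsets and table entries visible in the listing above, and then enumerates the (first, second) pairs the two final checks accept. A different bomb binary has different constants and a different table, so treat it as a template to rebuild from your own dump, not as numbers to reuse.

```c
/*
 * Added example, not code from the thread: phase_3 of the posted bomb
 * rewritten in C from the disassembly in the question.  Every constant,
 * stack offset and jump-table target comes from that listing; another
 * bomb binary has different values, so rebuild this from your own dump.
 */
#include <stdio.h>

/*
 * Mirrors phase_3+60 .. phase_3+164.  The indirect jmp through the table at
 * 0x80499c0 sends the first integer to one of eight entry points in a single
 * chain of add/sub instructions, and each entry falls through the rest of
 * the chain: a C switch without break statements.  Only the table entry for
 * 0 (phase_3+117) loads a non-zero starting value; the xchg %ax,%ax and
 * lea 0x0(%esi,%eiz,1),%esi instructions in between are alignment padding.
 * The caller must already have checked first <= 7 (the ja at phase_3+53).
 */
int phase3_value(unsigned int first)
{
    int eax = 0;
    switch (first) {
    case 0: eax = 0x1a3;   /* phase_3+117, then jmp to +131 */
            /* fall through */
    case 1: eax -= 0x2a2;  /* phase_3+131 */
            /* fall through */
    case 2: eax += 0x39f;  /* phase_3+136 */
            /* fall through */
    case 3: eax -= 0x95;   /* phase_3+141 */
            /* fall through */
    case 4: eax += 0x39;   /* phase_3+146 */
            /* fall through */
    case 5: eax -= 0x169;  /* phase_3+149 */
            /* fall through */
    case 6: eax += 0x169;  /* phase_3+154 */
            /* fall through */
    case 7: eax -= 0x128;  /* phase_3+159 */
            break;
    default:               /* unreachable once the range check has run */
            break;
    }
    return eax;
}

/*
 * Mirrors the whole function: returns 1 if this input line would defuse
 * the phase and 0 if it would reach explode_bomb.
 */
int phase3_accepts(const char *line)
{
    int first;   /* -0x4(%ebp): third argument to sscanf (0x8(%esp))  */
    int second;  /* -0x8(%ebp): fourth argument to sscanf (0xc(%esp)) */

    /* phase_3+39..+44: cmp $0x1,%eax / jg means sscanf must return 2 or
       more, i.e. both integers have to parse */
    if (sscanf(line, "%d %d", &first, &second) <= 1)
        return 0;

    /* phase_3+49: cmpl $0x7 followed by ja is an UNSIGNED compare, so a
       negative first integer becomes a huge index and explodes the bomb */
    if ((unsigned int)first > 7)
        return 0;

    int eax = phase3_value((unsigned int)first);

    /* phase_3+176: cmpl $0x5 followed by jg is a SIGNED compare; 6 and 7
       survive the jump table but are rejected here */
    if (first > 5)
        return 0;

    /* phase_3+182: cmp -0x8(%ebp),%eax / je: second must equal the result */
    return eax == second;
}

/* Fills second[i] with the only second integer accepted for first == i,
   for i in 0..5, and returns how many pairs were written. */
int phase3_solutions(int second[6])
{
    int n = 0;
    for (unsigned int first = 0; first <= 5; first++)
        second[n++] = phase3_value(first);
    return n;
}

int main(void)
{
    int second[6];
    int n = phase3_solutions(second);
    for (int i = 0; i < n; i++) {
        char line[32];
        snprintf(line, sizeof line, "%d %d", i, second[i]);
        printf("%-12s -> %s\n", line,
               phase3_accepts(line) ? "defused" : "BOOM");
    }
    /* "3 6" is the input from the poster's gdb session: it explodes */
    printf("%-12s -> %s\n", "3 6",
           phase3_accepts("3 6") ? "defused" : "BOOM");
    return 0;
}
```

Build it with `gcc -std=c99 -Wall phase3.c` (file name assumed). Two details worth checking against your own listing rather than assuming: the range check at phase_3+53 uses ja, an unsigned comparison, so a negative first integer is rejected even though it would be "less than 7" as a signed number, while the final check at phase_3+180 uses jg, a signed one; both are modeled exactly as the bomb does them. To confirm a candidate pair without the model, use the same kind of gdb session as above: break at the cmp at phase_3+182 (`b *0x08048e9a`) and compare `x/d $ebp-8` with `p $eax`.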

Author Comment

by:txthrizzle
ID: 24400843
completed the phase!! thanks everyone for the help!!!
