Solved

How do I utilize this array in Binary Bomb Phase 5?

Posted on 2009-05-13
Last Modified: 2012-05-06
I have been struggling with this phase. I seem to be missing something crucial in this code.

I know that this phase requires %d %d. I think I have a pretty good understanding of what most of the code is doing. I see there is an array of integers... I am trying to figure out how to use them appropriately to solve this problem. I have listed code below. It seems like it has to loop 10 times in order to get the value of $ecx, which I believe is the 2nd number to be used as input. I've tried different combos of numbers for input but nothing has worked so far. Any insight would be greatly appreciated! What am I missing?
0x08048d4f <phase_5+0>:    push   %ebp
0x08048d50 <phase_5+1>:    mov    %esp,%ebp
0x08048d52 <phase_5+3>:    sub    $0x28,%esp
0x08048d55 <phase_5+6>:    lea    -0x8(%ebp),%eax
0x08048d58 <phase_5+9>:    mov    %eax,0xc(%esp)
0x08048d5c <phase_5+13>:   lea    -0x4(%ebp),%eax
0x08048d5f <phase_5+16>:   mov    %eax,0x8(%esp)
0x08048d63 <phase_5+20>:   movl   $0x8049ca5,0x4(%esp)      // %d %d  requires 2 ints
0x08048d6b <phase_5+28>:   mov    0x8(%ebp),%eax
0x08048d6e <phase_5+31>:   mov    %eax,(%esp)
0x08048d71 <phase_5+34>:   call   0x80489d4 <sscanf@plt>    // scans input
0x08048d76 <phase_5+39>:   cmp    $0x1,%eax                 // compare 1 to input
0x08048d79 <phase_5+42>:   jg     0x8048d80 <phase_5+49>    // if > 1 int jump to 0x8048d80
0x08048d7b <phase_5+44>:   call   0x80493e1 <explode_bomb>
0x08048d80 <phase_5+49>:   mov    -0x4(%ebp),%eax
0x08048d83 <phase_5+52>:   and    $0xf,%eax                 // eax & 15
0x08048d86 <phase_5+55>:   mov    %eax,-0x4(%ebp)
0x08048d89 <phase_5+58>:   cmp    $0xf,%eax                 // eax:15
0x08048d8c <phase_5+61>:   je     0x8048dba <phase_5+107>   // if equal jump to explode bomb
0x08048d8e <phase_5+63>:   mov    $0x0,%edx                 // edx=0
0x08048d93 <phase_5+68>:   mov    $0x0,%ecx                 // ecx=0
0x08048d98 <phase_5+73>:   add    $0x1,%edx                 // edx=1 beginning of loop...edx is the counter
0x08048d9b <phase_5+76>:   mov    0x8049ae0(,%eax,4),%eax   // 0x8049ae0 is an array (contents displayed below)
0x08048da2 <phase_5+83>:   add    %eax,%ecx                 // ecx += eax
0x08048da4 <phase_5+85>:   cmp    $0xf,%eax                 // compare 15 to eax
0x08048da7 <phase_5+88>:   jne    0x8048d98 <phase_5+73>    // if not equal jump back to loop 0x08048d98
0x08048da9 <phase_5+90>:   movl   $0xf,-0x4(%ebp)
0x08048db0 <phase_5+97>:   cmp    $0xa,%edx                 // compare 10 to edx
0x08048db3 <phase_5+100>:  jne    0x8048dba <phase_5+107>   // if edx != 10, jump to explode bomb
0x08048db5 <phase_5+102>:  cmp    %ecx,-0x8(%ebp)
0x08048db8 <phase_5+105>:  je     0x8048dbf <phase_5+112>
0x08048dba <phase_5+107>:  call   0x80493e1 <explode_bomb>
0x08048dbf <phase_5+112>:  leave
0x08048dc0 <phase_5+113>:  ret
End of assembler dump.

HERE IS THE ARRAY:

(gdb) x/16wd 0x8049ae0
0x8049ae0 <array.3022>:         10      2       14      7
0x8049af0 <array.3022+16>:      8       12      15      11
0x8049b00 <array.3022+32>:      0       4       1       13
0x8049b10 <array.3022+48>:      3       9       6

Question by: redearthite
 
LVL 53

Accepted Solution

by:
Infinity08 earned 500 total points
ID: 24383392
>> 0x08048d76 <phase_5+39>:        cmp    $0x1,%eax         //compare 1 to input

At that point, eax contains the return value of the sscanf call. sscanf returns the number of successfully read values.


>> I know that this phase requires %d %d.

Right, it reads two integer values. Where does sscanf place these two values? Figuring that out is the start to knowing what happens with the values, and what the code expects them to be.


>> 0x08048d98 <phase_5+73>:        add    $0x1,%edx  //edx=1 beginning of loop...edx is the counter

This is an add instruction, so it's not a simple assignment ... 'edx=1' is not accurate.


>> It seems like it has to loop 10 times in order to get the value of $ecx
>> which I believe is the 2nd number to be used as input.

Right. The second input value has to be equal to the value calculated in ecx. The calculation of that value depends on the first input value, and the array of integers. There is a restriction that it has to loop exactly 10 times, and that it has to end at a certain position in the array.


>> I've tried different combos of numbers for input but nothing has worked so far.

Don't just try ... Figure out what's really happening, and the answer will be clear :)

Author Comment by: redearthite
ID: 24383736
Thank you for responding so promptly. I went into the scanf function. I guess I'm confused at what is happening here... The code is below:

0x080489d4 <sscanf@plt+0>:      jmp    *0x804a16c            // below is the jump table
0x080489da <sscanf@plt+6>:      push   $0xf0                 // pushes 240 onto stack and then what?
0x080489df <sscanf@plt+11>:     jmp    0x80487e4 <_init+48>  // when I examine this address it gives me another address but it won't let me access it

(gdb) x/16wd 0x804a16c           // how do I read this?
0x804a16c <_GLOBAL_OFFSET_TABLE_+132>:  -1209115328     -1208500608     134515194       0
0x804a17c:      0       0       0       134520844
0x804a18c <p.5841+4>:   0       0       0       0
0x804a19c <p.5841+20>:  0       51      0       0

(gdb) x 0x80487e4
0x80487e4 <_init+48>:   0xa0ec35ff        // can't access this address

Thank you for your assistance.
Expert Comment by: Infinity08
ID: 24383826
>> I went into the scanf function.

No need to analyze the function itself. It's a standard C function, which is described here:

        http://www.cplusplus.com/reference/clibrary/cstdio/sscanf/

That page lists all you need to know about the function :)
Author Comment by: redearthite
ID: 24384754
OK. I guess I was trying to figure out the important question you raised about where sscanf places these values.
I thought it placed the first value into $eax, then used it in the equation 0x8049ae0 + $eax*4, which replaces the value in eax.

0x08048d9b <phase_5+76>:        mov    0x8049ae0(,%eax,4),%eax

Does it mean that for the first loop cycle it takes the first element in the array + my first input value * 4?
Then that would give the new value of $eax which would be used in the equation in the second pass through the loop and so on?
Is my second input value inconsequential until I find the value of %ecx after the 10 loops?
I am at work now, so I don't get to try out this theory until later!!
Expert Comment by: Infinity08
ID: 24384846
>> i thought it placed the first value into $eax.

Not really, no. I'll give you a hint: sscanf takes 4 parameters in this case: the source string, the format string, and two addresses where the two values are placed. Before the function call, these 4 parameters are pushed onto the stack (in reverse order).


>> Does it mean that for the first loop cycle it takes the first element in the array + my first input value * 4?

0x8049ae0(,%eax,4) is an addressing mode of the form base(offset, index, size). The address is calculated as follows:

        base + offset + (index * size)

Now, you have to keep in mind that 0x8049ae0 refers to an array of 32-bit integer values. 32 bits == 4 bytes.


>> Then that would give the new value of $eax which would be used in the equation in the second pass through the loop and so on?

Right.


>> Is my second input value inconsequential until I find the value of %ecx after the 10 loops?

Indeed. The second input value is only used to compare it to the ecx value at the end.
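The loop and the base + index*4 addressing explained in the two expert comments above, written out in C as an added example (this is not the bomb's source and not the expert's code). It models phase_5 after the sscanf call using the array dumped in the question, and goes one step further by walking every start index to show which chain takes exactly ten steps.

```c
#include <stdbool.h>
#include <stdint.h>

/* array.3022 as dumped with x/16wd 0x8049ae0 in the question (15 words shown).
 * Index 15 is never read: a start index of 15 is rejected before the loop,
 * and the loop exits as soon as a loaded value equals 15. */
static const int32_t array_3022[15] = {
    10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 1, 13, 3, 9, 6
};

/* The loop at phase_5+73..+88: returns the iteration count (edx) and stores
 * the running sum (ecx). The cap of 16 only guards an array that never
 * reaches 15; this one always does. */
static int32_t phase5_loop(int32_t eax, int32_t *ecx)
{
    int32_t edx = 0;
    *ecx = 0;
    do {
        edx += 1;                     /* add $0x1,%edx */
        eax = array_3022[eax];        /* mov 0x8049ae0(,%eax,4),%eax: base + index*4 */
        *ecx += eax;                  /* add %eax,%ecx */
    } while (eax != 0xf && edx < 16); /* cmp $0xf,%eax ; jne loop */
    return edx;
}

/* phase_5 after sscanf: first/second are the two %d values written to
 * -0x4(%ebp) and -0x8(%ebp). false means control reaches explode_bomb. */
bool phase5_model(int32_t first, int32_t second)
{
    int32_t eax = first & 0xf;        /* and $0xf,%eax */
    if (eax == 0xf)                   /* cmp $0xf,%eax ; je explode_bomb */
        return false;
    int32_t ecx;
    if (phase5_loop(eax, &ecx) != 10) /* cmp $0xa,%edx ; jne explode_bomb */
        return false;
    return ecx == second;             /* cmp %ecx,-0x8(%ebp) ; je leave */
}

/* Walks every start index 0..14 and returns the one whose chain reaches 15
 * in exactly ten steps (or -1), storing the ecx it ends with in *sum. */
int32_t phase5_find_start(int32_t *sum)
{
    for (int32_t s = 0; s < 15; s++)
        if (phase5_loop(s, sum) == 10)
            return s;
    return -1;
}
```

Because only the low four bits of the first value survive the and $0xf, any first input that shares those bits with the found start index passes the same checks.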
Author Closing Comment by: redearthite
ID: 31581294
Thank you for your concise instructions. You were a great help in breaking the problem down step by step in order to understand what was really going on.