Solved

binary bomb phase 6

Posted on 2009-05-16
8,453 Views
Last Modified: 2013-11-13
I'm stuck on phase 6; I think it is the linked list that is giving me problems.


node1           db 76h, 3, 2 dup(0), 1, 3 dup(0), 0F0h, 0A5h, 4, 8   ; 12 bytes = 3 little-endian dwords: 00000376h at +0 (the field phase_6 compares), 00000001h at +4 (never read by phase_6), 0804A5F0h at +8 (dereferenced by phase_6 as the next-node pointer)

I can get to the last explode_bomb call, but I can't get past it.

When I use either of these inputs (2 3 1 6 4 5 or 1 3 2 6 4 5) I bypass all the other bomb explosions, but I keep hitting *0x08048da8 with really high values in the registers:

eax            0xb4     180
ecx            0x804a5f0        134522352
edx            0x804a5fc        134522364
ebx            0x804a5f0        134522352
esp            0xbffff7d0       0xbffff7d0
ebp            0xbffff818       0xbffff818
esi            0x0      0
edi            0x6      6
eip            0x8048da8        0x8048da8 <phase_6+201>
eflags         0x293    [ CF AF SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb)

(gdb) info registers
eax            0xb4     180
ecx            0x804a5f0        134522352
edx            0x804a5e4        134522340
ebx            0x804a5f0        134522352
esp            0xbffff7d0       0xbffff7d0
ebp            0xbffff818       0xbffff818
esi            0x0      0
edi            0x6      6
eip            0x8048da8        0x8048da8 <phase_6+201>
eflags         0x297    [ CF PF AF SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51



Could someone please give me a push in the right direction?

thank you
Dump of assembler code for function phase_6:

# phase_6(arg) -- gdb AT&T disassembly, annotated with '#' comments.
# ABI:   i386 cdecl; the single argument at 0x8(%ebp) is forwarded unchanged to
#        read_six_numbers (presumably the input line -- that helper is not shown).
# Frame: -0x24(%ebp) .. -0x10(%ebp)  input[0..5], six dwords filled by read_six_numbers
#        -0x3c(%ebp) .. -0x28(%ebp)  ptr[0..5],   six node pointers filled by block 2
# Node layout as used here: +0 = value (compared in block 4), +8 = next pointer.
#        Offset +4 is never read by this function.
# Blocks: 1 validate input, 2 select nodes, 3 relink them, 4 verify the order.
0x08048cdf <phase_6+0>: push   %ebp                       # standard frame setup
0x08048ce0 <phase_6+1>: mov    %esp,%ebp

0x08048ce2 <phase_6+3>: push   %edi                       # callee-saved regs used below

0x08048ce3 <phase_6+4>: push   %esi

0x08048ce4 <phase_6+5>: push   %ebx

0x08048ce5 <phase_6+6>: sub    $0x3c,%esp                 # locals (see frame map) + outgoing arg slots

0x08048ce8 <phase_6+9>: lea    -0x24(%ebp),%eax           # eax = &input[0]

0x08048ceb <phase_6+12>:        mov    %eax,0x4(%esp)     # arg 2 = input array

0x08048cef <phase_6+16>:        mov    0x8(%ebp),%eax     # arg 1 = phase_6's own argument

0x08048cf2 <phase_6+19>:        mov    %eax,(%esp)

0x08048cf5 <phase_6+22>:        call   0x8049393 <read_six_numbers>   # fills input[0..5]

# ---- block 1: every input[i] must be in 1..6 and all six must be distinct ----
# ebx = i (outer index), edi = i+1, esi = &input[i] (bumped to &input[k]), ebx reused as k in the inner loop
0x08048cfa <phase_6+27>:        mov    $0x0,%ebx          # i = 0

0x08048cff <phase_6+32>:        mov    -0x24(%ebp,%ebx,4),%eax   # eax = input[i]

0x08048d03 <phase_6+36>:        sub    $0x1,%eax          # eax = input[i] - 1

0x08048d06 <phase_6+39>:        cmp    $0x5,%eax

0x08048d09 <phase_6+42>:        jbe    0x8048d10 <phase_6+49>    # unsigned: (input[i]-1) <= 5  <=>  1 <= input[i] <= 6; negatives also fail

0x08048d0b <phase_6+44>:        call   0x8049351 <explode_bomb>  # value out of range

0x08048d10 <phase_6+49>:        lea    0x1(%ebx),%edi     # edi = i + 1

0x08048d13 <phase_6+52>:        cmp    $0x6,%edi

0x08048d16 <phase_6+55>:        jne    0x8048d29 <phase_6+74>    # not the last element yet: run the duplicate check

0x08048d18 <phase_6+57>:        mov    $0x804a5fc,%ecx    # all six validated: ecx = &node1, the list head (block 2 setup)

0x08048d1d <phase_6+62>:        mov    $0x1,%eax          # eax = 1-based position of ecx within the list

0x08048d22 <phase_6+67>:        mov    $0x0,%edx          # edx = j, index into input[] / ptr[]

0x08048d27 <phase_6+72>:        jmp    0x8048d52 <phase_6+115>

0x08048d29 <phase_6+74>:        lea    -0x24(%ebp,%ebx,4),%esi   # esi = &input[i]

0x08048d2d <phase_6+78>:        mov    %edi,%ebx          # k = i + 1

0x08048d2f <phase_6+80>:        mov    -0x28(%ebp,%edi,4),%eax   # eax = input[edi-1] = input[i]  (-0x28+4*edi == -0x24+4*(edi-1))

0x08048d33 <phase_6+84>:        cmp    0x4(%esi),%eax     # compare with input[k]; esi+4 tracks &input[k]

0x08048d36 <phase_6+87>:        jne    0x8048d3d <phase_6+94>

0x08048d38 <phase_6+89>:        call   0x8049351 <explode_bomb>  # duplicate value

0x08048d3d <phase_6+94>:        add    $0x1,%ebx          # k++

0x08048d40 <phase_6+97>:        add    $0x4,%esi          # esi = &input[k]

0x08048d43 <phase_6+100>:       cmp    $0x5,%ebx

0x08048d46 <phase_6+103>:       jle    0x8048d2f <phase_6+80>    # signed: while k <= 5

0x08048d48 <phase_6+105>:       mov    %edi,%ebx          # i = i + 1

0x08048d4a <phase_6+107>:       jmp    0x8048cff <phase_6+32>    # next outer iteration

# ---- block 2: ptr[j] = the node at 1-based list position input[j], for j = 0..5 ----
# ecx = current node, eax = its position, edx = j
0x08048d4c <phase_6+109>:       mov    0x8(%ecx),%ecx     # ecx = ecx->next

0x08048d4f <phase_6+112>:       add    $0x1,%eax          # position++

0x08048d52 <phase_6+115>:       cmp    -0x24(%ebp,%edx,4),%eax   # compare position with input[j]

0x08048d56 <phase_6+119>:       jl     0x8048d4c <phase_6+109>   # while (position < input[j]) advance

0x08048d58 <phase_6+121>:       mov    %ecx,-0x3c(%ebp,%edx,4)   # ptr[j] = ecx

0x08048d5c <phase_6+125>:       add    $0x1,%edx          # j++

0x08048d5f <phase_6+128>:       cmp    $0x5,%edx

0x08048d62 <phase_6+131>:       jg     0x8048d70 <phase_6+145>   # j > 5: all six pointers collected

0x08048d64 <phase_6+133>:       mov    $0x804a5fc,%ecx    # restart the walk from the head ...

0x08048d69 <phase_6+138>:       mov    $0x1,%eax          # ... at position 1

---Type <return> to continue, or q <return> to quit---

0x08048d6e <phase_6+143>:       jmp    0x8048d52 <phase_6+115>

# ---- block 3: rewrite the next pointers so the list runs ptr[0] -> ptr[1] -> ... -> ptr[5] -> NULL ----
0x08048d70 <phase_6+145>:       mov    -0x3c(%ebp),%ecx   # ecx = ptr[0]

0x08048d73 <phase_6+148>:       mov    -0x38(%ebp),%eax   # eax = ptr[1]

0x08048d76 <phase_6+151>:       mov    %eax,0x8(%ecx)     # ptr[0]->next = ptr[1]

0x08048d79 <phase_6+154>:       mov    -0x34(%ebp),%edx   # edx = ptr[2]

0x08048d7c <phase_6+157>:       mov    %edx,0x8(%eax)     # ptr[1]->next = ptr[2]

0x08048d7f <phase_6+160>:       mov    -0x30(%ebp),%eax   # eax = ptr[3]

0x08048d82 <phase_6+163>:       mov    %eax,0x8(%edx)     # ptr[2]->next = ptr[3]

0x08048d85 <phase_6+166>:       mov    -0x2c(%ebp),%edx   # edx = ptr[4]

0x08048d88 <phase_6+169>:       mov    %edx,0x8(%eax)     # ptr[3]->next = ptr[4]

0x08048d8b <phase_6+172>:       mov    -0x28(%ebp),%eax   # eax = ptr[5]

0x08048d8e <phase_6+175>:       mov    %eax,0x8(%edx)     # ptr[4]->next = ptr[5]

0x08048d91 <phase_6+178>:       movl   $0x0,0x8(%eax)     # ptr[5]->next = NULL

# ---- block 4: walk the relinked list; each node's value must be >= its successor's ----
# ebx = current node, edx = its successor, esi = links checked so far
0x08048d98 <phase_6+185>:       mov    %ecx,%ebx          # ebx = ptr[0] (ecx still holds it from block 3)

0x08048d9a <phase_6+187>:       mov    $0x0,%esi          # esi = 0

0x08048d9f <phase_6+192>:       mov    0x8(%ebx),%edx     # edx = ebx->next

0x08048da2 <phase_6+195>:       mov    (%ebx),%eax        # eax = ebx->value

0x08048da4 <phase_6+197>:       cmp    (%edx),%eax        # compare with edx->value

0x08048da6 <phase_6+199>:       jge    0x8048dad <phase_6+206>   # signed: ok when value >= next->value

0x08048da8 <phase_6+201>:       call   0x8049351 <explode_bomb>  # a node is smaller than its successor: the selected order is not non-increasing by value

0x08048dad <phase_6+206>:       mov    0x8(%ebx),%ebx     # ebx = ebx->next

0x08048db0 <phase_6+209>:       add    $0x1,%esi          # esi++

0x08048db3 <phase_6+212>:       cmp    $0x5,%esi

0x08048db6 <phase_6+215>:       jne    0x8048d9f <phase_6+192>   # five links between six nodes

0x08048db8 <phase_6+217>:       add    $0x3c,%esp         # epilogue: release locals, restore callee-saved regs

0x08048dbb <phase_6+220>:       pop    %ebx

0x08048dbc <phase_6+221>:       pop    %esi

0x08048dbd <phase_6+222>:       pop    %edi

0x08048dbe <phase_6+223>:       pop    %ebp

0x08048dbf <phase_6+224>:       ret

End of assembler dump.
 

(gdb) disas 0x804a5fc

Dump of assembler code for function node1:

0x0804a5fc <node1+0>:   jbe    0x804a601 <node1+5>

0x0804a5fe <node1+2>:   add    %al,(%eax)

0x0804a600 <node1+4>:   add    %eax,(%eax)

0x0804a602 <node1+6>:   add    %al,(%eax)

0x0804a604 <node1+8>:   lock movsl %ds:(%esi),%es:(%edi)

0x0804a606 <node1+10>:  add    $0x8,%al

End of assembler dump.

Question by:braker15
2 Comments
 

Accepted Solution

by:
demi-os earned 250 total points
ID: 24407366
It looks like you should single-step the whole thing; at the very least, place a breakpoint before the explode_bomb call and see what is being compared at 0x08048da4. I am not sure, but it does not really seem to compare the actual numbers you entered.
Also, as you already know, the loop at 0x08048d52 looks like `while (cnt < array_of_int[idx])` nested inside a `while (true)`, which you may want to single-step as well.

           0             1             2           

0x0804A5FC 76 03 00 00   01 00 00 00   F0 A5 04 08 

           (0x00000076)  (0x00000001)  (0x0804A5F0)

 

Assisted Solution

by:Infinity08
Infinity08 earned 250 total points
ID: 24410201
>> i'm stuck on phase6, i think it is the linked list that is giving me problems

First of all, you have to figure out the contents of the linked list. So, display the data from the first node (at address 0x804a5fc), identify the next pointer from that node, use that to display the data from the second node, etc. until the next pointer is a NULL pointer.

Once you have that information, you can try to figure out which input is valid.

There are four blocks in the phase_6 function, roughly split up like below (note that for the second block, I repeated 3 instructions, because they basically belong to the second block rather than the first block). Figure out what each of them does, and it becomes very easy to find the solution.

If you can describe what each block does in one phrase, we can work further.


>> when i use either of these inputs ( 2 3 1 6 4 5 or 1 3 2 6 4 5) i bypass all bomb explosions...

This means that you have figured out part of the requirements for the input, namely the ones imposed by block 1. There is one more requirement, though, and meeting it requires that you understand exactly what the other three blocks do.


Just for information: I do know what's going on, I know the solution, and I know the answers to each of the questions I asked in this post. I just want you to find it yourself :) with my guidance, if you want.
First block of code

-------------------
 

0x08048ce8 <phase_6+9>: lea    -0x24(%ebp),%eax

0x08048ceb <phase_6+12>:        mov    %eax,0x4(%esp)

0x08048cef <phase_6+16>:        mov    0x8(%ebp),%eax

0x08048cf2 <phase_6+19>:        mov    %eax,(%esp)

0x08048cf5 <phase_6+22>:        call   0x8049393 <read_six_numbers>

0x08048cfa <phase_6+27>:        mov    $0x0,%ebx

0x08048cff <phase_6+32>:        mov    -0x24(%ebp,%ebx,4),%eax

0x08048d03 <phase_6+36>:        sub    $0x1,%eax

0x08048d06 <phase_6+39>:        cmp    $0x5,%eax

0x08048d09 <phase_6+42>:        jbe    0x8048d10 <phase_6+49>

0x08048d0b <phase_6+44>:        call   0x8049351 <explode_bomb>

0x08048d10 <phase_6+49>:        lea    0x1(%ebx),%edi

0x08048d13 <phase_6+52>:        cmp    $0x6,%edi

0x08048d16 <phase_6+55>:        jne    0x8048d29 <phase_6+74>

0x08048d18 <phase_6+57>:        mov    $0x804a5fc,%ecx

0x08048d1d <phase_6+62>:        mov    $0x1,%eax

0x08048d22 <phase_6+67>:        mov    $0x0,%edx

0x08048d27 <phase_6+72>:        jmp    0x8048d52 <phase_6+115>

0x08048d29 <phase_6+74>:        lea    -0x24(%ebp,%ebx,4),%esi

0x08048d2d <phase_6+78>:        mov    %edi,%ebx

0x08048d2f <phase_6+80>:        mov    -0x28(%ebp,%edi,4),%eax

0x08048d33 <phase_6+84>:        cmp    0x4(%esi),%eax

0x08048d36 <phase_6+87>:        jne    0x8048d3d <phase_6+94>

0x08048d38 <phase_6+89>:        call   0x8049351 <explode_bomb>

0x08048d3d <phase_6+94>:        add    $0x1,%ebx

0x08048d40 <phase_6+97>:        add    $0x4,%esi

0x08048d43 <phase_6+100>:       cmp    $0x5,%ebx

0x08048d46 <phase_6+103>:       jle    0x8048d2f <phase_6+80>

0x08048d48 <phase_6+105>:       mov    %edi,%ebx

0x08048d4a <phase_6+107>:       jmp    0x8048cff <phase_6+32>
 
 

Second block of code

--------------------
 

0x08048d18 <phase_6+57>:        mov    $0x804a5fc,%ecx

0x08048d1d <phase_6+62>:        mov    $0x1,%eax

0x08048d22 <phase_6+67>:        mov    $0x0,%edx
 

<SNIP>
 

0x08048d4c <phase_6+109>:       mov    0x8(%ecx),%ecx

0x08048d4f <phase_6+112>:       add    $0x1,%eax

0x08048d52 <phase_6+115>:       cmp    -0x24(%ebp,%edx,4),%eax

0x08048d56 <phase_6+119>:       jl     0x8048d4c <phase_6+109>

0x08048d58 <phase_6+121>:       mov    %ecx,-0x3c(%ebp,%edx,4)

0x08048d5c <phase_6+125>:       add    $0x1,%edx

0x08048d5f <phase_6+128>:       cmp    $0x5,%edx

0x08048d62 <phase_6+131>:       jg     0x8048d70 <phase_6+145>

0x08048d64 <phase_6+133>:       mov    $0x804a5fc,%ecx

0x08048d69 <phase_6+138>:       mov    $0x1,%eax

0x08048d6e <phase_6+143>:       jmp    0x8048d52 <phase_6+115>
 
 

Third block of code

-------------------
 

0x08048d70 <phase_6+145>:       mov    -0x3c(%ebp),%ecx

0x08048d73 <phase_6+148>:       mov    -0x38(%ebp),%eax

0x08048d76 <phase_6+151>:       mov    %eax,0x8(%ecx)

0x08048d79 <phase_6+154>:       mov    -0x34(%ebp),%edx

0x08048d7c <phase_6+157>:       mov    %edx,0x8(%eax)

0x08048d7f <phase_6+160>:       mov    -0x30(%ebp),%eax

0x08048d82 <phase_6+163>:       mov    %eax,0x8(%edx)

0x08048d85 <phase_6+166>:       mov    -0x2c(%ebp),%edx

0x08048d88 <phase_6+169>:       mov    %edx,0x8(%eax)

0x08048d8b <phase_6+172>:       mov    -0x28(%ebp),%eax

0x08048d8e <phase_6+175>:       mov    %eax,0x8(%edx)

0x08048d91 <phase_6+178>:       movl   $0x0,0x8(%eax)
 
 

Fourth block of code

--------------------
 

0x08048d98 <phase_6+185>:       mov    %ecx,%ebx

0x08048d9a <phase_6+187>:       mov    $0x0,%esi

0x08048d9f <phase_6+192>:       mov    0x8(%ebx),%edx

0x08048da2 <phase_6+195>:       mov    (%ebx),%eax

0x08048da4 <phase_6+197>:       cmp    (%edx),%eax

0x08048da6 <phase_6+199>:       jge    0x8048dad <phase_6+206>

0x08048da8 <phase_6+201>:       call   0x8049351 <explode_bomb>

0x08048dad <phase_6+206>:       mov    0x8(%ebx),%ebx

0x08048db0 <phase_6+209>:       add    $0x1,%esi

0x08048db3 <phase_6+212>:       cmp    $0x5,%esi

0x08048db6 <phase_6+215>:       jne    0x8048d9f <phase_6+192>

