
binary bomb phase 6

I'm stuck on phase 6; I think it is the linked list that is giving me problems.


node1           db 76h, 3, 2 dup(0), 1, 3 dup(0), 0F0h, 0A5h, 4, 8 ; 12 bytes at 0x804a5fc, read as little-endian dwords: 0x00000376 at +0 (the value phase_6 compares), 0x00000001 at +4, 0x0804a5f0 at +8 (phase_6 dereferences +8 as the next-node pointer)

I can get to the last explode_bomb call, but I can't get past it.

When I use either of these inputs (2 3 1 6 4 5 or 1 3 2 6 4 5) I bypass all the earlier bomb explosions, but I keep hitting *0x08048da8 with really high values in the registers:

eax            0xb4     180
ecx            0x804a5f0        134522352
edx            0x804a5fc        134522364
ebx            0x804a5f0        134522352
esp            0xbffff7d0       0xbffff7d0
ebp            0xbffff818       0xbffff818
esi            0x0      0
edi            0x6      6
eip            0x8048da8        0x8048da8 <phase_6+201>
eflags         0x293    [ CF AF SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51
(gdb)

(gdb) info registers
eax            0xb4     180
ecx            0x804a5f0        134522352
edx            0x804a5e4        134522340
ebx            0x804a5f0        134522352
esp            0xbffff7d0       0xbffff7d0
ebp            0xbffff818       0xbffff818
esi            0x0      0
edi            0x6      6
eip            0x8048da8        0x8048da8 <phase_6+201>
eflags         0x297    [ CF PF AF SF IF ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51



Could someone please give me a push in the right direction?

thank you
Dump of assembler code for function phase_6:
# Annotated gdb disassembly of phase_6 (IA-32, AT&T syntax, cdecl; the
# input string is at 0x8(%ebp)). Stack frame used below, relative to %ebp:
#   nums[0..5] at -0x24..-0x10  -- the six ints filled in by read_six_numbers
#   ptrs[0..5] at -0x3c..-0x28  -- six node pointers built in the second loop
# Node layout as this function uses it: value at +0, next pointer at +8;
# the word at +4 is never read here. Four stages: validate the input,
# resolve each number to a node, relink the nodes in input order, check
# the resulting order.
0x08048cdf <phase_6+0>: push   %ebp                       # frame setup
0x08048ce0 <phase_6+1>: mov    %esp,%ebp
0x08048ce2 <phase_6+3>: push   %edi                       # save callee-saved registers
0x08048ce3 <phase_6+4>: push   %esi
0x08048ce4 <phase_6+5>: push   %ebx
0x08048ce5 <phase_6+6>: sub    $0x3c,%esp                 # 60 bytes: locals + outgoing call args
0x08048ce8 <phase_6+9>: lea    -0x24(%ebp),%eax           # eax = &nums[0]
0x08048ceb <phase_6+12>:        mov    %eax,0x4(%esp)     # arg 2 = nums
0x08048cef <phase_6+16>:        mov    0x8(%ebp),%eax     # eax = input string (phase_6's own argument)
0x08048cf2 <phase_6+19>:        mov    %eax,(%esp)        # arg 1 = input
0x08048cf5 <phase_6+22>:        call   0x8049393 <read_six_numbers>   # nums[0..5] = parsed input
0x08048cfa <phase_6+27>:        mov    $0x0,%ebx          # i = 0  (stage 1: validate nums)
0x08048cff <phase_6+32>:        mov    -0x24(%ebp,%ebx,4),%eax   # eax = nums[i]
0x08048d03 <phase_6+36>:        sub    $0x1,%eax          # eax = nums[i] - 1
0x08048d06 <phase_6+39>:        cmp    $0x5,%eax          # unsigned (nums[i]-1) <= 5  <=>  1 <= nums[i] <= 6
0x08048d09 <phase_6+42>:        jbe    0x8048d10 <phase_6+49>       # jbe is unsigned: 0 or a negative input wraps and fails
0x08048d0b <phase_6+44>:        call   0x8049351 <explode_bomb>     # nums[i] out of range
0x08048d10 <phase_6+49>:        lea    0x1(%ebx),%edi     # edi = i + 1
0x08048d13 <phase_6+52>:        cmp    $0x6,%edi
0x08048d16 <phase_6+55>:        jne    0x8048d29 <phase_6+74>       # more elements -> duplicate check; else stage 2
0x08048d18 <phase_6+57>:        mov    $0x804a5fc,%ecx    # ecx = &node1, head of the original list
0x08048d1d <phase_6+62>:        mov    $0x1,%eax          # eax = 1-based position of ecx in the list
0x08048d22 <phase_6+67>:        mov    $0x0,%edx          # edx = k, index into nums / ptrs
0x08048d27 <phase_6+72>:        jmp    0x8048d52 <phase_6+115>
0x08048d29 <phase_6+74>:        lea    -0x24(%ebp,%ebx,4),%esi   # esi = &nums[i]
0x08048d2d <phase_6+78>:        mov    %edi,%ebx          # j = i + 1
0x08048d2f <phase_6+80>:        mov    -0x28(%ebp,%edi,4),%eax   # eax = nums[edi-1] = nums[i] (edi is not changed in this loop)
0x08048d33 <phase_6+84>:        cmp    0x4(%esi),%eax     # compare with nums[j]; esi+4 tracks &nums[j]
0x08048d36 <phase_6+87>:        jne    0x8048d3d <phase_6+94>
0x08048d38 <phase_6+89>:        call   0x8049351 <explode_bomb>     # duplicate value in the input
0x08048d3d <phase_6+94>:        add    $0x1,%ebx          # j++
0x08048d40 <phase_6+97>:        add    $0x4,%esi
0x08048d43 <phase_6+100>:       cmp    $0x5,%ebx
0x08048d46 <phase_6+103>:       jle    0x8048d2f <phase_6+80>       # while j <= 5
0x08048d48 <phase_6+105>:       mov    %edi,%ebx          # i++
0x08048d4a <phase_6+107>:       jmp    0x8048cff <phase_6+32>       # next outer iteration
0x08048d4c <phase_6+109>:       mov    0x8(%ecx),%ecx     # ecx = ecx->next  (stage 2: walk the list)
0x08048d4f <phase_6+112>:       add    $0x1,%eax          # position++
0x08048d52 <phase_6+115>:       cmp    -0x24(%ebp,%edx,4),%eax     # position vs nums[k]
0x08048d56 <phase_6+119>:       jl     0x8048d4c <phase_6+109>      # while position < nums[k]: advance
0x08048d58 <phase_6+121>:       mov    %ecx,-0x3c(%ebp,%edx,4)     # ptrs[k] = the nums[k]-th node of the original list
0x08048d5c <phase_6+125>:       add    $0x1,%edx          # k++
0x08048d5f <phase_6+128>:       cmp    $0x5,%edx
0x08048d62 <phase_6+131>:       jg     0x8048d70 <phase_6+145>      # all six resolved -> stage 3
0x08048d64 <phase_6+133>:       mov    $0x804a5fc,%ecx    # restart the walk from the head
0x08048d69 <phase_6+138>:       mov    $0x1,%eax
---Type <return> to continue, or q <return> to quit---
0x08048d6e <phase_6+143>:       jmp    0x8048d52 <phase_6+115>
0x08048d70 <phase_6+145>:       mov    -0x3c(%ebp),%ecx   # ecx = ptrs[0]  (stage 3: relink in input order)
0x08048d73 <phase_6+148>:       mov    -0x38(%ebp),%eax   # eax = ptrs[1]
0x08048d76 <phase_6+151>:       mov    %eax,0x8(%ecx)     # ptrs[0]->next = ptrs[1]
0x08048d79 <phase_6+154>:       mov    -0x34(%ebp),%edx   # edx = ptrs[2]
0x08048d7c <phase_6+157>:       mov    %edx,0x8(%eax)     # ptrs[1]->next = ptrs[2]
0x08048d7f <phase_6+160>:       mov    -0x30(%ebp),%eax   # eax = ptrs[3]
0x08048d82 <phase_6+163>:       mov    %eax,0x8(%edx)     # ptrs[2]->next = ptrs[3]
0x08048d85 <phase_6+166>:       mov    -0x2c(%ebp),%edx   # edx = ptrs[4]
0x08048d88 <phase_6+169>:       mov    %edx,0x8(%eax)     # ptrs[3]->next = ptrs[4]
0x08048d8b <phase_6+172>:       mov    -0x28(%ebp),%eax   # eax = ptrs[5]
0x08048d8e <phase_6+175>:       mov    %eax,0x8(%edx)     # ptrs[4]->next = ptrs[5]
0x08048d91 <phase_6+178>:       movl   $0x0,0x8(%eax)     # ptrs[5]->next = NULL; list now follows the input order
0x08048d98 <phase_6+185>:       mov    %ecx,%ebx          # node = ptrs[0], the new head  (stage 4: check order)
0x08048d9a <phase_6+187>:       mov    $0x0,%esi          # n = 0
0x08048d9f <phase_6+192>:       mov    0x8(%ebx),%edx     # edx = node->next
0x08048da2 <phase_6+195>:       mov    (%ebx),%eax        # eax = node->value (a node value, not an input number)
0x08048da4 <phase_6+197>:       cmp    (%edx),%eax        # compare with next->value (signed)
0x08048da6 <phase_6+199>:       jge    0x8048dad <phase_6+206>      # ok when node->value >= next->value
0x08048da8 <phase_6+201>:       call   0x8049351 <explode_bomb>     # relinked list is not in non-increasing value order
0x08048dad <phase_6+206>:       mov    0x8(%ebx),%ebx     # node = node->next
0x08048db0 <phase_6+209>:       add    $0x1,%esi          # n++
0x08048db3 <phase_6+212>:       cmp    $0x5,%esi
0x08048db6 <phase_6+215>:       jne    0x8048d9f <phase_6+192>      # five comparisons over six nodes
0x08048db8 <phase_6+217>:       add    $0x3c,%esp         # epilogue: drop locals, restore callee-saved registers
0x08048dbb <phase_6+220>:       pop    %ebx
0x08048dbc <phase_6+221>:       pop    %esi
0x08048dbd <phase_6+222>:       pop    %edi
0x08048dbe <phase_6+223>:       pop    %ebp
0x08048dbf <phase_6+224>:       ret
End of assembler dump.
 
(gdb) disas 0x804a5fc
Dump of assembler code for function node1:
0x0804a5fc <node1+0>:   jbe    0x804a601 <node1+5>
0x0804a5fe <node1+2>:   add    %al,(%eax)
0x0804a600 <node1+4>:   add    %eax,(%eax)
0x0804a602 <node1+6>:   add    %al,(%eax)
0x0804a604 <node1+8>:   lock movsl %ds:(%esi),%es:(%edi)
0x0804a606 <node1+10>:  add    $0x8,%al
End of assembler dump.

braker15
Asked:
braker15
 
demi-osCommented:
It looks like you should single-step the whole thing; at the very least, place a breakpoint before the explode_bomb call and see what is being compared at 0x8048da4. I am not sure, but it doesn't really seem to compare the actual numbers you entered.
Also, as you already know, the loop at 0x08048d52 looks like `while (cnt < array_of_int[idx])`, nested inside a `while (true)` loop, and you may want to single-step that as well.

           0             1             2           
0x0804A5FC 76 03 00 00   01 00 00 00   F0 A5 04 08 
           (0x00000076)  (0x00000001)  (0x0804A5F0)

 
Infinity08Commented:
>> i'm stuck on phase6, i think it is the linked list that is giving me problems

First of all, you have to figure out the contents of the linked list. So, display the data from the first node (at address 0x804a5fc), identify the next pointer from that node, use that to display the data from the second node, etc. until the next pointer is a NULL pointer.

Once you have that information, you can try to figure out which input is valid.

There are four blocks in the phase_6 function, roughly split up like below (note that for the second block, I repeated 3 instructions, because they basically belong to the second block rather than the first block). Figure out what each of them does, and it becomes very easy to find the solution.

If you can describe what each block does in one phrase, we can work further.


>> when i use either of these inputs ( 2 3 1 6 4 5 or 1 3 2 6 4 5) i bypass all bomb explosions...

This means that you have figured out part of the requirements for the input, namely the ones imposed by block 1. There is one more requirement, though, and finding it requires that you understand exactly what the other three blocks do.


Just for information : I do know what's going on, and I know the solution, and the answers to each of the questions I asked in this post. I just want you to find it yourself :) With my guidance if you want.
First block of code
-------------------
 
0x08048ce8 <phase_6+9>: lea    -0x24(%ebp),%eax
0x08048ceb <phase_6+12>:        mov    %eax,0x4(%esp)
0x08048cef <phase_6+16>:        mov    0x8(%ebp),%eax
0x08048cf2 <phase_6+19>:        mov    %eax,(%esp)
0x08048cf5 <phase_6+22>:        call   0x8049393 <read_six_numbers>
0x08048cfa <phase_6+27>:        mov    $0x0,%ebx
0x08048cff <phase_6+32>:        mov    -0x24(%ebp,%ebx,4),%eax
0x08048d03 <phase_6+36>:        sub    $0x1,%eax
0x08048d06 <phase_6+39>:        cmp    $0x5,%eax
0x08048d09 <phase_6+42>:        jbe    0x8048d10 <phase_6+49>
0x08048d0b <phase_6+44>:        call   0x8049351 <explode_bomb>
0x08048d10 <phase_6+49>:        lea    0x1(%ebx),%edi
0x08048d13 <phase_6+52>:        cmp    $0x6,%edi
0x08048d16 <phase_6+55>:        jne    0x8048d29 <phase_6+74>
0x08048d18 <phase_6+57>:        mov    $0x804a5fc,%ecx
0x08048d1d <phase_6+62>:        mov    $0x1,%eax
0x08048d22 <phase_6+67>:        mov    $0x0,%edx
0x08048d27 <phase_6+72>:        jmp    0x8048d52 <phase_6+115>
0x08048d29 <phase_6+74>:        lea    -0x24(%ebp,%ebx,4),%esi
0x08048d2d <phase_6+78>:        mov    %edi,%ebx
0x08048d2f <phase_6+80>:        mov    -0x28(%ebp,%edi,4),%eax
0x08048d33 <phase_6+84>:        cmp    0x4(%esi),%eax
0x08048d36 <phase_6+87>:        jne    0x8048d3d <phase_6+94>
0x08048d38 <phase_6+89>:        call   0x8049351 <explode_bomb>
0x08048d3d <phase_6+94>:        add    $0x1,%ebx
0x08048d40 <phase_6+97>:        add    $0x4,%esi
0x08048d43 <phase_6+100>:       cmp    $0x5,%ebx
0x08048d46 <phase_6+103>:       jle    0x8048d2f <phase_6+80>
0x08048d48 <phase_6+105>:       mov    %edi,%ebx
0x08048d4a <phase_6+107>:       jmp    0x8048cff <phase_6+32>
 
 
Second block of code
--------------------
 
0x08048d18 <phase_6+57>:        mov    $0x804a5fc,%ecx
0x08048d1d <phase_6+62>:        mov    $0x1,%eax
0x08048d22 <phase_6+67>:        mov    $0x0,%edx
 
<SNIP>
 
0x08048d4c <phase_6+109>:       mov    0x8(%ecx),%ecx
0x08048d4f <phase_6+112>:       add    $0x1,%eax
0x08048d52 <phase_6+115>:       cmp    -0x24(%ebp,%edx,4),%eax
0x08048d56 <phase_6+119>:       jl     0x8048d4c <phase_6+109>
0x08048d58 <phase_6+121>:       mov    %ecx,-0x3c(%ebp,%edx,4)
0x08048d5c <phase_6+125>:       add    $0x1,%edx
0x08048d5f <phase_6+128>:       cmp    $0x5,%edx
0x08048d62 <phase_6+131>:       jg     0x8048d70 <phase_6+145>
0x08048d64 <phase_6+133>:       mov    $0x804a5fc,%ecx
0x08048d69 <phase_6+138>:       mov    $0x1,%eax
0x08048d6e <phase_6+143>:       jmp    0x8048d52 <phase_6+115>
 
 
Third block of code
-------------------
 
0x08048d70 <phase_6+145>:       mov    -0x3c(%ebp),%ecx
0x08048d73 <phase_6+148>:       mov    -0x38(%ebp),%eax
0x08048d76 <phase_6+151>:       mov    %eax,0x8(%ecx)
0x08048d79 <phase_6+154>:       mov    -0x34(%ebp),%edx
0x08048d7c <phase_6+157>:       mov    %edx,0x8(%eax)
0x08048d7f <phase_6+160>:       mov    -0x30(%ebp),%eax
0x08048d82 <phase_6+163>:       mov    %eax,0x8(%edx)
0x08048d85 <phase_6+166>:       mov    -0x2c(%ebp),%edx
0x08048d88 <phase_6+169>:       mov    %edx,0x8(%eax)
0x08048d8b <phase_6+172>:       mov    -0x28(%ebp),%eax
0x08048d8e <phase_6+175>:       mov    %eax,0x8(%edx)
0x08048d91 <phase_6+178>:       movl   $0x0,0x8(%eax)
 
 
Fourth block of code
--------------------
 
0x08048d98 <phase_6+185>:       mov    %ecx,%ebx
0x08048d9a <phase_6+187>:       mov    $0x0,%esi
0x08048d9f <phase_6+192>:       mov    0x8(%ebx),%edx
0x08048da2 <phase_6+195>:       mov    (%ebx),%eax
0x08048da4 <phase_6+197>:       cmp    (%edx),%eax
0x08048da6 <phase_6+199>:       jge    0x8048dad <phase_6+206>
0x08048da8 <phase_6+201>:       call   0x8049351 <explode_bomb>
0x08048dad <phase_6+206>:       mov    0x8(%ebx),%ebx
0x08048db0 <phase_6+209>:       add    $0x1,%esi
0x08048db3 <phase_6+212>:       cmp    $0x5,%esi
0x08048db6 <phase_6+215>:       jne    0x8048d9f <phase_6+192>

