binary bomb phase_6



I'm struggling to solve the last phase of my project. I would appreciate some tips and any idea of what's happening here.

Dump of assembler code for function phase_6:
# phase_6(char *input): parse the input as a decimal number, store it in the global node at
# 0x804a62c, hand that node to fun6, then check that the value found seven pointer hops from
# fun6's return value equals the parsed number. 32-bit cdecl; arguments are placed via %esp.
0x08048df1 <phase_6+0>: push   %ebp                    # frame setup
0x08048df2 <phase_6+1>: mov    %esp,%ebp
0x08048df4 <phase_6+3>: sub    $0x18,%esp               # 24 bytes of outgoing-argument space
0x08048df7 <phase_6+6>: movl   $0x0,0xc(%esp)           # arg4 = 0  (group flag of __strtol_internal)
0x08048dff <phase_6+14>:        movl   $0xa,0x8(%esp)   # arg3 = 10 (base)
0x08048e07 <phase_6+22>:        movl   $0x0,0x4(%esp)   # arg2 = 0  (no end pointer, so trailing garbage is never detected)
0x08048e0f <phase_6+30>:        mov    0x8(%ebp),%eax   # eax = phase_6's first argument (the input string)
0x08048e12 <phase_6+33>:        mov    %eax,(%esp)      # arg1 = input string
0x08048e15 <phase_6+36>:        call   0x8048744 <__strtol_internal@plt>   # eax = parsed number (0 if no digits)
0x08048e1a <phase_6+41>:        mov    %eax,0x804a62c   # store it in the global at 0x804a62c; fun6 reads offset 0 of its argument as a node value,
0x08048e1f <phase_6+46>:        movl   $0x804a62c,(%esp) # so this global is a list node and its address is passed as fun6's single argument
0x08048e26 <phase_6+53>:        call   0x8048b38 <fun6>  # eax = head of the list fun6 returns (fun6 relinks the nodes in descending value order)
0x08048e2b <phase_6+58>:        mov    $0x1,%edx        # edx = hop counter, starts at 1
0x08048e30 <phase_6+63>:        mov    0x8(%eax),%eax   # eax = *(eax + 8): follow the pointer stored 8 bytes into the node
0x08048e33 <phase_6+66>:        add    $0x1,%edx
0x08048e36 <phase_6+69>:        cmp    $0x8,%edx
0x08048e39 <phase_6+72>:        jne    0x8048e30 <phase_6+63>  # body runs for edx = 1..7: seven hops; no NULL check, a shorter list would fault here
0x08048e3b <phase_6+74>:        mov    (%eax),%eax      # eax = value field (offset 0) of the node reached, i.e. the eighth node from the head
0x08048e3d <phase_6+76>:        cmp    0x804a62c,%eax   # compare it with the number parsed above
0x08048e43 <phase_6+82>:        je     0x8048e4a <phase_6+89>   # equal -> phase passes
0x08048e45 <phase_6+84>:        call   0x80491b3 <explode_bomb> # otherwise explode
0x08048e4a <phase_6+89>:        leave  
0x08048e4b <phase_6+90>:        ret    
End of assembler dump.

# Lazy-binding PLT entry for __strtol_internal; nothing phase-specific here.
08048744 <__strtol_internal@plt>:
 8048744:      ff 25 0c a1 04 08          jmp    *0x804a10c             # indirect jump through the GOT slot; after resolution this goes straight to libc
 804874a:      68 40 00 00 00             push   $0x40                  # first call only: push this symbol's relocation index ...
 804874f:      e9 60 ff ff ff             jmp    80486b4 <_init+0x18>   # ... and jump to the resolver trampoline (PLT0) that fills the GOT slot
Infinity08 Commented:
Seeing as you got through 5 earlier phases, I'll assume you know the basics of interpreting assembler code. So I'll skip over the basic parts quickly :

>> 0x08048df7 <phase_6+6>: movl   $0x0,0xc(%esp)
>> 0x08048dff <phase_6+14>:        movl   $0xa,0x8(%esp)
>> 0x08048e07 <phase_6+22>:        movl   $0x0,0x4(%esp)
>> 0x08048e0f <phase_6+30>:        mov    0x8(%ebp),%eax
>> 0x08048e12 <phase_6+33>:        mov    %eax,(%esp)
>> 0x08048e15 <phase_6+36>:        call   0x8048744 <__strtol_internal@plt>

This is a standard call to strtol :

whose result is then passed to the fun6 function :

>> 0x08048e1a <phase_6+41>:        mov    %eax,0x804a62c
>> 0x08048e1f <phase_6+46>:        movl   $0x804a62c,(%esp)
>> 0x08048e26 <phase_6+53>:        call   0x8048b38 <fun6>

The data structure returned by the fun6 function is then iterated over a few times :

>> 0x08048e2b <phase_6+58>:        mov    $0x1,%edx
>> 0x08048e30 <phase_6+63>:        mov    0x8(%eax),%eax
>> 0x08048e33 <phase_6+66>:        add    $0x1,%edx
>> 0x08048e36 <phase_6+69>:        cmp    $0x8,%edx
>> 0x08048e39 <phase_6+72>:        jne    0x8048e30 <phase_6+63>

to get to a certain value which has to match a given value in order for the bomb not to explode :

>> 0x08048e3b <phase_6+74>:        mov    (%eax),%eax
>> 0x08048e3d <phase_6+76>:        cmp    0x804a62c,%eax
>> 0x08048e43 <phase_6+82>:        je     0x8048e4a <phase_6+89>
>> 0x08048e45 <phase_6+84>:        call   0x80491b3 <explode_bomb>

That's in a nutshell what the phase_6 function does. Do you agree ? Is there anything you're not clear about ?

If the phase_6 function is sufficiently clear, we can move on to the fun6 function. Could I ask you to post your understanding of what happens in that function, and to explain what it is that you're unsure about ?
lecos (Author) Commented:
I failed to add this important info:

# node *fun6(node *list): insertion-sorts a singly linked list and returns the new head.
# Node layout as used here: signed value at +0, next pointer at +8.
# Register roles: esi = head of the output list, ebx = next input node still to insert,
#                 eax = "previous" cursor, edx = "current" cursor, ecx = arg, later the value being inserted.
08048b38 <fun6>:
 8048b38:      55                         push   %ebp
 8048b39:      89 e5                      mov    %esp,%ebp
 8048b3b:      56                         push   %esi                  # callee-saved
 8048b3c:      53                         push   %ebx                  # callee-saved
 8048b3d:      8b 4d 08                   mov    0x8(%ebp),%ecx        # ecx = list (first node)
 8048b40:      8b 59 08                   mov    0x8(%ecx),%ebx        # ebx = list->next (remaining input)
 8048b43:      c7 41 08 00 00 00 00       movl   $0x0,0x8(%ecx)        # list->next = NULL: first node becomes a one-element output list
 8048b4a:      89 ce                      mov    %ecx,%esi             # esi = output head
 8048b4c:      89 c8                      mov    %ecx,%eax             # eax = prev cursor
 8048b4e:      89 ca                      mov    %ecx,%edx             # edx = cur cursor
 8048b50:      85 db                      test   %ebx,%ebx
 8048b52:      75 2a                      jne    8048b7e <fun6+0x46>   # more input nodes -> insertion loop
 8048b54:      eb 34                      jmp    8048b8a <fun6+0x52>   # single-node input -> return it as is
 8048b56:      89 d0                      mov    %edx,%eax             # advance: prev = cur
 8048b58:      8b 52 08                   mov    0x8(%edx),%edx        #          cur = cur->next
 8048b5b:      85 d2                      test   %edx,%edx
 8048b5d:      74 04                      je     8048b63 <fun6+0x2b>   # reached the end of the output list -> insert after prev
 8048b5f:      39 0a                      cmp    %ecx,(%edx)           # ecx = value of the node being inserted (loaded at 8048b82)
 8048b61:      7f f3                      jg     8048b56 <fun6+0x1e>   # keep walking while cur->value > new value (signed compare)
 8048b63:      39 d0                      cmp    %edx,%eax
 8048b65:      75 04                      jne    8048b6b <fun6+0x33>   # did the walk advance past the head?
 8048b67:      89 de                      mov    %ebx,%esi             # no: new node goes in front and becomes the output head
 8048b69:      eb 03                      jmp    8048b6e <fun6+0x36>
 8048b6b:      89 58 08                   mov    %ebx,0x8(%eax)        # yes: prev->next = new node
 8048b6e:      8b 43 08                   mov    0x8(%ebx),%eax        # eax = new->next (rest of the input), saved before the field is overwritten
 8048b71:      89 53 08                   mov    %edx,0x8(%ebx)        # new->next = cur, re-attaching the tail of the output list
 8048b74:      89 c3                      mov    %eax,%ebx             # ebx = next input node
 8048b76:      89 f2                      mov    %esi,%edx             # restart both cursors at the output head
 8048b78:      89 f0                      mov    %esi,%eax
 8048b7a:      85 db                      test   %ebx,%ebx
 8048b7c:      74 0c                      je     8048b8a <fun6+0x52>   # input exhausted -> return
 8048b7e:      85 d2                      test   %edx,%edx
 8048b80:      74 e1                      je     8048b63 <fun6+0x2b>   # edx is always the non-NULL output head here, so effectively unreachable
 8048b82:      8b 0b                      mov    (%ebx),%ecx           # ecx = value of the node being inserted (ecx no longer holds the argument)
 8048b84:      39 0a                      cmp    %ecx,(%edx)
 8048b86:      7f ce                      jg     8048b56 <fun6+0x1e>   # head->value > new value -> walk past it
 8048b88:      eb d9                      jmp    8048b63 <fun6+0x2b>   # otherwise insert at the head
 8048b8a:      89 f0                      mov    %esi,%eax             # return the output head (descending by value, ties keep the later node first)
 8048b8c:      5b                         pop    %ebx
 8048b8d:      5e                         pop    %esi
 8048b8e:      5d                         pop    %ebp
 8048b8f:      90                         nop    
 8048b90:      c3                         ret    
lecos (Author) Commented:
hi infinity,

The comments you made were helpful; I was able to defuse this bomb. I'll probably need your help later with the buffer bomb.

Glad to hear that :)
