• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5194
  • Last Modified:

Help! Solving Phase 4 of my binary bomb

I cannot seem to figure out the loops of the func4. I believe my code asks for 2 "inputs" in the input string and that the final result in %eax needs to equal 17711 (which is a strange number!). I have stepped through the sequence a few times but am not sure what is happening in the func4 section.

I know a lot of times people ask for comments but I wrote mine on paper and do not really want to put them all in...

basically though i do know whats going on with the transfer of memory addresses I just cannot figure out what then are the actual procedures going on that will allow me to understand what the input needs to be.

Any suggestions?! Thanks!
08048d25 <func4>:
 8048d25:	55                   	push   %ebp
 8048d26:	89 e5                	mov    %esp,%ebp
 8048d28:	56                   	push   %esi
 8048d29:	53                   	push   %ebx
 8048d2a:	8b 75 08             	mov    0x8(%ebp),%esi
 8048d2d:	b8 01 00 00 00       	mov    $0x1,%eax
 8048d32:	83 fe 01             	cmp    $0x1,%esi
 8048d35:	7e 1c                	jle    8048d53 <func4+0x2e>
 8048d37:	83 ec 0c             	sub    $0xc,%esp
 8048d3a:	8d 46 ff             	lea    0xffffffff(%esi),%eax
 8048d3d:	50                   	push   %eax
 8048d3e:	e8 e2 ff ff ff       	call   8048d25 <func4>
 8048d43:	89 c3                	mov    %eax,%ebx
 8048d45:	8d 46 fe             	lea    0xfffffffe(%esi),%eax
 8048d48:	89 04 24             	mov    %eax,(%esp)
 8048d4b:	e8 d5 ff ff ff       	call   8048d25 <func4>
 8048d50:	8d 04 03             	lea    (%ebx,%eax,1),%eax
 8048d53:	8d 65 f8             	lea    0xfffffff8(%ebp),%esp
 8048d56:	5b                   	pop    %ebx
 8048d57:	5e                   	pop    %esi
 8048d58:	c9                   	leave  
 8048d59:	c3                   	ret    

08048d5a <phase_4>:
 8048d5a:	55                   	push   %ebp
 8048d5b:	89 e5                	mov    %esp,%ebp
 8048d5d:	83 ec 0c             	sub    $0xc,%esp
 8048d60:	8d 45 fc             	lea    0xfffffffc(%ebp),%eax
 8048d63:	50                   	push   %eax
 8048d64:	68 c4 98 04 08       	push   $0x80498c4
 8048d69:	ff 75 08             	pushl  0x8(%ebp)
 8048d6c:	e8 c3 fb ff ff       	call   8048934 <sscanf@plt>
 8048d71:	83 c4 10             	add    $0x10,%esp
 8048d74:	83 f8 01             	cmp    $0x1,%eax
 8048d77:	75 06                	jne    8048d7f <phase_4+0x25>
 8048d79:	83 7d fc 00          	cmpl   $0x0,0xfffffffc(%ebp)
 8048d7d:	7f 05                	jg     8048d84 <phase_4+0x2a>
 8048d7f:	e8 fc 07 00 00       	call   8049580 <explode_bomb>
 8048d84:	ff 75 fc             	pushl  0xfffffffc(%ebp)
 8048d87:	e8 99 ff ff ff       	call   8048d25 <func4>
 8048d8c:	83 c4 04             	add    $0x4,%esp
 8048d8f:	3d 2f 45 00 00       	cmp    $0x452f,%eax
 8048d94:	74 05                	je     8048d9b <phase_4+0x41>
 8048d96:	e8 e5 07 00 00       	call   8049580 <explode_bomb>
 8048d9b:	c9                   	leave  
 8048d9c:	c3                   	ret

Open in new window

1
gpower90
Asked:
gpower90
  • 5
  • 4
1 Solution
 
Infinity08Commented:
>> I know a lot of times people ask for comments but I wrote mine on paper and do not really want to put them all in...

Still, it would make it a lot easier for us to see where your problem lies. func4 has only about 20 instructions, so it shouldn't be too much trouble to comment them ;)

Do you know what recursive function calls are ?
0
 
gpower90Author Commented:
I know what recursive functions are - functions that call themselves... interesting I forgot about that but I'm not sure I see the significance...

I added some comments. But it's still difficult to visualize what is really going on here.

08048d25 <func4>:
 8048d25:	55                   	push   %ebp //save frame ptr
 8048d26:	89 e5                	mov    %esp,%ebp 
 8048d28:	56                   	push   %esi //parameter2
 8048d29:	53                   	push   %ebx //parameter1
 8048d2a:	8b 75 08             	mov    0x8(%ebp),%esi //esi=ebp+8
 8048d2d:	b8 01 00 00 00       	mov    $0x1,%eax //eax=1
 8048d32:	83 fe 01             	cmp    $0x1,%esi //compare
 8048d35:	7e 1c                	jle    8048d53 <func4+0x2e> //check if esi<=1 if yes jump to end if not next line
 8048d37:	83 ec 0c             	sub    $0xc,%esp //esp-10
 8048d3a:	8d 46 ff             	lea    0xffffffff(%esi),%eax //eax = esi-1
 8048d3d:	50                   	push   %eax //esp-4
 8048d3e:	e8 e2 ff ff ff       	call   8048d25 <func4> eax=func4(eax)
 8048d43:	89 c3                	mov    %eax,%ebx //ebx = eax
 8048d45:	8d 46 fe             	lea    0xfffffffe(%esi),%eax // eax = esi-2
 8048d48:	89 04 24             	mov    %eax,(%esp) // *esp = eax
 8048d4b:	e8 d5 ff ff ff       	call   8048d25 <func4> //eax=func4(eax)
 8048d50:	8d 04 03             	lea    (%ebx,%eax,1),%eax //eax = ebx+eax
 8048d53:	8d 65 f8             	lea    0xfffffff8(%ebp),%esp // esp = ebp-8
 8048d56:	5b                   	pop    %ebx
 8048d57:	5e                   	pop    %esi // prepare to leave the function
 8048d58:	c9                   	leave  
 8048d59:	c3                   	ret

Open in new window

0
 
Infinity08Commented:
>> I'm not sure I see the significance...

The significance, is that func4 is a recursive function ... Realizing that is necessary to understand what's happening.


>>  8048d28:      56                         push   %esi //parameter2
>>  8048d29:      53                         push   %ebx //parameter1

They aren't parameters. These two lines are simply saving the state of two registers onto the stack, so they can be restored at the end of the function.
This is necessary, especially because the function will call itself recursively, and you want to keep track of the state of each call.


>>  8048d2a:      8b 75 08                   mov    0x8(%ebp),%esi //esi=ebp+8

Not exactly. In a mov instruction, the () indicates that a memory address is calculated, and the value AT THAT ADDRESS is copied.


>>  8048d37:      83 ec 0c                   sub    $0xc,%esp //esp-10

0xc is 12 in decimal, not 10.


The rest looks ok.

So, now, it's a matter of figuring out what's actually going on at a higher level. The func4 code calls itself , but when and how ? And how does the recursion end ? And what's the final result ?

Try looking at the low-level interpretation you just gave (the comments), and write down a more high-level description of what's going on.
0
Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
gpower90Author Commented:
is this true?

>> I believe my code asks for 2 "inputs" in the input string and that the final result in %eax needs to equal 17711 (which is a strange number!)

also, so now I see I think that the recursive calls to func4 (the first one being saved in %ebx) are added together and stored in %eax after the second recursive call?

0
 
Infinity08Commented:
>> is this true?

The format string for sscanf is at $0x80498c4, so you can easily check it ... The code only indicates one value though ...


>> also, so now I see I think that the recursive calls to func4 (the first one being saved in %ebx) are added together and stored in %eax after the second recursive call?

Ok. So, given an argument x to the func4 function, what does the function calculate ? Or in other words, what will y be :

        y = func4(x);
0
 
gpower90Author Commented:
So i see that the string for scanf is 37...

and I figured out the answer is 21. I still cannot quite explain func4 but I know it does addition of the previous 2 values (as in input 2 output 2,  input 3 output 3,  input 4 output 5,  input 5 output 8 etc.)

I don't understand though how to tell that the users string input was only 1 value (%d)? any comments that could help me as I try to determine the user input for my next phases?

Thanks!
0
 
gpower90Author Commented:
Sorry, I mentioned that sscanf had 37 does that do anything later in the problem that number specifically? or is all that matters about that is that it is one token?
0
 
gpower90Author Commented:
Last one for now... how could you tell the format string for sscanf is at $0x80498c4 and not my input?
0
 
Infinity08Commented:
>> So i see that the string for scanf is 37...

I'm not sure what you mean by that, but if you mean that the format string is "37", then I'm sure you looked in the wrong place. It should have been something like "%d".


>> I don't understand though how to tell that the users string input was only 1 value (%d)?

sscanf returns the number of succesfully read tokens. The code checks the return value (%eax), and requires it to be 1 :

>>  8048d74:      83 f8 01                   cmp    $0x1,%eax
>>  8048d77:      75 06                      jne    8048d7f <phase_4+0x25>


>> how could you tell the format string for sscanf is at $0x80498c4 and not my input?

The second parameter of sscanf is the format string.
The second parameter that the code passes to sscanf is :

>>  8048d64:      68 c4 98 04 08             push   $0x80498c4


Maybe it's a good idea to read up on how sscanf works. On this reference page eg. :

        http://www.cplusplus.com/reference/clibrary/cstdio/sscanf/


>> I still cannot quite explain func4

As I said earlier : to figure that out, you need to take the low-level description you posted in http:#35458672, and try to make sense of it, by writing down a corresponding high-level description in pseudo code.

The func4 function makes two recursive calls to itself, yes. But what is it passing as parameter to those recursive calls ? What is it doing with the results of those recursive calls ? What's the termination condition of the recursive calls ?

And then finally, what would y be if func4 were called with x as parameter ?

        y = func4(x)
0

Featured Post

Prep for the ITIL® Foundation Certification Exam

December’s Course of the Month is now available! Enroll to learn ITIL® Foundation best practices for delivering IT services effectively and efficiently.

  • 5
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now