Solved

Binary BombLab Phase 2

Posted on 2011-10-12
Last Modified: 2012-05-12
I'm a computer science major student. I have an assignment to defuse a binary bomb and I'm currently stuck at Phase 2. I spent more than 10 hours trying to solve this phase but I'm still not able to solve it. I exploded the bomb 5 times. So, I'm hoping anyone out there can help me with this phase. The code is below. What I know thus far is the result will be 6 numbers.

 
08048b94 <phase_2>:
 8048b94:	55                   	push   %ebp
 8048b95:	89 e5                	mov    %esp,%ebp
 8048b97:	56                   	push   %esi
 8048b98:	53                   	push   %ebx
 8048b99:	83 ec 30             	sub    $0x30,%esp
 8048b9c:	8d 45 e0             	lea    -0x20(%ebp),%eax
 8048b9f:	89 44 24 04          	mov    %eax,0x4(%esp)
 8048ba3:	8b 45 08             	mov    0x8(%ebp),%eax
 8048ba6:	89 04 24             	mov    %eax,(%esp)
 8048ba9:	e8 dc 08 00 00       	call   804948a <read_six_numbers>
 8048bae:	83 7d e0 01          	cmpl   $0x1,-0x20(%ebp)
 8048bb2:	74 05                	je     8048bb9 <phase_2+0x25>
 8048bb4:	e8 6c 07 00 00       	call   8049325 <explode_bomb>
 8048bb9:	8d 5d e4             	lea    -0x1c(%ebp),%ebx
 8048bbc:	8d 75 f8             	lea    -0x8(%ebp),%esi
 8048bbf:	8b 43 fc             	mov    -0x4(%ebx),%eax
 8048bc2:	01 c0                	add    %eax,%eax
 8048bc4:	39 03                	cmp    %eax,(%ebx)
 8048bc6:	74 05                	je     8048bcd <phase_2+0x39>
 8048bc8:	e8 58 07 00 00       	call   8049325 <explode_bomb>
 8048bcd:	83 c3 04             	add    $0x4,%ebx
 8048bd0:	39 f3                	cmp    %esi,%ebx
 8048bd2:	75 eb                	jne    8048bbf <phase_2+0x2b>
 8048bd4:	83 c4 30             	add    $0x30,%esp
 8048bd7:	5b                   	pop    %ebx
 8048bd8:	5e                   	pop    %esi
 8048bd9:	5d                   	pop    %ebp
 8048bda:	c3                   	ret

Question by:pplembu

16 Comments
 
LVL 53

Expert Comment

by:Infinity08
ID: 36960848
>> What I know thus far is the result will be 6 numbers.

Ok, that's a start.

The next step, is to figure out where those 6 numbers will end up in memory (hint : the read_six_numbers function does all that work).

When you know where they are in memory, you can start figuring out what the code does with those numbers, and what limitations it imposes on the possible values of those numbers.

Just take it one step at a time, and post your progress here. If you're stuck somewhere, just ask, and we'll help you out.
 

Author Comment

by:pplembu
ID: 36962648
Thanks Infinity08 for replying to my question.

Attached here is the read_six_numbers function. However, maybe I'm too dumb in GDB and machine language. I have no idea how to figure out those 6 numbers' memory. Would you mind giving me some idea? Thanks
0804948a <read_six_numbers>:
 804948a:	55                   	push   %ebp
 804948b:	89 e5                	mov    %esp,%ebp
 804948d:	83 ec 28             	sub    $0x28,%esp
 8049490:	8b 45 0c             	mov    0xc(%ebp),%eax
 8049493:	8d 50 14             	lea    0x14(%eax),%edx
 8049496:	89 54 24 1c          	mov    %edx,0x1c(%esp)
 804949a:	8d 50 10             	lea    0x10(%eax),%edx
 804949d:	89 54 24 18          	mov    %edx,0x18(%esp)
 80494a1:	8d 50 0c             	lea    0xc(%eax),%edx
 80494a4:	89 54 24 14          	mov    %edx,0x14(%esp)
 80494a8:	8d 50 08             	lea    0x8(%eax),%edx
 80494ab:	89 54 24 10          	mov    %edx,0x10(%esp)
 80494af:	8d 50 04             	lea    0x4(%eax),%edx
 80494b2:	89 54 24 0c          	mov    %edx,0xc(%esp)
 80494b6:	89 44 24 08          	mov    %eax,0x8(%esp)
 80494ba:	c7 44 24 04 cd a4 04 	movl   $0x804a4cd,0x4(%esp)
 80494c1:	08 
 80494c2:	8b 45 08             	mov    0x8(%ebp),%eax
 80494c5:	89 04 24             	mov    %eax,(%esp)
 80494c8:	e8 07 f3 ff ff       	call   80487d4 <__isoc99_sscanf@plt>
 80494cd:	83 f8 05             	cmp    $0x5,%eax
 80494d0:	7f 05                	jg     80494d7 <read_six_numbers+0x4d>
 80494d2:	e8 4e fe ff ff       	call   8049325 <explode_bomb>
 80494d7:	c9                   	leave  
 80494d8:	c3                   	ret

 
LVL 53

Expert Comment

by:Infinity08
ID: 36962662
Do you know how function calls work in assembly ? How parameters are passed ? How results are returned ?

Do you know sscanf ? And how it works ? What its parameters are ?

 

Author Comment

by:pplembu
ID: 36962703
Honestly speaking, I don't. I just learnt assembly language last week. And so, I'm totally lost in assembly language. Would you mind guiding me here? Thanks
 
LVL 53

Expert Comment

by:Infinity08
ID: 36962760
Do you know any programming language ? Preferably C ?
 

Author Comment

by:pplembu
ID: 36962772
Yup, I do know C and Java.
 

Author Comment

by:pplembu
ID: 36962819
Well, from what I know about the code above: I need to enter 6 numbers. And every number will be the last number plus four, from the line below:

 8048bcd:      83 c3 04                   add    $0x4,%ebx

However, I don't know what the first number will be. And I don't know how to get the first number.

Thanks
 
LVL 53

Expert Comment

by:Infinity08
ID: 36963067
>> Yup, I do know C and Jave.

Good, we'll use that as a starting point then.

The read_six_numbers function calls the sscanf function internally :

>>  80494c8:      e8 07 f3 ff ff             call   80487d4 <__isoc99_sscanf@plt>

I assume you know this function, but for reference :

        http://www.cplusplus.com/reference/clibrary/cstdio/sscanf/

The function takes a few parameters (the string to read from, the format string, and 0 or more memory addresses where the read data need to be stored), and then returns the amount of items that were read successfully.

In assembly, before calling a function, the arguments are placed on the stack (in reverse order in the assembly code), then the function is called. The return value is placed in the eax register.

So, given that information, can you figure out where the 6 numbers will be placed in memory ?
 

Author Comment

by:pplembu
ID: 36963841
>>So, given that information, can you figure out where the 6 numbers will be placed in memory ?
The 6 numbers will be placed in 80487d4. Am I right?
 

Author Comment

by:pplembu
ID: 36964246
8048bae:      83 7d e0 01                cmpl   $0x1,-0x20(%ebp)

So from this line, it compares 1 with the digit in ebp, so I can be very sure that our first number will be 1.

 8048bcd:      83 c3 04                   add    $0x4,%ebx

This line says that add 4 to the previous number.

So, I'm guessing the answer would be:  1 5 9 13 17 21

I tried. But the bomb is exploded.
 
LVL 53

Expert Comment

by:Infinity08
ID: 36964679
>> The 6 numbers will be placed in 80487d4. Am I right?

That's the start address for the sscanf function.

Remember that the arguments are pushed onto the stack before the function is called.

What does the code do before the sscanf function is called ?
 

Author Comment

by:pplembu
ID: 36964844
80494c2:	8b 45 08             	mov    0x8(%ebp),%eax
 80494c5:	89 04 24             	mov    %eax,(%esp)


Move the arguments to esp from %eax. Then call the sscanf function, to check if the arguments are more than 5 numbers. If there are 6 or more numbers, it will return to phase 2. Else, it will explode the bomb.
This is what I understand from the code below:

 
 80494cd:	83 f8 05             	cmp    $0x5,%eax
 80494d0:	7f 05                	jg     80494d7 <read_six_numbers+0x4d>
 80494d2:	e8 4e fe ff ff       	call   8049325 <explode_bomb>

Then in phase 2, from what I understand, it will add 4 to the previous number. This is what line below say:

8048bcd:      83 c3 04                   add    $0x4,%ebx

But I'm not sure what the first number will be. However, I found one line of code:

8048bae:	83 7d e0 01          	cmpl   $0x1,-0x20(%ebp)
 8048bb2:	74 05                	je     8048bb9 <phase_2+0x25>
 8048bb4:	e8 6c 07 00 00       	call   8049325 <explode_bomb>

So, I'm guessing the answer would be:  1 5 9 13 17 21. Since if it's not 1, the bomb will be exploded.

However, it doesn't work.
 
LVL 53

Expert Comment

by:Infinity08
ID: 36965081
>> move the arguments to esp from %eax.

That's just one of the arguments. Specifically the first argument (the input string).

There are more arguments for sscanf. The second argument is the format string. And the next arguments are the addresses of where the data will end up.

So, where will the 6 numbers be placed in memory ?
 

Author Comment

by:pplembu
ID: 36965135
>>There are more arguments for sscanf. The second argument is the format string. And the next arguments are the addresses of where the data will end up.

I think it's %eax. Well, I'm not sure. What do you mean by "There are more arguments for sscanf"? : (
 

Author Comment

by:pplembu
ID: 36965987
I think %ebx would be the place the 6 numbers placed in memory. Am I right?
 
LVL 53

Accepted Solution

by:
Infinity08 earned 2000 total points
ID: 36966790
>> What do you mean by "There are more arguments for sscanf"? : (

Let's go back to my earlier post http:#36963067, where I talked about the sscanf function. If you don't know what it does or how it works, you can read through the reference link I provided there.

Knowing how sscanf works, you'll see that more than 1 argument needs to be passed to it, in order for it to work.

And, since arguments are placed on the stack, one at a time, just before the function is called, it should be easy to find out what those arguments are.

You found the first argument already here :

>>  80494c2:      8b 45 08                   mov    0x8(%ebp),%eax
>>  80494c5:      89 04 24                   mov    %eax,(%esp)

0x8(%ebp) is itself a parameter of the read_six_numbers function (it points to the input string). It is copied into the eax register, and from there, it's placed at the top of the stack (the esp register always points to the top of the stack).

What are the other arguments passed to the sscanf function ? (hint : they will be placed on the stack just before this first argument)
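The discussion above (the sscanf argument setup in read_six_numbers, and the compare/loop in phase_2) is easier to follow next to the C it corresponds to. The block below is an added reading aid written for this thread, not the bomb's own source and not code from either participant. It assumes the format string at 0x804a4cd is six "%d" conversions (the string itself is not shown on the page); the function names mirror the disassembly, and the return values stand in for "explode_bomb" versus "fall through", so the bomb's exit is not reproduced. The sample inputs in main are constructed.

```c
#include <stdio.h>

/*
 * C reading of read_six_numbers (0x804948a). The disassembly builds the
 * call sscanf(input, fmt, &a[0], &a[1], ..., &a[5]) by storing each
 * argument at an offset from %esp: the input string at 0(%esp), the
 * format string at 4(%esp), then the six addresses at 8(%esp)..0x1c(%esp).
 * "cmp $0x5,%eax / jg" afterwards: fewer than six parsed items explodes.
 * The "%d %d %d %d %d %d" format is an assumption (not shown on the page).
 */
int read_six_numbers(const char *input, int a[6])
{
    int n = sscanf(input, "%d %d %d %d %d %d",
                   &a[0], &a[1], &a[2], &a[3], &a[4], &a[5]);
    return n > 5;               /* 1 = six numbers read, 0 = explode_bomb */
}

/*
 * C reading of phase_2 (0x8048b94). lea -0x20(%ebp),%eax passes the
 * address of a local int[6] to read_six_numbers, so a[0] lives at
 * -0x20(%ebp) and a[5] at -0xc(%ebp). Returns 1 if the phase is passed,
 * 0 wherever the disassembly would call explode_bomb.
 */
int phase_2_defused(const char *input)
{
    int a[6];

    if (!read_six_numbers(input, a))
        return 0;               /* explode_bomb inside read_six_numbers */

    if (a[0] != 1)              /* cmpl $0x1,-0x20(%ebp) ; je ... */
        return 0;               /* call explode_bomb */

    /*
     * %ebx starts at &a[1] (-0x1c(%ebp)) and %esi marks one past the
     * end (&a[6] == -0x8(%ebp)). Each iteration loads the previous
     * element (-0x4(%ebx)), doubles it (add %eax,%eax), and compares it
     * with the current element; add $0x4,%ebx advances the pointer by
     * one int, not the value by four.
     */
    for (int i = 1; i < 6; i++) {
        if (a[i] != 2 * a[i - 1])   /* cmp %eax,(%ebx) ; je ... */
            return 0;               /* call explode_bomb */
    }
    return 1;                       /* loop exits: cmp %esi,%ebx ; jne */
}

int main(void)
{
    /* Constructed sample inputs for a stand-alone run. */
    const char *samples[] = { "1 5 9 13 17 21", "1 2 3", "2 4 8 16 32 64" };
    for (int i = 0; i < 3; i++)
        printf("\"%s\" -> %s\n", samples[i],
               phase_2_defused(samples[i]) ? "defused" : "BOOM");
    return 0;
}
```

The point the expert is steering at is visible in the two functions: the six numbers are not in %eax or %ebx, they are in the caller's stack frame at -0x20(%ebp) onward, because that address is what phase_2 hands to read_six_numbers, which in turn hands each element's address to sscanf. The "+4" in the loop is pointer arithmetic over that array, which is why 1 5 9 13 17 21 explodes.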