Binary BombLab Phase 2

pplembu (asker):
I'm a computer science major, and I have an assignment to defuse a binary bomb. I'm currently stuck at Phase 2. I have spent more than 10 hours trying to solve this phase, but I'm still not able to solve it. I have exploded the bomb 5 times. So I'm hoping someone out there can help me with this phase. The code is below. What I know thus far is that the result will be 6 numbers.

08048b94 <phase_2>:
 8048b94:	55                   	push   %ebp
 8048b95:	89 e5                	mov    %esp,%ebp
 8048b97:	56                   	push   %esi
 8048b98:	53                   	push   %ebx
 8048b99:	83 ec 30             	sub    $0x30,%esp
 8048b9c:	8d 45 e0             	lea    -0x20(%ebp),%eax
 8048b9f:	89 44 24 04          	mov    %eax,0x4(%esp)
 8048ba3:	8b 45 08             	mov    0x8(%ebp),%eax
 8048ba6:	89 04 24             	mov    %eax,(%esp)
 8048ba9:	e8 dc 08 00 00       	call   804948a <read_six_numbers>
 8048bae:	83 7d e0 01          	cmpl   $0x1,-0x20(%ebp)
 8048bb2:	74 05                	je     8048bb9 <phase_2+0x25>
 8048bb4:	e8 6c 07 00 00       	call   8049325 <explode_bomb>
 8048bb9:	8d 5d e4             	lea    -0x1c(%ebp),%ebx
 8048bbc:	8d 75 f8             	lea    -0x8(%ebp),%esi
 8048bbf:	8b 43 fc             	mov    -0x4(%ebx),%eax
 8048bc2:	01 c0                	add    %eax,%eax
 8048bc4:	39 03                	cmp    %eax,(%ebx)
 8048bc6:	74 05                	je     8048bcd <phase_2+0x39>
 8048bc8:	e8 58 07 00 00       	call   8049325 <explode_bomb>
 8048bcd:	83 c3 04             	add    $0x4,%ebx
 8048bd0:	39 f3                	cmp    %esi,%ebx
 8048bd2:	75 eb                	jne    8048bbf <phase_2+0x2b>
 8048bd4:	83 c4 30             	add    $0x30,%esp
 8048bd7:	5b                   	pop    %ebx
 8048bd8:	5e                   	pop    %esi
 8048bd9:	5d                   	pop    %ebp
 8048bda:	c3                   	ret


Infinity08:

>> What I know thus far is the result will be 6 numbers.

Ok, that's a start.

The next step is to figure out where those 6 numbers will end up in memory (hint: the read_six_numbers function does all that work).

When you know where they are in memory, you can start figuring out what the code does with those numbers, and what limitations it imposes on the possible values of those numbers.

Just take it one step at a time, and post your progress here. If you're stuck somewhere, just ask, and we'll help you out.
pplembu (asker):

Thanks Infinity08 for replying to my question.

Attached here is the read_six_numbers function. However, maybe I'm too dumb at GDB and machine language; I have no idea how to figure out where those 6 numbers are in memory. Would you mind giving me some ideas? Thanks
0804948a <read_six_numbers>:
 804948a:	55                   	push   %ebp
 804948b:	89 e5                	mov    %esp,%ebp
 804948d:	83 ec 28             	sub    $0x28,%esp
 8049490:	8b 45 0c             	mov    0xc(%ebp),%eax
 8049493:	8d 50 14             	lea    0x14(%eax),%edx
 8049496:	89 54 24 1c          	mov    %edx,0x1c(%esp)
 804949a:	8d 50 10             	lea    0x10(%eax),%edx
 804949d:	89 54 24 18          	mov    %edx,0x18(%esp)
 80494a1:	8d 50 0c             	lea    0xc(%eax),%edx
 80494a4:	89 54 24 14          	mov    %edx,0x14(%esp)
 80494a8:	8d 50 08             	lea    0x8(%eax),%edx
 80494ab:	89 54 24 10          	mov    %edx,0x10(%esp)
 80494af:	8d 50 04             	lea    0x4(%eax),%edx
 80494b2:	89 54 24 0c          	mov    %edx,0xc(%esp)
 80494b6:	89 44 24 08          	mov    %eax,0x8(%esp)
 80494ba:	c7 44 24 04 cd a4 04 	movl   $0x804a4cd,0x4(%esp)
 80494c1:	08 
 80494c2:	8b 45 08             	mov    0x8(%ebp),%eax
 80494c5:	89 04 24             	mov    %eax,(%esp)
 80494c8:	e8 07 f3 ff ff       	call   80487d4 <__isoc99_sscanf@plt>
 80494cd:	83 f8 05             	cmp    $0x5,%eax
 80494d0:	7f 05                	jg     80494d7 <read_six_numbers+0x4d>
 80494d2:	e8 4e fe ff ff       	call   8049325 <explode_bomb>
 80494d7:	c9                   	leave  
 80494d8:	c3                   	ret

Infinity08:

Do you know how function calls work in assembly? How parameters are passed? How results are returned?

Do you know sscanf? And how it works? What its parameters are?
pplembu (asker):

Honestly speaking, I don't. I just learnt assembly language last week, so I'm totally lost in it. Would you mind guiding me here? Thanks

Infinity08:

Do you know any programming language? Preferably C?
pplembu (asker):

Yup, I do know C and Java.
pplembu (asker):

Well, from what I know about the code above: I need to enter 6 numbers, and every number will be the previous number plus four, from the line below:

 8048bcd:      83 c3 04                   add    $0x4,%ebx


However, I don't know what the first number will be, and I don't know how to get it.

Thanks

Infinity08:

>> Yup, I do know C and Java.

Good, we'll use that as a starting point then.

The read_six_numbers function calls the sscanf function internally :

>>  80494c8:      e8 07 f3 ff ff             call   80487d4 <__isoc99_sscanf@plt>

I assume you know this function, but for reference :

        http://www.cplusplus.com/reference/clibrary/cstdio/sscanf/

The function takes a few parameters (the string to read from, the format string, and 0 or more memory addresses where the read data needs to be stored), and then returns the number of items that were read successfully.

In assembly, before calling a function, the arguments are placed on the stack (in reverse order in the assembly code), then the function is called. The return value is placed in the eax register.

So, given that information, can you figure out where the 6 numbers will be placed in memory ?
pplembu (asker):

>>So, given that information, can you figure out where the 6 numbers will be placed in memory ?
The 6 numbers will be placed at 80487d4. Am I right?

pplembu (asker):

8048bae:      83 7d e0 01                cmpl   $0x1,-0x20(%ebp)

So from this line, it compares 1 with the digit in ebp, so I can be very sure that our first number will be 1.

 8048bcd:      83 c3 04                   add    $0x4,%ebx

This line says to add 4 to the previous number.

So, I'm guessing the answer would be: 1 5 9 13 17 21

I tried, but the bomb exploded.

Infinity08:

>> The 6 numbers will be placed at 80487d4. Am I right?

That's the start address of the sscanf function.

Remember that the arguments are pushed onto the stack before the function is called.

What does the code do before the sscanf function is called ?
pplembu (asker):

80494c2:	8b 45 08             	mov    0x8(%ebp),%eax
 80494c5:	89 04 24             	mov    %eax,(%esp)

Move the arguments to esp from %eax, then call the sscanf function to check if the arguments are more than 5 numbers. If there are 6 or more numbers, it will return to phase 2; else, it will explode the bomb.
This is what I understand from the code below:

 80494cd:	83 f8 05             	cmp    $0x5,%eax
 80494d0:	7f 05                	jg     80494d7 <read_six_numbers+0x4d>
 80494d2:	e8 4e fe ff ff       	call   8049325 <explode_bomb>

Then in phase 2, from what I understand, it will add 4 to the previous number. This is what the line below says:

8048bcd:      83 c3 04                   add    $0x4,%ebx

But I'm not sure what the first number will be. However, I found one line of code:

8048bae:	83 7d e0 01          	cmpl   $0x1,-0x20(%ebp)
 8048bb2:	74 05                	je     8048bb9 <phase_2+0x25>
 8048bb4:	e8 6c 07 00 00       	call   8049325 <explode_bomb>


So, I'm guessing the answer would be: 1 5 9 13 17 21, since if it's not 1, the bomb will explode.

However, it doesn't work.

Infinity08:

>> Move the arguments to esp from %eax.

That's just one of the arguments, specifically the first argument (the input string).

There are more arguments for sscanf. The second argument is the format string, and the next arguments are the addresses where the data will end up.

So, where will the 6 numbers be placed in memory ?
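The two explanations above (the sscanf walk-through that the return value lands in eax and the arguments are placed on the stack, and the note that the third and later arguments are the addresses the data ends up at) can be pinned down by rewriting both functions from the disassembly in C. This is an added example, not the lab's source and not code posted in the thread: the format string is only visible as the address $0x804a4cd, so "%d %d %d %d %d %d" is an assumption, and explode_bomb, which never returns in the real binary, is modelled as a return code so the functions can be called and checked.

```c
#include <stdio.h>

/* Stand-ins for the lab's explode_bomb(), which never returns.  Modelling it
 * as a return value lets the reconstruction be called like a normal function. */
#define EXPLODED (-1)
#define DEFUSED 0

/*
 * Reconstruction of 0804948a <read_six_numbers>.
 *
 * Stack layout just before "call __isoc99_sscanf" (32-bit cdecl, arguments
 * stored at esp offsets rather than pushed):
 *   (%esp)      input string            (copied from 0x8(%ebp), 1st argument)
 *   0x4(%esp)   format string           ($0x804a4cd, contents assumed below)
 *   0x8(%esp)   %eax        = &numbers[0]
 *   0xc(%esp)   0x4(%eax)   = &numbers[1]
 *   0x10(%esp)  0x8(%eax)   = &numbers[2]
 *   0x14(%esp)  0xc(%eax)   = &numbers[3]
 *   0x18(%esp)  0x10(%eax)  = &numbers[4]
 *   0x1c(%esp)  0x14(%eax)  = &numbers[5]
 * %eax was loaded from 0xc(%ebp), the 2nd argument: the caller's int[6].
 */
static int read_six_numbers(const char *input, int numbers[6])
{
    /* ASSUMPTION: the string at 0x804a4cd is "%d %d %d %d %d %d"; the
     * disassembly only shows its address, not its contents. */
    int count = sscanf(input, "%d %d %d %d %d %d",
                       &numbers[0], &numbers[1], &numbers[2],
                       &numbers[3], &numbers[4], &numbers[5]);
    /* cmp $0x5,%eax ; jg: fewer than six parsed items explodes the bomb */
    if (count <= 5)
        return EXPLODED;
    return DEFUSED;
}

/*
 * Reconstruction of 08048b94 <phase_2>.
 * "lea -0x20(%ebp),%eax ; mov %eax,0x4(%esp)" passes the address of a local
 * array of six ints, so the numbers live at -0x20(%ebp) .. -0xc(%ebp).
 */
static int phase_2(const char *input)
{
    int numbers[6];                          /* starts at -0x20(%ebp) */

    if (read_six_numbers(input, numbers) == EXPLODED)
        return EXPLODED;

    /* cmpl $0x1,-0x20(%ebp): the first number must be 1 */
    if (numbers[0] != 1)
        return EXPLODED;

    /* ebx = -0x1c(%ebp) = &numbers[1]; esi = -0x8(%ebp) = &numbers[6], one
     * past the end.  Each iteration loads the previous element (-0x4(%ebx)),
     * doubles it (add %eax,%eax) and compares it with the current element.
     * "add $0x4,%ebx" advances the pointer by one int; it adds nothing to
     * the numbers themselves. */
    for (int *p = &numbers[1]; p != &numbers[6]; p++) {
        int expected = p[-1] + p[-1];
        if (*p != expected)
            return EXPLODED;
    }
    return DEFUSED;
}

int main(void)
{
    /* Constructed inputs: too few numbers, the guess from the thread, and a
     * sequence that satisfies every check in the reconstruction. */
    const char *inputs[] = { "1 2 3", "1 5 9 13 17 21", "1 2 4 8 16 32" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-16s -> %s\n", inputs[i],
               phase_2(inputs[i]) == DEFUSED ? "defused" : "BOOM");
    return 0;
}
```

To check the layout against the real binary rather than trust the reconstruction, set a breakpoint on the instruction after the call with break *0x8048bae, run, type six numbers, and x/6dw $ebp-0x20 will print the array read_six_numbers just filled in; x/s 0x804a4cd prints the actual format string. A breakpoint at 0x8048bc4 (the cmp %eax,(%ebx)) with info registers eax ebx on each iteration shows the doubled previous value beside the pointer being compared.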
pplembu (asker):

>> There are more arguments for sscanf. The second argument is the format string, and the next arguments are the addresses where the data will end up.

I think it's %eax. Well, I'm not sure. What do you mean by "There are more arguments for sscanf"? :(
pplembu (asker):

I think %ebx would be the place the 6 numbers placed in memory. Am I right?
ASKER CERTIFIED SOLUTION (Infinity08)