pplembu
asked on
Binary BombLab Phase 2
I'm a computer science major, and I have an assignment to defuse a binary bomb. I'm currently stuck at Phase 2. I've spent more than 10 hours trying to solve this phase but I'm still not able to solve it. I've exploded the bomb 5 times. So, I'm hoping someone out there can help me with this phase. The code is below. What I know thus far is that the result will be 6 numbers.
08048b94 <phase_2>:
8048b94: 55 push %ebp
8048b95: 89 e5 mov %esp,%ebp
8048b97: 56 push %esi
8048b98: 53 push %ebx
8048b99: 83 ec 30 sub $0x30,%esp
8048b9c: 8d 45 e0 lea -0x20(%ebp),%eax
8048b9f: 89 44 24 04 mov %eax,0x4(%esp)
8048ba3: 8b 45 08 mov 0x8(%ebp),%eax
8048ba6: 89 04 24 mov %eax,(%esp)
8048ba9: e8 dc 08 00 00 call 804948a <read_six_numbers>
8048bae: 83 7d e0 01 cmpl $0x1,-0x20(%ebp)
8048bb2: 74 05 je 8048bb9 <phase_2+0x25>
8048bb4: e8 6c 07 00 00 call 8049325 <explode_bomb>
8048bb9: 8d 5d e4 lea -0x1c(%ebp),%ebx
8048bbc: 8d 75 f8 lea -0x8(%ebp),%esi
8048bbf: 8b 43 fc mov -0x4(%ebx),%eax
8048bc2: 01 c0 add %eax,%eax
8048bc4: 39 03 cmp %eax,(%ebx)
8048bc6: 74 05 je 8048bcd <phase_2+0x39>
8048bc8: e8 58 07 00 00 call 8049325 <explode_bomb>
8048bcd: 83 c3 04 add $0x4,%ebx
8048bd0: 39 f3 cmp %esi,%ebx
8048bd2: 75 eb jne 8048bbf <phase_2+0x2b>
8048bd4: 83 c4 30 add $0x30,%esp
8048bd7: 5b pop %ebx
8048bd8: 5e pop %esi
8048bd9: 5d pop %ebp
8048bda: c3 ret
ASKER
Thanks Infunity08 for replying my question.
Attached here is the read_six_numbers function. However, maybe I'm too dumb in GDB and machine language. I have no idea how to figure out those 6 numbers' memory. Would you mind giving me some idea? Thanks
0804948a <read_six_numbers>:
804948a: 55 push %ebp
804948b: 89 e5 mov %esp,%ebp
804948d: 83 ec 28 sub $0x28,%esp
8049490: 8b 45 0c mov 0xc(%ebp),%eax
8049493: 8d 50 14 lea 0x14(%eax),%edx
8049496: 89 54 24 1c mov %edx,0x1c(%esp)
804949a: 8d 50 10 lea 0x10(%eax),%edx
804949d: 89 54 24 18 mov %edx,0x18(%esp)
80494a1: 8d 50 0c lea 0xc(%eax),%edx
80494a4: 89 54 24 14 mov %edx,0x14(%esp)
80494a8: 8d 50 08 lea 0x8(%eax),%edx
80494ab: 89 54 24 10 mov %edx,0x10(%esp)
80494af: 8d 50 04 lea 0x4(%eax),%edx
80494b2: 89 54 24 0c mov %edx,0xc(%esp)
80494b6: 89 44 24 08 mov %eax,0x8(%esp)
80494ba: c7 44 24 04 cd a4 04 movl $0x804a4cd,0x4(%esp)
80494c1: 08
80494c2: 8b 45 08 mov 0x8(%ebp),%eax
80494c5: 89 04 24 mov %eax,(%esp)
80494c8: e8 07 f3 ff ff call 80487d4 <__isoc99_sscanf@plt>
80494cd: 83 f8 05 cmp $0x5,%eax
80494d0: 7f 05 jg 80494d7 <read_six_numbers+0x4d>
80494d2: e8 4e fe ff ff call 8049325 <explode_bomb>
80494d7: c9 leave
80494d8: c3 ret
Do you know how function calls work in assembly ? How parameters are passed ? How results are returned ?
Do you know sscanf ? And how it works ? What its parameters are ?
ASKER
Honestly speaking, I don't. I just learnt assembly language last week, and so I'm totally lost in it. Would you mind guiding me here? Thanks
Do you know any programming language ? Preferably C ?
ASKER
Yup, I do know C and Java.
ASKER
Well, from what I know about the code above: I need to enter 6 numbers. And every number will be the previous number plus four, from the line below:
8048bcd: 83 c3 04 add $0x4,%ebx
However, I don't know what the first number will be. And I don't know how to get the first number.
Thanks
>> Yup, I do know C and Java.
Good, we'll use that as a starting point then.
The read_six_numbers function calls the sscanf function internally :
>> 80494c8: e8 07 f3 ff ff call 80487d4 <__isoc99_sscanf@plt>
I assume you know this function, but for reference :
http://www.cplusplus.com/reference/clibrary/cstdio/sscanf/
The function takes a few parameters (the string to read from, the format string, and 0 or more memory addresses where the read data needs to be stored), and then returns the number of items that were read successfully.
In assembly, before calling a function, the arguments are placed on the stack (in reverse order in the assembly code), then the function is called. The return value is placed in the eax register.
So, given that information, can you figure out where the 6 numbers will be placed in memory ?
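A C reconstruction of the two posted functions, written as an added example (not code from the thread or from the lab itself): each explode_bomb call site in the disassembly becomes a distinct return code so a caller can see which check fired, and the format string at 0x804a4cd is assumed to be "%d %d %d %d %d %d", since its bytes are not shown in the thread.

```c
#include <stdio.h>

/* Each "explode_bomb" call site in the disassembly becomes a distinct
 * return code so the caller can see which check failed. */
enum { DEFUSED = 0, BAD_COUNT = 1, BAD_FIRST = 2, BAD_SEQUENCE = 3 };

/* read_six_numbers: the six lea/mov pairs before the call store
 * &n[0] .. &n[5] at 0x8(%esp) .. 0x1c(%esp), i.e. sscanf's 3rd..8th
 * arguments; 0x8(%ebp) is the input string (1st argument) and 0x804a4cd
 * the format string (2nd argument, assumed "%d %d %d %d %d %d").
 * "cmp $0x5,%eax / jg": fewer than 6 successful conversions explodes. */
static int read_six_numbers(const char *input, int n[6])
{
    int got = sscanf(input, "%d %d %d %d %d %d",
                     &n[0], &n[1], &n[2], &n[3], &n[4], &n[5]);
    return got > 5 ? DEFUSED : BAD_COUNT;
}

/* phase_2: n[] lives at -0x20(%ebp). "cmpl $0x1,-0x20(%ebp)" checks n[0].
 * %ebx walks &n[1] .. &n[5] and stops when it reaches -0x8(%ebp) == &n[6];
 * eax = n[i-1], "add %eax,%eax" doubles it, "cmp %eax,(%ebx)" requires
 * n[i] == 2*n[i-1]. "add $0x4,%ebx" advances the pointer, not the value. */
static int phase_2(const char *input)
{
    int n[6];
    int rc = read_six_numbers(input, n);
    if (rc != DEFUSED)
        return rc;
    if (n[0] != 1)
        return BAD_FIRST;
    for (int i = 1; i < 6; i++)
        if (n[i] != 2 * n[i - 1])
            return BAD_SEQUENCE;
    return DEFUSED;
}

int main(void)
{
    /* Constructed inputs: the asker's guess, two near misses, and the sequence the loop accepts. */
    const char *tries[] = { "1 5 9 13 17 21", "1 2 4 8 16", "2 4 8 16 32 64",
                            "1 2 4 8 16 32" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-16s -> %d\n", tries[i], phase_2(tries[i]));
    return 0;
}
```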
ASKER
>>So, given that information, can you figure out where the 6 numbers will be placed in memory ?
The 6 numbers will be placed in 80487d4. Am I right?
ASKER
8048bae: 83 7d e0 01 cmpl $0x1,-0x20(%ebp)
So from this line, it compares 1 with the digit in ebp, so I can be very sure that our first number will be 1.
8048bcd: 83 c3 04 add $0x4,%ebx
This line says that add 4 to the previous number.
So, I'm guessing the answer would be: 1 5 9 13 17 21
I tried. But the bomb exploded.
>> The 6 numbers will be placed in 80487d4. Am I right?
That's the start address for the sscanf function.
Remember that the arguments are pushed onto the stack before the function is called.
What does the code do before the sscanf function is called ?
ASKER
80494c2: 8b 45 08 mov 0x8(%ebp),%eax
80494c5: 89 04 24 mov %eax,(%esp)
Move the arguments to esp from %eax. Then call the sscanf function. Then check if there are more than 5 arguments. If there are 6 or more numbers, it will return to phase 2. Else, it will explode the bomb.
This is what I understand from the code below:
80494cd: 83 f8 05 cmp $0x5,%eax
80494d0: 7f 05 jg 80494d7 <read_six_numbers+0x4d>
80494d2: e8 4e fe ff ff call 8049325 <explode_bomb>
Then in phase 2, from what I understand, it will add 4 to the previous number. This is what the line below says:
8048bcd: 83 c3 04 add $0x4,%ebx
But I'm not sure what the first number will be. However, I found one line of code:
8048bae: 83 7d e0 01 cmpl $0x1,-0x20(%ebp)
8048bb2: 74 05 je 8048bb9 <phase_2+0x25>
8048bb4: e8 6c 07 00 00 call 8049325 <explode_bomb>
So, I'm guessing the answer would be: 1 5 9 13 17 21, since if it's not 1, the bomb will explode.
However, it doesn't work.
>> move the arguments to esp from %eax.
That's just one of the arguments. Specifically the first argument (the input string).
There are more arguments for sscanf. The second argument is the format string. And the next arguments are the addresses of where the data will end up.
So, where will the 6 numbers be placed in memory ?
ASKER
>> There are more arguments for sscanf. The second argument is the format string. And the next arguments are the addresses of where the data will end up.
I think it's %eax. Well, I'm not sure. What do you mean by "There are more arguments for sscanf"? : (
ASKER
I think %ebx would be the place where the 6 numbers are placed in memory. Am I right?
ASKER CERTIFIED SOLUTION
Ok, that's a start.
The next step is to figure out where those 6 numbers will end up in memory (hint: the read_six_numbers function does all that work).
When you know where they are in memory, you can start figuring out what the code does with those numbers, and what limitations it imposes on the possible values of those numbers.
Just take it one step at a time, and post your progress here. If you're stuck somewhere, just ask, and we'll help you out.