Solved

# Binary BombLab Phase 2

Posted on 2011-10-12
I'm a computer science major student, and I have an assignment to defuse a binary bomb. I am currently stuck at Phase 2. I have spent more than 10 hours trying to solve this phase, but I am still not able to solve it. I have exploded the bomb 5 times. So, I'm hoping someone out there can help me with this phase. The code is below. What I know thus far is that the result will be 6 numbers.

```
08048b94 <phase_2>:
8048b94:	55                   	push   %ebp
8048b95:	89 e5                	mov    %esp,%ebp
8048b97:	56                   	push   %esi
8048b98:	53                   	push   %ebx
8048b99:	83 ec 30             	sub    $0x30,%esp
8048b9c:	8d 45 e0             	lea    -0x20(%ebp),%eax
8048b9f:	89 44 24 04          	mov    %eax,0x4(%esp)
8048ba3:	8b 45 08             	mov    0x8(%ebp),%eax
8048ba6:	89 04 24             	mov    %eax,(%esp)
8048ba9:	e8 dc 08 00 00       	call   804948a <read_six_numbers>
8048bae:	83 7d e0 01          	cmpl   $0x1,-0x20(%ebp)
8048bb2:	74 05                	je     8048bb9 <phase_2+0x25>
8048bb4:	e8 6c 07 00 00       	call   8049325 <explode_bomb>
8048bb9:	8d 5d e4             	lea    -0x1c(%ebp),%ebx
8048bbc:	8d 75 f8             	lea    -0x8(%ebp),%esi
8048bbf:	8b 43 fc             	mov    -0x4(%ebx),%eax
8048bc4:	39 03                	cmp    %eax,(%ebx)
8048bc6:	74 05                	je     8048bcd <phase_2+0x39>
8048bc8:	e8 58 07 00 00       	call   8049325 <explode_bomb>
8048bcd:	83 c3 04             	add    $0x4,%ebx
8048bd0:	39 f3                	cmp    %esi,%ebx
8048bd2:	75 eb                	jne    8048bbf <phase_2+0x2b>
8048bd4:	83 c4 30             	add    $0x30,%esp
8048bd7:	5b                   	pop    %ebx
8048bd8:	5e                   	pop    %esi
8048bd9:	5d                   	pop    %ebp
8048bda:	c3                   	ret
```
Question by: pplembu


Expert Comment

ID: 36960848
>> What I know thus far is the result will be 6 numbers.

Ok, that's a start.

The next step, is to figure out where those 6 numbers will end up in memory (hint : the read_six_numbers function does all that work).

When you know where they are in memory, you can start figuring out what the code does with those numbers, and what limitations it imposes on the possible values of those numbers.

Just take it one step at a time, and post your progress here. If you're stuck somewhere, just ask, and we'll help you out.

Author Comment

ID: 36962648
Thanks Infinity08 for replying to my question.

Attached here is the read_six_numbers function. However, maybe I'm too dumb at GDB and machine language. I have no idea how to figure out where those 6 numbers are in memory. Would you mind giving me some idea? Thanks
```
0804948a <read_six_numbers>:
804948a:	55                   	push   %ebp
804948b:	89 e5                	mov    %esp,%ebp
804948d:	83 ec 28             	sub    $0x28,%esp
8049490:	8b 45 0c             	mov    0xc(%ebp),%eax
8049493:	8d 50 14             	lea    0x14(%eax),%edx
8049496:	89 54 24 1c          	mov    %edx,0x1c(%esp)
804949a:	8d 50 10             	lea    0x10(%eax),%edx
804949d:	89 54 24 18          	mov    %edx,0x18(%esp)
80494a1:	8d 50 0c             	lea    0xc(%eax),%edx
80494a4:	89 54 24 14          	mov    %edx,0x14(%esp)
80494a8:	8d 50 08             	lea    0x8(%eax),%edx
80494ab:	89 54 24 10          	mov    %edx,0x10(%esp)
80494af:	8d 50 04             	lea    0x4(%eax),%edx
80494b2:	89 54 24 0c          	mov    %edx,0xc(%esp)
80494b6:	89 44 24 08          	mov    %eax,0x8(%esp)
80494ba:	c7 44 24 04 cd a4 04 	movl   $0x804a4cd,0x4(%esp)
80494c1:	08
80494c2:	8b 45 08             	mov    0x8(%ebp),%eax
80494c5:	89 04 24             	mov    %eax,(%esp)
80494c8:	e8 07 f3 ff ff       	call   80487d4 <__isoc99_sscanf@plt>
80494cd:	83 f8 05             	cmp    $0x5,%eax
80494d0:	7f 05                	jg     80494d7 <read_six_numbers+0x4d>
80494d2:	e8 4e fe ff ff       	call   8049325 <explode_bomb>
80494d7:	c9                   	leave
80494d8:	c3                   	ret
```

Expert Comment

ID: 36962662
Do you know how function calls work in assembly ? How parameters are passed ? How results are returned ?

Do you know sscanf ? And how it works ? What its parameters are ?

Author Comment

ID: 36962703
Honestly speaking, I don't. I only learnt assembly language last week, and so I'm totally lost in it. Would you mind guiding me here? Thanks

Expert Comment

ID: 36962760
Do you know any programming language ? Preferably C ?

Author Comment

ID: 36962772
Yup, I do know C and Java.

Author Comment

ID: 36962819
Well, what I know from the code above is: I need to enter 6 numbers. And every number will be the previous number plus four, from the line below:

8048bcd:      83 c3 04                   add    $0x4,%ebx

However, I don't know what the first number will be. And I don't know how to get the first number.

Thanks

Expert Comment

ID: 36963067
>> Yup, I do know C and Java.

Good, we'll use that as a starting point then.

The read_six_numbers function calls the sscanf function internally :

>>  80494c8:      e8 07 f3 ff ff             call   80487d4 <__isoc99_sscanf@plt>

I assume you know this function, but for reference :

http://www.cplusplus.com/reference/clibrary/cstdio/sscanf/

The function takes a few parameters (the string to read from, the format string, and 0 or more memory addresses where the read data need to be stored), and then returns the number of items that were read successfully.

In assembly, before calling a function, the arguments are placed on the stack (in reverse order in the assembly code), then the function is called. The return value is placed in the eax register.

So, given that information, can you figure out where the 6 numbers will be placed in memory ?

Author Comment

ID: 36963841
>>So, given that information, can you figure out where the 6 numbers will be placed in memory ?
The 6 numbers will be placed in 80487d4. Am I right?

Author Comment

ID: 36964246
8048bae:      83 7d e0 01                cmpl   $0x1,-0x20(%ebp)

So from this line, it compares 1 with the digit in ebp, so I can be very sure that our first number will be 1.

8048bcd:      83 c3 04                   add    $0x4,%ebx

This line says to add 4 to the previous number.

So, I'm guessing the answer would be:  1 5 9 13 17 21

I tried, but the bomb exploded.


Expert Comment

ID: 36964679
>> The 6 numbers will be placed in 80487d4. Am I right?

That's the start address for the sscanf function.

Remember that the arguments are pushed onto the stack before the function is called.

What does the code do before the sscanf function is called ?

Author Comment

ID: 36964844
```
80494c2:	8b 45 08             	mov    0x8(%ebp),%eax
80494c5:	89 04 24             	mov    %eax,(%esp)
```

Move the arguments to esp from %eax. Then call the sscanf function, to check if the arguments are more than 5 numbers. If there are 6 or more numbers, it will return to phase 2. Else, it will explode the bomb.
This is what I understand from the code below:

```
80494cd:	83 f8 05             	cmp    $0x5,%eax
80494d0:	7f 05                	jg     80494d7 <read_six_numbers+0x4d>
80494d2:	e8 4e fe ff ff       	call   8049325 <explode_bomb>
```

Then in phase 2, from what I understand, it will add 4 to the previous number. This is what the line below says:

8048bcd:      83 c3 04                   add    $0x4,%ebx

But I'm not sure what the first number will be. However, I found this code:

```
8048bae:	83 7d e0 01          	cmpl   $0x1,-0x20(%ebp)
8048bb2:	74 05                	je     8048bb9 <phase_2+0x25>
8048bb4:	e8 6c 07 00 00       	call   8049325 <explode_bomb>
```

So, I'm guessing the answer would be:  1 5 9 13 17 21, since if it's not 1, the bomb will explode.

However, it doesn't work.


Expert Comment

ID: 36965081
>> move the arguments to esp from %eax.

That's just one of the arguments. Specifically the first argument (the input string).

There are more arguments for sscanf. The second argument is the format string. And the next arguments are the addresses of where the data will end up.

So, where will the 6 numbers be placed in memory ?

Author Comment

ID: 36965135
>> There are more arguments for sscanf. The second argument is the format string. And the next arguments are the addresses of where the data will end up.

I think it's %eax. Well, I'm not sure. What do you mean by "There are more arguments for sscanf"? : (

Author Comment

ID: 36965987
I think %ebx would be the place where the 6 numbers are placed in memory. Am I right?

Accepted Solution

Infinity08 earned 2000 total points
ID: 36966790
>> What do you mean by "There are more arguments for sscanf"? : (

Let's go back to my earlier post http:#36963067, where I talked about the sscanf function. If you don't know what it does or how it works, you can read through the reference link I provided there.

Knowing how sscanf works, you'll see that more than 1 argument needs to be passed to it, in order for it to work.

And, since arguments are placed on the stack, one at a time, just before the function is called, it should be easy to find out what those arguments are.

You found the first argument already here :

>>  80494c2:      8b 45 08                   mov    0x8(%ebp),%eax
>>  80494c5:      89 04 24                   mov    %eax,(%esp)

0x8(%ebp) is itself a parameter of the read_six_numbers function (it points to the input string). It is copied into the eax register, and from there, it's placed at the top of the stack (the esp register always points to the top of the stack).

What are the other arguments passed to the sscanf function ? (hint : they will be placed on the stack just before this first argument)
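As an added illustration (not from the thread, the expert, or the lab itself), here is read_six_numbers rewritten in C following the stack layout Infinity08 describes: the slot at (%esp) is the input string, 0x4(%esp) the format string, and 0x8(%esp) through 0x1c(%esp) the six addresses derived from the second parameter. The contents of the format string at 0x804a4cd are not shown in the thread, so "%d %d %d %d %d %d" is assumed; explode_bomb is replaced by a return value so the check can be observed without terminating the program.

```c
#include <stdio.h>

/* Assumed: the thread never shows the string at 0x804a4cd. */
static const char *FORMAT_ASSUMED = "%d %d %d %d %d %d";

/* C equivalent of the disassembled read_six_numbers.
 * Stack slots set up before "call __isoc99_sscanf" map to arguments:
 *   (%esp)     <- 0x8(%ebp)        : input string (1st parameter)
 *   0x4(%esp)  <- $0x804a4cd        : format string
 *   0x8(%esp)  <- %eax = 0xc(%ebp)  : &out[0] (2nd parameter)
 *   0xc(%esp)  <- lea 0x4(%eax)     : &out[1]
 *   0x10(%esp) <- lea 0x8(%eax)     : &out[2]
 *   0x14(%esp) <- lea 0xc(%eax)     : &out[3]
 *   0x18(%esp) <- lea 0x10(%eax)    : &out[4]
 *   0x1c(%esp) <- lea 0x14(%eax)    : &out[5]
 * Returns 1 when the "cmp $0x5,%eax / jg" check passes (six items read),
 * 0 where the original would call explode_bomb. */
int read_six_numbers(const char *input, int *out)
{
    int parsed = sscanf(input, FORMAT_ASSUMED,
                        &out[0], &out[1], &out[2],
                        &out[3], &out[4], &out[5]);
    return parsed > 5;
}

int main(void)
{
    int nums[6];
    const char *sample = "1 2 3 4 5 6";   /* constructed input line */
    if (read_six_numbers(sample, nums))
        printf("six numbers stored: %d ... %d\n", nums[0], nums[5]);
    else
        printf("fewer than six numbers: explode_bomb would be called\n");
    return 0;
}
```

Note that phase_2 passes the address of its own stack buffer (lea -0x20(%ebp),%eax) as the second parameter, which is where the six ints end up.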
