Binary Bomb/GDB Questions

All,

So I am trying to attempt the famous Binary bomb lab. I am pretty good with most of the textbook problems, and following each assembly line and see what is going on. However, this programming assignment has brought new challenges that I am trying to tackle.

I was able to solve problem 1 using the x /s <memory> command after taking a quick glance at the code (it really wasn't too difficult).

Phase 2 is slightly more tricky.

Here is the code I am looking at:

0x08048dd9 <phase_2+0>: push   %ebp
0x08048dda <phase_2+1>: mov    %esp,%ebp
0x08048ddc <phase_2+3>: push   %esi
0x08048ddd <phase_2+4>: push   %ebx
0x08048dde <phase_2+5>: sub    $0x30,%esp
0x08048de1 <phase_2+8>: lea    -0x20(%ebp),%eax
0x08048de4 <phase_2+11>:        mov    %eax,0x4(%esp)
0x08048de8 <phase_2+15>:        mov    0x8(%ebp),%eax
0x08048deb <phase_2+18>:        mov    %eax,(%esp)
0x08048dee <phase_2+21>:        call   0x8049225 <read_six_numbers>
0x08048df3 <phase_2+26>:        cmpl   $0x1,-0x20(%ebp)
0x08048df7 <phase_2+30>:        je     0x8048dfe <phase_2+37>
0x08048df9 <phase_2+32>:        call   0x80491e3 <explode_bomb>
0x08048dfe <phase_2+37>:        mov    $0x2,%ebx
0x08048e03 <phase_2+42>:        lea    -0x20(%ebp),%esi
0x08048e06 <phase_2+45>:        mov    %ebx,%eax
0x08048e08 <phase_2+47>:        imul   -0x8(%esi,%ebx,4),%eax
0x08048e0d <phase_2+52>:        cmp    %eax,-0x4(%esi,%ebx,4)
0x08048e11 <phase_2+56>:        je     0x8048e18 <phase_2+63>
0x08048e13 <phase_2+58>:        call   0x80491e3 <explode_bomb>
0x08048e18 <phase_2+63>:        add    $0x1,%ebx
0x08048e1b <phase_2+66>:        cmp    $0x7,%ebx
0x08048e1e <phase_2+69>:        jne    0x8048e06 <phase_2+45>
0x08048e20 <phase_2+71>:        add    $0x30,%esp
0x08048e23 <phase_2+74>:        pop    %ebx
0x08048e24 <phase_2+75>:        pop    %esi
0x08048e25 <phase_2+76>:        pop    %ebp
0x08048e26 <phase_2+77>:        ret


0x08049225 <read_six_numbers+0>:        push   %ebp
0x08049226 <read_six_numbers+1>:        mov    %esp,%ebp
0x08049228 <read_six_numbers+3>:        sub    $0x28,%esp
0x0804922b <read_six_numbers+6>:        mov    0xc(%ebp),%edx
0x0804922e <read_six_numbers+9>:        lea    0x14(%edx),%eax
0x08049231 <read_six_numbers+12>:       mov    %eax,0x1c(%esp)
0x08049235 <read_six_numbers+16>:       lea    0x10(%edx),%eax
0x08049238 <read_six_numbers+19>:       mov    %eax,0x18(%esp)
0x0804923c <read_six_numbers+23>:       lea    0xc(%edx),%eax
0x0804923f <read_six_numbers+26>:       mov    %eax,0x14(%esp)
0x08049243 <read_six_numbers+30>:       lea    0x8(%edx),%eax
0x08049246 <read_six_numbers+33>:       mov    %eax,0x10(%esp)
0x0804924a <read_six_numbers+37>:       lea    0x4(%edx),%eax
0x0804924d <read_six_numbers+40>:       mov    %eax,0xc(%esp)
0x08049251 <read_six_numbers+44>:       mov    %edx,0x8(%esp)
0x08049255 <read_six_numbers+48>:       movl   $0x8049a1a,0x4(%esp)
0x0804925d <read_six_numbers+56>:       mov    0x8(%ebp),%eax
0x08049260 <read_six_numbers+59>:       mov    %eax,(%esp)
0x08049263 <read_six_numbers+62>:       call   0x80488b4 <sscanf@plt>
0x08049268 <read_six_numbers+67>:       cmp    $0x5,%eax
0x0804926b <read_six_numbers+70>:       jg     0x8049272 <read_six_numbers+77>
0x0804926d <read_six_numbers+72>:       call   0x80491e3 <explode_bomb>
0x08049272 <read_six_numbers+77>:       leave
0x08049273 <read_six_numbers+78>:       ret

Open in new window


I've figured out that the the function calls the user input into the read six numbers function, and runs a check through sscanf. If there is more than 5 numbers (which there should be), it diffuses the bomb within that loop.

It then brings back that result to phase_2.

What I am most confused about is how to find the values they are using on the registers. Specifically, I want to double check my stacks and see what values are being put where.

The following code is what I have left to decipher and see what it is doing.

0x08048dfe <phase_2+37>:        mov    $0x2,%ebx
0x08048e03 <phase_2+42>:        lea    -0x20(%ebp),%esi
0x08048e06 <phase_2+45>:        mov    %ebx,%eax
0x08048e08 <phase_2+47>:        imul   -0x8(%esi,%ebx,4),%eax
0x08048e0d <phase_2+52>:        cmp    %eax,-0x4(%esi,%ebx,4)
0x08048e11 <phase_2+56>:        je     0x8048e18 <phase_2+63>
0x08048e13 <phase_2+58>:        call   0x80491e3 <explode_bomb>
0x08048e18 <phase_2+63>:        add    $0x1,%ebx
0x08048e1b <phase_2+66>:        cmp    $0x7,%ebx
0x08048e1e <phase_2+69>:        jne    0x8048e06 <phase_2+45>
0x08048e20 <phase_2+71>:        add    $0x30,%esp
0x08048e23 <phase_2+74>:        pop    %ebx
0x08048e24 <phase_2+75>:        pop    %esi
0x08048e25 <phase_2+76>:        pop    %ebp
0x08048e26 <phase_2+77>:        ret

Open in new window


Any thought provoking questions would be great, I am trying to learn from this and grasp a thorough understanding of this problem.
simplproggyAsked:
Who is Participating?
 
Infinity08Connect With a Mentor Commented:
>> What I am most confused about is how to find the values they are using on the registers. Specifically, I want to double check my stacks and see what values are being put where.

The read_six_numbers function will place the 6 numbers on the stack. The calling code needs to reserve enough space on the stack to hold those numbers.

It does that by doing :

>> 0x08048dde <phase_2+5>: sub    $0x30,%esp

ie. it reserves space for 12 32-bit values on the stack.

Of course, it needs to then let the read_six_numbers function know which part of that it can use for the 6 numbers. It does that by passing as start address as argument to the function :

>> 0x08048de1 <phase_2+8>: lea    -0x20(%ebp),%eax
>> 0x08048de4 <phase_2+11>:        mov    %eax,0x4(%esp)

You asked specifically about that first line, which indicates you're on the right track.

The lea instruction is the "load effective address" instruction. It calculates an address (%ebp - 0x20 in this case), and copies that to the target location (the eax register in this case).

So, that shows where the 6 numbers will end up.


>> Any thought provoking questions would be great, I am trying to learn from this and grasp a thorough understanding of this problem.

Once you understand where the 6 numbers go, it should then be possible to follow what the rest of the code does with those numbers (or more specifically : what checks it performs on them).


Maybe the bit of information you need to get you going, is about addressing modes :

The addressing mode of the form offset(base, index, size) calculates the address as (base + offset + (index * size)).
The addressing mode of the form offset(base) calculates the address as (base + offset).
0
 
simplproggyAuthor Commented:
Specifically, how would I go about checking this line of code:


0x08048de1 <phase_2+8>: lea    -0x20(%ebp),%eax

Open in new window


I put the following in GDB

(gdb) x -0x20(%ebp)
A syntax error in expression, near `%ebp)'.
(gdb) x -0x20($ebp)
No registers.

Open in new window


So I am somewhat stuck. I know how to set breakpoints, but not exactly sure how to manipulate them. I would like to be able to run the program past phase 1 (I have the solution), to phase 2, have the registers be set so I could then call the values to them.
0
 
simplproggyAuthor Commented:
So after some thorough research I am able to understand how to run the debugger. My issue is that whenever I try to run the bomb using my .txt, it keeps blowing up.

For example, the string for the first phase was:

You are the Diet Coke of evil, just one calorie, not evil enough.

If i type this manually, the bomb is defused.

I copy and paste that line into psol.txt, and run gdb after creating breakpoints for phase_1, explode_bomb, read_six_numbers, and phase_2. It seems like phase_1 is not accepting the correct string statement from psol.txt - so I am also having a formatting issue.

Once that is done however, I would use the breakpoints I mentioned above and then start checking registers (x %eax) etc. After that point I can observe the changes to each register - the problem here just seems to be getting to this step.
0
Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
simplproggyAuthor Commented:
Hey, I figured this one out. I am, however, stuck on phase 4 - should I post in here? Phase 3 was very easy simply by figuring our break points and forcing a few combinations.
0
 
simplproggyAuthor Commented:
Got phase 4 - sort stuck on phase 5 and what the movbzl and movbxl commands actually do.
0
 
Infinity08Connect With a Mentor Commented:
The movzbl instruction is the "move zero extended byte to long" instruction. That says it all : it copies a byte to a 32bit long (in the least significant position), adding zero bytes in the most significant positions.

I don't know what typo you made in movbxl though - there's no such instruction.
0
 
simplproggyAuthor Commented:
Yeah, i made a typo - I figured the rest of the phases out. Phase 2 was actually the hardest since I wasn't sure how to use the compiler.

I am stuck on the secret phase now, and I know its a recursive function and maybe a linked list?

0x08048c02 <secret_phase+0>:    push   %ebp
0x08048c03 <secret_phase+1>:    mov    %esp,%ebp
0x08048c05 <secret_phase+3>:    push   %ebx
0x08048c06 <secret_phase+4>:    sub    $0x14,%esp
0x08048c09 <secret_phase+7>:    call   0x80492f3 <read_line>
0x08048c0e <secret_phase+12>:   movl   $0x0,0xc(%esp)
0x08048c16 <secret_phase+20>:   movl   $0xa,0x8(%esp)
0x08048c1e <secret_phase+28>:   movl   $0x0,0x4(%esp)
0x08048c26 <secret_phase+36>:   mov    %eax,(%esp)
0x08048c29 <secret_phase+39>:   call   0x8048764 <__strtol_internal@plt>
0x08048c2e <secret_phase+44>:   mov    %eax,%ebx
0x08048c30 <secret_phase+46>:   lea    -0x1(%eax),%eax
0x08048c33 <secret_phase+49>:   cmp    $0x3e8,%eax
0x08048c38 <secret_phase+54>:   jbe    0x8048c3f <secret_phase+61>
0x08048c3a <secret_phase+56>:   call   0x80491e3 <explode_bomb>
0x08048c3f <secret_phase+61>:   mov    %ebx,0x4(%esp)
0x08048c43 <secret_phase+65>:   movl   $0x804a6d4,(%esp)
0x08048c4a <secret_phase+72>:   call   0x8048bb1 <fun7>
0x08048c4f <secret_phase+77>:   cmp    $0x5,%eax
0x08048c52 <secret_phase+80>:   je     0x8048c59 <secret_phase+87>
0x08048c54 <secret_phase+82>:   call   0x80491e3 <explode_bomb>
0x08048c59 <secret_phase+87>:   movl   $0x804980c,(%esp)
---Type <return> to continue, or q <return> to quit---
0x08048c60 <secret_phase+94>:   call   0x80488a4 <puts@plt>
0x08048c65 <secret_phase+99>:   call   0x8049151 <phase_defused>
0x08048c6a <secret_phase+104>:  add    $0x14,%esp
0x08048c6d <secret_phase+107>:  pop    %ebx
0x08048c6e <secret_phase+108>:  pop    %ebp
0x08048c6f <secret_phase+109>:  ret

Open in new window


0x08048bb1 <fun7+0>:    push   %ebp
0x08048bb2 <fun7+1>:    mov    %esp,%ebp
0x08048bb4 <fun7+3>:    push   %ebx
0x08048bb5 <fun7+4>:    sub    $0x8,%esp
0x08048bb8 <fun7+7>:    mov    0x8(%ebp),%ebx
0x08048bbb <fun7+10>:   mov    0xc(%ebp),%ecx
0x08048bbe <fun7+13>:   mov    $0xffffffff,%eax
0x08048bc3 <fun7+18>:   test   %ebx,%ebx
0x08048bc5 <fun7+20>:   je     0x8048bfc <fun7+75>
0x08048bc7 <fun7+22>:   mov    (%ebx),%edx
0x08048bc9 <fun7+24>:   cmp    %ecx,%edx
0x08048bcb <fun7+26>:   jle    0x8048be0 <fun7+47>
0x08048bcd <fun7+28>:   mov    %ecx,0x4(%esp)
0x08048bd1 <fun7+32>:   mov    0x4(%ebx),%eax
0x08048bd4 <fun7+35>:   mov    %eax,(%esp)
0x08048bd7 <fun7+38>:   call   0x8048bb1 <fun7>
0x08048bdc <fun7+43>:   add    %eax,%eax
0x08048bde <fun7+45>:   jmp    0x8048bfc <fun7+75>
0x08048be0 <fun7+47>:   mov    $0x0,%eax
0x08048be5 <fun7+52>:   cmp    %ecx,%edx
0x08048be7 <fun7+54>:   je     0x8048bfc <fun7+75>
0x08048be9 <fun7+56>:   mov    %ecx,0x4(%esp)
---Type <return> to continue, or q <return> to quit---
0x08048bed <fun7+60>:   mov    0x8(%ebx),%eax
0x08048bf0 <fun7+63>:   mov    %eax,(%esp)
0x08048bf3 <fun7+66>:   call   0x8048bb1 <fun7>
0x08048bf8 <fun7+71>:   lea    0x1(%eax,%eax,1),%eax
0x08048bfc <fun7+75>:   add    $0x8,%esp
0x08048bff <fun7+78>:   pop    %ebx
0x08048c00 <fun7+79>:   pop    %ebp
0x08048c01 <fun7+80>:   ret

Open in new window


From a quick glance I can tell the recursive function needs to return the value 5. I also can tell that some value needs to be compared to the integer value of 1000:

0x08048c33 <secret_phase+49>:   cmp    $0x3e8,%eax
0x08048c38 <secret_phase+54>:   jbe    0x8048c3f <secret_phase+61>
0x08048c3a <secret_phase+56>:   call   0x80491e3 <explode_bomb>
0x08048c3f <secret_phase+61>:   mov    %ebx,0x4(%esp)

The question is : what value? And what type of input should I be inserting?

0
 
Infinity08Connect With a Mentor Commented:
>> I am stuck on the secret phase now, and I know its a recursive function and maybe a linked list?

It's recursive indeed, but not exactly a linked list (although there are nodes that are linked together, but not linearly).


>> From a quick glance I can tell the recursive function needs to return the value 5.

Yes.


>> I also can tell that some value needs to be compared to the integer value of 1000:

That's just some rough input validation. The real magic happens in the fun7 function.


>> The question is : what value? And what type of input should I be inserting?

In the beginning of the secret_phase function, that input is obtained by calling two functions : read_line and strtol.
0
 
evilrixSenior Software Engineer (Avast)Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
All Courses

From novice to tech pro — start learning today.