Binary Bomb/GDB Questions

All,

So I am trying to attempt the famous Binary bomb lab. I am pretty good with most of the textbook problems, and following each assembly line and see what is going on. However, this programming assignment has brought new challenges that I am trying to tackle.

I was able to solve problem 1 using the x /s <memory> command after taking a quick glance at the code (it really wasn't too difficult).

Phase 2 is slightly more tricky.

Here is the code I am looking at:

0x08048dd9 <phase_2+0>: push   %ebp
0x08048dda <phase_2+1>: mov    %esp,%ebp
0x08048ddc <phase_2+3>: push   %esi
0x08048ddd <phase_2+4>: push   %ebx
0x08048dde <phase_2+5>: sub    $0x30,%esp
0x08048de1 <phase_2+8>: lea    -0x20(%ebp),%eax
0x08048de4 <phase_2+11>:        mov    %eax,0x4(%esp)
0x08048de8 <phase_2+15>:        mov    0x8(%ebp),%eax
0x08048deb <phase_2+18>:        mov    %eax,(%esp)
0x08048dee <phase_2+21>:        call   0x8049225 <read_six_numbers>
0x08048df3 <phase_2+26>:        cmpl   $0x1,-0x20(%ebp)
0x08048df7 <phase_2+30>:        je     0x8048dfe <phase_2+37>
0x08048df9 <phase_2+32>:        call   0x80491e3 <explode_bomb>
0x08048dfe <phase_2+37>:        mov    $0x2,%ebx
0x08048e03 <phase_2+42>:        lea    -0x20(%ebp),%esi
0x08048e06 <phase_2+45>:        mov    %ebx,%eax
0x08048e08 <phase_2+47>:        imul   -0x8(%esi,%ebx,4),%eax
0x08048e0d <phase_2+52>:        cmp    %eax,-0x4(%esi,%ebx,4)
0x08048e11 <phase_2+56>:        je     0x8048e18 <phase_2+63>
0x08048e13 <phase_2+58>:        call   0x80491e3 <explode_bomb>
0x08048e18 <phase_2+63>:        add    $0x1,%ebx
0x08048e1b <phase_2+66>:        cmp    $0x7,%ebx
0x08048e1e <phase_2+69>:        jne    0x8048e06 <phase_2+45>
0x08048e20 <phase_2+71>:        add    $0x30,%esp
0x08048e23 <phase_2+74>:        pop    %ebx
0x08048e24 <phase_2+75>:        pop    %esi
0x08048e25 <phase_2+76>:        pop    %ebp
0x08048e26 <phase_2+77>:        ret


0x08049225 <read_six_numbers+0>:        push   %ebp
0x08049226 <read_six_numbers+1>:        mov    %esp,%ebp
0x08049228 <read_six_numbers+3>:        sub    $0x28,%esp
0x0804922b <read_six_numbers+6>:        mov    0xc(%ebp),%edx
0x0804922e <read_six_numbers+9>:        lea    0x14(%edx),%eax
0x08049231 <read_six_numbers+12>:       mov    %eax,0x1c(%esp)
0x08049235 <read_six_numbers+16>:       lea    0x10(%edx),%eax
0x08049238 <read_six_numbers+19>:       mov    %eax,0x18(%esp)
0x0804923c <read_six_numbers+23>:       lea    0xc(%edx),%eax
0x0804923f <read_six_numbers+26>:       mov    %eax,0x14(%esp)
0x08049243 <read_six_numbers+30>:       lea    0x8(%edx),%eax
0x08049246 <read_six_numbers+33>:       mov    %eax,0x10(%esp)
0x0804924a <read_six_numbers+37>:       lea    0x4(%edx),%eax
0x0804924d <read_six_numbers+40>:       mov    %eax,0xc(%esp)
0x08049251 <read_six_numbers+44>:       mov    %edx,0x8(%esp)
0x08049255 <read_six_numbers+48>:       movl   $0x8049a1a,0x4(%esp)
0x0804925d <read_six_numbers+56>:       mov    0x8(%ebp),%eax
0x08049260 <read_six_numbers+59>:       mov    %eax,(%esp)
0x08049263 <read_six_numbers+62>:       call   0x80488b4 <sscanf@plt>
0x08049268 <read_six_numbers+67>:       cmp    $0x5,%eax
0x0804926b <read_six_numbers+70>:       jg     0x8049272 <read_six_numbers+77>
0x0804926d <read_six_numbers+72>:       call   0x80491e3 <explode_bomb>
0x08049272 <read_six_numbers+77>:       leave
0x08049273 <read_six_numbers+78>:       ret

Open in new window


I've figured out that the the function calls the user input into the read six numbers function, and runs a check through sscanf. If there is more than 5 numbers (which there should be), it diffuses the bomb within that loop.

It then brings back that result to phase_2.

What I am most confused about is how to find the values they are using on the registers. Specifically, I want to double check my stacks and see what values are being put where.

The following code is what I have left to decipher and see what it is doing.

0x08048dfe <phase_2+37>:        mov    $0x2,%ebx
0x08048e03 <phase_2+42>:        lea    -0x20(%ebp),%esi
0x08048e06 <phase_2+45>:        mov    %ebx,%eax
0x08048e08 <phase_2+47>:        imul   -0x8(%esi,%ebx,4),%eax
0x08048e0d <phase_2+52>:        cmp    %eax,-0x4(%esi,%ebx,4)
0x08048e11 <phase_2+56>:        je     0x8048e18 <phase_2+63>
0x08048e13 <phase_2+58>:        call   0x80491e3 <explode_bomb>
0x08048e18 <phase_2+63>:        add    $0x1,%ebx
0x08048e1b <phase_2+66>:        cmp    $0x7,%ebx
0x08048e1e <phase_2+69>:        jne    0x8048e06 <phase_2+45>
0x08048e20 <phase_2+71>:        add    $0x30,%esp
0x08048e23 <phase_2+74>:        pop    %ebx
0x08048e24 <phase_2+75>:        pop    %esi
0x08048e25 <phase_2+76>:        pop    %ebp
0x08048e26 <phase_2+77>:        ret

Open in new window


Any thought provoking questions would be great, I am trying to learn from this and grasp a thorough understanding of this problem.
simplproggyAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

simplproggyAuthor Commented:
Specifically, how would I go about checking this line of code:


0x08048de1 <phase_2+8>: lea    -0x20(%ebp),%eax

Open in new window


I put the following in GDB

(gdb) x -0x20(%ebp)
A syntax error in expression, near `%ebp)'.
(gdb) x -0x20($ebp)
No registers.

Open in new window


So I am somewhat stuck. I know how to set breakpoints, but not exactly sure how to manipulate them. I would like to be able to run the program past phase 1 (I have the solution), to phase 2, have the registers be set so I could then call the values to them.
0
simplproggyAuthor Commented:
So after some thorough research I am able to understand how to run the debugger. My issue is that whenever I try to run the bomb using my .txt, it keeps blowing up.

For example, the string for the first phase was:

You are the Diet Coke of evil, just one calorie, not evil enough.

If i type this manually, the bomb is defused.

I copy and paste that line into psol.txt, and run gdb after creating breakpoints for phase_1, explode_bomb, read_six_numbers, and phase_2. It seems like phase_1 is not accepting the correct string statement from psol.txt - so I am also having a formatting issue.

Once that is done however, I would use the breakpoints I mentioned above and then start checking registers (x %eax) etc. After that point I can observe the changes to each register - the problem here just seems to be getting to this step.
0
Infinity08Commented:
>> What I am most confused about is how to find the values they are using on the registers. Specifically, I want to double check my stacks and see what values are being put where.

The read_six_numbers function will place the 6 numbers on the stack. The calling code needs to reserve enough space on the stack to hold those numbers.

It does that by doing :

>> 0x08048dde <phase_2+5>: sub    $0x30,%esp

ie. it reserves space for 12 32-bit values on the stack.

Of course, it needs to then let the read_six_numbers function know which part of that it can use for the 6 numbers. It does that by passing as start address as argument to the function :

>> 0x08048de1 <phase_2+8>: lea    -0x20(%ebp),%eax
>> 0x08048de4 <phase_2+11>:        mov    %eax,0x4(%esp)

You asked specifically about that first line, which indicates you're on the right track.

The lea instruction is the "load effective address" instruction. It calculates an address (%ebp - 0x20 in this case), and copies that to the target location (the eax register in this case).

So, that shows where the 6 numbers will end up.


>> Any thought provoking questions would be great, I am trying to learn from this and grasp a thorough understanding of this problem.

Once you understand where the 6 numbers go, it should then be possible to follow what the rest of the code does with those numbers (or more specifically : what checks it performs on them).


Maybe the bit of information you need to get you going, is about addressing modes :

The addressing mode of the form offset(base, index, size) calculates the address as (base + offset + (index * size)).
The addressing mode of the form offset(base) calculates the address as (base + offset).
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Cloud Class® Course: Microsoft Exchange Server

The MCTS: Microsoft Exchange Server 2010 certification validates your skills in supporting the maintenance and administration of the Exchange servers in an enterprise environment. Learn everything you need to know with this course.

simplproggyAuthor Commented:
Hey, I figured this one out. I am, however, stuck on phase 4 - should I post in here? Phase 3 was very easy simply by figuring our break points and forcing a few combinations.
0
simplproggyAuthor Commented:
Got phase 4 - sort stuck on phase 5 and what the movbzl and movbxl commands actually do.
0
Infinity08Commented:
The movzbl instruction is the "move zero extended byte to long" instruction. That says it all : it copies a byte to a 32bit long (in the least significant position), adding zero bytes in the most significant positions.

I don't know what typo you made in movbxl though - there's no such instruction.
0
simplproggyAuthor Commented:
Yeah, i made a typo - I figured the rest of the phases out. Phase 2 was actually the hardest since I wasn't sure how to use the compiler.

I am stuck on the secret phase now, and I know its a recursive function and maybe a linked list?

0x08048c02 <secret_phase+0>:    push   %ebp
0x08048c03 <secret_phase+1>:    mov    %esp,%ebp
0x08048c05 <secret_phase+3>:    push   %ebx
0x08048c06 <secret_phase+4>:    sub    $0x14,%esp
0x08048c09 <secret_phase+7>:    call   0x80492f3 <read_line>
0x08048c0e <secret_phase+12>:   movl   $0x0,0xc(%esp)
0x08048c16 <secret_phase+20>:   movl   $0xa,0x8(%esp)
0x08048c1e <secret_phase+28>:   movl   $0x0,0x4(%esp)
0x08048c26 <secret_phase+36>:   mov    %eax,(%esp)
0x08048c29 <secret_phase+39>:   call   0x8048764 <__strtol_internal@plt>
0x08048c2e <secret_phase+44>:   mov    %eax,%ebx
0x08048c30 <secret_phase+46>:   lea    -0x1(%eax),%eax
0x08048c33 <secret_phase+49>:   cmp    $0x3e8,%eax
0x08048c38 <secret_phase+54>:   jbe    0x8048c3f <secret_phase+61>
0x08048c3a <secret_phase+56>:   call   0x80491e3 <explode_bomb>
0x08048c3f <secret_phase+61>:   mov    %ebx,0x4(%esp)
0x08048c43 <secret_phase+65>:   movl   $0x804a6d4,(%esp)
0x08048c4a <secret_phase+72>:   call   0x8048bb1 <fun7>
0x08048c4f <secret_phase+77>:   cmp    $0x5,%eax
0x08048c52 <secret_phase+80>:   je     0x8048c59 <secret_phase+87>
0x08048c54 <secret_phase+82>:   call   0x80491e3 <explode_bomb>
0x08048c59 <secret_phase+87>:   movl   $0x804980c,(%esp)
---Type <return> to continue, or q <return> to quit---
0x08048c60 <secret_phase+94>:   call   0x80488a4 <puts@plt>
0x08048c65 <secret_phase+99>:   call   0x8049151 <phase_defused>
0x08048c6a <secret_phase+104>:  add    $0x14,%esp
0x08048c6d <secret_phase+107>:  pop    %ebx
0x08048c6e <secret_phase+108>:  pop    %ebp
0x08048c6f <secret_phase+109>:  ret

Open in new window


0x08048bb1 <fun7+0>:    push   %ebp
0x08048bb2 <fun7+1>:    mov    %esp,%ebp
0x08048bb4 <fun7+3>:    push   %ebx
0x08048bb5 <fun7+4>:    sub    $0x8,%esp
0x08048bb8 <fun7+7>:    mov    0x8(%ebp),%ebx
0x08048bbb <fun7+10>:   mov    0xc(%ebp),%ecx
0x08048bbe <fun7+13>:   mov    $0xffffffff,%eax
0x08048bc3 <fun7+18>:   test   %ebx,%ebx
0x08048bc5 <fun7+20>:   je     0x8048bfc <fun7+75>
0x08048bc7 <fun7+22>:   mov    (%ebx),%edx
0x08048bc9 <fun7+24>:   cmp    %ecx,%edx
0x08048bcb <fun7+26>:   jle    0x8048be0 <fun7+47>
0x08048bcd <fun7+28>:   mov    %ecx,0x4(%esp)
0x08048bd1 <fun7+32>:   mov    0x4(%ebx),%eax
0x08048bd4 <fun7+35>:   mov    %eax,(%esp)
0x08048bd7 <fun7+38>:   call   0x8048bb1 <fun7>
0x08048bdc <fun7+43>:   add    %eax,%eax
0x08048bde <fun7+45>:   jmp    0x8048bfc <fun7+75>
0x08048be0 <fun7+47>:   mov    $0x0,%eax
0x08048be5 <fun7+52>:   cmp    %ecx,%edx
0x08048be7 <fun7+54>:   je     0x8048bfc <fun7+75>
0x08048be9 <fun7+56>:   mov    %ecx,0x4(%esp)
---Type <return> to continue, or q <return> to quit---
0x08048bed <fun7+60>:   mov    0x8(%ebx),%eax
0x08048bf0 <fun7+63>:   mov    %eax,(%esp)
0x08048bf3 <fun7+66>:   call   0x8048bb1 <fun7>
0x08048bf8 <fun7+71>:   lea    0x1(%eax,%eax,1),%eax
0x08048bfc <fun7+75>:   add    $0x8,%esp
0x08048bff <fun7+78>:   pop    %ebx
0x08048c00 <fun7+79>:   pop    %ebp
0x08048c01 <fun7+80>:   ret

Open in new window


From a quick glance I can tell the recursive function needs to return the value 5. I also can tell that some value needs to be compared to the integer value of 1000:

0x08048c33 <secret_phase+49>:   cmp    $0x3e8,%eax
0x08048c38 <secret_phase+54>:   jbe    0x8048c3f <secret_phase+61>
0x08048c3a <secret_phase+56>:   call   0x80491e3 <explode_bomb>
0x08048c3f <secret_phase+61>:   mov    %ebx,0x4(%esp)

The question is : what value? And what type of input should I be inserting?

0
Infinity08Commented:
>> I am stuck on the secret phase now, and I know its a recursive function and maybe a linked list?

It's recursive indeed, but not exactly a linked list (although there are nodes that are linked together, but not linearly).


>> From a quick glance I can tell the recursive function needs to return the value 5.

Yes.


>> I also can tell that some value needs to be compared to the integer value of 1000:

That's just some rough input validation. The real magic happens in the fun7 function.


>> The question is : what value? And what type of input should I be inserting?

In the beginning of the secret_phase function, that input is obtained by calling two functions : read_line and strtol.
0
evilrixSenior Software Engineer (Avast)Commented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Assembly

From novice to tech pro — start learning today.