binary bomb help

This is a discussion on binary bomb help within the Tech Board forums, part of the Community Boards category; I am really stuck on phase 3. Since the 1st and fourth numbers (same for the 2nd & 5th and ...

  1. #1
    Registered User
    Join Date
    Apr 2009
    Posts
    16

    binary bomb help

    I am really stuck on phase 3. Since the 1st and fourth numbers (same for the 2nd & 5th and 3rd and 6th) should be the same numbers to
    defuse the 1st bomb,
    I confused as to where to begin looking to solve the 2nd bomb. I
    assume that
    This address
    (gdb) print $ebp
    $13 = (void *) 0xbf9cd4a8
    has something to do with. But as to apply it I not sure. Any you
    provide any insight as to what I need to do?
    Code:
    Dump of assembler code for function phase_3:
    0x080488a6 <phase_3+0>: push   %ebp
    0x080488a7 <phase_3+1>: mov    %esp,%ebp
    0x080488a9 <phase_3+3>: sub    $0x28,%esp
    0x080488ac <phase_3+6>: movl   $0x0,0xfffffffc(%ebp)
    0x080488b3 <phase_3+13>:        lea    0xffffffe0(%ebp),%eax
    0x080488b6 <phase_3+16>:        mov    %eax,0x4(%esp)
    0x080488ba <phase_3+20>:        mov    0x8(%ebp),%eax
    0x080488bd <phase_3+23>:        mov    %eax,(%esp)
    0x080488c0 <phase_3+26>:        call   0x8048dac <read_six_numbers>
    0x080488c5 <phase_3+31>:        movl   $0x0,0xfffffff8(%ebp)
    0x080488cc <phase_3+38>:        jmp    0x80488f6 <phase_3+80>
    0x080488ce <phase_3+40>:        mov    0xfffffff8(%ebp),%eax
    0x080488d1 <phase_3+43>:        mov    0xffffffe0(%ebp,%eax,4),%edx
    0x080488d5 <phase_3+47>:        mov    0xfffffff8(%ebp),%eax
    0x080488d8 <phase_3+50>:        add    $0x3,%eax
    0x080488db <phase_3+53>:        mov    0xffffffe0(%ebp,%eax,4),%eax
    0x080488df <phase_3+57>:        cmp    %eax,%edx
    0x080488e1 <phase_3+59>:        je     0x80488e8 <phase_3+66>
    0x080488e3 <phase_3+61>:        call   0x804906c <explode_bomb>
    0x080488e8 <phase_3+66>:        mov    0xfffffff8(%ebp),%eax
    0x080488eb <phase_3+69>:        mov    0xffffffe0(%ebp,%eax,4),%eax
    0x080488ef <phase_3+73>:        add    %eax,0xfffffffc(%ebp)
    0x080488f2 <phase_3+76>:        addl   $0x1,0xfffffff8(%ebp)
    0x080488f6 <phase_3+80>:        cmpl   $0x2,0xfffffff8(%ebp)
    0x080488fa <phase_3+84>:        jle    0x80488ce <phase_3+40>
    0x080488fc <phase_3+86>:        cmpl   $0x0,0xfffffffc(%ebp)
    0x08048900 <phase_3+90>:        jne    0x8048907 <phase_3+97>
    0x08048902 <phase_3+92>:        call   0x804906c <explode_bomb>
    0x08048907 <phase_3+97>:        leave
    0x08048908 <phase_3+98>:        ret
    End of assembler dump.
    That's number 2.  Keep going!
    6 9 12 6 9 12
    
    Breakpoint 1, 0x080488df in phase_3 ()
    (gdb) cont
    Continuing.
    
    Breakpoint 1, 0x080488df in phase_3 ()
    (gdb) cont
    Continuing.
    
    Breakpoint 1, 0x080488df in phase_3 ()
    (gdb) cont
    Continuing.
    Halfway there!
    cont
    
    BOOM!!!
    The bomb has blown up.
    
    Program exited with code 010.
    (gdb)

  2. #2
    Super Moderator VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,586
    what?

  3. #3
    Malum in se abachler's Avatar
    Join Date
    Apr 2007
    Posts
    3,189
    Quote Originally Posted by Bubba View Post
    what?
    I keep saying we need an assembly channel
    Until you can build a working general purpose reprogrammable computer out of basic components from radio shack, you are not fit to call yourself a programmer in my presence. This is cwhizard, signing off.

  4. #4
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    ebp is the frame-pointer, so it points to the stack when the function started.
    Code:
    0x080488a7 <phase_3+1>: mov    %esp,%ebp
    This code
    Code:
    0x080488ce <phase_3+40>:        mov    0xfffffff8(%ebp),%eax
    0x080488d1 <phase_3+43>:        mov    0xffffffe0(%ebp,%eax,4),%edx
    0x080488d5 <phase_3+47>:        mov    0xfffffff8(%ebp),%eax
    0x080488d8 <phase_3+50>:        add    $0x3,%eax
    0x080488db <phase_3+53>:        mov    0xffffffe0(%ebp,%eax,4),%eax
    0x080488df <phase_3+57>:        cmp    %eax,%edx
    0x080488e1 <phase_3+59>:        je     0x80488e8 <phase_3+66>
    is doing the ACTUAL compare of the numbers.

    It doesn't show what numbers are actually being used, but dumping the memory at %ebp-0x20 would do.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  5. #5
    Registered User
    Join Date
    Apr 2009
    Posts
    16
    Quote Originally Posted by matsp View Post
    [/code]
    This code
    Code:
    0x080488ce <phase_3+40>:        mov    0xfffffff8(%ebp),%eax
    0x080488d1 <phase_3+43>:        mov    0xffffffe0(%ebp,%eax,4),%edx
    0x080488d5 <phase_3+47>:        mov    0xfffffff8(%ebp),%eax
    0x080488d8 <phase_3+50>:        add    $0x3,%eax
    0x080488db <phase_3+53>:        mov    0xffffffe0(%ebp,%eax,4),%eax
    0x080488df <phase_3+57>:        cmp    %eax,%edx
    0x080488e1 <phase_3+59>:        je     0x80488e8 <phase_3+66>
    is doing the ACTUAL compare of the numbers.

    It doesn't show what numbers are actually being used, but dumping the memory at %ebp-0x20 would do.

    --
    Mats

    I get that is where the compare is. Because if I entered 1 2 3 4 5 6 as the input and do a break at
    Code:
    0x080488df <phase_3+57>:        cmp    %eax,%edx
    then print $eax I get 4 for eax and 1 for edx (I could have these numbers flipped)
    and the bomb blows up.

    so how would I dump the memory at %ebp-0x20?

  6. #6
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    The x command in gdb will show you memory. You probably will need to format it correctly. Look up the help on x command

    See the line where it adds 3 to eax? That's the index to the second component to compare.

    So it's essentialy checking that data[0] == data[3], and data[1] == data[4], etc.

    --
    Mats
    Compilers can produce warnings - make the compiler programmers happy: Use them!
    Please don't PM me for help - and no, I don't do help over instant messengers.

  7. #7
    Super Moderator VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,586
    The bomb was what I was confused about, not the assembly.

  8. #8
    int x = *((int *) NULL); Cactus_Hugger's Avatar
    Join Date
    Jul 2003
    Location
    Banks of the River Styx
    Posts
    902
    Quote Originally Posted by Bubba View Post
    The bomb was what I was confused about, not the assembly.
    It's a challenge. One of my former professors gave the same challenge to me when I took his class (OP: where are you going to school?). The idea is this: You have a program which accepts some input. Give it the right input and it "defuses", give it the wrong input and it "explodes". The idea is to disassemble the program, look at the assembly, and determine what input to give it.

    My professors "bombs" were semi-unique - there where 5-10 different bombs, distributed randomly among us - and when the bomb blew up, it reported back. (Though some of us knew how to disable that, but then again, we also were able to disassemble the bomb...) It's a foray into reverse engineering & x86 assembly.

    Edit: actually, this line:
    Code:
    0x080488c0 <phase_3+26>:        call   0x8048dac <read_six_numbers>
    ...appears in my old homework (Not exactly, but we had a read_six_numbers). Now I'm really curious as to where the OP goes to school, or if this is just some well known thing that professors do to try and make students sweat. :-) (It's a fun homework, btw.)

    Edit: Also, is the AJAXy-edit thing not working for anyone else?
    Last edited by Cactus_Hugger; 05-21-2009 at 05:28 PM.
    long time; /* know C? */
    Unprecedented performance: Nothing ever ran this slow before.
    Any sufficiently advanced bug is indistinguishable from a feature.
    Real Programmers confuse Halloween and Christmas, because dec 25 == oct 31.
    The best way to accelerate an IBM is at 9.8 m/s/s.
    recursion (re - cur' - zhun) n. 1. (see recursion)

  9. #9
    Registered User
    Join Date
    Apr 2009
    Posts
    16
    First, yes, this bomb is a common assignment (yale to communty college)Therefore, I am in the usa. A google search will confirm this. To catus, ours does not report back (that code was removed).

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. New binary bomb help
    By uscuba2 in forum Tech Board
    Replies: 4
    Last Post: 05-24-2009, 05:45 PM
  2. The destructive power of a nuclear bomb
    By InvariantLoop in forum A Brief History of Cprogramming.com
    Replies: 30
    Last Post: 03-24-2005, 01:46 AM
  3. Binary Search Trees Part III
    By Prelude in forum A Brief History of Cprogramming.com
    Replies: 16
    Last Post: 10-02-2004, 03:00 PM
  4. Tutorial review
    By Prelude in forum A Brief History of Cprogramming.com
    Replies: 11
    Last Post: 03-22-2004, 08:40 PM
  5. Request for comments
    By Prelude in forum A Brief History of Cprogramming.com
    Replies: 15
    Last Post: 01-02-2004, 09:33 AM

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21