-
Binary Bomb help
I am trying to figure our how to solve the binary bomb. I used "strings" to solve the first phase. But, now I don't know how to trace through the code. What do I need to look at? I did an objdump -d and -t, i have done a disas on main(), phase_2, read_six_number(), and sscanf().
08048d28 <phase_2>:
8048d28: 55 push %ebp
8048d29: 89 e5 mov %esp,%ebp
8048d2b: 56 push %esi
8048d2c: 53 push %ebx
8048d2d: 83 ec 30 sub $0x30,%esp
8048d30: 8d 45 e0 lea 0xffffffe0(%ebp),%eax
8048d33: 89 44 24 04 mov %eax,0x4(%esp)
8048d37: 8b 45 08 mov 0x8(%ebp),%eax
8048d3a: 89 04 24 mov %eax,(%esp)
8048d3d: e8 15 04 00 00 call 8049157 <read_six_numbers>
8048d42: 83 7d e0 00 cmpl $0x0,0xffffffe0(%ebp)
8048d46: 79 05 jns 8048d4d <phase_2+0x25>
8048d48: e8 c8 03 00 00 call 8049115 <explode_bomb>
8048d4d: bb 01 00 00 00 mov $0x1,%ebx
8048d52: 8d 75 e0 lea 0xffffffe0(%ebp),%esi
8048d55: 89 d8 mov %ebx,%eax
8048d57: 03 44 9e fc add 0xfffffffc(%esi,%ebx,4),%eax
8048d5b: 39 04 9e cmp %eax,(%esi,%ebx,4)
8048d5e: 74 05 je 8048d65 <phase_2+0x3d>
8048d60: e8 b0 03 00 00 call 8049115 <explode_bomb>
8048d65: 83 c3 01 add $0x1,%ebx
8048d68: 83 fb 06 cmp $0x6,%ebx
8048d6b: 75 e8 jne 8048d55 <phase_2+0x2d>
8048d6d: 83 c4 30 add $0x30,%esp
8048d70: 5b pop %ebx
8048d71: 5e pop %esi
8048d72: 5d pop %ebp
8048d73: c3 ret
(gdb) disas phase_2
Dump of assembler code for function phase_2:
0x08048d28 <phase_2+0>: push %ebp
0x08048d29 <phase_2+1>: mov %esp,%ebp
0x08048d2b <phase_2+3>: push %esi
0x08048d2c <phase_2+4>: push %ebx
0x08048d2d <phase_2+5>: sub $0x30,%esp
0x08048d30 <phase_2+8>: lea -0x20(%ebp),%eax
0x08048d33 <phase_2+11>: mov %eax,0x4(%esp)
0x08048d37 <phase_2+15>: mov 0x8(%ebp),%eax
0x08048d3a <phase_2+18>: mov %eax,(%esp)
0x08048d3d <phase_2+21>: call 0x8049157 <read_six_numbers>
0x08048d42 <phase_2+26>: cmpl $0x0,-0x20(%ebp)
0x08048d46 <phase_2+30>: jns 0x8048d4d <phase_2+37>
0x08048d48 <phase_2+32>: call 0x8049115 <explode_bomb>
0x08048d4d <phase_2+37>: mov $0x1,%ebx // mov 1 to ebx
0x08048d52 <phase_2+42>: lea -0x20(%ebp),%esi
0x08048d55 <phase_2+45>: mov %ebx,%eax
0x08048d57 <phase_2+47>: add -0x4(%esi,%ebx,4),%eax
0x08048d5b <phase_2+51>: cmp %eax,(%esi,%ebx,4)
0x08048d5e <phase_2+54>: je 0x8048d65 <phase_2+61>
0x08048d60 <phase_2+56>: call 0x8049115<explode_bomb>
0x08048d65 <phase_2+61>: add $0x1,%ebx
0x08048d68 <phase_2+64>: cmp $0x6,%ebx
0x08048d6b <phase_2+67>: jne 0x8048d55 <phase_2+45>
0x08048d6d <phase_2+69>: add $0x30,%esp
0x08048d70 <phase_2+72>: pop %ebx
0x08048d71 <phase_2+73>: pop %esi
0x08048d72 <phase_2+74>: pop %ebp
0x08048d73 <phase_2+75>: ret
End of assembler dump.
(gdb) disas read_six_numbers
Dump of assembler code for function read_six_numbers:
0x08049157 <read_six_numbers+0>: push %ebp
0x08049158 <read_six_numbers+1>: mov %esp,%ebp
0x0804915a <read_six_numbers+3>: sub $0x28,%esp
0x0804915d <read_six_numbers+6>: mov 0xc(%ebp),%edx
0x08049160 <read_six_numbers+9>: lea 0x14(%edx),%eax
0x08049163 <read_six_numbers+12>: mov %eax,0x1c(%esp)
0x08049167 <read_six_numbers+16>: lea 0x10(%edx),%eax
0x0804916a <read_six_numbers+19>: mov %eax,0x18(%esp)
0x0804916e <read_six_numbers+23>: lea 0xc(%edx),%eax
0x08049171 <read_six_numbers+26>: mov %eax,0x14(%esp)
0x08049175 <read_six_numbers+30>: lea 0x8(%edx),%eax
0x08049178 <read_six_numbers+33>: mov %eax,0x10(%esp)
0x0804917c <read_six_numbers+37>: lea 0x4(%edx),%eax
0x0804917f <read_six_numbers+40>: mov %eax,0xc(%esp)
0x08049183 <read_six_numbers+44>: mov %edx,0x8(%esp)
0x08049187 <read_six_numbers+48>: movl $0x804a2d6,0x4(%esp)
0x0804918f <read_six_numbers+56>: mov 0x8(%ebp),%eax
0x08049192 <read_six_numbers+59>: mov %eax,(%esp)
0x08049195 <read_six_numbers+62>: call 0x8048884 <sscanf@plt>
0x0804919a <read_six_numbers+67>: cmp $0x5,%eax
0x0804919d <read_six_numbers+70>: jg 0x80491a4 <read_six_numbers+77>
0x0804919f <read_six_numbers+72>: call 0x8049115 <explode_bomb>
0x080491a4 <read_six_numbers+77>: leave
0x080491a5 <read_six_numbers+78>: ret
End of assembler dump.
(gdb) disas sscanf
Dump of assembler code for function sscanf:
0x00236bc0 <sscanf+0>: push %ebp
0x00236bc1 <sscanf+1>: mov %esp,%ebp
0x00236bc3 <sscanf+3>: push %ebx
0x00236bc4 <sscanf+4>: sub $0x10,%esp
0x00236bc7 <sscanf+7>: lea 0x10(%ebp),%eax
0x00236bca <sscanf+10>: mov %eax,-0x8(%ebp)
0x00236bcd <sscanf+13>: mov %eax,0x8(%esp)
0x00236bd1 <sscanf+17>: mov 0xc(%ebp),%eax
0x00236bd4 <sscanf+20>: call 0x1f6ce0 <__i686.get_pc_thunk.bx>
0x00236bd9 <sscanf+25>: add $0xff41b,%ebx
0x00236bdf <sscanf+31>: mov %eax,0x4(%esp)
0x00236be3 <sscanf+35>: mov 0x8(%ebp),%eax
0x00236be6 <sscanf+38>: mov %eax,(%esp)
0x00236be9 <sscanf+41>: call 0x23ba00 <vsscanf>
0x00236bee <sscanf+46>: add $0x10,%esp
0x00236bf1 <sscanf+49>: pop %ebx
0x00236bf2 <sscanf+50>: pop %ebp
0x00236bf3 <sscanf+51>: ret
End of assembler dump.
-
Variations of this appear as either an online challenge or as homework -> CS:APP2e, Bryant and O'Hallaron
I suppose one thing you could do is theorise what the "C" code looks like, then use "gcc -S prog.c" to generate prog.s and see how close you get.
And yes, there are some sites which just blurt out the answer, if you're not really interested in learning anything.