# binary bomb help

• 05-20-2009
uscuba2
binary bomb help
I am really stuck on phase 3. Since the 1st and 4th numbers (same for the 2nd & 5th and 3rd & 6th) should be the same numbers to defuse the 1st bomb, I'm confused as to where to begin looking to solve the 2nd bomb. I assume that

```
(gdb) print $ebp
$13 = (void *) 0xbf9cd4a8
```

has something to do with it. But as to how to apply it, I'm not sure. Can you provide any insight as to what I need to do?
Code:

```
Dump of assembler code for function phase_3:
0x080488a6 <phase_3+0>:     push   %ebp
0x080488a7 <phase_3+1>:     mov    %esp,%ebp
0x080488a9 <phase_3+3>:     sub    $0x28,%esp
0x080488ac <phase_3+6>:     movl   $0x0,0xfffffffc(%ebp)
0x080488b3 <phase_3+13>:    lea    0xffffffe0(%ebp),%eax
0x080488b6 <phase_3+16>:    mov    %eax,0x4(%esp)
0x080488ba <phase_3+20>:    mov    0x8(%ebp),%eax
0x080488bd <phase_3+23>:    mov    %eax,(%esp)
0x080488c0 <phase_3+26>:    call   0x8048dac <read_six_numbers>
0x080488c5 <phase_3+31>:    movl   $0x0,0xfffffff8(%ebp)
0x080488cc <phase_3+38>:    jmp    0x80488f6 <phase_3+80>
0x080488ce <phase_3+40>:    mov    0xfffffff8(%ebp),%eax
0x080488d1 <phase_3+43>:    mov    0xffffffe0(%ebp,%eax,4),%edx
0x080488d5 <phase_3+47>:    mov    0xfffffff8(%ebp),%eax
0x080488d8 <phase_3+50>:    add    $0x3,%eax
0x080488db <phase_3+53>:    mov    0xffffffe0(%ebp,%eax,4),%eax
0x080488df <phase_3+57>:    cmp    %eax,%edx
0x080488e1 <phase_3+59>:    je     0x80488e8 <phase_3+66>
0x080488e3 <phase_3+61>:    call   0x804906c <explode_bomb>
0x080488e8 <phase_3+66>:    mov    0xfffffff8(%ebp),%eax
0x080488eb <phase_3+69>:    mov    0xffffffe0(%ebp,%eax,4),%eax
0x080488ef <phase_3+73>:    add    %eax,0xfffffffc(%ebp)
0x080488f2 <phase_3+76>:    addl   $0x1,0xfffffff8(%ebp)
0x080488f6 <phase_3+80>:    cmpl   $0x2,0xfffffff8(%ebp)
0x080488fa <phase_3+84>:    jle    0x80488ce <phase_3+40>
0x080488fc <phase_3+86>:    cmpl   $0x0,0xfffffffc(%ebp)
0x08048900 <phase_3+90>:    jne    0x8048907 <phase_3+97>
0x08048902 <phase_3+92>:    call   0x804906c <explode_bomb>
0x08048907 <phase_3+97>:    leave
0x08048908 <phase_3+98>:    ret
End of assembler dump.
That's number 2.  Keep going!
6 9 12 6 9 12

Breakpoint 1, 0x080488df in phase_3 ()
(gdb) cont
Continuing.

Breakpoint 1, 0x080488df in phase_3 ()
(gdb) cont
Continuing.

Breakpoint 1, 0x080488df in phase_3 ()
(gdb) cont
Continuing.
Halfway there!
cont
BOOM!!!
The bomb has blown up.

Program exited with code 010.
(gdb)
```
• 05-21-2009
VirtualAce
what?
• 05-21-2009
abachler
Quote:

Originally Posted by Bubba
what?

I keep saying we need an assembly channel :)
• 05-21-2009
matsp
ebp is the frame-pointer, so it points to the stack when the function started.
Code:

`0x080488a7 <phase_3+1>: mov    %esp,%ebp`
This code
Code:

```
0x080488ce <phase_3+40>:    mov    0xfffffff8(%ebp),%eax
0x080488d1 <phase_3+43>:    mov    0xffffffe0(%ebp,%eax,4),%edx
0x080488d5 <phase_3+47>:    mov    0xfffffff8(%ebp),%eax
0x080488d8 <phase_3+50>:    add    $0x3,%eax
0x080488db <phase_3+53>:    mov    0xffffffe0(%ebp,%eax,4),%eax
0x080488df <phase_3+57>:    cmp    %eax,%edx
0x080488e1 <phase_3+59>:    je     0x80488e8 <phase_3+66>
```
is doing the ACTUAL compare of the numbers.

It doesn't show what numbers are actually being used, but dumping the memory at %ebp-0x20 would do.

--
Mats
• 05-21-2009
uscuba2
Quote:

Originally Posted by matsp
This code
Code:

```
0x080488ce <phase_3+40>:    mov    0xfffffff8(%ebp),%eax
0x080488d1 <phase_3+43>:    mov    0xffffffe0(%ebp,%eax,4),%edx
0x080488d5 <phase_3+47>:    mov    0xfffffff8(%ebp),%eax
0x080488d8 <phase_3+50>:    add    $0x3,%eax
0x080488db <phase_3+53>:    mov    0xffffffe0(%ebp,%eax,4),%eax
0x080488df <phase_3+57>:    cmp    %eax,%edx
0x080488e1 <phase_3+59>:    je     0x80488e8 <phase_3+66>
```
is doing the ACTUAL compare of the numbers.

It doesn't show what numbers are actually being used, but dumping the memory at %ebp-0x20 would do.

--
Mats

I get that that is where the compare is, because if I enter 1 2 3 4 5 6 as the input and break at
Code:

`0x080488df <phase_3+57>:        cmp    %eax,%edx`
then `print $eax` gives me 4 for eax and 1 for edx (I could have these numbers flipped)
and the bomb blows up.

So how would I dump the memory at %ebp-0x20?
• 05-21-2009
matsp
The x command in gdb will show you memory. You will probably need to format it correctly. Look up the help on the x command.

See the line where it adds 3 to eax? That's the index to the second component to compare.

So it's essentially checking that data[0] == data[3], data[1] == data[4], etc.

--
Mats
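To make that loop concrete, here is an added C reconstruction of phase_3 worked out from the listing posted above (my own rewrite for this thread, not code from the bomb or from matsp); the local names data, i and sum, and the read_six stand-in for read_six_numbers, are assumptions. It also keeps the check that runs after the loop, which the disassembly contains but the summary above does not mention: the sum of the first three numbers must be non-zero or the bomb still explodes.

```c
#include <stdbool.h>
#include <stdio.h>

/* Reconstruction of phase_3 from the gdb listing in this thread.
 * Stack slots in the listing map to locals as follows (assumed names):
 *   -0x20(%ebp) .. -0x0c(%ebp) -> data[0..5], filled by read_six_numbers
 *   -0x08(%ebp)                -> i   (loop counter, runs 0..2)
 *   -0x04(%ebp)                -> sum (running total of data[0..2])
 * Returning false stands in for a call to explode_bomb. */
bool phase_3_defuses(const int data[6]) {
    int sum = 0;                          /* movl $0x0,-0x4(%ebp)        */
    for (int i = 0; i <= 2; i++) {        /* cmpl $0x2,-0x8(%ebp); jle   */
        /* edx = data[i], eax = data[i+3]; cmp %eax,%edx; je skips explode */
        if (data[i] != data[i + 3])
            return false;                 /* call explode_bomb           */
        sum += data[i];                   /* add %eax,-0x4(%ebp)         */
    }
    /* cmpl $0x0,-0x4(%ebp); jne jumps past the explode: a zero sum explodes */
    if (sum == 0)
        return false;
    return true;
}

/* Assumed stand-in for read_six_numbers: parse a line of six integers
 * and report whether exactly six were read. */
bool read_six(const char *line, int data[6]) {
    return sscanf(line, "%d %d %d %d %d %d", &data[0], &data[1], &data[2],
                  &data[3], &data[4], &data[5]) == 6;
}

/* Run one input line through the reconstructed phase. */
bool phase_3_line(const char *line) {
    int data[6];
    return read_six(line, data) && phase_3_defuses(data);
}

int main(void) {
    /* Constructed sample inputs, including the two lines from the thread. */
    const char *inputs[] = { "1 2 3 4 5 6", "6 9 12 6 9 12", "0 0 0 0 0 0" };
    for (size_t k = 0; k < sizeof inputs / sizeof inputs[0]; k++)
        printf("%-16s -> %s\n", inputs[k],
               phase_3_line(inputs[k]) ? "defused" : "BOOM");
    return 0;
}
```

In gdb the six words themselves can be shown with `x/6dw $ebp-0x20` once read_six_numbers has returned.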
• 05-21-2009
VirtualAce
The bomb was what I was confused about, not the assembly.
• 05-21-2009
Cactus_Hugger
Quote:

Originally Posted by Bubba
The bomb was what I was confused about, not the assembly.

It's a challenge. One of my former professors gave the same challenge to me when I took his class (OP: where are you going to school?). The idea is this: You have a program which accepts some input. Give it the right input and it "defuses", give it the wrong input and it "explodes". The idea is to disassemble the program, look at the assembly, and determine what input to give it.

My professor's "bombs" were semi-unique - there were 5-10 different bombs, distributed randomly among us - and when the bomb blew up, it reported back. (Though some of us knew how to disable that, but then again, we were also able to disassemble the bomb...) It's a foray into reverse engineering & x86 assembly.

Edit: actually, this line:
Code:

`0x080488c0 <phase_3+26>:        call  0x8048dac <read_six_numbers>`
...appears in my old homework (Not exactly, but we had a read_six_numbers). Now I'm really curious as to where the OP goes to school, or if this is just some well known thing that professors do to try and make students sweat. :-) (It's a fun homework, btw.)

Edit: Also, is the AJAXy-edit thing not working for anyone else?
• 05-22-2009
uscuba2
First, yes, this bomb is a common assignment (Yale to community college). Therefore, I am in the USA. A Google search will confirm this. To Cactus, ours does not report back (that code was removed).