ZuoTi.Pro
Question

Below is the disassembled code. PLease help me to defuse the binary bomb phase_4 so the...

Below is the disassembled code. PLease help me to defuse the binary bomb phase_4

so the right input should be  6 numbers with a certain pattern

08048cdb <phase_4>:
 8048cdb:       53                      push   %ebx
 8048cdc:       83 ec 38                sub    $0x38,%esp
 8048cdf:       8d 44 24 18             lea    0x18(%esp),%eax
 8048ce3:       89 44 24 04             mov    %eax,0x4(%esp)
 8048ce7:       8b 44 24 40             mov    0x40(%esp),%eax
 8048ceb:       89 04 24                mov    %eax,(%esp)
 8048cee:       e8 11 07 00 00          call   8049404 <read_six_numbers>
 8048cf3:       83 7c 24 18 00          cmpl   $0x0,0x18(%esp)
 8048cf8:       79 24                   jns    8048d1e <phase_4+0x43>
 8048cfa:       e8 c6 06 00 00          call   80493c5 <explode_bomb>
 8048cff:       90                      nop
 8048d00:       eb 1c                   jmp    8048d1e <phase_4+0x43>
 8048d02:       8d 04 9b                lea    (%ebx,%ebx,4),%eax
 8048d05:       03 44 9c 14             add    0x14(%esp,%ebx,4),%eax
 8048d09:       39 44 9c 18             cmp    %eax,0x18(%esp,%ebx,4)
 8048d0d:       74 05                   je     8048d14 <phase_4+0x39>
 8048d0f:       e8 b1 06 00 00          call   80493c5 <explode_bomb>
 8048d14:       83 c3 01                add    $0x1,%ebx
 8048d17:       83 fb 06                cmp    $0x6,%ebx
 8048d1a:       75 e6                   jne    8048d02 <phase_4+0x27>
 8048d1c:       eb 07                   jmp    8048d25 <phase_4+0x4a>
 8048d1e:       bb 01 00 00 00          mov    $0x1,%ebx
 8048d23:       eb dd                   jmp    8048d02 <phase_4+0x27>
 8048d25:       83 c4 38                add    $0x38,%esp
 8048d28:       5b                      pop    %ebx
 8048d29:       c3                      ret  
08049404 <read_six_numbers>:
 8049404:       83 ec 2c                sub    $0x2c,%esp
 8049407:       8b 44 24 34             mov    0x34(%esp),%eax
 804940b:       8d 50 14                lea    0x14(%eax),%edx
 804940e:       89 54 24 1c             mov    %edx,0x1c(%esp)
 8049412:       8d 50 10                lea    0x10(%eax),%edx
 8049415:       89 54 24 18             mov    %edx,0x18(%esp)
 8049419:       8d 50 0c                lea    0xc(%eax),%edx
 804941c:       89 54 24 14             mov    %edx,0x14(%esp)
 8049420:       8d 50 08                lea    0x8(%eax),%edx
 8049423:       89 54 24 10             mov    %edx,0x10(%esp)
 8049427:       8d 50 04                lea    0x4(%eax),%edx
 804942a:       89 54 24 0c             mov    %edx,0xc(%esp)
 804942e:       89 44 24 08             mov    %eax,0x8(%esp)
 8049432:       c7 44 24 04 55 a6 04    movl   $0x804a655,0x4(%esp)
 8049439:       08 
 804943a:       8b 44 24 30             mov    0x30(%esp),%eax
 804943e:       89 04 24                mov    %eax,(%esp)
 8049441:       e8 2a f4 ff ff          call   8048870 <__isoc99_sscanf@plt>
 8049446:       83 f8 05                cmp    $0x5,%eax
 8049449:       7f 05                   jg     8049450 <read_six_numbers+0x4c>
 804944b:       e8 75 ff ff ff          call   80493c5 <explode_bomb>
 8049450:       83 c4 2c                add    $0x2c,%esp
 8049453:       c3                      ret
engineering   Computer-Science   
0 0
Add a comment Improve this question Transcribed image text
Next > < Previous
Sort answers by oldest

Homework Answers

Answer #1
=========================
Secret phase
=========================
After the first 6 stages:
# ./bomb bomb-answers.txt
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
Halfway there!
So you got that one. Try this one.
Good work! On to the next...
Congratulations! You've defused the bomb!
In the phase_difused function, we have a function called secret_phase, activated only
after first stages are difused:
Dump of assembler code for function phase_defused:
0x0804952c <+0>: push ebp
0x0804952d <+1>: mov ebp,esp
0x0804952f <+3>: sub esp,0x64
0x08049532 <+6>: push ebx
0x08049533 <+7>: cmp DWORD PTR ds:0x804b480,0x6
0x0804953a <+14>: jne 0x804959f <phase_defused+115>
0x0804953c <+16>: lea ebx,[ebp-0x50]
0x0804953f <+19>: push ebx
0x08049540 <+20>: lea eax,[ebp-0x54]
0x08049543 <+23>: push eax
0x08049544 <+24>: push 0x8049d03 --> "%d %s"
0x08049549 <+29>: push 0x804b770 --> "9" this is the input from phase_4
0x0804954e <+34>: call 0x8048860 <sscanf@plt>
0x08049553 <+39>: add esp,0x10
0x08049556 <+42>: cmp eax,0x2
0x08049559 <+45>: jne 0x8049592 <phase_defused+102>
0x0804955b <+47>: add esp,0xfffffff8
0x0804955e <+50>: push 0x8049d09 --> austinpowers
0x08049563 <+55>: push ebx
0x08049564 <+56>: call 0x8049030 <strings_not_equal>
0x08049569 <+61>: add esp,0x10
0x0804956c <+64>: test eax,eax
0x0804956e <+66>: jne 0x8049592 <phase_defused+102>
0x08049570 <+68>: add esp,0xfffffff4
0x08049573 <+71>: push 0x8049d20 --> "Curses, you've found the secret phase!\n"
0x08049578 <+76>: call 0x8048810 <printf@plt>
0x0804957d <+81>: add esp,0xfffffff4
0x08049580 <+84>: push 0x8049d60 --> "But finding it and solving it are quite different...\n"
0x08049585 <+89>: call 0x8048810 <printf@plt>
0x0804958a <+94>: add esp,0x20
0x0804958d <+97>: call 0x8048ee8 <secret_phase>
0x08049592 <+102>: add esp,0xfffffff4
0x08049595 <+105>: push 0x8049da0
0x0804959a <+110>: call 0x8048810 <printf@plt>
0x0804959f <+115>: mov ebx,DWORD PTR [ebp-0x68]
0x080495a2 <+118>: mov esp,ebp
0x080495a4 <+120>: pop ebp
0x080495a5 <+121>: ret
End of assembler dump.
After all 6 phases are done,we can go on in this function:
0x08049533 <+7>: cmp DWORD PTR ds:0x804b480,0x6
0x0804953a <+14>: jne 0x804959f <phase_defused+115>
We add a word to the password for phase_4, and break the program at *0x0804954e.
0x0804955b <+47>: add esp,0xfffffff8
0x0804955e <+50>: push 0x8049d09 --> "austinpowers"
0x08049563 <+55>: push ebx
0x08049564 <+56>: call 0x8049030 <strings_not_equal>
We add the password "austinpowers" and get the following 2 messages printed:
Curses, you've found the secret phase!
But finding it and solving it are quite different...
Dump of assembler code for function secret_phase:
0x08048ee8 <+0>: push ebp
0x08048ee9 <+1>: mov ebp,esp
0x08048eeb <+3>: sub esp,0x14
0x08048eee <+6>: push ebx
0x08048eef <+7>: call 0x80491fc <read_line>
0x08048ef4 <+12>: push 0x0 // group parameter -> should be 0
0x08048ef6 <+14>: push 0xa // base parameter -> 10, decimal
0x08048ef8 <+16>: push 0x0 // endptr -> NULL
0x08048efa <+18>: push eax // str -> beginning of the string representation
0x08048efb <+19>: call 0x80487f0 <__strtol_internal@plt>
0x08048f00 <+24>: add esp,0x10
0x08048f03 <+27>: mov ebx,eax // eax -> long int decimal value
0x08048f05 <+29>: lea eax,[ebx-0x1]
0x08048f08 <+32>: cmp eax,0x3e8
0x08048f0d <+37>: jbe 0x8048f14 <secret_phase+44> // <= 0x3e8=1000
0x08048f0f <+39>: call 0x80494fc <explode_bomb>
0x08048f14 <+44>: add esp,0xfffffff8
0x08048f17 <+47>: push ebx // 2nd param to fun7
0x08048f18 <+48>: push 0x804b320 // .. 1st param to fun7
0x08048f1d <+53>: call 0x8048e94 <fun7>
0x08048f22 <+58>: add esp,0x10
0x08048f25 <+61>: cmp eax,0x7 // fun7 should return 7
0x08048f28 <+64>: je 0x8048f2f <secret_phase+71>
0x08048f2a <+66>: call 0x80494fc <explode_bomb>
0x08048f2f <+71>: add esp,0xfffffff4
0x08048f32 <+74>: push 0x8049820 // "Wow! You've defused the secret stage!\n"
0x08048f37 <+79>: call 0x8048810 <printf@plt>
0x08048f3c <+84>: call 0x804952c <phase_defused>
0x08048f41 <+89>: mov ebx,DWORD PTR [ebp-0x18]
0x08048f44 <+92>: mov esp,ebp
0x08048f46 <+94>: pop ebp
0x08048f47 <+95>: ret
End of assembler dump.
Dump of assembler code for function fun7:
0x08048e94 <+0>: push ebp
0x08048e95 <+1>: mov ebp,esp
0x08048e97 <+3>: sub esp,0x8
0x08048e9a <+6>: mov edx,DWORD PTR [ebp+0x8] // -> 1st param
0x08048e9d <+9>: mov eax,DWORD PTR [ebp+0xc] // -> 2nd param
0x08048ea0 <+12>: test edx,edx
0x08048ea2 <+14>: jne 0x8048eb0 <fun7+28>
0x08048ea4 <+16>: mov eax,0xffffffff
0x08048ea9 <+21>: jmp 0x8048ee2 <fun7+78>
0x08048eab <+23>: nop // junk ?? (not reachable)
0x08048eac <+24>: lea esi,[esi+eiz*1+0x0] // junk ?? (not reachable)
0x08048eb0 <+28>: cmp eax,DWORD PTR [edx]
0x08048eb2 <+30>: jge 0x8048ec5 <fun7+49>
0x08048eb4 <+32>: add esp,0xfffffff8
0x08048eb7 <+35>: push eax
0x08048eb8 <+36>: mov eax,DWORD PTR [edx+0x4]
0x08048ebb <+39>: push eax
0x08048ebc <+40>: call 0x8048e94 <fun7>
0x08048ec1 <+45>: add eax,eax
0x08048ec3 <+47>: jmp 0x8048ee2 <fun7+78>
0x08048ec5 <+49>: cmp eax,DWORD PTR [edx]
0x08048ec7 <+51>: je 0x8048ee0 <fun7+76>
0x08048ec9 <+53>: add esp,0xfffffff8
0x08048ecc <+56>: push eax
0x08048ecd <+57>: mov eax,DWORD PTR [edx+0x8]
0x08048ed0 <+60>: push eax
0x08048ed1 <+61>: call 0x8048e94 <fun7>
0x08048ed6 <+66>: add eax,eax
0x08048ed8 <+68>: inc eax
0x08048ed9 <+69>: jmp 0x8048ee2 <fun7+78>
0x08048edb <+71>: nop
0x08048edc <+72>: lea esi,[esi+eiz*1+0x0]
0x08048ee0 <+76>: xor eax,eax
0x08048ee2 <+78>: mov esp,ebp
0x08048ee4 <+80>: pop ebp
0x08048ee5 <+81>: ret
End of assembler dump.
The last fun7 is something like this:
int fun7(int *adr, int x) {
if(adr == NULL) {
ret = -1; // 0xffffffff
goto exit;
}
if (x >= *adr) {
if (x == *adr) {
ret = 0
} else {
ret = fun7(*(adr+8), x)
ret *= 2;
ret ++;
}
} else {
ret = fun7(*(adr+4), x)
ret *= 2
}
exit:
return ret;
}
Initial adr is 0x804b320. At this address there is a tree with 4 levels, as below.
We navigate to the left o right branch depending on the input value.
If input x is equal to value in branch, we return 0.
0x24
0x8 0x32
0x6 0x16 0x2d 0x6b
................................... 0x3e9
We want fun7() to return 7.
7 = 2*3+1 = 2*(2*1+1)+1.
f(0x24) = 0
f(0x32) = 2*f(0x24)+1 = 1
f(0x6b) = 2*f(0x32)+1 = 3
f(0x3e9) = 2*f(0x6b)+1 = 7
0x3e9 is 1001 decimal, and is accepted by the first check (param-1 <= 1000).
# ./bomb bomb-answers.txt
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
Halfway there!
So you got that one. Try this one.
Good work! On to the next...
Curses, you've found the secret phase!
But finding it and solving it are quite different...
Wow! You've defused the secret stage!
Congratulations! You've defused the bomb!
0 0
Add a comment
Know the answer?
Add Answer to:
Below is the disassembled code. PLease help me to defuse the binary bomb phase_4 so the...
Your Answer:

Post as a guest

Your Name:

What's your source?

Earn Coins

Coins can be redeemed for fabulous gifts.

Log In

Sign Up

Not the answer you're looking for? Ask your own homework help question. Our experts will answer your question WITHIN MINUTES for Free.
Similar Homework Help Questions

  • Below is the disassembled code. PLease help me to defuse the binary bomb phase_7 08048e88 <pha...

    Below is the disassembled code. PLease help me to defuse the binary bomb phase_7 08048e88 <phase_7>: 8048e88: 83 ec 2c sub $0x2c,%esp 8048e8b: 8d 44 24 18 lea 0x18(%esp),%eax 8048e8f: 89 44 24 0c mov %eax,0xc(%esp) 8048e93: 8d 44 24 1c lea 0x1c(%esp),%eax 8048e97: 89 44 24 08 mov %eax,0x8(%esp) 8048e9b: c7 44 24 04 61 a6 04 movl $0x804a661,0x4(%esp) 8048ea2: 08 8048ea3: 8b 44 24 30 mov 0x30(%esp),%eax 8048ea7: 89 04 24 mov %eax,(%esp) 8048eaa: e8 c1 f9 ff...

  • I need help finding the input that wont result in explode_bomb in this assembly 08048cd3 <phase_4>:...

    I need help finding the input that wont result in explode_bomb in this assembly 08048cd3 <phase_4>: 8048cd3: 57 push %edi 8048cd4: 56 push %esi 8048cd5: 53 push %ebx 8048cd6: 83 ec 10 sub $0x10,%esp 8048cd9: 8b 74 24 20 mov 0x20(%esp),%esi 8048cdd: 89 34 24 mov %esi,(%esp) 8048ce0: e8 f6 03 00 00 call 80490db <string_length> 8048ce5: 83 c0 01 add $0x1,%eax 8048ce8: 89 04 24 mov %eax,(%esp) 8048ceb: e8 10 fb ff ff call 8048800 <malloc@plt> 8048cf0: 89 c7...

  • When using objdump to disassemble the binary, how to find what the address of a specific...

    When using objdump to disassemble the binary, how to find what the address of a specific function is? For example, 08048934 <function2>: 8048934: 55 push ebp 8048935: 89 e5 mov ebp,esp 8048937: 53 push ebx 8048938: 83 ec 04 sub esp,0x4 804893b: e8 1f 00 00 00 call 804895f <__x86.get_pc_thunk.ax> 8048940: 05 c0 06 09 00 add eax,0x906c0 8048945: 83 ec 0c sub esp,0xc 8048948: 8d 90 70 31 fd ff lea edx,[eax-0x2ce90] 804894e: 52 push edx 804894f: 89 c3...

  • Binary Bomb phase 4 Dump of assembler code for function phase_4: > 0x0000000000400fe7 <+0>:     sub    $0x18,%rsp...

    Binary Bomb phase 4 Dump of assembler code for function phase_4: > 0x0000000000400fe7 <+0>:     sub    $0x18,%rsp    0x0000000000400feb <+4>:     lea    0x8(%rsp),%rcx    0x0000000000400ff0 <+9>:     lea    0xc(%rsp),%rdx    0x0000000000400ff5 <+14>:    mov    $0x40290d,%esi    0x0000000000400ffa <+19>:    mov    $0x0,%eax    0x0000000000400fff <+24>:    callq 0x400c00 <__isoc99_sscanf@plt>    0x0000000000401004 <+29>:    cmp    $0x2,%eax    0x0000000000401007 <+32>:    jne    0x401010 <phase_4+41>    0x0000000000401009 <+34>:    cmpl   $0xe,0xc(%rsp)    0x000000000040100e <+39>:    jbe    0x401015 <phase_4+46>    0x0000000000401010 <+41>:    callq 0x401662 <explode_bomb>    0x0000000000401015 <+46>:    mov    $0xe,%edx    0x000000000040101a <+51>:    mov    $0x0,%esi...

  • Reverse Engineering

    I need to reverse engineer from machine code to C, how do I do it?This problem will give you a chance to reverse engineer a switch statement frommachine code. In the following procedure, the body of the switch statement hasbeen removed:1 int switch_prob(int x, int n)2 {3 int result = x;45 switch(n) {67 /* Fill in code here */8 }910 return result;11 }Figure 3.44 shows the disassembled machine code for the procedure. We cansee in lines 4 and 5 that...

  • Please explain the table solution. The red answers are correct. Please explain step by step why...

    Please explain the table solution. The red answers are correct. Please explain step by step why 5) Mutually assured instruction. (10 pts) a) First, deduce the following functions. (4pts) 000000000000064a <func1>: 64a: 48 83 ec 18 sub $0x18,%rsp 64e: 89 70 24 OC mov %edi, oxc(%rsp) 652: 83 70 24 Oc 00 cmpl $0x0, xc(%rsp) 657: 75 07 jne 660 <func1+0x16> 659: b8 01 00 00 00 mov $0x1,%eax 65e: ebbe jmp 66e <func1+0x24> 660: 85 44 24 Oc mov...

  • This is phase_5 of defusing a binary bomb. (Disass in x86 on a Linux system.) I...

    This is phase_5 of defusing a binary bomb. (Disass in x86 on a Linux system.) I am having trouble "debugging" this and figuring out what I need to enter to defuse this phase, but I am relatively sure I will need 6 inputs. Thanks in advance. Dump of assembler code for function phase_5: 0x00000000004011bf <+0>: push %rbx 0x00000000004011c0 <+1>: mov %rdi,%rbx 0x00000000004011c3 <+4>: callq 0x401414 <string_length> 0x00000000004011c8 <+9>: cmp $0x6,%eax //eax = 6? jump over explode 0x00000000004011cb <+12>: je 0x4011d2...

ADVERTISEMENT
Free Homework Help App
Download From Google Play
Scan Your Homework
to Get Instant Free Answers
Need Online Homework Help?
Ask a Question
Get Answers For Free
Most questions answered within 3 hours.
ADVERTISEMENT
ADVERTISEMENT
ADVERTISEMENT