Below is the disassembled code. PLease help me to defuse the binary bomb phase_4
so the right input should be 6 numbers with a certain pattern
08048cdb <phase_4>: 8048cdb: 53 push %ebx 8048cdc: 83 ec 38 sub $0x38,%esp 8048cdf: 8d 44 24 18 lea 0x18(%esp),%eax 8048ce3: 89 44 24 04 mov %eax,0x4(%esp) 8048ce7: 8b 44 24 40 mov 0x40(%esp),%eax 8048ceb: 89 04 24 mov %eax,(%esp) 8048cee: e8 11 07 00 00 call 8049404 <read_six_numbers> 8048cf3: 83 7c 24 18 00 cmpl $0x0,0x18(%esp) 8048cf8: 79 24 jns 8048d1e <phase_4+0x43> 8048cfa: e8 c6 06 00 00 call 80493c5 <explode_bomb> 8048cff: 90 nop 8048d00: eb 1c jmp 8048d1e <phase_4+0x43> 8048d02: 8d 04 9b lea (%ebx,%ebx,4),%eax 8048d05: 03 44 9c 14 add 0x14(%esp,%ebx,4),%eax 8048d09: 39 44 9c 18 cmp %eax,0x18(%esp,%ebx,4) 8048d0d: 74 05 je 8048d14 <phase_4+0x39> 8048d0f: e8 b1 06 00 00 call 80493c5 <explode_bomb> 8048d14: 83 c3 01 add $0x1,%ebx 8048d17: 83 fb 06 cmp $0x6,%ebx 8048d1a: 75 e6 jne 8048d02 <phase_4+0x27> 8048d1c: eb 07 jmp 8048d25 <phase_4+0x4a> 8048d1e: bb 01 00 00 00 mov $0x1,%ebx 8048d23: eb dd jmp 8048d02 <phase_4+0x27> 8048d25: 83 c4 38 add $0x38,%esp 8048d28: 5b pop %ebx 8048d29: c3 ret
08049404 <read_six_numbers>: 8049404: 83 ec 2c sub $0x2c,%esp 8049407: 8b 44 24 34 mov 0x34(%esp),%eax 804940b: 8d 50 14 lea 0x14(%eax),%edx 804940e: 89 54 24 1c mov %edx,0x1c(%esp) 8049412: 8d 50 10 lea 0x10(%eax),%edx 8049415: 89 54 24 18 mov %edx,0x18(%esp) 8049419: 8d 50 0c lea 0xc(%eax),%edx 804941c: 89 54 24 14 mov %edx,0x14(%esp) 8049420: 8d 50 08 lea 0x8(%eax),%edx 8049423: 89 54 24 10 mov %edx,0x10(%esp) 8049427: 8d 50 04 lea 0x4(%eax),%edx 804942a: 89 54 24 0c mov %edx,0xc(%esp) 804942e: 89 44 24 08 mov %eax,0x8(%esp) 8049432: c7 44 24 04 55 a6 04 movl $0x804a655,0x4(%esp) 8049439: 08 804943a: 8b 44 24 30 mov 0x30(%esp),%eax 804943e: 89 04 24 mov %eax,(%esp) 8049441: e8 2a f4 ff ff call 8048870 <__isoc99_sscanf@plt> 8049446: 83 f8 05 cmp $0x5,%eax 8049449: 7f 05 jg 8049450 <read_six_numbers+0x4c> 804944b: e8 75 ff ff ff call 80493c5 <explode_bomb> 8049450: 83 c4 2c add $0x2c,%esp 8049453: c3 ret
========================= | |
Secret phase | |
========================= | |
After the first 6 stages: | |
# ./bomb bomb-answers.txt | |
Welcome to my fiendish little bomb. You have 6 phases with | |
which to blow yourself up. Have a nice day! | |
Phase 1 defused. How about the next one? | |
That's number 2. Keep going! | |
Halfway there! | |
So you got that one. Try this one. | |
Good work! On to the next... | |
Congratulations! You've defused the bomb! | |
In the phase_difused function, we have a function called secret_phase, activated only | |
after first stages are difused: | |
Dump of assembler code for function phase_defused: | |
0x0804952c <+0>: push ebp | |
0x0804952d <+1>: mov ebp,esp | |
0x0804952f <+3>: sub esp,0x64 | |
0x08049532 <+6>: push ebx | |
0x08049533 <+7>: cmp DWORD PTR ds:0x804b480,0x6 | |
0x0804953a <+14>: jne 0x804959f <phase_defused+115> | |
0x0804953c <+16>: lea ebx,[ebp-0x50] | |
0x0804953f <+19>: push ebx | |
0x08049540 <+20>: lea eax,[ebp-0x54] | |
0x08049543 <+23>: push eax | |
0x08049544 <+24>: push 0x8049d03 --> "%d %s" | |
0x08049549 <+29>: push 0x804b770 --> "9" this is the input from phase_4 | |
0x0804954e <+34>: call 0x8048860 <sscanf@plt> | |
0x08049553 <+39>: add esp,0x10 | |
0x08049556 <+42>: cmp eax,0x2 | |
0x08049559 <+45>: jne 0x8049592 <phase_defused+102> | |
0x0804955b <+47>: add esp,0xfffffff8 | |
0x0804955e <+50>: push 0x8049d09 --> austinpowers | |
0x08049563 <+55>: push ebx | |
0x08049564 <+56>: call 0x8049030 <strings_not_equal> | |
0x08049569 <+61>: add esp,0x10 | |
0x0804956c <+64>: test eax,eax | |
0x0804956e <+66>: jne 0x8049592 <phase_defused+102> | |
0x08049570 <+68>: add esp,0xfffffff4 | |
0x08049573 <+71>: push 0x8049d20 --> "Curses, you've found the secret phase!\n" | |
0x08049578 <+76>: call 0x8048810 <printf@plt> | |
0x0804957d <+81>: add esp,0xfffffff4 | |
0x08049580 <+84>: push 0x8049d60 --> "But finding it and solving it are quite different...\n" | |
0x08049585 <+89>: call 0x8048810 <printf@plt> | |
0x0804958a <+94>: add esp,0x20 | |
0x0804958d <+97>: call 0x8048ee8 <secret_phase> | |
0x08049592 <+102>: add esp,0xfffffff4 | |
0x08049595 <+105>: push 0x8049da0 | |
0x0804959a <+110>: call 0x8048810 <printf@plt> | |
0x0804959f <+115>: mov ebx,DWORD PTR [ebp-0x68] | |
0x080495a2 <+118>: mov esp,ebp | |
0x080495a4 <+120>: pop ebp | |
0x080495a5 <+121>: ret | |
End of assembler dump. | |
After all 6 phases are done,we can go on in this function: | |
0x08049533 <+7>: cmp DWORD PTR ds:0x804b480,0x6 | |
0x0804953a <+14>: jne 0x804959f <phase_defused+115> | |
We add a word to the password for phase_4, and break the program at *0x0804954e. | |
0x0804955b <+47>: add esp,0xfffffff8 | |
0x0804955e <+50>: push 0x8049d09 --> "austinpowers" | |
0x08049563 <+55>: push ebx | |
0x08049564 <+56>: call 0x8049030 <strings_not_equal> | |
We add the password "austinpowers" and get the following 2 messages printed: | |
Curses, you've found the secret phase! | |
But finding it and solving it are quite different... | |
Dump of assembler code for function secret_phase: | |
0x08048ee8 <+0>: push ebp | |
0x08048ee9 <+1>: mov ebp,esp | |
0x08048eeb <+3>: sub esp,0x14 | |
0x08048eee <+6>: push ebx | |
0x08048eef <+7>: call 0x80491fc <read_line> | |
0x08048ef4 <+12>: push 0x0 // group parameter -> should be 0 | |
0x08048ef6 <+14>: push 0xa // base parameter -> 10, decimal | |
0x08048ef8 <+16>: push 0x0 // endptr -> NULL | |
0x08048efa <+18>: push eax // str -> beginning of the string representation | |
0x08048efb <+19>: call 0x80487f0 <__strtol_internal@plt> | |
0x08048f00 <+24>: add esp,0x10 | |
0x08048f03 <+27>: mov ebx,eax // eax -> long int decimal value | |
0x08048f05 <+29>: lea eax,[ebx-0x1] | |
0x08048f08 <+32>: cmp eax,0x3e8 | |
0x08048f0d <+37>: jbe 0x8048f14 <secret_phase+44> // <= 0x3e8=1000 | |
0x08048f0f <+39>: call 0x80494fc <explode_bomb> | |
0x08048f14 <+44>: add esp,0xfffffff8 | |
0x08048f17 <+47>: push ebx // 2nd param to fun7 | |
0x08048f18 <+48>: push 0x804b320 // .. 1st param to fun7 | |
0x08048f1d <+53>: call 0x8048e94 <fun7> | |
0x08048f22 <+58>: add esp,0x10 | |
0x08048f25 <+61>: cmp eax,0x7 // fun7 should return 7 | |
0x08048f28 <+64>: je 0x8048f2f <secret_phase+71> | |
0x08048f2a <+66>: call 0x80494fc <explode_bomb> | |
0x08048f2f <+71>: add esp,0xfffffff4 | |
0x08048f32 <+74>: push 0x8049820 // "Wow! You've defused the secret stage!\n" | |
0x08048f37 <+79>: call 0x8048810 <printf@plt> | |
0x08048f3c <+84>: call 0x804952c <phase_defused> | |
0x08048f41 <+89>: mov ebx,DWORD PTR [ebp-0x18] | |
0x08048f44 <+92>: mov esp,ebp | |
0x08048f46 <+94>: pop ebp | |
0x08048f47 <+95>: ret | |
End of assembler dump. | |
Dump of assembler code for function fun7: | |
0x08048e94 <+0>: push ebp | |
0x08048e95 <+1>: mov ebp,esp | |
0x08048e97 <+3>: sub esp,0x8 | |
0x08048e9a <+6>: mov edx,DWORD PTR [ebp+0x8] // -> 1st param | |
0x08048e9d <+9>: mov eax,DWORD PTR [ebp+0xc] // -> 2nd param | |
0x08048ea0 <+12>: test edx,edx | |
0x08048ea2 <+14>: jne 0x8048eb0 <fun7+28> | |
0x08048ea4 <+16>: mov eax,0xffffffff | |
0x08048ea9 <+21>: jmp 0x8048ee2 <fun7+78> | |
0x08048eab <+23>: nop // junk ?? (not reachable) | |
0x08048eac <+24>: lea esi,[esi+eiz*1+0x0] // junk ?? (not reachable) | |
0x08048eb0 <+28>: cmp eax,DWORD PTR [edx] | |
0x08048eb2 <+30>: jge 0x8048ec5 <fun7+49> | |
0x08048eb4 <+32>: add esp,0xfffffff8 | |
0x08048eb7 <+35>: push eax | |
0x08048eb8 <+36>: mov eax,DWORD PTR [edx+0x4] | |
0x08048ebb <+39>: push eax | |
0x08048ebc <+40>: call 0x8048e94 <fun7> | |
0x08048ec1 <+45>: add eax,eax | |
0x08048ec3 <+47>: jmp 0x8048ee2 <fun7+78> | |
0x08048ec5 <+49>: cmp eax,DWORD PTR [edx] | |
0x08048ec7 <+51>: je 0x8048ee0 <fun7+76> | |
0x08048ec9 <+53>: add esp,0xfffffff8 | |
0x08048ecc <+56>: push eax | |
0x08048ecd <+57>: mov eax,DWORD PTR [edx+0x8] | |
0x08048ed0 <+60>: push eax | |
0x08048ed1 <+61>: call 0x8048e94 <fun7> | |
0x08048ed6 <+66>: add eax,eax | |
0x08048ed8 <+68>: inc eax | |
0x08048ed9 <+69>: jmp 0x8048ee2 <fun7+78> | |
0x08048edb <+71>: nop | |
0x08048edc <+72>: lea esi,[esi+eiz*1+0x0] | |
0x08048ee0 <+76>: xor eax,eax | |
0x08048ee2 <+78>: mov esp,ebp | |
0x08048ee4 <+80>: pop ebp | |
0x08048ee5 <+81>: ret | |
End of assembler dump. | |
The last fun7 is something like this: | |
int fun7(int *adr, int x) { | |
if(adr == NULL) { | |
ret = -1; // 0xffffffff | |
goto exit; | |
} | |
if (x >= *adr) { | |
if (x == *adr) { | |
ret = 0 | |
} else { | |
ret = fun7(*(adr+8), x) | |
ret *= 2; | |
ret ++; | |
} | |
} else { | |
ret = fun7(*(adr+4), x) | |
ret *= 2 | |
} | |
exit: | |
return ret; | |
} | |
Initial adr is 0x804b320. At this address there is a tree with 4 levels, as below. | |
We navigate to the left o right branch depending on the input value. | |
If input x is equal to value in branch, we return 0. | |
0x24 | |
0x8 0x32 | |
0x6 0x16 0x2d 0x6b | |
................................... 0x3e9 | |
We want fun7() to return 7. | |
7 = 2*3+1 = 2*(2*1+1)+1. | |
f(0x24) = 0 | |
f(0x32) = 2*f(0x24)+1 = 1 | |
f(0x6b) = 2*f(0x32)+1 = 3 | |
f(0x3e9) = 2*f(0x6b)+1 = 7 | |
0x3e9 is 1001 decimal, and is accepted by the first check (param-1 <= 1000). | |
# ./bomb bomb-answers.txt | |
Welcome to my fiendish little bomb. You have 6 phases with | |
which to blow yourself up. Have a nice day! | |
Phase 1 defused. How about the next one? | |
That's number 2. Keep going! | |
Halfway there! | |
So you got that one. Try this one. | |
Good work! On to the next... | |
Curses, you've found the secret phase! | |
But finding it and solving it are quite different... | |
Wow! You've defused the secret stage! | |
Congratulations! You've defused the bomb! |
Below is the disassembled code. PLease help me to defuse the binary bomb phase_4 so the...
Below is the disassembled code. PLease help me to defuse the binary bomb phase_7 08048e88 <phase_7>: 8048e88: 83 ec 2c sub $0x2c,%esp 8048e8b: 8d 44 24 18 lea 0x18(%esp),%eax 8048e8f: 89 44 24 0c mov %eax,0xc(%esp) 8048e93: 8d 44 24 1c lea 0x1c(%esp),%eax 8048e97: 89 44 24 08 mov %eax,0x8(%esp) 8048e9b: c7 44 24 04 61 a6 04 movl $0x804a661,0x4(%esp) 8048ea2: 08 8048ea3: 8b 44 24 30 mov 0x30(%esp),%eax 8048ea7: 89 04 24 mov %eax,(%esp) 8048eaa: e8 c1 f9 ff...
I need help finding the input that wont result in explode_bomb in this assembly 08048cd3 <phase_4>: 8048cd3: 57 push %edi 8048cd4: 56 push %esi 8048cd5: 53 push %ebx 8048cd6: 83 ec 10 sub $0x10,%esp 8048cd9: 8b 74 24 20 mov 0x20(%esp),%esi 8048cdd: 89 34 24 mov %esi,(%esp) 8048ce0: e8 f6 03 00 00 call 80490db <string_length> 8048ce5: 83 c0 01 add $0x1,%eax 8048ce8: 89 04 24 mov %eax,(%esp) 8048ceb: e8 10 fb ff ff call 8048800 <malloc@plt> 8048cf0: 89 c7...
When using objdump to disassemble the binary, how to find what the address of a specific function is? For example, 08048934 <function2>: 8048934: 55 push ebp 8048935: 89 e5 mov ebp,esp 8048937: 53 push ebx 8048938: 83 ec 04 sub esp,0x4 804893b: e8 1f 00 00 00 call 804895f <__x86.get_pc_thunk.ax> 8048940: 05 c0 06 09 00 add eax,0x906c0 8048945: 83 ec 0c sub esp,0xc 8048948: 8d 90 70 31 fd ff lea edx,[eax-0x2ce90] 804894e: 52 push edx 804894f: 89 c3...
Binary Bomb phase 4 Dump of assembler code for function phase_4: > 0x0000000000400fe7 <+0>: sub $0x18,%rsp 0x0000000000400feb <+4>: lea 0x8(%rsp),%rcx 0x0000000000400ff0 <+9>: lea 0xc(%rsp),%rdx 0x0000000000400ff5 <+14>: mov $0x40290d,%esi 0x0000000000400ffa <+19>: mov $0x0,%eax 0x0000000000400fff <+24>: callq 0x400c00 <__isoc99_sscanf@plt> 0x0000000000401004 <+29>: cmp $0x2,%eax 0x0000000000401007 <+32>: jne 0x401010 <phase_4+41> 0x0000000000401009 <+34>: cmpl $0xe,0xc(%rsp) 0x000000000040100e <+39>: jbe 0x401015 <phase_4+46> 0x0000000000401010 <+41>: callq 0x401662 <explode_bomb> 0x0000000000401015 <+46>: mov $0xe,%edx 0x000000000040101a <+51>: mov $0x0,%esi...
I need to reverse engineer from machine code to C, how do I do it?This problem will give you a chance to reverse engineer a switch statement frommachine code. In the following procedure, the body of the switch statement hasbeen removed:1 int switch_prob(int x, int n)2 {3 int result = x;45 switch(n) {67 /* Fill in code here */8 }910 return result;11 }Figure 3.44 shows the disassembled machine code for the procedure. We cansee in lines 4 and 5 that...
Please explain the table solution. The red answers are correct. Please explain step by step why 5) Mutually assured instruction. (10 pts) a) First, deduce the following functions. (4pts) 000000000000064a <func1>: 64a: 48 83 ec 18 sub $0x18,%rsp 64e: 89 70 24 OC mov %edi, oxc(%rsp) 652: 83 70 24 Oc 00 cmpl $0x0, xc(%rsp) 657: 75 07 jne 660 <func1+0x16> 659: b8 01 00 00 00 mov $0x1,%eax 65e: ebbe jmp 66e <func1+0x24> 660: 85 44 24 Oc mov...
This is phase_5 of defusing a binary bomb. (Disass in x86 on a Linux system.) I am having trouble "debugging" this and figuring out what I need to enter to defuse this phase, but I am relatively sure I will need 6 inputs. Thanks in advance. Dump of assembler code for function phase_5: 0x00000000004011bf <+0>: push %rbx 0x00000000004011c0 <+1>: mov %rdi,%rbx 0x00000000004011c3 <+4>: callq 0x401414 <string_length> 0x00000000004011c8 <+9>: cmp $0x6,%eax //eax = 6? jump over explode 0x00000000004011cb <+12>: je 0x4011d2...