Below is the disassembled code. PLease help me to defuse the binary bomb phase_7 08048e88 <phase_7>: 8048e88: 83 ec 2c sub $0x2c,%esp 8048e8b: 8d 44 24 18 lea 0x18(%esp),%eax 8048e8f: 89 44 24 0c mov %eax,0xc(%esp) 8048e93: 8d 44 24 1c lea 0x1c(%esp),%eax 8048e97: 89 44 24 08 mov %eax,0x8(%esp) 8048e9b: c7 44 24 04 61 a6 04 movl $0x804a661,0x4(%esp) 8048ea2: 08 8048ea3: 8b 44 24 30 mov 0x30(%esp),%eax 8048ea7: 89 04 24 mov %eax,(%esp) 8048eaa: e8 c1 f9 ff ff call 8048870 <__isoc99_sscanf@plt> 8048eaf: 83 f8 01 cmp $0x1,%eax 8048eb2: 7f 05 jg 8048eb9 <phase_7+0x31> 8048eb4: e8 0c 05 00 00 call 80493c5 <explode_bomb> 8048eb9: 8b 44 24 1c mov 0x1c(%esp),%eax 8048ebd: 83 e0 0f and $0xf,%eax 8048ec0: 89 44 24 1c mov %eax,0x1c(%esp) 8048ec4: 83 f8 0f cmp $0xf,%eax 8048ec7: 74 2a je 8048ef3 <phase_7+0x6b> 8048ec9: b9 00 00 00 00 mov $0x0,%ecx 8048ece: ba 00 00 00 00 mov $0x0,%edx 8048ed3: 83 c2 01 add $0x1,%edx 8048ed6: 8b 04 85 40 a4 04 08 mov 0x804a440(,%eax,4),%eax 8048edd: 01 c1 add %eax,%ecx 8048edf: 83 f8 0f cmp $0xf,%eax 8048ee2: 75 ef jne 8048ed3 <phase_7+0x4b> 8048ee4: 89 44 24 1c mov %eax,0x1c(%esp) 8048ee8: 83 fa 0f cmp $0xf,%edx 8048eeb: 75 06 jne 8048ef3 <phase_7+0x6b> 8048eed: 3b 4c 24 18 cmp 0x18(%esp),%ecx 8048ef1: 74 05 je 8048ef8 <phase_7+0x70> 8048ef3: e8 cd 04 00 00 call 80493c5 <explode_bomb> 8048ef8: 83 c4 2c add $0x2c,%esp 8048efb: c3 ret
phase 7 is a secret phase
========================= | |
Secret phase | |
========================= | |
After the first 6 stages: | |
# ./bomb bomb-answers.txt | |
Welcome to my fiendish little bomb. You have 6 phases with | |
which to blow yourself up. Have a nice day! | |
Phase 1 defused. How about the next one? | |
That's number 2. Keep going! | |
Halfway there! | |
So you got that one. Try this one. | |
Good work! On to the next... | |
Congratulations! You've defused the bomb! | |
In the phase_difused function, we have a function called secret_phase, activated only | |
after first stages are difused: | |
Dump of assembler code for function phase_defused: | |
0x0804952c <+0>: push ebp | |
0x0804952d <+1>: mov ebp,esp | |
0x0804952f <+3>: sub esp,0x64 | |
0x08049532 <+6>: push ebx | |
0x08049533 <+7>: cmp DWORD PTR ds:0x804b480,0x6 | |
0x0804953a <+14>: jne 0x804959f <phase_defused+115> | |
0x0804953c <+16>: lea ebx,[ebp-0x50] | |
0x0804953f <+19>: push ebx | |
0x08049540 <+20>: lea eax,[ebp-0x54] | |
0x08049543 <+23>: push eax | |
0x08049544 <+24>: push 0x8049d03 --> "%d %s" | |
0x08049549 <+29>: push 0x804b770 --> "9" this is the input from phase_4 | |
0x0804954e <+34>: call 0x8048860 <sscanf@plt> | |
0x08049553 <+39>: add esp,0x10 | |
0x08049556 <+42>: cmp eax,0x2 | |
0x08049559 <+45>: jne 0x8049592 <phase_defused+102> | |
0x0804955b <+47>: add esp,0xfffffff8 | |
0x0804955e <+50>: push 0x8049d09 --> austinpowers | |
0x08049563 <+55>: push ebx | |
0x08049564 <+56>: call 0x8049030 <strings_not_equal> | |
0x08049569 <+61>: add esp,0x10 | |
0x0804956c <+64>: test eax,eax | |
0x0804956e <+66>: jne 0x8049592 <phase_defused+102> | |
0x08049570 <+68>: add esp,0xfffffff4 | |
0x08049573 <+71>: push 0x8049d20 --> "Curses, you've found the secret phase!\n" | |
0x08049578 <+76>: call 0x8048810 <printf@plt> | |
0x0804957d <+81>: add esp,0xfffffff4 | |
0x08049580 <+84>: push 0x8049d60 --> "But finding it and solving it are quite different...\n" | |
0x08049585 <+89>: call 0x8048810 <printf@plt> | |
0x0804958a <+94>: add esp,0x20 | |
0x0804958d <+97>: call 0x8048ee8 <secret_phase> | |
0x08049592 <+102>: add esp,0xfffffff4 | |
0x08049595 <+105>: push 0x8049da0 | |
0x0804959a <+110>: call 0x8048810 <printf@plt> | |
0x0804959f <+115>: mov ebx,DWORD PTR [ebp-0x68] | |
0x080495a2 <+118>: mov esp,ebp | |
0x080495a4 <+120>: pop ebp | |
0x080495a5 <+121>: ret | |
End of assembler dump. | |
After all 6 phases are done,we can go on in this function: | |
0x08049533 <+7>: cmp DWORD PTR ds:0x804b480,0x6 | |
0x0804953a <+14>: jne 0x804959f <phase_defused+115> | |
We add a word to the password for phase_4, and break the program at *0x0804954e. | |
0x0804955b <+47>: add esp,0xfffffff8 | |
0x0804955e <+50>: push 0x8049d09 --> "austinpowers" | |
0x08049563 <+55>: push ebx | |
0x08049564 <+56>: call 0x8049030 <strings_not_equal> | |
We add the password "austinpowers" and get the following 2 messages printed: | |
Curses, you've found the secret phase! | |
But finding it and solving it are quite different... | |
Dump of assembler code for function secret_phase: | |
0x08048ee8 <+0>: push ebp | |
0x08048ee9 <+1>: mov ebp,esp | |
0x08048eeb <+3>: sub esp,0x14 | |
0x08048eee <+6>: push ebx | |
0x08048eef <+7>: call 0x80491fc <read_line> | |
0x08048ef4 <+12>: push 0x0 // group parameter -> should be 0 | |
0x08048ef6 <+14>: push 0xa // base parameter -> 10, decimal | |
0x08048ef8 <+16>: push 0x0 // endptr -> NULL | |
0x08048efa <+18>: push eax // str -> beginning of the string representation | |
0x08048efb <+19>: call 0x80487f0 <__strtol_internal@plt> | |
0x08048f00 <+24>: add esp,0x10 | |
0x08048f03 <+27>: mov ebx,eax // eax -> long int decimal value | |
0x08048f05 <+29>: lea eax,[ebx-0x1] | |
0x08048f08 <+32>: cmp eax,0x3e8 | |
0x08048f0d <+37>: jbe 0x8048f14 <secret_phase+44> // <= 0x3e8=1000 | |
0x08048f0f <+39>: call 0x80494fc <explode_bomb> | |
0x08048f14 <+44>: add esp,0xfffffff8 | |
0x08048f17 <+47>: push ebx // 2nd param to fun7 | |
0x08048f18 <+48>: push 0x804b320 // .. 1st param to fun7 | |
0x08048f1d <+53>: call 0x8048e94 <fun7> | |
0x08048f22 <+58>: add esp,0x10 | |
0x08048f25 <+61>: cmp eax,0x7 // fun7 should return 7 | |
0x08048f28 <+64>: je 0x8048f2f <secret_phase+71> | |
0x08048f2a <+66>: call 0x80494fc <explode_bomb> | |
0x08048f2f <+71>: add esp,0xfffffff4 | |
0x08048f32 <+74>: push 0x8049820 // "Wow! You've defused the secret stage!\n" | |
0x08048f37 <+79>: call 0x8048810 <printf@plt> | |
0x08048f3c <+84>: call 0x804952c <phase_defused> | |
0x08048f41 <+89>: mov ebx,DWORD PTR [ebp-0x18] | |
0x08048f44 <+92>: mov esp,ebp | |
0x08048f46 <+94>: pop ebp | |
0x08048f47 <+95>: ret | |
End of assembler dump. | |
Dump of assembler code for function fun7: | |
0x08048e94 <+0>: push ebp | |
0x08048e95 <+1>: mov ebp,esp | |
0x08048e97 <+3>: sub esp,0x8 | |
0x08048e9a <+6>: mov edx,DWORD PTR [ebp+0x8] // -> 1st param | |
0x08048e9d <+9>: mov eax,DWORD PTR [ebp+0xc] // -> 2nd param | |
0x08048ea0 <+12>: test edx,edx | |
0x08048ea2 <+14>: jne 0x8048eb0 <fun7+28> | |
0x08048ea4 <+16>: mov eax,0xffffffff | |
0x08048ea9 <+21>: jmp 0x8048ee2 <fun7+78> | |
0x08048eab <+23>: nop // junk ?? (not reachable) | |
0x08048eac <+24>: lea esi,[esi+eiz*1+0x0] // junk ?? (not reachable) | |
0x08048eb0 <+28>: cmp eax,DWORD PTR [edx] | |
0x08048eb2 <+30>: jge 0x8048ec5 <fun7+49> | |
0x08048eb4 <+32>: add esp,0xfffffff8 | |
0x08048eb7 <+35>: push eax | |
0x08048eb8 <+36>: mov eax,DWORD PTR [edx+0x4] | |
0x08048ebb <+39>: push eax | |
0x08048ebc <+40>: call 0x8048e94 <fun7> | |
0x08048ec1 <+45>: add eax,eax | |
0x08048ec3 <+47>: jmp 0x8048ee2 <fun7+78> | |
0x08048ec5 <+49>: cmp eax,DWORD PTR [edx] | |
0x08048ec7 <+51>: je 0x8048ee0 <fun7+76> | |
0x08048ec9 <+53>: add esp,0xfffffff8 | |
0x08048ecc <+56>: push eax | |
0x08048ecd <+57>: mov eax,DWORD PTR [edx+0x8] | |
0x08048ed0 <+60>: push eax | |
0x08048ed1 <+61>: call 0x8048e94 <fun7> | |
0x08048ed6 <+66>: add eax,eax | |
0x08048ed8 <+68>: inc eax | |
0x08048ed9 <+69>: jmp 0x8048ee2 <fun7+78> | |
0x08048edb <+71>: nop | |
0x08048edc <+72>: lea esi,[esi+eiz*1+0x0] | |
0x08048ee0 <+76>: xor eax,eax | |
0x08048ee2 <+78>: mov esp,ebp | |
0x08048ee4 <+80>: pop ebp | |
0x08048ee5 <+81>: ret | |
End of assembler dump. | |
The last fun7 is something like this: | |
int fun7(int *adr, int x) { | |
if(adr == NULL) { | |
ret = -1; // 0xffffffff | |
goto exit; | |
} | |
if (x >= *adr) { | |
if (x == *adr) { | |
ret = 0 | |
} else { | |
ret = fun7(*(adr+8), x) | |
ret *= 2; | |
ret ++; | |
} | |
} else { | |
ret = fun7(*(adr+4), x) | |
ret *= 2 | |
} | |
exit: | |
return ret; | |
} | |
Initial adr is 0x804b320. At this address there is a tree with 4 levels, as below. | |
We navigate to the left o right branch depending on the input value. | |
If input x is equal to value in branch, we return 0. | |
0x24 | |
0x8 0x32 | |
0x6 0x16 0x2d 0x6b | |
................................... 0x3e9 | |
We want fun7() to return 7. | |
7 = 2*3+1 = 2*(2*1+1)+1. | |
f(0x24) = 0 | |
f(0x32) = 2*f(0x24)+1 = 1 | |
f(0x6b) = 2*f(0x32)+1 = 3 | |
f(0x3e9) = 2*f(0x6b)+1 = 7 | |
0x3e9 is 1001 decimal, and is accepted by the first check (param-1 <= 1000). | |
# ./bomb bomb-answers.txt | |
Welcome to my fiendish little bomb. You have 6 phases with | |
which to blow yourself up. Have a nice day! | |
Phase 1 defused. How about the next one? | |
That's number 2. Keep going! | |
Halfway there! | |
So you got that one. Try this one. | |
Good work! On to the next... | |
Curses, you've found the secret phase! | |
But finding it and solving it are quite different... | |
Wow! You've defused the secret stage! | |
Congratulations! You've defused the bomb! |
Below is the disassembled code. PLease help me to defuse the binary bomb phase_7 08048e88 <pha...
Below is the disassembled code. PLease help me to defuse the binary bomb phase_4 so the right input should be 6 numbers with a certain pattern 08048cdb <phase_4>: 8048cdb: 53 push %ebx 8048cdc: 83 ec 38 sub $0x38,%esp 8048cdf: 8d 44 24 18 lea 0x18(%esp),%eax 8048ce3: 89 44 24 04 mov %eax,0x4(%esp) 8048ce7: 8b 44 24 40 mov 0x40(%esp),%eax 8048ceb: 89 04 24 mov %eax,(%esp) 8048cee: e8 11 07 00 00 call 8049404 <read_six_numbers> 8048cf3: 83 7c 24 18 00 cmpl...
I need help finding the input that wont result in explode_bomb in this assembly 08048cd3 <phase_4>: 8048cd3: 57 push %edi 8048cd4: 56 push %esi 8048cd5: 53 push %ebx 8048cd6: 83 ec 10 sub $0x10,%esp 8048cd9: 8b 74 24 20 mov 0x20(%esp),%esi 8048cdd: 89 34 24 mov %esi,(%esp) 8048ce0: e8 f6 03 00 00 call 80490db <string_length> 8048ce5: 83 c0 01 add $0x1,%eax 8048ce8: 89 04 24 mov %eax,(%esp) 8048ceb: e8 10 fb ff ff call 8048800 <malloc@plt> 8048cf0: 89 c7...
This is phase_5 of defusing a binary bomb. (Disass in x86 on a Linux system.) I am having trouble "debugging" this and figuring out what I need to enter to defuse this phase, but I am relatively sure I will need 6 inputs. Thanks in advance. Dump of assembler code for function phase_5: 0x00000000004011bf <+0>: push %rbx 0x00000000004011c0 <+1>: mov %rdi,%rbx 0x00000000004011c3 <+4>: callq 0x401414 <string_length> 0x00000000004011c8 <+9>: cmp $0x6,%eax //eax = 6? jump over explode 0x00000000004011cb <+12>: je 0x4011d2...
Binary Bomb phase 4 Dump of assembler code for function phase_4: > 0x0000000000400fe7 <+0>: sub $0x18,%rsp 0x0000000000400feb <+4>: lea 0x8(%rsp),%rcx 0x0000000000400ff0 <+9>: lea 0xc(%rsp),%rdx 0x0000000000400ff5 <+14>: mov $0x40290d,%esi 0x0000000000400ffa <+19>: mov $0x0,%eax 0x0000000000400fff <+24>: callq 0x400c00 <__isoc99_sscanf@plt> 0x0000000000401004 <+29>: cmp $0x2,%eax 0x0000000000401007 <+32>: jne 0x401010 <phase_4+41> 0x0000000000401009 <+34>: cmpl $0xe,0xc(%rsp) 0x000000000040100e <+39>: jbe 0x401015 <phase_4+46> 0x0000000000401010 <+41>: callq 0x401662 <explode_bomb> 0x0000000000401015 <+46>: mov $0xe,%edx 0x000000000040101a <+51>: mov $0x0,%esi...
Please explain the table solution. The red answers are correct. Please explain step by step why 5) Mutually assured instruction. (10 pts) a) First, deduce the following functions. (4pts) 000000000000064a <func1>: 64a: 48 83 ec 18 sub $0x18,%rsp 64e: 89 70 24 OC mov %edi, oxc(%rsp) 652: 83 70 24 Oc 00 cmpl $0x0, xc(%rsp) 657: 75 07 jne 660 <func1+0x16> 659: b8 01 00 00 00 mov $0x1,%eax 65e: ebbe jmp 66e <func1+0x24> 660: 85 44 24 Oc mov...
When using objdump to disassemble the binary, how to find what the address of a specific function is? For example, 08048934 <function2>: 8048934: 55 push ebp 8048935: 89 e5 mov ebp,esp 8048937: 53 push ebx 8048938: 83 ec 04 sub esp,0x4 804893b: e8 1f 00 00 00 call 804895f <__x86.get_pc_thunk.ax> 8048940: 05 c0 06 09 00 add eax,0x906c0 8048945: 83 ec 0c sub esp,0xc 8048948: 8d 90 70 31 fd ff lea edx,[eax-0x2ce90] 804894e: 52 push edx 804894f: 89 c3...
I need to reverse engineer from machine code to C, how do I do it?This problem will give you a chance to reverse engineer a switch statement frommachine code. In the following procedure, the body of the switch statement hasbeen removed:1 int switch_prob(int x, int n)2 {3 int result = x;45 switch(n) {67 /* Fill in code here */8 }910 return result;11 }Figure 3.44 shows the disassembled machine code for the procedure. We cansee in lines 4 and 5 that...
This is the bomb lab phase2, I just have no idea on how to solve it. I know the answer is a six number array, I want to know what numbers they are? 6x00000000004015d7<+136> : pop %rbx 0x00000000004015d8 <+137>: retq of assembler dump. b) stepi 00401572 in phase2 ) db) disas mp of assenbler code for function phase2: %rbx $0x20,%rsp %fs:0x28,%rax %rax,0x18(%rsp) %eax , %eax %rsp,Krst 0x000000000040154f <+0>: 0x0000000000401550 <+1>: 0x0000000000401554 <+5>: push sub nov 6x000000000040155d <+14s: <+19> : 21»:...