Search code examples
x86att

Binary Bomb phase 2, assembly ia32, at&t syntax need help understanding code flow


I was assigned a binary bomb to defuse for a class. I am not looking for an answer, just some guidance as to how the code works. I've traced it out on paper, but am totally stumped as to where I could find the answer. I believe if I had someone else's explanation to supplement my trace I would get a better understanding of what I might of done wrong. I was able to crack phase 1 with ease, but apparently I'm missing something here, I'm sure it's something small too.. I have been working on this for several hours, and wouldn't be here unless I absolutely needed help.

Thanks for your time!

Here is phase_2

    Dump of assembler code for function phase_2:
0x0000000000400ec9 <phase_2+0>: push   %rbp
0x0000000000400eca <phase_2+1>: mov    %rsp,%rbp
0x0000000000400ecd <phase_2+4>: sub    $0x30,%rsp     #subtracting 30 from rsp
0x0000000000400ed1 <phase_2+8>: mov    %rdi,-0x28(%rbp)    #moving input to -0x28(%rbp)
0x0000000000400ed5 <phase_2+12>:        lea    -0x20(%rbp),%rsi    #address of -0x20(%rbp) to rsi
0x0000000000400ed9 <phase_2+16>:        mov    -0x28(%rbp),%rdi    #moving input to rdi
0x0000000000400edd <phase_2+20>:        callq  0x4013fd <read_six_numbers>    #read input
0x0000000000400ee2 <phase_2+25>:        mov    -0x20(%rbp),%eax     #moving value to eax, i believe the value is 1
0x0000000000400ee5 <phase_2+28>:        test   %eax,%eax
0x0000000000400ee7 <phase_2+30>:        jns    0x400eee <phase_2+37>
0x0000000000400ee9 <phase_2+32>:        callq  0x401997 <explode_bomb>
0x0000000000400eee <phase_2+37>:        movl   $0x1,-0x4(%rbp)     #moving 1 to -0x4(%rbp)
0x0000000000400ef5 <phase_2+44>:        jmp    0x400f1f <phase_2+86>
0x0000000000400ef7 <phase_2+46>:        mov    -0x4(%rbp),%eax     #moving 1 to eax
0x0000000000400efa <phase_2+49>:        cltq
0x0000000000400efc <phase_2+51>:        mov    -0x20(%rbp,%rax,4),%edx     #edx = -0x20(%rbp + %rax * 4) (i think)
0x0000000000400f00 <phase_2+55>:        mov    -0x4(%rbp),%eax     #moving 1 to eax(again?)
0x0000000000400f03 <phase_2+58>:        sub    $0x1,%eax     # subtracting 1 from eax, eax = 0
0x0000000000400f06 <phase_2+61>:        cltq
0x0000000000400f08 <phase_2+63>:        mov    -0x20(%rbp,%rax,4),%eax     #eax = -0x20(%rbp + %rax * 4)
0x0000000000400f0c <phase_2+67>:        add    -0x4(%rbp),%eax     #adding 1 to eax
0x0000000000400f0f <phase_2+70>:        add    $0x1,%eax     #adding 1 to eax
0x0000000000400f12 <phase_2+73>:        cmp    %eax,%edx     #edx - eax
0x0000000000400f14 <phase_2+75>:        je     0x400f1b <phase_2+82>
0x0000000000400f16 <phase_2+77>:        callq  0x401997 <explode_bomb>
0x0000000000400f1b <phase_2+82>:        addl   $0x1,-0x4(%rbp)     # add 1 to -0x4(%rbp)
0x0000000000400f1f <phase_2+86>:        cmpl   $0x5,-0x4(%rbp)     # 5 - 1
0x0000000000400f23 <phase_2+90>:        jle    0x400ef7 <phase_2+46>
0x0000000000400f25 <phase_2+92>:        leaveq
0x0000000000400f26 <phase_2+93>:        retq
End of assembler dump.

and here is read_six_numbers if it is needed:

Dump of assembler code for function read_six_numbers:
0x00000000004013fd <read_six_numbers+0>:        push   %rbp
0x00000000004013fe <read_six_numbers+1>:        mov    %rsp,%rbp
0x0000000000401401 <read_six_numbers+4>:        sub    $0x30,%rsp
0x0000000000401405 <read_six_numbers+8>:        mov    %rdi,-0x18(%rbp)
0x0000000000401409 <read_six_numbers+12>:       mov    %rsi,-0x20(%rbp)
0x000000000040140d <read_six_numbers+16>:       mov    -0x20(%rbp),%rax
0x0000000000401411 <read_six_numbers+20>:       add    $0x14,%rax
0x0000000000401415 <read_six_numbers+24>:       mov    -0x20(%rbp),%rdx
0x0000000000401419 <read_six_numbers+28>:       add    $0x10,%rdx
0x000000000040141d <read_six_numbers+32>:       mov    -0x20(%rbp),%rcx
0x0000000000401421 <read_six_numbers+36>:       add    $0xc,%rcx
0x0000000000401425 <read_six_numbers+40>:       mov    -0x20(%rbp),%rsi
0x0000000000401429 <read_six_numbers+44>:       add    $0x8,%rsi
0x000000000040142d <read_six_numbers+48>:       mov    -0x20(%rbp),%rdi
0x0000000000401431 <read_six_numbers+52>:       add    $0x4,%rdi
0x0000000000401435 <read_six_numbers+56>:       mov    -0x20(%rbp),%r10
0x0000000000401439 <read_six_numbers+60>:       mov    -0x18(%rbp),%r11
0x000000000040143d <read_six_numbers+64>:       mov    %rax,0x8(%rsp)
0x0000000000401442 <read_six_numbers+69>:       mov    %rdx,(%rsp)
0x0000000000401446 <read_six_numbers+73>:       mov    %rcx,%r9
0x0000000000401449 <read_six_numbers+76>:       mov    %rsi,%r8
0x000000000040144c <read_six_numbers+79>:       mov    %rdi,%rcx
0x000000000040144f <read_six_numbers+82>:       mov    %r10,%rdx
0x0000000000401452 <read_six_numbers+85>:       mov    $0x402ca1,%esi
0x0000000000401457 <read_six_numbers+90>:       mov    %r11,%rdi
0x000000000040145a <read_six_numbers+93>:       mov    $0x0,%eax
0x000000000040145f <read_six_numbers+98>:       callq  0x400b70 <sscanf@plt>
0x0000000000401464 <read_six_numbers+103>:      mov    %eax,-0x4(%rbp)
0x0000000000401467 <read_six_numbers+106>:      cmpl   $0x5,-0x4(%rbp)
0x000000000040146b <read_six_numbers+110>:      jg     0x401472 <read_six_numbers+117>
0x000000000040146d <read_six_numbers+112>:      callq  0x401997 <explode_bomb>
0x0000000000401472 <read_six_numbers+117>:      leaveq
0x0000000000401473 <read_six_numbers+118>:      retq
End of assembler dump.

Solution

  • read_six_numbers will just check to make sure that you are importing 6 numbers. test %eax %eax will make sure that the first number is 0 and then it will iterate through a number of times making other compares. The way to do this assignment is to set breakpoints where ever it is calling the bomb and then before the breakpoints, check the comparisons and try to figure out what value is triggering the bomb to be called. Sometimes you can look into the registers if you are using the correct software and look at what is in the register and what it's comparing it with. I hope this could help a little without giving you the answer. I can try to answer other questions you have though as I just did this assignment in class a month or so ago.