Binary Bomb phase 3 stuck
The first comparison you have mentioned (the one at +39) is comparing %eax, which holds the return value from sscanf. As such it's just testing how many arguments could be converted. This code requires 2, thus that code is doing if (sscanf() > 1) goto ok; explode_bomb();

The comparison at +49 is checking the first number, it does if ((unsigned)x > 7) explode_bomb(); I hope that's obvious.

Next, at +60, you have the single most important instruction in this piece of code: jmp *0x804a4c0(,%eax,4). That is a jump through a jump table. It will take you to different locations depending on the value in %eax, which at that point is holding your first input. We know the input is between 0 and 7 so you have 8 entries in that table. You should be able to examine them with x/8a 0x804a4c0. It's a fair guess that they are various addresses in the following code block and the flow rejoins at +163. This pattern is commonly used by compilers to implement a switch statement.

Line +168 further restricts the first number to between 0 and 5, and line +174 compares the second number to the current value of %eax and explodes the bomb on mismatch. What this tells us is that the valid inputs form 6 pairs. We can pick an arbitrary first number, follow through the jump table and see what value will be placed in %eax and input that as second number.
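To make the "follow through the jump table" step concrete, here is an added example (mine, not part of the answer or the question) that interprets the arithmetic chain transcribed from the disassembly posted below. The jump-table contents (what x/8a 0x804a4c0 prints) are not on this page, so the script cannot know which table index selects which case body; instead it computes, for each of the eight case bodies (+67, +78, +85, +94, +101, +110, +117, +126), the 32-bit value that reaches the compare at +174, and it takes the index-to-body mapping as a parameter. EXAMPLE_TABLE is a constructed placeholder mapping, not the real table; phase3_accepts, run_case and to_signed are names I chose.

```python
# Added example: a tiny interpreter for the phase_3 arithmetic chain.
# Offsets and immediates are transcribed from the posted disassembly
# (phase_3+N); nop-like instructions (xchg %ax,%ax, lea ...) are omitted
# because they do not change %eax or control flow.

MASK32 = 0xFFFFFFFF

# offset -> (mnemonic, operand). 'jmp' operands are phase_3 offsets.
CODE = {
     67: ("mov", 0x0),    76: ("jmp", 153),
     78: ("mov", 0x0),    83: ("jmp", 150),
     85: ("mov", 0x0),    92: ("jmp", 147),
     94: ("mov", 0x0),    99: ("jmp", 144),
    101: ("mov", 0x0),   108: ("jmp", 141),
    110: ("mov", 0x0),   115: ("jmp", 136),
    117: ("mov", 0x30d), 124: ("jmp", 131),
    126: ("mov", 0x0),                      # falls straight into +131
    131: ("sub", 0x264),
    136: ("add", 0x3b8),
    141: ("sub", 0x49),
    144: ("add", 0x49),
    147: ("sub", 0x49),
    150: ("add", 0x49),
    153: ("sub", 0x49),
    156: ("jmp", 168),                      # rejoin: cmpl $0x5,-0xc(%ebp)
}
ORDER = sorted(CODE)
CASE_ENTRIES = [67, 78, 85, 94, 101, 110, 117, 126]  # the eight case bodies
REJOIN = 168

def run_case(entry):
    """Execute from one case body until control reaches +168.
    Returns %eax as an unsigned 32-bit value, wrapping like the CPU does."""
    eax, pc = 0, entry
    while pc != REJOIN:
        op, arg = CODE[pc]
        if op == "mov":
            eax = arg
        elif op == "add":
            eax = (eax + arg) & MASK32
        elif op == "sub":
            eax = (eax - arg) & MASK32
        if op == "jmp":
            pc = arg
        else:  # fall through to the next instruction in address order
            pc = ORDER[ORDER.index(pc) + 1]
    return eax

def to_signed(v):
    """Interpret a 32-bit register value as the signed int sscanf %d stores."""
    return v - (1 << 32) if v & 0x80000000 else v

def expected_second_numbers():
    """Map each case-body offset to the signed second number it demands."""
    return {entry: to_signed(run_case(entry)) for entry in CASE_ENTRIES}

def phase3_accepts(first, second, table):
    """Model the checks after sscanf. `table` maps jump-table index -> case
    body offset (read it from gdb; EXAMPLE_TABLE below is only a placeholder)."""
    if first & MASK32 > 7:          # +49/+53: unsigned compare, so -1 explodes
        return False
    eax = run_case(table[first])    # +60: jmp *0x804a4c0(,%eax,4)
    if first > 5:                   # +168/+172: signed compare against 5
        return False
    return eax == (second & MASK32) # +174/+177: 32-bit equality with 2nd input

# Constructed placeholder: identity order, NOT the real table from the bomb.
EXAMPLE_TABLE = dict(zip(range(8), CASE_ENTRIES))

if __name__ == "__main__":
    for entry, value in expected_second_numbers().items():
        print(f"case body at +{entry}: second number must be {value} "
              f"(0x{run_case(entry):08x})")
```

Run it, then replace EXAMPLE_TABLE with the eight addresses gdb shows (converted to phase_3 offsets) to see which pair each first number 0..5 maps to; the unsigned/signed distinction in phase3_accepts is why the answer says (unsigned)x > 7 for +49 but "between 0 and 5" for +168.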
Admin
Updated on March 08, 2020

Comments
Admin about 4 years
I am honestly very confused on this due to my bomb phase 3 not looking like any of my classmates' or the example given to me by my professor. Any help would be greatly appreciated. I have a copy of my recent terminal for use and I'll put it in. I have been trying my hand at this for the better part of 5 hours. I've gotten far enough to know that %d %d is the layout requested, and that it's asking for 2 numbers, with I believe one of them being negative, due to the comparison statement and jg here:
0x08048fbb <+39>: cmp $0x1,%eax
0x08048fbe <+42>: jg 0x8048fc5 <phase_3+49>
Also that it's calling for another comparison of the same value, which I think is the first, here:
0x08048fc5 <+49>: cmpl $0x7,-0xc(%ebp)
0x08048fc9 <+53>: ja 0x8049032 <phase_3+158>
What is throwing me off is all the add and subtract right off the bat and in general all the adding and subtracting that is crammed into the bottom.
Where would I find the values that actually work with these statements at the end, or should I just add up the numbers I see? At this point I don't even know if it's staring at me in the face. All the comparisons are as follows:
0x08048fbb <+39>: cmp $0x1,%eax
0x08048fbe <+42>: jg 0x8048fc5
0x08048fc5 <+49>: cmpl $0x7,-0xc(%ebp)
0x08048fc9 <+53>: ja 0x8049032 <phase_3+158>
0x0804903c <+168>: cmpl $0x5,-0xc(%ebp)
0x08049040 <+172>: jg 0x8049047 <phase_3+179>
But it's all mush at the moment. I need a new set of eyes on this problem. If it's out there, any help would be greatly appreciated.
That's number 2. Keep going!
0 1

Breakpoint 1, 0x08048f9a in phase_3 ()
(gdb) disas
Dump of assembler code for function phase_3:
   0x08048f94 <+0>:     push   %ebp
   0x08048f95 <+1>:     mov    %esp,%ebp
   0x08048f97 <+3>:     sub    $0x28,%esp
=> 0x08048f9a <+6>:     lea    -0x10(%ebp),%eax
   0x08048f9d <+9>:     mov    %eax,0xc(%esp)
   0x08048fa1 <+13>:    lea    -0xc(%ebp),%eax
   0x08048fa4 <+16>:    mov    %eax,0x8(%esp)
   0x08048fa8 <+20>:    movl   $0x804a58c,0x4(%esp)
   0x08048fb0 <+28>:    mov    0x8(%ebp),%eax
   0x08048fb3 <+31>:    mov    %eax,(%esp)
   0x08048fb6 <+34>:    call   0x8048894 <__isoc99_sscanf@plt>
   0x08048fbb <+39>:    cmp    $0x1,%eax
   0x08048fbe <+42>:    jg     0x8048fc5 <phase_3+49>
   0x08048fc0 <+44>:    call   0x8049321 <explode_bomb>
   0x08048fc5 <+49>:    cmpl   $0x7,-0xc(%ebp)
   0x08048fc9 <+53>:    ja     0x8049032 <phase_3+158>
   0x08048fcb <+55>:    mov    -0xc(%ebp),%eax
   0x08048fce <+58>:    xchg   %ax,%ax
   0x08048fd0 <+60>:    jmp    *0x804a4c0(,%eax,4)
   0x08048fd7 <+67>:    mov    $0x0,%eax
   0x08048fdc <+72>:    lea    0x0(%esi,%eiz,1),%esi
   0x08048fe0 <+76>:    jmp    0x804902d <phase_3+153>
   0x08048fe2 <+78>:    mov    $0x0,%eax
   0x08048fe7 <+83>:    jmp    0x804902a <phase_3+150>
   0x08048fe9 <+85>:    mov    $0x0,%eax
   0x08048fee <+90>:    xchg   %ax,%ax
   0x08048ff0 <+92>:    jmp    0x8049027 <phase_3+147>
   0x08048ff2 <+94>:    mov    $0x0,%eax
   0x08048ff7 <+99>:    jmp    0x8049024 <phase_3+144>
   0x08048ff9 <+101>:   mov    $0x0,%eax
   0x08048ffe <+106>:   xchg   %ax,%ax
   0x08049000 <+108>:   jmp    0x8049021 <phase_3+141>
   0x08049002 <+110>:   mov    $0x0,%eax
   0x08049007 <+115>:   jmp    0x804901c <phase_3+136>
   0x08049009 <+117>:   mov    $0x30d,%eax
   0x0804900e <+122>:   xchg   %ax,%ax
   0x08049010 <+124>:   jmp    0x8049017 <phase_3+131>
   0x08049012 <+126>:   mov    $0x0,%eax
   0x08049017 <+131>:   sub    $0x264,%eax
   0x0804901c <+136>:   add    $0x3b8,%eax
   0x08049021 <+141>:   sub    $0x49,%eax
   0x08049024 <+144>:   add    $0x49,%eax
   0x08049027 <+147>:   sub    $0x49,%eax
   0x0804902a <+150>:   add    $0x49,%eax
   0x0804902d <+153>:   sub    $0x49,%eax
   0x08049030 <+156>:   jmp    0x804903c <phase_3+168>
   0x08049032 <+158>:   call   0x8049321 <explode_bomb>
   0x08049037 <+163>:   mov    $0x0,%eax
   0x0804903c <+168>:   cmpl   $0x5,-0xc(%ebp)
   0x08049040 <+172>:   jg     0x8049047 <phase_3+179>
   0x08049042 <+174>:   cmp    -0x10(%ebp),%eax
   0x08049045 <+177>:   je     0x804904c <phase_3+184>
   0x08049047 <+179>:   call   0x8049321 <explode_bomb>
   0x0804904c <+184>:   leave
   0x0804904d <+185>:   lea    0x0(%esi),%esi
   0x08049050 <+188>:   ret
End of assembler dump.
(gdb)