Bomb lab phase 5 - 6 char string, movzbl load, and $0xf, %ecx, and index an array with that?
what does adding the string (param1) with the loop counter (eax_1) do?
That's just array indexing. It gives you the address of the appropriate character. ecx = *(unsigned char*)(param1 + eax_1)
is basically ecx = param1[eax_1]
.
As you say, the code loops through all 6 letters, keeps the low 4 bits of the ascii code and uses that to index a hardcoded lookup table. The selected values from said lookup table are summed up, and that's your result which has to be 0x42
.
Smreks
Updated on June 04, 2022Comments
-
Smreks almost 2 years
Alright so this is the ever so popular bomb lab and I am currently on phase 5 and I'm only stuck on two lines. Here's the assembly code:
Dump of assembler code for function phase_5: 0x08048e29 <+0>: push %ebx 0x08048e2a <+1>: sub $0x18,%esp 0x08048e2d <+4>: mov 0x20(%esp),%ebx 0x08048e31 <+8>: mov %ebx,(%esp) 0x08048e34 <+11>: call 0x804908b <string_length> 0x08048e39 <+16>: cmp $0x6,%eax 0x08048e3c <+19>: je 0x8048e43 <phase_5+26> 0x08048e3e <+21>: call 0x80493a5 <explode_bomb> 0x08048e43 <+26>: mov $0x0,%edx 0x08048e48 <+31>: mov $0x0,%eax 0x08048e4d <+36>: movzbl (%ebx,%eax,1),%ecx 0x08048e51 <+40>: and $0xf,%ecx 0x08048e54 <+43>: add 0x804a4a0(,%ecx,4),%edx 0x08048e5b <+50>: add $0x1,%eax 0x08048e5e <+53>: cmp $0x6,%eax 0x08048e61 <+56>: jne 0x8048e4d <phase_5+36> => 0x08048e63 <+58>: cmp $0x42,%edx 0x08048e66 <+61>: je 0x8048e6d <phase_5+68> 0x08048e68 <+63>: call 0x80493a5 <explode_bomb> 0x08048e6d <+68>: add $0x18,%esp 0x08048e70 <+71>: pop %ebx 0x08048e71 <+72>: ret ---Type <return> to continue, or q <return> to quit--- End of assembler dump.
Here's a barebones look when I run it through a decompiler:
void phase_5(__size8 *param1) { __size32 eax; // r24 int eax_1; // r24{48} unsigned int ecx; // r25 __size32 edx; // r26 eax = string_length(param1); if (eax != 6) { explode_bomb(); } edx = 0; eax = 0; do { eax_1 = eax; ecx = *(unsigned char*)(param1 + eax_1); edx += array.3142[(ecx & 0xf)]; eax = eax_1 + 1; } while (eax_1 + 1 != 6); if (edx != 66) { explode_bomb(); } return; }
So the general synopsis of this phase is that the string input needs to be 6 characters, then it goes through a do while loop where it takes the string and turns it into a number through its algorithm and then compares it if it's 66 at the end. My questions is what do these two lines do:
ecx = (unsigned char)(param1 + eax_1); edx += array.3142[(ecx & 0xf)];
More specifically the first one. The second line &s the value of the first line with 15 which essentially gives the last 4 bits of ecx but what does adding the string (param1) with the loop counter (eax_1) do? Also is this the line that converts each character in the string into a number? Any help would be greatly appreciated!
-
Smreks about 9 yearsAh I see, so how come when I run "kkkkkk" it gives me 30 instead of 66? If I did the math out, shouldn't it just be 11 + 11 + 11... 6 times since the binary for k ends in 1011 which is 11.
-
Smreks about 9 yearsOh wait I think I misunderstood, you mean they have their own ascii code in array.3142, meaning that they have their own numerical values for letters?
-
Smreks about 9 yearsother than finding these keys the long way could you tell me where they are storing the table in the assembly language ^.^
-
Smreks about 9 yearsHey I got it defused! As usual thanks for the help Jester, but could you still tell me where I could find their table in the assembly code just for future notice.
-
Jester about 9 yearsSince you have
add 0x804a4a0(,%ecx,4),%edx
the table is at address0x804a4a0
and it has length 16. So you should be able to print it usingx/16 0x804a4a0
.