logo
Tags down

shadow

Binary Bomb Phase 2 - Decoding assembly code


By : Csaba
Date : October 17 2020, 01:08 AM
around this issue You should take on the problem one step at time.
First let's start by removing useless stuff from the dump (extra addresses that only add verbosity); I also like my assembly to be in Intel syntax, the memory accesses and the compares/subtractions read way more nicely.
code :
 <+0>:    push   rbp        ; save clobbered registers
 <+1>:    push   rbx
 <+2>:    sub    rsp,0x28   ; 40 bytes of locals
 <+6>:    mov    rax,dword ptr fs:0x28  ; stuff referenced from fs are generally
                                        ; thread-local variables of some kind
<+15>:    mov    qword ptr[rsp+0x18],rax; at offset 0x18 there's a long long local
<+20>:    xor    eax,eax
<+22>:    mov    rsi,rsp    ; rsi in System V ABI is the first parameter;
                            ; it's passing straight the start of our locals as a
                            ; pointer
<+25>:    call   <read_six_numbers> ; we can imagine that read_six_numbers takes
                                    ; an array of 6 int values, which are probably
                                    ; the locals between rsp and rsp+0x18 (0x18 =
                                    ; 24 = 6*sizeof(int))
<+30>:    cmp    dword ptr[rsp],0x1 ; this is the first read value
<+34>:    je     <phase_2+41>       ; --\
<+36>:    call   <explode_bomb>     ;   |      first bomb explosion
<+41>:    mov    rbx,rsp            ; <-/   rbx points to the first number
<+44>:    lea    rbp,[rsp+0x14]     ; 0x14 = 20 = 5th element of the numbers array
<+49>:    mov    eax,dword ptr[rbx]
<+51>:    add    eax,eax
<+53>:    cmp    dword ptr[rbx+4],eax   ; rbx points to an integer, so +4 is
                                        ; really the integer that follows it
<+56>:    je     <phase_2+63>
<+58>:    call   <explode_bomb>     ; second bomb explosion
<+63>:    add    rbx,0x4    ; again, this is a +1 in C pointer notation
<+67>:    cmp    rbx,rbp
<+70>:    jne    <phase_2+49>
<+72>:    mov    rax,qword ptr[rsp+0x18]    ; again that long long
<+77>:    xor    rax,qword ptr fs:0x28      ; again that thread-local
<+86>:    je     <phase_2+93>
<+88>:    call   <__stack_chk_fail@plt> ; aaaah they have to do with stack smashing
                                        ; protection; we can ignore them, it's
                                        ; compiler-injected stuff
<+93>:    add    rsp,0x28               ; epilogue
<+97>:    pop    rbx
<+98>:    pop    rbp
<+99>:    ret
void phase_2() {
    int numbers[6];
    read_six_numbers(numbers);
    if(numbers[0] == 1) goto l_41;
    explode_bomb();
l_41:
    int *rbx = &numbers[0];
    int *rbp = &numbers[5];
l_49:
    int eax = *rbx;
    eax += eax;
    if(eax == rbx[1]) goto l_63;
    explode_bomb();
l_63:
    rbx++;
    if(rbx != rbp) goto l_49;
}
void phase_2() {
    int numbers[6];
    read_six_numbers(numbers);
    if(numbers[0] != 1) explode_bomb();
    int *rbx = &numbers[0];
    int *rbp = &numbers[5];
    do {
        int eax = *rbx;
        eax += eax;
        if(eax != rbx[1]) explode_bomb();
        rbx++;
    } while(rbx != rbp);
}
void phase_2() {
    int numbers[6];
    read_six_numbers(numbers);
    if(numbers[0] != 1) explode_bomb();
    for(int *ptr = &numbers[0], *end = &numbers[5]; ptr!=end; ++ptr) {
        if(ptr[0]*2 != ptr[1]) explode_bomb();
    }
}
void phase_2() {
    int numbers[6];
    read_six_numbers(numbers);
    if(numbers[0] != 1) explode_bomb();
    for(int i = 0; i!=5; ++i) {
        if(numbers[i]*2 != numbers[i+1]) explode_bomb();
    }
}


Share : facebook icon twitter icon

Binary Bomb Phase 3 Assembly


By : boris_horis
Date : March 29 2020, 07:55 AM
it fixes the issue It isn't comparing %rsp to 0x240. Rather, it is comparing whatever is stored at the memory location %rsp + 0x10 to 0x240, in other words, it's comparing a constant to what you'd call a "local variable" in most languages.

understanding assembly code for binary bomb phase 2


By : Hong . bin
Date : March 29 2020, 07:55 AM
I think the issue was by ths following , %ebp usually used as the stack frame pointer -- the -0x4 is an offset from the address stored in %ebp -- and values below (negative offset) %ebp are typically local variables (if compiled from C code) and values above (positive offset) are usually function parameters. This code appears to be code produced from compiling C code, and the %ebp usage is typical. -0x4(%ebp) would refer to the first local variable of the function. It appears to have been set a few statements earlier with mov %cl,-0x4(%ebp). That raises the question of where the value in the %cl value came frome, and if we trace further back, we can see that it was mov 0x8(%ebp),%cx that set %cl. Notice that the cmpb instruction has a b prefix, meaning that it is a byte-compare. (As opposed to a 16-bit or 32-bit compare.) This matches the observation that the value there was set using only %cl, which is also an 8-bit value.
All of this tells us that the line you are asking about is doing an 8-bit compare with the hex value 0x77. If you look at an ASCII table, you can see 0x77 is lowercase 'w'. The next instruction jumps if the byte isn't equal to that value. This leads me to conclude we are checking the first parameter passed to the function to see if it is a 'w' character.

Binary Bomb phase 2, assembly ia32, at&t syntax need help understanding code flow


By : lukyprasetya
Date : March 29 2020, 07:55 AM
Hope this helps read_six_numbers will just check to make sure that you are importing 6 numbers. test %eax %eax will make sure that the first number is 0 and then it will iterate through a number of times making other compares. The way to do this assignment is to set breakpoints where ever it is calling the bomb and then before the breakpoints, check the comparisons and try to figure out what value is triggering the bomb to be called. Sometimes you can look into the registers if you are using the correct software and look at what is in the register and what it's comparing it with. I hope this could help a little without giving you the answer. I can try to answer other questions you have though as I just did this assignment in class a month or so ago.

Decoding Assembly Language (Bomb Lab Phase 5)


By : user3456203
Date : March 29 2020, 07:55 AM
Any of those help
what does adding the string (param1) with the loop counter (eax_1) do?

Binary Bomb Defusion. Decoding Dump - Phase 2


By : johnrobert
Date : March 29 2020, 07:55 AM
Hope that helps OK this is going to be kind of a long answer, but here you go:
Let me start with your specific question about the +46/+49 lines. What they do is:
shadow
Privacy Policy - Terms - Contact Us © soohba.com