Phase 3 of Binary Bomb Lab In this lab, we want to find the input that would byp

Question

Phase 3 of Binary Bomb Lab

In this lab, we want to find the input that would bypass the explode line.

08048ce8 <phase_3>:
8048ce8:   83 ec 1c    sub $0x1c,%esp
8048ceb:   c7 04 24 18 a5 04 08    movl $0x804a518,(%esp)
8048cf2:   e8 b4 04 00 00    call 80491ab <string_length>
8048cf7:   83 c0 01    add $0x1,%eax
8048cfa:   89 04 24    mov %eax,(%esp)
8048cfd:   e8 6e fb ff ff    call 8048870 <malloc@plt>
8048d02:   c7 00 57 68 79 20     movl $0x20796857,(%eax)
8048d08:   c7 40 04 6d 61 6b 65    movl $0x656b616d,0x4(%eax)
8048d0f:   c7 40 08 20 74 72 69    movl $0x69727420,0x8(%eax)
8048d16:   c7 40 0c 6c 6c 69 6f    movl $0x6f696c6c,0xc(%eax)
8048d1d:   c7 40 10 6e 73 20 77    movl $0x7720736e,0x10(%eax)
8048d24:   c7 40 14 68 65 6e 20    movl $0x206e6568,0x14(%eax)
8048d2b:   c7 40 18 77 65 20 63    movl $0x63206577,0x18(%eax)
8048d32:   c7 40 1c 6f 75 6c 64    movl $0x646c756f,0x1c(%eax)
8048d39:   c7 40 20 20 6d 61 6b    movl $0x6b616d20,0x20(%eax)
8048d40:   c7 40 24 65 2e 2e 2e    movl $0x2e2e2e65,0x24(%eax)
8048d47:   c7 40 28 20 62 69 6c    movl $0x6c696220,0x28(%eax)
8048d4e:   c7 40 2c 6c 69 6f 6e    movl $0x6e6f696c,0x2c(%eax)
8048d55:   66 c7 40 30 73 3f     movw $0x3f73,0x30(%eax)
8048d5b:   c6 40 32 00     movb $0x0,0x32(%eax)
8048d5f:   c6 40 12 61     movb $0x61,0x12(%eax)
8048d63:   89 44 24 04     mov %eax,0x4(%esp)
8048d67:   8b 44 24 20     mov 0x20(%esp),%eax
8048d6b:   89 04 24    mov %eax,(%esp)
8048d6e:   e8 57 04 00 00    call 80491ca <strings_not_equal>
8048d73:   85 c0     test %eax,%eax
8048d75:   74 05     je 8048d7c <phase_3+0x94>
8048d77:   e8 49 07 00 00    call 80494c5 <explode_bomb>
8048d7c:   83 c4 1c    add $0x1c,%esp
8048d7f:   90    nop
8048d80:   c3    ret

08048870 <malloc@plt>:
8048870:   ff 25 34 d0 04 08     jmp *0x804d034
8048876:   68 50 00 00 00    push $0x50
804887b:   e9 40 ff ff ff    jmp 80487c0 <_init+0x30>

080491ab <string_length>:
80491ab:   8b 54 24 04     mov 0x4(%esp),%edx
80491af:   80 3a 00    cmpb $0x0,(%edx)
80491b2:   74 10     je 80491c4 <string_length+0x19>
80491b4:   b8 00 00 00 00    mov $0x0,%eax
80491b9:   83 c0 01    add $0x1,%eax
80491bc:   80 3c 02 00     cmpb $0x0,(%edx,%eax,1)
80491c0:   75 f7     jne 80491b9 <string_length+0xe>
80491c2:   f3 c3     repz ret
80491c4:   b8 00 00 00 00    mov $0x0,%eax
80491c9:   c3    ret

080491ca <strings_not_equal>:
80491ca:   57    push %edi
80491cb:   56    push %esi
80491cc:   53    push %ebx
80491cd:   83 ec 04    sub $0x4,%esp
80491d0:   8b 5c 24 14     mov 0x14(%esp),%ebx
80491d4:   8b 74 24 18     mov 0x18(%esp),%esi
80491d8:   89 1c 24    mov %ebx,(%esp)
80491db:   e8 cb ff ff ff    call 80491ab <string_length>
80491e0:   89 c7     mov %eax,%edi
80491e2:   89 34 24    mov %esi,(%esp)
80491e5:   e8 c1 ff ff ff    call 80491ab <string_length>
80491ea:   ba 01 00 00 00    mov $0x1,%edx
80491ef:   39 c7     cmp %eax,%edi
80491f1:   75 3a     jne 804922d <strings_not_equal+0x63>
80491f3:   0f b6 03    movzbl (%ebx),%eax
80491f6:   84 c0     test %al,%al
80491f8:   74 20     je 804921a <strings_not_equal+0x50>
80491fa:   3a 06     cmp (%esi),%al
80491fc:   74 08     je 8049206 <strings_not_equal+0x3c>
80491fe:   66 90     xchg %ax,%ax
8049200:   eb 1f     jmp 8049221 <strings_not_equal+0x57>
8049202:   3a 06     cmp (%esi),%al
8049204:   75 22     jne 8049228 <strings_not_equal+0x5e>
8049206:   83 c3 01    add $0x1,%ebx
8049209:   83 c6 01    add $0x1,%esi
804920c:   0f b6 03    movzbl (%ebx),%eax
804920f:   84 c0     test %al,%al
8049211:   75 ef     jne 8049202 <strings_not_equal+0x38>
8049213:   ba 00 00 00 00    mov $0x0,%edx
8049218:   eb 13     jmp 804922d <strings_not_equal+0x63>
804921a:   ba 00 00 00 00    mov $0x0,%edx
804921f:   eb 0c     jmp 804922d <strings_not_equal+0x63>
8049221:   ba 01 00 00 00    mov $0x1,%edx
8049226:   eb 05     jmp 804922d <strings_not_equal+0x63>
8049228:   ba 01 00 00 00    mov $0x1,%edx
804922d:   89 d0     mov %edx,%eax
804922f:   83 c4 04    add $0x4,%esp
8049232:   5b    pop %ebx
8049233:   5e    pop %esi
8049234:   5f    pop %edi
8049235:   c3    ret

The string being affected is:

Why make trillions when we could make... billions?

Can you please explain it too, I'm very stuck here. Thank you. The input should be the string, but altered according to the code.

Explanation / Answer

There are a lot of conditionals here. Maybe you’re an IA32 warrior who can take one look at this code and immediately tell what is going on, but for the rest of us, an iterative approach might work better here.

The first interesting thing we see here is the call to scanf which occurs at memory address 8048bb7 in my objdump output file. There are two values that are pushed onto the stack right before scanf is called. After the call to scanf is made, the two pushed values are compared, and the bomb explodes if they’re not equal. Let’s use gdb to figure out what they are.

As usual, we will set a breakpoint at our phase, phase_3, and then run the bomb using answers.txt as an argument. After that, we can input a test string and when our breakpoint hits, we can use the gdb command x/s [memory-address] to print whatever string we find at that memory address:

Related Questions

Navigate

• Browse (All)
• Browse P
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.