Below is the disassembled code. PLease help me to defuse the binary bomb phase_7 08048e88 <phase_7>: 8048e88: 83 ec 2c sub $0x2c,%esp 8048e8b: 8d 44 24 18 lea 0x18(%esp),%eax 8048e8f: 89 44 24 0c mov %eax,0xc(%esp) 8048e93: 8d 44 24 1c lea 0x1c(%esp),%eax 8048e97: 89 44 24 08 mov %eax,0x8(%esp) 8048e9b: c7 44 24 04 61 a6 04 movl $0x804a661,0x4(%esp) 8048ea2: 08 8048ea3: 8b 44 24 30 mov 0x30(%esp),%eax 8048ea7: 89 04 24 mov %eax,(%esp) 8048eaa: e8 c1 f9 ff ff call 8048870 <__isoc99_sscanf@plt> 8048eaf: 83 f8 01 cmp $0x1,%eax 8048eb2: 7f 05 jg 8048eb9 <phase_7+0x31> 8048eb4: e8 0c 05 00 00 call 80493c5 <explode_bomb> 8048eb9: 8b 44 24 1c mov 0x1c(%esp),%eax 8048ebd: 83 e0 0f and $0xf,%eax 8048ec0: 89 44 24 1c mov %eax,0x1c(%esp) 8048ec4: 83 f8 0f cmp $0xf,%eax 8048ec7: 74 2a je 8048ef3 <phase_7+0x6b> 8048ec9: b9 00 00 00 00 mov $0x0,%ecx 8048ece: ba 00 00 00 00 mov $0x0,%edx 8048ed3: 83 c2 01 add $0x1,%edx 8048ed6: 8b 04 85 40 a4 04 08 mov 0x804a440(,%eax,4),%eax 8048edd: 01 c1 add %eax,%ecx 8048edf: 83 f8 0f cmp $0xf,%eax 8048ee2: 75 ef jne 8048ed3 <phase_7+0x4b> 8048ee4: 89 44 24 1c mov %eax,0x1c(%esp) 8048ee8: 83 fa 0f cmp $0xf,%edx 8048eeb: 75 06 jne 8048ef3 <phase_7+0x6b> 8048eed: 3b 4c 24 18 cmp 0x18(%esp),%ecx 8048ef1: 74 05 je 8048ef8 <phase_7+0x70> 8048ef3: e8 cd 04 00 00 call 80493c5 <explode_bomb> 8048ef8: 83 c4 2c add $0x2c,%esp 8048efb: c3 ret
phase 7 is a secret phase
| ========================= | |
| Secret phase | |
| ========================= | |
| After the first 6 stages: | |
| # ./bomb bomb-answers.txt | |
| Welcome to my fiendish little bomb. You have 6 phases with | |
| which to blow yourself up. Have a nice day! | |
| Phase 1 defused. How about the next one? | |
| That's number 2. Keep going! | |
| Halfway there! | |
| So you got that one. Try this one. | |
| Good work! On to the next... | |
| Congratulations! You've defused the bomb! | |
| In the phase_difused function, we have a function called secret_phase, activated only | |
| after first stages are difused: | |
| Dump of assembler code for function phase_defused: | |
| 0x0804952c <+0>: push ebp | |
| 0x0804952d <+1>: mov ebp,esp | |
| 0x0804952f <+3>: sub esp,0x64 | |
| 0x08049532 <+6>: push ebx | |
| 0x08049533 <+7>: cmp DWORD PTR ds:0x804b480,0x6 | |
| 0x0804953a <+14>: jne 0x804959f <phase_defused+115> | |
| 0x0804953c <+16>: lea ebx,[ebp-0x50] | |
| 0x0804953f <+19>: push ebx | |
| 0x08049540 <+20>: lea eax,[ebp-0x54] | |
| 0x08049543 <+23>: push eax | |
| 0x08049544 <+24>: push 0x8049d03 --> "%d %s" | |
| 0x08049549 <+29>: push 0x804b770 --> "9" this is the input from phase_4 | |
| 0x0804954e <+34>: call 0x8048860 <sscanf@plt> | |
| 0x08049553 <+39>: add esp,0x10 | |
| 0x08049556 <+42>: cmp eax,0x2 | |
| 0x08049559 <+45>: jne 0x8049592 <phase_defused+102> | |
| 0x0804955b <+47>: add esp,0xfffffff8 | |
| 0x0804955e <+50>: push 0x8049d09 --> austinpowers | |
| 0x08049563 <+55>: push ebx | |
| 0x08049564 <+56>: call 0x8049030 <strings_not_equal> | |
| 0x08049569 <+61>: add esp,0x10 | |
| 0x0804956c <+64>: test eax,eax | |
| 0x0804956e <+66>: jne 0x8049592 <phase_defused+102> | |
| 0x08049570 <+68>: add esp,0xfffffff4 | |
| 0x08049573 <+71>: push 0x8049d20 --> "Curses, you've found the secret phase!\n" | |
| 0x08049578 <+76>: call 0x8048810 <printf@plt> | |
| 0x0804957d <+81>: add esp,0xfffffff4 | |
| 0x08049580 <+84>: push 0x8049d60 --> "But finding it and solving it are quite different...\n" | |
| 0x08049585 <+89>: call 0x8048810 <printf@plt> | |
| 0x0804958a <+94>: add esp,0x20 | |
| 0x0804958d <+97>: call 0x8048ee8 <secret_phase> | |
| 0x08049592 <+102>: add esp,0xfffffff4 | |
| 0x08049595 <+105>: push 0x8049da0 | |
| 0x0804959a <+110>: call 0x8048810 <printf@plt> | |
| 0x0804959f <+115>: mov ebx,DWORD PTR [ebp-0x68] | |
| 0x080495a2 <+118>: mov esp,ebp | |
| 0x080495a4 <+120>: pop ebp | |
| 0x080495a5 <+121>: ret | |
| End of assembler dump. | |
| After all 6 phases are done,we can go on in this function: | |
| 0x08049533 <+7>: cmp DWORD PTR ds:0x804b480,0x6 | |
| 0x0804953a <+14>: jne 0x804959f <phase_defused+115> | |
| We add a word to the password for phase_4, and break the program at *0x0804954e. | |
| 0x0804955b <+47>: add esp,0xfffffff8 | |
| 0x0804955e <+50>: push 0x8049d09 --> "austinpowers" | |
| 0x08049563 <+55>: push ebx | |
| 0x08049564 <+56>: call 0x8049030 <strings_not_equal> | |
| We add the password "austinpowers" and get the following 2 messages printed: | |
| Curses, you've found the secret phase! | |
| But finding it and solving it are quite different... | |
| Dump of assembler code for function secret_phase: | |
| 0x08048ee8 <+0>: push ebp | |
| 0x08048ee9 <+1>: mov ebp,esp | |
| 0x08048eeb <+3>: sub esp,0x14 | |
| 0x08048eee <+6>: push ebx | |
| 0x08048eef <+7>: call 0x80491fc <read_line> | |
| 0x08048ef4 <+12>: push 0x0 // group parameter -> should be 0 | |
| 0x08048ef6 <+14>: push 0xa // base parameter -> 10, decimal | |
| 0x08048ef8 <+16>: push 0x0 // endptr -> NULL | |
| 0x08048efa <+18>: push eax // str -> beginning of the string representation | |
| 0x08048efb <+19>: call 0x80487f0 <__strtol_internal@plt> | |
| 0x08048f00 <+24>: add esp,0x10 | |
| 0x08048f03 <+27>: mov ebx,eax // eax -> long int decimal value | |
| 0x08048f05 <+29>: lea eax,[ebx-0x1] | |
| 0x08048f08 <+32>: cmp eax,0x3e8 | |
| 0x08048f0d <+37>: jbe 0x8048f14 <secret_phase+44> // <= 0x3e8=1000 | |
| 0x08048f0f <+39>: call 0x80494fc <explode_bomb> | |
| 0x08048f14 <+44>: add esp,0xfffffff8 | |
| 0x08048f17 <+47>: push ebx // 2nd param to fun7 | |
| 0x08048f18 <+48>: push 0x804b320 // .. 1st param to fun7 | |
| 0x08048f1d <+53>: call 0x8048e94 <fun7> | |
| 0x08048f22 <+58>: add esp,0x10 | |
| 0x08048f25 <+61>: cmp eax,0x7 // fun7 should return 7 | |
| 0x08048f28 <+64>: je 0x8048f2f <secret_phase+71> | |
| 0x08048f2a <+66>: call 0x80494fc <explode_bomb> | |
| 0x08048f2f <+71>: add esp,0xfffffff4 | |
| 0x08048f32 <+74>: push 0x8049820 // "Wow! You've defused the secret stage!\n" | |
| 0x08048f37 <+79>: call 0x8048810 <printf@plt> | |
| 0x08048f3c <+84>: call 0x804952c <phase_defused> | |
| 0x08048f41 <+89>: mov ebx,DWORD PTR [ebp-0x18] | |
| 0x08048f44 <+92>: mov esp,ebp | |
| 0x08048f46 <+94>: pop ebp | |
| 0x08048f47 <+95>: ret | |
| End of assembler dump. | |
| Dump of assembler code for function fun7: | |
| 0x08048e94 <+0>: push ebp | |
| 0x08048e95 <+1>: mov ebp,esp | |
| 0x08048e97 <+3>: sub esp,0x8 | |
| 0x08048e9a <+6>: mov edx,DWORD PTR [ebp+0x8] // -> 1st param | |
| 0x08048e9d <+9>: mov eax,DWORD PTR [ebp+0xc] // -> 2nd param | |
| 0x08048ea0 <+12>: test edx,edx | |
| 0x08048ea2 <+14>: jne 0x8048eb0 <fun7+28> | |
| 0x08048ea4 <+16>: mov eax,0xffffffff | |
| 0x08048ea9 <+21>: jmp 0x8048ee2 <fun7+78> | |
| 0x08048eab <+23>: nop // junk ?? (not reachable) | |
| 0x08048eac <+24>: lea esi,[esi+eiz*1+0x0] // junk ?? (not reachable) | |
| 0x08048eb0 <+28>: cmp eax,DWORD PTR [edx] | |
| 0x08048eb2 <+30>: jge 0x8048ec5 <fun7+49> | |
| 0x08048eb4 <+32>: add esp,0xfffffff8 | |
| 0x08048eb7 <+35>: push eax | |
| 0x08048eb8 <+36>: mov eax,DWORD PTR [edx+0x4] | |
| 0x08048ebb <+39>: push eax | |
| 0x08048ebc <+40>: call 0x8048e94 <fun7> | |
| 0x08048ec1 <+45>: add eax,eax | |
| 0x08048ec3 <+47>: jmp 0x8048ee2 <fun7+78> | |
| 0x08048ec5 <+49>: cmp eax,DWORD PTR [edx] | |
| 0x08048ec7 <+51>: je 0x8048ee0 <fun7+76> | |
| 0x08048ec9 <+53>: add esp,0xfffffff8 | |
| 0x08048ecc <+56>: push eax | |
| 0x08048ecd <+57>: mov eax,DWORD PTR [edx+0x8] | |
| 0x08048ed0 <+60>: push eax | |
| 0x08048ed1 <+61>: call 0x8048e94 <fun7> | |
| 0x08048ed6 <+66>: add eax,eax | |
| 0x08048ed8 <+68>: inc eax | |
| 0x08048ed9 <+69>: jmp 0x8048ee2 <fun7+78> | |
| 0x08048edb <+71>: nop | |
| 0x08048edc <+72>: lea esi,[esi+eiz*1+0x0] | |
| 0x08048ee0 <+76>: xor eax,eax | |
| 0x08048ee2 <+78>: mov esp,ebp | |
| 0x08048ee4 <+80>: pop ebp | |
| 0x08048ee5 <+81>: ret | |
| End of assembler dump. | |
| The last fun7 is something like this: | |
| int fun7(int *adr, int x) { | |
| if(adr == NULL) { | |
| ret = -1; // 0xffffffff | |
| goto exit; | |
| } | |
| if (x >= *adr) { | |
| if (x == *adr) { | |
| ret = 0 | |
| } else { | |
| ret = fun7(*(adr+8), x) | |
| ret *= 2; | |
| ret ++; | |
| } | |
| } else { | |
| ret = fun7(*(adr+4), x) | |
| ret *= 2 | |
| } | |
| exit: | |
| return ret; | |
| } | |
| Initial adr is 0x804b320. At this address there is a tree with 4 levels, as below. | |
| We navigate to the left o right branch depending on the input value. | |
| If input x is equal to value in branch, we return 0. | |
| 0x24 | |
| 0x8 0x32 | |
| 0x6 0x16 0x2d 0x6b | |
| ................................... 0x3e9 | |
| We want fun7() to return 7. | |
| 7 = 2*3+1 = 2*(2*1+1)+1. | |
| f(0x24) = 0 | |
| f(0x32) = 2*f(0x24)+1 = 1 | |
| f(0x6b) = 2*f(0x32)+1 = 3 | |
| f(0x3e9) = 2*f(0x6b)+1 = 7 | |
| 0x3e9 is 1001 decimal, and is accepted by the first check (param-1 <= 1000). | |
| # ./bomb bomb-answers.txt | |
| Welcome to my fiendish little bomb. You have 6 phases with | |
| which to blow yourself up. Have a nice day! | |
| Phase 1 defused. How about the next one? | |
| That's number 2. Keep going! | |
| Halfway there! | |
| So you got that one. Try this one. | |
| Good work! On to the next... | |
| Curses, you've found the secret phase! | |
| But finding it and solving it are quite different... | |
| Wow! You've defused the secret stage! | |
| Congratulations! You've defused the bomb! |
Below is the disassembled code. PLease help me to defuse the binary bomb phase_7 08048e88 <pha...
Below is the disassembled code. PLease help me to defuse the binary bomb phase_4 so the right input should be 6 numbers with a certain pattern 08048cdb <phase_4>: 8048cdb: 53 push %ebx 8048cdc: 83 ec 38 sub $0x38,%esp 8048cdf: 8d 44 24 18 lea 0x18(%esp),%eax 8048ce3: 89 44 24 04 mov %eax,0x4(%esp) 8048ce7: 8b 44 24 40 mov 0x40(%esp),%eax 8048ceb: 89 04 24 mov %eax,(%esp) 8048cee: e8 11 07 00 00 call 8049404 <read_six_numbers> 8048cf3: 83 7c 24 18 00 cmpl...
I need help finding the input that wont result in explode_bomb in this assembly 08048cd3 <phase_4>: 8048cd3: 57 push %edi 8048cd4: 56 push %esi 8048cd5: 53 push %ebx 8048cd6: 83 ec 10 sub $0x10,%esp 8048cd9: 8b 74 24 20 mov 0x20(%esp),%esi 8048cdd: 89 34 24 mov %esi,(%esp) 8048ce0: e8 f6 03 00 00 call 80490db <string_length> 8048ce5: 83 c0 01 add $0x1,%eax 8048ce8: 89 04 24 mov %eax,(%esp) 8048ceb: e8 10 fb ff ff call 8048800 <malloc@plt> 8048cf0: 89 c7...
This is phase_5 of defusing a binary bomb. (Disass in x86 on a Linux system.) I am having trouble "debugging" this and figuring out what I need to enter to defuse this phase, but I am relatively sure I will need 6 inputs. Thanks in advance. Dump of assembler code for function phase_5: 0x00000000004011bf <+0>: push %rbx 0x00000000004011c0 <+1>: mov %rdi,%rbx 0x00000000004011c3 <+4>: callq 0x401414 <string_length> 0x00000000004011c8 <+9>: cmp $0x6,%eax //eax = 6? jump over explode 0x00000000004011cb <+12>: je 0x4011d2...
Binary Bomb phase 4 Dump of assembler code for function phase_4: > 0x0000000000400fe7 <+0>: sub $0x18,%rsp 0x0000000000400feb <+4>: lea 0x8(%rsp),%rcx 0x0000000000400ff0 <+9>: lea 0xc(%rsp),%rdx 0x0000000000400ff5 <+14>: mov $0x40290d,%esi 0x0000000000400ffa <+19>: mov $0x0,%eax 0x0000000000400fff <+24>: callq 0x400c00 <__isoc99_sscanf@plt> 0x0000000000401004 <+29>: cmp $0x2,%eax 0x0000000000401007 <+32>: jne 0x401010 <phase_4+41> 0x0000000000401009 <+34>: cmpl $0xe,0xc(%rsp) 0x000000000040100e <+39>: jbe 0x401015 <phase_4+46> 0x0000000000401010 <+41>: callq 0x401662 <explode_bomb> 0x0000000000401015 <+46>: mov $0xe,%edx 0x000000000040101a <+51>: mov $0x0,%esi...
Please explain the table solution. The red answers are correct.
Please explain step by step why
5) Mutually assured instruction. (10 pts) a) First, deduce the following functions. (4pts) 000000000000064a <func1>: 64a: 48 83 ec 18 sub $0x18,%rsp 64e: 89 70 24 OC mov %edi, oxc(%rsp) 652: 83 70 24 Oc 00 cmpl $0x0, xc(%rsp) 657: 75 07 jne 660 <func1+0x16> 659: b8 01 00 00 00 mov $0x1,%eax 65e: ebbe jmp 66e <func1+0x24> 660: 85 44 24 Oc mov...
When using objdump to disassemble the binary, how to find what the address of a specific function is? For example, 08048934 <function2>: 8048934: 55 push ebp 8048935: 89 e5 mov ebp,esp 8048937: 53 push ebx 8048938: 83 ec 04 sub esp,0x4 804893b: e8 1f 00 00 00 call 804895f <__x86.get_pc_thunk.ax> 8048940: 05 c0 06 09 00 add eax,0x906c0 8048945: 83 ec 0c sub esp,0xc 8048948: 8d 90 70 31 fd ff lea edx,[eax-0x2ce90] 804894e: 52 push edx 804894f: 89 c3...
I need to reverse engineer from machine code to C, how do I do it?This problem will give you a chance to reverse engineer a switch statement frommachine code. In the following procedure, the body of the switch statement hasbeen removed:1 int switch_prob(int x, int n)2 {3 int result = x;45 switch(n) {67 /* Fill in code here */8 }910 return result;11 }Figure 3.44 shows the disassembled machine code for the procedure. We cansee in lines 4 and 5 that...
This is the bomb lab phase2, I just have no idea on how to
solve it. I know the answer is a six number array, I want to know
what numbers they are?
6x00000000004015d7<+136> : pop %rbx 0x00000000004015d8 <+137>: retq of assembler dump. b) stepi 00401572 in phase2 ) db) disas mp of assenbler code for function phase2: %rbx $0x20,%rsp %fs:0x28,%rax %rax,0x18(%rsp) %eax , %eax %rsp,Krst 0x000000000040154f <+0>: 0x0000000000401550 <+1>: 0x0000000000401554 <+5>: push sub nov 6x000000000040155d <+14s: <+19> : 21»:...
From the following hexdump, answer the questions below: 0000 00 1d 6b 99 98 68 00 1d d9 2e 4f 61 08 00 45 00 0010 01 41 44 90 40 00 3f 06 d6 5a c0 a8 01 40 4a 7d 0020 13 67 98 f1 01 bb 2e cb 07 05 fb dd 38 75 80 18 0030 ff ff 02 16 00 00 01 01 08 0a 2a 7b 63 c9 3b 78 0040 e0 8b 8d...