What is the input that does not reach explode_bomb? (Dump of assembler code for phase_3)
Question
What input avoids the failure path, i.e. never reaches the unnamed `call 0x8049365` (presumably explode_bomb — it is called on every failure branch below)? The format string at 0x804a6e1 and the jump table at 0x804a440 were not dumped.
Dump of assembler code for function phase_3:
=> 0x08048c7a <+0>: sub $0x2c,%esp
0x08048c7d <+3>: lea 0x1c(%esp),%eax
0x08048c81 <+7>: mov %eax,0xc(%esp)
0x08048c85 <+11>: lea 0x18(%esp),%eax
0x08048c89 <+15>: mov %eax,0x8(%esp)
0x08048c8d <+19>: movl $0x804a6e1,0x4(%esp)
0x08048c95 <+27>: mov 0x30(%esp),%eax
0x08048c99 <+31>: mov %eax,(%esp)
0x08048c9c <+34>: call 0x80488d0 <__isoc99_sscanf@plt>
0x08048ca1 <+39>: cmp $0x1,%eax
0x08048ca4 <+42>: jg 0x8048cab
0x08048ca6 <+44>: call 0x8049365
0x08048cab <+49>: cmpl $0x7,0x18(%esp)
0x08048cb0 <+54>: ja 0x8048cee
0x08048cb2 <+56>: mov 0x18(%esp),%eax
0x08048cb6 <+60>: jmp *0x804a440(,%eax,4)
0x08048cbd <+67>: mov $0x45,%eax
0x08048cc2 <+72>: jmp 0x8048cff
0x08048cc4 <+74>: mov $0x3aa,%eax
0x08048cc9 <+79>: jmp 0x8048cff
0x08048ccb <+81>: mov $0x32,%eax
0x08048cd0 <+86>: jmp 0x8048cff
0x08048cd2 <+88>: mov $0x1d3,%eax
0x08048cd7 <+93>: jmp 0x8048cff
0x08048cd9 <+95>: mov $0x3a3,%eax
0x08048cde <+100>: jmp 0x8048cff
0x08048ce0 <+102>: mov $0x64,%eax
0x08048ce5 <+107>: jmp 0x8048cff
0x08048ce7 <+109>: mov $0x1fb,%eax
0x08048cec <+114>: jmp 0x8048cff
0x08048cee <+116>: call 0x8049365
0x08048cf3 <+121>: mov $0x0,%eax
0x08048cf8 <+126>: jmp 0x8048cff
0x08048cfa <+128>: mov $0x3b,%eax
0x08048cff <+133>: cmp 0x1c(%esp),%eax
0x08048d03 <+137>: je 0x8048d0a
0x08048d05 <+139>: call 0x8049365
0x08048d0a <+144>: add $0x2c,%esp
0x08048d0d <+147>: ret
Explanation / Answer

Note on scope: the walkthrough below is for a different build of the bomb than the one in the question (its phase_3 lives at 0x08048b98, is shown in Intel syntax and parses "%d %c %d"; the listing in the question is at 0x08048c7a, AT&T syntax, and passes only two output pointers to sscanf). The method carries over, but the concrete password does not. Applying the same method to the listing in the question:

1. sscanf is called with the phase string (0x30(%esp), the function's first argument) and two output slots, 0x18(%esp) and 0x1c(%esp). The format string at 0x804a6e1 is not in the dump — run `x/s 0x804a6e1` to confirm it is two integer conversions. `cmp $0x1,%eax` / `jg` means the return value must be greater than 1, so both numbers have to be parsed or the bomb explodes (+44).
2. `cmpl $0x7,0x18(%esp)` / `ja` is an unsigned comparison: the first number must be in 0..7. Negative values wrap to large unsigned values and take the explode path at +116.
3. `jmp *0x804a440(,%eax,4)` dispatches through an 8-entry jump table indexed by the first number. The table contents are not in the dump — run `x/8xw 0x804a440` to see which case each index selects. The eight case bodies load %eax with 0x45 (69), 0x3aa (938), 0x32 (50), 0x1d3 (467), 0x3a3 (931), 0x64 (100), 0x1fb (507) and, at +128, 0x3b (59). The block at +116 is the out-of-range path: it explodes first and only then loads 0, so it is never a valid target.
4. At +133 the chosen constant is compared with the second number (`cmp 0x1c(%esp),%eax`); anything but equality explodes at +139.

So there are eight valid inputs, one per table index: the first number n is any value 0..7 and the second number is the constant loaded by the case that table entry n jumps to. Which constant goes with which index can only be read off the table (for example, if `x/8xw 0x804a440` shows entry 0 as 0x08048cbd, then "0 69" defuses the phase). Do not reuse "7 b 524" from the walkthrough below — that is the answer for the other binary.

Dump of assembler code for function phase_3:
0x08048b98 <+0>: push ebp
0x08048b99 <+1>: mov ebp,esp
0x08048b9b <+3>: sub esp,0x14
0x08048b9e <+6>: push ebx
0x08048b9f <+7>: mov edx,DWORD PTR [ebp+0x8] --> address of first parameter, the password for phase_3
0x08048ba2 <+10>: add esp,0xfffffff4
0x08048ba5 <+13>: lea eax,[ebp-0x4]
0x08048ba8 <+16>: push eax
0x08048ba9 <+17>: lea eax,[ebp-0x5]
0x08048bac <+20>: push eax
0x08048bad <+21>: lea eax,[ebp-0xc]
0x08048bb0 <+24>: push eax
0x08048bb1 <+25>: push 0x80497de --> the format string for sscanf, "%d %c %d"
0x08048bb6 <+30>: push edx
0x08048bb7 <+31>: call 0x8048860 <sscanf@plt>
0x08048bbc <+36>: add esp,0x20
0x08048bbf <+39>: cmp eax,0x2
0x08048bc2 <+42>: jg 0x8048bc9 <phase_3+49>
0x08048bc4 <+44>: call 0x80494fc <explode_bomb>
0x08048bc9 <+49>: cmp DWORD PTR [ebp-0xc],0x7
0x08048bcd <+53>: ja 0x8048c88 <phase_3+240>
0x08048bd3 <+59>: mov eax,DWORD PTR [ebp-0xc]
0x08048bd6 <+62>: jmp DWORD PTR [eax*4+0x80497e8]
0x08048bdd <+69>: lea esi,[esi+0x0]
0x08048be0 <+72>: mov bl,0x71
0x08048be2 <+74>: cmp DWORD PTR [ebp-0x4],0x309
0x08048be9 <+81>: je 0x8048c8f <phase_3+247>
0x08048bef <+87>: call 0x80494fc <explode_bomb>
0x08048bf4 <+92>: jmp 0x8048c8f <phase_3+247>
0x08048bf9 <+97>: lea esi,[esi+eiz*1+0x0]
0x08048c00 <+104>: mov bl,0x62
0x08048c02 <+106>: cmp DWORD PTR [ebp-0x4],0xd6
0x08048c09 <+113>: je 0x8048c8f <phase_3+247>
0x08048c0f <+119>: call 0x80494fc <explode_bomb>
0x08048c14 <+124>: jmp 0x8048c8f <phase_3+247>
0x08048c16 <+126>: mov bl,0x62
0x08048c18 <+128>: cmp DWORD PTR [ebp-0x4],0x2f3
0x08048c1f <+135>: je 0x8048c8f <phase_3+247>
0x08048c21 <+137>: call 0x80494fc <explode_bomb>
0x08048c26 <+142>: jmp 0x8048c8f <phase_3+247>
0x08048c28 <+144>: mov bl,0x6b
0x08048c2a <+146>: cmp DWORD PTR [ebp-0x4],0xfb
0x08048c31 <+153>: je 0x8048c8f <phase_3+247>
0x08048c33 <+155>: call 0x80494fc <explode_bomb>
0x08048c38 <+160>: jmp 0x8048c8f <phase_3+247>
0x08048c3a <+162>: lea esi,[esi+0x0]
0x08048c40 <+168>: mov bl,0x6f
0x08048c42 <+170>: cmp DWORD PTR [ebp-0x4],0xa0
0x08048c49 <+177>: je 0x8048c8f <phase_3+247>
0x08048c4b <+179>: call 0x80494fc <explode_bomb>
0x08048c50 <+184>: jmp 0x8048c8f <phase_3+247>
0x08048c52 <+186>: mov bl,0x74
0x08048c54 <+188>: cmp DWORD PTR [ebp-0x4],0x1ca
0x08048c5b <+195>: je 0x8048c8f <phase_3+247>
0x08048c5d <+197>: call 0x80494fc <explode_bomb>
0x08048c62 <+202>: jmp 0x8048c8f <phase_3+247>
0x08048c64 <+204>: mov bl,0x76
0x08048c66 <+206>: cmp DWORD PTR [ebp-0x4],0x30c
0x08048c6d <+213>: je 0x8048c8f <phase_3+247>
0x08048c6f <+215>: call 0x80494fc <explode_bomb>
0x08048c74 <+220>: jmp 0x8048c8f <phase_3+247>
0x08048c76 <+222>: mov bl,0x62
0x08048c78 <+224>: cmp DWORD PTR [ebp-0x4],0x20c
0x08048c7f <+231>: je 0x8048c8f <phase_3+247>
0x08048c81 <+233>: call 0x80494fc <explode_bomb>
0x08048c86 <+238>: jmp 0x8048c8f <phase_3+247>
0x08048c88 <+240>: mov bl,0x78
0x08048c8a <+242>: call 0x80494fc <explode_bomb>
0x08048c8f <+247>: cmp bl,BYTE PTR [ebp-0x5]
0x08048c92 <+250>: je 0x8048c99 <phase_3+257>
0x08048c94 <+252>: call 0x80494fc <explode_bomb>
0x08048c99 <+257>: mov ebx,DWORD PTR [ebp-0x18]
0x08048c9c <+260>: mov esp,ebp
0x08048c9e <+262>: pop ebp
0x08048c9f <+263>: ret
Move the breakpoint from the commands file to 0x8048a98 (main+232), the point in main just before read_line and the call to phase_3; phase_3 itself begins at 0x8048b98.
0x8048a98 <main+232>: call 0x80491fc <read_line>
0x8048a9d <main+237>: add $0xfffffff4,%esp
0x8048aa0 <main+240>: push %eax
0x8048aa1 <main+241>: call 0x8048b98 <phase_3>
0x8048aa6 <main+246>: call 0x804952c <phase_defused>
Dump of assembler code for function phase_3:
0x08048b98 <+0>: push ebp
0x08048b99 <+1>: mov ebp,esp
0x08048b9b <+3>: sub esp,0x14
0x08048b9e <+6>: push ebx
0x08048b9f <+7>: mov edx,DWORD PTR [ebp+0x8] --> address of first parameter, the password for phase_3
0x08048ba2 <+10>: add esp,0xfffffff4
0x08048ba5 <+13>: lea eax,[ebp-0x4]
0x08048ba8 <+16>: push eax
0x08048ba9 <+17>: lea eax,[ebp-0x5]
0x08048bac <+20>: push eax
0x08048bad <+21>: lea eax,[ebp-0xc]
0x08048bb0 <+24>: push eax
0x08048bb1 <+25>: push 0x80497de --> the format string for sscanf, "%d %c %d"
0x08048bb6 <+30>: push edx
0x08048bb7 <+31>: call 0x8048860 <sscanf@plt>
0x08048bbc <+36>: add esp,0x20
0x08048bbf <+39>: cmp eax,0x2
0x08048bc2 <+42>: jg 0x8048bc9 <phase_3+49>
0x08048bc4 <+44>: call 0x80494fc <explode_bomb>
0x08048bc9 <+49>: cmp DWORD PTR [ebp-0xc],0x7
0x08048bcd <+53>: ja 0x8048c88 <phase_3+240>
0x08048bd3 <+59>: mov eax,DWORD PTR [ebp-0xc]
0x08048bd6 <+62>: jmp DWORD PTR [eax*4+0x80497e8]
0x08048bdd <+69>: lea esi,[esi+0x0]
0x08048be0 <+72>: mov bl,0x71
0x08048be2 <+74>: cmp DWORD PTR [ebp-0x4],0x309
0x08048be9 <+81>: je 0x8048c8f <phase_3+247>
0x08048bef <+87>: call 0x80494fc <explode_bomb>
0x08048bf4 <+92>: jmp 0x8048c8f <phase_3+247>
0x08048bf9 <+97>: lea esi,[esi+eiz*1+0x0]
0x08048c00 <+104>: mov bl,0x62
0x08048c02 <+106>: cmp DWORD PTR [ebp-0x4],0xd6
0x08048c09 <+113>: je 0x8048c8f <phase_3+247>
0x08048c0f <+119>: call 0x80494fc <explode_bomb>
0x08048c14 <+124>: jmp 0x8048c8f <phase_3+247>
0x08048c16 <+126>: mov bl,0x62
0x08048c18 <+128>: cmp DWORD PTR [ebp-0x4],0x2f3
0x08048c1f <+135>: je 0x8048c8f <phase_3+247>
0x08048c21 <+137>: call 0x80494fc <explode_bomb>
0x08048c26 <+142>: jmp 0x8048c8f <phase_3+247>
0x08048c28 <+144>: mov bl,0x6b
0x08048c2a <+146>: cmp DWORD PTR [ebp-0x4],0xfb
0x08048c31 <+153>: je 0x8048c8f <phase_3+247>
0x08048c33 <+155>: call 0x80494fc <explode_bomb>
0x08048c38 <+160>: jmp 0x8048c8f <phase_3+247>
0x08048c3a <+162>: lea esi,[esi+0x0]
0x08048c40 <+168>: mov bl,0x6f
0x08048c42 <+170>: cmp DWORD PTR [ebp-0x4],0xa0
0x08048c49 <+177>: je 0x8048c8f <phase_3+247>
0x08048c4b <+179>: call 0x80494fc <explode_bomb>
0x08048c50 <+184>: jmp 0x8048c8f <phase_3+247>
0x08048c52 <+186>: mov bl,0x74
0x08048c54 <+188>: cmp DWORD PTR [ebp-0x4],0x1ca
0x08048c5b <+195>: je 0x8048c8f <phase_3+247>
0x08048c5d <+197>: call 0x80494fc <explode_bomb>
0x08048c62 <+202>: jmp 0x8048c8f <phase_3+247>
0x08048c64 <+204>: mov bl,0x76
0x08048c66 <+206>: cmp DWORD PTR [ebp-0x4],0x30c
0x08048c6d <+213>: je 0x8048c8f <phase_3+247>
0x08048c6f <+215>: call 0x80494fc <explode_bomb>
0x08048c74 <+220>: jmp 0x8048c8f <phase_3+247>
0x08048c76 <+222>: mov bl,0x62
0x08048c78 <+224>: cmp DWORD PTR [ebp-0x4],0x20c
0x08048c7f <+231>: je 0x8048c8f <phase_3+247>
0x08048c81 <+233>: call 0x80494fc <explode_bomb>
0x08048c86 <+238>: jmp 0x8048c8f <phase_3+247>
0x08048c88 <+240>: mov bl,0x78
0x08048c8a <+242>: call 0x80494fc <explode_bomb>
0x08048c8f <+247>: cmp bl,BYTE PTR [ebp-0x5]
0x08048c92 <+250>: je 0x8048c99 <phase_3+257>
0x08048c94 <+252>: call 0x80494fc <explode_bomb>
0x08048c99 <+257>: mov ebx,DWORD PTR [ebp-0x18]
0x08048c9c <+260>: mov esp,ebp
0x08048c9e <+262>: pop ebp
0x08048c9f <+263>: ret
End of assembler dump.
(gdb) x/s 0x80497de
0x80497de: "%d %c %d"
For a test with the input for passphrase 3 as "123 x 456", we have the results:
(gdb) p /x $eax
$5 = 0x3
(gdb) x/d $ebp-4
0xbffff3f4: 456
(gdb) x/c $ebp-5
0xbffff3f3: 120 'x'
(gdb) x/d $ebp-0xc
0xbffff3ec: 123
(gdb)
First condition to not explode the bomb: sscanf must return a value greater than 2, i.e. all three conversions in "%d %c %d" have to succeed and fill the three variables passed to it.
0x08048bbf <+39>: cmp eax,0x2
0x08048bc2 <+42>: jg 0x8048bc9 <phase_3+49>
0x08048bc4 <+44>: call 0x80494fc <explode_bomb>
Second condition: the first number must be in the range 0..7. `ja` is an unsigned comparison, so a negative first number wraps to a large unsigned value and takes the explode path at +240 as well.
0x08048bc9 <+49>: cmp DWORD PTR [ebp-0xc],0x7
0x08048bcd <+53>: ja 0x8048c88 <phase_3+240>
The rest of the function is a switch statement compiled to a jump table: the first number indexes a table of case addresses at 0x80497e8.
0x08048bd6 <+62>: jmp DWORD PTR [eax*4+0x80497e8]
In $eax we have the first number, which we chose as 7.
(gdb) x/10wx 0x80497e8
0x80497e8: 0x08048be0 0x08048c00 0x08048c16 0x08048c28
0x80497f8: 0x08048c40 0x08048c52 0x08048c64 0x08048c76
0x8049808: 0x67006425 0x746e6169
Only the first eight words (indices 0–7) are table entries; the two words at 0x8049808 are adjacent string data in .rodata ("%d", "iant…"), not case targets. With a first number of 7, the jump goes to 0x08048c76.
(gdb) x /x $eax*4+0x80497e8
0x8049804: 0x08048c76
0x08048c76 <+222>: mov bl,0x62 --> ascii letter 'b'
0x08048c78 <+224>: cmp DWORD PTR [ebp-0x4],0x20c --> 524 in decimal
0x08048c7f <+231>: je 0x8048c8f <phase_3+247>
0x08048c81 <+233>: call 0x80494fc <explode_bomb>
0x08048c86 <+238>: jmp 0x8048c8f <phase_3+247>
So one password for phase_3 is:
7 b 524
This is not the only one: each of the eight cases accepts its own pair. Reading the constants off the case bodies above (the letter loaded into bl and the value compared against [ebp-0x4]) gives "0 q 777", "1 b 214", "2 b 755", "3 k 251", "4 o 160", "5 t 458", "6 v 780" and "7 b 524", assuming the jump table maps index n to the n-th case body in address order as shown by the `x/10wx 0x80497e8` dump.
End of assembler dump.