Phase 1:
The following is the assembly for Phase 1. Basically, we have two comparisons and a hex string that we need to match.
08048c80 <phase_1>:
 8048c80:  83 ec 2c                sub    $0x2c,%esp
 8048c83:  c7 44 24 1c 00 00 00    movl   $0x0,0x1c(%esp)
 8048c8a:  00
 8048c8b:  8d 44 24 1c             lea    0x1c(%esp),%eax
 8048c8f:  89 44 24 08             mov    %eax,0x8(%esp)
 8048c93:  c7 44 24 04 ac a7 04    movl   $0x804a7ac,0x4(%esp)
 8048c9a:  08
 8048c9b:  8b 44 24 30             mov    0x30(%esp),%eax
 8048c9f:  89 04 24                mov    %eax,(%esp)
 8048ca2:  e8 59 fc ff ff          call   8048900 <__isoc99_sscanf@plt>
 8048ca7:  83 f8 01                cmp    $0x1,%eax
 8048caa:  74 05                   je     8048cb1 <phase_1+0x31>
 8048cac:  e8 64 08 00 00          call   8049515 <explode_bomb>
 8048cb1:  81 7c 24 1c bb 02 00    cmpl   $0x2bb,0x1c(%esp)
 8048cb8:  00
 8048cb9:  74 05                   je     8048cc0 <phase_1+0x40>
 8048cbb:  e8 55 08 00 00          call   8049515 <explode_bomb>
 8048cc0:  83 c4 2c                add    $0x2c,%esp
 8048cc3:  c3                      ret
The important places are the two comparisons (cmp $0x1,%eax and cmpl $0x2bb,0x1c(%esp)) and the explode_bomb call that follows each of them. Now fire up GDB and set a breakpoint at phase_1:
[user5@cd bomb124]$ gdb bomb
GNU gdb (GDB) Red Hat Enterprise Linux 7.6.1-80.el7
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /.autofs/ilab/ilab_users/user5/Desktop/HW3/Bomb124/bomb124/bomb...done.
(gdb) break phase_1
Breakpoint 1 at 0x8048c80
(gdb)
We know that it must be an integer input, so enter two random integers and then check the assembly with the "disas" command. Follow the assembly carefully:
(gdb) run
Starting program: /.autofs/ilab/ilab_users/user5/Desktop/HW3/Bomb124/bomb124/bomb
Welcome to my fiendish little bomb. You have 9 phases with
which to blow yourself up. Have a nice day!
1 2

Breakpoint 1, 0x08048c80 in phase_1 ()
Missing separate debuginfos, use: debuginfo-install glibc-2.17-106.el7_2.8.i686
(gdb) disas
Dump of assembler code for function phase_1:
=> 0x08048c80 <+0>:     sub    $0x2c,%esp
   0x08048c83 <+3>:     movl   $0x0,0x1c(%esp)
   0x08048c8b <+11>:    lea    0x1c(%esp),%eax
   0x08048c8f <+15>:    mov    %eax,0x8(%esp)
   0x08048c93 <+19>:    movl   $0x804a7ac,0x4(%esp)
   0x08048c9b <+27>:    mov    0x30(%esp),%eax
   0x08048c9f <+31>:    mov    %eax,(%esp)
   0x08048ca2 <+34>:    call   0x8048900 <__isoc99_sscanf@plt>
   0x08048ca7 <+39>:    cmp    $0x1,%eax
   0x08048caa <+42>:    je     0x8048cb1 <phase_1+49>
   0x08048cac <+44>:    call   0x8049515 <explode_bomb>
   0x08048cb1 <+49>:    cmpl   $0x2bb,0x1c(%esp)
   0x08048cb9 <+57>:    je     0x8048cc0 <phase_1+64>
   0x08048cbb <+59>:    call   0x8049515 <explode_bomb>
   0x08048cc0 <+64>:    add    $0x2c,%esp
   0x08048cc3 <+67>:    ret
End of assembler dump.
(gdb)
Note that in the assembly we have a call to sscanf, and then eax (its return value, the number of items it successfully read) is compared to 1. If it equals 1, we jump to phase_1+49; otherwise explode_bomb is called. Note that this means there must be only one input. I put in two inputs, so next time we'll enter only one number. Looking at offset +49, we see cmpl $0x2bb,0x1c(%esp), which must be our input requirement: the integer that sscanf stored at 0x1c(%esp) has to equal 0x2bb. Converting from hex to decimal gives 699. Now quit gdb, test it out on the command line, and phase 1 should be defused.
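To make the two checks easier to read, here is a C reconstruction of the phase_1 disassembly above. This is an added example, not code from the bomb or from the original post; it assumes the format string at 0x804a7ac is "%d" (the post only infers an integer input) and models explode_bomb with a return code instead of detonating.

```c
/* Added example: phase_1 rebuilt from the disassembly as C.
 * Assumptions: the format string at 0x804a7ac is "%d" (not shown on the page),
 * and explode_bomb is modelled by a return code rather than a real detonation. */
#include <stdio.h>

#define PHASE_DEFUSED  0
#define PHASE_EXPLODED 1

int phase_1(const char *input)
{
    int value = 0;                          /* movl $0x0,0x1c(%esp) */

    /* call __isoc99_sscanf(input, FORMAT, &value) -- FORMAT assumed "%d".
     * eax holds the number of items read; cmp $0x1,%eax / je ... / call explode_bomb */
    if (sscanf(input, "%d", &value) != 1)
        return PHASE_EXPLODED;

    /* cmpl $0x2bb,0x1c(%esp) / je ... / call explode_bomb: 0x2bb == 699 */
    if (value != 0x2bb)
        return PHASE_EXPLODED;

    return PHASE_DEFUSED;                   /* add $0x2c,%esp ; ret */
}

int main(void)
{
    /* Constructed inputs: the post's first attempt, a non-number, and the answer. */
    const char *tries[] = { "1 2", "abc", "699" };
    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("\"%s\" -> %s\n", tries[i],
               phase_1(tries[i]) == PHASE_DEFUSED ? "defused" : "BOOM");
    return 0;
}
```

Note that with a "%d" format, "1 2" still passes the first check (sscanf reads the 1 and returns 1); it is the second comparison against 0x2bb that rejects it.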
Note that usually, for Binary Bomb, the first couple phases are the easiest. This is certainly the case, especially for this bomb.