Phase 2:
Before we continue, put the answers found so far in a defuser.txt file and run the bomb with it (./bomb defuser.txt) so that we don't have to keep retyping them. Put each phase's answer on its own line.
For phase two, run gdb bomb in a terminal and do the following:

(gdb) break phase_2
Breakpoint 1 at 0x8048cc4
(gdb) run defuser.txt
Starting program: /.autofs/ilab/ilab_users/user5/Desktop/Bomb124/bomb124/bomb defuser.txt
Welcome to my fiendish little bomb. You have 9 phases with which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
Now look at the assembly to get some clues:
08048cc4 <phase_2>:
 8048cc4:	83 ec 1c             	sub    $0x1c,%esp
 8048cc7:	c7 44 24 04 30 a5 04 	movl   $0x804a530,0x4(%esp)
 8048cce:	08
 8048ccf:	8b 44 24 20          	mov    0x20(%esp),%eax
 8048cd3:	89 04 24             	mov    %eax,(%esp)
 8048cd6:	e8 3f 05 00 00       	call   804921a <strings_not_equal>
 8048cdb:	85 c0                	test   %eax,%eax
 8048cdd:	74 05                	je     8048ce4 <phase_2+0x20>
 8048cdf:	e8 31 08 00 00       	call   8049515 <explode_bomb>
 8048ce4:	83 c4 1c             	add    $0x1c,%esp
 8048ce7:	c3                   	ret
Note the lines around the call. strings_not_equal is being called, so two strings are being compared, and the two mov's before it set up its arguments: 0x20(%esp) is phase_2's own argument (our input line, which sat at 4(%esp) before the sub $0x1c,%esp moved it), and it is copied to (%esp) as the first argument; the immediate 0x804a530 stored at 0x4(%esp) by the movl at <+3> is the second argument. After the call, test %eax,%eax checks the return value and je jumps to phase_2+0x20 (offset 32, the add/ret epilogue) only when it is zero, i.e. only when the strings are equal; otherwise execution falls through into explode_bomb.
We should run gdb with a test string (literally use "test string" as the input) to see what is happening. Then we'll take a look at "disas" and "i r" (info registers), which give us the assembly and the current register values respectively.
Dump of assembler code for function phase_2:
=> 0x08048cc4 <+0>:	sub    $0x1c,%esp
   0x08048cc7 <+3>:	movl   $0x804a530,0x4(%esp)
   0x08048ccf <+11>:	mov    0x20(%esp),%eax
   0x08048cd3 <+15>:	mov    %eax,(%esp)
   0x08048cd6 <+18>:	call   0x804921a <strings_not_equal>
   0x08048cdb <+23>:	test   %eax,%eax
   0x08048cdd <+25>:	je     0x8048ce4 <phase_2+32>
   0x08048cdf <+27>:	call   0x8049515 <explode_bomb>
   0x08048ce4 <+32>:	add    $0x1c,%esp
   0x08048ce7 <+35>:	ret
End of assembler dump.
So we see some obvious stuff: if the strings don't match, strings_not_equal returns nonzero, the je is not taken, and explode_bomb is called. But take a look at <+3>: the immediate 0x804a530 is an address, very likely of a string. Before we even go there, we have to know where our own input string is. So:
(gdb) p/x $eax
$1 = 0x804d870
(gdb) x/25c 0x804d870
0x804d870 <input_strings+80>:	116 't'	101 'e'	115 's'	116 't'	32 ' '	115 's'	116 't'	114 'r'
0x804d878 <input_strings+88>:	105 'i'	110 'n'	103 'g'	0 '\000'	0 '\000'	0 '\000'	0 '\000'	0 '\000'
0x804d880 <input_strings+96>:	0 '\000'	0 '\000'	0 '\000'	0 '\000'	0 '\000'	0 '\000'	0 '\000'	0 '\000'
0x804d888 <input_strings+104>:	0 '\000'

(%eax holds the pointer here only because the caller left it there after read_line. The dependable way to get phase_2's argument at this breakpoint, which is at <+0> before the sub, is to read it off the stack with x/s *(char **)($esp+4); it shows the same "test string".)
Now, let's check what that mystery <+3> address could be pointing at.

(gdb) x/25c 0x804a530
0x804a530:	87 'W'	104 'h'	101 'e'	110 'n'	32 ' '	73 'I'	32 ' '	103 'g'
0x804a538:	101 'e'	116 't'	32 ' '	97 'a'	110 'n'	103 'g'	114 'r'	121 'y'
0x804a540:	44 ','	32 ' '	77 'M'	114 'r'	46 '.'	32 ' '	66 'B'	105 'i'
0x804a548:	103 'g'
Well, doesn't that look familiar. Check the "interesting strings" from the introduction part of this: it matches the beginning of the string "When I get angry, Mr. Bigglesworth gets upset." Since strings_not_equal compares our whole input against the whole target, the line in defuser.txt has to be that complete sentence, period included.
Let's test it out!
Welcome to my fiendish little bomb. You have 9 phases with which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
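The same lookup can be done without running the bomb at all: find the call to strings_not_equal in the objdump listing, take the immediate the preceding movl stored at 0x4(%esp) (the second argument), and read the C string at that address. The script below is an added example, not part of the original post or the bomb lab; it parses a constructed copy of the phase_2 listing shown above and resolves the address against a constructed memory map (a stand-in for the bomb's read-only data, populated with the sentence identified above). The function names, the RODATA map and the assumption that the comparison string is always the 0x4(%esp) argument are this example's own.

```python
import re

# Constructed copy of the objdump listing of phase_2 shown on this page (tabs
# separate address, raw bytes and instruction text, as objdump -d prints them).
PHASE_2_DISASM = (
    "08048cc4 <phase_2>:\n"
    " 8048cc4:\t83 ec 1c             \tsub    $0x1c,%esp\n"
    " 8048cc7:\tc7 44 24 04 30 a5 04 \tmovl   $0x804a530,0x4(%esp)\n"
    " 8048cce:\t08\n"
    " 8048ccf:\t8b 44 24 20          \tmov    0x20(%esp),%eax\n"
    " 8048cd3:\t89 04 24             \tmov    %eax,(%esp)\n"
    " 8048cd6:\te8 3f 05 00 00       \tcall   804921a <strings_not_equal>\n"
    " 8048cdb:\t85 c0                \ttest   %eax,%eax\n"
    " 8048cdd:\t74 05                \tje     8048ce4 <phase_2+0x20>\n"
    " 8048cdf:\te8 31 08 00 00       \tcall   8049515 <explode_bomb>\n"
    " 8048ce4:\t83 c4 1c             \tadd    $0x1c,%esp\n"
    " 8048ce7:\tc3                   \tret\n"
)

# Constructed stand-in for the bomb's read-only data: the address from the page's
# x/25c dump mapped to the full sentence the post identifies. Against the real
# binary you would read these bytes out of the ELF file instead.
RODATA = {0x804a530: b"When I get angry, Mr. Bigglesworth gets upset.\x00"}

# movl $IMM,0x4(%esp): an immediate stored as the second cdecl argument.
IMM_TO_ARG2_RE = re.compile(r"^\$0x([0-9a-f]+),0x4\(%esp\)$")


def parse_objdump(disasm):
    """Yield (address, mnemonic, operands) per instruction line, skipping symbol
    headers and the byte-only continuation lines objdump emits for instructions
    longer than seven bytes (the ' 8048cce:\t08' line above)."""
    for line in disasm.splitlines():
        parts = line.split("\t")
        if len(parts) < 3 or not parts[2].strip():
            continue
        addr = int(parts[0].strip().rstrip(":"), 16)
        mnem, _, ops = parts[2].strip().partition(" ")
        yield addr, mnem, ops.strip()


def read_cstring(mem, addr):
    """Read the NUL-terminated ASCII string starting at addr from the memory map."""
    for base, blob in mem.items():
        if base <= addr < base + len(blob):
            off = addr - base
            return blob[off:blob.index(b"\x00", off)].decode("ascii")
    raise KeyError(f"address {addr:#x} is not mapped")


def find_compare_strings(disasm, mem, callee="strings_not_equal"):
    """For every call to `callee`, take the immediate most recently stored at
    0x4(%esp) (the second argument, as in phase_2) and resolve it to the string
    it points at. Returns a list of (call_address, string) pairs."""
    results = []
    pending = None
    for addr, mnem, ops in parse_objdump(disasm):
        if mnem == "movl":
            m = IMM_TO_ARG2_RE.match(ops)
            if m:
                pending = int(m.group(1), 16)
        elif mnem == "call" and ops.endswith(f"<{callee}>"):
            if pending is None:
                raise ValueError(f"no immediate argument before call at {addr:#x}")
            results.append((addr, read_cstring(mem, pending)))
            pending = None
    return results


if __name__ == "__main__":
    for call_addr, s in find_compare_strings(PHASE_2_DISASM, RODATA):
        print(f"call at {call_addr:#x} compares the input against: {s!r}")
```

Running it prints the sentence that belongs on line 2 of defuser.txt. The same pattern applies to any other phase that calls strings_not_equal with a constant: the script only tracks an immediate written to 0x4(%esp), so a phase that builds the second argument in a register would need that case added.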