Wednesday, March 29, 2017

Binary Bomb: Phase 4



Phase 4:

This is actually pretty short because I was able to catch the sequence early on. I was lucky. 
Let's take a look at the assembly code.
8048d81:   56                       push   %esi
 8048d82:   53                      push   %ebx
 8048d83:   83 ec 34                sub    $0x34,%esp
 8048d86:   8d 44 24 18             lea    0x18(%esp),%eax
 8048d8a:   89 44 24 04             mov    %eax,0x4(%esp)
 8048d8e:   8b 44 24 40             mov    0x40(%esp),%eax
 8048d92:   89 04 24                mov    %eax,(%esp)
 8048d95:   e8 ba 07 00 00          call   8049554 <read_six_numbers>
 8048d9a:   83 7c 24 18 05          cmpl   $0x5,0x18(%esp)
 8048d9f:   75 07                   jne    8048da8 <phase_4+0x27>
 8048da1:   83 7c 24 1c 08          cmpl   $0x8,0x1c(%esp)
 8048da6:   74 22                   je     8048dca <phase_4+0x49>
 8048da8:   e8 68 07 00 00          call   8049515 <explode_bomb>
 8048dad:   8d 76 00                lea    0x0(%esi),%esi
 8048db0:   eb 18                   jmp    8048dca <phase_4+0x49>
 8048db2:   8b 43 f8                mov    -0x8(%ebx),%eax
 8048db5:   03 43 fc                add    -0x4(%ebx),%eax
 8048db8:   39 03                   cmp    %eax,(%ebx)
 8048dba:   74 05                   je     8048dc1 <phase_4+0x40>
 8048dbc:   e8 54 07 00 00          call   8049515 <explode_bomb>
 8048dc1:   83 c3 04                add    $0x4,%ebx
 8048dc4:   39 f3                   cmp    %esi,%ebx
 8048dc6:   75 ea                   jne    8048db2 <phase_4+0x31>
 8048dc8:   eb 0a                   jmp    8048dd4 <phase_4+0x53>
 8048dca:   8d 5c 24 20             lea    0x20(%esp),%ebx
 8048dce:   8d 74 24 30             lea    0x30(%esp),%esi
 8048dd2:   eb de                   jmp    8048db2 <phase_4+0x31>
 8048dd4:   83 c4 34                add    $0x34,%esp
 8048dd7:   5b                      pop    %ebx
 8048dd8:   5e                      pop    %esi
 8048dd9:   c3                      ret   

Off the top of my head, I see many comparison statements, pushing, popping, read six numbers, so that's our input. I see jumping if not equal. They may be loops. Lets run through the beginning stages of GDB:
Dump of assembler code for function phase_4:
=> 0x08048d81 <+0>:     push   %esi
   0x08048d82 <+1>:     push   %ebx
   0x08048d83 <+2>:     sub    $0x34,%esp
   0x08048d86 <+5>:     lea    0x18(%esp),%eax
   0x08048d8a <+9>:     mov    %eax,0x4(%esp)
   0x08048d8e <+13>:    mov    0x40(%esp),%eax
   0x08048d92 <+17>:    mov    %eax,(%esp)
   0x08048d95 <+20>:    call   0x8049554 <read_six_numbers>
   0x08048d9a <+25>:    cmpl   $0x5,0x18(%esp)
   0x08048d9f <+30>:    jne    0x8048da8 <phase_4+39>
   0x08048da1 <+32>:    cmpl   $0x8,0x1c(%esp)
   0x08048da6 <+37>:    je     0x8048dca <phase_4+73>
   0x08048da8 <+39>:    call   0x8049515 <explode_bomb>
   0x08048dad <+44>:    lea    0x0(%esi),%esi
   0x08048db0 <+47>:    jmp    0x8048dca <phase_4+73>
   0x08048db2 <+49>:    mov    -0x8(%ebx),%eax
   0x08048db5 <+52>:    add    -0x4(%ebx),%eax
   0x08048db8 <+55>:    cmp    %eax,(%ebx)
   0x08048dba <+57>:    je     0x8048dc1 <phase_4+64>
   0x08048dbc <+59>:    call   0x8049515 <explode_bomb>
   0x08048dc1 <+64>:    add    $0x4,%ebx
   0x08048dc4 <+67>:    cmp    %esi,%ebx
   0x08048dc6 <+69>:    jne    0x8048db2 <phase_4+49>
   0x08048dc8 <+71>:    jmp    0x8048dd4 <phase_4+83>
   0x08048dca <+73>:    lea    0x20(%esp),%ebx
   0x08048dce <+77>:    lea    0x30(%esp),%esi
   0x08048dd2 <+81>:    jmp    0x8048db2 <phase_4+49>
   0x08048dd4 <+83>:    add    $0x34,%esp
---Type <return> to continue, or q <return> to quit---
   0x08048dd7 <+86>:    pop    %ebx
   0x08048dd8 <+87>:    pop    %esi
   0x08048dd9 <+88>:    ret   
End of assembler dump.

So I put in a random set of six numbers (1 2 3 4 5 6) but I don't need to do that. In fact, this is a very easy sequence to spot. Look at line 25 and 32. It's comparing 5 and 8. We can safely assume that the first two parts of our input are 5 and 8. The next thing to do is go through gdb step by step, and to step into the read six numbers function, so we see how everything moves.
Suppose we inputted 5 8 1 1 1 1 instead. Now, when we go through each instruction, step by step using gdb, we see that we soon get "i r" like:
gdb) i r
eax            0xd  13
ecx            0x0  0

Note that eax now points to 13.
So now we have 5, 8, 13. This sort of looks like the fibonacci sequence, doesn't it?

 


So, now we check the very last address. By that I mean:
(gdb) until *0x08048dd4
0x08048dd4 in phase_4 ()
(gdb) disas
Dump of assembler code for function phase_4:
   0x08048d81 <+0>: push   %esi
   ...
=> 0x08048dd4 <+83>:    add    $0x34,%esp
---Type <return> to continue, or q <return> to quit---
   0x08048dd7 <+86>:    pop    %ebx
   0x08048dd8 <+87>:    pop    %esi
   0x08048dd9 <+88>:    ret   
End of assembler dump.
(gdb) i r
eax            0x37 55
ecx            0x0  0

So this is definitely the Fib sequence. Plug it in: 5 8 13 21 34 55
On to Phase 5!
Posted by at
Labels: , , , , ,

1 comment:

  1. laelaquarantaMarch 3, 2022 at 3:36 PM

    NJ Casinos - Where All Casinos Are - JTM Hub
    This is where 전주 출장안마 all of the 김제 출장마사지 state's casinos got to 통영 출장샵 be, and all 용인 출장마사지 of 인천광역 출장안마 the places that are currently located near the state lines are packed with gaming

    ReplyDelete

Subscribe to: Post Comments (Atom)