Below is the disassembled code. Please help me to defuse the binary bomb.
Question
Below is the disassembled code. Please help me to defuse the binary bomb.
Dump of assembler code for function phase_2:
# phase_2: gdb dump, 32-bit x86, AT&T syntax (source, destination), stack-passed arguments.
# Calls read_six_numbers(arg at 0x8(%ebp), buffer at -0x1c(%ebp)); that helper is not
# shown here (presumably it parses six 4-byte integers into the buffer - confirm).
# The function then checks the six dwords v[0..5] at -0x1c(%ebp) .. -0x8(%ebp):
#   v[0] == 0, v[1] == 1, and v[i] == v[i-2] + v[i-1] for i = 2..5.
# Every failed check calls explode_bomb.
0x08048d3d <phase_2+0>: push %ebp
0x08048d3e <phase_2+1>: mov %esp,%ebp
# %ebx is used as the loop pointer below, so it is saved here (lands at -0x4(%ebp)).
0x08048d40 <phase_2+3>: push %ebx
0x08048d41 <phase_2+4>: sub $0x34,%esp
# Second argument: address of the local buffer at -0x1c(%ebp).
0x08048d44 <phase_2+7>: lea -0x1c(%ebp),%eax
0x08048d47 <phase_2+10>: mov %eax,0x4(%esp)
# First argument: this function's own first argument, passed through unchanged.
0x08048d4b <phase_2+14>: mov 0x8(%ebp),%eax
0x08048d4e <phase_2+17>: mov %eax,(%esp)
0x08048d51 <phase_2+20>: call 0x80491a7 <read_six_numbers>
# v[0] must be 0 ...
0x08048d56 <phase_2+25>: cmpl $0x0,-0x1c(%ebp)
0x08048d5a <phase_2+29>: jne 0x8048d62 <phase_2+37>
# ... and v[1] must be 1; otherwise fall into the explode_bomb call.
0x08048d5c <phase_2+31>: cmpl $0x1,-0x18(%ebp)
0x08048d60 <phase_2+35>: je 0x8048d67 <phase_2+42>
0x08048d62 <phase_2+37>: call 0x8049165 <explode_bomb>
# %ebx = &v[2]; the loop walks %ebx over v[2]..v[5].
0x08048d67 <phase_2+42>: lea -0x14(%ebp),%ebx
# Loop body: %eax = p[-2] + p[-1]; it must equal *p.
0x08048d6a <phase_2+45>: mov -0x8(%ebx),%eax
0x08048d6d <phase_2+48>: add -0x4(%ebx),%eax
0x08048d70 <phase_2+51>: cmp %eax,(%ebx)
0x08048d72 <phase_2+53>: je 0x8048d79 <phase_2+60>
0x08048d74 <phase_2+55>: call 0x8049165 <explode_bomb>
# Advance one dword; stop when %ebx reaches -0x4(%ebp), one slot past v[5]
# (that slot holds the saved %ebx, so the loop never reads or writes it).
0x08048d79 <phase_2+60>: add $0x4,%ebx
0x08048d7c <phase_2+63>: lea -0x4(%ebp),%eax
0x08048d7f <phase_2+66>: cmp %eax,%ebx
0x08048d81 <phase_2+68>: jne 0x8048d6a <phase_2+45>
# Epilogue: release locals, restore %ebx and %ebp.
0x08048d83 <phase_2+70>: add $0x34,%esp
0x08048d86 <phase_2+73>: pop %ebx
0x08048d87 <phase_2+74>: pop %ebp
0x08048d88 <phase_2+75>: ret
End of assembler dump.
Dump of assembler code for function phase_3:
# phase_3: gdb dump, 32-bit x86, AT&T syntax, stack-passed arguments.
# Calls sscanf(input, fmt at 0x804a38a, &a, &b) with a = -0x4(%ebp), b = -0x8(%ebp).
# The format string is not shown; two output pointers are passed, so it presumably
# converts two integers - confirm by inspecting 0x804a38a.
# Checks, each failing into explode_bomb:
#   sscanf return > 1; a <= 7 as unsigned (guards the jump-table index);
#   a <= 5 as signed; b == the constant computed for case a.
0x08048e67 <phase_3+0>: push %ebp
0x08048e68 <phase_3+1>: mov %esp,%ebp
0x08048e6a <phase_3+3>: sub $0x28,%esp
# Build the sscanf argument list right-to-left: &b, &a, format, input.
0x08048e6d <phase_3+6>: lea -0x8(%ebp),%eax
0x08048e70 <phase_3+9>: mov %eax,0xc(%esp)
0x08048e74 <phase_3+13>: lea -0x4(%ebp),%eax
0x08048e77 <phase_3+16>: mov %eax,0x8(%esp)
0x08048e7b <phase_3+20>: movl $0x804a38a,0x4(%esp)
0x08048e83 <phase_3+28>: mov 0x8(%ebp),%eax
0x08048e86 <phase_3+31>: mov %eax,(%esp)
0x08048e89 <phase_3+34>: call 0x8048884 <sscanf@plt>
# sscanf's return value is checked before a/b are used: it must exceed 1 (signed).
0x08048e8e <phase_3+39>: cmp $0x1,%eax
0x08048e91 <phase_3+42>: jg 0x8048e98 <phase_3+49>
0x08048e93 <phase_3+44>: call 0x8049165 <explode_bomb>
# Bounds check on the jump-table index. 'ja' is an unsigned compare, so negative
# values of a are rejected along with values above 7.
0x08048e98 <phase_3+49>: cmpl $0x7,-0x4(%ebp)
# Padding: lea of %esi onto itself changes nothing and leaves the flags from cmpl intact.
0x08048e9c <phase_3+53>: lea 0x0(%esi,%eiz,1),%esi
0x08048ea0 <phase_3+57>: ja 0x8048f02 <phase_3+155>
# Indirect jump through a table of 4-byte entries at 0x804a2c0, indexed by a.
# The table contents are not shown, so which entry point below belongs to which
# value of a cannot be read from this listing.
0x08048ea2 <phase_3+59>: mov -0x4(%ebp),%eax
0x08048ea5 <phase_3+62>: jmp *0x804a2c0(,%eax,4)
# Eight entry points follow (+69, +76, +83, +91, +98, +107, +114, +123). Each loads a
# start value into %eax and jumps into (or falls into) a different point of the
# add/sub chain at +128..+150, so the final %eax is a fixed constant per entry point.
0x08048eac <phase_3+69>: mov $0x0,%eax
0x08048eb1 <phase_3+74>: jmp 0x8048efd <phase_3+150>
0x08048eb3 <phase_3+76>: mov $0x0,%eax
0x08048eb8 <phase_3+81>: jmp 0x8048efa <phase_3+147>
0x08048eba <phase_3+83>: mov $0x0,%eax
0x08048ebf <phase_3+88>: nop
0x08048ec0 <phase_3+89>: jmp 0x8048ef7 <phase_3+144>
0x08048ec2 <phase_3+91>: mov $0x0,%eax
0x08048ec7 <phase_3+96>: jmp 0x8048ef4 <phase_3+141>
0x08048ec9 <phase_3+98>: mov $0x0,%eax
# xchg %ax,%ax is a two-byte no-op used as padding.
0x08048ece <phase_3+103>: xchg %ax,%ax
0x08048ed0 <phase_3+105>: jmp 0x8048ef1 <phase_3+138>
0x08048ed2 <phase_3+107>: mov $0x0,%eax
0x08048ed7 <phase_3+112>: jmp 0x8048eec <phase_3+133>
0x08048ed9 <phase_3+114>: mov $0x1c3,%eax
0x08048ede <phase_3+119>: xchg %ax,%ax
0x08048ee0 <phase_3+121>: jmp 0x8048ee7 <phase_3+128>
# The entry at +123 has no jmp: it falls straight into the top of the chain.
0x08048ee2 <phase_3+123>: mov $0x0,%eax
# Fall-through arithmetic chain; execution runs from the entry point to +153.
0x08048ee7 <phase_3+128>: sub $0xf5,%eax
0x08048eec <phase_3+133>: add $0x22c,%eax
# The next line is a gdb pager prompt captured in the paste, not an instruction.
---Type <return> to continue, or q <return> to quit---
0x08048ef1 <phase_3+138>: sub $0x39,%eax
0x08048ef4 <phase_3+141>: add $0x39,%eax
0x08048ef7 <phase_3+144>: sub $0x39,%eax
0x08048efa <phase_3+147>: add $0x39,%eax
0x08048efd <phase_3+150>: sub $0x39,%eax
0x08048f00 <phase_3+153>: jmp 0x8048f0c <phase_3+165>
# Target of the out-of-range branch at +57.
0x08048f02 <phase_3+155>: call 0x8049165 <explode_bomb>
0x08048f07 <phase_3+160>: mov $0x0,%eax
# Second range check on a: signed, must not exceed 5. Together with the unsigned
# check at +49 this leaves 0..5 as the accepted range.
0x08048f0c <phase_3+165>: cmpl $0x5,-0x4(%ebp)
0x08048f10 <phase_3+169>: jg 0x8048f17 <phase_3+176>
# b must equal the constant left in %eax by the chain above.
0x08048f12 <phase_3+171>: cmp -0x8(%ebp),%eax
0x08048f15 <phase_3+174>: je 0x8048f1c <phase_3+181>
0x08048f17 <phase_3+176>: call 0x8049165 <explode_bomb>
0x08048f1c <phase_3+181>: leave
# Padding before ret (lea of %esi onto itself).
0x08048f1d <phase_3+182>: lea 0x0(%esi),%esi
0x08048f20 <phase_3+185>: ret
End of assembler dump.
(gdb) disas phase_4
Dump of assembler code for function phase_4:
# phase_4: gdb dump, 32-bit x86, AT&T syntax, stack-passed arguments.
# Calls sscanf(input, fmt at 0x804a38a, &a, &b) with a = -0x4(%ebp), b = -0x8(%ebp)
# (format string not shown; presumably two integers - confirm).
# Checks, each failing into explode_bomb:
#   sscanf return == 2; 0 <= a <= 14; func4(a, 0, 14) == 0x12; b == 0x12.
# func4 is not part of this listing, so which a satisfies the third check
# cannot be determined from here.
0x08048dfb <phase_4+0>: push %ebp
0x08048dfc <phase_4+1>: mov %esp,%ebp
0x08048dfe <phase_4+3>: sub $0x28,%esp
# Build the sscanf argument list right-to-left: &b, &a, format, input.
0x08048e01 <phase_4+6>: lea -0x8(%ebp),%eax
0x08048e04 <phase_4+9>: mov %eax,0xc(%esp)
0x08048e08 <phase_4+13>: lea -0x4(%ebp),%eax
0x08048e0b <phase_4+16>: mov %eax,0x8(%esp)
0x08048e0f <phase_4+20>: movl $0x804a38a,0x4(%esp)
0x08048e17 <phase_4+28>: mov 0x8(%ebp),%eax
0x08048e1a <phase_4+31>: mov %eax,(%esp)
0x08048e1d <phase_4+34>: call 0x8048884 <sscanf@plt>
# Exactly two conversions are required (phase_3 and phase_5 accept "more than one").
0x08048e22 <phase_4+39>: cmp $0x2,%eax
0x08048e25 <phase_4+42>: jne 0x8048e33 <phase_4+56>
# Range check on a: 'js' rejects negatives, 'jle' accepts values up to 0xe.
0x08048e27 <phase_4+44>: mov -0x4(%ebp),%eax
0x08048e2a <phase_4+47>: test %eax,%eax
0x08048e2c <phase_4+49>: js 0x8048e33 <phase_4+56>
0x08048e2e <phase_4+51>: cmp $0xe,%eax
0x08048e31 <phase_4+54>: jle 0x8048e38 <phase_4+61>
0x08048e33 <phase_4+56>: call 0x8049165 <explode_bomb>
# Arguments for func4, right-to-left: 0xe, 0, a.
0x08048e38 <phase_4+61>: movl $0xe,0x8(%esp)
0x08048e40 <phase_4+69>: movl $0x0,0x4(%esp)
0x08048e48 <phase_4+77>: mov -0x4(%ebp),%eax
0x08048e4b <phase_4+80>: mov %eax,(%esp)
0x08048e4e <phase_4+83>: call 0x8048b00 <func4>
# Both func4's return value and b must be 0x12.
0x08048e53 <phase_4+88>: cmp $0x12,%eax
0x08048e56 <phase_4+91>: jne 0x8048e5e <phase_4+99>
0x08048e58 <phase_4+93>: cmpl $0x12,-0x8(%ebp)
0x08048e5c <phase_4+97>: je 0x8048e65 <phase_4+106>
# xchg %ax,%ax is a two-byte no-op used as padding before the call.
0x08048e5e <phase_4+99>: xchg %ax,%ax
0x08048e60 <phase_4+101>: call 0x8049165 <explode_bomb>
0x08048e65 <phase_4+106>: leave
0x08048e66 <phase_4+107>: ret
End of assembler dump.
Dump of assembler code for function phase_5:
# phase_5: gdb dump, 32-bit x86, AT&T syntax, stack-passed arguments.
# Calls sscanf(input, fmt at 0x804a38a, &a, &b) with a = -0x4(%ebp), b = -0x8(%ebp)
# (format string not shown; presumably two integers - confirm).
# Then follows a chain through a table of 4-byte entries at 0x804a2e0:
#   idx = a & 0xf; repeat idx = table[idx], counting steps and summing the values read,
#   until the value read is 0xf.
# Checks, each failing into explode_bomb:
#   sscanf return > 1; (a & 0xf) != 0xf; exactly 15 steps taken; b == sum of values read.
# The table contents are not shown, so the accepted inputs cannot be read from this listing.
0x08048d89 <phase_5+0>: push %ebp
0x08048d8a <phase_5+1>: mov %esp,%ebp
0x08048d8c <phase_5+3>: sub $0x28,%esp
# Build the sscanf argument list right-to-left: &b, &a, format, input.
0x08048d8f <phase_5+6>: lea -0x8(%ebp),%eax
0x08048d92 <phase_5+9>: mov %eax,0xc(%esp)
0x08048d96 <phase_5+13>: lea -0x4(%ebp),%eax
0x08048d99 <phase_5+16>: mov %eax,0x8(%esp)
0x08048d9d <phase_5+20>: movl $0x804a38a,0x4(%esp)
0x08048da5 <phase_5+28>: mov 0x8(%ebp),%eax
0x08048da8 <phase_5+31>: mov %eax,(%esp)
0x08048dab <phase_5+34>: call 0x8048884 <sscanf@plt>
# sscanf's return value must exceed 1 (signed) before a/b are used.
0x08048db0 <phase_5+39>: cmp $0x1,%eax
0x08048db3 <phase_5+42>: jg 0x8048dba <phase_5+49>
0x08048db5 <phase_5+44>: call 0x8049165 <explode_bomb>
# Mask a to its low four bits, so the first table index is always 0..15.
0x08048dba <phase_5+49>: mov -0x4(%ebp),%eax
0x08048dbd <phase_5+52>: and $0xf,%eax
0x08048dc0 <phase_5+55>: mov %eax,-0x4(%ebp)
# A starting index of 0xf is rejected outright.
0x08048dc3 <phase_5+58>: cmp $0xf,%eax
0x08048dc6 <phase_5+61>: je 0x8048df4 <phase_5+107>
# %edx = step counter, %ecx = running sum.
0x08048dc8 <phase_5+63>: mov $0x0,%edx
0x08048dcd <phase_5+68>: mov $0x0,%ecx
# Loop: count the step, replace %eax with table[%eax], add the new value to the sum.
# NOTE(review): only the first index is masked; later indices are whatever the table
# holds, and the loop has no iteration cap. Both are safe only if every entry is a
# valid index and the chain reaches 0xf - verify against the data at 0x804a2e0.
0x08048dd2 <phase_5+73>: add $0x1,%edx
0x08048dd5 <phase_5+76>: mov 0x804a2e0(,%eax,4),%eax
0x08048ddc <phase_5+83>: add %eax,%ecx
0x08048dde <phase_5+85>: cmp $0xf,%eax
0x08048de1 <phase_5+88>: jne 0x8048dd2 <phase_5+73>
# The loop ended on 0xf; record it in a's slot.
0x08048de3 <phase_5+90>: movl $0xf,-0x4(%ebp)
# The chain must have taken exactly 15 steps ...
0x08048dea <phase_5+97>: cmp $0xf,%edx
0x08048ded <phase_5+100>: jne 0x8048df4 <phase_5+107>
# ... and b must equal the sum accumulated in %ecx.
0x08048def <phase_5+102>: cmp %ecx,-0x8(%ebp)
0x08048df2 <phase_5+105>: je 0x8048df9 <phase_5+112>
0x08048df4 <phase_5+107>: call 0x8049165 <explode_bomb>
0x08048df9 <phase_5+112>: leave
0x08048dfa <phase_5+113>: ret
End of assembler dump.
Dump of assembler code for function phase_6:
# phase_6: gdb dump, 32-bit x86, AT&T syntax, stack-passed arguments.
# NOTE: this listing is truncated - it stops at +117, while the code branches to +256,
# so only the input-validation part of the function is visible.
# Calls read_six_numbers(arg at 0x8(%ebp), buffer at -0x24(%ebp)); that helper is not
# shown (presumably it parses six 4-byte integers into the buffer - confirm).
# Visible checks on the six dwords v[0..5], each failing into explode_bomb:
#   every v[i] is in 1..6, and no two elements are equal.
# The visible tail (+105..+117) rewrites one element as 7 - v[k]; the loop around it
# and everything after are outside the paste.
0x08048c2a <phase_6+0>: push %ebp
0x08048c2b <phase_6+1>: mov %esp,%ebp
# %edi, %esi and %ebx are used as loop state below, so they are saved first.
0x08048c2d <phase_6+3>: push %edi
0x08048c2e <phase_6+4>: push %esi
0x08048c2f <phase_6+5>: push %ebx
0x08048c30 <phase_6+6>: sub $0x3c,%esp
# Arguments for read_six_numbers, right-to-left: buffer address, then the input.
0x08048c33 <phase_6+9>: lea -0x24(%ebp),%eax
0x08048c36 <phase_6+12>: mov %eax,0x4(%esp)
0x08048c3a <phase_6+16>: mov 0x8(%ebp),%eax
0x08048c3d <phase_6+19>: mov %eax,(%esp)
0x08048c40 <phase_6+22>: call 0x80491a7 <read_six_numbers>
# Outer loop index i = %ebx, starting at 0.
0x08048c45 <phase_6+27>: mov $0x0,%ebx
# Range check: (v[i] - 1) <= 5 as unsigned, i.e. v[i] in 1..6. The unsigned 'jbe'
# also rejects 0 and negatives, since subtracting 1 wraps them to large values.
0x08048c4a <phase_6+32>: mov -0x24(%ebp,%ebx,4),%eax
0x08048c4e <phase_6+36>: sub $0x1,%eax
0x08048c51 <phase_6+39>: cmp $0x5,%eax
0x08048c54 <phase_6+42>: jbe 0x8048c5b <phase_6+49>
0x08048c56 <phase_6+44>: call 0x8049165 <explode_bomb>
# %edi = i + 1; once it reaches 6 all elements are validated and control leaves
# for +256, which is not part of this listing.
0x08048c5b <phase_6+49>: lea 0x1(%ebx),%edi
0x08048c5e <phase_6+52>: cmp $0x6,%edi
0x08048c61 <phase_6+55>: je 0x8048d2a <phase_6+256>
# Inner loop setup: %esi = &v[i], j = %ebx = i + 1, buffer base stored at -0x40(%ebp).
0x08048c67 <phase_6+61>: lea -0x24(%ebp,%ebx,4),%esi
0x08048c6b <phase_6+65>: mov %edi,%ebx
0x08048c6d <phase_6+67>: lea -0x24(%ebp),%eax
0x08048c70 <phase_6+70>: mov %eax,-0x40(%ebp)
# Inner loop: %eax = base[%edi - 1] = v[i]; compare it with 0x4(%esi), the next
# element not yet compared. Equality is the failure case here.
0x08048c73 <phase_6+73>: mov -0x40(%ebp),%edx
0x08048c76 <phase_6+76>: mov -0x4(%edx,%edi,4),%eax
0x08048c7a <phase_6+80>: cmp 0x4(%esi),%eax
0x08048c7d <phase_6+83>: jne 0x8048c84 <phase_6+90>
0x08048c7f <phase_6+85>: call 0x8049165 <explode_bomb>
# Advance j and the element pointer; keep going while j <= 5.
0x08048c84 <phase_6+90>: add $0x1,%ebx
0x08048c87 <phase_6+93>: add $0x4,%esi
0x08048c8a <phase_6+96>: cmp $0x5,%ebx
0x08048c8d <phase_6+99>: jle 0x8048c73 <phase_6+73>
# Next outer iteration with i = i + 1.
0x08048c8f <phase_6+101>: mov %edi,%ebx
0x08048c91 <phase_6+103>: jmp 0x8048c4a <phase_6+32>
# Replaces base[%ecx - 1] with 7 minus its old value. %ecx is set outside the
# visible lines (presumably a 1-based loop counter - confirm in the full dump).
0x08048c93 <phase_6+105>: lea -0x24(%ebp),%edx
0x08048c96 <phase_6+108>: mov $0x7,%eax
0x08048c9b <phase_6+113>: sub -0x4(%edx,%ecx,4),%eax
0x08048c9f <phase_6+117>: mov %eax,-0x4(%edx,%ecx,4)
You will be a lifesaver. Please help me as best you can.