
When run, it prompts the user to type in 6 different strings. If any of these is incorrect, the bomb "explodes," printing an error message and logging the event on a grading server. Students must "defuse" their own unique bomb by disassembling and reverse engineering the program to determine what the 6 strings should be.

   0x08048e35 <+99>:    mov    $0x69,%eax
   0x08048e3a <+104>:   jmp    0x8048f0e <phase_3+316>
   0x08048e3f <+109>:   cmpl   $0x1ce,-0x10(%ebp)
   0x08048e46 <+116>:   je     0x8048f09 <phase_3+311>
   0x08048e4c <+122>:   call   0x8049168 <explode_bomb>
   0x08048e51 <+127>:   mov    $0x68,%eax
   0x08048e56 <+132>:   jmp    0x8048f0e <phase_3+316>
   0x08048e5b <+137>:   mov    $0x72,%eax
   0x08048e60 <+142>:   cmpl   $0xa9,-0x10(%ebp)
   0x08048e67 <+149>:   je     0x8048f0e <phase_3+316>
   0x08048e6d <+155>:   call   0x8049168 <explode_bomb>
   0x08048e72 <+160>:   mov    $0x72,%eax
   0x08048e77 <+165>:   jmp    0x8048f0e <phase_3+316>
   0x08048e7c <+170>:   mov    $0x62,%eax
   0x08048e81 <+175>:   cmpl   $0xbb,-0x10(%ebp)
   0x08048e88 <+182>:   je     0x8048f0e <phase_3+316>
   0x08048e8e <+188>:   call   0x8049168 <explode_bomb>
   0x08048e93 <+193>:   mov    $0x62,%eax
   0x08048e98 <+198>:   jmp    0x8048f0e <phase_3+316>
   0x08048e9a <+200>:   cmpl   $0xe0,-0x10(%ebp)
   0x08048ea1 <+207>:   je     0x8048f09 <phase_3+311>
   0x08048ea3 <+209>:   call   0x8049168 <explode_bomb>
   0x08048ea8 <+214>:   mov    $0x68,%eax
   0x08048ead <+219>:   jmp    0x8048f0e <phase_3+316>
   0x08048eaf <+221>:   mov    $0x79,%eax
   0x08048eb4 <+226>:   cmpl   $0x2e2,-0x10(%ebp)
   0x08048ebb <+233>:   je     0x8048f0e <phase_3+316>
   0x08048ebd <+235>:   call   0x8049168 <explode_bomb>
   0x08048ec2 <+240>:   mov    $0x79,%eax
   0x08048ec7 <+245>:   jmp    0x8048f0e <phase_3+316>
   0x08048ec9 <+247>:   mov    $0x6b,%eax
   0x08048ece <+252>:   cmpl   $0x3ba,-0x10(%ebp)
   0x08048ed5 <+259>:   je     0x8048f0e <phase_3+316>
   0x08048ed7 <+261>:   call   0x8049168 <explode_bomb>
   0x08048edc <+266>:   mov    $0x6b,%eax
   0x08048ee1 <+271>:   jmp    0x8048f0e <phase_3+316>
   0x08048ee3 <+273>:   mov    $0x61,%eax
   0x08048ee8 <+278>:   cmpl   $0x2a8,-0x10(%ebp)
   0x08048eef <+285>:   je     0x8048f0e <phase_3+316>
   0x08048ef1 <+287>:   call   0x8049168 <explode_bomb>
   0x08048ef6 <+292>:   mov    $0x61,%eax
   0x08048efb <+297>:   jmp    0x8048f0e <phase_3+316>
   0x08048efd <+299>:   call   0x8049168 <explode_bomb>
Jongware
User123
  • This question appears to be off-topic because it is unlikely to help any other future visitors. – karlphillip Oct 16 '14 at 23:16
  • @karlphillip: unfortunately that is not *quite* true. It's only a matter of time before one of the more overzealous answerers gives out "the" answer, much to the benefit of all Bomb Related questioners (which in turn may lead to a short rise of the number of bad programmers, but surely social Darwinism will take care of that). – Jongware Oct 19 '14 at 21:37
  • @Jongware I understand what you are saying, but it doesn't look like that many guys in the world go to his class and have access to this problem. I also thought Stackoverflow wasn't doing homework questions anymore. By the way, I didn't down vote the question, but I still do think it's a bad one. – karlphillip Oct 19 '14 at 21:45

1 Answer

Looks like you got most of it figured out. Line +43 is indeed accessing an array, which holds some integer constants. We know this because %ecx is scaled by 4. Also, since %ecx has been masked to only retain the low 4 bits, we know this table has size 16. You can thus print it using x/16w 0x804a380.

The array item is simply added to %edx which has been zeroed earlier. Thus, %edx will give you the sum of all array items as indexed by the low 4 bits of the characters in the input string. It is then checked whether the sum equals 36.

So, to defuse the bomb, you just need to find 6 array items that give a sum of 36, then pick arbitrary characters that have the appropriate low 4 bits for the array indices (in any order).

See also this question, which was somewhat similar to yours.

Community
Jester
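
The check described in the answer above, reconstructed in C with a small search for a passing input; this is an added example, not code from the original post or from the bomb binary. The table values are constructed placeholders (the real 16 words at 0x804a380 are not shown on this page), and the 6-character input length and the helper names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PHASE_LEN 6    /* assumed input length: the answer sums 6 items */
#define TARGET    36   /* value the answer says the sum is compared with */

/* CONSTRUCTED placeholder table: the real 16 words sit at 0x804a380 in the
 * binary (dump them with x/16w) and do not appear on this page. */
static const int table[16] = { 3, 11, 7, 1, 14, 5, 9, 2, 13, 6, 12, 4, 16, 8, 15, 10 };

/* Sum of table entries indexed by the low 4 bits of each character.
 * The caller guarantees s holds at least PHASE_LEN characters. */
int phase_sum(const char *s)
{
    int sum = 0;                          /* %edx, zeroed before the loop */
    for (size_t i = 0; i < PHASE_LEN; i++)
        sum += table[s[i] & 0xf];         /* %ecx masked, then scaled by 4 */
    return sum;
}

int phase_ok(const char *s)
{
    return strlen(s) == PHASE_LEN && phase_sum(s) == TARGET;
}

/* Depth-first search for PHASE_LEN indices whose entries sum to TARGET. */
static int search(int pos, int remaining, char *out)
{
    if (pos == PHASE_LEN) return remaining == 0;
    for (int idx = 0; idx < 16; idx++) {
        if (table[idx] > remaining) continue;       /* prune: placeholder entries are positive */
        out[pos] = idx ? (char)(0x60 + idx) : 'p';  /* 'a'..'o' -> 1..15, 'p' -> 0 */
        if (search(pos + 1, remaining - table[idx], out)) return 1;
    }
    return 0;
}

/* Fills out with one printable passing string; returns 0 if none exists. */
int find_input(char out[PHASE_LEN + 1])
{
    out[PHASE_LEN] = '\0';
    return search(0, TARGET, out);
}

int main(void)
{
    char s[PHASE_LEN + 1];
    if (find_input(s)) printf("%s -> sum %d\n", s, phase_sum(s));
    return 0;
}
```

Only the low 4 bits of each character matter, so with this placeholder table `ppppah` and `0000AH` select the same entries and both pass.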