
I am stuck on this logic on the binary bomb. I understand a similar question was asked, but my logic seems quite different for me to reverse engineer from that question.

I have commented on what I believe the logic is doing, but have had no success so far. So, eax = 211, so does that mean rax has that value too? Because then rax is compared with 194 later. Is this logic just dealing with registers rsi, rdx, rcx? I believe rdi is potentially checking inputs separately.

Thanks

<+24>:  not    %rsi     //NOT rsi
<+27>:  and    %rsi,%rdx     //rdx &= rsi
<+30>:  xor    $0x1b9,%rdx    //rdx ^= 441
<+37>:  mov    $0xd3,%eax    //eax = 211
<+42>:  sub    %rdx,%rax    //rax -= rdx
<+45>:  mov    %rax,%rdx    //rdx = rax
<+48>:  cmp    $0xc2,%rax    //rax == 194
<+54>:  sete   %al
<+57>:  movzbl %al,%eax
<+60>:  cmp    %rcx,%rdx     //Does rdx == rcx?
  • Yes,`mov $0xd3,%eax` sets RAX. https://stackoverflow.com/questions/11177137/why-do-most-x64-instructions-zero-the-upper-part-of-a-32-bit-register – Peter Cordes Sep 29 '17 at 22:19
  • From other recent binary-bomb questions, I think the caller checks the return value in `%eax`, so you have to arrange for the `rax == 194` to be true so the function returns `1` instead of `0`. And yes, some other bombs pass the `scanf` return value as `rdi`, so it's just checking the number of args. – Peter Cordes Sep 29 '17 at 22:21
  • @PeterCordes when you say arrange, do you mean find a value for `rsi` and `rdx` with `rcx` == 194? Sorry if I am having trouble understanding, just a little confused with logic. It looks like `<+45>` overwrites `rdx` with `rax` value –  Sep 30 '17 at 04:39
  • Yes, I mean choose inputs that makes that comparison true. Write down equations and solve them. (There may not be a unique solution, but that's fine, it just means you have multiple choices of inputs that pass this phase.) – Peter Cordes Sep 30 '17 at 04:42
  • @PeterCordes I still have had no luck. I'm confused with line `<+37>`. It sets `eax` to equal 211, then subtracts `rdx` from it which would make `eax` equal -230. On line `<+48>` it is comparing `rax` with value 194, so where did the previous value disappear for `eax/rax`? –  Oct 01 '17 at 23:24
  • You can choose the starting value of `rdx` and `rsi`, so `rdx` can be anything you want when that `sub` runs. – Peter Cordes Oct 01 '17 at 23:39
  • This is the same kind of problem as this bomb: https://stackoverflow.com/questions/46261000/how-to-figure-out-second-parameter-register-in-reverse-engineering-assembly. That one presents a method for working backward from what you need to solve for inputs that will work (hint, there isn't always a unique solution, but you don't need that.) – Peter Cordes Oct 02 '17 at 00:11
  • @PeterCordes Thanks for all the assistance in making things clearer, solved this phase. –  Oct 03 '17 at 00:38
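To make the "write down equations and solve them" advice concrete, here is an added example (not code from the question or from any of the commenters) that emulates the listed instructions from `<+24>` to `<+60>` on 64-bit registers and then works backward from the required result. It assumes that the values of `rsi`, `rdx` and `rcx` at `<+24>` can be chosen freely; in the real bomb they come from whatever earlier code (for example `scanf`) put there, which is not shown on this page.

```python
MASK64 = (1 << 64) - 1  # registers are 64 bits wide; emulate the wraparound

def phase_step(rsi, rdx, rcx):
    """Emulate the listing from <+24> through <+60>.

    Returns (eax, cmp_equal): eax is the value left by sete/movzbl
    (1 if rax == 0xc2, else 0) and cmp_equal is the outcome of the final
    'cmp %rcx,%rdx' (True when rdx == rcx).
    """
    rsi = (~rsi) & MASK64          # <+24>  not  %rsi
    rdx = rdx & rsi                # <+27>  and  %rsi,%rdx
    rdx ^= 0x1b9                   # <+30>  xor  $0x1b9,%rdx
    rax = 0xd3                     # <+37>  mov  $0xd3,%eax (zero-extends into rax)
    rax = (rax - rdx) & MASK64     # <+42>  sub  %rdx,%rax (wraps like the CPU)
    rdx = rax                      # <+45>  mov  %rax,%rdx
    eax = 1 if rax == 0xc2 else 0  # <+48>..<+57>  cmp / sete / movzbl
    return eax, rdx == rcx         # <+60>  cmp  %rcx,%rdx

def solve_backward():
    """Invert the sequence step by step, starting from the required outcome.

    Each step has a unique inverse except the 'and', where we pick the
    simplest solution (rsi = 0, so the mask clears nothing).
    """
    target = 0xc2                                   # rax must equal 194 at <+48>
    rdx_after_xor = (0xd3 - target) & MASK64        # sub: 0xd3 - rdx == 0xc2 -> rdx == 0x11
    rdx_after_and = rdx_after_xor ^ 0x1b9           # xor is its own inverse -> 0x1a8 (424)
    # and: rdx & ~rsi must be 0x1a8; rsi = 0 and rdx = 0x1a8 is one solution.
    # rcx must equal the final rdx, which is the same 0xc2 that rax holds.
    return {"rsi": 0, "rdx": rdx_after_and, "rcx": target}

def find_solutions(limit):
    """Brute-force small (rsi, rdx) pairs to show the solution is not unique."""
    return [(rsi, rdx) for rsi in range(limit) for rdx in range(limit)
            if phase_step(rsi, rdx, 0xc2) == (1, True)]

if __name__ == "__main__":
    inputs = solve_backward()
    print("derived inputs:", {k: hex(v) for k, v in inputs.items()})
    print("emulated result (eax, rdx == rcx):", phase_step(**inputs))
    print("solutions with rsi, rdx < 512:", len(find_solutions(512)))
```

The backward derivation is the part worth internalising: `sub` and `xor` each have exactly one inverse, so the value `rdx` must hold after `<+30>` is forced, while `and %rsi,%rdx` loses information, which is exactly why several input pairs pass the phase (any bit of `0x1a8` must be set in `rdx` and clear in `rsi`; every other bit is unconstrained as long as it is not set in `rdx` while clear in `rsi`).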
