0

Hi i'm currently doing a binary bomb and am wondering if I am understanding some stuff correctly. I have this;

   0x00000000004011d4 <+0>:     sub    $0x8,%rsp
   0x00000000004011d8 <+4>:     cmpb   $0x59,(%rdi)
   0x00000000004011db <+7>:     jne    0x4011fd <phase_1+41>
   0x00000000004011dd <+9>:     cmpb   $0x46,0x2(%rdi)
   0x00000000004011e1 <+13>:    jne    0x4011fd <phase_1+41>
   0x00000000004011e3 <+15>:    cmpb   $0x68,0x1(%rdi)
   0x00000000004011e7 <+19>:    je     0x40120b <phase_1+55>
   0x00000000004011e9 <+21>:    movsbl 0x10(%rdi),%ecx
   0x00000000004011ed <+25>:    movsbl 0x5(%rdi),%edx
   0x00000000004011f1 <+29>:    add    $0xb,%edx
   0x00000000004011f4 <+32>:    mov    $0x1,%eax
   0x00000000004011f9 <+37>:    cmp    %edx,%ecx
   0x00000000004011fb <+39>:    je     0x401210 <phase_1+60>
   0x00000000004011fd <+41>:    callq  0x401b20 <bomb_activation>
   0x0000000000401202 <+46>:    mov    $0xffffffffffffffff,%rax
   0x0000000000401209 <+53>:    jmp    0x401210 <phase_1+60>
   0x000000000040120b <+55>:    mov    $0x0,%eax
   0x0000000000401210 <+60>:    add    $0x8,%rsp
   0x0000000000401214 <+64>:    retq

and so far I have translated it to this;

if(arr[0] != 'Y'){
bomb_activation();
}
if(arr[2] != 'F'){
bomb_activation();
}
if(arr[1] == 'h'){
bomb_activation();
}

int a = arr[10];
int b = arr[5];
b += 11;
status = 1;

if(t1 != t2){
bomb_activation();
}
return status;
}

As you can probably tell i'm really confused on how exactly to read these lines, I see it as moving the 10th element of the array into the ecx registry and filling the rest of the registry with 0s and the same logic to edx, however i'm not too sure how to determine what the value of arr[5] or arr[10] is just from this. 

   0x00000000004011e9 <+21>:    movsbl 0x10(%rdi),%ecx
   0x00000000004011ed <+25>:    movsbl 0x5(%rdi),%edx
   0x00000000004011f1 <+29>:    add    $0xb,%edx
   0x00000000004011f4 <+32>:    mov    $0x1,%eax
   0x00000000004011f9 <+37>:    cmp    %edx,%ecx

and more specifically how I am meant to determine the size of the array, maybe I am not understanding it at all though, any help would be great thanks.

Steve Summit
  • 45,437
  • 7
  • 70
  • 103
kreltin junior
  • 11
  • 1
  • why do you expect to see their values and the array size in this assembly? – izac89 Sep 29 '18 at 16:42
  • Like I said I am pretty confused but I just assumed there was a way to determine values and size from the assembly code given because the defusal answer is suppose to be a string derived from it, am i translating stuff wrong? – kreltin junior Sep 29 '18 at 16:49
  • 1
    `je 0x40120b ` is not `bomb_activation();`, but `return 0;` | `movsbl` does sign-extend the value, so it fills upper bits with 7th bit, not zeroes. (i.e. 0x33 -> 0x00000033, but 0x80 -> 0xFFFFFF80). .. the casting is more like `int32_t a = (int32_t)((int8_t)arr[16]);` (also notice the index, `0x10` is 16, not 10). You can't tell any value from array from this code, the content of array can be anything, also length. You are probably asking what to provide to pass through the test w/o activating bomb, and for that you can provide at 6th and 17th position of byte array any +11 val – Ped7g Sep 29 '18 at 16:49
  • it may be in the end best for you to load up such code in debugger (just write your own variant outside of lab env, if you are not free to debug it as many times as you wish inside the lab) and provide for example some array like `arr = {0, 1, 2, 3, 4, ...., 19};` and step over single instructions in debugger, making the final adjustments to your assumptions. Seems to me like you are generally on the correct path, but you underestimate so far how precise you must be in assembler, it takes lot more effort and focus to read the functionality correctly just from the source (than reading some C). – Ped7g Sep 29 '18 at 16:53
  • This is actually really helpful thanks, still slightly confused about the values/length of the array, are you saying that an answer as long as it provides the necessary values would pass no matter the size and value of the elements remaining as long as they don't activate the bomb? – kreltin junior Sep 29 '18 at 17:29
  • from the piece you provided yes, you can provide basically infinite amount of "correct" answers (limited only by the amount of memory available). It will be still a small sub-set from the total possible inputs, i.e. your array must have certain specific values at certain places, but seems to me like only about 16mil:1 reduction (from "any" array to "passable") will happen, once you have length at least 17 bytes (under 17 theoretically all inputs are "wrong", but by accident some may still pass when 6th and 17th byte are +11 apart after sign extension). – Ped7g Sep 29 '18 at 17:42
  • Make sure there no external constraints (like the answer should be "string" for example), and adjust by that too. Anyway it's common in C/C++/asm that the code does lot of dangerous assumptions, like in this one there is no check if argument provided is "long" enough, that's what "unmanaged" languages do, there are no guards in release (optimized) variant of code and it's up to programmer to keep the code from doing something stupid, which is generally the major point why Java/C#/JS are often deemed "easier" for newcomers, for example in Java the short input would cause "OutOfBoundsException". – Ped7g Sep 29 '18 at 17:45
  • the answer should be a string is the only constraint which is fine, i'm really confused now about the +11 value, is 11 a +11 value? what does that exactly mean, is it to do with the byte extension? – kreltin junior Sep 30 '18 at 08:10

0 Answers0