I'm attempting to solve phase 5 of a Binary Bomb exercise, which requires the user to put in a string comprised of 6 characters to proceed. While I have figured out that the total sum the 6 characters need to add up to is 0x39 aka 57, I am having trouble understanding the process to this however. All the guides I have found for phase 5 advise to pick 6 numbers from the array that sum up to 0x1c/28 then pick 6 characters that have the appropriate index as the "low 4 bits", but frankly I cannot figure out how to correspond letters/characters to the low 4 bits of an index.

Right now I have 6 numbers from the array which sum up to 28, which are 1, 3, 4, 5, 6, and 9. But I don't know how to correspond these to the low 4 bits.

Here is the phase 5 code in case it is relevant.

```
   0x08048b58 <+0>:     push   %ebp
   0x08048b59 <+1>:     mov    %esp,%ebp
   0x08048b5b <+3>:     push   %edi
   0x08048b5c <+4>:     push   %esi
   0x08048b5d <+5>:     push   %ebx
=> 0x08048b5e <+6>:     sub    $0x1c,%esp
   0x08048b61 <+9>:     mov    0x8(%ebp),%ebx
   0x08048b64 <+12>:    mov    %ebx,(%esp)
   0x08048b67 <+15>:    call   0x8048d10 <string_length>
   0x08048b6c <+20>:    cmp    $0x6,%eax
   0x08048b6f <+23>:    je     0x8048b76 <phase_5+30>
   0x08048b71 <+25>:    call   0x8048e51 <explode_bomb>
   0x08048b76 <+30>:    mov    $0x0,%edx
   0x08048b7b <+35>:    mov    $0x0,%eax
   0x08048b80 <+40>:    mov    $0x8049400,%ecx
   0x08048b85 <+45>:    movsbl (%ebx,%eax,1),%esi
   0x08048b89 <+49>:    and    $0xf,%esi
   0x08048b8c <+52>:    add    (%ecx,%esi,4),%edx
   0x08048b8f <+55>:    add    $0x1,%eax
   0x08048b92 <+58>:    cmp    $0x6,%eax
   0x08048b95 <+61>:    jne    0x8048b85 <phase_5+45>
   0x08048b97 <+63>:    cmp    $0x39,%edx
   0x08048b9a <+66>:    je     0x8048ba1 <phase_5+73>
   0x08048b9c <+68>:    call   0x8048e51 <explode_bomb>
   0x08048ba1 <+73>:    add    $0x1c,%esp
   0x08048ba4 <+76>:    pop    %ebx
   0x08048ba5 <+77>:    pop    %esi
   0x08048ba6 <+78>:    pop    %edi
   0x08048ba7 <+79>:    pop    %ebp
   0x08048ba8 <+80>:    ret
```
  • Consult an [ascii table](http://man7.org/linux/man-pages/man7/ascii.7.html). See also [this answer](https://stackoverflow.com/a/14651462/547981). Pick 6 entries from the lookup table that add up to the given sum, then pick an appropriate input for each index that has the same low 4 bits (that is the least significant digit in hex). See the example in the linked answer - if you need index 6, you can pick any input with ascii code that ends in 6 in hex. – Jester Jul 19 '19 at 19:01
  • It's just an array. The code does `sum += array[i & 0xf];`. You can do `x/16wd 0x8049400` to print the table. – Jester Jul 19 '19 at 19:19
  • You mapped the values apparently, not the indices. – Jester Jul 19 '19 at 22:04
  • @Jester (gdb) x/16wd 0x8049400 The exact readout was ```0x8049400 : 2 10 6 1``` ```0x8049410 : 12 16 9 3``` ```0x8049420 : 4 7 14 5``` ```0x8049430 : 11 8 15 13 ``` So I am mapping this incorrectly by doing the values after the ? – NewCoder019 Jul 19 '19 at 22:12
  • You picked the **values** 1,3,4,5,6,9 but you need to use their **indices** e.g. 1 has index 3, 3 has index 7, etc. PS: not sure why you are adding to 28 either ... `cmp $0x39,%edx` is not 28 in decimal. – Jester Jul 19 '19 at 22:30
  • @Jester Ugh I have no idea how I ended up thinking the ```$0x1c``` in ```add $0x1c,%esp``` was the value it needed to be summed up to. Thank you for the clarification, I now have the actual 6 values needed to sum it up. Last question I swear and I will be able to complete this phase: how do I find the indices of values (i.e. 1 index 3, 3 index 7 as you mentioned)? Is there a table similar to the ascii one you linked earlier to find indices or a command function in assembly/gdb? Thank you once again for all your help. – NewCoder019 Jul 19 '19 at 22:56
  • Umm ... count the position in the array? Indexing starts from zero. You see `1` is the 4th element, so index 3. – Jester Jul 19 '19 at 23:21
  • @Jester Finally got it! Thank you for all your help, I couldn't have done it without you. I had a lot of trouble at first because I chose numbers with double digit values but I switched to a different set of 6 all in single digits and it was much easier. – NewCoder019 Jul 19 '19 at 23:46
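
The value-to-index-to-character mapping worked out in the comments above, as an added example that is not part of the original thread: it reimplements the summing loop from the disassembly over the table printed by `x/16wd 0x8049400`, then searches for six characters whose low 4 bits select entries adding up to `0x39`. The function names, the choice of lowercase letters, and the search itself are this example's own assumptions.

```c
#include <stdio.h>

/* Table as printed by `x/16wd 0x8049400` in the thread above. */
static const int table[16] = {2, 10, 6, 1, 12, 16, 9, 3, 4, 7, 14, 5, 11, 8, 15, 13};

/* Same arithmetic as the loop at <+45>..<+61>: sum += table[c & 0xf]. */
int phase5_sum(const char *s) {
    int sum = 0;
    for (int i = 0; i < 6; i++)
        sum += table[s[i] & 0xf];
    return sum;
}

/* 0-based position of a value in the table, or -1 if it is absent. */
int index_of_value(int value) {
    for (int i = 0; i < 16; i++)
        if (table[i] == value) return i;
    return -1;
}

/* A lowercase letter whose low 4 bits equal idx: 'a'..'o' are 0x61..0x6f,
   and 'p' (0x70) covers index 0. The letter choice is this example's own. */
char char_for_index(int idx) {
    return idx == 0 ? 'p' : (char)(0x60 | idx);
}

/* Depth-first search: fill `slots` characters whose entries sum to `remaining`. */
int solve(int remaining, int slots, char *out) {
    if (slots == 0) return remaining == 0;
    for (int idx = 0; idx < 16; idx++) {
        if (table[idx] > remaining) continue;   /* entry would overshoot */
        out[0] = char_for_index(idx);
        if (solve(remaining - table[idx], slots - 1, out + 1)) return 1;
    }
    return 0;
}

/* Returns a 6-character input for `target`, or NULL if none exists. */
const char *find_input(int target) {
    static char buf[7];                         /* buf[6] stays '\0' */
    return solve(target, 6, buf) ? buf : NULL;
}

int main(void) {
    const char *s = find_input(0x39);
    if (s) printf("%s -> sum 0x%x\n", s, phase5_sum(s));
    return 0;
}
```

Any character with the same low nibble works equally well, so `char_for_index` could return digits or uppercase letters instead without changing the sum.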
