21

So a little background. I am a beginner with c and assembly code, we have an "bomb" assignment (written in c)which calls methods that require certain passwords, but the code is not visible and I need to determine the correct password by looking at the assembly code.

The code indicates the password for this method is 6 numbers, which is passed as "input" to method phase 2 (I am trying to avoid triggering ).

The part I am getting confused on is is jumping from +64 to +42. It seems to be a loop but I am unsure how the stack is affected with each pass. It looks like the loop exits if the last two numbers are the same, and it has something to do with adding and subtracting 4 but I am unsure how the addresses are traversed. If anyone can translate what exactly is going on, or if i need to look in any particular registers/locations it would help greatly. There are 4 more phases which are each supposed to be more complex so I want to get a good understanding in how to approach reading these.

Also if anyone has a good resource (like a printable table) with assembly code keywords that would be helpful too, and also if there are any differences between 32-bit and 64-bit registers i need to worry about other than the register names..

    82          phase_2(input);
(gdb) disas phase_2
Dump of assembler code for function phase_2:
0x000000000040106b <phase_2+0>: push   %rbp
0x000000000040106c <phase_2+1>: push   %rbx
0x000000000040106d <phase_2+2>: sub    $0x28,%rsp
0x0000000000401071 <phase_2+6>: mov    %rsp,%rsi
0x0000000000401074 <phase_2+9>: callq  0x401457 <read_six_numbers>
0x0000000000401079 <phase_2+14>:        cmpl   $0x0,(%rsp)
0x000000000040107d <phase_2+18>:        jne    0x401086     <phase_2+27>
0x000000000040107f <phase_2+20>:        cmpl   $0x1,0x4(%rsp)
0x0000000000401084 <phase_2+25>:        je     0x40108b <phase_2+32>
0x0000000000401086 <phase_2+27>:        callq  0x401421 <explode_bomb>
0x000000000040108b <phase_2+32>:        lea    0x8(%rsp),%rbx
0x0000000000401090 <phase_2+37>:        lea    0x18(%rsp),%rbp
0x0000000000401095 <phase_2+42>:        mov    -0x8(%rbx),%eax
0x0000000000401098 <phase_2+45>:        add    -0x4(%rbx),%eax
0x000000000040109b <phase_2+48>:        cmp    %eax,(%rbx)
0x000000000040109d <phase_2+50>:        je     0x4010a4 <phase_2+57>
0x000000000040109f <phase_2+52>:        callq  0x401421 <explode_bomb>
0x00000000004010a4 <phase_2+57>:        add    $0x4,%rbx
0x00000000004010a8 <phase_2+61>:        cmp    %rbp,%rbx
0x00000000004010ab <phase_2+64>:        jne    0x401095 <phase_2+42>
0x00000000004010ad <phase_2+66>:        add    $0x28,%rsp
0x00000000004010b1 <phase_2+70>:        pop    %rbx
0x00000000004010b2 <phase_2+71>:        pop    %rbp
0x00000000004010b3 <phase_2+72>:        retq
Bill the Lizard
  • 398,270
  • 210
  • 566
  • 880
Gadesxion
  • 391
  • 2
  • 6
  • 18
  • If you were using windows I'd recommend this: http://www.ollydbg.de/ with gdb (I just find out) use TUI, http://stackoverflow.com/a/2422063/1149736 and than: `layout asm` `start` `layout regs` `ni` `ni` `ni` :) and follow stack carefully http://www.chemie.fu-berlin.de/chemnet/use/info/gdb/gdb_7.html – Vyktor Feb 08 '12 at 00:39
  • 11
    You've got a pretty cool teacher :) – Tim Post Feb 09 '12 at 09:32

1 Answers1

53

Here is a C equivalent of phase2:

int t[6];
read_six_numbers (t);
if ((t[0] != 0) || (t[1] != 1)) {
    explode_bomb();
}

for (int i = 2; i < 6; i++) {
        if (t[i] != t[i - 2] + t[i - 1]) {
            explode_bomb();
    }
}

So the password is 0, 1, 1, 2, 3, 5.

How did I do this ? By gradually replacing the assembly with C.

You'll note that the stack pointer (rsp) never changes. You can see the stack as an array t of 32 bits numbers. That is each time you move by 4 bytes you move to the next element. i.e. 0(%rsp), 4(%rsp), ... are equivalent to t[0], t[1], ...

I'll show you a possible gradual transformation of the bit you have trouble with:

                lea    0x8(%rsp),%rbx
                lea    0x18(%rsp),%rbp
<phase_2+42>:   mov    -0x8(%rbx),%eax
                add    -0x4(%rbx),%eax
                cmp    %eax,(%rbx)
                je     <phase_2+57>
                callq  explode_bomb
<phase_2+57>:   add    $0x4,%rbx
                cmp    %rbp,%rbx
                jne    phase_2+42
------------------------------------------------------
                    rbx = rsp + 8;
                    rbp = rsp + 24;
<phase_2+42>:       eax = [rbx - 8];
                    eax += [rbx - 4];
                    if (eax == [rbx]) goto <phase_2+57>;
                    explode_bomb();
<phase_2+57>:       rbx += 4;
                    if (rbx != rbp) goto phase_2+42;
------------------------------------------------------
rbx = rsp + 8;
rbp = rsp + 24;
do {
    eax = [rbx - 8] + [rbx - 4];
        if (eax != [rbx]) {
        explode_bomb();
    }
        rbx += 4;
} while (rbx != rbp);
------------------------------------------------------
rbx = 8;
do {
    eax = [rsp + rbx - 8] + [rsp + rbx - 4];
        if (eax != [rsp + rbx]) {
        explode_bomb();
    }
        rbx += 4;
} while (rbx < 24);
------------------------------------------------------
i = 2;
do {
    eax = t[i - 2] + t[i - 1];
        if (eax != t[i]) {
        explode_bomb();
    }
        i += 1;
} while (i < 6);
------------------------------------------------------
for (int i = 2; i < 6; i++) {
    if (t[i] != t[i - 2] + t[i - 1]) {
            explode_bomb();
        }
}

If you take the time to understand these transformations you'll be able to transform and understand any piece of assembly.