-
Notifications
You must be signed in to change notification settings - Fork 0
/
phase3.txt
133 lines (122 loc) · 5.41 KB
/
phase3.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
===================
Phase 3
===================
Move the breakpoint from commands file to 0x8048a98, the beginning of phase_3.
0x8048a98 <main+232>: call 0x80491fc <read_line>
0x8048a9d <main+237>: add $0xfffffff4,%esp
0x8048aa0 <main+240>: push %eax
0x8048aa1 <main+241>: call 0x8048b98 <phase_3>
0x8048aa6 <main+246>: call 0x804952c <phase_defused>
Dump of assembler code for function phase_3:
0x08048b98 <+0>: push ebp
0x08048b99 <+1>: mov ebp,esp
0x08048b9b <+3>: sub esp,0x14
0x08048b9e <+6>: push ebx
0x08048b9f <+7>: mov edx,DWORD PTR [ebp+0x8] --> address of first parameter, the password for phase_3
0x08048ba2 <+10>: add esp,0xfffffff4
0x08048ba5 <+13>: lea eax,[ebp-0x4]
0x08048ba8 <+16>: push eax
0x08048ba9 <+17>: lea eax,[ebp-0x5]
0x08048bac <+20>: push eax
0x08048bad <+21>: lea eax,[ebp-0xc]
0x08048bb0 <+24>: push eax
0x08048bb1 <+25>: push 0x80497de --> the format string for sscanf, "%d %c %d"
0x08048bb6 <+30>: push edx
0x08048bb7 <+31>: call 0x8048860 <sscanf@plt>
0x08048bbc <+36>: add esp,0x20
0x08048bbf <+39>: cmp eax,0x2
0x08048bc2 <+42>: jg 0x8048bc9 <phase_3+49>
0x08048bc4 <+44>: call 0x80494fc <explode_bomb>
0x08048bc9 <+49>: cmp DWORD PTR [ebp-0xc],0x7
0x08048bcd <+53>: ja 0x8048c88 <phase_3+240>
0x08048bd3 <+59>: mov eax,DWORD PTR [ebp-0xc]
0x08048bd6 <+62>: jmp DWORD PTR [eax*4+0x80497e8]
0x08048bdd <+69>: lea esi,[esi+0x0]
0x08048be0 <+72>: mov bl,0x71
0x08048be2 <+74>: cmp DWORD PTR [ebp-0x4],0x309
0x08048be9 <+81>: je 0x8048c8f <phase_3+247>
0x08048bef <+87>: call 0x80494fc <explode_bomb>
0x08048bf4 <+92>: jmp 0x8048c8f <phase_3+247>
0x08048bf9 <+97>: lea esi,[esi+eiz*1+0x0]
0x08048c00 <+104>: mov bl,0x62
0x08048c02 <+106>: cmp DWORD PTR [ebp-0x4],0xd6
0x08048c09 <+113>: je 0x8048c8f <phase_3+247>
0x08048c0f <+119>: call 0x80494fc <explode_bomb>
0x08048c14 <+124>: jmp 0x8048c8f <phase_3+247>
0x08048c16 <+126>: mov bl,0x62
0x08048c18 <+128>: cmp DWORD PTR [ebp-0x4],0x2f3
0x08048c1f <+135>: je 0x8048c8f <phase_3+247>
0x08048c21 <+137>: call 0x80494fc <explode_bomb>
0x08048c26 <+142>: jmp 0x8048c8f <phase_3+247>
0x08048c28 <+144>: mov bl,0x6b
0x08048c2a <+146>: cmp DWORD PTR [ebp-0x4],0xfb
0x08048c31 <+153>: je 0x8048c8f <phase_3+247>
0x08048c33 <+155>: call 0x80494fc <explode_bomb>
0x08048c38 <+160>: jmp 0x8048c8f <phase_3+247>
0x08048c3a <+162>: lea esi,[esi+0x0]
0x08048c40 <+168>: mov bl,0x6f
0x08048c42 <+170>: cmp DWORD PTR [ebp-0x4],0xa0
0x08048c49 <+177>: je 0x8048c8f <phase_3+247>
0x08048c4b <+179>: call 0x80494fc <explode_bomb>
0x08048c50 <+184>: jmp 0x8048c8f <phase_3+247>
0x08048c52 <+186>: mov bl,0x74
0x08048c54 <+188>: cmp DWORD PTR [ebp-0x4],0x1ca
0x08048c5b <+195>: je 0x8048c8f <phase_3+247>
0x08048c5d <+197>: call 0x80494fc <explode_bomb>
0x08048c62 <+202>: jmp 0x8048c8f <phase_3+247>
0x08048c64 <+204>: mov bl,0x76
0x08048c66 <+206>: cmp DWORD PTR [ebp-0x4],0x30c
0x08048c6d <+213>: je 0x8048c8f <phase_3+247>
0x08048c6f <+215>: call 0x80494fc <explode_bomb>
0x08048c74 <+220>: jmp 0x8048c8f <phase_3+247>
0x08048c76 <+222>: mov bl,0x62
0x08048c78 <+224>: cmp DWORD PTR [ebp-0x4],0x20c
0x08048c7f <+231>: je 0x8048c8f <phase_3+247>
0x08048c81 <+233>: call 0x80494fc <explode_bomb>
0x08048c86 <+238>: jmp 0x8048c8f <phase_3+247>
0x08048c88 <+240>: mov bl,0x78
0x08048c8a <+242>: call 0x80494fc <explode_bomb>
0x08048c8f <+247>: cmp bl,BYTE PTR [ebp-0x5]
0x08048c92 <+250>: je 0x8048c99 <phase_3+257>
0x08048c94 <+252>: call 0x80494fc <explode_bomb>
0x08048c99 <+257>: mov ebx,DWORD PTR [ebp-0x18]
0x08048c9c <+260>: mov esp,ebp
0x08048c9e <+262>: pop ebp
0x08048c9f <+263>: ret
End of assembler dump.
(gdb) x/s 0x80497de
0x80497de: "%d %c %d"
For a test with the input for passphrase 3 as "123 x 456", we have the results:
(gdb) p /x $eax
$5 = 0x3
(gdb) x/d $ebp-4
0xbffff3f4: 456
(gdb) x/c $ebp-5
0xbffff3f3: 120 'x'
(gdb) x/d $ebp-0xc
0xbffff3ec: 123
(gdb)
First condition to not explode the bomb: we have to fill all the 3 variables passed to sscanf.
0x08048bbf <+39>: cmp eax,0x2
0x08048bc2 <+42>: jg 0x8048bc9 <phase_3+49>
0x08048bc4 <+44>: call 0x80494fc <explode_bomb>
Second condition: first number must be <=7
0x08048bc9 <+49>: cmp DWORD PTR [ebp-0xc],0x7
0x08048bcd <+53>: ja 0x8048c88 <phase_3+240>
The last part of the function looks like a case structure. We have the following table of addresses:
0x08048bd6 <+62>: jmp DWORD PTR [eax*4+0x80497e8]
In $eax we have the first number, which we chose as 7.
(gdb) x/10wx 0x80497e8
0x80497e8: 0x08048be0 0x08048c00 0x08048c16 0x08048c28
0x80497f8: 0x08048c40 0x08048c52 0x08048c64 0x08048c76
0x8049808: 0x67006425 0x746e6169
In our case, when the first parameter was 7, we'll jump to 0x08048c76.
(gdb) x /x $eax*4+0x80497e8
0x8049804: 0x08048c76
0x08048c76 <+222>: mov bl,0x62 --> ascii letter 'b'
0x08048c78 <+224>: cmp DWORD PTR [ebp-0x4],0x20c --> 524 in decimal
0x08048c7f <+231>: je 0x8048c8f <phase_3+247>
0x08048c81 <+233>: call 0x80494fc <explode_bomb>
0x08048c86 <+238>: jmp 0x8048c8f <phase_3+247>
So we have the password for phase_3:
7 b 524