CMU binary Bombs

This article refers to: http://www.cnblogs.com/remlostime/archive/2011/05/21/2052708.html the great god of the article, sometimes no idea will look, But ensure that each stage of this article is self-thinking after the summary written out.

Phase_1

For Phase1, we just focus on the red box two lines of code, respectively, the memory 0x8049678 at the string A and ebp+0x8 at the string B as a parameter to invoke the Strings_not_equal subroutine, then the logic here is also very clear-- To know the string that asks us to enter, just look at the string at the memory 0x8049678:

Read that Phase_4 finally wondered why the DWORD PTR [ebp+0x8] represented the parameters that the subroutine had accepted, and the subroutine called the model as shown:

ebp+0x4 is 4 bytes across the EBP, plus 4 is 4 units across the return address.

Phase_2

First we focus on the red part, phase_2 the values of EAX and [ebp+0x8] as parameters to the <read_six_numbers> subroutine, here: push EAX because Phase_ 2 after the subroutine calls to use the value of the eax, and the calling subroutine happens to use the value of eax, in order to maintain Eax,caller choose to press the stack, which is a way to save eax, and [ebp+0x8] is the value of the program from the keyboard read our input, As a parameter to call phase_2, and for this parameter placement, is the entire phase_2 the most critical place!

These two lines are two lines of code inside the Read_six_numbers subroutine, first ebp+0x8 is passed to the subroutine's parameters, that is, the phase_2 ebp+0x8, that is, our keyboard input 6 number. The proc then reads the data from the input with sscanf-- where to put it? Yes, the Green Line of the Phase_2 subroutine, if not rigorously tested, we only look at the code, the Yellow Line set ESI's designated location, and the subsequent loop process, can help us to determine The sscanf function of read_six_numbers is to read the input string to the [ebp-0x20] position.

If the most scientific approach should be this: we set a breakpoint on the line of the Green Line, then execute the program, and then input the parameters of the 2nd function to a x,x of a random integer (no more than the int range), and then we look at the DWORD at [ebp-0x20] and we see that this value is 23. --that proves the speculation we have.

Phase_3

First look at the beginning of the red part, are called sscanf function parameters to press the stack, first red box is not difficult to see is used to store parameters, then that memory address inside what is it? Look at it to make it clear:

Yes, it is the string format parameter that is required to pass the SSCANF function, and then we can read what we need from the memory pointed to by [ebp+0x8] to the appropriate location, and there is a point to note that the switch selection statement for the green box We can show all the 16 binary contents behind the memory address by the corresponding instruction:

So which one to choose, we look at the yellow statement below, he tells us that the value of one parameter must be less than or equal to 5, that is, eax*4<=20, that is, we can choose up to 0x8048bcc this memory address, And then from the first address to the end of the 6 address of the choice of one to calculate, the answer can be obtained through phase_3, the subsequent arithmetic process is not difficult, not to elaborate.

Phase_4:

With Phase_3 view the value at memory 0x804996b, you can see that is "%d", visible sscanf is input to read a number, which can be seen by the return value EAX. The yellow box indicates that the number we entered must be positive. The green Box tells us that the return value of FUNC4 (input) is 144D (0x90), and the idea is obvious, we are concerned with the return value of the FUNC4 function.

This is the disassembly-code of the FUNC4 function, first the brown box can see each call subroutine with EBX to save the value of the parameter and then is to determine the value of the parameter, if it is greater than 1, it is reversed to the offset address of 20, and vice versa jumps to the 50 offset address, The intermediate specific operations are given below: Func (1): 1return 1 func (2): 2esi = 0esi += func (1)  = 0+1  = 1ebx = 2-2 = 0    noreturn esi+1 = 1+1  = 2 func (3): 3esi = 0esi += func (2)  = 0+2 = 2ebx =  3-2 = 1    noreturn esi+1 = 2+1 = 3 func (4) : 5esi = 0esi += func (3)  = 0+3 = 3ebx = 4-2 = 2     okesi += func (2-1)  = 3+1 = 4ebx = 2-2 =  0    noreturn esi+1 = 4+1 = 5 func (5): 8esi =  0esi += func (4)  = 0+5 = 5ebx = 5-2 = 3     okesi += func (3-1) = 5+2 = 7ebx = 3-2 = 1    noreturn esi+1  = 7+1 = 8 func (6): 13esi = 0esi += func (5)  = 0+8 =  8ebx = 6-2 = 4    okesi += func (4-1)  = 8+3  = 11ebx = 4-2 = 2    okesi += func (2-1)  =  11+1 = 12ebx = 2-2 = 0    noreturn esi+1 =  12+1 = 13 func (7): 21esi = 0esi += func (6)  = 0+13 =  13ebx = 7-2 = 5    okesi += func (5-1)  = 13+5  = 18ebx = 5-2 = 3    okesi += func (3-1)  =  18+2 = 20ebx = 3-2 = 1    noreturn esi+1 =  20+1 = 21  func (8): 34esi = 0esi += func (7)  = 0+21 = 21ebx = 8-2 =  6    okesi += func (6-1)  = 21+8 = 29ebx = 6-2  = 4    okesi += func (4-1)  = 29+3 = 32ebx =  4-2 = 2    okesi += func (2-1)  = 32+1 = 33ebx  = 2-2 = 0    noreturn esi+1 = 33+1 = 34  func (9): 55esi = 0esi += func (8)  = 0+34 = 34ebx = 9-2  = 7    okesi += func (7-1)  = 34+13 = 47ebx =  7-2 = 5    okesi += func (5-1)  = 47+5 = 52ebx  = 5-2 = 3    okesi += func (3-1)  = 52+2 =  54ebx = 3-2 = 1    noreturn esi+1 = 54+1 = 55 func (10) : 11esi = 0esi += func (9)  = 0+55 = 55ebx = 10-2 = 8     okesi += func (8-1)  = 55+21 = 76ebx = 8-2  = 6    okesi += func (6-1)  = 76+8 = 84ebx =  6-2 = 4    okesi += func (4-1)  = 84+3 = 87ebx  = 4-2 = 2    okesi += func (2-1)  = 87+1 =  88ebx = 2-2 = 0    noreturn esi+1 = 88+1 = 89  func (one): Esi = 0esi += func (Ten)  = 0+89 = 89ebx = 11-2  = 9    okesi += func (9-1)  = 89+34 = 123ebx =  9-2 =  7    okesi += func (7-1)  = 123+13 = 136ebx = 7-2  = 5    okesi += func (5-1)  = 136+5 = 141ebx =  5-2 = 3    okesi += func (3-1)  = 141+2 =  143ebx = 3-2 = 1    noreturn esi+1 = 143+1 =  144  It is important to note that the value of ESI is also changed back to the pre-call, which is always 0, and the pit has been around for a long time.

Phase_5:

There is nothing to say, the green part is the loop body, the function is to transfer the parameters of the phase_5 to the address pointed to by ECX, edx as a cyclic variable from 1 to 6

It is easy to know that the topic gives us the hint that the converted string equals memory 0x80496c2 the beginning of the content, we look at this content

The converted characters here are useless, the converted ASCII is the key to our hack, and each ASCII code is shown in a red box: First, the ASCII code of the original operand is stored in the EAX, and then four bits are retained. Then the latter four bits as the offset address to find the corresponding new ASCII code according to the 0X80496C2 6 numbers, we can turn out the original 6 char ASCII code after four bits, and then we can measure the ASCII code of abcdef four bits, The discovery is growing from 0001, so you can list the next four-bit ASCII code for a-Z, and then bring the corresponding characters into it (4 answers are correct for this question) converted before Al conversion116/t 1101 m 105/i 0000 p 116/t 1101 m 97/a 0101 e/u 110/n 1011 k 115/s 0001 a/q Phase_6: The question is an insult to my IQ, I refuse to post it. Secrete_phase: This bomb toss can have a week, this afternoon to the 6th to split out, feel the interest in the Assembly is not too big, did not do this, but I refer to the article has a detailed explanation of secrete_phase, we can go to see.

CMU binary Bombs