Reverse engineering the binary bomb: the first phase

Source: Internet
Author: User

On to the binary bomb experiment; the name is cool, isn't it? Briefly: the binary bomb is an executable that, when run, prompts the user to enter six different strings, and if any one of them is wrong, the bomb explodes. There are six phases, and the difficulty increases with each one. The exercise requires students to find the six answers by disassembling and reverse engineering the program, thereby defusing the bomb.

The documentation hints at GDB and objdump, so the question is: what's the first step?

As usual, I ran objdump --help and read through the options. There is a -t flag that prints the program's symbol table. As far as I know, the symbol table holds function and variable names, so perhaps some telling symbols there will give me a clue. Let's open it up!

objdump -t bomb > 1

Browsing the output, I found clues: the table contains symbols phase_1 through phase_6, which correspond nicely to the six levels. Since the output is a bit messy, we grep for them.

Well, the results are clear, but what do invalid_phase and secret_phase do? Not clear yet; just ignore them for now.

Disassemble the bomb program, redirecting the output to file 2, and locate the phase_1 section.

Inside phase_1 there is a call to explode_bomb, so this is the right place.

Next -----------> Tracing phase_1

Analyzing phase_1, the logic is clear: it calls strings_not_equal to determine whether the two strings are equal. If they are, it jumps to the leave statement and returns; if not, explode_bomb is called and the program ends.

Let me follow into strings_not_equal and analyze its code:

I added comments to the key part; the logic of strings_not_equal is this:

Call string_length to compute the length of the user's input, then compare it with the key's length. If the lengths differ, explode immediately; if they are equal, go on to compare the strings themselves.
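To make the reconstructed logic concrete, here is an added C model of string_length, strings_not_equal and phase_1 as described above and in the string_length subsection below. It is not the bomb's own code; the key is a constructed sample, and phase_1 reports a result instead of exploding.

```c
/* Added example: a C reconstruction of the phase_1 logic described above.
 * This is not the bomb's own source; the key string is a constructed sample. */
#include <stddef.h>
#include <stdio.h>

/* Constructed sample key (the real bomb reads its key from the binary). */
static const char SAMPLE_KEY[] = "constructed sample key for phase one";

/* Equivalent of the bomb's string_length: walk until the NUL byte.
 * In the disassembly the result comes back in EAX, which is why a
 * breakpoint right after the call reveals the length of the key. */
size_t bomb_string_length(const char *s) {
    size_t n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

/* Equivalent of strings_not_equal: returns 1 if different, 0 if equal.
 * Lengths are compared first; only when they match does the
 * byte-by-byte comparison run. */
int bomb_strings_not_equal(const char *input, const char *key) {
    if (bomb_string_length(input) != bomb_string_length(key))
        return 1;
    for (size_t i = 0; input[i] != '\0'; i++) {
        if (input[i] != key[i])
            return 1;
    }
    return 0;
}

/* Equivalent of phase_1, except it reports instead of calling explode_bomb:
 * returns 1 if the bomb would explode, 0 if the phase is defused. */
int phase_1_would_explode(const char *input) {
    return bomb_strings_not_equal(input, SAMPLE_KEY);
}

int main(void) {
    const char *tries[] = { "wrong guess", SAMPLE_KEY };
    for (size_t i = 0; i < 2; i++)
        printf("\"%s\": %s\n", tries[i],
               phase_1_would_explode(tries[i]) ? "BOOM" : "defused");
    return 0;
}
```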

The string_length subroutine:

Well, the analysis of the key code is almost done. Let me go over it once more and briefly draw a block diagram.

Logic of phase_1, the first bomb:

Analysis of the strings_not_equal sub-module:

Well, I can't wait to crack it open.

Next -----------> Add breakpoints and step through with the GDB debugger

Add a breakpoint at the entry of the strings_not_equal function. Actually, I'd say the key can already be extracted here, because the bomb's logic is very simple: the string argument is passed in and compared.

Before the call, the value to compare against must be pushed onto the stack, like this one:

0x8048b22:   $0x8049678

It looks suspicious.

Let's try printing it:

It sure is. :-D

But it's too boring to defuse it this quickly; let's go inside and analyze it.

A question: what should I do if I want to know the length of the key?

Analysis: strings_not_equal calls string_length to compute the length, and the function's result is returned in the EAX register. So it is very simple: add a breakpoint right after the string_length call that is given the key, then print the value of EAX!

We set a breakpoint at 0x8048f49, just after the string_length call, and print: out it comes, the key length is 35! Don't believe it? Count for yourself. :-D

Then another question: what if I want to know what data the user entered?

Anyone who followed my analysis of the code above knows that passing an argument is nothing more than pushing it onto the stack, and it can be read back via the frame pointer plus an offset. Quickly navigate to address 0x8048f38, add a breakpoint, print the value of the ESI register, and bingo!

I have a dream! Cool gorgeous!

Here is a technique for formatting the output string with a C program, which Riobo taught me while debugging the Java virtual machine.

We just found out that the string length is 35, so we use GDB to print the 35 characters starting at the address where the string is stored.

Then write a C program:

OK, that's it.

The bomb hasn't been defused yet. Finally, run the bomb program and enter the key: "The futre will be better tomorrow."

At this point, the bomb is defused.

I haven't analyzed the second one yet; going back to Live!
