Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
764 views
in Technique[技术] by (71.8m points)

assembly - Binary Bomb Phase 5 - lookup table translation -> string compare

I have been working on a Binary Bomb for school, and I am absolutely lost in Phase 5. The object of the assignment is to dissemble the code and find a string, which I have found to be "flyers" and reverse engineer it to have the same numerical value as "flyers" does. However, I have spent the last 3-4 hours trying to find out how to do this? You don't have to give answers, but PLEASE help me understand what I need to do. Here is the disassembled code using gdb:

Dump of assembler code for function phase_5:
0x08048d88 <+0>:    push   %ebx
0x08048d89 <+1>:    sub    $0x28,%esp
0x08048d8c <+4>:    mov    0x30(%esp),%ebx
0x08048d90 <+8>:    mov    %gs:0x14,%eax
0x08048d96 <+14>:    mov    %eax,0x1c(%esp)
0x08048d9a <+18>:    xor    %eax,%eax
0x08048d9c <+20>:    mov    %ebx,(%esp)
0x08048d9f <+23>:    call   0x804902b <string_length>
0x08048da4 <+28>:    cmp    $0x6,%eax
0x08048da7 <+31>:    je     0x8048dae <phase_5+38>
0x08048da9 <+33>:    call   0x804934c <explode_bomb>
0x08048dae <+38>:    mov    $0x0,%eax
0x08048db3 <+43>:    movsbl (%ebx,%eax,1),%edx
0x08048db7 <+47>:    and    $0xf,%edx
0x08048dba <+50>:    movzbl 0x804a4b8(%edx),%edx
0x08048dc1 <+57>:    mov    %dl,0x15(%esp,%eax,1)
0x08048dc5 <+61>:    add    $0x1,%eax
0x08048dc8 <+64>:    cmp    $0x6,%eax
0x08048dcb <+67>:    jne    0x8048db3 <phase_5+43>
0x08048dcd <+69>:    movb   $0x0,0x1b(%esp)
0x08048dd2 <+74>:    movl   $0x804a48e,0x4(%esp)
0x08048dda <+82>:    lea    0x15(%esp),%eax
0x08048dde <+86>:    mov    %eax,(%esp)
0x08048de1 <+89>:    call   0x8049044 <strings_not_equal>
0x08048de6 <+94>:    test   %eax,%eax
0x08048de8 <+96>:    je     0x8048def <phase_5+103>
0x08048dea <+98>:    call   0x804934c <explode_bomb>
0x08048def <+103>:    mov    0x1c(%esp),%eax
0x08048df3 <+107>:    xor    %gs:0x14,%eax
0x08048dfa <+114>:    je     0x8048e05 <phase_5+125>
0x08048dfc <+116>:    lea    0x0(%esi,%eiz,1),%esi
0x08048e00 <+120>:    call   0x8048810 <__stack_chk_fail@plt>
0x08048e05 <+125>:    add    $0x28,%esp
0x08048e08 <+128>:    pop    %ebx
0x08048e09 <+129>:    ret    
End of assembler dump.
See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

It isn't quite clear what flyers is, I assume that is one correct input and you have to find others.

The important part is at <+47> and <+50>. It is using a 16-byte lookup table to transform the input string. The code is basically doing:

for(int i = 0; i != 6; i += 1) output[i] = table[input[i] & 0xf];

It's obvious that any characters that share the low 4 bits will produce the same output (even if the values in the lookup table are unique). For example, the first character f has ascii code 0x66, so it is mapped by table entry 0x06. The same applies to any character with 0x06 as low 4 bits, such as & (0x26), 6 (0x36), F (0x46), V (0x56), v (0x76). You can replace f with any of those (non-printable and full 8 bit values omitted for brevity). You can work out the equivalences for the other letters similarly.

If flyers instead is the required output, then you have to examine the contents of the lookup table at address 0x804a4b8 and provide input string with the correct letters that map to the expected output.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...