I'm having trouble with the password for phase_4 of my binary bomb.

So far, I understand... the inputs must be 2 integers (line 29)

and the second integer should be less than or equal to 2 when 2 is subtracted from it (lines 38-44), which means it should be a number 2-4.

Then, it calls func4, and compares the output of func4 to rsp (which I've done some testing and rsp is always 0) so I need to find a number that returns 0 when inputted into func4.

What's confusing me is: if the result of func4 needs to be 0, that means its input should be 0. Taking into account line 38 in phase_4 where it subtracts 2 from my input, that should mean my second # should be 2...? However I have tried that and it makes it explode in line 46 as it doesn't satisfy the first comparison.

I have tried numbers like (0 2) (2 0) (0 1) (0 3) and they all failed. Any suggestions to point me in the right direction? Thanks!

phase_4:
   0x000000000040101e <+0>: sub    $0x18,%rsp
   0x0000000000401022 <+4>: lea    0xc(%rsp),%rcx
   0x0000000000401027 <+9>: lea    0x8(%rsp),%rdx
   0x000000000040102c <+14>:    mov    $0x4027cd,%esi
   0x0000000000401031 <+19>:    mov    $0x0,%eax
   0x0000000000401036 <+24>:    callq  0x400c30 <__isoc99_sscanf@plt>
   0x000000000040103b <+29>:    cmp    $0x2,%eax        //check if 2 inputs
   0x000000000040103e <+32>:    jne    0x40104c <phase_4+46>
   0x0000000000401040 <+34>:    mov    0xc(%rsp),%eax   
=> 0x0000000000401044 <+38>:    sub    $0x2,%eax        
   0x0000000000401047 <+41>:    cmp    $0x2,%eax
   0x000000000040104a <+44>:    jbe    0x401051 <phase_4+51>//if unsigned eax <= 2
   0x000000000040104c <+46>:    callq  0x401554 <explode_bomb>
   0x0000000000401051 <+51>:    mov    0xc(%rsp),%esi  
   0x0000000000401055 <+55>:    mov    $0x7,%edi      
   0x000000000040105a <+60>:    callq  0x400fe6 <func4>
   0x000000000040105f <+65>:    cmp    0x8(%rsp),%eax  //comparing eax to 0
   0x0000000000401063 <+69>:    je     0x40106a <phase_4+76> 
   0x0000000000401065 <+71>:    callq  0x401554 <explode_bomb> //explode if output != 0
   0x000000000040106a <+76>:    add    $0x18,%rsp
   0x000000000040106e <+80>:    retq 

Func4
   0x0000000000400fe6 <+0>: push   %r12
   0x0000000000400fe8 <+2>: push   %rbp
   0x0000000000400fe9 <+3>: push   %rbx
   0x0000000000400fea <+4>: mov    %edi,%ebx
   0x0000000000400fec <+6>: test   %edi,%edi
   0x0000000000400fee <+8>: jle    0x401014 <func4+46> //if input <= 0
   0x0000000000400ff0 <+10>:    mov    %esi,%ebp
   0x0000000000400ff2 <+12>:    mov    %esi,%eax
   0x0000000000400ff4 <+14>:    cmp    $0x1,%edi
   0x0000000000400ff7 <+17>:    je     0x401019 <func4+51>
   0x0000000000400ff9 <+19>:    lea    -0x1(%rdi),%edi
   0x0000000000400ffc <+22>:    callq  0x400fe6 <func4>
   0x0000000000401001 <+27>:    lea    (%rax,%rbp,1),%r12d
   0x0000000000401005 <+31>:    lea    -0x2(%rbx),%edi
   0x0000000000401008 <+34>:    mov    %ebp,%esi
   0x000000000040100a <+36>:    callq  0x400fe6 <func4>
   0x000000000040100f <+41>:    add    %r12d,%eax
   0x0000000000401012 <+44>:    jmp    0x401019 <func4+51>
   0x0000000000401014 <+46>:    mov    $0x0,%eax  //make return val 0
   0x0000000000401019 <+51>:    pop    %rbx
   0x000000000040101a <+52>:    pop    %rbp
   0x000000000040101b <+53>:    pop    %r12
   0x000000000040101d <+55>:    retq 
  • Might want to explain what a binary bomb is and explain a bit more what your approach has been for solving it and why you think it's not working. Commented Oct 22, 2016 at 22:26
  • Possible duplicate of Binary Bomb - Phase 4 Commented Oct 22, 2016 at 22:49
  • @BoPersson phase 4 is similar, but func 4 is different. I believe in my case func4 is a recursive Fibonacci function. And I know my second input must be >= 2 Commented Oct 22, 2016 at 22:52

1 Answer

Then, it calls func4, and compares the output of func4 to rsp (which I've done some testing and rsp is always 0) so I need to find a number that returns 0 when inputted into func4.

This is incorrect. The output of func4 is compared with [rsp + 8], in which the first number was stored.

If we write the desired input as (a, b), then we have a = func4 (7, b) and 2 <= b <= 4.

To understand what func4 (x, y) does I recommend that you convert it to C. See my answer to this question for an illustration.

1 Comment

Thanks so much, yeah I figured that out yesterday. I was doing "i r rsp" thinking it automatically did the addition, but it didn't. Turns out it was just comparing the output of func4 to the first integer that I inputted. Thanks for your help!
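
A C rendering of the func4 listing in the question, added here as an illustration of the "convert it to C" advice in the answer; it is not code from the question or the answer. The helper name phase_4_accepts is hypothetical, and the sscanf format at 0x4027cd is assumed to read two integers into [rsp+8] (first) and [rsp+0xc] (second), as the question states.

```c
#include <stdio.h>

/* func4 as read from the disassembly: edi = n, esi = v. */
int func4(int n, int v)
{
    if (n <= 0)                      /* <+6>,<+8>: test/jle, return 0 */
        return 0;
    if (n == 1)                      /* <+14>,<+17>: eax already holds v */
        return v;
    int r12 = func4(n - 1, v) + v;   /* <+19>..<+27>: lea (%rax,%rbp,1),%r12d */
    return func4(n - 2, v) + r12;    /* <+31>..<+41>: add %r12d,%eax */
}

/* The two checks phase_4 makes after sscanf (hypothetical helper name).
 * Returns 1 when neither explode_bomb call would be reached. */
int phase_4_accepts(int first, int second)
{
    /* <+38>..<+44>: sub $2; cmp $2; jbe is an UNSIGNED compare, so
     * values below 2 wrap to a huge number and fail the check. */
    if ((unsigned)second - 2u > 2u)
        return 0;
    /* <+65>: cmp 0x8(%rsp),%eax compares against the first integer,
     * not against the rsp register itself. */
    return func4(7, second) == first;
}

int main(void)
{
    /* Constructed sample inputs: show the range check and func4's value. */
    for (int b = 0; b <= 6; b++)
        printf("second=%d range_ok=%d func4(7,second)=%d\n",
               b, (unsigned)b - 2u <= 2u, func4(7, b));
    return 0;
}
```

The recurrence is f(0) = 0, f(1) = v, f(n) = f(n-1) + f(n-2) + v, so the result scales linearly with the second argument.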
