Defusing a Binary Bomb: phase_5

-1

Here is my understanding of what the code is doing, and how I'd like to solve it: First I need to find a string, and then reverse engineer that string, based on the 16-byte lookup table that I have found. I do know that the values of these "offsets" must add up to 60, see line <+53>.

I have tried to find this 6 character string by using x/s 0x4011fe, and other examine commands (x/6c etc), yet I am not getting anything close to correct. Is there something I can change to get the correct output so that I can continue defusing this phase?

Once I find this string, my idea is to look at this required output string, then figure out the input string required to get to the expected output. I am thinking- look at the hex value of each char, compare those to my table (lowest order), and then find a corresponding char using the ascii table. I'm only wondering if this is the correct approach, thanks.

Lookup table:

(gdb) x/16xw 0x402780
<array.3600>: 0x00000002    0x0000000a    0x00000006    0x00000001
<array.3600>: 0x0000000c    0x00000010    0x00000009    0x00000003
<array.3600>: 0x00000004    0x00000007    0x0000000e    0x00000005
<array.3600>: 0x0000000b    0x00000008    0x0000000f    0x0000000d

Disassembly of phase_5:

0x00000000004011bf <+0>:    push   %rbx
0x00000000004011c0 <+1>:    mov    %rdi,%rbx
0x00000000004011c3 <+4>:    callq  0x401414 <string_length>
0x00000000004011c8 <+9>:    cmp    $0x6,%eax //6 letter string!
0x00000000004011cb <+12>:   je     0x4011d2 <phase_5+19> //if 6, jump over the explode
0x00000000004011cd <+14>:   callq  0x401706 <explode_bomb>
0x00000000004011d2 <+19>:   mov    %rbx,%rax 
0x00000000004011d5 <+22>:   lea    0x6(%rbx),%rdi
0x00000000004011d9 <+26>:   mov    $0x0,%ecx
0x00000000004011de <+31>:   movzbl (%rax),%edx
0x00000000004011e1 <+34>:   and    $0xf,%edx //”and” each letter
0x00000000004011e4 <+37>:   add    0x402780(,%rdx,4),%ecx
0x00000000004011eb <+44>:   add   $0x1,%rax
0x00000000004011ef <+48>:   cmp    %rdi,%rax //compare, and then loop again. 
0x00000000004011f2 <+51>:   jne    0x4011de <phase_5+31> //loop!
0x00000000004011f4 <+53>:   cmp    $0x3c,%ecx //final compare, and then done! (0x3c = 60)
0x00000000004011f7 <+56>:   je     0x4011fe <phase_5+63> //jump over explode, and finish! 
0x00000000004011f9 <+58>:   callq  0x401706 <explode_bomb>
0x00000000004011fe <+63>:   pop    %rbx
0x00000000004011ff <+64>:   retq   
End of assembler dump.
assembly
x86
reverse-engineering
asked on Stack Overflow Dec 3, 2016 by Mary • edited Dec 3, 2016 by Ross Ridge

1 Answer

2

After much thought, I have successfully found an answer. It turns out there is no string to compare, only the value of 0x3c. Over-thinking seems to be a common demise for me when it comes to reading assembly code.

Essentially, I needed to pick 6 numbers from the array that sum up to 0x3c. Then pick 6 printable characters, or numbers, that have the appropriate index as the low 4 bits. So, the easiest choice was 0xa, which has an index of 1, (0xa = 10, so getting 6 values was trivial).

Thanks for the comments everyone.

answered on Stack Overflow Dec 3, 2016 by Mary

User contributions licensed under CC BY-SA 3.0