We finished phase_2. This time we will try to finish phase_3.
First, the disassembly (one typo in the opcode bytes at 400f8f is corrected here: the short jmp is eb 2d):
0000000000400f43 <phase_3>:
  400f43: 48 83 ec 18             sub    $0x18,%rsp
  400f47: 48 8d 4c 24 0c          lea    0xc(%rsp),%rcx
  400f4c: 48 8d 54 24 08          lea    0x8(%rsp),%rdx
  400f51: be cf 25 40 00          mov    $0x4025cf,%esi
  400f56: b8 00 00 00 00          mov    $0x0,%eax
  400f5b: e8 90 fc ff ff          callq  400bf0 <__isoc99_sscanf@plt>
  400f60: 83 f8 01                cmp    $0x1,%eax
  400f63: 7f 05                   jg     400f6a <phase_3+0x27>
  400f65: e8 d0 04 00 00          callq  40143a <explode_bomb>
  400f6a: 83 7c 24 08 07          cmpl   $0x7,0x8(%rsp)
  400f6f: 77 3c                   ja     400fad <phase_3+0x6a>
  400f71: 8b 44 24 08             mov    0x8(%rsp),%eax
  400f75: ff 24 c5 70 24 40 00    jmpq   *0x402470(,%rax,8)
  400f7c: b8 cf 00 00 00          mov    $0xcf,%eax
  400f81: eb 3b                   jmp    400fbe <phase_3+0x7b>
  400f83: b8 c3 02 00 00          mov    $0x2c3,%eax
  400f88: eb 34                   jmp    400fbe <phase_3+0x7b>
  400f8a: b8 00 01 00 00          mov    $0x100,%eax
  400f8f: eb 2d                   jmp    400fbe <phase_3+0x7b>
  400f91: b8 85 01 00 00          mov    $0x185,%eax
  400f96: eb 26                   jmp    400fbe <phase_3+0x7b>
  400f98: b8 ce 00 00 00          mov    $0xce,%eax
  400f9d: eb 1f                   jmp    400fbe <phase_3+0x7b>
  400f9f: b8 aa 02 00 00          mov    $0x2aa,%eax
  400fa4: eb 18                   jmp    400fbe <phase_3+0x7b>
  400fa6: b8 47 01 00 00          mov    $0x147,%eax
  400fab: eb 11                   jmp    400fbe <phase_3+0x7b>
  400fad: e8 88 04 00 00          callq  40143a <explode_bomb>
  400fb2: b8 00 00 00 00          mov    $0x0,%eax
  400fb7: eb 05                   jmp    400fbe <phase_3+0x7b>
  400fb9: b8 37 01 00 00          mov    $0x137,%eax
  400fbe: 3b 44 24 0c             cmp    0xc(%rsp),%eax
  400fc2: 74 05                   je     400fc9 <phase_3+0x86>
  400fc4: e8 71 04 00 00          callq  40143a <explode_bomb>
  400fc9: 48 83 c4 18             add    $0x18,%rsp
  400fcd: c3                      retq
We can see that phase_3 calls no other functions except sscanf() and explode_bomb.
As before, we can try to find how to explode the bomb.
  400f5b: e8 90 fc ff ff          callq  400bf0 <__isoc99_sscanf@plt>
  400f60: 83 f8 01                cmp    $0x1,%eax
  400f63: 7f 05                   jg     400f6a <phase_3+0x27>
  400f65: e8 d0 04 00 00          callq  40143a <explode_bomb>
Before this block, %eax was set to 0 (for a variadic call like sscanf, %al tells the callee how many vector registers carry arguments: none here). Then it calls sscanf(). sscanf() returns the number of values it successfully converted. From 400f60 and 400f63, explode_bomb is skipped only when that return value is greater than 1, so both numbers in the input must be parsed.
The second point where the bomb can explode is just before the stretch of code where mov and jmp keep repeating.
  400f6a: 83 7c 24 08 07          cmpl   $0x7,0x8(%rsp)
  400f6f: 77 3c                   ja     400fad <phase_3+0x6a>
  ...
  400fad: e8 88 04 00 00          callq  40143a <explode_bomb>
This means that the value at (%rsp+8) must be at most 7. Note that ja is an unsigned compare, so a negative number is treated as a huge value and explodes the bomb too: the first number must be in the range 0 to 7.
The third point to explode the bomb is the end of the function.
  400fbe: 3b 44 24 0c             cmp    0xc(%rsp),%eax
  400fc2: 74 05                   je     400fc9 <phase_3+0x86>
  400fc4: e8 71 04 00 00          callq  40143a <explode_bomb>
  400fc9: 48 83 c4 18             add    $0x18,%rsp
  400fcd: c3                      retq
In this block, the value at (%rsp+12) must equal %eax, whatever the middle part of the function put there.
We can also see that the middle part of the function is a run of mov/jmp pairs, each loading a constant into %eax and jumping to 400fbe. That shape is a switch statement compiled to a jump table.
We have skimmed the code. Now it's time to read it carefully. The beginning sets up the stack, then two lea instructions load the addresses 0xc(%rsp) and 0x8(%rsp) into %rcx and %rdx, the fourth and third arguments. Those are the slots where sscanf will store what it parses, so we guess we enter at least two numbers. Then we find the strange number 0x4025cf. It is given to %esi, the register for the second argument, which for sscanf is the format string. So there must be something important at address 0x4025cf. Let's print it out with x/s.
(screenshot: x/s 0x4025cf prints the format string "%d %d")
It's our old friend, the "%d %d" format string. So we have confirmed that we need to enter two numbers, which sscanf stores at 0x8(%rsp) and 0xc(%rsp). And the first number must be at most 7. What next?
  400f71: 8b 44 24 08             mov    0x8(%rsp),%eax
  400f75: ff 24 c5 70 24 40 00    jmpq   *0x402470(,%rax,8)
We can see that the first number is moved to %eax and then used in jmpq *0x402470(,%rax,8). The "*" marks an indirect jump: 0x402470(,%rax,8) is a memory operand (base 0x402470, index %rax scaled by 8), so the CPU loads the 8-byte value stored at that address and jumps to it. In other words, 0x402470 is the start of a table of code addresses, one per case. Print it out with x/8gx 0x402470.
(screenshot: gdb output of x/8gx 0x402470, the eight jump-table entries)
So the target address is not computed, it is looked up: the entry at 0x402470 + 8*%rax holds the address of the case body to run. The factor 8 is the size of one 64-bit code pointer, not the size of a case body (the bodies are 7 bytes apart, a 5-byte mov plus a 2-byte jmp, and the table lets the compiler place them in any order). The table has eight entries, which is why the guard above allows exactly 0 through 7. Reading it with x/8gx 0x402470 gives, in order: 0x400f7c, 0x400fb9, 0x400f83, 0x400f8a, 0x400f91, 0x400f98, 0x400f9f, 0x400fa6. Note that index 1 goes to 0x400fb9 at the end of the function, not to the second body in memory, so the cases must be read off the table rather than assumed to be sequential. The repetition of mov and jmp is the body of the switch: when the first number is 0, it jumps to 0x400f7c, which loads 0xcf and then compares it with the second number; for 1 it jumps to 0x400fb9 and compares with 0x137; for 2 it jumps to 0x400f83 and compares with 0x2c3, and so on.
The accepted pairs are: 0 207 ; 1 311 ; 2 707 ; 3 256 ; 4 389 ; 5 206 ; 6 682 ; 7 327 ; any one of them defuses the phase.
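As an added example (this is my script, not part of the original post), here is the same resolution done mechanically: it pulls each case body's mov $imm,%eax out of the listing above, decodes the eight 64-bit table entries at 0x402470 exactly as the hardware does for jmpq *0x402470(,%rax,8), and replays the three checks on an input line. The listing is the one shown in this post; the table bytes are the entries x/8gx 0x402470 prints on this bomb (paste your own if your bomb differs); the function names are my own.

```python
"""Resolve phase_3's jump table: first number -> case body -> required second number."""
import re
import struct

# The switch part of the phase_3 listing from this post (objdump output, opcode bytes dropped).
PHASE3_DISASM = """
400f6a: cmpl   $0x7,0x8(%rsp)
400f6f: ja     400fad <phase_3+0x6a>
400f71: mov    0x8(%rsp),%eax
400f75: jmpq   *0x402470(,%rax,8)
400f7c: mov    $0xcf,%eax
400f81: jmp    400fbe <phase_3+0x7b>
400f83: mov    $0x2c3,%eax
400f88: jmp    400fbe <phase_3+0x7b>
400f8a: mov    $0x100,%eax
400f8f: jmp    400fbe <phase_3+0x7b>
400f91: mov    $0x185,%eax
400f96: jmp    400fbe <phase_3+0x7b>
400f98: mov    $0xce,%eax
400f9d: jmp    400fbe <phase_3+0x7b>
400f9f: mov    $0x2aa,%eax
400fa4: jmp    400fbe <phase_3+0x7b>
400fa6: mov    $0x147,%eax
400fab: jmp    400fbe <phase_3+0x7b>
400fad: callq  40143a <explode_bomb>
400fb2: mov    $0x0,%eax
400fb7: jmp    400fbe <phase_3+0x7b>
400fb9: mov    $0x137,%eax
400fbe: cmp    0xc(%rsp),%eax
"""

# The eight 64-bit entries at 0x402470 as `x/8gx 0x402470` shows them on this bomb,
# written here as the raw little-endian bytes in memory (paste your own if your bomb differs).
JUMP_TABLE_ADDR = 0x402470
JUMP_TABLE_BYTES = bytes.fromhex(
    "7c0f400000000000" "b90f400000000000" "830f400000000000" "8a0f400000000000"
    "910f400000000000" "980f400000000000" "9f0f400000000000" "a60f400000000000"
)

MOV_IMM_EAX = re.compile(r"^\s*([0-9a-f]+):\s+mov\s+\$0x([0-9a-f]+),%eax\s*$", re.M)
TWO_INTS = re.compile(r"^\s*([+-]?\d+)\s+([+-]?\d+)")   # what sscanf("%d %d") will accept


def parse_case_values(disasm: str) -> dict[int, int]:
    """Address of every `mov $imm,%eax` -> imm. The table targets pick out the case bodies."""
    return {int(addr, 16): int(imm, 16) for addr, imm in MOV_IMM_EAX.findall(disasm)}


def decode_jump_table(raw: bytes) -> list[int]:
    """Decode an array of 8-byte little-endian code addresses, the operand of jmpq *base(,%rax,8)."""
    if len(raw) % 8:
        raise ValueError("jump table must be a whole number of 8-byte entries")
    return list(struct.unpack(f"<{len(raw) // 8}Q", raw))


def resolve_case(index: int, table: list[int], case_values: dict[int, int]) -> int:
    """Emulate `cmpl $7; ja explode; jmpq *0x402470(,%rax,8)` and return the %eax the case loads."""
    if not 0 <= index < len(table):       # ja is unsigned: a negative index also explodes
        raise ValueError(f"explode_bomb: index {index} is outside the table")
    target = table[index]                 # the entry sits at JUMP_TABLE_ADDR + 8 * index
    return case_values[target]


def phase3_solutions() -> list[tuple[int, int]]:
    """Every (first, second) pair phase_3 accepts."""
    table = decode_jump_table(JUMP_TABLE_BYTES)
    values = parse_case_values(PHASE3_DISASM)
    return [(i, resolve_case(i, table, values)) for i in range(len(table))]


def phase3_accepts(line: str) -> bool:
    """Replay phase_3's three checks (sscanf count, range guard, final compare) on one input line."""
    m = TWO_INTS.match(line)
    if m is None:                         # sscanf returned fewer than 2 conversions
        return False
    first = int(m.group(1)) & 0xFFFFFFFF  # 32-bit slot at 0x8(%rsp), compared unsigned by ja
    second = int(m.group(2)) & 0xFFFFFFFF
    try:
        expected = resolve_case(first, decode_jump_table(JUMP_TABLE_BYTES),
                                parse_case_values(PHASE3_DISASM))
    except ValueError:
        return False
    return expected == second


if __name__ == "__main__":
    for first, second in phase3_solutions():
        print(first, second)
```

Running it prints the eight accepted pairs; phase3_accepts lets you try a line (including a negative or missing number) before typing it into the real bomb.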
Try it, and do not forget to set the breakpoint on explode_bomb first!
(screenshot: the gdb session with phase_3 defused)
Halfway there!
The key of phase 1: Border relations with Canada have never been better.
The key of phase 2: 1 2 4 8 16 32
The key of phase 3: 0 207
Bye!