## Thursday, May 22, 2014

### Of Binary Bombs (part 3)

In part 2 I explained both sym.read_line and the solution to sym.phase_2. Here I work through the third phase of Dr. Evil's nasty binary bomb.

I'll start directly at sym.phase_3, past the input handling routines discussed previously.

Phase 3 starts with a call to sscanf with a format string of "%d %c %d", so the input has to be a number, a character, and another number. The first number must be no greater than 7; this check guards the table lookup that follows:

    cmp dword [ebp-0xc], 0x7


and that number is then used as an index into a table of 4-byte jump addresses starting at 0x80497e8:

    mov eax, [ebp-0xc]
    jmp dword [eax*4+0x80497e8]


If the first input is 0, eax is 0 and the jump goes to the address stored at 0x80497e8. That address is 0x08048be0, the code immediately following the jmp:

    mov bl, 0x71
    cmp dword [ebp-0x4], 0x309


This sets bl to 0x71 (ASCII 'q') and compares the third input, stored at ebp-0x4, against 0x309 (777). If the third input is 777, control jumps to the comparison shared by all of the cases, which checks the character at ebp-0x5 (the second input) against bl:

    cmp bl, [ebp-0x5]


So, to avoid the bomb, the input 0 q 777 is a valid solution.

But what about a first input other than 0? Let's look at the other jump table targets, for first inputs 1 through 7. I've abbreviated the code and commented only what differs from the case above: the character loaded into bl and the constant compared against the third input.

    ; eax == 1 - 0x08048c00
    mov bl, 0x62                ; ASCII 'b'
    cmp dword [ebp-0x4], 0xd6   ; 214

    ; eax == 2 - 0x08048c16
    mov bl, 0x62                ; ASCII 'b'
    cmp dword [ebp-0x4], 0x2f3  ; 755

    ; eax == 3 - 0x08048c28
    mov bl, 0x6b                ; ASCII 'k'
    cmp dword [ebp-0x4], 0xfb   ; 251

    ; eax == 4 - 0x08048c40
    mov bl, 0x6f                ; ASCII 'o'
    cmp dword [ebp-0x4], 0xa0   ; 160

    ; eax == 5 - 0x08048c52
    mov bl, 0x74                ; ASCII 't'
    cmp dword [ebp-0x4], 0x1ca  ; 458

    ; eax == 6 - 0x08048c64
    mov bl, 0x76                ; ASCII 'v'
    cmp dword [ebp-0x4], 0x30c  ; 780

    ; eax == 7 - 0x08048c76
    mov bl, 0x62                ; ASCII 'b'
    cmp dword [ebp-0x4], 0x20c  ; 524


So there are eight answers to this part of the riddle, one per jump table slot. Let's verify that at least one of the others works.
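Rather than trying the candidates one at a time, the phase can be checked as a whole. Below is a C reconstruction of phase_3 written for this walkthrough; it is an added example, not Dr. Evil's source. The (character, constant) pairs are taken from the listing above and the parse uses the bomb's own "%d %c %d" format string. One assumption is labelled in the code: the conditional jump that follows `cmp dword [ebp-0xc], 0x7` is not quoted above, so the model treats any first number outside 0..7 as a detonation, which is the only safe reading since such an index would read outside the eight-entry table.

```c
#include <stdio.h>
#include <string.h>

/* Added reconstruction of phase_3, derived from the disassembly in the post.
 * Not the bomb's source: table entries are the (bl, constant) pairs shown for
 * each jump-table slot; control flow follows the cmp/jmp sequence described. */

struct phase3_case {
    char expected_char;  /* the byte loaded into bl */
    int  expected_num;   /* the dword compared against the third input */
};

/* One entry per jump-table slot at 0x80497e8, indexed by the first input. */
static const struct phase3_case PHASE3_TABLE[8] = {
    { 'q', 0x309 },  /* slot 0 -> 0x08048be0 : 777 */
    { 'b', 0x0d6 },  /* slot 1 -> 0x08048c00 : 214 */
    { 'b', 0x2f3 },  /* slot 2 -> 0x08048c16 : 755 */
    { 'k', 0x0fb },  /* slot 3 -> 0x08048c28 : 251 */
    { 'o', 0x0a0 },  /* slot 4 -> 0x08048c40 : 160 */
    { 't', 0x1ca },  /* slot 5 -> 0x08048c52 : 458 */
    { 'v', 0x30c },  /* slot 6 -> 0x08048c64 : 780 */
    { 'b', 0x20c },  /* slot 7 -> 0x08048c76 : 524 */
};

/* Returns 1 if `line` defuses phase 3 under this model, 0 if it detonates. */
int phase_3(const char *line)
{
    int  index = 0, number = 0;
    char ch = 0;

    /* The same format string the bomb hands to sscanf. */
    if (sscanf(line, "%d %c %d", &index, &ch, &number) != 3)
        return 0;   /* fewer than three fields parsed: treated as a detonation */

    /* cmp dword [ebp-0xc], 0x7 guards the table index. The conditional jump
     * after it is not quoted in the post, so this is an ASSUMPTION: any index
     * outside 0..7 detonates (an out-of-range index would read outside the
     * 8-entry table in any case). */
    if (index < 0 || index > 7)
        return 0;

    /* mov bl, <char> ; cmp dword [ebp-0x4], <constant> ; mismatch -> bomb */
    if (number != PHASE3_TABLE[index].expected_num)
        return 0;

    /* cmp bl, [ebp-0x5] : the shared tail compares the character */
    return ch == PHASE3_TABLE[index].expected_char;
}

/* Formats the defusing input for one jump-table slot, e.g. "0 q 777".
 * Returns 0 and leaves `out` empty for a slot that does not exist. */
int phase_3_solution(int slot, char *out, size_t outlen)
{
    if (slot < 0 || slot > 7) {
        if (outlen) out[0] = '\0';
        return 0;
    }
    snprintf(out, outlen, "%d %c %d", slot,
             PHASE3_TABLE[slot].expected_char, PHASE3_TABLE[slot].expected_num);
    return 1;
}

/* Feeds every table-derived input back through phase_3; returns how many defuse. */
int count_defusing_solutions(void)
{
    char line[32];
    int  defused = 0;
    for (int slot = 0; slot < 8; slot++) {
        phase_3_solution(slot, line, sizeof line);
        defused += phase_3(line);
    }
    return defused;
}

int main(void)
{
    char line[32];
    for (int slot = 0; slot < 8; slot++) {
        phase_3_solution(slot, line, sizeof line);
        printf("%-10s %s\n", line, phase_3(line) ? "defused" : "BOOM");
    }
    return count_defusing_solutions() == 8 ? 0 : 1;
}
```

Running it lists all eight inputs and confirms each one survives the model; the same table can be checked against the real binary by typing any of the lines into the bomb, which is the only test that counts.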

Next, phase 4.