I'll start directly at sym.phase_3, skipping the input handling routines discussed previously.
Phase 3 starts with a call to sscanf with the format string "%d %c %d", so we should provide a number, a character, and another number. The first number is stored at [ebp-0xc] and must be at most 7:
cmp dword [ebp-0xc], 0x7 ; first input compared against 7
It is then used as an index into a jump table to compute the jump target:
mov eax, [ebp-0xc] ; eax = first input
jmp dword [eax*4+0x80497e8] ; jump to table[eax], 4-byte entries
If eax is 0 this jumps to the address stored at 0x80497e8, the first table entry. That address is 0x08048be0, which is just past the jmp itself, so the first case follows immediately:
mov bl, 0x71 ; ASCII 'q'
cmp dword [ebp-0x4], 0x309 ; 777
This sets bl to 0x71 (ASCII 'q') and compares the third input, at [ebp-0x4], to 777. If the third input is 777, control jumps to
cmp bl, [ebp-0x5] ; expected character vs. the character we typed
which compares the character we typed, at [ebp-0x5], with the 'q' held in bl. So, to avoid the bomb we can provide the input 0 q 777 and we have a valid solution.
But what about a first input other than 0? Let's look at the other jump table entries, for first inputs from 1 to 7. I've abbreviated the code and commented only what differs from the case above.
; eax == 1 - 0x08048c00
mov bl, 0x62 ; ASCII 'b'
cmp dword [ebp-0x4], 0xd6 ; 214
; eax == 2 - 0x08048c16
mov bl, 0x62 ; ASCII 'b'
cmp dword [ebp-0x4], 0x2f3 ; 755
; eax == 3 - 0x08048c28
mov bl, 0x6b ; ASCII 'k'
cmp dword [ebp-0x4], 0xfb ; 251
; eax == 4 - 0x08048c40
mov bl, 0x6f ; ASCII 'o'
cmp dword [ebp-0x4], 0xa0 ; 160
; eax == 5 - 0x08048c52
mov bl, 0x74 ; ASCII 't'
cmp dword [ebp-0x4], 0x1ca ; 458
; eax == 6 - 0x08048c64
mov bl, 0x76 ; ASCII 'v'
cmp dword [ebp-0x4], 0x30c ; 780
; eax == 7 - 0x08048c76
mov bl, 0x62 ; ASCII 'b'
cmp dword [ebp-0x4], 0x20c ; 524
So it looks as if there are several answers to this part of the riddle: one valid input per jump table entry. Let's verify that at least one of the others works.
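To check the claim that every table entry yields a solution, here is a C reconstruction of the phase 3 logic as read from the disassembly above. It is an added example, not the bomb's own source: the per-case characters and numbers are the constants shown in the listing, while the handling of out-of-range indices and of malformed input is my assumption (in this model both are treated as failures, matching how the earlier phases punished bad input). phase_3() returns 1 for a line that would defuse the phase and 0 for one that would explode; phase_3_solutions() enumerates one passing input per jump table entry.

```c
#include <stdio.h>
#include <string.h>

/* One jump-table case: the character loaded into bl and the value the
 * third input (at [ebp-0x4]) is compared against. Constants are the ones
 * read from the disassembly; index 0 is the 0x08048be0 case. */
struct phase3_case {
    char expected_char;
    int  expected_num;
};

static const struct phase3_case cases[8] = {
    {'q', 0x309}, /* 777 */
    {'b', 0xd6},  /* 214 */
    {'b', 0x2f3}, /* 755 */
    {'k', 0xfb},  /* 251 */
    {'o', 0xa0},  /* 160 */
    {'t', 0x1ca}, /* 458 */
    {'v', 0x30c}, /* 780 */
    {'b', 0x20c}, /* 524 */
};

/* Returns 1 if the line would defuse phase 3, 0 if it would explode. */
int phase_3(const char *line)
{
    int first, third;
    char ch;

    /* Assumption: a line that does not yield all three fields is a
     * failure, as with the earlier phases' input checks. */
    if (sscanf(line, "%d %c %d", &first, &ch, &third) != 3)
        return 0;

    /* `cmp dword [ebp-0xc], 0x7` guards the 8-entry jump table. An index
     * outside 0..7 would read past the table, so treat it as a failure
     * (assumption; negative values are out of range too when the
     * compare is unsigned). */
    if (first < 0 || first > 7)
        return 0;

    /* `jmp dword [eax*4+0x80497e8]`: dispatch on the first number. */
    const struct phase3_case *c = &cases[first];

    /* `cmp dword [ebp-0x4], <imm>`: the third number must match. */
    if (third != c->expected_num)
        return 0;

    /* `cmp bl, [ebp-0x5]`: the typed character must match bl. */
    if (ch != c->expected_char)
        return 0;

    return 1;
}

/* Fills out[] with one passing input per jump-table entry and returns
 * how many were written. */
int phase_3_solutions(char out[8][32])
{
    int n = 0;
    for (int i = 0; i < 8; i++) {
        snprintf(out[n], 32, "%d %c %d", i,
                 cases[i].expected_char, cases[i].expected_num);
        n++;
    }
    return n;
}

/* Runs every enumerated solution back through phase_3() and returns the
 * number that defuse; all eight should. */
int count_defusing_solutions(void)
{
    char sols[8][32];
    int n = phase_3_solutions(sols);
    int ok = 0;
    for (int i = 0; i < n; i++)
        ok += phase_3(sols[i]);
    return ok;
}

int main(void)
{
    char sols[8][32];
    int n = phase_3_solutions(sols);
    for (int i = 0; i < n; i++)
        printf("%-10s -> %s\n", sols[i], phase_3(sols[i]) ? "defused" : "BOOM");
    /* Right number, wrong character: the bl comparison catches it. */
    printf("%-10s -> %s\n", "0 b 777", phase_3("0 b 777") ? "defused" : "BOOM");
    return 0;
}
```

The order of the two comparisons mirrors the disassembly: the third number is checked before the character, so an input such as 0 b 777 gets past the first cmp and fails on cmp bl, [ebp-0x5].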
Next, phase 4.