binary bomb

cs
Author

dd21

Published

January 4, 2023

Abstract

do some practise of asm and disasm, analazy the elf file and do some revserse things

Referance

nju cs base lesson of cs on MOOC

first we get the disassembly file of elf

objdump -d bomb > bomb.s

analazy the bomb.s and bomb.c file

enter the main function we can see like this

then we need to see the .s file to continue analazy the bomb

read the file of bomb.s

vim bomb.s

/pase_0

0804946f <phase_0>:
 804946f:       55                      push   %ebp         // 压栈
 8049470:       89 e5                   mov    %esp,%ebp
 8049472:       83 ec 08                sub    $0x8,%esp
 8049475:       83 ec 08                sub    $0x8,%esp
 8049478:       68 98 a1 04 08          push   $0x804a198  // 压入对比的字符串
 804947d:       ff 75 08                push   0x8(%ebp) // 压入输入的字符串
 8049480:       e8 52 07 00 00          call   8049bd7 <strings_not_equal> // 调用string_not_rqual 函数
 8049485:       83 c4 10                add    $0x10,%esp
 8049488:       85 c0                   test   %eax,%eax // 测试eax是否为0
 804948a:       74 0c                   je     8049498 <phase_0+0x29> // 判断是否等于 如果等于就跳转到8049498 如果不等于往下执行
 804948c:       e8 ae 09 00 00          call   8049e3f <explode_bomb>
 8049491:       b8 00 00 00 00          mov    $0x0,%eax
 8049496:       eb 05                   jmp    804949d <phase_0+0x2e> // 跳转出函数
 8049498:       b8 01 00 00 00          mov    $0x1,%eax
 804949d:       c9                      leave
 804949e:       c3                      ret
label

这里需要进入到运行状态, 查看 804a198 进行查看该处的字符串

将程序在断点设置在该处 

gdb bomb

b *0x8049480
r


For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from bomb...
(gdb) b *0x8049480
Breakpoint 1 at 0x8049480
(gdb) r
Starting program: /home/dd21/Projects/csBase/base4/boom/bomb

This GDB supports auto-downloading debuginfo from the following URLs:
https://debuginfod.archlinux.org
Enable debuginfod for this session? (y or [n]) n
Debuginfod has been disabled.
To make this setting permanent, add 'set debuginfod enabled off' to .gdbinit.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
Welcome to my fiendish little bomb. You have 7 phases with
which to blow yourself up. Have a nice day!


[input string:xxxxxxx]

enter some string and the program will be borokened at 0x8049480

labelhello world

Breakpoint 1, 0x8049480 in phase_0 ()

使用 x 查看内存中的值

x/40c  0x804a198     // 将该地址处的数据解析为字符40 个字节
x/1s 0x804a198        // 字符串输出


Breakpoint 1, 0x08049480 in phase_0 ()
(gdb) x/1s 0x804a198
0x804a198:      "Disks are constructed from platters."

this means the answer is “Disks are constructed from platters.”

next bomb of ieee754(浮点数表示)

ieee754 标准

Type 符号 阶码 尾数 偏置
float 1bit 8bit 23bit 127
double 1bit 11bit 52bit 1023

非数(nan):阶码 255(SP)2047(DP) ,尾数非 0 [ 0 11111111 1110 1110 0000 0000 0000 000] +∞/-∞:阶码 255(SP)2047(DP) ,尾数 0[ -∞:1 11111111 0000 0000 0000 0000 0000 000 ] 0: 阶码尾数全 0 [ +0:0 00000000 0000 0000 0000 0000 0000 000 ] 非规格化数(+-2^-126): 尾数最高位为 0, 阶码为 0 [ -0.x: 1 00000000 1111 0000 0000 1111 0000 000] 规格化数:尾数最高位为 1(隐藏不写), 阶码为!=0 [0 10001010 1111 0000 1111 1111 0000 0000]

浮点数实验

查看反汇编结果 phase_1

0804949f <phase_1>:
 804949f:       55                      push   %ebp
 80494a0:       89 e5                   mov    %esp,%ebp
 80494a2:       83 ec 28                sub    $0x28,%esp
 80494a5:       c7 45 f4 f6 cc 4e 1a    movl   $0x1a4eccf6,-0xc(%ebp)  // 将立即数压栈到ebp-0xc的位置
 80494ac:       db 45 f4                fildl  -0xc(%ebp)   // 将ebp中的值加载到浮点计算器栈顶
 80494af:       dd 5d e8                fstpl  -0x18(%ebp)  // 将浮点寄存器的栈顶数据出栈放到ebp-0x18的位置上
 80494b2:       8d 45 e0                lea    -0x20(%ebp),%eax // eax 压栈
 80494b5:       50                      push   %eax
 80494b6:       8d 45 e4                lea    -0x1c(%ebp),%eax
 80494b9:       50                      push   %eax
 80494ba:       68 bd a1 04 08          push   $0x804a1bd
 80494bf:       ff 75 08                push   0x8(%ebp)
 80494c2:       e8 09 fc ff ff          call   80490d0 <__isoc99_sscanf@plt>
 80494c7:       83 c4 10                add    $0x10,%esp
 80494ca:       83 f8 02                cmp    $0x2,%eax // 判断是否输入的是两个数
 80494cd:       74 0c                   je     80494db <phase_1+0x3c>  // 如果等于 就跳转到80494db
 80494cf:       e8 6b 09 00 00          call   8049e3f <explode_bomb>  // 不相等
 80494d4:       b8 00 00 00 00          mov    $0x0,%eax
 80494d9:       eb 2c                   jmp    8049507 <phase_1+0x68>
 80494db:       8d 45 e8                lea    -0x18(%ebp),%eax
 80494de:       8b 10                   mov    (%eax),%edx
 80494e0:       8b 45 e4                mov    -0x1c(%ebp),%eax
 80494e3:       39 c2                   cmp    %eax,%edx
 80494e5:       75 0f                   jne    80494f6 <phase_1+0x57>
 80494e7:       8d 45 e8                lea    -0x18(%ebp),%eax
 80494ea:       83 c0 04                add    $0x4,%eax
 80494ed:       8b 10                   mov    (%eax),%edx
 80494ef:       8b 45 e0                mov    -0x20(%ebp),%eax
 80494f2:       39 c2                   cmp    %eax,%edx
 80494f4:       74 0c                   je     8049502 <phase_1+0x63>
 80494f6:       e8 44 09 00 00          call   8049e3f <explode_bomb>
 80494fb:       b8 00 00 00 00          mov    $0x0,%eax
 8049500:       eb 05                   jmp    8049507 <phase_1+0x68>
 8049502:       b8 01 00 00 00          mov    $0x1,%eax
 8049507:       c9                      leave
 8049508:       c3                      ret

The bomb has blown up. -167772160 1102728908 Phase 1 defused. How about the next one?