
I am trying to figure out the correct input to defuse the bomb at phase 3 of the binary bomb lab. I have figured out that the input must be two integers, and that the first integer must be less than 7. I have been using an arbitrary first value (1) to try to figure out the second value by using the jump table, but I can't seem to get the answer. Specifically, I keep detonating the bomb after this line: 0x0000000000400ffc <+165>: cmp 0x8(%rsp),%eax.

Any help or guidance would be greatly appreciated.

Dump of assembler code for function phase_3:

    0x0000000000400f57 <+0>:    sub    $0x18,%rsp
    0x0000000000400f5b <+4>:    lea    0x8(%rsp),%rcx
    0x0000000000400f60 <+9>:    lea    0xc(%rsp),%rdx
    0x0000000000400f65 <+14>:   mov    $0x4027ed,%esi
    0x0000000000400f6a <+19>:   mov    $0x0,%eax
    0x0000000000400f6f <+24>:   callq  0x400c30 <__isoc99_sscanf@plt>
    0x0000000000400f74 <+29>:   cmp    $0x1,%eax
    0x0000000000400f77 <+32>:   jg     0x400f7e <phase_3+39>
    0x0000000000400f79 <+34>:   callq  0x401574 <explode_bomb>
    0x0000000000400f7e <+39>:   cmpl   $0x7,0xc(%rsp)
    0x0000000000400f83 <+44>:   ja     0x400feb <phase_3+148>
    0x0000000000400f85 <+46>:   mov    0xc(%rsp),%eax
    0x0000000000400f89 <+50>:   jmpq   *0x402520(,%rax,8)
    0x0000000000400f90 <+57>:   mov    $0x0,%eax
    0x0000000000400f95 <+62>:   jmp    0x400f9c <phase_3+69>
    0x0000000000400f97 <+64>:   mov    $0x3a0,%eax
    0x0000000000400f9c <+69>:   sub    $0x3c2,%eax
    0x0000000000400fa1 <+74>:   jmp    0x400fa8 <phase_3+81>
    0x0000000000400fa3 <+76>:   mov    $0x0,%eax
    0x0000000000400fa8 <+81>:   add    $0x23d,%eax
    0x0000000000400fad <+86>:   jmp    0x400fb4 <phase_3+93>
    0x0000000000400faf <+88>:   mov    $0x0,%eax
    0x0000000000400fb4 <+93>:   sub    $0x3e6,%eax
    0x0000000000400fb9 <+98>:   jmp    0x400fc0 <phase_3+105>
    0x0000000000400fbb <+100>:  mov    $0x0,%eax
    0x0000000000400fc0 <+105>:  add    $0x3e6,%eax
    0x0000000000400fc5 <+110>:  jmp    0x400fcc <phase_3+117>
    0x0000000000400fc7 <+112>:  mov    $0x0,%eax
    0x0000000000400fcc <+117>:  sub    $0x3e6,%eax
    0x0000000000400fd1 <+122>:  jmp    0x400fd8 <phase_3+129>
    0x0000000000400fd3 <+124>:  mov    $0x0,%eax
    0x0000000000400fd8 <+129>:  add    $0x3e6,%eax
    0x0000000000400fdd <+134>:  jmp    0x400fe4 <phase_3+141>
    0x0000000000400fdf <+136>:  mov    $0x0,%eax
    0x0000000000400fe4 <+141>:  sub    $0x3e6,%eax
    0x0000000000400fe9 <+146>:  jmp    0x400ff5 <phase_3+158>
    0x0000000000400feb <+148>:  callq  0x401574 <explode_bomb>
    0x0000000000400ff0 <+153>:  mov    $0x0,%eax
    0x0000000000400ff5 <+158>:  cmpl   $0x5,0xc(%rsp)
    0x0000000000400ffa <+163>:  jg     0x401002 <phase_3+171>
 => 0x0000000000400ffc <+165>:  cmp    0x8(%rsp),%eax
    0x0000000000401000 <+169>:  je     0x401007 <phase_3+176>
    0x0000000000401002 <+171>:  callq  0x401574 <explode_bomb>
    0x0000000000401007 <+176>:  add    $0x18,%rsp
    0x000000000040100b <+180>:  retq 
grizzthedj
Sam
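Added example, not part of the question or either answer: a small Python simulator of the arithmetic chain in the dump above. The disassembly shows eight possible landing points for the jmpq at <+50> (<+57>, <+64>, <+76>, <+88>, <+100>, <+112>, <+124>, <+136>), each of which falls through a fixed sequence of mov/add/sub before reaching the cmpl at <+158>. The page does not show the contents of the jump table at 0x402520, so the script does not know which first integer selects which entry; it enumerates every entry, reports the value %eax holds at the cmp on <+165> for each, and applies the two range checks on the first integer that are visible in the dump. The table passed to solution_for is an assumption the caller must supply from gdb.

```python
# Added example (not from the question or answers): simulate the phase_3
# arithmetic chain from the disassembly above to find what %eax holds at
# <+165> for each possible jump-table entry.

PHASE3_BASE = 0x400F57  # address of phase_3+0 in the dump

# offset -> (operation, immediate, next offset). Offsets are the <+N> values
# from the dump; "next" is where control goes after the instruction, either
# via the explicit jmp that follows it or by falling through.
PHASE3_CHAIN = {
    57:  ("mov", 0x000, 69),    # mov $0x0,%eax   ; jmp <+69>
    64:  ("mov", 0x3A0, 69),    # mov $0x3a0,%eax ; falls into <+69>
    69:  ("sub", 0x3C2, 81),    # sub $0x3c2,%eax ; jmp <+81>
    76:  ("mov", 0x000, 81),    # mov $0x0,%eax   ; falls into <+81>
    81:  ("add", 0x23D, 93),    # add $0x23d,%eax ; jmp <+93>
    88:  ("mov", 0x000, 93),
    93:  ("sub", 0x3E6, 105),
    100: ("mov", 0x000, 105),
    105: ("add", 0x3E6, 117),
    112: ("mov", 0x000, 117),
    117: ("sub", 0x3E6, 129),
    124: ("mov", 0x000, 129),
    129: ("add", 0x3E6, 141),
    136: ("mov", 0x000, 141),
    141: ("sub", 0x3E6, 158),   # jmp <+158>: cmpl $0x5,0xc(%rsp)
}
ENTRY_OFFSETS = [57, 64, 76, 88, 100, 112, 124, 136]  # every target the table can hold
COMPARE_BLOCK = 158


def to_int32(value):
    """Wrap to the signed 32-bit value gdb prints for %eax."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def run_from(entry_offset):
    """Execute the chain from one jump-table target until control reaches <+158>."""
    eax, pc = 0, entry_offset
    while pc != COMPARE_BLOCK:
        op, imm, nxt = PHASE3_CHAIN[pc]
        if op == "mov":
            eax = imm
        elif op == "add":
            eax += imm
        else:  # "sub"
            eax -= imm
        pc = nxt
    return to_int32(eax)


def eax_at_compare():
    """%eax at <+165> for each possible entry point (offset -> value)."""
    return {off: run_from(off) for off in ENTRY_OFFSETS}


def first_int_reachable(first):
    """The two checks on the first integer (stored at 0xc(%rsp)):
    'cmpl $0x7 / ja' at <+39>/<+44> is an unsigned compare, so negatives
    explode too, and 'cmpl $0x5 / jg' at <+158>/<+163> explodes on 6 or 7."""
    return 0 <= first <= 5


def solution_for(first, jump_table):
    """jump_table: the 8 addresses stored at 0x402520 (an assumption: the page
    does not show them, read them in gdb with 'x/8gx 0x402520'). Returns the
    (first, second) pair that reaches the 'je' at <+169>, or None."""
    if not first_int_reachable(first):
        return None
    entry_offset = jump_table[first] - PHASE3_BASE
    return (first, run_from(entry_offset))


if __name__ == "__main__":
    for off, val in eax_at_compare().items():
        print(f"entry <+{off}>: eax = {val} (0x{val & 0xFFFFFFFF:08x})")
```

The values only hold for the constants in this particular dump; every bomb is generated with different immediates, so only the structure transfers. The rest is reading two things from gdb: x/8gx 0x402520 gives the table entries to feed into solution_for, and x/dw $rsp+8 (or print *(int *)($rsp+8)) at <+165> shows the second integer sscanf stored, which must equal the computed %eax.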

2 Answers


I have the same phase 3 in my homework, and this is how I got the solution.

On line <+165>:

    (gdb) i r rsp
    rsp            0x7fffffffde00      0x7fffffffde00
    (gdb) x/d (0x7fffffffde00 + 0x8)
    0x7fffffffde08: 2        (the number that I wrote randomly before)
    (gdb) i r eax
    eax            0xfffffc78          -904
    (gdb) print/d 0xfffffc78
    $1 = 4294966392

bluesshead


On line <+165> the values in register %eax and in 0x8(%rsp) are compared, and the bomb is not detonated if these two are equal.

Considering that the only change made to 0x8(%rsp) was at <+4>, where the effective address of %rcx was loaded to 0x8(%rsp), it may be easy for you to try and substitute multiple values to check which value ends up in %rcx in the beginning, and eventually at 0x8(%rsp). Try using gdb instructions such as

    i r

to check the values in the registers as you progress. You can even pinpoint the exact place you want to examine (even 0x8(%rsp)); it's just that I don't remember the exact gdb instruction.

%eax is accessed here and then before <+165>, so you may want to try walking backwards in the code from there to check which value would eventually end up in %eax. This would be easier than it sounds, since the code only involves mov, sub or add with %eax. When you get this value, input it appropriately so that it will end up in %rcx in the beginning, and you will be able to get past the bomb after <+165>.

wookiekim