-
October 18th, 2017, 08:54 PM
#1
Need help deciphering assembly code
Hello there, I've very recently started learning about assembly and came across something called a Binary Bomb which seemed like a fun exercise to test my skills on. To put it simply the objective is to "defuse" a bomb by reading assembly code and figuring out a password that will allow me to move through several phases without exploding the bomb. I have completed phase 1 through 4 and I'm currently stuck on phase 5. I've been staring at this code for hours and I just can't seem to figure it out. I believe it is asking for a string of 6 chars? But beyond that I'm not sure what to do. Any directions or further explanation on what's happening in this code would be greatly appreciated. Thanks!
Code:
Dump of assembler code for function phase_5:
=> 0x0000000000401105 <+0>: push %rbx
0x0000000000401106 <+1>: mov %rdi,%rbx
0x0000000000401109 <+4>: callq 0x40135a <string_length>
0x000000000040110e <+9>: cmp $0x6,%eax
0x0000000000401111 <+12>: je 0x401118 <phase_5+19>
0x0000000000401113 <+14>: callq 0x40164c <explode_bomb>
0x0000000000401118 <+19>: mov %rbx,%rax
0x000000000040111b <+22>: lea 0x6(%rbx),%rdi
0x000000000040111f <+26>: mov $0x0,%ecx
0x0000000000401124 <+31>: movzbl (%rax),%edx
0x0000000000401127 <+34>: and $0xf,%edx
0x000000000040112a <+37>: add 0x4026c0(,%rdx,4),%ecx
0x0000000000401131 <+44>: add $0x1,%rax
0x0000000000401135 <+48>: cmp %rdi,%rax
0x0000000000401138 <+51>: jne 0x401124 <phase_5+31>
0x000000000040113a <+53>: cmp $0x2d,%ecx
0x000000000040113d <+56>: je 0x401144 <phase_5+63>
0x000000000040113f <+58>: callq 0x40164c <explode_bomb>
0x0000000000401144 <+63>: pop %rbx
0x0000000000401145 <+64>: retq
End of assembler dump.
-
October 19th, 2017, 02:54 AM
#2
Re: Need help deciphering assembly code
What assembler language? You also haven't shown the code for the function located at 0x40135a
All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!
C++23 Compiler: Microsoft VS2022 (17.6.5)
-
October 19th, 2017, 11:18 AM
#3
Re: Need help deciphering assembly code
My apologies for the lack of clarification. I believe the assembler language should be x86 AT&T. As far as the function at 0x40135a:
Code:
Dump of assembler code for function string_length:
=> 0x000000000040135a <+0>: cmpb $0x0,(%rdi)
0x000000000040135d <+3>: je 0x401372 <string_length+24>
0x000000000040135f <+5>: mov $0x0,%eax
0x0000000000401364 <+10>: add $0x1,%rdi
0x0000000000401368 <+14>: add $0x1,%eax
0x000000000040136b <+17>: cmpb $0x0,(%rdi)
0x000000000040136e <+20>: jne 0x401364 <string_length+10>
0x0000000000401370 <+22>: repz retq
0x0000000000401372 <+24>: mov $0x0,%eax
0x0000000000401377 <+29>: retq
End of assembler dump.
Hopefully, I'm not excluding any other piece of crucial information. Let me know if I am. Thank you.
-
October 19th, 2017, 12:40 PM
#4
Re: Need help deciphering assembly code
I believe it is asking for a string of 6 chars?
It's not a form of x86 assembler I've come across - but for a starter rdi contains the address of the null terminated string. When doing something like this, I tend to look at where the exceptions occur (in this case the bomb) and what doesn't cause the exception and then work back.
Last edited by 2kaud; October 20th, 2017 at 02:57 AM.
-
October 19th, 2017, 02:52 PM
#5
Re: Need help deciphering assembly code
Thanks for the input 2kaud. Can you by chance give me an idea of what the loop in the code is doing? I've been trying to figure it out for a while but no luck so far. Also:
Code:
(gdb) x/s 0x4026c0
0x4026c0 <array.3601>: "\002"
Any idea what this "\002" is? Sorry, for all of the questions I'm throwing your way. This phase is considerably harder than the previous ones and I just want to make sure I get a good understanding of what's happening here.
-
October 20th, 2017, 03:00 AM
#6
Re: Need help deciphering assembly code
Can you by chance give me an idea of what the loop in the code is doing?
Work through it by hand using pen and paper - the way I would have to do! What's stored at 0x4026c0?
-
November 27th, 2017, 07:24 AM
#7
Re: Need help deciphering assembly code
Can someone explain what this code is computing? and what BNZ instruction will do?
Instruction 0: LOAD R1, = 5
1: LOAD R2, = 1
2: MULTIPLY R2, R1
3: SUBTRACT R1, = 1
4: BNZ R1, 2
5: PRINT R2
6: STOP
-
November 27th, 2017, 07:30 AM
#8
Re: Need help deciphering assembly code
I suspect that BNZ means Branch Non Zero - ie branch if the result is not zero. So BNZ r1, 2 I suspect means branch if r1 is not 2.
-
November 28th, 2017, 03:30 AM
#9
Re: Need help deciphering assembly code
Originally Posted by 2kaud
I suspect that BNZ means Branch Non Zero - ie branch if the result is not zero. So BNZ r1, 2 I suspect means branch if r1 is not 2.
Well, my interpretation is that the instruction means "branch to location 2 if R1 is not zero". And based on this, I think I can now tell what the code computes, in simple high-level math terms. (... but of course I'm not doing so. )
Last edited by Eri523; November 29th, 2017 at 04:39 PM.
Reason: Typo
I was thrown out of college for cheating on the metaphysics exam; I looked into the soul of the boy sitting next to me.
This is a snakeskin jacket! And for me it's a symbol of my individuality, and my belief... in personal freedom.
-
November 28th, 2017, 03:33 AM
#10
Re: Need help deciphering assembly code
Originally Posted by Eri523
Well, my interpretation is that the instruction means "branch to location 2 if R1 is not zero". And based on this, I think I can now tell what the code computes, in simple high-level math terms. (... but of course I'm not doing so. )
Doh! Yeah, you're right.
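To make the reading agreed on in posts #9 and #10 concrete, here is a small interpreter for the seven-line register program quoted in post #7. This is an added example, not code from anyone in the thread. It assumes BNZ means "branch to the given location if the register is not zero", that the "= n" operand syntax denotes an immediate value, and that PRINT emits the register's current value; the tuple encoding of the program is mine.

```python
# Added example (not from the thread): interpreter for the program in post #7.
# Assumptions: "= n" is an immediate operand; BNZ Rx, L branches to location L
# when Rx != 0; PRINT records the register value.

PROGRAM = [
    ("LOAD", "R1", 5),          # 0: R1 = 5
    ("LOAD", "R2", 1),          # 1: R2 = 1
    ("MULTIPLY", "R2", "R1"),   # 2: R2 = R2 * R1
    ("SUBTRACT", "R1", 1),      # 3: R1 = R1 - 1
    ("BNZ", "R1", 2),           # 4: if R1 != 0 goto 2
    ("PRINT", "R2"),            # 5: output R2
    ("STOP",),                  # 6: halt
]


def run(program, max_steps=10_000):
    """Execute `program` from location 0.

    Returns (registers, printed values, list of executed locations).
    max_steps bounds a runaway loop, which is what you would get if the
    branch condition were misread (the loop would never terminate).
    """
    regs = {}
    printed = []
    trace = []
    pc = 0

    def operand(x):
        # A string names a register; anything else is an immediate.
        return regs[x] if isinstance(x, str) else x

    for _ in range(max_steps):
        trace.append(pc)
        op, *args = program[pc]
        pc += 1
        if op == "LOAD":
            regs[args[0]] = operand(args[1])
        elif op == "MULTIPLY":
            regs[args[0]] *= operand(args[1])
        elif op == "SUBTRACT":
            regs[args[0]] -= operand(args[1])
        elif op == "BNZ":
            if regs[args[0]] != 0:
                pc = args[1]
        elif op == "PRINT":
            printed.append(regs[args[0]])
        elif op == "STOP":
            return regs, printed, trace
        else:
            raise ValueError(f"unknown opcode {op}")
    raise RuntimeError("step limit exceeded; suspected infinite loop")


if __name__ == "__main__":
    registers, output, executed = run(PROGRAM)
    print("output:", output)
    print("loop body (location 2) ran", executed.count(2), "times")
```

Running it shows the loop body at locations 2 to 4 executing once per value of R1 from 5 down to 1, so R2 accumulates 5 * 4 * 3 * 2 * 1 before PRINT.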
-
January 8th, 2018, 11:12 AM
#11
Re: Need help deciphering assembly code
Like 19921127 mentioned, this is x86 assembly language using AT&T syntax. The occurrence of AT&T syntax suggests that this binary runs on Linux or a similar OS, but more decisive is the way the parameter is passed to string_length: through EBX (register) rather than by PUSHing the address where password is stored, as is typical in 32-bit Windows machines. Function string_length was statically added by the linker (and yes, password must be six bytes long). When INT 0x80 is used instead of CALL, the function to execute is specified through EAX.
Originally Posted by 19921127
Thanks for the input 2kaud. Can you by chance give me an idea of what the loop in the code is doing? I've been trying to figure it out for a while but no luck so far. Also:
Code:
(gdb) x/s 0x4026c0
0x4026c0 <array.3601>: "\002"
Any idea what this "\002" is? Sorry, for all of the questions I'm throwing your way. This phase is considerably harder than the previous ones and I just want to make sure I get a good understanding of what's happening here.
The \002 was likely hardcoded by whoever designed this crackme. Without having the actual binary (and access to a machine with Linux installed), my first suggestion would be to do some trial and error toward approximating the value of ECX to $0x2d. See opcodes at 0x040113a and 0x040113d. This is sometimes more efficient than tracking what "decryption" opcodes do in 0x0401118-0x0401138. This approach is taken on the crackme I explained at http://www.oneclubofjusticides.com/p/speedoreveng.html (it's in German, though).
Hope this clarifies.
Iñaki Viggers
Last edited by iviggers; January 8th, 2018 at 11:28 AM.
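As an added illustration of the loop from post #1 (not code from the thread or from the bomb lab itself), the following Python model reproduces what phase_5 does between 0x401118 and 0x40113a: each of the six input bytes is masked to its low nibble (`and $0xf,%edx`), that nibble selects a 4-byte entry from the table at 0x4026c0 (`add 0x4026c0(,%rdx,4),%ecx`), and the running total must end up equal to 0x2d. The gdb output in post #5 only reveals entry 0 of that table (the byte "\002", i.e. 2); the other 15 values in `SAMPLE_TABLE` are constructed placeholders so the script runs offline, and the function and variable names are mine. Because only the low nibble of each byte matters, the search below works on nibbles and then spells each one as a letter.

```python
import itertools

# Added example (not from the thread): Python model of phase_5 from post #1.
TARGET_SUM = 0x2D           # from "cmp $0x2d,%ecx"
REQUIRED_LENGTH = 6         # from "cmp $0x6,%eax" after string_length

# The table ("array.3601") has 16 dword entries, because the index is masked
# with 0xf and scaled by 4. The thread's gdb output shows only entry 0 == 2;
# the remaining 15 values here are CONSTRUCTED placeholders, not the bomb's
# real data. In gdb the real entries can be listed with: x/16dw 0x4026c0
SAMPLE_TABLE = [2, 10, 6, 1, 12, 16, 9, 3, 4, 7, 14, 5, 11, 8, 15, 13]


def phase_5_sum(password: bytes, table=SAMPLE_TABLE) -> int:
    """Mirror of the loop: ecx = sum of table[byte & 0xf] over every byte."""
    ecx = 0
    for byte in password:
        ecx = (ecx + table[byte & 0xF]) & 0xFFFFFFFF  # %ecx is a 32-bit register
    return ecx


def phase_5_passes(password: bytes, table=SAMPLE_TABLE) -> bool:
    """True if this input reaches 'pop %rbx; retq' without calling explode_bomb."""
    if len(password) != REQUIRED_LENGTH:   # first check: string_length == 6
        return False
    return phase_5_sum(password, table) == TARGET_SUM


def nibble_to_letter(nibble: int) -> int:
    """A lowercase letter whose low nibble equals `nibble` ('p' = 0x70 covers 0)."""
    return 0x70 if nibble == 0 else 0x60 + nibble


def solve(table=SAMPLE_TABLE, target=TARGET_SUM):
    """Find six table indices whose entries sum to `target` and spell them as
    letters. Order does not matter to the check, so combinations suffice."""
    for combo in itertools.combinations_with_replacement(range(16), REQUIRED_LENGTH):
        if sum(table[i] for i in combo) == target:
            return bytes(nibble_to_letter(i) for i in combo)
    return None   # no six entries of this table add up to the target


if __name__ == "__main__":
    answer = solve()
    print(answer, phase_5_passes(answer))
```

With the real table substituted for `SAMPLE_TABLE`, `solve()` gives a six-letter input that satisfies the sum check; any other bytes with the same low nibbles (uppercase letters, digits, punctuation) pass equally, which is why several different strings defuse this phase.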