  1. #1
    Join Date
    Oct 2017
    Posts
    3

    Need help deciphering assembly code

    Hello there, I've very recently started learning about assembly and came across something called a Binary Bomb which seemed like a fun exercise to test my skills on. To put it simply the objective is to "defuse" a bomb by reading assembly code and figuring out a password that will allow me to move through several phases without exploding the bomb. I have completed phase 1 through 4 and I'm currently stuck on phase 5. I've been staring at this code for hours and I just can't seem to figure it out. I believe it is asking for a string of 6 chars? But beyond that I'm not sure what to do. Any directions or further explanation on what's happening in this code would be greatly appreciated. Thanks!

    Code:
    Dump of assembler code for function phase_5:
    => 0x0000000000401105 <+0>:    push   %rbx
       0x0000000000401106 <+1>:    mov    %rdi,%rbx
       0x0000000000401109 <+4>:    callq  0x40135a <string_length>
       0x000000000040110e <+9>:    cmp    $0x6,%eax
       0x0000000000401111 <+12>:    je     0x401118 <phase_5+19>
       0x0000000000401113 <+14>:    callq  0x40164c <explode_bomb>
       0x0000000000401118 <+19>:    mov    %rbx,%rax
       0x000000000040111b <+22>:    lea    0x6(%rbx),%rdi
       0x000000000040111f <+26>:    mov    $0x0,%ecx
       0x0000000000401124 <+31>:    movzbl (%rax),%edx
       0x0000000000401127 <+34>:    and    $0xf,%edx
       0x000000000040112a <+37>:    add    0x4026c0(,%rdx,4),%ecx
       0x0000000000401131 <+44>:    add    $0x1,%rax
       0x0000000000401135 <+48>:    cmp    %rdi,%rax
       0x0000000000401138 <+51>:    jne    0x401124 <phase_5+31>
       0x000000000040113a <+53>:    cmp    $0x2d,%ecx
       0x000000000040113d <+56>:    je     0x401144 <phase_5+63>
       0x000000000040113f <+58>:    callq  0x40164c <explode_bomb>
       0x0000000000401144 <+63>:    pop    %rbx
       0x0000000000401145 <+64>:    retq  
    End of assembler dump.

  2. #2
    2kaud is offline Super Moderator Power Poster
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,822

    Re: Need help deciphering assembly code

    What assembler language? You also haven't shown the code for the function located at 0x40135a.
    All advice is offered in good faith only. All my code is tested (unless stated explicitly otherwise) with the latest version of Microsoft Visual Studio (using the supported features of the latest standard) and is offered as examples only - not as production quality. I cannot offer advice regarding any other c/c++ compiler/IDE or incompatibilities with VS. You are ultimately responsible for the effects of your programs and the integrity of the machines they run on. Anything I post, code snippets, advice, etc is licensed as Public Domain https://creativecommons.org/publicdomain/zero/1.0/ and can be used without reference or acknowledgement. Also note that I only provide advice and guidance via the forums - and not via private messages!

    C++23 Compiler: Microsoft VS2022 (17.6.5)

  3. #3
    Join Date
    Oct 2017
    Posts
    3

    Re: Need help deciphering assembly code

    My apologies for the lack of clarification. I believe the assembler language should be x86 AT&T. As far as the function at 0x40135a:

    Code:
    Dump of assembler code for function string_length:
    => 0x000000000040135a <+0>:    cmpb   $0x0,(%rdi)
       0x000000000040135d <+3>:    je     0x401372 <string_length+24>
       0x000000000040135f <+5>:    mov    $0x0,%eax
       0x0000000000401364 <+10>:    add    $0x1,%rdi
       0x0000000000401368 <+14>:    add    $0x1,%eax
       0x000000000040136b <+17>:    cmpb   $0x0,(%rdi)
       0x000000000040136e <+20>:    jne    0x401364 <string_length+10>
       0x0000000000401370 <+22>:    repz retq
       0x0000000000401372 <+24>:    mov    $0x0,%eax
       0x0000000000401377 <+29>:    retq  
    End of assembler dump.
    Hopefully, I'm not excluding any other piece of crucial information. Let me know if I am. Thank you.

  4. #4
    2kaud is offline Super Moderator Power Poster
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,822

    Re: Need help deciphering assembly code

    I believe it is asking for a string of 6 chars?
    It's not a form of x86 assembler I've come across - but for a starter rdi contains the address of the null terminated string. When doing something like this, I tend to look at where the exceptions occur (in this case the bomb) and what doesn't cause the exception and then work back.
    Last edited by 2kaud; October 20th, 2017 at 02:57 AM.

  5. #5
    Join Date
    Oct 2017
    Posts
    3

    Re: Need help deciphering assembly code

    Thanks for the input 2kaud. Can you by chance give me an idea of what the loop in the code is doing? I've been trying to figure it out for a while but no luck so far. Also:

    Code:
    (gdb) x/s 0x4026c0
    0x4026c0 <array.3601>: "\002"
    Any idea what this "\002" is? Sorry for all of the questions I'm throwing your way. This phase is considerably harder than the previous ones and I just want to make sure I get a good understanding of what's happening here.

  6. #6
    2kaud is offline Super Moderator Power Poster
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,822

    Re: Need help deciphering assembly code

    Can you by chance give me an idea of what the loop in the code is doing?
    Work through it by hand using pen and paper - the way I would have to do! What's stored at 0x4026c0?

  7. #7
    Join Date
    Nov 2017
    Posts
    4

    Re: Need help deciphering assembly code

    Can someone explain what this code is computing? and what BNZ instruction will do?
    Instruction 0: LOAD R1, = 5
    1: LOAD R2, = 1
    2: MULTIPLY R2, R1
    3: SUBTRACT R1, = 1
    4: BNZ R1, 2
    5: PRINT R2
    6: STOP

  8. #8
    2kaud is offline Super Moderator Power Poster
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,822

    Re: Need help deciphering assembly code

    I suspect that BNZ means Branch Non Zero, i.e. branch if the result is not zero. So BNZ r1, 2 I suspect means branch if r1 is not 2.

  9. #9
    Join Date
    Jun 2010
    Location
    Germany
    Posts
    2,675

    Re: Need help deciphering assembly code

    Quote Originally Posted by 2kaud
    I suspect that BNZ means Branch Non Zero - ie branch if the result is not zero. So BNZ r1, 2 I suspect means branch if r1 is not 2.
    Well, my interpretation is that the instruction means "branch to location 2 if R1 is not zero". And based on this, I think I can now tell what the code computes, in simple high-level math terms. (... but of course I'm not doing so. )
    Last edited by Eri523; November 29th, 2017 at 04:39 PM. Reason: Typo
    I was thrown out of college for cheating on the metaphysics exam; I looked into the soul of the boy sitting next to me.

    This is a snakeskin jacket! And for me it's a symbol of my individuality, and my belief... in personal freedom.

  10. #10
    2kaud is offline Super Moderator Power Poster
    Join Date
    Dec 2012
    Location
    England
    Posts
    7,822

    Re: Need help deciphering assembly code

    Quote Originally Posted by Eri523
    Well, my interpretation is that the instruction means "branch to location 2 if R1 is not zero". And based on this, I think I can now tell what the code computes, in simple high-level math terms. (... but of course I'm not doing so. )
    Doh! Yeah, you're right.
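    Added example (editor's addition, not code from any poster): a tiny interpreter for the six-instruction machine quoted in post #7, using Eri523's reading of BNZ (branch to the target location when the named register is not zero). The opcode names, the register-numbering and the two-operand forms are assumptions made to transcribe the listing; the machine in the original exercise is not specified beyond what the post shows.

```c
#include <stdio.h>
#include <stddef.h>

/* Opcodes of the small machine in post #7 (names are our own transcription). */
typedef enum { LOAD_IMM, MULTIPLY, SUBTRACT_IMM, BNZ, PRINT, STOP } Opcode;

/* reg is the register operated on; arg is an immediate (LOAD/SUBTRACT),
 * a source register (MULTIPLY) or a branch target location (BNZ). */
typedef struct { Opcode op; int reg; int arg; } Instr;

/* The program from post #7, one element per numbered instruction. */
static const Instr post7_program[] = {
    { LOAD_IMM,     1, 5 },   /* 0: LOAD R1, =5       R1 = 5              */
    { LOAD_IMM,     2, 1 },   /* 1: LOAD R2, =1       R2 = 1              */
    { MULTIPLY,     2, 1 },   /* 2: MULTIPLY R2, R1   R2 = R2 * R1        */
    { SUBTRACT_IMM, 1, 1 },   /* 3: SUBTRACT R1, =1   R1 = R1 - 1         */
    { BNZ,          1, 2 },   /* 4: BNZ R1, 2         if R1 != 0 goto 2   */
    { PRINT,        2, 0 },   /* 5: PRINT R2                                */
    { STOP,         0, 0 },   /* 6: STOP                                    */
};

#define NUM_REGS  4
#define MAX_STEPS 10000   /* guard so a program that never reaches STOP terminates */

/* Runs prog until STOP. Returns the last value PRINTed, or -1 if nothing
 * was printed, the program ran off the end, or MAX_STEPS was exceeded. */
long run_program(const Instr *prog, size_t len)
{
    long regs[NUM_REGS] = {0};
    long printed = -1;
    size_t pc = 0;

    for (int steps = 0; steps < MAX_STEPS && pc < len; steps++) {
        const Instr *in = &prog[pc];
        switch (in->op) {
        case LOAD_IMM:     regs[in->reg] = in->arg;          pc++; break;
        case MULTIPLY:     regs[in->reg] *= regs[in->arg];   pc++; break;
        case SUBTRACT_IMM: regs[in->reg] -= in->arg;         pc++; break;
        case BNZ:          /* branch only while the register is non-zero */
                           pc = (regs[in->reg] != 0) ? (size_t)in->arg : pc + 1;
                           break;
        case PRINT:        printed = regs[in->reg];
                           printf("R%d = %ld\n", in->reg, printed);
                           pc++; break;
        case STOP:         return printed;
        }
    }
    return -1;
}

/* Convenience wrapper so the post #7 program can be run by name. */
long run_post7_program(void)
{
    return run_program(post7_program, sizeof post7_program / sizeof post7_program[0]);
}

int main(void)
{
    run_post7_program();
    return 0;
}
```

    Stepping through it by hand as 2kaud suggests: R1 counts 5, 4, 3, 2, 1, 0 while R2 accumulates the product, and the branch at location 4 falls through only once R1 reaches zero, so PRINT shows the product of 5 down to 1. Under the other reading ("branch if R1 is not 2") the loop would exit after three multiplications and print a different value, which is why the two posters disagree.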

  11. #11
    Join Date
    Dec 2006
    Posts
    72

    Re: Need help deciphering assembly code

    Like 19921127 mentioned, this is x86 assembly language using AT&T syntax. The occurrence of AT&T syntax suggests that this binary runs on Linux or a similar OS, but more decisive is the way the parameter is passed to string_length: through EBX (register) rather than by PUSHing the address where the password is stored, as is typical on 32-bit Windows machines. Function string_length was statically added by the linker (and yes, the password must be six bytes long). When INT 0x80 is used instead of CALL, the function to execute is specified through EAX.

    Quote Originally Posted by 19921127
    Thanks for the input 2kaud. Can you by chance give me an idea of what the loop in the code is doing? I've been trying to figure it out for a while but no luck so far. Also:

    Code:
    (gdb) x/s 0x4026c0
    0x4026c0 <array.3601>: "\002"
    Any idea what this "\002" is? Sorry for all of the questions I'm throwing your way. This phase is considerably harder than the previous ones and I just want to make sure I get a good understanding of what's happening here.
    The \002 was likely hardcoded by whoever designed this crackme. Without having the actual binary (and access to a machine with Linux installed), my first suggestion would be to do some trial and error toward approximating the value of ECX to $0x2d. See opcodes at 0x040113a and 0x040113d. This is sometimes more efficient than tracking what "decryption" opcodes do in 0x0401118-0x0401138. This approach is taken on the crackme I explained at http://www.oneclubofjusticides.com/p/speedoreveng.html (it's in German, though).

    Hope this clarifies.

    Iñaki Viggers
    Last edited by iviggers; January 8th, 2018 at 11:28 AM.
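    Added example (editor's addition, not code from any poster or from the bomb binary): a C model of what the phase_5 listing in post #1 and the string_length listing in post #3 compute, written from the instructions shown in the thread. The `and $0xf,%edx` keeps only the low nibble of each byte, and `add 0x4026c0(,%rdx,4),%ecx` uses that nibble as an index into a table of 4-byte entries starting at 0x4026c0, which is the "\002" 19921127 found with `x/s`. Only that first entry is visible in the thread, so the table below is a constructed placeholder with entry 0 set to 2 and the rest chosen by us; the sample strings are likewise constructed for this table and say nothing about the real bomb's answer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the 16-entry table the loop indexes at 0x4026c0
 * (array.3601). Only its first byte, \002, is visible in the thread; the
 * remaining 15 entries are placeholders, not values from the bomb binary. */
static const int32_t lookup_table[16] = {
    2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53
};

/* Mirror of string_length (post #3): advance until the NUL terminator. */
size_t model_string_length(const char *s)
{
    size_t n = 0;
    while (s[n] != '\0')
        n++;
    return n;
}

/* The loop at phase_5+31..+51: for each of the six bytes, mask to the low
 * nibble (and $0xf,%edx), fetch the 4-byte table entry at that index
 * (0x4026c0(,%rdx,4)) and accumulate it in %ecx. %rax walks from %rbx to
 * %rbx+6, which is exactly six iterations. Caller guarantees 6 bytes. */
int32_t phase_5_checksum(const char *s)
{
    int32_t acc = 0;                       /* mov $0x0,%ecx */
    for (int i = 0; i < 6; i++) {
        unsigned idx = (unsigned char)s[i] & 0xf;
        acc += lookup_table[idx];
    }
    return acc;
}

/* Whole phase: returns 1 if the input passes, 0 where explode_bomb would be
 * reached (length != 6 at +9/+12, or sum != 0x2d at +53/+56). */
int phase_5_model(const char *input)
{
    if (model_string_length(input) != 6)
        return 0;
    return phase_5_checksum(input) == 0x2d;   /* 0x2d == 45 */
}

int main(void)
{
    /* Constructed inputs for the placeholder table above. */
    const char *samples[] = { "012346", "000000", "01234" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size_t len = model_string_length(samples[i]);
        int sum = (len == 6) ? (int)phase_5_checksum(samples[i]) : -1;
        printf("%-8s length=%zu sum=%d -> %s\n", samples[i], len, sum,
               phase_5_model(samples[i]) ? "pass" : "explode");
    }
    return 0;
}
```

    Reading the loop this way turns the phase into one equation: the six table entries selected by the low nibbles of the input bytes must sum to 0x2d (45). With the placeholder table, "012346" selects entries 0, 1, 2, 3, 4 and 6 (2+3+5+7+11+17) and passes, while "000000" sums to 12 and a five-character string never reaches the loop. For the real binary the same reasoning applies once all sixteen entries have been read with gdb (for example `x/16dw 0x4026c0`, which dumps them as 4-byte decimal words), which is the pen-and-paper exercise 2kaud describes.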
