How to solve the binary bomb phase 3? What is the password?
Dear student, I understand your problem and that you need help with the binary bomb phase 3.
Please go through the information given below; it should help you with the query.
I'm taking a shot at stage three of the bomb and I think I have an overall thought on what sort of info I need; I was contemplating whether somebody could confirm.
It would appear that I have to pass two sources of info and the data sources can differ. The first info would be put away at
0x08048cd7 <phase_3+6>: lea -0x8(%ebp),%eax
put away at (ebp-8)
At that point the subsequent information would be put away at
0x08048cde <phase_3+13>: lea -0x4(%ebp),%eax
put away at (ebp-4)
At that point, whenever input 2 at (ebp-4) <= 7
switch(*(ebp-4))
which changes to one of the statements relying upon what the value of *(ebp-4) is,
which would then set the value of eax relying upon the statement changed to,
which would then bounce to the memory area referred to in the switch case, which at that point plays out a procedure on eax and sets eax equivalent to the outcome.
At that point, if *(ebp - 4) > 5 or eax != *(ebp - 8)
explode_bomb is called
in any case the stage is defused
Dump of assembler code for function phase_3:
0x08048cd1 <phase_3+0>: push %ebp
0x08048cd2 <phase_3+1>: mov %esp,%ebp
0x08048cd4 <phase_3+3>: sub $0x28,%esp
0x08048cd7 <phase_3+6>: lea -0x8(%ebp),%eax
0x08048cda <phase_3+9>: mov %eax,0xc(%esp)
0x08048cde <phase_3+13>: lea -0x4(%ebp),%eax
0x08048ce1 <phase_3+16>: mov %eax,0x8(%esp)
0x08048ce5 <phase_3+20>: movl $0x80497bb,0x4(%esp)
0x08048ced <phase_3+28>: mov 0x8(%ebp),%eax
0x08048cf0 <phase_3+31>: mov %eax,(%esp)
0x08048cf3 <phase_3+34>: call 0x8048828 <sscanf@plt>
0x08048cf8 <phase_3+39>: cmp $0x1,%eax
0x08048cfb <phase_3+42>: jg 0x8048d02 <phase_3+49>
0x08048cfd <phase_3+44>: call 0x8048f2c <explode_bomb>
0x08048d02 <phase_3+49>: cmpl $0x7,-0x4(%ebp)
0x08048d06 <phase_3+53>: ja 0x8048d73 <phase_3+162>
0x08048d08 <phase_3+55>: mov -0x4(%ebp),%eax
0x08048d0b <phase_3+58>: jmp *0x804974c(,%eax,4)
0x08048d12 <phase_3+65>: mov $0x0,%eax
0x08048d17 <phase_3+70>: jmp 0x8048d6c <phase_3+155>
0x08048d19 <phase_3+72>: mov $0x0,%eax
0x08048d1e <phase_3+77>: xchg %ax,%ax
0x08048d20 <phase_3+79>: jmp 0x8048d67 <phase_3+150>
0x08048d22 <phase_3+81>: mov $0x0,%eax
0x08048d27 <phase_3+86>: jmp 0x8048d62 <phase_3+145>
0x08048d29 <phase_3+88>: mov $0x0,%eax
0x08048d2e <phase_3+93>: xchg %ax,%ax
0x08048d30 <phase_3+95>: jmp 0x8048d5d <phase_3+140>
0x08048d32 <phase_3+97>: mov $0x0,%eax
0x08048d37 <phase_3+102>: jmp 0x8048d58 <phase_3+135>
0x08048d39 <phase_3+104>: mov $0x0,%eax
0x08048d3e <phase_3+109>: xchg %ax,%ax
0x08048d40 <phase_3+111>: jmp 0x8048d53 <phase_3+130>
0x08048d42 <phase_3+113>: mov $0x6a,%eax
0x08048d47 <phase_3+118>: jmp 0x8048d4e <phase_3+125>
0x08048d49 <phase_3+120>: mov $0x0,%eax
0x08048d4e <phase_3+125>: sub $0x363,%eax
0x08048d53 <phase_3+130>: add $0x396,%eax
0x08048d58 <phase_3+135>: sub $0x39d,%eax
0x08048d5d <phase_3+140>: add $0x1d2,%eax
0x08048d62 <phase_3+145>: sub $0x2ed,%eax
0x08048d67 <phase_3+150>: add $0x2ed,%eax
0x08048d6c <phase_3+155>: sub $0x331,%eax
0x08048d71 <phase_3+160>: jmp 0x8048d7d <phase_3+172>
0x08048d73 <phase_3+162>: call 0x8048f2c <explode_bomb>
0x08048d78 <phase_3+167>: mov $0x0,%eax
0x08048d7d <phase_3+172>: cmpl $0x5,-0x4(%ebp)
0x08048d81 <phase_3+176>: jg 0x8048d88 <phase_3+183>
0x08048d83 <phase_3+178>: cmp -0x8(%ebp),%eax
0x08048d86 <phase_3+181>: je 0x8048d8d <phase_3+188>
0x08048d88 <phase_3+183>: call 0x8048f2c <explode_bomb>
0x08048d8d <phase_3+188>: leave
0x08048d8e <phase_3+189>: xchg %ax,%ax
0x08048d90 <phase_3+191>: ret
End of assembler dump.
So the two numbers I have to enter as info would be entered in backward order? For example, whenever input = 3 6
(ebp+8) = 6
(ebp+4) = 3
Likewise, I've been taking a gander at the conditionals and it appears (ebp - 4) must be either 2, 3, or 4, and afterward, dependent on which value it is, there would be a hop to one of these memory areas:
on the off chance that 2, hop to 0x08048d53
on the off chance that 3, hop to 0x08048d58
on the off chance that 4, hop to 0x08048d5d
At that point, subsequent to playing out a figuring at those areas, set = eax
A conditional that, if *(ebp-4) > 5 or eax != *(ebp-8) equals true, the bomb detonates; in any case defused.
That being said, I could utilize 2, 3 or 4, and afterward, dependent on which I pick and where it hops from on the conditional, I would need to work out the calculation for the second user input?
Is this what's going on, and after doing so I would get the required second value?
Dear student, I hope you have gone through the above solution and that this has resolved your query to the maximum extent possible. Thanks a lot!
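As an added example (not part of the original answer), the C model below replays the case blocks and the fall-through arithmetic chain from the dump and reports the value eax holds at phase_3+172 for each block. The jump table at 0x804974c is not shown on this page, so which input index selects which block is left open: the model is keyed by block address, and the names `eax_for_block` and `index_survives` are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Arithmetic chain at phase_3+125..+155, copied from the dump on this page.
   Execution falls through from the entry point to the last step. */
struct step { uint32_t addr; int delta; };
static const struct step chain[] = {
    {0x08048d4e, -0x363}, {0x08048d53, +0x396}, {0x08048d58, -0x39d},
    {0x08048d5d, +0x1d2}, {0x08048d62, -0x2ed}, {0x08048d67, +0x2ed},
    {0x08048d6c, -0x331},
};
#define NSTEPS (sizeof chain / sizeof chain[0])

/* Case blocks: address of the mov, value loaded into eax, jmp target. */
struct block { uint32_t addr; int init; uint32_t enters; };
static const struct block blocks[] = {
    {0x08048d12, 0x00, 0x08048d6c}, {0x08048d19, 0x00, 0x08048d67},
    {0x08048d22, 0x00, 0x08048d62}, {0x08048d29, 0x00, 0x08048d5d},
    {0x08048d32, 0x00, 0x08048d58}, {0x08048d39, 0x00, 0x08048d53},
    {0x08048d42, 0x6a, 0x08048d4e}, {0x08048d49, 0x00, 0x08048d4e},
};
#define NBLOCKS (sizeof blocks / sizeof blocks[0])

/* Stores eax as it stands at phase_3+172; returns -1 for an unknown block. */
int eax_for_block(uint32_t block_addr, int *out) {
    for (size_t b = 0; b < NBLOCKS; b++) {
        if (blocks[b].addr != block_addr) continue;
        int eax = blocks[b].init, entered = 0;
        for (size_t s = 0; s < NSTEPS; s++) {
            if (chain[s].addr == blocks[b].enters) entered = 1;
            if (entered) eax += chain[s].delta;   /* fall through to the end */
        }
        *out = eax;
        return 0;
    }
    return -1;
}

/* The two guards on the index: ja at +53 is unsigned, jg at +176 is signed. */
int index_survives(int idx) { return (unsigned)idx <= 7u && idx <= 5; }

int main(void) {
    for (size_t b = 0; b < NBLOCKS; b++) {
        int eax;
        eax_for_block(blocks[b].addr, &eax);
        printf("block 0x%08x -> eax %d\n", (unsigned)blocks[b].addr, eax);
    }
    return 0;
}
```

The value compared at phase_3+178 is the one stored at -0x8(%ebp), whose pointer is passed at 0xc(%esp), after the pointer to -0x4(%ebp) at 0x8(%esp) in the sscanf argument list.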