I'm working on a project where I have an executable file and the main function to the executable. The executable takes in 6 strings, one at a time, if the string matches what it is accepting then it will request the next string.

The project is to use gdb debugger to go into the program and examine the disassembled functions being used to determine what each string is. I figured out the first one but the second is giving me a problem. Here is the disassembled phase_2 function:


Dump of assembler code for function phase_2:
0x08048bed <phase_2+0>: push %ebp
0x08048bee <phase_2+1>: mov %esp,%ebp
0x08048bf0 <phase_2+3>: push %ebx
0x08048bf1 <phase_2+4>: sub $0x2c,%esp
0x08048bf4 <phase_2+7>: lea 0xffffffd8(%ebp),%eax
0x08048bf7 <phase_2+10>: push %eax
0x08048bf8 <phase_2+11>: pushl 0x8(%ebp)
0x08048bfb <phase_2+14>: call 0x8048f5d <read_six_numbers>
0x08048c00 <phase_2+19>: add $0x10,%esp
0x08048c03 <phase_2+22>: cmpl $0x1,0xffffffd8(%ebp)
0x08048c07 <phase_2+26>: je 0x8048c0e <phase_2+33>
0x08048c09 <phase_2+28>: call 0x8049530 <explode_bomb>
0x08048c0e <phase_2+33>: mov $0x1,%ebx
0x08048c13 <phase_2+38>: lea 0x1(%ebx),%eax
0x08048c16 <phase_2+41>: imul 0xffffffd4(%ebp,%ebx,4),%eax
0x08048c1b <phase_2+46>: cmp %eax,0xffffffd8(%ebp,%ebx,4)
0x08048c1f <phase_2+50>: je 0x8048c26 <phase_2+57>
0x08048c21 <phase_2+52>: call 0x8049530 <explode_bomb>
0x08048c26 <phase_2+57>: inc %ebx
0x08048c27 <phase_2+58>: cmp $0x5,%ebx
0x08048c2a <phase_2+61>: jle 0x8048c13 <phase_2+38>
0x08048c2c <phase_2+63>: mov 0xfffffffc(%ebp),%ebx
---Type <return> to continue, or q <return> to quit---
0x08048c2f <phase_2+66>: leave
0x08048c30 <phase_2+67>: ret
End of assembler dump.

From examining that I need to then disassemble the read_six_numbers function which gives me this:


Dump of assembler code for function read_six_numbers:
0x08048f5d <read_six_numbers+0>: push %ebp
0x08048f5e <read_six_numbers+1>: mov %esp,%ebp
0x08048f60 <read_six_numbers+3>: sub $0x8,%esp
0x08048f63 <read_six_numbers+6>: mov 0xc(%ebp),%edx
0x08048f66 <read_six_numbers+9>: lea 0x14(%edx),%eax
0x08048f69 <read_six_numbers+12>: push %eax
0x08048f6a <read_six_numbers+13>: lea 0x10(%edx),%eax
0x08048f6d <read_six_numbers+16>: push %eax
0x08048f6e <read_six_numbers+17>: lea 0xc(%edx),%eax
0x08048f71 <read_six_numbers+20>: push %eax
0x08048f72 <read_six_numbers+21>: lea 0x8(%edx),%eax
0x08048f75 <read_six_numbers+24>: push %eax
0x08048f76 <read_six_numbers+25>: lea 0x4(%edx),%eax
0x08048f79 <read_six_numbers+28>: push %eax
0x08048f7a <read_six_numbers+29>: push %edx
0x08048f7b <read_six_numbers+30>: push $0x80498d8
0x08048f80 <read_six_numbers+35>: pushl 0x8(%ebp)
0x08048f83 <read_six_numbers+38>: call 0x8048934
0x08048f88 <read_six_numbers+43>: add $0x20,%esp
0x08048f8b <read_six_numbers+46>: cmp $0x5,%eax
0x08048f8e <read_six_numbers+49>: jg 0x8048f95 <read_six_numbers+56>
0x08048f90 <read_six_numbers+51>: call 0x8049530 <explode_bomb>
---Type <return> to continue, or q <return> to quit---
0x08048f95 <read_six_numbers+56>: leave
0x08048f96 <read_six_numbers+57>: ret


I haven't been able to get much of any progress on this, if anyone can help read this and give some suggestions as to where to start it would be greatly appreciated.

on a side note at read_six_numbers+38 where it says: call 0x8048934; disassembling 0x8048934 says there is no function at that address, so what is it calling?

Also at read_six_numbers+30 the function is pushing 0x80498d8 onto the stack, checking the string at 0x80498d8 gives me: 0x80498d8 <_IO_stdin_used+508>: "%d %d %d %d %d %d"
I'm not sure what that means, or if its useful at all.

Thanks in advance if anybody can lend assistance, I will post any updates as I work on this.

Sorry for the double post, if an admin wants to merge these posts go ahead but I could not edit the above post as it is hours after I posted it.

So i finally figured it out... the answer needed six integers... 1 2 6 24 120 720

Now I'm stuck on phase 3... heres the code:


0x08048c31 <phase_3+0>: push %ebp
0x08048c32 <phase_3+1>: mov %esp,%ebp
0x08048c34 <phase_3+3>: push %ebx
0x08048c35 <phase_3+4>: sub $0x14,%esp
0x08048c38 <phase_3+7>: mov $0x0,%ebx
0x08048c3d <phase_3+12>: lea 0xfffffff8(%ebp),%eax
0x08048c40 <phase_3+15>: push %eax
0x08048c41 <phase_3+16>: lea 0xfffffff4(%ebp),%eax
0x08048c44 <phase_3+19>: push %eax
0x08048c45 <phase_3+20>: push $0x80498e4
0x08048c4a <phase_3+25>: pushl 0x8(%ebp)
0x08048c4d <phase_3+28>: call 0x8048934
0x08048c52 <phase_3+33>: add $0x10,%esp
0x08048c55 <phase_3+36>: cmp $0x1,%eax
0x08048c58 <phase_3+39>: jg 0x8048c5f <phase_3+46>
0x08048c5a <phase_3+41>: call 0x8049530 <explode_bomb>
0x08048c5f <phase_3+46>: cmpl $0x7,0xfffffff4(%ebp)
0x08048c63 <phase_3+50>: ja 0x8048c9e <phase_3+109>
0x08048c65 <phase_3+52>: mov 0xfffffff4(%ebp),%eax
0x08048c68 <phase_3+55>: jmp *0x804987c(,%eax,4)
0x08048c6f <phase_3+62>: add $0x298,%ebx
0x08048c75 <phase_3+68>: sub $0xea,%ebx
0x08048c7b <phase_3+74>: add $0x206,%ebx
0x08048c81 <phase_3+80>: sub $0x372,%ebx
0x08048c87 <phase_3+86>: add $0x7c,%ebx
0x08048c8a <phase_3+89>: sub $0x256,%ebx
0x08048c90 <phase_3+95>: add $0x256,%ebx
0x08048c96 <phase_3+101>: sub $0xb4,%ebx
0x08048c9c <phase_3+107>: jmp 0x8048ca3 <phase_3+114>
0x08048c9e <phase_3+109>: call 0x8049530 <explode_bomb>
0x08048ca3 <phase_3+114>: cmpl $0x5,0xfffffff4(%ebp)
0x08048ca7 <phase_3+118>: jg 0x8048cae <phase_3+125>
0x08048ca9 <phase_3+120>: cmp 0xfffffff8(%ebp),%ebx
0x08048cac <phase_3+123>: je 0x8048cb3 <phase_3+130>
0x08048cae <phase_3+125>: call 0x8049530 <explode_bomb>
0x08048cb3 <phase_3+130>: mov 0xfffffffc(%ebp),%ebx
0x08048cb6 <phase_3+133>: leave
0x08048cb7 <phase_3+134>: ret

So far I've figured out that you need two integers, when I enter "4 4 %s" (%s being any string I enter) it gets all the way to 0x08048cac but does not jump... once again any help will be appreciated.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.