0

So heres the phase: 

0x00000000004013d9 <+0>:     sub    $0x2c8,%rsp                 #reserve 0x2c8 in stack
0x00000000004013e0 <+7>:     mov    %rdi,%rsi                   #rsi =  rdi 
0x00000000004013e3 <+10>:    movw   $0x6cb,0x42(%rsp)           #stack pointer + 0x42 = 0x6cb
0x00000000004013ea <+17>:    movw   $0xcc26,0x50(%rsp)          # "
0x00000000004013f1 <+24>:    movw   $0x8a1,0x44(%rsp)           # "
0x00000000004013f8 <+31>:    movb   $0x7,0x40(%rsp)             # "
0x00000000004013fd <+36>:    movl   $0x12fad68e,0x3c(%rsp)      # "
0x0000000000401405 <+44>:    movq   $0x0,0x48(%rsp)             #same as above with corresponding values
0x000000000040140e <+53>:    lea    0x30(%rsp),%rdi             #rdi = value at 0x30 in stack
0x0000000000401413 <+58>:    callq  0x400ca0 <strcpy@plt>       #string copy
0x0000000000401418 <+63>:    movzbl 0x40(%rsp),%eax             #eax = value at 0x40 in stack
0x000000000040141d <+68>:    cmp    $0x57,%al                   #compare lower 8 bits of eax to 0x57
0x000000000040141f <+70>:    je     0x401426 <phase_4+77>       #continue if same
0x0000000000401421 <+72>:    callq  0x401bbe <bomb_ignition>
0x0000000000401426 <+77>:    movzwl 0x50(%rsp),%eax             #eax = value at 0x50 in stack
0x000000000040142b <+82>:    cmp    $0xcc26,%ax                 #compare lower 16 bits of eax to 0xcc26
0x000000000040142f <+86>:    je     0x401436 <phase_4+93>       #continue if same
0x0000000000401431 <+88>:    callq  0x401bbe <bomb_ignition>
0x0000000000401436 <+93>:    mov    0x48(%rsp),%rax             #rax = value at 0x48 in stack
0x000000000040143b <+98>:    test   %rax,%rax                   #rax = rax & rax
0x000000000040143e <+101>:   je     0x401445 <phase_4+108>      #continue if same
0x0000000000401440 <+103>:   callq  0x401bbe <bomb_ignition> 
0x0000000000401445 <+108>:   movzwl 0x42(%rsp),%eax             #eax = value at 0x42 in stack
0x000000000040144a <+113>:   cmp    $0x425b,%ax                 #compare lower 16 bits of eax to 0x425b
0x000000000040144e <+117>:   je     0x401455 <phase_4+124>      #continue if same
0x0000000000401450 <+119>:   callq  0x401bbe <bomb_ignition>
0x0000000000401455 <+124>:   movzwl 0x44(%rsp),%edx             #edx = value at 0x44 in stack
0x000000000040145a <+129>:   mov    0x3c(%rsp),%eax             #eax = value at 0x3c in stack
0x000000000040145e <+133>:   shl    $0x5,%eax                   #eax *= 32 
0x0000000000401461 <+136>:   movswl %dx,%edx                    #edx = lower 16 bits of rdx
0x0000000000401464 <+139>:   xor    %edx,%eax                   #eax ^= edx
0x0000000000401466 <+141>:   cmp    $0x2e8ee3c5,%eax            #compare eax a 0x2e8ee3c5
0x000000000040146b <+146>:   sete   %al
0x000000000040146e <+149>:   movzbl %al,%eax
0x0000000000401471 <+152>:   add    $0x2c8,%rsp                     
0x0000000000401478 <+159>:   retq

Ive annotated what I think its doing next to it, but I cant figure out the big picture.

My guess is it takes the input and compares it to what it puts in the stack? Im am unsure of the strcpy and where it copies to. Im guessing its the rax/eax register. Because it then compares the values in the stack to that. But Im still unsure of how to figure out what the input is supposed to be. I tried putting some of the values it movs into the stack, like 0x6cb, 0x8a1 and 0x7, into and hex to ascii convertor but the values characters they produce cant be put as input, because some are emojis and stuff. The hint "dr evil" gave was "go with the flow, buffer overflow" so im sure its bufferoverflowing.

Id appreciate any help. Thank you.

Improve this question
2
  • 2
    "Im am unsure of the strcpy and where it copies to." You should look at agner's calling convention doc. Section 7 has a table that shows what registers are used for parameters for various OSs. Commented Sep 28, 2017 at 5:52
  • Also note that some of the values it checks are already on the stack and some need to be overwritten with a different value. Commented Sep 28, 2017 at 11:49

1 Answer 1

Reset to default
1

In a really simple way you could:
1- look at the strcpy function (man strcpy)

char * strcpy ( char * destination, const char * source );

2- look at the calling convention (In your case it should be a linux 64bit file)

Parameters in registers are RDI, RSI, RDX, RCX, R8, R9, XMM0–7
Then:

> strcpy(RDI, RSI)

3- Start the debugger and set a breakpoint at this address 0x0000000000401413 and then look at the content of the registre RDI and RSI with the command i r $rdi $rsi

If you have the control of the values at the address of $rsi, you could overwrite the values at the $rdi address

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.