phase_5_analyze

1. 08048efb <phase_5>:
2.  
3. ; Stack frame of phase_5:
4. ; function typedef: DWORD __cdecl phase_5(char* pszStringToScan)
5. ; Segment:
6. ; EBP+0x08: pszStringToScan
7. ; EBP+0x04: Return address
8. ; EBP+0x00: Old EBP value
9. ; EBP-0x04: ESI backup
10. ; EBP-0x08: EBX backup
11. ; ...
12. ; EBP-0x12: First sscanf format list argument
13. ; EBP-0x16: Second sscanf format list argument
14.  
15. 8048efb: 55 push ebp ; Backup old EBP value to use as stack pointer
16. 8048efc: 89 e5 mov ebp,esp ; Copy value from ESP to EBP. EBP stack frame pointer setup done
17. 8048efe: 56 push esi ; Backup ESI to use it
18. 8048eff: 53 push ebx ; Backup EBX to use it
19. 8048f00: 83 ec 20 sub esp,0x20 ;Subtract 0x20 bytes from ESP to allocate stack memory
20. 8048f03: 8d 45 f0 lea eax,[ebp-16] ; Load expression ebp-0x16 to EAX. It's the pointer to the second format list arg for sscanf
21. 8048f06: 89 44 24 0c mov DWORD PTR [esp+12],eax ; Copy value from EAX to [ESP+0x12]. At ESP+0x12 is the fourth function arg
22. 8048f0a: 8d 45 f4 lea eax,[ebp-12] ; Load expression EBP-0x12 to EAX. It's the pointer to the first format list arg for sscanf
23. 8048f0d: 89 44 24 08 mov DWORD PTR [esp+8],eax ; Copy value from EAX to [ESP+0x08]. At ESP+0x08 is the third function arg
24. 8048f11: c7 44 24 04 e4 a6 04 mov DWORD PTR [esp+4],0x804a6e4 ; Copy constant VA value to [ESP+0x04]. At ESP+0x04 is the second function arg
25. 8048f19: 8b 45 08 mov eax,DWORD PTR [ebp+8] ; Copy value at [EBP+0x08] (argument of phase_5()) to EAX. The string which shall be scanned is passed to phase_5() function
26. 8048f1c: 89 04 24 mov DWORD PTR [esp],eax ; Copy value from EAX to [ESP]. At ESP is the first function arg
27. 8048f1f: e8 8c f9 ff ff call 80488b0 <__isoc99_sscanf@plt> ; Call sscanf function (cdecl)
28. 8048f24: 83 f8 01 cmp eax,0x1 ; Perform comparition with EAX and 0x01
29. 8048f27: 7f 05 jg 8048f2e <phase_5+0x33> ; If EAX is greater then jump to address
30. 8048f29: e8 d3 06 00 00 call 8049601 <explode_bomb> ; Else call explode_bomb(). So we don't want to get to this place
31. 8048f2e: 8b 45 f4 mov eax,DWORD PTR [ebp-12] ; Copy DWORD at [EBP-12] (first format list arg) to EAX
32. 8048f31: 83 e0 0f and eax,0xf ; Perform AND operation with EAX and 0x0F
33. 8048f34: 89 45 f4 mov DWORD PTR [ebp-12],eax ; Copy new value back to the stack var
34. 8048f37: 83 f8 0f cmp eax,0xf ; Perform comparision with EAX and 0x0F
35. 8048f3a: 74 29 je 8048f65 <phase_5+0x6a> ; If both are equal jump to the address. That shall not happen.
36. 8048f3c: b9 00 00 00 00 mov ecx,0x0 ; Initialize ECX with 0x00000000 by copying
37. 8048f41: ba 00 00 00 00 mov edx,0x0 ; Initialize EDX with 0x00000000 by copying
38. 8048f46: bb c0 a5 04 08 mov ebx,0x804a5c0 ; Copy VA constant to EBX. It is the base address of a DWORD array
39. ;Begin loop
40. 8048f4b: 83 c2 01 add edx,0x1 ; Add 0x01 to EDX
41. 8048f4e: 8b 04 83 mov eax,DWORD PTR [ebx+eax*4] ; Copy the DWORD at EBX+EAX*4 to EAX. Get index offset by EAX*4
42. 8048f51: 01 c1 add ecx,eax ; Add EAX to ECX
43. 8048f53: 83 f8 0f cmp eax,0xf ; Perform comparison with EAX and 0x0F. To end this loop EAX must have the value 0x0F at its lowest byte
44. 8048f56: 75 f3 jne 8048f4b <phase_5+0x50> ; If both are not equal jump to loop begin.
45. ; End loop
46. 8048f58: 89 45 f4 mov DWORD PTR [ebp-12],eax ; Copy EAX back to the stack var
47. 8048f5b: 83 fa 0f cmp edx,0xf ; Compare EDX with 0x0F
48. 8048f5e: 75 05 jne 8048f65 <phase_5+0x6a> ; If not equal jump to the fail part. So, basically, EDX must have the value 0x0F at its lowest byte to avoid explode_bomb() call
49. 8048f60: 39 4d f0 cmp DWORD PTR [ebp-16],ecx ; Compare DWORD at [EBP-0x016] with ECX
50. 8048f63: 74 05 je 8048f6a <phase_5+0x6f> ; If both are equal jump to the success part!
51. 8048f65: e8 97 06 00 00 call 8049601 <explode_bomb> ; Call explode_bomb() function. So we don't want to get to this place from 8048f3a and 8048f5e
52. 8048f6a: 83 c4 20 add esp,0x20 ; Remove the allocated stack memory by adding
53. 8048f6d: 5b pop ebx ; Restore EBX
54. 8048f6e: 5e pop esi ; Restore ESI
55. 8048f6f: 5d pop ebp ; Restore old EBP
56. 8048f70: c3 ret ; Restore return address
57.  
58. // Possible C implementation
59. DWORD __cdecl phase_5_8048efb(char* pszStringToScan)
60. {
61. static unsigned int uia804a5c0[...] = {...};
62.  
63. DWORD dwEBP12;
64. DWORD dwEBP16;
65.  
66. if (sscanf(pszStringToScan, "%d %d", &dwEBP12, &dwEBP16) <= 0x01)
67. explode_bomb();
68.  
69. DWORD dwEAX = dwEBP12 & 0x0F;
70. dwEBP12 = dwEAX;
71.  
72. if (dwEAX == 0x0F)
73. explode_bomb();
74.  
75. DWORD dwECX, dwEDX;
76. dwECX = dwEDX = 0;
77.  
78. while (dwEAX != 0x0F) {
79. dwEAX = *(DWORD*)((DWORD)uia804a5c0 + dwEAX * 4); //uia804a5c0[dwEAX];
80.  
81. dwECX += dwEAX;
82.  
83. dwEDX++;
84. }
85.  
86. dwEBP12 = dwEAX;
87.  
88. if ((dwEDX != 0x0F) || (dwECX != dwEBP16))
89. explode_bomb();
90.  
91. return dwEAX;
92. }
93.  
94. //Conclusion: If you want the function phase_5() to succeed then the values of the
95. //important registers need the following values (context beginning at 8048f3c till the end):
96. //EAX==0x0F && EDX!=0x0F && ECX!=dwEBP16
97. //Since ECX and EDX get changed inside the loop it all depends on the array element value at a certain position