My current class assignment consists of reverse engineering a piece of code written by the professor. Basically the program reads one line at a time from STDIN (or from a file named on the command line) and checks whether it is the right phrase. If it is, that bomb is defused and the program continues to the next one. If the phrase is incorrect, the bomb blows up and I have to try again.
Below is my methodology for Phase 1.
** Note that as students we were given access to the source code of the "shell" program that calls the functions that actually do the comparison, so I know the functions are called phase_1() through phase_6(). The function names could also be recovered with objdump -t bomb.exe, which dumps the symbol table (this only works because the binary is not stripped; on a stripped binary you would have to find the phases by following calls out of main in the disassembly instead).
** Also, solutions.txt contains a single line with the content: testing
(gdb) b phase_1
(gdb) display /i $pc
(gdb) r solutions.txt
That runs the program until the breakpoint is hit. Once it is hit I run disas to display the assembly of the current function. I notice a call to strings_not_equal and figure that the two values written to the stack at (%esp) and 4(%esp) just before the call are its arguments and, given the function's name, are probably strings. I then use display /a $eax to look at the address held in %eax. Finally, I use x /s 0x405040 and x /s 0x404140 to print the strings located at those addresses. One is the string I passed in, and the other is the winning string. I change solutions.txt to contain the new string and run the bomb again to validate. It works! Bomb 1 defused!
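To rehearse the same steps on something you can rebuild and re-disassemble at will, here is a minimal practice bomb I wrote for this post. It is not the professor's code: the winning phrase, the file name practice_bomb.c and the exit code are all made up, but the shape is the one the disassembly above reveals, a phase_1() that hands the input line and a hard-coded phrase to strings_not_equal() and explodes on a non-zero result. The comment at the top gives the gdb commands to pull both argument strings off the stack at the call, which is the generalisation of the x /s step above.

```c
/* practice_bomb.c: a constructed stand-in for the course bomb (added example,
 * not the original program). Build it 32-bit like the real one so the
 * arguments land on the stack:
 *   gcc -m32 -O0 -fno-pic -no-pie -o practice_bomb practice_bomb.c
 * Then recover the phrase without guessing the addresses by hand:
 *   (gdb) b *strings_not_equal           # first instruction, before the prologue
 *   (gdb) r solutions.txt
 *   (gdb) x/s *(char **)($esp+4)         # arg 1: the line read from the file
 *   (gdb) x/s *(char **)($esp+8)         # arg 2: the hard-coded winning phrase
 * At that point (%esp) holds the return address, so the cdecl arguments sit
 * at 4(%esp) and 8(%esp). -no-pie keeps the addresses absolute, like the
 * 0x404140 seen above; with PIE they would be relocated on every run.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical winning phrase; the real bomb's lives in .rodata and is
 * whatever x/s shows you. */
static const char phase_1_answer[] = "The quick brown fox is not the bomb.";

/* Same convention as the bomb's strings_not_equal: 0 means equal,
 * anything else means the phase explodes. */
int strings_not_equal(const char *a, const char *b) {
    return strcmp(a, b) != 0;
}

static void explode_bomb(void) {
    puts("BOOM!!!");
    exit(8);
}

/* Phase 1: compare the input line with the fixed phrase. In the
 * disassembly the constant moved to 4(%esp) before the call is the
 * pointer to phase_1_answer. */
void phase_1(const char *input) {
    if (strings_not_equal(input, phase_1_answer) != 0)
        explode_bomb();
}

/* Read one line, drop the trailing newline fgets keeps; NULL at EOF. */
char *read_line(char *buf, size_t n, FILE *in) {
    if (!fgets(buf, n, in))
        return NULL;
    buf[strcspn(buf, "\n")] = '\0';
    return buf;
}

/* Mirrors the course "shell": solutions come from the file named in
 * argv[1], or from stdin when no file is given. */
int main(int argc, char **argv) {
    FILE *in = stdin;
    if (argc > 1 && !(in = fopen(argv[1], "r"))) {
        perror(argv[1]);
        return 1;
    }
    char line[80];
    if (!read_line(line, sizeof line, in))
        return 1;
    phase_1(line);
    puts("Phase 1 defused. How about the next one?");
    return 0;
}
```

If your toolchain cannot build 32-bit, drop -m32 and note that on x86-64 the two arguments arrive in %rdi and %rsi instead of on the stack, so the equivalent commands at the same breakpoint are x/s $rdi and x/s $rsi.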