Stuck on binary bomb

I am having a difficult time figuring out how to defuse a binary bomb for school. Apparently it takes a string of characters and we need to buffer overflow it. Here is the code:

    0x00000000004013f2 <+0>:     sub    $0x308,%rsp
   0x00000000004013f9 <+7>:     mov    %rdi,%rsi
   0x00000000004013fc <+10>:    movl   $0x1802fd09,0x38(%rsp)
   0x0000000000401404 <+18>:    movb   $0x11,0x3e(%rsp)
   0x0000000000401409 <+23>:    movw   $0x0,0x40(%rsp)
   0x0000000000401410 <+30>:    movq   $0x28779e81,0x48(%rsp)
   0x0000000000401419 <+39>:    movw   $0x1d52,0x34(%rsp)
   0x0000000000401420 <+46>:    movw   $0x116e,0x3c(%rsp)
   0x0000000000401427 <+53>:    movw   $0x617a,0x20(%rsp)
   0x000000000040142e <+60>:    movb   $0x0,0x22(%rsp)
   0x0000000000401433 <+65>:    lea    0x20(%rsp),%rdi
   0x0000000000401438 <+70>:    callq  0x401194 <strcat>
   0x000000000040143d <+75>:    movzwl 0x34(%rsp),%eax
   0x0000000000401442 <+80>:    cmp    $0x453a,%ax
   0x0000000000401446 <+84>:    je     0x40144d <phase_4+91>
   0x0000000000401448 <+86>:    callq  0x401bf6 <activate_bomb>
   0x000000000040144d <+91>:    mov    0x48(%rsp),%rax
   0x0000000000401452 <+96>:    cmp    $0x28779e81,%rax
   0x0000000000401458 <+102>:   je     0x40145f <phase_4+109>
   0x000000000040145a <+104>:   callq  0x401bf6 <activate_bomb>
   0x000000000040145f <+109>:   movzbl 0x3e(%rsp),%eax
   0x0000000000401464 <+114>:   cmp    $0x2d,%al
   0x0000000000401466 <+116>:   je     0x40146d <phase_4+123>
   0x0000000000401468 <+118>:   callq  0x401bf6 <activate_bomb>
   0x000000000040146d <+123>:   movzwl 0x40(%rsp),%eax
   0x0000000000401472 <+128>:   test   %ax,%ax
   0x0000000000401475 <+131>:   je     0x40147c <phase_4+138>
   0x0000000000401477 <+133>:   callq  0x401bf6 <activate_bomb>
   0x000000000040147c <+138>:   movzwl 0x3c(%rsp),%edx
   0x0000000000401481 <+143>:   mov    0x38(%rsp),%eax
   0x0000000000401485 <+147>:   shr    $0x2,%eax
   0x0000000000401488 <+150>:   not    %eax
   0x000000000040148a <+152>:   movswl %dx,%edx
   0x000000000040148d <+155>:   and    %edx,%eax
   0x000000000040148f <+157>:   cmp    $0x2000,%eax
   0x0000000000401494 <+162>:   sete   %al
   0x0000000000401497 <+165>:   movzbl %al,%eax
   0x000000000040149a <+168>:   add    $0x308,%rsp
   0x00000000004014a1 <+175>:   retq

I typed in the string abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ as my answer and when I got to +80, I figured out that I needed to change st to :E (Because 453a in hex is :E in ASCII.)

I am now stuck on +96 where it compares %rax with $0x28779e81. The value of rax at this point is 0x54535251504f4e4d, so I am guessing that I need to replace MNOPQRST with the ASCII equivalent of 0x28779e81 (this is how I solved +80). But I can't figure out how to convert 0x28779e81 into ASCII because 9e81 is not in the regular ASCII chart. I had a look at an extended ASCII chart where it showed 9e = ₧ and 81 = ü, so I replaced MNOPQRST with ü₧w(, but I think that is wrong because the value of rax is not 0x28779e81. Any help is appreciated. Thanks.
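An added example (not from the original post) that models this phase's stack frame from the listing above: strcat copies the typed string into the frame starting at 0x22, right after the "az" prefix stored at 0x20, so every compared offset corresponds to a fixed character position, and the qword at 0x48 is stored before the strcat runs, so the copy can only disturb it, never set it. The model assumes the standard strcat (copy up to the first NUL, then write a NUL); the frame offsets and constants are taken from the disassembly, and the candidate strings in the test are constructed.

```python
import struct

FRAME = 0x308                       # sub $0x308,%rsp

def input_index(frame_off: int) -> int:
    """Which byte of the typed string lands at a given %rsp offset."""
    return frame_off - 0x22         # strcat appends after "az\0" at 0x20

def run_phase(user_input: bytes) -> dict:
    """Emulate the initial stores, the strcat and the five comparisons."""
    sp = bytearray(FRAME)
    struct.pack_into('<I', sp, 0x38, 0x1802fd09)   # movl $0x1802fd09,0x38(%rsp)
    sp[0x3e] = 0x11                                # movb $0x11,0x3e(%rsp)
    struct.pack_into('<H', sp, 0x40, 0)            # movw $0x0,0x40(%rsp)
    struct.pack_into('<Q', sp, 0x48, 0x28779e81)   # movq $0x28779e81,0x48(%rsp)
    struct.pack_into('<H', sp, 0x34, 0x1d52)       # movw $0x1d52,0x34(%rsp)
    struct.pack_into('<H', sp, 0x3c, 0x116e)       # movw $0x116e,0x3c(%rsp)
    struct.pack_into('<H', sp, 0x20, 0x617a)       # "az"
    sp[0x22] = 0
    # strcat(buf, input): copy up to the input's first NUL, then append a NUL.
    data = user_input.split(b'\0', 1)[0]
    end = 0x20 + sp[0x20:].index(0)
    if end + len(data) + 1 > FRAME:
        raise ValueError("input runs past the 0x308-byte frame")
    sp[end:end + len(data) + 1] = data + b'\0'
    # The comparisons, in program order; each failure would call activate_bomb.
    w34, = struct.unpack_from('<H', sp, 0x34)      # movzwl 0x34(%rsp) ; cmp $0x453a,%ax
    q48, = struct.unpack_from('<Q', sp, 0x48)      # mov 0x48(%rsp) ; cmp $0x28779e81,%rax
    b3e = sp[0x3e]                                 # movzbl 0x3e(%rsp) ; cmp $0x2d,%al
    w40, = struct.unpack_from('<H', sp, 0x40)      # movzwl 0x40(%rsp) ; test %ax,%ax
    d38, = struct.unpack_from('<I', sp, 0x38)
    w3c, = struct.unpack_from('<h', sp, 0x3c)      # movswl %dx,%edx: sign-extended
    eax = (~(d38 >> 2)) & 0xffffffff               # shr $0x2,%eax ; not %eax
    final = (eax & (w3c & 0xffffffff)) == 0x2000   # and %edx,%eax ; cmp $0x2000 ; sete
    return {
        'word_0x34': w34, 'qword_0x48': q48, 'byte_0x3e': b3e, 'word_0x40': w40,
        'checks': [w34 == 0x453a, q48 == 0x28779e81, b3e == 0x2d, w40 == 0, final],
    }

def defused(user_input: bytes) -> bool:
    """True only if every comparison in the phase passes."""
    return all(run_phase(user_input)['checks'])
```

Feeding the 52-letter alphabet string from the post reproduces the 0x54535251504f4e4d seen in %rax at +96, and an empty input leaves 0x48 at its initial 0x28779e81.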
