ASM help - assembly language binary bomb phase_6


I have been working on this for hours and still can't find the right answer. I have searched around, and many people say the input is the numbers 1–6 with no repeats, but I can't find anything in the assembly code that says so. I did, after looking hard, finally find the nodes:

(gdb)   x /4x 0x804a62c
0x804a62c <node0>:  0x00000006  0x00000000  0x0804a620  0x000003e9

(gdb) x /4x 0x804a614
0x804a614 <node2>:  0x0000003e  0x00000002  0x0804a608  0x0000014b

(gdb) x /4x 0x804a620
0x804a620 <node1>:  0x0000014b  0x00000001  0x0804a62c  0x00000006

(gdb) x /4x 0x804a608
0x804a608 <node3>:  0x000003e4  0x00000003  0x0804a5fc  0x0000003e

(gdb) x /4x 0x804a5fc
0x804a5fc <node4>:  0x0000016e  0x00000004  0x0804a5f0  0x000003e4

(gdb) x /4x 0x804a5f0
0x804a5f0 <node5>:  0x00000397  0x00000005  0x0804a5e4  0x0000016e

(gdb) x /4x 0x804a5e4
0x804a5e4 <node6>:  0x00000194  0x00000006  0x0804a5d8  0x00000397

(gdb) x /4x 0x804a5d8
0x804a5d8 <node7>:  0x000002a8  0x00000007  0x0804a5cc  0x00000194

(gdb) x /4x 0x804a5cc
0x804a5cc <node8>:  0x000000b9  0x00000008  0x0804a5c0  0x000002a8

(gdb) x /4x 0x804a5c0
0x804a5c0 <node9>:  0x00000355  0x00000009  0x00000000  0x000000b9

So I put them in order and got 3 5 9 7 6 4 1 8 2 0, but when I enter that, it still doesn't work. Here is the assembly code for this phase:

     Dump of assembler code for function phase_6:
     # void phase_6(const char *input)  -- 32-bit x86, cdecl, AT&T syntax (gdb dump)
     # Parses ONE integer from the input string, stores it into the first dword of the
     # node at 0x804a62c (<node0> in the gdb dumps above), passes that node to fun6,
     # then follows three 'next' links (offset 8) from fun6's return value and requires
     # the value found in that node to equal the parsed input.
     # Node layout, as read from the dumps: +0 value, +4 id, +8 next-pointer
     # (node0's third dword 0x0804a620 is the address of <node1>).
       0x08048ca0 <+0>: push   %ebp
       0x08048ca1 <+1>: mov    %esp,%ebp
       0x08048ca3 <+3>: push   %ebx                         # %ebx is callee-saved: it holds &node0 across both calls
       0x08048ca4 <+4>: sub    $0x14,%esp                   # room for outgoing call arguments
       0x08048ca7 <+7>: movl   $0xa,0x8(%esp)               # strtol arg 3: base = 10
       0x08048caf <+15>:    movl   $0x0,0x4(%esp)           # strtol arg 2: endptr = NULL (trailing text after the number is not checked)
       0x08048cb7 <+23>:    mov    0x8(%ebp),%eax           # phase_6's own first argument: the input string
       0x08048cba <+26>:    mov    %eax,(%esp)              # strtol arg 1: the string
       0x08048cbd <+29>:    call   0x80487e8 <strtol@plt>   # %eax = strtol(input, NULL, 10) -- a single number is read
       0x08048cc2 <+34>:    mov    $0x804a62c,%ebx          # %ebx = &node0
       0x08048cc7 <+39>:    mov    %eax,(%ebx)              # node0.value = parsed input
       0x08048cc9 <+41>:    mov    %ebx,(%esp)              # fun6 arg 1 = &node0
       0x08048ccc <+44>:    call   0x8048b8d <fun6>         # %eax = fun6(&node0): a node pointer (see fun6 below)
       0x08048cd1 <+49>:    mov    0x8(%eax),%eax           # %eax = %eax->next
       0x08048cd4 <+52>:    mov    0x8(%eax),%eax           # %eax = %eax->next
       0x08048cd7 <+55>:    mov    0x8(%eax),%eax           # %eax = %eax->next  (4th node of the list fun6 returned)
       0x08048cda <+58>:    mov    (%eax),%eax              # %eax = that node's value
       0x08048cdc <+60>:    cmp    (%ebx),%eax              # compare it with node0.value, i.e. the parsed input
       0x08048cde <+62>:    je     0x8048ce5 <phase_6+69>   # equal -> phase passes
       0x08048ce0 <+64>:    call   0x8049236 <explode_bomb> # otherwise the bomb explodes
       0x08048ce5 <+69>:    add    $0x14,%esp
       0x08048ce8 <+72>:    pop    %ebx
       0x08048ce9 <+73>:    pop    %ebp
       0x08048cea <+74>:    ret    
    End of assembler dump.

And for the fun6 function:

Dump of assembler code for function fun6:
# node *fun6(node *head)  -- 32-bit x86, cdecl, AT&T syntax (gdb dump)
# Node layout assumed from the gdb dumps above: +0 value, +4 id, +8 next-pointer.
# Detaches head->next, then re-inserts every remaining node into the list that
# starts at head, keeping that list ordered by value with the largest first
# (the comparisons use jg, i.e. signed). Returns the head of the rebuilt list in %eax.
# Register roles:
#   %eax = head of the sorted list built so far
#   %esi = node currently being inserted; %ebx = its value
#   %ecx = scan cursor; at insertion time the new node goes between %edi and %ecx
#   %edx = scratch (a next pointer)
   0x08048b8d <+0>: push   %ebp
   0x08048b8e <+1>: mov    %esp,%ebp
   0x08048b90 <+3>: push   %edi                  # save the callee-saved registers used below
   0x08048b91 <+4>: push   %esi
   0x08048b92 <+5>: push   %ebx
   0x08048b93 <+6>: mov    0x8(%ebp),%edx        # %edx = head
   0x08048b96 <+9>: mov    0x8(%edx),%esi        # %esi = head->next: first node to insert
   0x08048b99 <+12>:    movl   $0x0,0x8(%edx)    # head->next = NULL: the sorted list starts as just [head]
   0x08048ba0 <+19>:    mov    %edx,%eax         # sorted head = head
   0x08048ba2 <+21>:    mov    %edx,%ecx         # cursor = head
   0x08048ba4 <+23>:    mov    %edx,%edi
   0x08048ba6 <+25>:    test   %esi,%esi
   0x08048ba8 <+27>:    jne    0x8048bd8 <fun6+75>   # something to insert -> enter the loop
   0x08048baa <+29>:    jmp    0x8048be4 <fun6+87>   # single-node list -> return head
   0x08048bac <+31>:    mov    %edx,%ecx         # advance the cursor: %ecx = %ecx->next
   0x08048bae <+33>:    mov    0x8(%ecx),%edx    # %edx = %ecx->next
   0x08048bb1 <+36>:    test   %edx,%edx
   0x08048bb3 <+38>:    je     0x8048bb9 <fun6+44>   # end of the sorted list -> insert after %ecx
   0x08048bb5 <+40>:    cmp    %ebx,(%edx)
   0x08048bb7 <+42>:    jg     0x8048bac <fun6+31>   # keep walking while %edx->value > %ebx (signed)
   0x08048bb9 <+44>:    mov    %ecx,%edi         # insertion point found: after %edi ...
   0x08048bbb <+46>:    mov    %edx,%ecx         # ... and before %ecx (NULL when appending at the end)
   0x08048bbd <+48>:    cmp    %ecx,%edi
   0x08048bbf <+50>:    jne    0x8048bc5 <fun6+56>
   0x08048bc1 <+52>:    mov    %esi,%eax         # %edi == %ecx only when inserting in front of the sorted head: %esi becomes the new head
   0x08048bc3 <+54>:    jmp    0x8048bc8 <fun6+59>
   0x08048bc5 <+56>:    mov    %esi,0x8(%edi)    # %edi->next = %esi
   0x08048bc8 <+59>:    mov    0x8(%esi),%edx    # %edx = next unsorted node (read before the link is overwritten)
   0x08048bcb <+62>:    mov    %ecx,0x8(%esi)    # %esi->next = %ecx
   0x08048bce <+65>:    test   %edx,%edx
   0x08048bd0 <+67>:    je     0x8048be4 <fun6+87>   # nothing left to insert -> return %eax
   0x08048bd2 <+69>:    mov    %edx,%esi         # next node to insert
   0x08048bd4 <+71>:    mov    %eax,%ecx         # restart the cursor at the sorted head
   0x08048bd6 <+73>:    mov    %eax,%edi
   0x08048bd8 <+75>:    test   %ecx,%ecx         # loop head; %ecx is the sorted head here, so it is non-NULL in practice
   0x08048bda <+77>:    je     0x8048bbd <fun6+48>
   0x08048bdc <+79>:    mov    (%esi),%ebx       # %ebx = value of the node being inserted
   0x08048bde <+81>:    cmp    %ebx,(%ecx)
   0x08048be0 <+83>:    jg     0x8048bae <fun6+33>   # sorted head's value > %ebx -> scan forward for the spot
   0x08048be2 <+85>:    jmp    0x8048bbd <fun6+48>   # otherwise insert in front of the sorted head (%edi == %ecx)
   0x08048be4 <+87>:    pop    %ebx
   0x08048be5 <+88>:    pop    %esi
   0x08048be6 <+89>:    pop    %edi
   0x08048be7 <+90>:    pop    %ebp
   0x08048be8 <+91>:    ret    
End of assembler dump.

I have been at this for hours! Any help would be greatly appreciated!

asked on Stack Overflow Mar 5, 2014 by user2396030 • edited Mar 6, 2014 by user2396030

1 Answer


Note that there are many versions of the bomb, so the fact that some people told you the answer was 3 5 9 7 6 4 1 8 2 0 has little bearing on yours. As you can see, phase_6 makes a single call to strtol (at +29), so only a single number is expected as input. That number is then stored into node0, and fun6 is called with the node's address; it eventually returns a node pointer whose contents are checked against some condition. Try to work out what fun6 is doing and what that condition is.

answered on Stack Overflow Mar 5, 2014 by Jester
