Binary bomb- phase 6

0

This is the disassembly of phase_6:

 08048dbf <phase_6>:
 8048dbf:   55                      push   %ebp
 8048dc0:   89 e5                   mov    %esp,%ebp
 8048dc2:   83 ec 18                sub    $0x18,%esp
 8048dc5:   c7 44 24 0c 00 00 00    movl   $0x0,0xc(%esp)
 8048dcc:   00 
 8048dcd:   c7 44 24 08 0a 00 00    movl   $0xa,0x8(%esp)
 8048dd4:   00 
 8048dd5:   c7 44 24 04 00 00 00    movl   $0x0,0x4(%esp)
 8048ddc:   00 
 8048ddd:   8b 45 08                mov    0x8(%ebp),%eax
 8048de0:   89 04 24                mov    %eax,(%esp)
 8048de3:   e8 0c fa ff ff          call   80487f4 <__strtol_internal@plt>
 8048de8:   a3 4c b5 04 08          mov    %eax,0x804b54c
 8048ded:   c7 04 24 4c b5 04 08    movl   $0x804b54c,(%esp)
 8048df4:   e8 76 ff ff ff          call   8048d6f <fun6>
 8048df9:   ba 01 00 00 00          mov    $0x1,%edx
 8048dfe:   8b 40 08                mov    0x8(%eax),%eax
 8048e01:   42                      inc    %edx //HERE
 8048e02:   83 fa 06                cmp    $0x6,%edx//HERE
 8048e05:   7e f7                   jle    8048dfe <phase_6+0x3f>
 8048e07:   8b 00                   mov    (%eax),%eax
 8048e09:   3b 05 4c b5 04 08       cmp    0x804b54c,%eax
 8048e0f:   74 05                   je     8048e16 <phase_6+0x57>
 8048e11:   e8 2d 06 00 00          call   8049443 <explode_bomb>
 8048e16:   c9                      leave  
 8048e17:   c3                      ret

And the dissasembly of fun6:

 08048d6f <fun6>:
 8048d6f:   55                      push   %ebp
 8048d70:   89 e5                   mov    %esp,%ebp
 8048d72:   56                      push   %esi
 8048d73:   53                      push   %ebx
 8048d74:   8b 75 08                mov    0x8(%ebp),%esi
 8048d77:   8b 5e 08                mov    0x8(%esi),%ebx
 8048d7a:   c7 46 08 00 00 00 00    movl   $0x0,0x8(%esi)
 8048d81:   85 db                   test   %ebx,%ebx
 8048d83:   74 34                   je     8048db9 <fun6+0x4a>
 8048d85:   89 f2                   mov    %esi,%edx
 8048d87:   89 f1                   mov    %esi,%ecx
 8048d89:   85 f6                   test   %esi,%esi
 8048d8b:   74 15                   je     8048da2 <fun6+0x33>
 8048d8d:   8b 06                   mov    (%esi),%eax
 8048d8f:   3b 03                   cmp    (%ebx),%eax
 8048d91:   7e 0f                   jle    8048da2 <fun6+0x33>
 8048d93:   89 d1                   mov    %edx,%ecx
 8048d95:   8b 52 08                mov    0x8(%edx),%edx
 8048d98:   85 d2                   test   %edx,%edx
 8048d9a:   74 06                   je     8048da2 <fun6+0x33>
 8048d9c:   8b 02                   mov    (%edx),%eax
 8048d9e:   3b 03                   cmp    (%ebx),%eax
 8048da0:   7f f1                   jg     8048d93 <fun6+0x24>
 8048da2:   39 d1                   cmp    %edx,%ecx
 8048da4:   74 05                   je     8048dab <fun6+0x3c>
 8048da6:   89 59 08                mov    %ebx,0x8(%ecx)
 8048da9:   eb 02                   jmp    8048dad <fun6+0x3e>
 8048dab:   89 de                   mov    %ebx,%esi
 8048dad:   8b 4b 08                mov    0x8(%ebx),%ecx
 8048db0:   89 53 08                mov    %edx,0x8(%ebx)
 8048db3:   89 cb                   mov    %ecx,%ebx
 8048db5:   85 c9                   test   %ecx,%ecx
 8048db7:   75 cc                   jne    8048d85 <fun6+0x16>
 8048db9:   89 f0                   mov    %esi,%eax
 8048dbb:   5b                      pop    %ebx
 8048dbc:   5e                      pop    %esi
 8048dbd:   5d                      pop    %ebp
 8048dbe:   c3                      ret

I know that this phase is a linked list, but I am not sure how many inputs to use. The two places I indicated in phase_6 make me think that there needs to be 6 inputs, but there are 9 nodes that look like this:

0x804b510 <node5>:      0x000003e3      0x00000005      0x804b528   (995)
0x804b528 <node3>:      0x000003d2      0x00000003      0x0804b51c  (978)   
0x804b51c <node4>:      0x00000365      0x00000004      0x0804b504  (869) 
0x804b504 <node6>:      0x000002ff      0x00000006      0x0804b4e0  (767)
0x804b4e0 <node9>:      0x00000280      0x00000009      0x0804b534  (640)            
0x804b534 <node2>:      0x000001b6      0x00000002      0x0804b4f8  (438)
0x804b4f8 <node7>:      0x00000106      0x00000007      0x0804b540  (262)
0x804b540 <node1>:      0x000000c6      0x00000001      0x0804b4ec  (198)
0x804b4ec <node8>:      0x00000052      0x00000008      0x0804b54c  (82)

Where the numbers in the parenthesis are the conversions from hex to decimal of the numbers in the first column. What is peculiar to me is that these nodes appear to be in descending order. I have tried the input of 5 3 4 6 9 2 7 1 8 and it did not work (also did it reversed).

My question is how do I know how many inputs to expect? I believe it is 6, but why would there be 9 nodes?

assembly
x86
reverse-engineering
asked on Stack Overflow Apr 20, 2016 by Nick Predey • edited Apr 20, 2016 by Jester

1 Answer

2

There is only 1 input, which should be obvious from the single strtol call at 8048de3. The number of nodes in the list has nothing to do with the number of inputs.

Since you have only asked about the number of inputs, that's the only thing I answered.

answered on Stack Overflow Apr 20, 2016 by Jester

User contributions licensed under CC BY-SA 3.0