Binary Bomb phase 6 no nodes


This question is based on the same project as the other Binary Bomb Phase 6 questions (most likely will be related links), but for some reason I can't find the nodes themselves, to check their increasing/decreasing values. When I try to use the function: x/3x $eax, it returns: Cannot access memory at 0x4, which makes me think that it actually isn't a node. It is, however, what is in the end being compared to check for equality.

(gdb) x/3x $eax
0x4:    Cannot access memory at address 0x4

Here is the function phase_6:

   0x08048dea <+0>:     push   %esi
   0x08048deb <+1>:     push   %ebx
   0x08048dec <+2>:     sub    $0x44,%esp
   0x08048def <+5>:     lea    0x10(%esp),%eax
   0x08048df3 <+9>:     mov    %eax,0x4(%esp)
   0x08048df7 <+13>:    mov    0x50(%esp),%eax
   0x08048dfb <+17>:    mov    %eax,(%esp)
   0x08048dfe <+20>:    call   0x8049479 <read_six_numbers>
   0x08048e03 <+25>:    mov    $0x0,%esi
   0x08048e08 <+30>:    mov    0x10(%esp,%esi,4),%eax
   0x08048e0c <+34>:    sub    $0x1,%eax
   0x08048e0f <+37>:    cmp    $0x5,%eax
   0x08048e12 <+40>:    jbe    0x8048e19 <phase_6+47>
   0x08048e14 <+42>:    call   0x804932c <explode_bomb>
   0x08048e19 <+47>:    add    $0x1,%esi
   0x08048e1c <+50>:    cmp    $0x6,%esi
   0x08048e1f <+53>:    je     0x8048e54 <phase_6+106>
   0x08048e21 <+55>:    mov    %esi,%ebx
   0x08048e23 <+57>:    mov    0x10(%esp,%ebx,4),%eax
   0x08048e27 <+61>:    cmp    %eax,0xc(%esp,%esi,4)
   0x08048e2b <+65>:    jne    0x8048e32 <phase_6+72>
   0x08048e2d <+67>:    call   0x804932c <explode_bomb>
   0x08048e32 <+72>:    add    $0x1,%ebx
   0x08048e35 <+75>:    cmp    $0x5,%ebx
   0x08048e38 <+78>:    jle    0x8048e23 <phase_6+57>
   0x08048e3a <+80>:    jmp    0x8048e08 <phase_6+30>
   0x08048e3c <+82>:    mov    0x8(%edx),%edx
   0x08048e3f <+85>:    add    $0x1,%eax
   0x08048e42 <+88>:    cmp    %ecx,%eax
   0x08048e44 <+90>:    jne    0x8048e3c <phase_6+82>
   0x08048e46 <+92>:    mov    %edx,0x28(%esp,%esi,4)
   0x08048e4a <+96>:    add    $0x1,%ebx
   0x08048e4d <+99>:    cmp    $0x6,%ebx
   0x08048e50 <+102>:   jne    0x8048e59 <phase_6+111>
   0x08048e52 <+104>:   jmp    0x8048e70 <phase_6+134>
   0x08048e54 <+106>:   mov    $0x0,%ebx
   0x08048e59 <+111>:   mov    %ebx,%esi
   0x08048e5b <+113>:   mov    0x10(%esp,%ebx,4),%ecx
   0x08048e5f <+117>:   mov    $0x1,%eax
   0x08048e64 <+122>:   mov    $0x804d154,%edx
   0x08048e69 <+127>:   cmp    $0x1,%ecx
   0x08048e6c <+130>:   jg     0x8048e3c <phase_6+82>
   0x08048e6e <+132>:   jmp    0x8048e46 <phase_6+92>
   0x08048e70 <+134>:   mov    0x28(%esp),%ebx
   0x08048e74 <+138>:   mov    0x2c(%esp),%eax
   0x08048e78 <+142>:   mov    %eax,0x8(%ebx)
   0x08048e7b <+145>:   mov    0x30(%esp),%edx
   0x08048e7f <+149>:   mov    %edx,0x8(%eax)
   0x08048e82 <+152>:   mov    0x34(%esp),%eax
   0x08048e86 <+156>:   mov    %eax,0x8(%edx)
   0x08048e89 <+159>:   mov    0x38(%esp),%edx
   0x08048e8d <+163>:   mov    %edx,0x8(%eax)
   0x08048e90 <+166>:   mov    0x3c(%esp),%eax
   0x08048e94 <+170>:   mov    %eax,0x8(%edx)
   0x08048e97 <+173>:   movl   $0x0,0x8(%eax)
   0x08048e9e <+180>:   mov    $0x5,%esi
   0x08048ea3 <+185>:   mov    0x8(%ebx),%eax
*   0x08048ea6 <+188>:   mov    (%eax),%edx
*   0x08048ea8 <+190>:   cmp    %edx,(%ebx)
   0x08048eaa <+192>:   jge    0x8048eb1 <phase_6+199>
   0x08048eac <+194>:   call   0x804932c <explode_bomb>
   0x08048eb1 <+199>:   mov    0x8(%ebx),%ebx
   0x08048eb4 <+202>:   sub    $0x1,%esi
   0x08048eb7 <+205>:   jne    0x8048ea3 <phase_6+185>
   0x08048eb9 <+207>:   add    $0x44,%esp
   0x08048ebc <+210>:   pop    %ebx
   0x08048ebd <+211>:   pop    %esi
   0x08048ebe <+212>:   ret

The two lines I marked with an asterisk are where the nodes are being compared, I think. Essentially eax is being compared to ebx. However, when I try to find what the nodes are for eax, it gives me that error. When I try to run the same method on ebx, this is what returns:

(gdb) x/3x $ebx
0xffffd4c4:     0xffffd625      0x00000000      0xffffd651
(gdb) x/3x *($ebx + 8)
0xffffd651:     0x5f474458      0x53534553      0x5f4e4f49
(gdb) x/3x *(*($ebx+8)+8)
0x5f4e4f49:     Cannot access memory at address 0x5f4e4f49

Does that mean ebx doesn't go past that memory address?

Here is what I DO know: it is taking in 6 integers, none of them can be equal to another, they must be less than or equal to 6, and they must be put in decreasing node order.


After going to the asterisked lines, here is my issue:

(gdb) x/3x *(*(*(*($eax+8)+8)+8)+8)
0x804d154 <node1>:      0x00000395      0x00000001      0x00000000
(gdb) x/3x *(*(*($eax+8)+8)+8)
0x804d160 <node2>:      0x000001e2      0x00000002      0x0804d154
(gdb) x/3x*( *($eax+8)+8)
0x804d16c <node3>:      0x00000328      0x00000003      0x0804d160
(gdb) x/3x*($eax+8)
0x804d178 <node4>:      0x000000d3      0x00000004      0x0804d16c
(gdb) x/3x $eax
0x804d184 <node5>:      0x00000273      0x00000005      0x0804d178

There seem to only be 5 nodes instead of the necessary 6.

asked on Stack Overflow Nov 11, 2016 by Red Icing • edited Nov 11, 2016 by Red Icing

1 Answer


Try *(*(*(*($eax+8)+8)+8)+8), *(*(*($eax+8)+8)+8), *(*($eax+8)+8), *($eax+8), $eax, and $edx.

> run bomb

---after input 6 int---
---breakpoints phase6, explode_bomb

> until *0x08048ea8
> x/3x *(*(*(*($eax+8)+8)+8)+8)
> x/3x *(*(*($eax+8)+8)+8)
> x/3x *(*($eax+8)+8)
> x/3x *($eax+8)
> x/3x $eax
> x/3x $edx
answered on Stack Overflow Sep 29, 2018 by MangoTatsy • edited Sep 30, 2018 by MangoTatsy
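
An added example (not part of the question or the answer, and not the bomb's source): a C model of phase_6 reconstructed from the disassembly above. It shows that from <+134> on %ebx holds the head of the relinked list and %eax (loaded at <+185>) holds its successor, so a walk starting at $eax reaches five nodes and a walk starting at $ebx reaches six. Assumptions: the input 6 5 4 3 2 1 (which reproduces the node5 -> node1 chain in the dumps), an initial chain node1 -> node6, a placeholder value 0x100 for node6 (its real value is not on the page), and hypothetical function names.

```c
#include <stddef.h>
#include <stdio.h>

/* Layout read off the x/3x dumps: value at +0, id at +4, next at +8. */
struct node { int value; int id; struct node *next; };

/* node1..node5 values come from the dumps on the page. node6's value is not
   on the page, so 0x100 is a constructed placeholder. */
static struct node list[6] = {
    {0x395, 1, NULL}, {0x1e2, 2, NULL}, {0x328, 3, NULL},
    {0x0d3, 4, NULL}, {0x273, 5, NULL}, {0x100, 6, NULL},
};

/* Model of <+0>..<+173>. Returns the new head (the pointer %ebx holds from
   <+134> on), or NULL where the real code calls explode_bomb. It first
   restores the assumed initial chain node1 -> ... -> node6. */
static struct node *relink(const int in[6]) {
    struct node *sel[6];
    for (int i = 0; i < 6; i++) list[i].next = (i < 5) ? &list[i + 1] : NULL;
    for (int i = 0; i < 6; i++) {        /* <+30>..<+80>: 1..6, no repeats */
        if ((unsigned)(in[i] - 1) > 5) return NULL;
        for (int j = i + 1; j < 6; j++)
            if (in[i] == in[j]) return NULL;
    }
    for (int i = 0; i < 6; i++) {        /* <+82>..<+132>: follow next in[i]-1 times */
        struct node *p = &list[0];
        for (int k = 1; k < in[i]; k++) p = p->next;
        sel[i] = p;
    }
    for (int i = 0; i < 5; i++) sel[i]->next = sel[i + 1];  /* <+134>..<+170> */
    sel[5]->next = NULL;                                    /* <+173> */
    return sel[0];
}

/* <+185>..<+205>: each node's value must be >= its successor's (the jge). */
static int is_descending(const struct node *b) {
    for (; b && b->next; b = b->next)
        if (b->value < b->next->value) return 0;
    return 1;
}

/* Number of nodes reachable from p, like the nested x/3x walk in gdb. */
static int walk(const struct node *p) { return p ? 1 + walk(p->next) : 0; }

int main(void) {
    const int in[6] = {6, 5, 4, 3, 2, 1};  /* assumed input, see lead-in */
    const struct node *head = relink(in);
    printf("from ebx: %d nodes, from eax: %d nodes, descending: %d\n",
           walk(head), walk(head->next), is_descending(head));
    return 0;
}
```

In gdb the equivalent check at the asterisked lines is `x/3x $ebx`, which is where the sixth node sits under these assumptions.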

User contributions licensed under CC BY-SA 3.0