Here is my understanding of what the code is doing, and how I'd like to solve it: First I need to find a string, and then reverse engineer that string, based on the 16-byte lookup table that I have found. I do know that the values of these "offsets" must add up to 60, see line <+53>.
I have tried to find this 6 character string by using x/s 0x4011fe, and other examine commands (x/6c etc), yet I am not getting anything close to correct. Is there something I can change to get the correct output so that I can continue defusing this phase?
Once I find this string, my idea is to look at this required output string, then figure out the input string required to get to the expected output. I am thinking- look at the hex value of each char, compare those to my table (lowest order), and then find a corresponding char using the ascii table. I'm only wondering if this is the correct approach, thanks.
(gdb) x/16xw 0x402780 <array.3600>: 0x00000002 0x0000000a 0x00000006 0x00000001 <array.3600>: 0x0000000c 0x00000010 0x00000009 0x00000003 <array.3600>: 0x00000004 0x00000007 0x0000000e 0x00000005 <array.3600>: 0x0000000b 0x00000008 0x0000000f 0x0000000d
Disassembly of phase_5:
0x00000000004011bf <+0>: push %rbx 0x00000000004011c0 <+1>: mov %rdi,%rbx 0x00000000004011c3 <+4>: callq 0x401414 <string_length> 0x00000000004011c8 <+9>: cmp $0x6,%eax //6 letter string! 0x00000000004011cb <+12>: je 0x4011d2 <phase_5+19> //if 6, jump over the explode 0x00000000004011cd <+14>: callq 0x401706 <explode_bomb> 0x00000000004011d2 <+19>: mov %rbx,%rax 0x00000000004011d5 <+22>: lea 0x6(%rbx),%rdi 0x00000000004011d9 <+26>: mov $0x0,%ecx 0x00000000004011de <+31>: movzbl (%rax),%edx 0x00000000004011e1 <+34>: and $0xf,%edx //”and” each letter 0x00000000004011e4 <+37>: add 0x402780(,%rdx,4),%ecx 0x00000000004011eb <+44>: add $0x1,%rax 0x00000000004011ef <+48>: cmp %rdi,%rax //compare, and then loop again. 0x00000000004011f2 <+51>: jne 0x4011de <phase_5+31> //loop! 0x00000000004011f4 <+53>: cmp $0x3c,%ecx //final compare, and then done! (0x3c = 60) 0x00000000004011f7 <+56>: je 0x4011fe <phase_5+63> //jump over explode, and finish! 0x00000000004011f9 <+58>: callq 0x401706 <explode_bomb> 0x00000000004011fe <+63>: pop %rbx 0x00000000004011ff <+64>: retq End of assembler dump.
After much thought, I have successfully found an answer. It turns out there is no string to compare, only the value of 0x3c. Over-thinking seems to be a common demise for me when it comes to reading assembly code.
Essentially, I needed to pick 6 numbers from the array that sum up to 0x3c. Then pick 6 printable characters, or numbers, that have the appropriate index as the low 4 bits. So, the easiest choice was 0xa, which has an index of 1, (0xa = 10, so getting 6 values was trivial).
Thanks for the comments everyone.
User contributions licensed under CC BY-SA 3.0