In Bomb Lab phase_6, what are the appropriate steps to take after I identified the nodes?


I found the nodes, but I'm a little bit stuck. Maybe it's because I've been staring at this for too long, but I can't seem to figure out what to do next.

From what I found, I think the nodes have to end up in ascending order, but I'm not sure. The expected input for phase 6 is six distinct integers in the range 1–6, so the input is 1 2 3 4 5 6 in some order.

And that's all I know, and I'm a little sad.

# phase_6, x86-64 AT&T syntax as dumped by gdb.  What the instructions below do,
# read top to bottom:
#   1. read_six_numbers fills six 4-byte ints at 0(%rsp) .. 0x14(%rsp)        (+12..+18)
#   2. each value must satisfy 1 <= v <= 6 and all six must be distinct       (+32..+93)
#   3. each value is replaced by 7 - value                                     (+95..+121)
#   4. slot[k] (8-byte pointers at 0x20(%rsp) + 8*k) = the value[k]-th node,
#      found by starting at 0x604310 <node1> and following the pointer stored
#      at node+8 (value[k]-1) times                                           (+123..+181)
#   5. the six nodes are re-linked in slot order through that +8 pointer     (+183..+222)
#   6. walking the new list, each node's 4-byte word at +0 must be >= the
#      next node's, or explode_bomb is called                                 (+230..+257)
# So the answer is the node order whose +0 words are non-increasing, with each
# node index mapped back through 7 - index.  The x/wx dumps below show exactly
# that +0 word: node3=952, node5=716, node2=243, node1=236, node4=108, node6=50.
# NOTE(review): step 4 only works out to "k-th node" if the list is chained
# node1 -> node2 -> ... -> node6; the addresses suggest it but this dump does not
# show the +8 pointers, so confirm with `x/2gx 0x604310` etc.  Under that
# assumption the required node order is 3 5 2 1 4 6, i.e. the input 4 2 5 6 3 1.
# Register roles: %r13 = &value[i], %r12d = i, %ebx = j, %rbp = &value[i];
# later %rsi = byte offset of value[k], %rdx = node being walked,
# %rbx = current node of the relinked list, %ebp = pairs left to compare.
Dump of assembler code for function phase_6:
0x000000000040118d <+0>:     push   %r14                     # save callee-saved regs (SysV)
0x000000000040118f <+2>:     push   %r13
0x0000000000401191 <+4>:     push   %r12
0x0000000000401193 <+6>:     push   %rbp
0x0000000000401194 <+7>:     push   %rbx
0x0000000000401195 <+8>:     sub    $0x50,%rsp               # locals: 6 ints at 0(%rsp), 6 pointers at 0x20(%rsp)
0x0000000000401199 <+12>:    mov    %rsp,%r13                # r13 = &value[0]
0x000000000040119c <+15>:    mov    %rsp,%rsi                # 2nd arg = output buffer for the six ints
0x000000000040119f <+18>:    callq  0x4016d7 <read_six_numbers>   # 1st arg (%rdi) untouched here, presumably the input line
0x00000000004011a4 <+23>:    mov    %rsp,%r14                # r14 = &value[0], reused by the 7-x loop
0x00000000004011a7 <+26>:    mov    $0x0,%r12d               # i = 0
0x00000000004011ad <+32>:    mov    %r13,%rbp                # rbp = &value[i]
0x00000000004011b0 <+35>:    mov    0x0(%r13),%eax           # eax = value[i]
0x00000000004011b4 <+39>:    sub    $0x1,%eax
0x00000000004011b7 <+42>:    cmp    $0x5,%eax
0x00000000004011ba <+45>:    jbe    0x4011c1 <phase_6+52>    # unsigned (value[i]-1) <= 5  <=>  1 <= value[i] <= 6
0x00000000004011bc <+47>:    callq  0x4016a1 <explode_bomb>  # value out of range
0x00000000004011c1 <+52>:    add    $0x1,%r12d               # i++
0x00000000004011c5 <+56>:    cmp    $0x6,%r12d
0x00000000004011c9 <+60>:    je     0x4011ec <phase_6+95>    # all six checked -> go to the 7-x loop
0x00000000004011cb <+62>:    mov    %r12d,%ebx               # j = i+1 (r12d was already incremented)
0x00000000004011ce <+65>:    movslq %ebx,%rax
---Type <return> to continue, or q <return> to quit---
0x00000000004011d1 <+68>:    mov    (%rsp,%rax,4),%eax       # eax = value[j]
0x00000000004011d4 <+71>:    cmp    %eax,0x0(%rbp)           # value[i] == value[j] ?
0x00000000004011d7 <+74>:    jne    0x4011de <phase_6+81>
0x00000000004011d9 <+76>:    callq  0x4016a1 <explode_bomb>  # duplicates are not allowed
0x00000000004011de <+81>:    add    $0x1,%ebx                # j++
0x00000000004011e1 <+84>:    cmp    $0x5,%ebx
0x00000000004011e4 <+87>:    jle    0x4011ce <phase_6+65>    # while j <= 5
0x00000000004011e6 <+89>:    add    $0x4,%r13                # next value[i]
0x00000000004011ea <+93>:    jmp    0x4011ad <phase_6+32>
0x00000000004011ec <+95>:    lea    0x18(%rsp),%rsi          # end pointer = &value[6]
0x00000000004011f1 <+100>:   mov    %r14,%rax                # p = &value[0]
0x00000000004011f4 <+103>:   mov    $0x7,%ecx
0x00000000004011f9 <+108>:   mov    %ecx,%edx
0x00000000004011fb <+110>:   sub    (%rax),%edx              # edx = 7 - *p
0x00000000004011fd <+112>:   mov    %edx,(%rax)              # *p = 7 - *p
0x00000000004011ff <+114>:   add    $0x4,%rax
0x0000000000401203 <+118>:   cmp    %rsi,%rax
0x0000000000401206 <+121>:   jne    0x4011f9 <phase_6+108>   # until p == end
0x0000000000401208 <+123>:   mov    $0x0,%esi                # rsi = byte offset of value[k]: 0, 4, ..., 0x14
0x000000000040120d <+128>:   jmp    0x401230 <phase_6+163>
0x000000000040120f <+130>:   mov    0x8(%rdx),%rdx           # node = node->next (pointer stored at node+8)
0x0000000000401213 <+134>:   add    $0x1,%eax                # steps taken
0x0000000000401216 <+137>:   cmp    %ecx,%eax
---Type <return> to continue, or q <return> to quit---
0x0000000000401218 <+139>:   jne    0x40120f <phase_6+130>   # follow value[k]-1 links
0x000000000040121a <+141>:   jmp    0x401221 <phase_6+148>
0x000000000040121c <+143>:   mov    $0x604310,%edx           # value[k] <= 1 : node = node1
0x0000000000401221 <+148>:   mov    %rdx,0x20(%rsp,%rsi,2)   # slot[k] = node (rsi*2 turns the 4-byte offset into an 8-byte one)
0x0000000000401226 <+153>:   add    $0x4,%rsi
0x000000000040122a <+157>:   cmp    $0x18,%rsi
0x000000000040122e <+161>:   je     0x401244 <phase_6+183>   # six slots filled
0x0000000000401230 <+163>:   mov    (%rsp,%rsi,1),%ecx       # ecx = value[k] (already 7 - original)
0x0000000000401233 <+166>:   cmp    $0x1,%ecx
0x0000000000401236 <+169>:   jle    0x40121c <phase_6+143>   # value[k] <= 1 -> node1 directly
0x0000000000401238 <+171>:   mov    $0x1,%eax                # steps = 1
0x000000000040123d <+176>:   mov    $0x604310,%edx           # node = node1
0x0000000000401242 <+181>:   jmp    0x40120f <phase_6+130>
0x0000000000401244 <+183>:   mov    0x20(%rsp),%rbx          # rbx = slot[0] = head of the relinked list
0x0000000000401249 <+188>:   lea    0x28(%rsp),%rax          # rax = &slot[1]
0x000000000040124e <+193>:   lea    0x50(%rsp),%rsi          # rsi = &slot[6] (one past the end)
0x0000000000401253 <+198>:   mov    %rbx,%rcx                # prev = slot[0]
0x0000000000401256 <+201>:   mov    (%rax),%rdx              # rdx = slot[m]
0x0000000000401259 <+204>:   mov    %rdx,0x8(%rcx)           # prev->next = slot[m]
0x000000000040125d <+208>:   add    $0x8,%rax
0x0000000000401261 <+212>:   cmp    %rsi,%rax
0x0000000000401264 <+215>:   je     0x40126b <phase_6+222>
0x0000000000401266 <+217>:   mov    %rdx,%rcx                # prev = slot[m]
---Type <return> to continue, or q <return> to quit---
0x0000000000401269 <+220>:   jmp    0x401256 <phase_6+201>
0x000000000040126b <+222>:   movq   $0x0,0x8(%rdx)           # last->next = NULL
0x0000000000401273 <+230>:   mov    $0x5,%ebp                # five adjacent pairs to compare
0x0000000000401278 <+235>:   mov    0x8(%rbx),%rax           # rax = node->next
0x000000000040127c <+239>:   mov    (%rax),%eax              # eax = next's 4-byte word at +0 (what x/wx shows)
0x000000000040127e <+241>:   cmp    %eax,(%rbx)              # node's word at +0 vs. next's
0x0000000000401280 <+243>:   jge    0x401287 <phase_6+250>   # require node >= next (signed): non-increasing order
0x0000000000401282 <+245>:   callq  0x4016a1 <explode_bomb>
0x0000000000401287 <+250>:   mov    0x8(%rbx),%rbx           # node = node->next
0x000000000040128b <+254>:   sub    $0x1,%ebp
0x000000000040128e <+257>:   jne    0x401278 <phase_6+235>   # loop over the five pairs
0x0000000000401290 <+259>:   add    $0x50,%rsp               # epilogue: free locals, restore regs
0x0000000000401294 <+263>:   pop    %rbx
0x0000000000401295 <+264>:   pop    %rbp
0x0000000000401296 <+265>:   pop    %r12
0x0000000000401298 <+267>:   pop    %r13
0x000000000040129a <+269>:   pop    %r14
0x000000000040129c <+271>:   retq
End of assembler dump.

(gdb) x/wx  0x604360
0x604360 <node6>:       0x00000032
(gdb) x/wx  0x604350
0x604350 <node5>:       0x000002cc
(gdb) x/wx  0x604340
0x604340 <node4>:       0x0000006c
(gdb) x/wx  0x604330
0x604330 <node3>:       0x000003b8
(gdb) x/wx  0x604320
0x604320 <node2>:       0x000000f3
(gdb) x/wx  0x604310
0x604310 <node1>:       0x000000ec

(gdb) x/wd  0x604310
0x604310 <node1>:       236
(gdb) x/wd  0x604320
0x604320 <node2>:       243
(gdb) x/wd  0x604330
0x604330 <node3>:       952
(gdb) x/wd  0x604340
0x604340 <node4>:       108
(gdb) x/wd  0x604350
0x604350 <node5>:       716
(gdb) x/wd  0x604360
0x604360 <node6>:       50

Initially, I thought the answer was 6 4 2 1 5 3, which was wrong. Any help or advice is appreciated. I had so much fun with this lab, and I want to make sure that I complete it.

assembly
gdb
x86-64
reverse-engineering
asked on Stack Overflow Apr 6, 2019 by Soph Kwon • edited Apr 7, 2019 by Soph Kwon



User contributions licensed under CC BY-SA 3.0