Binary Bomb Lab Phase 9 - stuck

I'm really stuck on Bomb Lab Phase 9 and was looking for some tips/suggestions.

Here is my assembly code:

Dump of assembler code for function phase_9:
   0x08048fc8 <+0>: push   %ebx
   0x08048fc9 <+1>: sub    $0x18,%esp
   0x08048fcc <+4>: movl   $0xa,0x8(%esp)
   0x08048fd4 <+12>: movl   $0x0,0x4(%esp)
   0x08048fdc <+20>: mov    0x20(%esp),%eax
   0x08048fe0 <+24>: mov    %eax,(%esp)
   0x08048fe3 <+27>: call   0x80488d0 <strtol@plt>
   0x08048fe8 <+32>: mov    %eax,%ebx
   0x08048fea <+34>: lea    -0x1(%eax),%eax
   0x08048fed <+37>: cmp    $0x3e8,%eax
   0x08048ff2 <+42>: jbe    0x8048ff9 <phase_9+49>
   0x08048ff4 <+44>: call   0x8049353 <explode_bomb>
   0x08048ff9 <+49>: mov    %ebx,0x4(%esp)
   0x08048ffd <+53>: movl   $0x804d0a0,(%esp)
   0x08049004 <+60>: call   0x8048f77 <fun9>
=> 0x08049009 <+65>: cmp    $0x7,%eax
   0x0804900c <+68>: je     0x8049013 <phase_9+75>
   0x0804900e <+70>: call   0x8049353 <explode_bomb>
   0x08049013 <+75>: add    $0x18,%esp
   0x08049016 <+78>: pop    %ebx
   0x08049017 <+79>: ret 

And here is the assembly code for the function fun9 that it calls:

Dump of assembler code for function fun9:
   0x08048f77 <+0>: push   %ebx
   0x08048f78 <+1>: sub    $0x18,%esp
   0x08048f7b <+4>: mov    0x20(%esp),%edx
   0x08048f7f <+8>: mov    0x24(%esp),%ecx
   0x08048f83 <+12>: test   %edx,%edx
   0x08048f85 <+14>: je     0x8048fbe <fun9+71>
   0x08048f87 <+16>: mov    (%edx),%ebx
   0x08048f89 <+18>: cmp    %ecx,%ebx
   0x08048f8b <+20>: jle    0x8048fa0 <fun9+41>
   0x08048f8d <+22>: mov    %ecx,0x4(%esp)
   0x08048f91 <+26>: mov    0x4(%edx),%eax
   0x08048f94 <+29>: mov    %eax,(%esp)
   0x08048f97 <+32>: call   0x8048f77 <fun9>
   0x08048f9c <+37>: add    %eax,%eax
   0x08048f9e <+39>: jmp    0x8048fc3 <fun9+76>
   0x08048fa0 <+41>: mov    $0x0,%eax
   0x08048fa5 <+46>: cmp    %ecx,%ebx
   0x08048fa7 <+48>: je     0x8048fc3 <fun9+76>
   0x08048fa9 <+50>: mov    %ecx,0x4(%esp)
   0x08048fad <+54>: mov    0x8(%edx),%eax
   0x08048fb0 <+57>: mov    %eax,(%esp)
   0x08048fb3 <+60>: call   0x8048f77 <fun9>
   0x08048fb8 <+65>: lea    0x1(%eax,%eax,1),%eax
   0x08048fbc <+69>: jmp    0x8048fc3 <fun9+76>
   0x08048fbe <+71>: mov    $0xffffffff,%eax
=> 0x08048fc3 <+76>: add    $0x18,%esp
   0x08048fc6 <+79>: pop    %ebx
   0x08048fc7 <+80>: ret 

Here's what I know:

  • It's a number greater than 0
  • The $eax inside fun9 must return a 7
  • The $edx inside fun9 has a 75 inside, and $ebx increments/decrements depending on whether the input number is less than/greater than 75
  • The input number must avoid line <+71> inside fun9, because that moves -1 into $eax, meaning that it can't ever make $eax = 7 (I could be wrong?) as it will keep decrementing. This also implies that $edx shouldn't ever be 0 to pass through the test on line <+12> inside fun9

All I've tried doing is testing different numbers and tracing the registers inside fun9 to see how $eax changes. I thought the answer was 75, as it was inside $edx, but it's not. I know there are several recursive calls inside this too - I'm trying to find an input where $eax is equal to 7 by the end of fun9.

Any tips on how I could try solving this? Are there any registers I'm missing? I'm looking at eax, ebx, ecx and edx.

Thank you.

Tags: assembly, x86
asked on Stack Overflow Mar 31, 2020 by newCoder
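As an added illustration, not part of the question or of the bomb binary: the two listings above rewritten as C, read straight off the disassembly (fun9 walks a tree whose node layout is value at +0, left child at +4, right child at +8, and phase_9 requires the parsed input to satisfy an unsigned `input-1 <= 1000` before checking `fun9(tree, input) == 7`). The real tree at 0x804d0a0 is not on the page, so `sample_tree` is a constructed stand-in, and `solve` is a hypothetical helper that tries every input that passes the range check.

```c
#include <stdio.h>
#include <stdlib.h>

/* Node layout read off fun9: value at +0, left child at +4, right child at +8. */
typedef struct node {
    int value;
    struct node *left;
    struct node *right;
} node;

/* fun9 as C: edx is n, ecx is target, the result travels back in eax. */
int fun9(const node *n, int target) {
    if (n == NULL)                        /* <+14> taken -> <+71>: eax = -1 */
        return -1;
    if (n->value > target)                /* <+20> jle not taken: descend left */
        return 2 * fun9(n->left, target);          /* <+37> add %eax,%eax */
    if (n->value == target)               /* <+48> je: eax = 0 */
        return 0;
    return 2 * fun9(n->right, target) + 1;         /* <+65> lea 0x1(%eax,%eax,1) */
}

/* phase_9 as C: returns 1 if the input string defuses, 0 if the bomb explodes. */
int phase_9(const node *tree, const char *input) {
    long v = strtol(input, NULL, 10);
    if ((unsigned int)(v - 1) > 0x3e8)    /* <+34>..<+42>: unsigned (v-1) <= 1000 */
        return 0;
    return fun9(tree, (int)v) == 7;       /* <+65> cmp $0x7,%eax */
}

/* Constructed sample tree (the bomb's real tree at 0x804d0a0 is not on the page). */
node sample_tree[6] = {
    {36,   &sample_tree[1], &sample_tree[2]},  /* root */
    {8,    NULL,            NULL},
    {50,   NULL,            &sample_tree[3]},
    {107,  &sample_tree[4], &sample_tree[5]},
    {99,   NULL,            NULL},
    {1000, NULL,            NULL},             /* root->right->right->right */
};

/* Hypothetical helper: first input surviving the range check that fun9 maps to 7, else -1. */
int solve(const node *tree) {
    char buf[16];
    for (int v = 1; v <= 1001; v++) {
        snprintf(buf, sizeof buf, "%d", v);
        if (phase_9(tree, buf))
            return v;
    }
    return -1;
}
```

Because 7 is binary 111 and each right step contributes `2*r + 1`, only the node reached by three right moves from the root yields 7, which is why `solve` finds 1000 on this sample tree; on the real bomb the value depends on its own tree contents.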

0 Answers

Nobody has answered this question yet.
