Bomb Lab Phase 6 :Stuck on the last step
This is asm code for phase_6
08048de3 <phase_6>:
8048de3: 56 push %esi
8048de4: 53 push %ebx
8048de5: 83 ec 4c sub $0x4c,%esp
8048de8: 65 a1 14 00 00 00 mov %gs:0x14,%eax
8048dee: 89 44 24 44 mov %eax,0x44(%esp)
8048df2: 31 c0 xor %eax,%eax
8048df4: 8d 44 24 14 lea 0x14(%esp),%eax
8048df8: 50 push %eax
8048df9: ff 74 24 5c pushl 0x5c(%esp)
8048dfd: e8 42 03 00 00 call 8049144 <read_six_numbers>
8048e02: 83 c4 10 add $0x10,%esp
8048e05: be 00 00 00 00 mov $0x0,%esi
8048e0a: 8b 44 b4 0c mov 0xc(%esp,%esi,4),%eax
8048e0e: 83 e8 01 sub $0x1,%eax
8048e11: 83 f8 05 cmp $0x5,%eax
8048e14: 76 05 jbe 8048e1b <phase_6+0x38>
8048e16: e8 04 03 00 00 call 804911f <explode_bomb>
8048e1b: 83 c6 01 add $0x1,%esi
8048e1e: 83 fe 06 cmp $0x6,%esi
8048e21: 74 1b je 8048e3e <phase_6+0x5b>
8048e23: 89 f3 mov %esi,%ebx
8048e25: 8b 44 9c 0c mov 0xc(%esp,%ebx,4),%eax
8048e29: 39 44 b4 08 cmp %eax,0x8(%esp,%esi,4)
8048e2d: 75 05 jne 8048e34 <phase_6+0x51>
8048e2f: e8 eb 02 00 00 call 804911f <explode_bomb>
8048e34: 83 c3 01 add $0x1,%ebx
8048e37: 83 fb 05 cmp $0x5,%ebx
8048e3a: 7e e9 jle 8048e25 <phase_6+0x42>
8048e3c: eb cc jmp 8048e0a <phase_6+0x27>
8048e3e: 8d 44 24 0c lea 0xc(%esp),%eax
8048e42: 8d 5c 24 24 lea 0x24(%esp),%ebx
8048e46: b9 07 00 00 00 mov $0x7,%ecx
8048e4b: 89 ca mov %ecx,%edx
8048e4d: 2b 10 sub (%eax),%edx
8048e4f: 89 10 mov %edx,(%eax)
8048e51: 83 c0 04 add $0x4,%eax
8048e54: 39 c3 cmp %eax,%ebx
8048e56: 75 f3 jne 8048e4b <phase_6+0x68>
8048e58: bb 00 00 00 00 mov $0x0,%ebx
8048e5d: eb 16 jmp 8048e75 <phase_6+0x92>
8048e5f: 8b 52 08 mov 0x8(%edx),%edx
8048e62: 83 c0 01 add $0x1,%eax
8048e65: 39 c8 cmp %ecx,%eax
8048e67: 75 f6 jne 8048e5f <phase_6+0x7c>
8048e69: 89 54 b4 24 mov %edx,0x24(%esp,%esi,4)
8048e6d: 83 c3 01 add $0x1,%ebx
8048e70: 83 fb 06 cmp $0x6,%ebx
8048e73: 74 17 je 8048e8c <phase_6+0xa9>
8048e75: 89 de mov %ebx,%esi
8048e77: 8b 4c 9c 0c mov 0xc(%esp,%ebx,4),%ecx
8048e7b: b8 01 00 00 00 mov $0x1,%eax
8048e80: ba 3c c1 04 08 mov $0x804c13c,%edx
8048e85: 83 f9 01 cmp $0x1,%ecx
8048e88: 7f d5 jg 8048e5f <phase_6+0x7c>
8048e8a: eb dd jmp 8048e69 <phase_6+0x86>
8048e8c: 8b 5c 24 24 mov 0x24(%esp),%ebx
8048e90: 8d 44 24 24 lea 0x24(%esp),%eax
8048e94: 8d 74 24 38 lea 0x38(%esp),%esi
8048e98: 89 d9 mov %ebx,%ecx
8048e9a: 8b 50 04 mov 0x4(%eax),%edx
8048e9d: 89 51 08 mov %edx,0x8(%ecx)
8048ea0: 83 c0 04 add $0x4,%eax
8048ea3: 89 d1 mov %edx,%ecx
8048ea5: 39 c6 cmp %eax,%esi
8048ea7: 75 f1 jne 8048e9a <phase_6+0xb7>
8048ea9: c7 42 08 00 00 00 00 movl $0x0,0x8(%edx)
8048eb0: be 05 00 00 00 mov $0x5,%esi
8048eb5: 8b 43 08 mov 0x8(%ebx),%eax
8048eb8: 8b 00 mov (%eax),%eax
8048eba: 39 03 cmp %eax,(%ebx)
8048ebc: 7d 05 jge 8048ec3 <phase_6+0xe0>
8048ebe: e8 5c 02 00 00 call 804911f <explode_bomb>
8048ec3: 8b 5b 08 mov 0x8(%ebx),%ebx
8048ec6: 83 ee 01 sub $0x1,%esi
8048ec9: 75 ea jne 8048eb5 <phase_6+0xd2>
8048ecb: 8b 44 24 3c mov 0x3c(%esp),%eax
8048ecf: 65 33 05 14 00 00 00 xor %gs:0x14,%eax
8048ed6: 74 05 je 8048edd <phase_6+0xfa>
8048ed8: e8 b3 f8 ff ff call 8048790 <__stack_chk_fail@plt>
8048edd: 83 c4 44 add $0x44,%esp
8048ee0: 5b pop %ebx
8048ee1: 5e pop %esi
8048ee2: c3 ret
By analysing, i have to input 6 non identical digits and are less than 6 and should separated by space. So randomly entered 6 5 4 3 2 1 . Values of nodes 1 to node 6 are as follows:
(gdb) x/3x $ebx
0x804c13c <node1>: 0x000003c8 0x00000001 0x0804c148
(gdb) x/3x *($ebx + 8)
0x804c148 <node2>: 0x0000018c 0x00000002 0x0804c154
(gdb) x/3x *(*($ebx + 8 )+ 8)
0x804c154 <node3>: 0x00000325 0x00000003 0x0804c160
(gdb) x/3x *(*(*($ebx+8)+8)+8)
0x804c160 <node4>: 0x0000012c 0x00000004 0x0804c16c
(gdb) x/3x *(*(*(*($ebx+8)+8)+8)+8)
0x804c16c <node5>: 0x0000008a 0x00000005 0x0804c178
(gdb) x/3x *(*(*(*(*($ebx+8)+8)+8)+8)+8)
0x804c178 <node6>: 0x00000219 0x00000006 0x00000000
From there, in ascending order, the input should 5 4 2 6 3 1
but i get exploded, i even tried 1 3 6 2 4 5 but i kept getting exploded. Where am i doing it wrong?
asked on Stack Overflow Jun 8, 2020 by 
Bkk
Bkk1 Answer
I managed to see where i was wrong, on the line 8048e46: b9 07 00 00 00 mov $0x7,%ecx can be written as f(x)=7-x where x is an index.
So before, input was 1 3 6 2 4 5 which is wrong, i had to apply the function.
The new input is 6 4 1 5 3 2 which defused the bomb
User contributions licensed under CC BY-SA 3.0