Bomb Lab Phase 6: stuck on the last step


This is the disassembly of phase_6:

    # phase_6 -- 32-bit x86, AT&T syntax (objdump listing, cdecl: args on the stack).
    # Rough C equivalent, reconstructed only from the instructions below:
    #   int a[6]; node *p[6];          // node: value at +0, index at +4, next at +8
    #   read_six_numbers(arg1, a);
    #   for i in 0..5:   if ((unsigned)(a[i]-1) > 5) explode;   // 1 <= a[i] <= 6
    #                    for j in i+1..5: if (a[i] == a[j]) explode;   // all distinct
    #   for i in 0..5:   a[i] = 7 - a[i];
    #   for k in 0..5:   p[k] = node1 advanced (a[k]-1) times along ->next
    #   p[0]->next = p[1], ..., p[4]->next = p[5]; p[5]->next = NULL;
    #   walk the relinked list: if (cur->value < cur->next->value) explode  (5 checks)
    # Frame after the "add $0x10,%esp" at 8048e02: a[] at 0xc(%esp), p[] at
    # 0x24(%esp), stack-protector canary at 0x3c(%esp).
    08048de3 <phase_6>:
 8048de3:   56                      push   %esi                         # save callee-saved
 8048de4:   53                      push   %ebx                         # save callee-saved
 8048de5:   83 ec 4c                sub    $0x4c,%esp                   # 76-byte frame
 8048de8:   65 a1 14 00 00 00       mov    %gs:0x14,%eax                # load stack-protector canary from TLS
 8048dee:   89 44 24 44             mov    %eax,0x44(%esp)              # store canary (0x3c(%esp) after the fixup at 8048e02)
 8048df2:   31 c0                   xor    %eax,%eax                    # do not leave the canary value in eax
 8048df4:   8d 44 24 14             lea    0x14(%esp),%eax              # eax = &a[0] (six ints)
 8048df8:   50                      push   %eax                         # arg 2: int *a
 8048df9:   ff 74 24 5c             pushl  0x5c(%esp)                   # arg 1: phase_6's own first argument (presumably the input line)
 8048dfd:   e8 42 03 00 00          call   8049144 <read_six_numbers>   # fills a[0..5]
 8048e02:   83 c4 10                add    $0x10,%esp                   # release 16 bytes: esp ends 8 above the post-sub value
 8048e05:   be 00 00 00 00          mov    $0x0,%esi                    # i = 0
 8048e0a:   8b 44 b4 0c             mov    0xc(%esp,%esi,4),%eax        # eax = a[i]
 8048e0e:   83 e8 01                sub    $0x1,%eax                    # eax = a[i] - 1
 8048e11:   83 f8 05                cmp    $0x5,%eax
 8048e14:   76 05                   jbe    8048e1b <phase_6+0x38>       # unsigned compare: ok iff 1 <= a[i] <= 6
 8048e16:   e8 04 03 00 00          call   804911f <explode_bomb>       # a[i] out of range
 8048e1b:   83 c6 01                add    $0x1,%esi                    # i++
 8048e1e:   83 fe 06                cmp    $0x6,%esi
 8048e21:   74 1b                   je     8048e3e <phase_6+0x5b>       # all six validated -> transform loop
 8048e23:   89 f3                   mov    %esi,%ebx                    # j = i (i already incremented, so j starts one past the element being checked)
 8048e25:   8b 44 9c 0c             mov    0xc(%esp,%ebx,4),%eax        # eax = a[j]
 8048e29:   39 44 b4 08             cmp    %eax,0x8(%esp,%esi,4)        # compare with a[i-1] (0x8 + 4*i == 0xc + 4*(i-1))
 8048e2d:   75 05                   jne    8048e34 <phase_6+0x51>       # distinct -> fine
 8048e2f:   e8 eb 02 00 00          call   804911f <explode_bomb>       # duplicate value
 8048e34:   83 c3 01                add    $0x1,%ebx                    # j++
 8048e37:   83 fb 05                cmp    $0x5,%ebx
 8048e3a:   7e e9                   jle    8048e25 <phase_6+0x42>       # while j <= 5 (signed compare on an index)
 8048e3c:   eb cc                   jmp    8048e0a <phase_6+0x27>       # next i
 8048e3e:   8d 44 24 0c             lea    0xc(%esp),%eax               # eax = &a[0]
 8048e42:   8d 5c 24 24             lea    0x24(%esp),%ebx              # ebx = &a[6] (one past the end)
 8048e46:   b9 07 00 00 00          mov    $0x7,%ecx                    # constant 7
 8048e4b:   89 ca                   mov    %ecx,%edx                    # edx = 7
 8048e4d:   2b 10                   sub    (%eax),%edx                  # edx = 7 - a[k]
 8048e4f:   89 10                   mov    %edx,(%eax)                  # a[k] = 7 - a[k]
 8048e51:   83 c0 04                add    $0x4,%eax                    # next element
 8048e54:   39 c3                   cmp    %eax,%ebx
 8048e56:   75 f3                   jne    8048e4b <phase_6+0x68>       # until eax == &a[6]
 8048e58:   bb 00 00 00 00          mov    $0x0,%ebx                    # k = 0
 8048e5d:   eb 16                   jmp    8048e75 <phase_6+0x92>       # enter the node-lookup loop
 8048e5f:   8b 52 08                mov    0x8(%edx),%edx               # edx = edx->next
 8048e62:   83 c0 01                add    $0x1,%eax                    # step++
 8048e65:   39 c8                   cmp    %ecx,%eax
 8048e67:   75 f6                   jne    8048e5f <phase_6+0x7c>       # walk until step == a[k]
 8048e69:   89 54 b4 24             mov    %edx,0x24(%esp,%esi,4)       # p[k] = the a[k]-th node of the list
 8048e6d:   83 c3 01                add    $0x1,%ebx                    # k++
 8048e70:   83 fb 06                cmp    $0x6,%ebx
 8048e73:   74 17                   je     8048e8c <phase_6+0xa9>       # all six resolved -> relink
 8048e75:   89 de                   mov    %ebx,%esi                    # esi = k (index used by the store at 8048e69)
 8048e77:   8b 4c 9c 0c             mov    0xc(%esp,%ebx,4),%ecx        # ecx = a[k] (already transformed to 7 - original)
 8048e7b:   b8 01 00 00 00          mov    $0x1,%eax                    # step = 1
 8048e80:   ba 3c c1 04 08          mov    $0x804c13c,%edx              # edx = &node1 (head of the static list)
 8048e85:   83 f9 01                cmp    $0x1,%ecx
 8048e88:   7f d5                   jg     8048e5f <phase_6+0x7c>       # a[k] > 1: advance a[k]-1 times
 8048e8a:   eb dd                   jmp    8048e69 <phase_6+0x86>       # a[k] == 1: node1 itself
 8048e8c:   8b 5c 24 24             mov    0x24(%esp),%ebx              # ebx = p[0], head of the relinked list
 8048e90:   8d 44 24 24             lea    0x24(%esp),%eax              # eax = &p[0]
 8048e94:   8d 74 24 38             lea    0x38(%esp),%esi              # esi = &p[5]
 8048e98:   89 d9                   mov    %ebx,%ecx                    # cur = p[0]
 8048e9a:   8b 50 04                mov    0x4(%eax),%edx               # edx = p[m+1]
 8048e9d:   89 51 08                mov    %edx,0x8(%ecx)               # cur->next = p[m+1]
 8048ea0:   83 c0 04                add    $0x4,%eax                    # m++
 8048ea3:   89 d1                   mov    %edx,%ecx                    # cur = p[m+1]
 8048ea5:   39 c6                   cmp    %eax,%esi
 8048ea7:   75 f1                   jne    8048e9a <phase_6+0xb7>       # until eax == &p[5]
 8048ea9:   c7 42 08 00 00 00 00    movl   $0x0,0x8(%edx)               # p[5]->next = NULL
 8048eb0:   be 05 00 00 00          mov    $0x5,%esi                    # five adjacent pairs to check
 8048eb5:   8b 43 08                mov    0x8(%ebx),%eax               # eax = cur->next
 8048eb8:   8b 00                   mov    (%eax),%eax                  # eax = cur->next->value
 8048eba:   39 03                   cmp    %eax,(%ebx)                  # cur->value vs next->value
 8048ebc:   7d 05                   jge    8048ec3 <phase_6+0xe0>       # signed: ok iff cur->value >= next->value (non-increasing)
 8048ebe:   e8 5c 02 00 00          call   804911f <explode_bomb>       # order violated
 8048ec3:   8b 5b 08                mov    0x8(%ebx),%ebx               # cur = cur->next
 8048ec6:   83 ee 01                sub    $0x1,%esi
 8048ec9:   75 ea                   jne    8048eb5 <phase_6+0xd2>       # repeat for the 5 pairs
 8048ecb:   8b 44 24 3c             mov    0x3c(%esp),%eax              # reload the saved canary
 8048ecf:   65 33 05 14 00 00 00    xor    %gs:0x14,%eax                # compare with the TLS canary
 8048ed6:   74 05                   je     8048edd <phase_6+0xfa>       # intact -> normal epilogue
 8048ed8:   e8 b3 f8 ff ff          call   8048790 <__stack_chk_fail@plt>  # canary corrupted: abort
 8048edd:   83 c4 44                add    $0x44,%esp                   # drop the frame (0x4c minus the 8 already released at 8048e02)
 8048ee0:   5b                      pop    %ebx                         # restore callee-saved
 8048ee1:   5e                      pop    %esi                         # restore callee-saved
 8048ee2:   c3                      ret                                 # back to the caller

From my analysis, I have to input six distinct digits, none greater than 6, separated by spaces. So I arbitrarily entered 6 5 4 3 2 1. The values of node1 to node6 are as follows:

(gdb) x/3x $ebx
0x804c13c <node1>:  0x000003c8  0x00000001  0x0804c148
(gdb) x/3x *($ebx + 8)
0x804c148 <node2>:  0x0000018c  0x00000002  0x0804c154
(gdb) x/3x *(*($ebx + 8 )+ 8)
0x804c154 <node3>:  0x00000325  0x00000003  0x0804c160
(gdb) x/3x *(*(*($ebx+8)+8)+8)
0x804c160 <node4>:  0x0000012c  0x00000004  0x0804c16c
(gdb) x/3x *(*(*(*($ebx+8)+8)+8)+8)
0x804c16c <node5>:  0x0000008a  0x00000005  0x0804c178
(gdb) x/3x *(*(*(*(*($ebx+8)+8)+8)+8)+8)
0x804c178 <node6>:  0x00000219  0x00000006  0x00000000

From there, sorting in ascending order, the input should be 5 4 2 6 3 1, but the bomb explodes; I even tried 1 3 6 2 4 5 but it kept exploding. Where am I going wrong?

asked on Stack Overflow Jun 8, 2020 by Bkk

1 Answer


I managed to see where I was wrong: the loop starting at line 8048e46 (`b9 07 00 00 00 mov $0x7,%ecx`) applies f(x) = 7 - x to each input x before it is used as an index. So my earlier input 1 3 6 2 4 5 was wrong; I had to apply the function to each number. The new input is 6 4 1 5 3 2, which defused the bomb.

answered on Stack Overflow Jun 8, 2020 by Bkk • edited Jun 8, 2020 by Bkk
