bomblab phase_6: Where did I make a mistake?


This is the disassembly of phase_6.

   # phase_6 (GDB disassembly, AT&T syntax, SysV AMD64).
   # Frame layout (0x60 bytes): num[0..5] as 4-byte ints at 0x00(%rsp),
   # ptr[0..5] as 8-byte node pointers at 0x20(%rsp), stack-protector canary at 0x58(%rsp).
   # Node layout inferred from the memory dump below: value @+0, id @+4, next @+8.
   0x00005555555558ab <+0>:     endbr64                                  # CET/IBT landing pad
   0x00005555555558af <+4>:     push   %r14                              # save callee-saved regs
   0x00005555555558b1 <+6>:     push   %r13
   0x00005555555558b3 <+8>:     push   %r12
   0x00005555555558b5 <+10>:    push   %rbp
   0x00005555555558b6 <+11>:    push   %rbx
   0x00005555555558b7 <+12>:    sub    $0x60,%rsp                        # 96-byte frame (keeps rsp 16-aligned: 5 pushes + ret addr + 0x60)
   0x00005555555558bb <+16>:    mov    %fs:0x28,%rax                     # load stack-protector canary from TLS
   0x00005555555558c4 <+25>:    mov    %rax,0x58(%rsp)                   # store canary above the local arrays
   0x00005555555558c9 <+30>:    xor    %eax,%eax                         # clear rax so the canary value does not linger in a register
   0x00005555555558cb <+32>:    mov    %rsp,%r13                         # r13 = &num[0]
   0x00005555555558ce <+35>:    mov    %r13,%rsi                         # arg2 = num; arg1 (rdi, the input line) is untouched since entry
   0x00005555555558d1 <+38>:    callq  0x555555555e53 <read_six_numbers> # read_six_numbers(input, num)
   # --- Stage 1: every num[i] must be in 1..6 and all six must be distinct ---
   # r14 = i+1 (1-based outer index), r13 = &num[i], r12 = &num[0], rbx = inner index j
   0x00005555555558d6 <+43>:    mov    $0x1,%r14d                        # r14 = 1
   0x00005555555558dc <+49>:    mov    %rsp,%r12                         # r12 = &num[0]
   0x00005555555558df <+52>:    jmp    0x555555555909 <phase_6+94>       # enter with the range check on num[0]
   0x00005555555558e1 <+54>:    callq  0x555555555e11 <explode_bomb>     # num[i] out of range (presumably never returns)
   0x00005555555558e6 <+59>:    jmp    0x555555555918 <phase_6+109>
   0x00005555555558e8 <+61>:    add    $0x1,%rbx                         # j++
   0x00005555555558ec <+65>:    cmp    $0x5,%ebx
   0x00005555555558ef <+68>:    jg     0x555555555901 <phase_6+86>       # j > 5: inner loop done, advance i
   0x00005555555558f1 <+70>:    mov    (%r12,%rbx,4),%eax                # eax = num[j]
   0x00005555555558f5 <+74>:    cmp    %eax,0x0(%rbp)                    # compare num[i] with num[j]
   0x00005555555558f8 <+77>:    jne    0x5555555558e8 <phase_6+61>       # different: keep scanning
   0x00005555555558fa <+79>:    callq  0x555555555e11 <explode_bomb>     # duplicate value
   0x00005555555558ff <+84>:    jmp    0x5555555558e8 <phase_6+61>
   0x0000555555555901 <+86>:    add    $0x1,%r14                         # i++
   0x0000555555555905 <+90>:    add    $0x4,%r13                         # r13 = &num[i]
   0x0000555555555909 <+94>:    mov    %r13,%rbp                         # rbp = &num[i] (used by the inner compare)
   0x000055555555590c <+97>:    mov    0x0(%r13),%eax                    # eax = num[i]
   0x0000555555555910 <+101>:   sub    $0x1,%eax                         # eax = num[i] - 1
   0x0000555555555913 <+104>:   cmp    $0x5,%eax
   0x0000555555555916 <+107>:   ja     0x5555555558e1 <phase_6+54>       # unsigned: (num[i]-1) > 5  <=>  num[i] not in 1..6 -> explode
   0x0000555555555918 <+109>:   cmp    $0x5,%r14d
   0x000055555555591c <+113>:   jg     0x555555555923 <phase_6+120>      # i+1 > 5: last element checked, go to stage 2
   0x000055555555591e <+115>:   mov    %r14,%rbx                         # j = i+1
   0x0000555555555921 <+118>:   jmp    0x5555555558f1 <phase_6+70>       # compare num[i] against num[i+1..5]
   # --- Stage 2: ptr[k] = the num[k]-th node of the list starting at node1 (1-based) ---
   # Note: num[k] is used directly as the node position; there is no 7 - num[k] transform in this build.
   0x0000555555555923 <+120>:   mov    $0x0,%esi                         # k = 0
   0x0000555555555928 <+125>:   mov    (%rsp,%rsi,4),%ecx                # ecx = num[k]
   0x000055555555592b <+128>:   mov    $0x1,%eax                         # eax = 1 (current position)
   0x0000555555555930 <+133>:   lea    0x38f9(%rip),%rdx        # 0x555555559230 <node1>   rdx = &node1
   0x0000555555555937 <+140>:   cmp    $0x1,%ecx
   0x000055555555593a <+143>:   jle    0x555555555947 <phase_6+156>      # num[k] <= 1: node1 itself
   0x000055555555593c <+145>:   mov    0x8(%rdx),%rdx                    # rdx = rdx->next
   0x0000555555555940 <+149>:   add    $0x1,%eax                         # position++
   0x0000555555555943 <+152>:   cmp    %ecx,%eax
   0x0000555555555945 <+154>:   jne    0x55555555593c <phase_6+145>      # walk until position == num[k]
   0x0000555555555947 <+156>:   mov    %rdx,0x20(%rsp,%rsi,8)            # ptr[k] = selected node
   0x000055555555594c <+161>:   add    $0x1,%rsi                         # k++
   0x0000555555555950 <+165>:   cmp    $0x6,%rsi
   0x0000555555555954 <+169>:   jne    0x555555555928 <phase_6+125>      # loop over all six inputs
   # --- Stage 3: relink the nodes in input order: ptr[0] -> ptr[1] -> ... -> ptr[5] -> NULL ---
   0x0000555555555956 <+171>:   mov    0x20(%rsp),%rbx                   # rbx = ptr[0] (also the new list head for stage 4)
   0x000055555555595b <+176>:   mov    0x28(%rsp),%rax                   # rax = ptr[1]
   0x0000555555555960 <+181>:   mov    %rax,0x8(%rbx)                    # ptr[0]->next = ptr[1]
   0x0000555555555964 <+185>:   mov    0x30(%rsp),%rdx                   # rdx = ptr[2]
   0x0000555555555969 <+190>:   mov    %rdx,0x8(%rax)                    # ptr[1]->next = ptr[2]
   0x000055555555596d <+194>:   mov    0x38(%rsp),%rax                   # rax = ptr[3]
   0x0000555555555972 <+199>:   mov    %rax,0x8(%rdx)                    # ptr[2]->next = ptr[3]
   0x0000555555555976 <+203>:   mov    0x40(%rsp),%rdx                   # rdx = ptr[4]
   0x000055555555597b <+208>:   mov    %rdx,0x8(%rax)                    # ptr[3]->next = ptr[4]
   0x000055555555597f <+212>:   mov    0x48(%rsp),%rax                   # rax = ptr[5]
   0x0000555555555984 <+217>:   mov    %rax,0x8(%rdx)                    # ptr[4]->next = ptr[5]
   0x0000555555555988 <+221>:   movq   $0x0,0x8(%rax)                    # ptr[5]->next = NULL
   # --- Stage 4: walk the relinked list; each node's value must be <= the next node's value ---
   0x0000555555555990 <+229>:   mov    $0x5,%ebp                         # 5 adjacent pairs to check
   0x0000555555555995 <+234>:   jmp    0x5555555559a0 <phase_6+245>
   0x0000555555555997 <+236>:   mov    0x8(%rbx),%rbx                    # rbx = rbx->next
   0x000055555555599b <+240>:   sub    $0x1,%ebp
   0x000055555555599e <+243>:   je     0x5555555559b1 <phase_6+262>      # all pairs checked
   0x00005555555559a0 <+245>:   mov    0x8(%rbx),%rax                    # rax = rbx->next
   0x00005555555559a4 <+249>:   mov    (%rax),%eax                       # eax = next->value
   0x00005555555559a6 <+251>:   cmp    %eax,(%rbx)                       # AT&T: flags from (rbx->value - next->value)
   0x00005555555559a8 <+253>:   jle    0x555555555997 <phase_6+236>      # rbx->value <= next->value (signed): OK, i.e. ascending order required
   0x00005555555559aa <+255>:   callq  0x555555555e11 <explode_bomb>     # a larger value precedes a smaller one
   0x00005555555559af <+260>:   jmp    0x555555555997 <phase_6+236>
   # --- Epilogue with stack-protector check ---
   0x00005555555559b1 <+262>:   mov    0x58(%rsp),%rax                   # reload saved canary
   0x00005555555559b6 <+267>:   xor    %fs:0x28,%rax                     # compare with the TLS copy
   0x00005555555559bf <+276>:   jne    0x5555555559ce <phase_6+291>      # mismatch: stack smashed
   0x00005555555559c1 <+278>:   add    $0x60,%rsp
   0x00005555555559c5 <+282>:   pop    %rbx
   0x00005555555559c6 <+283>:   pop    %rbp
   0x00005555555559c7 <+284>:   pop    %r12
   0x00005555555559c9 <+286>:   pop    %r13
   0x00005555555559cb <+288>:   pop    %r14
   0x00005555555559cd <+290>:   retq
   0x00005555555559ce <+291>:   callq  0x555555555250 <__stack_chk_fail@plt>  # abort on canary mismatch (no return)

I know that this phase needs 6 integers because of `read_six_numbers`, and I think the six numbers have to be ordered according to some condition. So I found node1 ~ node6. This is the memory content of each node.

0x555555559230 <node1>: 0x00000303      0x00000001      0x55559240      0x00005555
0x555555559240 <node2>: 0x000001dc      0x00000002      0x55559250      0x00005555
0x555555559250 <node3>: 0x00000332      0x00000003      0x55559260      0x00005555
0x555555559260 <node4>: 0x000003c6      0x00000004      0x55559270      0x00005555
0x555555559270 <node5>: 0x000002d9      0x00000005      0x55559110      0x00005555
0x555555559110 <node6>: 0x000003c3      0x00000006      0x00000000      0x00000000

After finding this, I sorted the nodes in descending order of their values. The result '4 6 3 1 5 2' came out, and I entered it, but it was wrong. Then, when I looked at solutions others had posted, they used the seven's complement. So I tried solving the problem again using that, but it was wrong again. I looked at the code again, but made no progress. I really want to solve the problem. Please help me.

assembly
x86-64
reverse-engineering
asked on Stack Overflow Oct 2, 2020 by NaHoGu


