cinos

Reputation: 117

Understanding Bomb Lab Phase 5 (two integer input)

I am currently stuck on bomb lab phase 5. My phase 5 is different from most other phase 5's I've found online, as it is the input of two integers. Here is the assembly code:

   0x0000555555555536 <+0>:     sub    $0x18,%rsp
   0x000055555555553a <+4>:     mov    %fs:0x28,%rax
   0x0000555555555543 <+13>:    mov    %rax,0x8(%rsp)
   0x0000555555555548 <+18>:    xor    %eax,%eax
   0x000055555555554a <+20>:    lea    0x4(%rsp),%rcx
   0x000055555555554f <+25>:    mov    %rsp,%rdx
   0x0000555555555552 <+28>:    lea    0x1914(%rip),%rsi        # 0x555555556e6d
   0x0000555555555559 <+35>:    callq  0x555555554f60 <__isoc99_sscanf@plt>
   0x000055555555555e <+40>:    cmp    $0x1,%eax
   0x0000555555555561 <+43>:    jle    0x5555555555bd <phase_5+135>
   0x0000555555555563 <+45>:    mov    (%rsp),%eax
   0x0000555555555566 <+48>:    and    $0xf,%eax
   0x0000555555555569 <+51>:    mov    %eax,(%rsp)
   0x000055555555556c <+54>:    cmp    $0xf,%eax
   0x000055555555556f <+57>:    je     0x5555555555a3 <phase_5+109>
   0x0000555555555571 <+59>:    mov    $0x0,%ecx
   0x0000555555555576 <+64>:    mov    $0x0,%edx
   0x000055555555557b <+69>:    lea    0x165e(%rip),%rsi        # 0x555555556be0 <array.3418>
   0x0000555555555582 <+76>:    add    $0x1,%edx
   0x0000555555555585 <+79>:    cltq   
   0x0000555555555587 <+81>:    mov    (%rsi,%rax,4),%eax
   0x000055555555558a <+84>:    add    %eax,%ecx
   0x000055555555558c <+86>:    cmp    $0xf,%eax
   0x000055555555558f <+89>:    jne    0x555555555582 <phase_5+76>
   0x0000555555555591 <+91>:    movl   $0xf,(%rsp)
   0x0000555555555598 <+98>:    cmp    $0xf,%edx
   0x000055555555559b <+101>:   jne    0x5555555555a3 <phase_5+109>
   0x000055555555559d <+103>:   cmp    %ecx,0x4(%rsp)
   0x00005555555555a1 <+107>:   je     0x5555555555a8 <phase_5+114>
   0x00005555555555a3 <+109>:   callq  0x555555555b25 <explode_bomb>
   0x00005555555555a8 <+114>:   mov    0x8(%rsp),%rax
   0x00005555555555ad <+119>:   xor    %fs:0x28,%rax
   0x00005555555555b6 <+128>:   jne    0x5555555555c4 <phase_5+142>
   0x00005555555555b8 <+130>:   add    $0x18,%rsp
   0x00005555555555bc <+134>:   retq   
   0x00005555555555bd <+135>:   callq  0x555555555b25 <explode_bomb>
   0x00005555555555c2 <+140>:   jmp    0x555555555563 <phase_5+45>
   0x00005555555555c4 <+142>:   callq  0x555555554ec0 <__stack_chk_fail@plt>

The list of numbers I've inputted is this:

[image not preserved]

So far from my understanding, two conditions need to be met:

  1. edx must equal 0xf, meaning the first input has to be 5, 21, 37, etc. (Add 16 each time)
  2. ecx is compared to rsp, which is 15, so we need ecx to equal 15

What I know so far:

  1. first input cannot be 15, 31, 47, etc.
  2. Changing the second input does not affect the ecx
  3. first input is directly correlated to edx

Questions:

  1. Where is the second input used?
  2. Is it true that the first input has to be 5, 21, 37, etc?

Upvotes: 1

Views: 8810

Answers (2)

Karthikeyan

Reputation: 1

The solution is: 5 115. I have given a detailed explanation for phase_5 here: https://techiekarthik.hashnode.dev/cmu-bomblab-walkthrough?t=1676391915473#heading-phase-5

Upvotes: 0

Aman

Reputation: 1

At the compare on line 103, %ecx is 115; your answer turns out to be 21 115.

Upvotes: 0
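
Added example, not part of the question or either answer: a C model of the loop at `<+45>` through `<+107>`, showing how the first input drives the step count (`%edx`) and the running sum (`%ecx`), and that the second input is only read by the compare at `<+103>`. The contents of `array.3418` are not shown on the page, so `sample_array` is a constructed permutation chosen to be consistent with the 115 in the answers, and all function names are hypothetical.

```c
#include <stdio.h>

/* ASSUMPTION: constructed stand-in for array.3418 (not shown on the page).
 * Entries must stay in 0..15. On a real bomb, dump the 16 ints in gdb. */
static const int sample_array[16] =
    {10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 1, 13, 3, 9, 6, 5};

struct walk { int steps; int sum; };   /* steps models %edx, sum models %ecx */

/* Model of <+45>..<+89>. steps == -1 means the walk never ends at 15. */
static struct walk phase5_walk(const int *arr, int first)
{
    struct walk w = {0, 0};
    int eax = first & 0xf;              /* <+48> and $0xf,%eax          */
    if (eax == 0xf) {                   /* <+54>/<+57> explode on 15    */
        w.steps = -1;
        return w;
    }
    do {
        w.steps++;                      /* <+76> add $0x1,%edx          */
        eax = arr[eax];                 /* <+81> mov (%rsi,%rax,4),%eax */
        w.sum += eax;                   /* <+84> add %eax,%ecx          */
    } while (eax != 0xf && w.steps < 16); /* cap guards a cycle without 15 */
    if (eax != 0xf)
        w.steps = -1;
    return w;
}

/* Model of <+98> and <+103>: 15 steps, and second input equals the sum. */
static int phase5_accepts(const int *arr, int first, int second)
{
    struct walk w = phase5_walk(arr, first);
    return w.steps == 15 && w.sum == second;
}

/* Search the 15 usable low nibbles for the one that takes 15 steps. */
static int phase5_solve(const int *arr, int *second)
{
    for (int i = 0; i < 15; i++) {
        struct walk w = phase5_walk(arr, i);
        if (w.steps == 15) { *second = w.sum; return i; }
    }
    return -1;
}

int main(void)
{
    int second = 0, first = phase5_solve(sample_array, &second);
    printf("first (mod 16) = %d, second = %d\n", first, second);
    return 0;
}
```

Because only the low four bits of the first input survive the `and $0xf`, any first value with the same low nibble takes the same walk in this model.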
