summaryrefslogtreecommitdiff
path: root/docs/posts/2023-10-04-bomb-lab.html
diff options
context:
space:
mode:
Diffstat (limited to 'docs/posts/2023-10-04-bomb-lab.html')
-rw-r--r--docs/posts/2023-10-04-bomb-lab.html1162
1 files changed, 1162 insertions, 0 deletions
diff --git a/docs/posts/2023-10-04-bomb-lab.html b/docs/posts/2023-10-04-bomb-lab.html
new file mode 100644
index 0000000..2c9518c
--- /dev/null
+++ b/docs/posts/2023-10-04-bomb-lab.html
@@ -0,0 +1,1162 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+
+ <link rel="stylesheet" href="/assets/main.css" />
+ <link rel="stylesheet" href="/assets/sakura.css" />
+ <meta charset="utf-8">
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+ <title>Bomb Lab</title>
+ <meta name="og:site_name" content="Navan Chauhan" />
+ <link rel="canonical" href="https://web.navan.dev/" />
+ <meta name="twitter:url" content="https://web.navan.dev/" />
+ <meta name="og:url" content="https://web.navan.dev/" />
+ <meta name="twitter:title" content="Bomb Lab" />
+ <meta name="og:title" content="Bomb Lab" />
+ <meta name="description" content="Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2" />
+ <meta name="twitter:description" content="Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2" />
+ <meta name="og:description" content="Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2" />
+ <meta name="twitter:card" content="summary_large_image" />
+ <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+ <link rel="shortcut icon" href="/images/favicon.png" type="image/png" />
+ <link rel="alternate" href="/feed.rss" type="application/rss+xml" title="Subscribe to Navan Chauhan" />
+ <meta name="twitter:image" content="https://web.navan.dev/images/opengraph/posts/2023-10-04-bomb-lab.png" />
+ <meta name="og:image" content="https://web.navan.dev/images/opengraph/posts/2023-10-04-bomb-lab.png" />
+ <link rel="manifest" href="manifest.json" />
+ <meta name="google-site-verification" content="LVeSZxz-QskhbEjHxOi7-BM5dDxTg53x2TwrjFxfL0k" />
+ <script data-goatcounter="https://navanchauhan.goatcounter.com/count"
+ async src="//gc.zgo.at/count.js"></script>
+ <script defer data-domain="web.navan.dev" src="https://plausible.io/js/plausible.js"></script>
+ <script defer data-domain="web.navan.dev" src="https://plausible.navan.dev/js/plausible.js"></script>
+ <!-- Begin Inspectlet Asynchronous Code. Only for some testing, will be removed soon -->
+ <script type="text/javascript">
+ (function() {
+ window.__insp = window.__insp || [];
+ __insp.push(['wid', 1038401947]);
+ var ldinsp = function(){
+ if(typeof window.__inspld != "undefined") return; window.__inspld = 1; var insp = document.createElement('script'); insp.type = 'text/javascript'; insp.async = true; insp.id = "inspsync"; insp.src = ('https:' == document.location.protocol ? 'https' : 'http') + '://cdn.inspectlet.com/inspectlet.js?wid=1038401947&r=' + Math.floor(new Date().getTime()/3600000); var x = document.getElementsByTagName('script')[0]; x.parentNode.insertBefore(insp, x); };
+ setTimeout(ldinsp, 0);
+ })();
+ </script>
+ <!-- End Inspectlet Asynchronous Code -->
+
+</head>
+<body>
+ <nav style="display: block;">
+|
+<a href="/">home</a> |
+<a href="/about/">about/links</a> |
+<a href="/posts/">posts</a> |
+<a href="/publications/">publications</a> |
+<a href="/repo/">iOS repo</a> |
+<a href="/feed.rss">RSS Feed</a> |
+</nav>
+
+<main>
+
+ <h1>Bomb Lab</h1>
+
+<h2>Introduction</h2>
+
+<p>Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems</p>
+
+<blockquote>
+ <p>The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused.</p>
+</blockquote>
+
+<blockquote>
+ <p>There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!</p>
+</blockquote>
+
+<p>I like using objdump to disassemble the code and get a broad overview of what is happening before I start. </p>
+
+<p><code>objdump -d bomb &gt; dis.txt</code></p>
+
+<p><em>Note: I am not sure about the history of the bomb lab. I think it started at CMU.</em></p>
+
+<h2>Phase 1</h2>
+
+<div class="codehilite">
+<pre><span></span><code>joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$<span class="w"> </span>gdb<span class="w"> </span>-ex<span class="w"> </span><span class="s1">&#39;break phase_1&#39;</span><span class="w"> </span>-ex<span class="w"> </span><span class="s1">&#39;break explode_bomb&#39;</span><span class="w"> </span>-ex<span class="w"> </span><span class="s1">&#39;run&#39;</span><span class="w"> </span>./bomb<span class="w"> </span>
+GNU<span class="w"> </span>gdb<span class="w"> </span><span class="o">(</span>Ubuntu<span class="w"> </span><span class="m">12</span>.1-0ubuntu1~22.04<span class="o">)</span><span class="w"> </span><span class="m">12</span>.1
+Copyright<span class="w"> </span><span class="o">(</span>C<span class="o">)</span><span class="w"> </span><span class="m">2022</span><span class="w"> </span>Free<span class="w"> </span>Software<span class="w"> </span>Foundation,<span class="w"> </span>Inc.
+License<span class="w"> </span>GPLv3+:<span class="w"> </span>GNU<span class="w"> </span>GPL<span class="w"> </span>version<span class="w"> </span><span class="m">3</span><span class="w"> </span>or<span class="w"> </span>later<span class="w"> </span>&lt;http://gnu.org/licenses/gpl.html&gt;
+This<span class="w"> </span>is<span class="w"> </span>free<span class="w"> </span>software:<span class="w"> </span>you<span class="w"> </span>are<span class="w"> </span>free<span class="w"> </span>to<span class="w"> </span>change<span class="w"> </span>and<span class="w"> </span>redistribute<span class="w"> </span>it.
+There<span class="w"> </span>is<span class="w"> </span>NO<span class="w"> </span>WARRANTY,<span class="w"> </span>to<span class="w"> </span>the<span class="w"> </span>extent<span class="w"> </span>permitted<span class="w"> </span>by<span class="w"> </span>law.
+Type<span class="w"> </span><span class="s2">&quot;show copying&quot;</span><span class="w"> </span>and<span class="w"> </span><span class="s2">&quot;show warranty&quot;</span><span class="w"> </span><span class="k">for</span><span class="w"> </span>details.
+This<span class="w"> </span>GDB<span class="w"> </span>was<span class="w"> </span>configured<span class="w"> </span>as<span class="w"> </span><span class="s2">&quot;x86_64-linux-gnu&quot;</span>.
+Type<span class="w"> </span><span class="s2">&quot;show configuration&quot;</span><span class="w"> </span><span class="k">for</span><span class="w"> </span>configuration<span class="w"> </span>details.
+For<span class="w"> </span>bug<span class="w"> </span>reporting<span class="w"> </span>instructions,<span class="w"> </span>please<span class="w"> </span>see:
+&lt;https://www.gnu.org/software/gdb/bugs/&gt;.
+Find<span class="w"> </span>the<span class="w"> </span>GDB<span class="w"> </span>manual<span class="w"> </span>and<span class="w"> </span>other<span class="w"> </span>documentation<span class="w"> </span>resources<span class="w"> </span>online<span class="w"> </span>at:
+<span class="w"> </span>&lt;http://www.gnu.org/software/gdb/documentation/&gt;.
+
+For<span class="w"> </span>help,<span class="w"> </span><span class="nb">type</span><span class="w"> </span><span class="s2">&quot;help&quot;</span>.
+Type<span class="w"> </span><span class="s2">&quot;apropos word&quot;</span><span class="w"> </span>to<span class="w"> </span>search<span class="w"> </span><span class="k">for</span><span class="w"> </span>commands<span class="w"> </span>related<span class="w"> </span>to<span class="w"> </span><span class="s2">&quot;word&quot;</span>...
+Reading<span class="w"> </span>symbols<span class="w"> </span>from<span class="w"> </span>./bomb...
+Breakpoint<span class="w"> </span><span class="m">1</span><span class="w"> </span>at<span class="w"> </span>0x15c7
+Breakpoint<span class="w"> </span><span class="m">2</span><span class="w"> </span>at<span class="w"> </span>0x1d4a
+Starting<span class="w"> </span>program:<span class="w"> </span>/home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb<span class="w"> </span>
+<span class="o">[</span>Thread<span class="w"> </span>debugging<span class="w"> </span>using<span class="w"> </span>libthread_db<span class="w"> </span>enabled<span class="o">]</span>
+Using<span class="w"> </span>host<span class="w"> </span>libthread_db<span class="w"> </span>library<span class="w"> </span><span class="s2">&quot;/lib/x86_64-linux-gnu/libthread_db.so.1&quot;</span>.
+Welcome<span class="w"> </span>to<span class="w"> </span>my<span class="w"> </span>fiendish<span class="w"> </span>little<span class="w"> </span>bomb.<span class="w"> </span>You<span class="w"> </span>have<span class="w"> </span><span class="m">6</span><span class="w"> </span>phases<span class="w"> </span>with
+which<span class="w"> </span>to<span class="w"> </span>blow<span class="w"> </span>yourself<span class="w"> </span>up.<span class="w"> </span>Have<span class="w"> </span>a<span class="w"> </span>nice<span class="w"> </span>day!
+<span class="nb">test</span><span class="w"> </span>string
+
+Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>0x00005555555555c7<span class="w"> </span><span class="k">in</span><span class="w"> </span>phase_1<span class="w"> </span><span class="o">()</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>dias<span class="w"> </span>phase_1
+Undefined<span class="w"> </span>command:<span class="w"> </span><span class="s2">&quot;dias&quot;</span>.<span class="w"> </span>Try<span class="w"> </span><span class="s2">&quot;help&quot;</span>.
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>disas<span class="w"> </span>phase_1
+Dump<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>code<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">function</span><span class="w"> </span>phase_1:
+<span class="o">=</span>&gt;<span class="w"> </span>0x00005555555555c7<span class="w"> </span>&lt;+0&gt;:<span class="w"> </span>endbr64<span class="w"> </span>
+<span class="w"> </span>0x00005555555555cb<span class="w"> </span>&lt;+4&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x8,%rsp
+<span class="w"> </span>0x00005555555555cf<span class="w"> </span>&lt;+8&gt;:<span class="w"> </span>lea<span class="w"> </span>0x1b7a<span class="o">(</span>%rip<span class="o">)</span>,%rsi<span class="w"> </span><span class="c1"># 0x555555557150</span>
+<span class="w"> </span>0x00005555555555d6<span class="w"> </span>&lt;+15&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555b31<span class="w"> </span>&lt;strings_not_equal&gt;
+<span class="w"> </span>0x00005555555555db<span class="w"> </span>&lt;+20&gt;:<span class="w"> </span><span class="nb">test</span><span class="w"> </span>%eax,%eax
+<span class="w"> </span>0x00005555555555dd<span class="w"> </span>&lt;+22&gt;:<span class="w"> </span>jne<span class="w"> </span>0x5555555555e4<span class="w"> </span>&lt;phase_1+29&gt;
+<span class="w"> </span>0x00005555555555df<span class="w"> </span>&lt;+24&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x8,%rsp
+<span class="w"> </span>0x00005555555555e3<span class="w"> </span>&lt;+28&gt;:<span class="w"> </span>ret<span class="w"> </span>
+<span class="w"> </span>0x00005555555555e4<span class="w"> </span>&lt;+29&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x00005555555555e9<span class="w"> </span>&lt;+34&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x5555555555df<span class="w"> </span>&lt;phase_1+24&gt;
+End<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>dump.
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>print<span class="w"> </span>0x555555557150
+<span class="nv">$1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="m">93824992244048</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>x/1s<span class="w"> </span>0x555555557150
+0x555555557150:<span class="w"> </span><span class="s2">&quot;Controlling complexity is the essence of computer programming.&quot;</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>
+</code></pre>
+</div>
+
+<h2>Phase 2</h2>
+
+<div class="codehilite">
+<pre><span></span><code>Phase<span class="w"> </span><span class="m">1</span><span class="w"> </span>defused.<span class="w"> </span>How<span class="w"> </span>about<span class="w"> </span>the<span class="w"> </span>next<span class="w"> </span>one?
+<span class="m">1</span><span class="w"> </span><span class="m">2</span><span class="w"> </span><span class="m">3</span><span class="w"> </span><span class="m">4</span><span class="w"> </span><span class="m">5</span><span class="w"> </span><span class="m">6</span>
+
+Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>0x00005555555555eb<span class="w"> </span><span class="k">in</span><span class="w"> </span>phase_2<span class="w"> </span><span class="o">()</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>disas
+Dump<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>code<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">function</span><span class="w"> </span>phase_2:
+<span class="o">=</span>&gt;<span class="w"> </span>0x00005555555555eb<span class="w"> </span>&lt;+0&gt;:<span class="w"> </span>endbr64<span class="w"> </span>
+<span class="w"> </span>0x00005555555555ef<span class="w"> </span>&lt;+4&gt;:<span class="w"> </span>push<span class="w"> </span>%rbp
+<span class="w"> </span>0x00005555555555f0<span class="w"> </span>&lt;+5&gt;:<span class="w"> </span>push<span class="w"> </span>%rbx
+<span class="w"> </span>0x00005555555555f1<span class="w"> </span>&lt;+6&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x28,%rsp
+<span class="w"> </span>0x00005555555555f5<span class="w"> </span>&lt;+10&gt;:<span class="w"> </span>mov<span class="w"> </span>%rsp,%rsi
+<span class="w"> </span>0x00005555555555f8<span class="w"> </span>&lt;+13&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d97<span class="w"> </span>&lt;read_six_numbers&gt;
+<span class="w"> </span>0x00005555555555fd<span class="w"> </span>&lt;+18&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x0,<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555601<span class="w"> </span>&lt;+22&gt;:<span class="w"> </span>js<span class="w"> </span>0x55555555560d<span class="w"> </span>&lt;phase_2+34&gt;
+<span class="w"> </span>0x0000555555555603<span class="w"> </span>&lt;+24&gt;:<span class="w"> </span>mov<span class="w"> </span>%rsp,%rbp
+<span class="w"> </span>0x0000555555555606<span class="w"> </span>&lt;+27&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x1,%ebx
+<span class="w"> </span>0x000055555555560b<span class="w"> </span>&lt;+32&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x555555555620<span class="w"> </span>&lt;phase_2+53&gt;
+<span class="w"> </span>0x000055555555560d<span class="w"> </span>&lt;+34&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x0000555555555612<span class="w"> </span>&lt;+39&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x555555555603<span class="w"> </span>&lt;phase_2+24&gt;
+<span class="w"> </span>0x0000555555555614<span class="w"> </span>&lt;+41&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x1,%ebx
+<span class="w"> </span>0x0000555555555617<span class="w"> </span>&lt;+44&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x4,%rbp
+<span class="w"> </span>0x000055555555561b<span class="w"> </span>&lt;+48&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x6,%ebx
+<span class="w"> </span>0x000055555555561e<span class="w"> </span>&lt;+51&gt;:<span class="w"> </span>je<span class="w"> </span>0x555555555631<span class="w"> </span>&lt;phase_2+70&gt;
+<span class="w"> </span>0x0000555555555620<span class="w"> </span>&lt;+53&gt;:<span class="w"> </span>mov<span class="w"> </span>%ebx,%eax
+<span class="w"> </span>0x0000555555555622<span class="w"> </span>&lt;+55&gt;:<span class="w"> </span>add<span class="w"> </span>0x0<span class="o">(</span>%rbp<span class="o">)</span>,%eax
+<span class="w"> </span>0x0000555555555625<span class="w"> </span>&lt;+58&gt;:<span class="w"> </span>cmp<span class="w"> </span>%eax,0x4<span class="o">(</span>%rbp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555628<span class="w"> </span>&lt;+61&gt;:<span class="w"> </span>je<span class="w"> </span>0x555555555614<span class="w"> </span>&lt;phase_2+41&gt;
+<span class="w"> </span>0x000055555555562a<span class="w"> </span>&lt;+63&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x000055555555562f<span class="w"> </span>&lt;+68&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x555555555614<span class="w"> </span>&lt;phase_2+41&gt;
+<span class="w"> </span>0x0000555555555631<span class="w"> </span>&lt;+70&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x28,%rsp
+<span class="w"> </span>0x0000555555555635<span class="w"> </span>&lt;+74&gt;:<span class="w"> </span>pop<span class="w"> </span>%rbx
+<span class="w"> </span>0x0000555555555636<span class="w"> </span>&lt;+75&gt;:<span class="w"> </span>pop<span class="w"> </span>%rbp
+<span class="w"> </span>0x0000555555555637<span class="w"> </span>&lt;+76&gt;:<span class="w"> </span>ret<span class="w"> </span>
+End<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>dump.
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>
+</code></pre>
+</div>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x00005555555555fd<span class="w"> </span>&lt;+18&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x0,<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555601<span class="w"> </span>&lt;+22&gt;:<span class="w"> </span>js<span class="w"> </span>0x55555555560d<span class="w"> </span>&lt;phase_2+34&gt;
+...
+<span class="w"> </span>0x000055555555560d<span class="w"> </span>&lt;+34&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+</code></pre>
+</div>
+
+<p>The program first compares if the first number is not 0. If the number is not 0, then the <code>cmpl</code> instruction returns a negative value. The <code>js</code> instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called.</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x0000555555555603<span class="w"> </span>&lt;+24&gt;:<span class="w"> </span>mov<span class="w"> </span>%rsp,%rbp
+<span class="w"> </span>0x0000555555555606<span class="w"> </span>&lt;+27&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x1,%ebx
+</code></pre>
+</div>
+
+<p><code>%rsp</code> in x86-64 asm, is the stack pointer i.e. it points to the top of the current stack frame. Since the program just read six numbers, the top of the stack (<code>%rsp</code>) contains the address of the first number.</p>
+
+<p>By executing <code>mov %rsp,%rbp</code> we are setting the base pointer (<code>%rbp</code>) to point to this address.</p>
+
+<p>Now, for the second instruction <code>mov $0x1,%ebx</code>, we are initalising the <code>%ebx</code> register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop.</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x000055555555560b<span class="w"> </span>&lt;+32&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x555555555620<span class="w"> </span>&lt;phase_2+53&gt;
+</code></pre>
+</div>
+
+<p>The program now jumps to <phase_2+53></p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x0000555555555620<span class="w"> </span>&lt;+53&gt;:<span class="w"> </span>mov<span class="w"> </span>%ebx,%eax
+<span class="w"> </span>0x0000555555555622<span class="w"> </span>&lt;+55&gt;:<span class="w"> </span>add<span class="w"> </span>0x0<span class="o">(</span>%rbp<span class="o">)</span>,%eax
+<span class="w"> </span>0x0000555555555625<span class="w"> </span>&lt;+58&gt;:<span class="w"> </span>cmp<span class="w"> </span>%eax,0x4<span class="o">(</span>%rbp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555628<span class="w"> </span>&lt;+61&gt;:<span class="w"> </span>je<span class="w"> </span>0x555555555614<span class="w"> </span>&lt;phase_2+41&gt;
+</code></pre>
+</div>
+
+<p>Here, the value from <code>%ebx</code> is copied to the <code>%eax</code> register. For this iteration, the value should be 1.</p>
+
+<p>Then, the value at the memory location pointed by <code>%rbp</code> is added to the value in <code>%eax</code>. For now, 0 is added (the first number that we read).</p>
+
+<p><code>cmp %eax,0x4(%rbp)</code> - The instruction compares the value in %eax to the value at the memory address <code>%rbp + 4</code>. Since Integers in this context are stored using a word of memory of 4 bytes, this indicates it checks against the second number in the sequence.</p>
+
+<p><code>je 0x555555555614 &lt;phase_2+41&gt;</code> - The program will jump to <code>phase_2+41</code> if the previous <code>cmp</code> instruction determined the values as equal. </p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x0000555555555614<span class="w"> </span>&lt;+41&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x1,%ebx
+<span class="w"> </span>0x0000555555555617<span class="w"> </span>&lt;+44&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x4,%rbp
+<span class="w"> </span>0x000055555555561b<span class="w"> </span>&lt;+48&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x6,%ebx
+<span class="w"> </span>0x000055555555561e<span class="w"> </span>&lt;+51&gt;:<span class="w"> </span>je<span class="w"> </span>0x555555555631<span class="w"> </span>&lt;phase_2+70&gt;
+<span class="w"> </span>0x0000555555555620<span class="w"> </span>&lt;+53&gt;:<span class="w"> </span>mov<span class="w"> </span>%ebx,%eax
+<span class="w"> </span>0x0000555555555622<span class="w"> </span>&lt;+55&gt;:<span class="w"> </span>add<span class="w"> </span>0x0<span class="o">(</span>%rbp<span class="o">)</span>,%eax
+<span class="w"> </span>0x0000555555555625<span class="w"> </span>&lt;+58&gt;:<span class="w"> </span>cmp<span class="w"> </span>%eax,0x4<span class="o">(</span>%rbp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555628<span class="w"> </span>&lt;+61&gt;:<span class="w"> </span>je<span class="w"> </span>0x555555555614<span class="w"> </span>&lt;phase_2+41&gt;
+</code></pre>
+</div>
+
+<p>Here, we can see that the program increments <code>%ebx</code> by 1, adds a 4 byte offset to <code>%rbp</code> (the number we will be matching now), and checks if <code>%ebx</code> is equal to 6. If it is, it breaks the loop and jumps to <code>&lt;phase_2+70&gt;</code> succesfully finishing this stage.</p>
+
+<p>Now, given that we know the first two numbers in the sequence are <code>0 1</code>, we can calculate the other numbers by following the pattern of adding the counter and the value of the previous number.</p>
+
+<p>Thus,</p>
+
+<ul>
+<li>3rd number = 1 (previous value) + 2 = 3</li>
+<li>4th number = 3 (prev value) + 3 = 6</li>
+<li>5th number = 6 (prev value) + 4 = 10</li>
+<li>6th number = 10 (prev value) + 5 = 15</li>
+</ul>
+
+<div class="codehilite">
+<pre><span></span><code>...
+Phase<span class="w"> </span><span class="m">1</span><span class="w"> </span>defused.<span class="w"> </span>How<span class="w"> </span>about<span class="w"> </span>the<span class="w"> </span>next<span class="w"> </span>one?
+<span class="m">0</span><span class="w"> </span><span class="m">1</span><span class="w"> </span><span class="m">3</span><span class="w"> </span><span class="m">6</span><span class="w"> </span><span class="m">10</span><span class="w"> </span><span class="m">15</span>
+
+Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>0x00005555555555eb<span class="w"> </span><span class="k">in</span><span class="w"> </span>phase_2<span class="w"> </span><span class="o">()</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span><span class="k">continue</span>
+Continuing.
+That<span class="err">&#39;</span>s<span class="w"> </span>number<span class="w"> </span><span class="m">2</span>.<span class="w"> </span>Keep<span class="w"> </span>going!
+</code></pre>
+</div>
+
+<h2>Phase 3</h2>
+
+<p>Let us look at the disassembled code first</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="m">0000000000001638</span><span class="w"> </span>&lt;phase_3&gt;:
+<span class="w"> </span><span class="m">1638</span>:<span class="w"> </span>f3<span class="w"> </span>0f<span class="w"> </span>1e<span class="w"> </span>fa<span class="w"> </span>endbr64<span class="w"> </span>
+<span class="w"> </span>163c:<span class="w"> </span><span class="m">48</span><span class="w"> </span><span class="m">83</span><span class="w"> </span>ec<span class="w"> </span><span class="m">18</span><span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x18,%rsp
+<span class="w"> </span><span class="m">1640</span>:<span class="w"> </span><span class="m">48</span><span class="w"> </span>8d<span class="w"> </span>4c<span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">07</span><span class="w"> </span>lea<span class="w"> </span>0x7<span class="o">(</span>%rsp<span class="o">)</span>,%rcx
+<span class="w"> </span><span class="m">1645</span>:<span class="w"> </span><span class="m">48</span><span class="w"> </span>8d<span class="w"> </span><span class="m">54</span><span class="w"> </span><span class="m">24</span><span class="w"> </span>0c<span class="w"> </span>lea<span class="w"> </span>0xc<span class="o">(</span>%rsp<span class="o">)</span>,%rdx
+<span class="w"> </span>164a:<span class="w"> </span>4c<span class="w"> </span>8d<span class="w"> </span><span class="m">44</span><span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">08</span><span class="w"> </span>lea<span class="w"> </span>0x8<span class="o">(</span>%rsp<span class="o">)</span>,%r8
+<span class="w"> </span>164f:<span class="w"> </span><span class="m">48</span><span class="w"> </span>8d<span class="w"> </span><span class="m">35</span><span class="w"> </span><span class="m">60</span><span class="w"> </span>1b<span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>lea<span class="w"> </span>0x1b60<span class="o">(</span>%rip<span class="o">)</span>,%rsi<span class="w"> </span><span class="c1"># 31b6 &lt;_IO_stdin_used+0x1b6&gt;</span>
+<span class="w"> </span><span class="m">1656</span>:<span class="w"> </span>b8<span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x0,%eax
+<span class="w"> </span>165b:<span class="w"> </span>e8<span class="w"> </span><span class="m">80</span><span class="w"> </span><span class="nb">fc</span><span class="w"> </span>ff<span class="w"> </span>ff<span class="w"> </span>call<span class="w"> </span>12e0<span class="w"> </span>&lt;__isoc99_sscanf@plt&gt;
+<span class="w"> </span><span class="m">1660</span>:<span class="w"> </span><span class="m">83</span><span class="w"> </span>f8<span class="w"> </span><span class="m">02</span><span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x2,%eax
+<span class="w"> </span><span class="m">1663</span>:<span class="w"> </span>7e<span class="w"> </span><span class="m">20</span><span class="w"> </span>jle<span class="w"> </span><span class="m">1685</span><span class="w"> </span>&lt;phase_3+0x4d&gt;
+<span class="w"> </span><span class="m">1665</span>:<span class="w"> </span><span class="m">83</span><span class="w"> </span>7c<span class="w"> </span><span class="m">24</span><span class="w"> </span>0c<span class="w"> </span><span class="m">07</span><span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x7,0xc<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>166a:<span class="w"> </span>0f<span class="w"> </span><span class="m">87</span><span class="w"> </span>0d<span class="w"> </span><span class="m">01</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>ja<span class="w"> </span>177d<span class="w"> </span>&lt;phase_3+0x145&gt;
+<span class="w"> </span><span class="m">1670</span>:<span class="w"> </span>8b<span class="w"> </span><span class="m">44</span><span class="w"> </span><span class="m">24</span><span class="w"> </span>0c<span class="w"> </span>mov<span class="w"> </span>0xc<span class="o">(</span>%rsp<span class="o">)</span>,%eax
+<span class="w"> </span><span class="m">1674</span>:<span class="w"> </span><span class="m">48</span><span class="w"> </span>8d<span class="w"> </span><span class="m">15</span><span class="w"> </span><span class="m">55</span><span class="w"> </span>1b<span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>lea<span class="w"> </span>0x1b55<span class="o">(</span>%rip<span class="o">)</span>,%rdx<span class="w"> </span><span class="c1"># 31d0 &lt;_IO_stdin_used+0x1d0&gt;</span>
+<span class="w"> </span>167b:<span class="w"> </span><span class="m">48</span><span class="w"> </span><span class="m">63</span><span class="w"> </span><span class="m">04</span><span class="w"> </span><span class="m">82</span><span class="w"> </span>movslq<span class="w"> </span><span class="o">(</span>%rdx,%rax,4<span class="o">)</span>,%rax
+<span class="w"> </span>167f:<span class="w"> </span><span class="m">48</span><span class="w"> </span><span class="m">01</span><span class="w"> </span>d0<span class="w"> </span>add<span class="w"> </span>%rdx,%rax
+<span class="w"> </span><span class="m">1682</span>:<span class="w"> </span>3e<span class="w"> </span>ff<span class="w"> </span>e0<span class="w"> </span>notrack<span class="w"> </span>jmp<span class="w"> </span>*%rax
+<span class="w"> </span><span class="m">1685</span>:<span class="w"> </span>e8<span class="w"> </span>c0<span class="w"> </span><span class="m">06</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>168a:<span class="w"> </span>eb<span class="w"> </span>d9<span class="w"> </span>jmp<span class="w"> </span><span class="m">1665</span><span class="w"> </span>&lt;phase_3+0x2d&gt;
+<span class="w"> </span>168c:<span class="w"> </span>b8<span class="w"> </span><span class="m">63</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x63,%eax
+<span class="w"> </span><span class="m">1691</span>:<span class="w"> </span><span class="m">81</span><span class="w"> </span>7c<span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">08</span><span class="w"> </span>3d<span class="w"> </span><span class="m">02</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x23d,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span><span class="m">1698</span>:<span class="w"> </span><span class="m">00</span><span class="w"> </span>
+<span class="w"> </span><span class="m">1699</span>:<span class="w"> </span>0f<span class="w"> </span><span class="m">84</span><span class="w"> </span>e8<span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>je<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span>169f:<span class="w"> </span>e8<span class="w"> </span>a6<span class="w"> </span><span class="m">06</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>16a4:<span class="w"> </span>b8<span class="w"> </span><span class="m">63</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x63,%eax
+<span class="w"> </span>16a9:<span class="w"> </span>e9<span class="w"> </span>d9<span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>jmp<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span>16ae:<span class="w"> </span>b8<span class="w"> </span><span class="m">61</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x61,%eax
+<span class="w"> </span>16b3:<span class="w"> </span><span class="m">81</span><span class="w"> </span>7c<span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">08</span><span class="w"> </span><span class="m">27</span><span class="w"> </span><span class="m">01</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x127,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>16ba:<span class="w"> </span><span class="m">00</span><span class="w"> </span>
+<span class="w"> </span>16bb:<span class="w"> </span>0f<span class="w"> </span><span class="m">84</span><span class="w"> </span>c6<span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>je<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span>16c1:<span class="w"> </span>e8<span class="w"> </span><span class="m">84</span><span class="w"> </span><span class="m">06</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>16c6:<span class="w"> </span>b8<span class="w"> </span><span class="m">61</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x61,%eax
+<span class="w"> </span>16cb:<span class="w"> </span>e9<span class="w"> </span>b7<span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>jmp<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span>16d0:<span class="w"> </span>b8<span class="w"> </span><span class="m">78</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x78,%eax
+<span class="w"> </span>16d5:<span class="w"> </span><span class="m">81</span><span class="w"> </span>7c<span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">08</span><span class="w"> </span>e7<span class="w"> </span><span class="m">02</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x2e7,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>16dc:<span class="w"> </span><span class="m">00</span><span class="w"> </span>
+<span class="w"> </span>16dd:<span class="w"> </span>0f<span class="w"> </span><span class="m">84</span><span class="w"> </span>a4<span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>je<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span>16e3:<span class="w"> </span>e8<span class="w"> </span><span class="m">62</span><span class="w"> </span><span class="m">06</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>16e8:<span class="w"> </span>b8<span class="w"> </span><span class="m">78</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x78,%eax
+<span class="w"> </span>16ed:<span class="w"> </span>e9<span class="w"> </span><span class="m">95</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>jmp<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span>16f2:<span class="w"> </span>b8<span class="w"> </span><span class="m">64</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x64,%eax
+<span class="w"> </span>16f7:<span class="w"> </span><span class="m">81</span><span class="w"> </span>7c<span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">08</span><span class="w"> </span><span class="m">80</span><span class="w"> </span><span class="m">02</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x280,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>16fe:<span class="w"> </span><span class="m">00</span><span class="w"> </span>
+<span class="w"> </span>16ff:<span class="w"> </span>0f<span class="w"> </span><span class="m">84</span><span class="w"> </span><span class="m">82</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>je<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span><span class="m">1705</span>:<span class="w"> </span>e8<span class="w"> </span><span class="m">40</span><span class="w"> </span><span class="m">06</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>170a:<span class="w"> </span>b8<span class="w"> </span><span class="m">64</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x64,%eax
+<span class="w"> </span>170f:<span class="w"> </span>eb<span class="w"> </span><span class="m">76</span><span class="w"> </span>jmp<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span><span class="m">1711</span>:<span class="w"> </span>b8<span class="w"> </span>6d<span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x6d,%eax
+<span class="w"> </span><span class="m">1716</span>:<span class="w"> </span><span class="m">81</span><span class="w"> </span>7c<span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">08</span><span class="w"> </span>ff<span class="w"> </span><span class="m">02</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x2ff,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>171d:<span class="w"> </span><span class="m">00</span><span class="w"> </span>
+<span class="w"> </span>171e:<span class="w"> </span><span class="m">74</span><span class="w"> </span><span class="m">67</span><span class="w"> </span>je<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span><span class="m">1720</span>:<span class="w"> </span>e8<span class="w"> </span><span class="m">25</span><span class="w"> </span><span class="m">06</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span><span class="m">1725</span>:<span class="w"> </span>b8<span class="w"> </span>6d<span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x6d,%eax
+<span class="w"> </span>172a:<span class="w"> </span>eb<span class="w"> </span>5b<span class="w"> </span>jmp<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span>172c:<span class="w"> </span>b8<span class="w"> </span><span class="m">71</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x71,%eax
+<span class="w"> </span><span class="m">1731</span>:<span class="w"> </span><span class="m">81</span><span class="w"> </span>7c<span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">08</span><span class="w"> </span><span class="m">75</span><span class="w"> </span><span class="m">03</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x375,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span><span class="m">1738</span>:<span class="w"> </span><span class="m">00</span><span class="w"> </span>
+<span class="w"> </span><span class="m">1739</span>:<span class="w"> </span><span class="m">74</span><span class="w"> </span>4c<span class="w"> </span>je<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span>173b:<span class="w"> </span>e8<span class="w"> </span>0a<span class="w"> </span><span class="m">06</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span><span class="m">1740</span>:<span class="w"> </span>b8<span class="w"> </span><span class="m">71</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x71,%eax
+<span class="w"> </span><span class="m">1745</span>:<span class="w"> </span>eb<span class="w"> </span><span class="m">40</span><span class="w"> </span>jmp<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span><span class="m">1747</span>:<span class="w"> </span>b8<span class="w"> </span><span class="m">79</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x79,%eax
+<span class="w"> </span>174c:<span class="w"> </span><span class="m">81</span><span class="w"> </span>7c<span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">08</span><span class="w"> </span><span class="m">94</span><span class="w"> </span><span class="m">02</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x294,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span><span class="m">1753</span>:<span class="w"> </span><span class="m">00</span><span class="w"> </span>
+<span class="w"> </span><span class="m">1754</span>:<span class="w"> </span><span class="m">74</span><span class="w"> </span><span class="m">31</span><span class="w"> </span>je<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span><span class="m">1756</span>:<span class="w"> </span>e8<span class="w"> </span>ef<span class="w"> </span><span class="m">05</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>175b:<span class="w"> </span>b8<span class="w"> </span><span class="m">79</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x79,%eax
+<span class="w"> </span><span class="m">1760</span>:<span class="w"> </span>eb<span class="w"> </span><span class="m">25</span><span class="w"> </span>jmp<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span><span class="m">1762</span>:<span class="w"> </span>b8<span class="w"> </span><span class="m">79</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x79,%eax
+<span class="w"> </span><span class="m">1767</span>:<span class="w"> </span><span class="m">81</span><span class="w"> </span>7c<span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">08</span><span class="w"> </span><span class="m">88</span><span class="w"> </span><span class="m">02</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x288,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>176e:<span class="w"> </span><span class="m">00</span><span class="w"> </span>
+<span class="w"> </span>176f:<span class="w"> </span><span class="m">74</span><span class="w"> </span><span class="m">16</span><span class="w"> </span>je<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span><span class="m">1771</span>:<span class="w"> </span>e8<span class="w"> </span>d4<span class="w"> </span><span class="m">05</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span><span class="m">1776</span>:<span class="w"> </span>b8<span class="w"> </span><span class="m">79</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x79,%eax
+<span class="w"> </span>177b:<span class="w"> </span>eb<span class="w"> </span>0a<span class="w"> </span>jmp<span class="w"> </span><span class="m">1787</span><span class="w"> </span>&lt;phase_3+0x14f&gt;
+<span class="w"> </span>177d:<span class="w"> </span>e8<span class="w"> </span>c8<span class="w"> </span><span class="m">05</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span><span class="m">1782</span>:<span class="w"> </span>b8<span class="w"> </span><span class="m">68</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x68,%eax
+<span class="w"> </span><span class="m">1787</span>:<span class="w"> </span><span class="m">38</span><span class="w"> </span><span class="m">44</span><span class="w"> </span><span class="m">24</span><span class="w"> </span><span class="m">07</span><span class="w"> </span>cmp<span class="w"> </span>%al,0x7<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>178b:<span class="w"> </span><span class="m">75</span><span class="w"> </span><span class="m">05</span><span class="w"> </span>jne<span class="w"> </span><span class="m">1792</span><span class="w"> </span>&lt;phase_3+0x15a&gt;
+<span class="w"> </span>178d:<span class="w"> </span><span class="m">48</span><span class="w"> </span><span class="m">83</span><span class="w"> </span>c4<span class="w"> </span><span class="m">18</span><span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x18,%rsp
+<span class="w"> </span><span class="m">1791</span>:<span class="w"> </span>c3<span class="w"> </span>ret<span class="w"> </span>
+<span class="w"> </span><span class="m">1792</span>:<span class="w"> </span>e8<span class="w"> </span>b3<span class="w"> </span><span class="m">05</span><span class="w"> </span><span class="m">00</span><span class="w"> </span><span class="m">00</span><span class="w"> </span>call<span class="w"> </span>1d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span><span class="m">1797</span>:<span class="w"> </span>eb<span class="w"> </span>f4<span class="w"> </span>jmp<span class="w"> </span>178d<span class="w"> </span>&lt;phase_3+0x155&gt;
+</code></pre>
+</div>
+
+<div class="codehilite">
+<pre><span></span><code>...
+<span class="w"> </span>165b:<span class="w"> </span>e8<span class="w"> </span><span class="m">80</span><span class="w"> </span><span class="nb">fc</span><span class="w"> </span>ff<span class="w"> </span>ff<span class="w"> </span>call<span class="w"> </span>12e0<span class="w"> </span>&lt;__isoc99_sscanf@plt&gt;
+...
+</code></pre>
+</div>
+
+<p>We can see that <code>scanf</code> is being called which means we need to figure out what datatype(s) the program is expecting.</p>
+
+<p>Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions.</p>
+
+<div class="codehilite">
+<pre><span></span><code>joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$<span class="w"> </span>gdb<span class="w"> </span>-ex<span class="w"> </span><span class="s1">&#39;break phase_3&#39;</span><span class="w"> </span>-ex<span class="w"> </span><span class="s1">&#39;break explode_bomb&#39;</span><span class="w"> </span>-ex<span class="w"> </span><span class="s1">&#39;run&#39;</span><span class="w"> </span>-args<span class="w"> </span>./bomb<span class="w"> </span>sol.txt<span class="w"> </span>
+GNU<span class="w"> </span>gdb<span class="w"> </span><span class="o">(</span>Ubuntu<span class="w"> </span><span class="m">12</span>.1-0ubuntu1~22.04<span class="o">)</span><span class="w"> </span><span class="m">12</span>.1
+Copyright<span class="w"> </span><span class="o">(</span>C<span class="o">)</span><span class="w"> </span><span class="m">2022</span><span class="w"> </span>Free<span class="w"> </span>Software<span class="w"> </span>Foundation,<span class="w"> </span>Inc.
+License<span class="w"> </span>GPLv3+:<span class="w"> </span>GNU<span class="w"> </span>GPL<span class="w"> </span>version<span class="w"> </span><span class="m">3</span><span class="w"> </span>or<span class="w"> </span>later<span class="w"> </span>&lt;http://gnu.org/licenses/gpl.html&gt;
+This<span class="w"> </span>is<span class="w"> </span>free<span class="w"> </span>software:<span class="w"> </span>you<span class="w"> </span>are<span class="w"> </span>free<span class="w"> </span>to<span class="w"> </span>change<span class="w"> </span>and<span class="w"> </span>redistribute<span class="w"> </span>it.
+There<span class="w"> </span>is<span class="w"> </span>NO<span class="w"> </span>WARRANTY,<span class="w"> </span>to<span class="w"> </span>the<span class="w"> </span>extent<span class="w"> </span>permitted<span class="w"> </span>by<span class="w"> </span>law.
+Type<span class="w"> </span><span class="s2">&quot;show copying&quot;</span><span class="w"> </span>and<span class="w"> </span><span class="s2">&quot;show warranty&quot;</span><span class="w"> </span><span class="k">for</span><span class="w"> </span>details.
+This<span class="w"> </span>GDB<span class="w"> </span>was<span class="w"> </span>configured<span class="w"> </span>as<span class="w"> </span><span class="s2">&quot;x86_64-linux-gnu&quot;</span>.
+Type<span class="w"> </span><span class="s2">&quot;show configuration&quot;</span><span class="w"> </span><span class="k">for</span><span class="w"> </span>configuration<span class="w"> </span>details.
+For<span class="w"> </span>bug<span class="w"> </span>reporting<span class="w"> </span>instructions,<span class="w"> </span>please<span class="w"> </span>see:
+&lt;https://www.gnu.org/software/gdb/bugs/&gt;.
+Find<span class="w"> </span>the<span class="w"> </span>GDB<span class="w"> </span>manual<span class="w"> </span>and<span class="w"> </span>other<span class="w"> </span>documentation<span class="w"> </span>resources<span class="w"> </span>online<span class="w"> </span>at:
+<span class="w"> </span>&lt;http://www.gnu.org/software/gdb/documentation/&gt;.
+
+For<span class="w"> </span>help,<span class="w"> </span><span class="nb">type</span><span class="w"> </span><span class="s2">&quot;help&quot;</span>.
+Type<span class="w"> </span><span class="s2">&quot;apropos word&quot;</span><span class="w"> </span>to<span class="w"> </span>search<span class="w"> </span><span class="k">for</span><span class="w"> </span>commands<span class="w"> </span>related<span class="w"> </span>to<span class="w"> </span><span class="s2">&quot;word&quot;</span>...
+Reading<span class="w"> </span>symbols<span class="w"> </span>from<span class="w"> </span>./bomb...
+Breakpoint<span class="w"> </span><span class="m">1</span><span class="w"> </span>at<span class="w"> </span>0x1638
+Breakpoint<span class="w"> </span><span class="m">2</span><span class="w"> </span>at<span class="w"> </span>0x1d4a
+Starting<span class="w"> </span>program:<span class="w"> </span>/home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb<span class="w"> </span>sol.txt
+<span class="o">[</span>Thread<span class="w"> </span>debugging<span class="w"> </span>using<span class="w"> </span>libthread_db<span class="w"> </span>enabled<span class="o">]</span>
+Using<span class="w"> </span>host<span class="w"> </span>libthread_db<span class="w"> </span>library<span class="w"> </span><span class="s2">&quot;/lib/x86_64-linux-gnu/libthread_db.so.1&quot;</span>.
+Welcome<span class="w"> </span>to<span class="w"> </span>my<span class="w"> </span>fiendish<span class="w"> </span>little<span class="w"> </span>bomb.<span class="w"> </span>You<span class="w"> </span>have<span class="w"> </span><span class="m">6</span><span class="w"> </span>phases<span class="w"> </span>with
+which<span class="w"> </span>to<span class="w"> </span>blow<span class="w"> </span>yourself<span class="w"> </span>up.<span class="w"> </span>Have<span class="w"> </span>a<span class="w"> </span>nice<span class="w"> </span>day!
+Phase<span class="w"> </span><span class="m">1</span><span class="w"> </span>defused.<span class="w"> </span>How<span class="w"> </span>about<span class="w"> </span>the<span class="w"> </span>next<span class="w"> </span>one?
+That<span class="err">&#39;</span>s<span class="w"> </span>number<span class="w"> </span><span class="m">2</span>.<span class="w"> </span>Keep<span class="w"> </span>going!
+random<span class="w"> </span>string
+
+Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>0x0000555555555638<span class="w"> </span><span class="k">in</span><span class="w"> </span>phase_3<span class="w"> </span><span class="o">()</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>disas
+Dump<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>code<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">function</span><span class="w"> </span>phase_3:
+<span class="o">=</span>&gt;<span class="w"> </span>0x0000555555555638<span class="w"> </span>&lt;+0&gt;:<span class="w"> </span>endbr64<span class="w"> </span>
+<span class="w"> </span>0x000055555555563c<span class="w"> </span>&lt;+4&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x18,%rsp
+<span class="w"> </span>0x0000555555555640<span class="w"> </span>&lt;+8&gt;:<span class="w"> </span>lea<span class="w"> </span>0x7<span class="o">(</span>%rsp<span class="o">)</span>,%rcx
+<span class="w"> </span>0x0000555555555645<span class="w"> </span>&lt;+13&gt;:<span class="w"> </span>lea<span class="w"> </span>0xc<span class="o">(</span>%rsp<span class="o">)</span>,%rdx
+<span class="w"> </span>0x000055555555564a<span class="w"> </span>&lt;+18&gt;:<span class="w"> </span>lea<span class="w"> </span>0x8<span class="o">(</span>%rsp<span class="o">)</span>,%r8
+<span class="w"> </span>0x000055555555564f<span class="w"> </span>&lt;+23&gt;:<span class="w"> </span>lea<span class="w"> </span>0x1b60<span class="o">(</span>%rip<span class="o">)</span>,%rsi<span class="w"> </span><span class="c1"># 0x5555555571b6</span>
+<span class="w"> </span>0x0000555555555656<span class="w"> </span>&lt;+30&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x0,%eax
+<span class="w"> </span>0x000055555555565b<span class="w"> </span>&lt;+35&gt;:<span class="w"> </span>call<span class="w"> </span>0x5555555552e0<span class="w"> </span>&lt;__isoc99_sscanf@plt&gt;
+<span class="w"> </span>0x0000555555555660<span class="w"> </span>&lt;+40&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x2,%eax
+<span class="w"> </span>0x0000555555555663<span class="w"> </span>&lt;+43&gt;:<span class="w"> </span>jle<span class="w"> </span>0x555555555685<span class="w"> </span>&lt;phase_3+77&gt;
+<span class="w"> </span>0x0000555555555665<span class="w"> </span>&lt;+45&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x7,0xc<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x000055555555566a<span class="w"> </span>&lt;+50&gt;:<span class="w"> </span>ja<span class="w"> </span>0x55555555577d<span class="w"> </span>&lt;phase_3+325&gt;
+<span class="w"> </span>0x0000555555555670<span class="w"> </span>&lt;+56&gt;:<span class="w"> </span>mov<span class="w"> </span>0xc<span class="o">(</span>%rsp<span class="o">)</span>,%eax
+<span class="w"> </span>0x0000555555555674<span class="w"> </span>&lt;+60&gt;:<span class="w"> </span>lea<span class="w"> </span>0x1b55<span class="o">(</span>%rip<span class="o">)</span>,%rdx<span class="w"> </span><span class="c1"># 0x5555555571d0</span>
+<span class="w"> </span>0x000055555555567b<span class="w"> </span>&lt;+67&gt;:<span class="w"> </span>movslq<span class="w"> </span><span class="o">(</span>%rdx,%rax,4<span class="o">)</span>,%rax
+<span class="w"> </span>0x000055555555567f<span class="w"> </span>&lt;+71&gt;:<span class="w"> </span>add<span class="w"> </span>%rdx,%rax
+<span class="w"> </span>0x0000555555555682<span class="w"> </span>&lt;+74&gt;:<span class="w"> </span>notrack<span class="w"> </span>jmp<span class="w"> </span>*%rax
+<span class="w"> </span>0x0000555555555685<span class="w"> </span>&lt;+77&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x000055555555568a<span class="w"> </span>&lt;+82&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x555555555665<span class="w"> </span>&lt;phase_3+45&gt;
+<span class="w"> </span>0x000055555555568c<span class="w"> </span>&lt;+84&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x63,%eax
+<span class="w"> </span>0x0000555555555691<span class="w"> </span>&lt;+89&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x23d,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555699<span class="w"> </span>&lt;+97&gt;:<span class="w"> </span>je<span class="w"> </span>0x555555555787<span class="w"> </span>&lt;phase_3+335&gt;
+<span class="w"> </span>0x000055555555569f<span class="w"> </span>&lt;+103&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x00005555555556a4<span class="w"> </span>&lt;+108&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x63,%eax
+<span class="w"> </span>0x00005555555556a9<span class="w"> </span>&lt;+113&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x555555555787<span class="w"> </span>&lt;phase_3+335&gt;
+--Type<span class="w"> </span>&lt;RET&gt;<span class="w"> </span><span class="k">for</span><span class="w"> </span>more,<span class="w"> </span>q<span class="w"> </span>to<span class="w"> </span>quit,<span class="w"> </span>c<span class="w"> </span>to<span class="w"> </span><span class="k">continue</span><span class="w"> </span>without<span class="w"> </span>paging--
+</code></pre>
+</div>
+
+<p><code>gdb</code> has thankfully marked the address which is being passed to <code>scanf</code>. We can access the value:</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>x/1s<span class="w"> </span>0x5555555571b6
+0x5555555571b6:<span class="w"> </span><span class="s2">&quot;%d %c %d&quot;</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>
+</code></pre>
+</div>
+
+<p>BINGO! The program expects an integer, character, and another integer. Onwards.</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x0000555555555660<span class="w"> </span>&lt;+40&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x2,%eax
+<span class="w"> </span>0x0000555555555663<span class="w"> </span>&lt;+43&gt;:<span class="w"> </span>jle<span class="w"> </span>0x555555555685<span class="w"> </span>&lt;phase_3+77&gt;
+...
+<span class="w"> </span>0x0000555555555685<span class="w"> </span>&lt;+77&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+</code></pre>
+</div>
+
+<p>The program checks whether <code>scanf</code> returns a value &lt;= 2, if it does then it calls the <code>explode_bomb</code> function. </p>
+
+<p><em>Note: <code>scanf</code> returns the number of fields that were succesfully converted and assigned</em></p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x0000555555555665<span class="w"> </span>&lt;+45&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x7,0xc<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x000055555555566a<span class="w"> </span>&lt;+50&gt;:<span class="w"> </span>ja<span class="w"> </span>0x55555555577d<span class="w"> </span>&lt;phase_3+325&gt;
+...
+<span class="w"> </span>0x000055555555577d<span class="w"> </span>&lt;+325&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+</code></pre>
+</div>
+
+<p>Similarly, the program checks and ensures the returned value is not &gt; 7. </p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x0000555555555670<span class="w"> </span>&lt;+56&gt;:<span class="w"> </span>mov<span class="w"> </span>0xc<span class="o">(</span>%rsp<span class="o">)</span>,%eax
+<span class="w"> </span>0x0000555555555674<span class="w"> </span>&lt;+60&gt;:<span class="w"> </span>lea<span class="w"> </span>0x1b55<span class="o">(</span>%rip<span class="o">)</span>,%rdx<span class="w"> </span><span class="c1"># 0x5555555571d0</span>
+<span class="w"> </span>0x000055555555567b<span class="w"> </span>&lt;+67&gt;:<span class="w"> </span>movslq<span class="w"> </span><span class="o">(</span>%rdx,%rax,4<span class="o">)</span>,%rax
+<span class="w"> </span>0x000055555555567f<span class="w"> </span>&lt;+71&gt;:<span class="w"> </span>add<span class="w"> </span>%rdx,%rax
+<span class="w"> </span>0x0000555555555682<span class="w"> </span>&lt;+74&gt;:<span class="w"> </span>notrack<span class="w"> </span>jmp<span class="w"> </span>*%rax
+<span class="w"> </span>0x0000555555555685<span class="w"> </span>&lt;+77&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+</code></pre>
+</div>
+
+<ul>
+<li><code>0x0000555555555670 &lt;+56&gt;: mov 0xc(%rsp),%eax</code> - Moves value located at <code>0xc</code> (12 in Decimal) bytes above the stack pointer to <code>%eax</code> register. </li>
+<li><code>0x0000555555555674 &lt;+60&gt;: lea 0x1b55(%rip),%rdx # 0x5555555571d0</code> - This instruction calculates an effective address by adding <code>0x1b55</code> to the current instruction pointer (<code>%rip</code>). The result is stored in the <code>%rdx</code> register. </li>
+<li><code>0x000055555555567b &lt;+67&gt;: movslq (%rdx,%rax,4),%rax</code>
+<ul>
+<li><code>movslq</code> stands for "move with sign-extension from a 32-bit value to a 64-bit value." (if the 32-bit value is negative, the 64-bit result will have all its upper 32 bits set to 1; otherwise, they'll be set to 0). </li>
+<li><code>(%rdx,%rax,4)</code> - First start with the value in the %rdx register, then add to it the value in the %rax register multiplied by 4.</li>
+<li><code>%rax</code> - Destination Register</li>
+</ul></li>
+<li><code>0x000055555555567f &lt;+71&gt;: add %rdx,%rax</code> - Adds base address in <code>%rdx</code> to the offset in <code>%rax</code> </li>
+<li><code>0x0000555555555682 &lt;+74&gt;: notrack jmp *%rax</code> - Jumps to the address stored in <code>%rax</code></li>
+<li><code>0x0000555555555685 &lt;+77&gt;: call 0x555555555d4a &lt;explode_bomb&gt;</code> - If we are unable to jump to the specified instruction, call <code>explode_bomb</code></li>
+</ul>
+
+<p>Let us try to run the program again with a valid input for the first number and see what the program is computing for the address.</p>
+
+<p>I used the input: <code>3 c 123</code>.</p>
+
+<p>To check what is the computed address, we can switch to the asm layout by running <code>layout asm</code>, and then going through instructions <code>ni</code> or <code>si</code> until we reach the line <code>movslq (%rdx,%rax,4),%rax</code></p>
+
+<p><code>%rax</code> should hold the value 3.</p>
+
+<pre><code>(gdb) print $rax
+$1 = 3
+</code></pre>
+
+<p><img src="/assets/bomb-lab/phase-3.png" alt="Screenshot of GDB terminal depicting us checking the value of the instruction to be jumped to" /></p>
+
+<p>We can see that this makes us jump to <code>&lt;phase_3+186&gt;</code> (Continue to step through the code by using <code>ni</code>)</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x00005555555556f2<span class="w"> </span>&lt;+186&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x64,%eax
+<span class="w"> </span>0x00005555555556f7<span class="w"> </span>&lt;+191&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x280,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x00005555555556ff<span class="w"> </span>&lt;+199&gt;:<span class="w"> </span>je<span class="w"> </span>0x555555555787<span class="w"> </span>&lt;phase_3+335&gt;
+<span class="w"> </span>0x0000555555555705<span class="w"> </span>&lt;+205&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+</code></pre>
+</div>
+
+<p>We see that <code>0x64</code> (Decimal 100) is being stored in <code>%eax</code>. Then, the program compares <code>0x280</code> (Decimal 640) with memory address <code>0x8</code> bytes above the stack pointer (<code>%rsp</code>). If the values are equal, then it jumps to <code>&lt;phase_3+335&gt;</code>, otherwise <code>explode_bomb</code> is called.</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x0000555555555787<span class="w"> </span>&lt;+335&gt;:<span class="w"> </span>cmp<span class="w"> </span>%al,0x7<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x000055555555578b<span class="w"> </span>&lt;+339&gt;:<span class="w"> </span>jne<span class="w"> </span>0x555555555792<span class="w"> </span>&lt;phase_3+346&gt;
+<span class="w"> </span>0x000055555555578d<span class="w"> </span>&lt;+341&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x18,%rsp
+<span class="w"> </span>0x0000555555555791<span class="w"> </span>&lt;+345&gt;:<span class="w"> </span>ret<span class="w"> </span>
+<span class="w"> </span>0x0000555555555792<span class="w"> </span>&lt;+346&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+</code></pre>
+</div>
+
+<p>Here, the program is comparing the value of our given character to the value stored in <code>%al</code> (lower 8 bits of <code>EAX</code>), and checks if they are not equal.</p>
+
+<p>Knowing that the character is stored at an offset of 7 bytes to <code>%rsp</code>, we can print and check the value by running:</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>x/1cw<span class="w"> </span><span class="nv">$rsp</span>+7
+c
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>print<span class="w"> </span><span class="nv">$al</span>
+<span class="nv">$1</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="m">100</span>
+</code></pre>
+</div>
+
+<p>We can simply lookup the <a rel="noopener" target="_blank" href="https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html">ASCII table</a>, and see that 100 in decimal stands for the character <code>d</code>. Let us try this answer:</p>
+
+<div class="codehilite">
+<pre><span></span><code>...
+That<span class="err">&#39;</span>s<span class="w"> </span>number<span class="w"> </span><span class="m">2</span>.<span class="w"> </span>Keep<span class="w"> </span>going!
+<span class="m">3</span><span class="w"> </span>d<span class="w"> </span><span class="m">640</span>
+
+Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>0x0000555555555638<span class="w"> </span><span class="k">in</span><span class="w"> </span>phase_3<span class="w"> </span><span class="o">()</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span><span class="k">continue</span>
+Continuing.
+Halfway<span class="w"> </span>there!
+</code></pre>
+</div>
+
+<h2>Phase 4</h2>
+
+<div class="codehilite">
+<pre><span></span><code>joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$<span class="w"> </span>gdb<span class="w"> </span>-ex<span class="w"> </span><span class="s1">&#39;break phase_4&#39;</span><span class="w"> </span>-ex<span class="w"> </span><span class="s1">&#39;break explode_bomb&#39;</span><span class="w"> </span>-ex<span class="w"> </span><span class="s1">&#39;run&#39;</span><span class="w"> </span>-args<span class="w"> </span>./bomb<span class="w"> </span>sol.txt<span class="w"> </span>
+GNU<span class="w"> </span>gdb<span class="w"> </span><span class="o">(</span>Ubuntu<span class="w"> </span><span class="m">12</span>.1-0ubuntu1~22.04<span class="o">)</span><span class="w"> </span><span class="m">12</span>.1
+Copyright<span class="w"> </span><span class="o">(</span>C<span class="o">)</span><span class="w"> </span><span class="m">2022</span><span class="w"> </span>Free<span class="w"> </span>Software<span class="w"> </span>Foundation,<span class="w"> </span>Inc.
+License<span class="w"> </span>GPLv3+:<span class="w"> </span>GNU<span class="w"> </span>GPL<span class="w"> </span>version<span class="w"> </span><span class="m">3</span><span class="w"> </span>or<span class="w"> </span>later<span class="w"> </span>&lt;http://gnu.org/licenses/gpl.html&gt;
+This<span class="w"> </span>is<span class="w"> </span>free<span class="w"> </span>software:<span class="w"> </span>you<span class="w"> </span>are<span class="w"> </span>free<span class="w"> </span>to<span class="w"> </span>change<span class="w"> </span>and<span class="w"> </span>redistribute<span class="w"> </span>it.
+There<span class="w"> </span>is<span class="w"> </span>NO<span class="w"> </span>WARRANTY,<span class="w"> </span>to<span class="w"> </span>the<span class="w"> </span>extent<span class="w"> </span>permitted<span class="w"> </span>by<span class="w"> </span>law.
+Type<span class="w"> </span><span class="s2">&quot;show copying&quot;</span><span class="w"> </span>and<span class="w"> </span><span class="s2">&quot;show warranty&quot;</span><span class="w"> </span><span class="k">for</span><span class="w"> </span>details.
+This<span class="w"> </span>GDB<span class="w"> </span>was<span class="w"> </span>configured<span class="w"> </span>as<span class="w"> </span><span class="s2">&quot;x86_64-linux-gnu&quot;</span>.
+Type<span class="w"> </span><span class="s2">&quot;show configuration&quot;</span><span class="w"> </span><span class="k">for</span><span class="w"> </span>configuration<span class="w"> </span>details.
+For<span class="w"> </span>bug<span class="w"> </span>reporting<span class="w"> </span>instructions,<span class="w"> </span>please<span class="w"> </span>see:
+&lt;https://www.gnu.org/software/gdb/bugs/&gt;.
+Find<span class="w"> </span>the<span class="w"> </span>GDB<span class="w"> </span>manual<span class="w"> </span>and<span class="w"> </span>other<span class="w"> </span>documentation<span class="w"> </span>resources<span class="w"> </span>online<span class="w"> </span>at:
+<span class="w"> </span>&lt;http://www.gnu.org/software/gdb/documentation/&gt;.
+
+For<span class="w"> </span>help,<span class="w"> </span><span class="nb">type</span><span class="w"> </span><span class="s2">&quot;help&quot;</span>.
+Type<span class="w"> </span><span class="s2">&quot;apropos word&quot;</span><span class="w"> </span>to<span class="w"> </span>search<span class="w"> </span><span class="k">for</span><span class="w"> </span>commands<span class="w"> </span>related<span class="w"> </span>to<span class="w"> </span><span class="s2">&quot;word&quot;</span>...
+Reading<span class="w"> </span>symbols<span class="w"> </span>from<span class="w"> </span>./bomb...
+Breakpoint<span class="w"> </span><span class="m">1</span><span class="w"> </span>at<span class="w"> </span>0x17d3
+Breakpoint<span class="w"> </span><span class="m">2</span><span class="w"> </span>at<span class="w"> </span>0x1d4a
+Starting<span class="w"> </span>program:<span class="w"> </span>/home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb<span class="w"> </span>sol.txt
+<span class="o">[</span>Thread<span class="w"> </span>debugging<span class="w"> </span>using<span class="w"> </span>libthread_db<span class="w"> </span>enabled<span class="o">]</span>
+Using<span class="w"> </span>host<span class="w"> </span>libthread_db<span class="w"> </span>library<span class="w"> </span><span class="s2">&quot;/lib/x86_64-linux-gnu/libthread_db.so.1&quot;</span>.
+Welcome<span class="w"> </span>to<span class="w"> </span>my<span class="w"> </span>fiendish<span class="w"> </span>little<span class="w"> </span>bomb.<span class="w"> </span>You<span class="w"> </span>have<span class="w"> </span><span class="m">6</span><span class="w"> </span>phases<span class="w"> </span>with
+which<span class="w"> </span>to<span class="w"> </span>blow<span class="w"> </span>yourself<span class="w"> </span>up.<span class="w"> </span>Have<span class="w"> </span>a<span class="w"> </span>nice<span class="w"> </span>day!
+Phase<span class="w"> </span><span class="m">1</span><span class="w"> </span>defused.<span class="w"> </span>How<span class="w"> </span>about<span class="w"> </span>the<span class="w"> </span>next<span class="w"> </span>one?
+That<span class="err">&#39;</span>s<span class="w"> </span>number<span class="w"> </span><span class="m">2</span>.<span class="w"> </span>Keep<span class="w"> </span>going!
+Halfway<span class="w"> </span>there!
+<span class="nb">test</span><span class="w"> </span>string
+
+Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>0x00005555555557d3<span class="w"> </span><span class="k">in</span><span class="w"> </span>phase_4<span class="w"> </span><span class="o">()</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>disas<span class="w"> </span>phase_4
+Dump<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>code<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">function</span><span class="w"> </span>phase_4:
+<span class="o">=</span>&gt;<span class="w"> </span>0x00005555555557d3<span class="w"> </span>&lt;+0&gt;:<span class="w"> </span>endbr64<span class="w"> </span>
+<span class="w"> </span>0x00005555555557d7<span class="w"> </span>&lt;+4&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x18,%rsp
+<span class="w"> </span>0x00005555555557db<span class="w"> </span>&lt;+8&gt;:<span class="w"> </span>lea<span class="w"> </span>0x8<span class="o">(</span>%rsp<span class="o">)</span>,%rcx
+<span class="w"> </span>0x00005555555557e0<span class="w"> </span>&lt;+13&gt;:<span class="w"> </span>lea<span class="w"> </span>0xc<span class="o">(</span>%rsp<span class="o">)</span>,%rdx
+<span class="w"> </span>0x00005555555557e5<span class="w"> </span>&lt;+18&gt;:<span class="w"> </span>lea<span class="w"> </span>0x1bba<span class="o">(</span>%rip<span class="o">)</span>,%rsi<span class="w"> </span><span class="c1"># 0x5555555573a6</span>
+<span class="w"> </span>0x00005555555557ec<span class="w"> </span>&lt;+25&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x0,%eax
+<span class="w"> </span>0x00005555555557f1<span class="w"> </span>&lt;+30&gt;:<span class="w"> </span>call<span class="w"> </span>0x5555555552e0<span class="w"> </span>&lt;__isoc99_sscanf@plt&gt;
+<span class="w"> </span>0x00005555555557f6<span class="w"> </span>&lt;+35&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x2,%eax
+<span class="w"> </span>0x00005555555557f9<span class="w"> </span>&lt;+38&gt;:<span class="w"> </span>jne<span class="w"> </span>0x555555555802<span class="w"> </span>&lt;phase_4+47&gt;
+<span class="w"> </span>0x00005555555557fb<span class="w"> </span>&lt;+40&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>xe,0xc<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555800<span class="w"> </span>&lt;+45&gt;:<span class="w"> </span>jbe<span class="w"> </span>0x555555555807<span class="w"> </span>&lt;phase_4+52&gt;
+<span class="w"> </span>0x0000555555555802<span class="w"> </span>&lt;+47&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x0000555555555807<span class="w"> </span>&lt;+52&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>xe,%edx
+<span class="w"> </span>0x000055555555580c<span class="w"> </span>&lt;+57&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x0,%esi
+<span class="w"> </span>0x0000555555555811<span class="w"> </span>&lt;+62&gt;:<span class="w"> </span>mov<span class="w"> </span>0xc<span class="o">(</span>%rsp<span class="o">)</span>,%edi
+<span class="w"> </span>0x0000555555555815<span class="w"> </span>&lt;+66&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555799<span class="w"> </span>&lt;func4&gt;
+<span class="w"> </span>0x000055555555581a<span class="w"> </span>&lt;+71&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x2,%eax
+<span class="w"> </span>0x000055555555581d<span class="w"> </span>&lt;+74&gt;:<span class="w"> </span>jne<span class="w"> </span>0x555555555826<span class="w"> </span>&lt;phase_4+83&gt;
+<span class="w"> </span>0x000055555555581f<span class="w"> </span>&lt;+76&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x2,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555824<span class="w"> </span>&lt;+81&gt;:<span class="w"> </span>je<span class="w"> </span>0x55555555582b<span class="w"> </span>&lt;phase_4+88&gt;
+<span class="w"> </span>0x0000555555555826<span class="w"> </span>&lt;+83&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x000055555555582b<span class="w"> </span>&lt;+88&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x18,%rsp
+<span class="w"> </span>0x000055555555582f<span class="w"> </span>&lt;+92&gt;:<span class="w"> </span>ret<span class="w"> </span>
+End<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>dump.
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>
+</code></pre>
+</div>
+
+<p>Again, <code>gdb</code> has marked the string being passed to <code>scanf</code></p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>x/1s<span class="w"> </span>0x5555555573a6
+0x5555555573a6:<span class="w"> </span><span class="s2">&quot;%d %d&quot;</span>
+</code></pre>
+</div>
+
+<p>Okay, so this time we are supposed to enter 2 numbers.</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x00005555555557f6<span class="w"> </span>&lt;+35&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x2,%eax
+<span class="w"> </span>0x00005555555557f9<span class="w"> </span>&lt;+38&gt;:<span class="w"> </span>jne<span class="w"> </span>0x555555555802<span class="w"> </span>&lt;phase_4+47&gt;
+</code></pre>
+</div>
+
+<p>Checks if there were 2 values read from calling <code>scanf</code>, if not -> jump to <code>&lt;phase_4+47&gt;</code> which calls <code>&lt;explode_bomb&gt;</code>.</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x00005555555557fb<span class="w"> </span>&lt;+40&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>xe,0xc<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555800<span class="w"> </span>&lt;+45&gt;:<span class="w"> </span>jbe<span class="w"> </span>0x555555555807<span class="w"> </span>&lt;phase_4+52&gt;
+</code></pre>
+</div>
+
+<p>Compare <code>0xe</code> (14 in Decimal) and value stored at <code>$rsp</code> + <code>0xc</code> bytes (Decimal 12). If this condition is met (&lt;= 14), jump to <code>&lt;phase_4+52&gt;</code>. If not, then explode bomb.</p>
+
+<div class="codehilite">
+<pre><span></span><code>...
+<span class="w"> </span>0x0000555555555807<span class="w"> </span>&lt;+52&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>xe,%edx
+<span class="w"> </span>0x000055555555580c<span class="w"> </span>&lt;+57&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x0,%esi
+<span class="w"> </span>0x0000555555555811<span class="w"> </span>&lt;+62&gt;:<span class="w"> </span>mov<span class="w"> </span>0xc<span class="o">(</span>%rsp<span class="o">)</span>,%edi
+<span class="w"> </span>0x0000555555555815<span class="w"> </span>&lt;+66&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555799<span class="w"> </span>&lt;func4&gt;
+<span class="w"> </span>0x000055555555581a<span class="w"> </span>&lt;+71&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x2,%eax
+<span class="w"> </span>0x000055555555581d<span class="w"> </span>&lt;+74&gt;:<span class="w"> </span>jne<span class="w"> </span>0x555555555826<span class="w"> </span>&lt;phase_4+83&gt;
+<span class="w"> </span>0x000055555555581f<span class="w"> </span>&lt;+76&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x2,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555824<span class="w"> </span>&lt;+81&gt;:<span class="w"> </span>je<span class="w"> </span>0x55555555582b<span class="w"> </span>&lt;phase_4+88&gt;
+<span class="w"> </span>0x0000555555555826<span class="w"> </span>&lt;+83&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+</code></pre>
+</div>
+
+<ul>
+<li><code>0x0000555555555815 &lt;+66&gt;: call 0x555555555799 &lt;func4&gt;</code> calls another function called <code>func4</code></li>
+<li>The returned value is compared with <code>0x2</code>, if they are not equal then the program jumps to call <code>&lt;explode_bomb&gt;</code>. This tells us that <code>func4</code> should return 2.</li>
+</ul>
+
+<p>Let us look into <code>func4</code></p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>disas<span class="w"> </span>func4
+Dump<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>code<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">function</span><span class="w"> </span>func4:
+<span class="w"> </span>0x0000555555555799<span class="w"> </span>&lt;+0&gt;:<span class="w"> </span>endbr64<span class="w"> </span>
+<span class="w"> </span>0x000055555555579d<span class="w"> </span>&lt;+4&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x8,%rsp
+<span class="w"> </span>0x00005555555557a1<span class="w"> </span>&lt;+8&gt;:<span class="w"> </span>mov<span class="w"> </span>%edx,%ecx
+<span class="w"> </span>0x00005555555557a3<span class="w"> </span>&lt;+10&gt;:<span class="w"> </span>sub<span class="w"> </span>%esi,%ecx
+<span class="w"> </span>0x00005555555557a5<span class="w"> </span>&lt;+12&gt;:<span class="w"> </span>shr<span class="w"> </span>%ecx
+<span class="w"> </span>0x00005555555557a7<span class="w"> </span>&lt;+14&gt;:<span class="w"> </span>add<span class="w"> </span>%esi,%ecx
+<span class="w"> </span>0x00005555555557a9<span class="w"> </span>&lt;+16&gt;:<span class="w"> </span>cmp<span class="w"> </span>%edi,%ecx
+<span class="w"> </span>0x00005555555557ab<span class="w"> </span>&lt;+18&gt;:<span class="w"> </span>ja<span class="w"> </span>0x5555555557b9<span class="w"> </span>&lt;func4+32&gt;
+<span class="w"> </span>0x00005555555557ad<span class="w"> </span>&lt;+20&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x0,%eax
+<span class="w"> </span>0x00005555555557b2<span class="w"> </span>&lt;+25&gt;:<span class="w"> </span>jb<span class="w"> </span>0x5555555557c5<span class="w"> </span>&lt;func4+44&gt;
+<span class="w"> </span>0x00005555555557b4<span class="w"> </span>&lt;+27&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x8,%rsp
+<span class="w"> </span>0x00005555555557b8<span class="w"> </span>&lt;+31&gt;:<span class="w"> </span>ret<span class="w"> </span>
+<span class="w"> </span>0x00005555555557b9<span class="w"> </span>&lt;+32&gt;:<span class="w"> </span>lea<span class="w"> </span>-0x1<span class="o">(</span>%rcx<span class="o">)</span>,%edx
+<span class="w"> </span>0x00005555555557bc<span class="w"> </span>&lt;+35&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555799<span class="w"> </span>&lt;func4&gt;
+<span class="w"> </span>0x00005555555557c1<span class="w"> </span>&lt;+40&gt;:<span class="w"> </span>add<span class="w"> </span>%eax,%eax
+<span class="w"> </span>0x00005555555557c3<span class="w"> </span>&lt;+42&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x5555555557b4<span class="w"> </span>&lt;func4+27&gt;
+<span class="w"> </span>0x00005555555557c5<span class="w"> </span>&lt;+44&gt;:<span class="w"> </span>lea<span class="w"> </span>0x1<span class="o">(</span>%rcx<span class="o">)</span>,%esi
+<span class="w"> </span>0x00005555555557c8<span class="w"> </span>&lt;+47&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555799<span class="w"> </span>&lt;func4&gt;
+<span class="w"> </span>0x00005555555557cd<span class="w"> </span>&lt;+52&gt;:<span class="w"> </span>lea<span class="w"> </span>0x1<span class="o">(</span>%rax,%rax,1<span class="o">)</span>,%eax
+<span class="w"> </span>0x00005555555557d1<span class="w"> </span>&lt;+56&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x5555555557b4<span class="w"> </span>&lt;func4+27&gt;
+</code></pre>
+</div>
+
+<p>This looks like a recursive function :( (I hate recursive functions)</p>
+
+<p>Let's annotate the instructions.</p>
+
+<div class="codehilite">
+<pre><span></span><code>endbr64
+sub<span class="w"> </span><span class="nv">$0</span>x8,%rsp<span class="w"> </span>//<span class="w"> </span>subtract<span class="w"> </span><span class="m">8</span><span class="w"> </span>bytes<span class="w"> </span>from<span class="w"> </span>the<span class="w"> </span>stack<span class="w"> </span>pointer
+mov<span class="w"> </span>%edx,%ecx<span class="w"> </span>//<span class="w"> </span>Move<span class="w"> </span>the<span class="w"> </span>value<span class="w"> </span><span class="k">in</span><span class="w"> </span>register<span class="w"> </span>%edx<span class="w"> </span>to<span class="w"> </span>%ecx
+sub<span class="w"> </span>%esi,%ecx<span class="w"> </span>//<span class="w"> </span>Subtract<span class="w"> </span>the<span class="w"> </span>value<span class="w"> </span><span class="k">in</span><span class="w"> </span>%esi<span class="w"> </span>from<span class="w"> </span>%ecx
+shr<span class="w"> </span>%ecx<span class="w"> </span>//<span class="w"> </span>Right<span class="w"> </span><span class="nb">shift</span><span class="w"> </span>the<span class="w"> </span>value<span class="w"> </span><span class="k">in</span><span class="w"> </span>%ecx<span class="w"> </span>by<span class="w"> </span>one<span class="w"> </span>bit<span class="w"> </span><span class="o">(</span>dividing<span class="w"> </span>the<span class="w"> </span>value<span class="w"> </span>by<span class="w"> </span><span class="m">2</span><span class="o">)</span>
+add<span class="w"> </span>%esi,%ecx<span class="w"> </span>//<span class="w"> </span>Add<span class="w"> </span>the<span class="w"> </span>value<span class="w"> </span><span class="k">in</span><span class="w"> </span>%esi<span class="w"> </span>to<span class="w"> </span>%ecx
+cmp<span class="w"> </span>%edi,%ecx<span class="w"> </span>//<span class="w"> </span>Compare
+ja<span class="w"> </span>0x5555555557b9<span class="w"> </span>&lt;func4+32&gt;<span class="w"> </span>//<span class="w"> </span>If<span class="w"> </span>%ecx<span class="w"> </span>&gt;<span class="w"> </span>%edi<span class="w"> </span>-&gt;<span class="w"> </span>jump<span class="w"> </span>to<span class="w"> </span>instruction<span class="w"> </span>at<span class="w"> </span>offset<span class="w"> </span>+32
+mov<span class="w"> </span><span class="nv">$0</span>x0,%eax<span class="w"> </span>//<span class="w"> </span>Move<span class="w"> </span><span class="m">0</span><span class="w"> </span>to<span class="w"> </span>%eax
+jb<span class="w"> </span>0x5555555557c5<span class="w"> </span>&lt;func4+44&gt;<span class="w"> </span>//<span class="w"> </span>If<span class="w"> </span>%ecx<span class="w"> </span>&lt;<span class="w"> </span>%edi<span class="w"> </span>-&gt;<span class="w"> </span>jump<span class="w"> </span>to<span class="w"> </span>instruction<span class="w"> </span>at<span class="w"> </span>offset<span class="w"> </span>+44.
+add<span class="w"> </span><span class="nv">$0</span>x8,%rsp<span class="w"> </span>//<span class="w"> </span>add<span class="w"> </span><span class="m">8</span><span class="w"> </span>bytes<span class="w"> </span>to<span class="w"> </span>the<span class="w"> </span>stack<span class="w"> </span>pointer
+ret<span class="w"> </span>//<span class="w"> </span><span class="k">return</span>
+lea<span class="w"> </span>-0x1<span class="o">(</span>%rcx<span class="o">)</span>,%edx<span class="w"> </span>//<span class="w"> </span>LEA<span class="w"> </span>of<span class="w"> </span><span class="nv">$rxc</span><span class="w"> </span>-<span class="w"> </span><span class="m">1</span><span class="w"> </span>into<span class="w"> </span><span class="nv">$edx</span>
+call<span class="w"> </span>0x555555555799<span class="w"> </span>&lt;func4&gt;<span class="w"> </span>//<span class="w"> </span>Call<span class="w"> </span>itself
+add<span class="w"> </span>%eax,%eax<span class="w"> </span>//<span class="w"> </span>Double<span class="w"> </span>the<span class="w"> </span>value<span class="w"> </span><span class="k">in</span><span class="w"> </span>%eax
+jmp<span class="w"> </span>0x5555555557b4<span class="w"> </span>&lt;func4+27&gt;<span class="w"> </span>//<span class="w"> </span>jump<span class="w"> </span>to<span class="w"> </span>the<span class="w"> </span>instruction<span class="w"> </span>at<span class="w"> </span>offset<span class="w"> </span>+27
+lea<span class="w"> </span>0x1<span class="o">(</span>%rcx<span class="o">)</span>,%esi
+call<span class="w"> </span>0x555555555799<span class="w"> </span>&lt;func4&gt;
+lea<span class="w"> </span>0x1<span class="o">(</span>%rax,%rax,1<span class="o">)</span>,%eax<span class="w"> </span>//<span class="w"> </span>LEA<span class="w"> </span>of<span class="w"> </span>%rax<span class="w"> </span>*<span class="w"> </span><span class="m">2</span><span class="w"> </span>+<span class="w"> </span><span class="m">1</span><span class="w"> </span>into<span class="w"> </span><span class="nv">$eax</span><span class="w"> </span>
+jmp<span class="w"> </span>0x5555555557b4<span class="w"> </span>&lt;func4+27&gt;
+</code></pre>
+</div>
+
+<p>We can either try to compute the values by hand, or write a simple script in Python to get the answer.</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="k">def</span> <span class="nf">func4</span><span class="p">(</span><span class="n">edi</span><span class="p">,</span> <span class="n">esi</span><span class="o">=</span><span class="mi">0</span><span class="p">,</span> <span class="n">edx</span><span class="o">=</span><span class="mi">20</span><span class="p">):</span>
+ <span class="n">ecx</span> <span class="o">=</span> <span class="p">(</span><span class="n">edx</span> <span class="o">-</span> <span class="n">esi</span><span class="p">)</span> <span class="o">//</span> <span class="mi">2</span> <span class="o">+</span> <span class="n">esi</span>
+ <span class="k">if</span> <span class="n">ecx</span> <span class="o">&gt;</span> <span class="n">edi</span><span class="p">:</span>
+ <span class="k">return</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">func4</span><span class="p">(</span><span class="n">edi</span><span class="p">,</span> <span class="n">esi</span><span class="p">,</span> <span class="n">ecx</span> <span class="o">-</span> <span class="mi">1</span><span class="p">)</span>
+ <span class="k">elif</span> <span class="n">ecx</span> <span class="o">&lt;</span> <span class="n">edi</span><span class="p">:</span>
+ <span class="k">return</span> <span class="mi">2</span> <span class="o">*</span> <span class="n">func4</span><span class="p">(</span><span class="n">edi</span><span class="p">,</span> <span class="n">ecx</span> <span class="o">+</span> <span class="mi">1</span><span class="p">,</span> <span class="n">edx</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span>
+ <span class="k">else</span><span class="p">:</span>
+ <span class="k">return</span> <span class="mi">0</span>
+
+<span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="nb">range</span><span class="p">(</span><span class="mi">15</span><span class="p">):</span> <span class="c1"># We can limit to 14</span>
+ <span class="k">if</span> <span class="n">func4</span><span class="p">(</span><span class="n">x</span><span class="p">)</span> <span class="o">==</span> <span class="mi">2</span><span class="p">:</span>
+ <span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&quot;answer is </span><span class="si">{</span><span class="n">x</span><span class="si">}</span><span class="s2">&quot;</span><span class="p">)</span>
+ <span class="k">break</span>
+</code></pre>
+</div>
+
+<p>Running this code, we get: <code>answer is 5</code></p>
+
+<p>Okay, so we know that the number needed to be passed to <code>func4</code> is 5. But, what about the second digit?</p>
+
+<p>If we go back to the code for <code>&lt;phase_4&gt;</code>, we can see that:</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x000055555555581f<span class="w"> </span>&lt;+76&gt;:<span class="w"> </span>cmpl<span class="w"> </span><span class="nv">$0</span>x2,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555824<span class="w"> </span>&lt;+81&gt;:<span class="w"> </span>je<span class="w"> </span>0x55555555582b<span class="w"> </span>&lt;phase_4+88&gt;
+</code></pre>
+</div>
+
+<p>The value at <code>$rsp+8</code> should be equal to 2. So, let us try passing <code>5 2</code> as our input.</p>
+
+<div class="codehilite">
+<pre><span></span><code>...
+Phase<span class="w"> </span><span class="m">1</span><span class="w"> </span>defused.<span class="w"> </span>How<span class="w"> </span>about<span class="w"> </span>the<span class="w"> </span>next<span class="w"> </span>one?
+That<span class="err">&#39;</span>s<span class="w"> </span>number<span class="w"> </span><span class="m">2</span>.<span class="w"> </span>Keep<span class="w"> </span>going!
+Halfway<span class="w"> </span>there!
+<span class="m">5</span><span class="w"> </span><span class="m">2</span>
+
+Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>0x00005555555557d3<span class="w"> </span><span class="k">in</span><span class="w"> </span>phase_4<span class="w"> </span><span class="o">()</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span><span class="k">continue</span>
+Continuing.
+So<span class="w"> </span>you<span class="w"> </span>got<span class="w"> </span>that<span class="w"> </span>one.<span class="w"> </span>Try<span class="w"> </span>this<span class="w"> </span>one.
+</code></pre>
+</div>
+
+<h2>Phase 5</h2>
+
+<div class="codehilite">
+<pre><span></span><code>So<span class="w"> </span>you<span class="w"> </span>got<span class="w"> </span>that<span class="w"> </span>one.<span class="w"> </span>Try<span class="w"> </span>this<span class="w"> </span>one.
+<span class="nb">test</span><span class="w"> </span>string
+
+Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>0x0000555555555830<span class="w"> </span><span class="k">in</span><span class="w"> </span>phase_5<span class="w"> </span><span class="o">()</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>disas<span class="w"> </span>phase_5
+Dump<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>code<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">function</span><span class="w"> </span>phase_5:
+<span class="o">=</span>&gt;<span class="w"> </span>0x0000555555555830<span class="w"> </span>&lt;+0&gt;:<span class="w"> </span>endbr64<span class="w"> </span>
+<span class="w"> </span>0x0000555555555834<span class="w"> </span>&lt;+4&gt;:<span class="w"> </span>push<span class="w"> </span>%rbx
+<span class="w"> </span>0x0000555555555835<span class="w"> </span>&lt;+5&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x10,%rsp
+<span class="w"> </span>0x0000555555555839<span class="w"> </span>&lt;+9&gt;:<span class="w"> </span>mov<span class="w"> </span>%rdi,%rbx
+<span class="w"> </span>0x000055555555583c<span class="w"> </span>&lt;+12&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555b10<span class="w"> </span>&lt;string_length&gt;
+<span class="w"> </span>0x0000555555555841<span class="w"> </span>&lt;+17&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x6,%eax
+<span class="w"> </span>0x0000555555555844<span class="w"> </span>&lt;+20&gt;:<span class="w"> </span>jne<span class="w"> </span>0x55555555588b<span class="w"> </span>&lt;phase_5+91&gt;
+<span class="w"> </span>0x0000555555555846<span class="w"> </span>&lt;+22&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x0,%eax
+<span class="w"> </span>0x000055555555584b<span class="w"> </span>&lt;+27&gt;:<span class="w"> </span>lea<span class="w"> </span>0x199e<span class="o">(</span>%rip<span class="o">)</span>,%rcx<span class="w"> </span><span class="c1"># 0x5555555571f0 &lt;array.0&gt;</span>
+<span class="w"> </span>0x0000555555555852<span class="w"> </span>&lt;+34&gt;:<span class="w"> </span>movzbl<span class="w"> </span><span class="o">(</span>%rbx,%rax,1<span class="o">)</span>,%edx
+<span class="w"> </span>0x0000555555555856<span class="w"> </span>&lt;+38&gt;:<span class="w"> </span>and<span class="w"> </span><span class="nv">$0</span>xf,%edx
+<span class="w"> </span>0x0000555555555859<span class="w"> </span>&lt;+41&gt;:<span class="w"> </span>movzbl<span class="w"> </span><span class="o">(</span>%rcx,%rdx,1<span class="o">)</span>,%edx
+<span class="w"> </span>0x000055555555585d<span class="w"> </span>&lt;+45&gt;:<span class="w"> </span>mov<span class="w"> </span>%dl,0x9<span class="o">(</span>%rsp,%rax,1<span class="o">)</span>
+<span class="w"> </span>0x0000555555555861<span class="w"> </span>&lt;+49&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x1,%rax
+<span class="w"> </span>0x0000555555555865<span class="w"> </span>&lt;+53&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x6,%rax
+<span class="w"> </span>0x0000555555555869<span class="w"> </span>&lt;+57&gt;:<span class="w"> </span>jne<span class="w"> </span>0x555555555852<span class="w"> </span>&lt;phase_5+34&gt;
+<span class="w"> </span>0x000055555555586b<span class="w"> </span>&lt;+59&gt;:<span class="w"> </span>movb<span class="w"> </span><span class="nv">$0</span>x0,0xf<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x0000555555555870<span class="w"> </span>&lt;+64&gt;:<span class="w"> </span>lea<span class="w"> </span>0x9<span class="o">(</span>%rsp<span class="o">)</span>,%rdi
+<span class="w"> </span>0x0000555555555875<span class="w"> </span>&lt;+69&gt;:<span class="w"> </span>lea<span class="w"> </span>0x1943<span class="o">(</span>%rip<span class="o">)</span>,%rsi<span class="w"> </span><span class="c1"># 0x5555555571bf</span>
+<span class="w"> </span>0x000055555555587c<span class="w"> </span>&lt;+76&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555b31<span class="w"> </span>&lt;strings_not_equal&gt;
+<span class="w"> </span>0x0000555555555881<span class="w"> </span>&lt;+81&gt;:<span class="w"> </span><span class="nb">test</span><span class="w"> </span>%eax,%eax
+<span class="w"> </span>0x0000555555555883<span class="w"> </span>&lt;+83&gt;:<span class="w"> </span>jne<span class="w"> </span>0x555555555892<span class="w"> </span>&lt;phase_5+98&gt;
+<span class="w"> </span>0x0000555555555885<span class="w"> </span>&lt;+85&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x10,%rsp
+<span class="w"> </span>0x0000555555555889<span class="w"> </span>&lt;+89&gt;:<span class="w"> </span>pop<span class="w"> </span>%rbx
+<span class="w"> </span>0x000055555555588a<span class="w"> </span>&lt;+90&gt;:<span class="w"> </span>ret<span class="w"> </span>
+<span class="w"> </span>0x000055555555588b<span class="w"> </span>&lt;+91&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x0000555555555890<span class="w"> </span>&lt;+96&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x555555555846<span class="w"> </span>&lt;phase_5+22&gt;
+<span class="w"> </span>0x0000555555555892<span class="w"> </span>&lt;+98&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x0000555555555897<span class="w"> </span>&lt;+103&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x555555555885<span class="w"> </span>&lt;phase_5+85&gt;
+End<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>dump.
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>
+</code></pre>
+</div>
+
+<div class="codehilite">
+<pre><span></span><code>...
+<span class="w"> </span>0x000055555555583c<span class="w"> </span>&lt;+12&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555b10<span class="w"> </span>&lt;string_length&gt;
+<span class="w"> </span>0x0000555555555841<span class="w"> </span>&lt;+17&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x6,%eax
+<span class="w"> </span>0x0000555555555844<span class="w"> </span>&lt;+20&gt;:<span class="w"> </span>jne<span class="w"> </span>0x55555555588b<span class="w"> </span>&lt;phase_5+91&gt;
+...
+<span class="w"> </span>0x000055555555588b<span class="w"> </span>&lt;+91&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+...
+</code></pre>
+</div>
+
+<p>First things first, these instructions check to make sure the passed string is of length 6, otherwise <code>explode_bomb</code> is called.</p>
+
+<p>We can also see a similar pattern compared to Phase 2, where we had a loop:</p>
+
+<ul>
+<li>The looping part:
+<ul>
+<li><code>mov $0x0,%eax</code> - Initialise <code>%eax</code> and set it to 0 (our counter/iterator)</li>
+<li><code>movzbl (%rbx,%rax,1),%edx</code> - Access <code>%rbx + 1 * %rax</code> and store it in <code>%edx</code></li>
+<li><code>and $0xf,%edx</code> - Take the least significant 4 bits of the byte.</li>
+<li><code>movzbl (%rcx,%rdx,1),%edx</code> - Use the 4 bits as an index into another array and load the corresponding byte into <code>%edx</code></li>
+<li><code>mov %dl,0x9(%rsp,%rax,1)</code> - Store the transformed byte into a buffer on the stack</li>
+<li><code>add $0x1,%rax</code> - Increment <code>%rax</code></li>
+<li><code>cmp $0x6,%rax</code> - If the index is not yet 6, loop again</li>
+</ul></li>
+<li><code>movb $0x0,0xf(%rsp)</code> - Null-terminate the transformed string</li>
+<li><code>lea 0x9(%rsp),%rdi</code> and <code>lea 0x1943(%rip),%rsi</code> </li>
+<li><code>all 0x555555555b31 &lt;strings_not_equal&gt;</code> check if the two strings loaded up just before this are equal or not.</li>
+</ul>
+
+<p>We can check the reference string we need, which <code>gdb</code> has marked as <code># 0x5555555571bf</code>, and the lookup table marked as <code># 0x5555555571f0 &lt;array.0&gt;</code></p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>x/s<span class="w"> </span>0x5555555571bf
+0x5555555571bf:<span class="w"> </span><span class="s2">&quot;bruins&quot;</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>x/s<span class="w"> </span>0x5555555571f0
+0x5555555571f0<span class="w"> </span>&lt;array.0&gt;:<span class="w"> </span><span class="s2">&quot;maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?&quot;</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>
+</code></pre>
+</div>
+
+<p>To summarize the transformation process:</p>
+
+<ul>
+<li>The function takes each byte of the string</li>
+<li>It keeps only the least significant 4 bits of each byte</li>
+<li>It uses these 4 bits as an index into the lookup table (<code>array.0</code>)</li>
+<li>The value from the array is then stored in a buffer</li>
+</ul>
+
+<p>Here's how the transformation process can be reversed for each character in "bruins":
+1. Find the index of <code>b</code> in the lookup table (in our case, it is 13 since we index starting 0)
+2. Calculate binary representation of this index (in our case 13 can be written as 1101 in binary)
+3. Find ASCII character whose least significant 4 bits match (in our case, <code>m</code> has binary representation <code>01101101</code>)</p>
+
+<p>Repeat for all 6 characters</p>
+
+<p><em>Hint: Using an <a rel="noopener" target="_blank" href="http://sticksandstones.kstrom.com/appen.html">ASCII - Binary Table</a> can save you time.</em> </p>
+
+<p>Thus, we can have the following transformation:</p>
+
+<pre><code>b -&gt; m
+r -&gt; f
+u -&gt; c
+i -&gt; d
+n -&gt; h
+s -&gt; g
+</code></pre>
+
+<p>Let us try out this answer:</p>
+
+<div class="codehilite">
+<pre><span></span><code>...
+That<span class="err">&#39;</span>s<span class="w"> </span>number<span class="w"> </span><span class="m">2</span>.<span class="w"> </span>Keep<span class="w"> </span>going!
+Halfway<span class="w"> </span>there!
+So<span class="w"> </span>you<span class="w"> </span>got<span class="w"> </span>that<span class="w"> </span>one.<span class="w"> </span>Try<span class="w"> </span>this<span class="w"> </span>one.
+mfcdhg
+
+Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>0x0000555555555830<span class="w"> </span><span class="k">in</span><span class="w"> </span>phase_5<span class="w"> </span><span class="o">()</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span><span class="k">continue</span>
+Continuing.
+Good<span class="w"> </span>work!<span class="w"> </span>On<span class="w"> </span>to<span class="w"> </span>the<span class="w"> </span>next...
+</code></pre>
+</div>
+
+<p>Awesome!</p>
+
+<h2>Phase 6</h2>
+
+<div class="codehilite">
+<pre><span></span><code>Good<span class="w"> </span>work!<span class="w"> </span>On<span class="w"> </span>to<span class="w"> </span>the<span class="w"> </span>next...
+<span class="nb">test</span><span class="w"> </span>string
+
+Breakpoint<span class="w"> </span><span class="m">1</span>,<span class="w"> </span>0x0000555555555899<span class="w"> </span><span class="k">in</span><span class="w"> </span>phase_6<span class="w"> </span><span class="o">()</span>
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>disas<span class="w"> </span>phase_6
+Dump<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>code<span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="k">function</span><span class="w"> </span>phase_6:
+<span class="o">=</span>&gt;<span class="w"> </span>0x0000555555555899<span class="w"> </span>&lt;+0&gt;:<span class="w"> </span>endbr64<span class="w"> </span>
+<span class="w"> </span>0x000055555555589d<span class="w"> </span>&lt;+4&gt;:<span class="w"> </span>push<span class="w"> </span>%r15
+<span class="w"> </span>0x000055555555589f<span class="w"> </span>&lt;+6&gt;:<span class="w"> </span>push<span class="w"> </span>%r14
+<span class="w"> </span>0x00005555555558a1<span class="w"> </span>&lt;+8&gt;:<span class="w"> </span>push<span class="w"> </span>%r13
+<span class="w"> </span>0x00005555555558a3<span class="w"> </span>&lt;+10&gt;:<span class="w"> </span>push<span class="w"> </span>%r12
+<span class="w"> </span>0x00005555555558a5<span class="w"> </span>&lt;+12&gt;:<span class="w"> </span>push<span class="w"> </span>%rbp
+<span class="w"> </span>0x00005555555558a6<span class="w"> </span>&lt;+13&gt;:<span class="w"> </span>push<span class="w"> </span>%rbx
+<span class="w"> </span>0x00005555555558a7<span class="w"> </span>&lt;+14&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x68,%rsp
+<span class="w"> </span>0x00005555555558ab<span class="w"> </span>&lt;+18&gt;:<span class="w"> </span>lea<span class="w"> </span>0x40<span class="o">(</span>%rsp<span class="o">)</span>,%rax
+<span class="w"> </span>0x00005555555558b0<span class="w"> </span>&lt;+23&gt;:<span class="w"> </span>mov<span class="w"> </span>%rax,%r14
+<span class="w"> </span>0x00005555555558b3<span class="w"> </span>&lt;+26&gt;:<span class="w"> </span>mov<span class="w"> </span>%rax,0x8<span class="o">(</span>%rsp<span class="o">)</span>
+<span class="w"> </span>0x00005555555558b8<span class="w"> </span>&lt;+31&gt;:<span class="w"> </span>mov<span class="w"> </span>%rax,%rsi
+<span class="w"> </span>0x00005555555558bb<span class="w"> </span>&lt;+34&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d97<span class="w"> </span>&lt;read_six_numbers&gt;
+<span class="w"> </span>0x00005555555558c0<span class="w"> </span>&lt;+39&gt;:<span class="w"> </span>mov<span class="w"> </span>%r14,%r12
+<span class="w"> </span>0x00005555555558c3<span class="w"> </span>&lt;+42&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x1,%r15d
+<span class="w"> </span>0x00005555555558c9<span class="w"> </span>&lt;+48&gt;:<span class="w"> </span>mov<span class="w"> </span>%r14,%r13
+<span class="w"> </span>0x00005555555558cc<span class="w"> </span>&lt;+51&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x555555555997<span class="w"> </span>&lt;phase_6+254&gt;
+<span class="w"> </span>0x00005555555558d1<span class="w"> </span>&lt;+56&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x00005555555558d6<span class="w"> </span>&lt;+61&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x5555555559a9<span class="w"> </span>&lt;phase_6+272&gt;
+<span class="w"> </span>0x00005555555558db<span class="w"> </span>&lt;+66&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x1,%rbx
+<span class="w"> </span>0x00005555555558df<span class="w"> </span>&lt;+70&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x5,%ebx
+<span class="w"> </span>0x00005555555558e2<span class="w"> </span>&lt;+73&gt;:<span class="w"> </span>jg<span class="w"> </span>0x55555555598f<span class="w"> </span>&lt;phase_6+246&gt;
+<span class="w"> </span>0x00005555555558e8<span class="w"> </span>&lt;+79&gt;:<span class="w"> </span>mov<span class="w"> </span>0x0<span class="o">(</span>%r13,%rbx,4<span class="o">)</span>,%eax
+<span class="w"> </span>0x00005555555558ed<span class="w"> </span>&lt;+84&gt;:<span class="w"> </span>cmp<span class="w"> </span>%eax,0x0<span class="o">(</span>%rbp<span class="o">)</span>
+<span class="w"> </span>0x00005555555558f0<span class="w"> </span>&lt;+87&gt;:<span class="w"> </span>jne<span class="w"> </span>0x5555555558db<span class="w"> </span>&lt;phase_6+66&gt;
+<span class="w"> </span>0x00005555555558f2<span class="w"> </span>&lt;+89&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x00005555555558f7<span class="w"> </span>&lt;+94&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x5555555558db<span class="w"> </span>&lt;phase_6+66&gt;
+<span class="w"> </span>0x00005555555558f9<span class="w"> </span>&lt;+96&gt;:<span class="w"> </span>mov<span class="w"> </span>0x8<span class="o">(</span>%rsp<span class="o">)</span>,%rdx
+<span class="w"> </span>0x00005555555558fe<span class="w"> </span>&lt;+101&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x18,%rdx
+<span class="w"> </span>0x0000555555555902<span class="w"> </span>&lt;+105&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x7,%ecx
+<span class="w"> </span>0x0000555555555907<span class="w"> </span>&lt;+110&gt;:<span class="w"> </span>mov<span class="w"> </span>%ecx,%eax
+<span class="w"> </span>0x0000555555555909<span class="w"> </span>&lt;+112&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="o">(</span>%r12<span class="o">)</span>,%eax
+<span class="w"> </span>0x000055555555590d<span class="w"> </span>&lt;+116&gt;:<span class="w"> </span>mov<span class="w"> </span>%eax,<span class="o">(</span>%r12<span class="o">)</span>
+<span class="w"> </span>0x0000555555555911<span class="w"> </span>&lt;+120&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x4,%r12
+<span class="w"> </span>0x0000555555555915<span class="w"> </span>&lt;+124&gt;:<span class="w"> </span>cmp<span class="w"> </span>%r12,%rdx
+<span class="w"> </span>0x0000555555555918<span class="w"> </span>&lt;+127&gt;:<span class="w"> </span>jne<span class="w"> </span>0x555555555907<span class="w"> </span>&lt;phase_6+110&gt;
+<span class="w"> </span>0x000055555555591a<span class="w"> </span>&lt;+129&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x0,%esi
+<span class="w"> </span>0x000055555555591f<span class="w"> </span>&lt;+134&gt;:<span class="w"> </span>mov<span class="w"> </span>0x40<span class="o">(</span>%rsp,%rsi,4<span class="o">)</span>,%ecx
+<span class="w"> </span>0x0000555555555923<span class="w"> </span>&lt;+138&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x1,%eax
+<span class="w"> </span>0x0000555555555928<span class="w"> </span>&lt;+143&gt;:<span class="w"> </span>lea<span class="w"> </span>0x3d01<span class="o">(</span>%rip<span class="o">)</span>,%rdx<span class="w"> </span><span class="c1"># 0x555555559630 &lt;node1&gt;</span>
+--Type<span class="w"> </span>&lt;RET&gt;<span class="w"> </span><span class="k">for</span><span class="w"> </span>more,<span class="w"> </span>q<span class="w"> </span>to<span class="w"> </span>quit,<span class="w"> </span>c<span class="w"> </span>to<span class="w"> </span><span class="k">continue</span><span class="w"> </span>without<span class="w"> </span>paging--
+<span class="w"> </span>0x000055555555592f<span class="w"> </span>&lt;+150&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x1,%ecx
+<span class="w"> </span>0x0000555555555932<span class="w"> </span>&lt;+153&gt;:<span class="w"> </span>jle<span class="w"> </span>0x55555555593f<span class="w"> </span>&lt;phase_6+166&gt;
+<span class="w"> </span>0x0000555555555934<span class="w"> </span>&lt;+155&gt;:<span class="w"> </span>mov<span class="w"> </span>0x8<span class="o">(</span>%rdx<span class="o">)</span>,%rdx
+<span class="w"> </span>0x0000555555555938<span class="w"> </span>&lt;+159&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x1,%eax
+<span class="w"> </span>0x000055555555593b<span class="w"> </span>&lt;+162&gt;:<span class="w"> </span>cmp<span class="w"> </span>%ecx,%eax
+<span class="w"> </span>0x000055555555593d<span class="w"> </span>&lt;+164&gt;:<span class="w"> </span>jne<span class="w"> </span>0x555555555934<span class="w"> </span>&lt;phase_6+155&gt;
+<span class="w"> </span>0x000055555555593f<span class="w"> </span>&lt;+166&gt;:<span class="w"> </span>mov<span class="w"> </span>%rdx,0x10<span class="o">(</span>%rsp,%rsi,8<span class="o">)</span>
+<span class="w"> </span>0x0000555555555944<span class="w"> </span>&lt;+171&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x1,%rsi
+<span class="w"> </span>0x0000555555555948<span class="w"> </span>&lt;+175&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x6,%rsi
+<span class="w"> </span>0x000055555555594c<span class="w"> </span>&lt;+179&gt;:<span class="w"> </span>jne<span class="w"> </span>0x55555555591f<span class="w"> </span>&lt;phase_6+134&gt;
+<span class="w"> </span>0x000055555555594e<span class="w"> </span>&lt;+181&gt;:<span class="w"> </span>mov<span class="w"> </span>0x10<span class="o">(</span>%rsp<span class="o">)</span>,%rbx
+<span class="w"> </span>0x0000555555555953<span class="w"> </span>&lt;+186&gt;:<span class="w"> </span>mov<span class="w"> </span>0x18<span class="o">(</span>%rsp<span class="o">)</span>,%rax
+<span class="w"> </span>0x0000555555555958<span class="w"> </span>&lt;+191&gt;:<span class="w"> </span>mov<span class="w"> </span>%rax,0x8<span class="o">(</span>%rbx<span class="o">)</span>
+<span class="w"> </span>0x000055555555595c<span class="w"> </span>&lt;+195&gt;:<span class="w"> </span>mov<span class="w"> </span>0x20<span class="o">(</span>%rsp<span class="o">)</span>,%rdx
+<span class="w"> </span>0x0000555555555961<span class="w"> </span>&lt;+200&gt;:<span class="w"> </span>mov<span class="w"> </span>%rdx,0x8<span class="o">(</span>%rax<span class="o">)</span>
+<span class="w"> </span>0x0000555555555965<span class="w"> </span>&lt;+204&gt;:<span class="w"> </span>mov<span class="w"> </span>0x28<span class="o">(</span>%rsp<span class="o">)</span>,%rax
+<span class="w"> </span>0x000055555555596a<span class="w"> </span>&lt;+209&gt;:<span class="w"> </span>mov<span class="w"> </span>%rax,0x8<span class="o">(</span>%rdx<span class="o">)</span>
+<span class="w"> </span>0x000055555555596e<span class="w"> </span>&lt;+213&gt;:<span class="w"> </span>mov<span class="w"> </span>0x30<span class="o">(</span>%rsp<span class="o">)</span>,%rdx
+<span class="w"> </span>0x0000555555555973<span class="w"> </span>&lt;+218&gt;:<span class="w"> </span>mov<span class="w"> </span>%rdx,0x8<span class="o">(</span>%rax<span class="o">)</span>
+<span class="w"> </span>0x0000555555555977<span class="w"> </span>&lt;+222&gt;:<span class="w"> </span>mov<span class="w"> </span>0x38<span class="o">(</span>%rsp<span class="o">)</span>,%rax
+<span class="w"> </span>0x000055555555597c<span class="w"> </span>&lt;+227&gt;:<span class="w"> </span>mov<span class="w"> </span>%rax,0x8<span class="o">(</span>%rdx<span class="o">)</span>
+<span class="w"> </span>0x0000555555555980<span class="w"> </span>&lt;+231&gt;:<span class="w"> </span>movq<span class="w"> </span><span class="nv">$0</span>x0,0x8<span class="o">(</span>%rax<span class="o">)</span>
+<span class="w"> </span>0x0000555555555988<span class="w"> </span>&lt;+239&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x5,%ebp
+<span class="w"> </span>0x000055555555598d<span class="w"> </span>&lt;+244&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x5555555559c4<span class="w"> </span>&lt;phase_6+299&gt;
+<span class="w"> </span>0x000055555555598f<span class="w"> </span>&lt;+246&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x1,%r15
+<span class="w"> </span>0x0000555555555993<span class="w"> </span>&lt;+250&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x4,%r14
+<span class="w"> </span>0x0000555555555997<span class="w"> </span>&lt;+254&gt;:<span class="w"> </span>mov<span class="w"> </span>%r14,%rbp
+<span class="w"> </span>0x000055555555599a<span class="w"> </span>&lt;+257&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="o">(</span>%r14<span class="o">)</span>,%eax
+<span class="w"> </span>0x000055555555599d<span class="w"> </span>&lt;+260&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x1,%eax
+<span class="w"> </span>0x00005555555559a0<span class="w"> </span>&lt;+263&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x5,%eax
+<span class="w"> </span>0x00005555555559a3<span class="w"> </span>&lt;+266&gt;:<span class="w"> </span>ja<span class="w"> </span>0x5555555558d1<span class="w"> </span>&lt;phase_6+56&gt;
+<span class="w"> </span>0x00005555555559a9<span class="w"> </span>&lt;+272&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x5,%r15d
+<span class="w"> </span>0x00005555555559ad<span class="w"> </span>&lt;+276&gt;:<span class="w"> </span>jg<span class="w"> </span>0x5555555558f9<span class="w"> </span>&lt;phase_6+96&gt;
+<span class="w"> </span>0x00005555555559b3<span class="w"> </span>&lt;+282&gt;:<span class="w"> </span>mov<span class="w"> </span>%r15,%rbx
+<span class="w"> </span>0x00005555555559b6<span class="w"> </span>&lt;+285&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x5555555558e8<span class="w"> </span>&lt;phase_6+79&gt;
+<span class="w"> </span>0x00005555555559bb<span class="w"> </span>&lt;+290&gt;:<span class="w"> </span>mov<span class="w"> </span>0x8<span class="o">(</span>%rbx<span class="o">)</span>,%rbx
+<span class="w"> </span>0x00005555555559bf<span class="w"> </span>&lt;+294&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x1,%ebp
+<span class="w"> </span>0x00005555555559c2<span class="w"> </span>&lt;+297&gt;:<span class="w"> </span>je<span class="w"> </span>0x5555555559d5<span class="w"> </span>&lt;phase_6+316&gt;
+<span class="w"> </span>0x00005555555559c4<span class="w"> </span>&lt;+299&gt;:<span class="w"> </span>mov<span class="w"> </span>0x8<span class="o">(</span>%rbx<span class="o">)</span>,%rax
+<span class="w"> </span>0x00005555555559c8<span class="w"> </span>&lt;+303&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="o">(</span>%rax<span class="o">)</span>,%eax
+<span class="w"> </span>0x00005555555559ca<span class="w"> </span>&lt;+305&gt;:<span class="w"> </span>cmp<span class="w"> </span>%eax,<span class="o">(</span>%rbx<span class="o">)</span>
+--Type<span class="w"> </span>&lt;RET&gt;<span class="w"> </span><span class="k">for</span><span class="w"> </span>more,<span class="w"> </span>q<span class="w"> </span>to<span class="w"> </span>quit,<span class="w"> </span>c<span class="w"> </span>to<span class="w"> </span><span class="k">continue</span><span class="w"> </span>without<span class="w"> </span>paging--
+<span class="w"> </span>0x00005555555559cc<span class="w"> </span>&lt;+307&gt;:<span class="w"> </span>jge<span class="w"> </span>0x5555555559bb<span class="w"> </span>&lt;phase_6+290&gt;
+<span class="w"> </span>0x00005555555559ce<span class="w"> </span>&lt;+309&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x00005555555559d3<span class="w"> </span>&lt;+314&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x5555555559bb<span class="w"> </span>&lt;phase_6+290&gt;
+<span class="w"> </span>0x00005555555559d5<span class="w"> </span>&lt;+316&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x68,%rsp
+<span class="w"> </span>0x00005555555559d9<span class="w"> </span>&lt;+320&gt;:<span class="w"> </span>pop<span class="w"> </span>%rbx
+<span class="w"> </span>0x00005555555559da<span class="w"> </span>&lt;+321&gt;:<span class="w"> </span>pop<span class="w"> </span>%rbp
+<span class="w"> </span>0x00005555555559db<span class="w"> </span>&lt;+322&gt;:<span class="w"> </span>pop<span class="w"> </span>%r12
+<span class="w"> </span>0x00005555555559dd<span class="w"> </span>&lt;+324&gt;:<span class="w"> </span>pop<span class="w"> </span>%r13
+<span class="w"> </span>0x00005555555559df<span class="w"> </span>&lt;+326&gt;:<span class="w"> </span>pop<span class="w"> </span>%r14
+<span class="w"> </span>0x00005555555559e1<span class="w"> </span>&lt;+328&gt;:<span class="w"> </span>pop<span class="w"> </span>%r15
+<span class="w"> </span>0x00005555555559e3<span class="w"> </span>&lt;+330&gt;:<span class="w"> </span>ret<span class="w"> </span>
+End<span class="w"> </span>of<span class="w"> </span>assembler<span class="w"> </span>dump.
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>
+</code></pre>
+</div>
+
+<p>Again, we see the familiar <code>read_six_digits</code> function.</p>
+
+<p>Let us analyse this function in chunks:</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x00005555555558bb<span class="w"> </span>&lt;+34&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d97<span class="w"> </span>&lt;read_six_numbers&gt;
+<span class="w"> </span>0x00005555555558c0<span class="w"> </span>&lt;+39&gt;:<span class="w"> </span>mov<span class="w"> </span>%r14,%r12
+<span class="w"> </span>0x00005555555558c3<span class="w"> </span>&lt;+42&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="nv">$0</span>x1,%r15d
+<span class="w"> </span>0x00005555555558c9<span class="w"> </span>&lt;+48&gt;:<span class="w"> </span>mov<span class="w"> </span>%r14,%r13
+<span class="w"> </span>0x00005555555558cc<span class="w"> </span>&lt;+51&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x555555555997<span class="w"> </span>&lt;phase_6+254&gt;
+</code></pre>
+</div>
+
+<ol>
+<li>Read six numbers</li>
+<li>Initialise Registers:
+2.1. <code>mov %r14,%r12</code>: <code>%r14</code> should be pointing to the location of the stack where the numbers were read into. This address is copied onto <code>%r12</code>
+2.2. <code>mov $0x1,%r15d</code>: The value <code>1</code> is moved into <code>%r15</code> register (probably acting like a counter)
+2.3. <code>mov %r14,%r13</code>: The value is also copied to <code>%r13</code></li>
+<li>Jump to start of loop:</li>
+</ol>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x0000555555555997<span class="w"> </span>&lt;+254&gt;:<span class="w"> </span>mov<span class="w"> </span>%r14,%rbp
+<span class="w"> </span>0x000055555555599a<span class="w"> </span>&lt;+257&gt;:<span class="w"> </span>mov<span class="w"> </span><span class="o">(</span>%r14<span class="o">)</span>,%eax
+<span class="w"> </span>0x000055555555599d<span class="w"> </span>&lt;+260&gt;:<span class="w"> </span>sub<span class="w"> </span><span class="nv">$0</span>x1,%eax
+<span class="w"> </span>0x00005555555559a0<span class="w"> </span>&lt;+263&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x5,%eax
+<span class="w"> </span>0x00005555555559a3<span class="w"> </span>&lt;+266&gt;:<span class="w"> </span>ja<span class="w"> </span>0x5555555558d1<span class="w"> </span>&lt;phase_6+56&gt;
+</code></pre>
+</div>
+
+<ol>
+<li>Initialise register and point to first number in sequence</li>
+<li>Adjust number(s):
+2.1. <code>mov (%r14),%eax</code> -> load the current number in the sequence
+2.2. <code>sub $0x1,%eax</code> -> decrement number by 1</li>
+<li>Validation
+3.1. <code>cmp $0x5,%eax</code>: This compares the adjusted value in <code>%eax</code> with 5.
+3.2. <code>ja 0x5555555558d1 &lt;phase_6+56&gt;</code>: jump if given value is &gt; 5 or &lt; 0</li>
+</ol>
+
+<p>=&gt; All numbers should be between 1 and 6.</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x00005555555559a9<span class="w"> </span>&lt;+272&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x5,%r15d
+<span class="w"> </span>0x00005555555559ad<span class="w"> </span>&lt;+276&gt;:<span class="w"> </span>jg<span class="w"> </span>0x5555555558f9<span class="w"> </span>&lt;phase_6+96&gt;
+</code></pre>
+</div>
+
+<p>This checks if the value stored in <code>%r15</code> is &gt; 5, if it is then it jumps somewhere else. This validates our assumption that <code>%r15</code> is acting as a counter.</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x00005555555559b3<span class="w"> </span>&lt;+282&gt;:<span class="w"> </span>mov<span class="w"> </span>%r15,%rbx
+<span class="w"> </span>0x00005555555559b6<span class="w"> </span>&lt;+285&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x5555555558e8<span class="w"> </span>&lt;phase_6+79&gt;
+</code></pre>
+</div>
+
+<p>Let us jump to +79</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x00005555555558e8<span class="w"> </span>&lt;+79&gt;:<span class="w"> </span>mov<span class="w"> </span>0x0<span class="o">(</span>%r13,%rbx,4<span class="o">)</span>,%eax
+<span class="w"> </span>0x00005555555558ed<span class="w"> </span>&lt;+84&gt;:<span class="w"> </span>cmp<span class="w"> </span>%eax,0x0<span class="o">(</span>%rbp<span class="o">)</span>
+<span class="w"> </span>0x00005555555558f0<span class="w"> </span>&lt;+87&gt;:<span class="w"> </span>jne<span class="w"> </span>0x5555555558db<span class="w"> </span>&lt;phase_6+66&gt;
+<span class="w"> </span>0x00005555555558f2<span class="w"> </span>&lt;+89&gt;:<span class="w"> </span>call<span class="w"> </span>0x555555555d4a<span class="w"> </span>&lt;explode_bomb&gt;
+<span class="w"> </span>0x00005555555558f7<span class="w"> </span>&lt;+94&gt;:<span class="w"> </span>jmp<span class="w"> </span>0x5555555558db<span class="w"> </span>&lt;phase_6+66&gt;
+</code></pre>
+</div>
+
+<p>This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="w"> </span>0x00005555555558db<span class="w"> </span>&lt;+66&gt;:<span class="w"> </span>add<span class="w"> </span><span class="nv">$0</span>x1,%rbx<span class="w"> </span>//<span class="w"> </span>Increments<span class="w"> </span>by<span class="w"> </span><span class="m">1</span>
+<span class="w"> </span>0x00005555555558df<span class="w"> </span>&lt;+70&gt;:<span class="w"> </span>cmp<span class="w"> </span><span class="nv">$0</span>x5,%ebx<span class="w"> </span>
+<span class="w"> </span>0x00005555555558e2<span class="w"> </span>&lt;+73&gt;:<span class="w"> </span>jg<span class="w"> </span>0x55555555598f<span class="w"> </span>&lt;phase_6+246&gt;<span class="w"> </span>//<span class="w"> </span>Jump<span class="w"> </span><span class="k">if</span><span class="w"> </span>&gt;<span class="w"> </span><span class="m">5</span><span class="w"> </span><span class="o">(</span>Loop<span class="w"> </span>iterations<span class="w"> </span>are<span class="w"> </span><span class="nb">complete</span><span class="o">)</span>
+<span class="w"> </span>0x00005555555558e8<span class="w"> </span>&lt;+79&gt;:<span class="w"> </span>mov<span class="w"> </span>0x0<span class="o">(</span>%r13,%rbx,4<span class="o">)</span>,%eax<span class="w"> </span>
+<span class="w"> </span>0x00005555555558ed<span class="w"> </span>&lt;+84&gt;:<span class="w"> </span>cmp<span class="w"> </span>%eax,0x0<span class="o">(</span>%rbp<span class="o">)</span>
+<span class="w"> </span>0x00005555555558f0<span class="w"> </span>&lt;+87&gt;:<span class="w"> </span>jne<span class="w"> </span>0x5555555558db<span class="w"> </span>&lt;phase_6+66&gt;<span class="w"> </span>//<span class="w"> </span>Again,<span class="w"> </span>check<span class="w"> </span><span class="k">if</span><span class="w"> </span>the<span class="w"> </span>number<span class="w"> </span>being<span class="w"> </span>seen<span class="w"> </span>is<span class="w"> </span>unique
+</code></pre>
+</div>
+
+<p>Now we know that the numbers are unique, between 1-6 (inclusive).</p>
+
+<p>After stepping through the instructions, we can also see that the numbers are being transformed:
+* By subtracting it from 7 (mov $0x7,%ecx followed by sub (%r12),%eax)
+* This effectively maps the numbers as follows: 1 to 6, 2 to 5, 3 to 4, 4 to 3, 5 to 2, and 6 to 1.</p>
+
+<p>Let us try to figure out what <code>0x0000555555555928 &lt;+143&gt;: lea 0x3d01(%rip),%rdx # 0x555555559630 &lt;node1&gt;</code> is:</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>x/30wx<span class="w"> </span>0x555555559630
+0x555555559630<span class="w"> </span>&lt;node1&gt;:<span class="w"> </span>0x000000d9<span class="w"> </span>0x00000001<span class="w"> </span>0x55559640<span class="w"> </span>0x00005555
+0x555555559640<span class="w"> </span>&lt;node2&gt;:<span class="w"> </span>0x000003ab<span class="w"> </span>0x00000002<span class="w"> </span>0x55559650<span class="w"> </span>0x00005555
+0x555555559650<span class="w"> </span>&lt;node3&gt;:<span class="w"> </span>0x0000014f<span class="w"> </span>0x00000003<span class="w"> </span>0x55559660<span class="w"> </span>0x00005555
+0x555555559660<span class="w"> </span>&lt;node4&gt;:<span class="w"> </span>0x000000a1<span class="w"> </span>0x00000004<span class="w"> </span>0x55559670<span class="w"> </span>0x00005555
+0x555555559670<span class="w"> </span>&lt;node5&gt;:<span class="w"> </span>0x000001b3<span class="w"> </span>0x00000005<span class="w"> </span>0x55559120<span class="w"> </span>0x00005555
+0x555555559680<span class="w"> </span>&lt;host_table&gt;:<span class="w"> </span>0x555573f5<span class="w"> </span>0x00005555<span class="w"> </span>0x5555740f<span class="w"> </span>0x00005555
+0x555555559690<span class="w"> </span>&lt;host_table+16&gt;:<span class="w"> </span>0x55557429<span class="w"> </span>0x00005555<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000
+0x5555555596a0<span class="w"> </span>&lt;host_table+32&gt;:<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>x/30wx<span class="w"> </span>0x555555559120
+0x555555559120<span class="w"> </span>&lt;node6&gt;:<span class="w"> </span>0x000002da<span class="w"> </span>0x00000006<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000
+0x555555559130:<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000
+0x555555559140<span class="w"> </span>&lt;userid&gt;:<span class="w"> </span>0x61767861<span class="w"> </span>0x38383535<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000
+0x555555559150<span class="w"> </span>&lt;userid+16&gt;:<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000
+0x555555559160<span class="w"> </span>&lt;userid+32&gt;:<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000
+0x555555559170<span class="w"> </span>&lt;userid+48&gt;:<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000
+0x555555559180<span class="w"> </span>&lt;userid+64&gt;:<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000
+0x555555559190<span class="w"> </span>&lt;userid+80&gt;:<span class="w"> </span>0x00000000<span class="w"> </span>0x00000000
+<span class="o">(</span>gdb<span class="o">)</span><span class="w"> </span>
+</code></pre>
+</div>
+
+<p>It appears that this is a linked list. With roughly the following structure:</p>
+
+<div class="codehilite">
+<pre><span></span><code><span class="k">struct</span><span class="w"> </span><span class="nc">node</span><span class="w"> </span><span class="p">{</span>
+<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">value</span><span class="p">;</span>
+<span class="w"> </span><span class="kt">int</span><span class="w"> </span><span class="n">index</span><span class="p">;</span>
+<span class="w"> </span><span class="k">struct</span><span class="w"> </span><span class="nc">node</span><span class="w"> </span><span class="o">*</span><span class="n">next</span><span class="p">;</span>
+<span class="p">};</span>
+</code></pre>
+</div>
+
+<p>Let us convert the values into decimal:</p>
+
+<pre><code>0x000000d9 -&gt; 217
+0x000003ab -&gt; 939
+0x0000014f -&gt; 335
+0x000000a1 -&gt; 161
+0x000001b3 -&gt; 435
+0x000002da -&gt; 730
+</code></pre>
+
+<p><strong>Missing Notes</strong></p>
+
+<p>To re-arrange this linked list in descending order, we would arrange it as follows:</p>
+
+<pre><code>Node 2 -&gt; Node 6 -&gt; Node 5 -&gt; Node 3 -&gt; Node 1 -&gt; Node 4
+</code></pre>
+
+<p>Since we also need to apply the transformation: <code>7 - x</code>:</p>
+
+<pre><code>(7-2) -&gt; (7-6) -&gt; ... -&gt; (7-4)
+</code></pre>
+
+<p>Final answer: <code>5 1 2 4 6 3</code></p>
+
+<p>Let us try the answer:</p>
+
+<pre><code>...
+That's number 2. Keep going!
+Halfway there!
+So you got that one. Try this one.
+Good work! On to the next...
+5 1 2 4 6 3
+
+Breakpoint 1, 0x0000555555555899 in phase_6 ()
+(gdb) continue
+Continuing.
+Congratulations! You've defused the bomb!
+Your instructor has been notified and will verify your solution.
+[Inferior 1 (process 1754) exited normally]
+</code></pre>
+
+<p>But, what about the secret phase?</p>
+
+ <blockquote>If you have scrolled this far, consider subscribing to my mailing list <a href="https://listmonk.navan.dev/subscription/form">here.</a> You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.</blockquote>
+ <script data-isso="//comments.navan.dev/"
+ src="//comments.navan.dev/js/embed.min.js"></script>
+ <section id="isso-thread">
+ <noscript>Javascript needs to be activated to view comments.</noscript>
+ </section>
+</main>
+
+
+<script src="assets/manup.min.js"></script>
+<script src="/pwabuilder-sw-register.js"></script>
+</body>
+</html> \ No newline at end of file
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-20 08:48:22 +0000