From fafd62dd9c374f9ab3075ee0a023d6c68d380e1e Mon Sep 17 00:00:00 2001 From: Navan Chauhan Date: Wed, 4 Oct 2023 20:05:17 -0600 Subject: finished bomb lab 1-6 --- Content/posts/2023-10-04-bomb-lab.md | 153 +++-- docs/feed.rss | 1045 ++++++++++++++++++--------------- docs/index.html | 4 +- docs/posts/2023-10-04-bomb-lab.html | 1047 +++++++++++++++++++--------------- docs/posts/index.html | 4 +- 5 files changed, 1265 insertions(+), 988 deletions(-) diff --git a/Content/posts/2023-10-04-bomb-lab.md b/Content/posts/2023-10-04-bomb-lab.md index d72322f..c805279 100644 --- a/Content/posts/2023-10-04-bomb-lab.md +++ b/Content/posts/2023-10-04-bomb-lab.md @@ -1,23 +1,29 @@ --- date: 2023-10-04 13:12 -description: Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2 +description: Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2 tags: gdb, reverse-engineering, c++, csci2400, assembly --- -# Bomb Lab Phases 1-5 +# Bomb Lab ## Introduction -Lab 2 for CSCI 2400 - Computer Systems. +Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems -I like using objdump to disassemble the code and see a broad overview of what is happening. +> The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused. + +> There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad! + +I like using objdump to disassemble the code and get a broad overview of what is happening before I start. `objdump -d bomb > dis.txt` +*Note: I am not sure about the history of the bomb lab. I think it started at CMU.* + ## Phase 1 -``` -jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb +```shell +joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 Copyright (C) 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later @@ -36,7 +42,7 @@ Type "apropos word" to search for commands related to "word"... Reading symbols from ./bomb... Breakpoint 1 at 0x15c7 Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Welcome to my fiendish little bomb. You have 6 phases with @@ -68,7 +74,7 @@ $1 = 93824992244048 ## Phase 2 -``` +```shell Phase 1 defused. How about the next one? 1 2 3 4 5 6 @@ -106,7 +112,7 @@ End of assembler dump. (gdb) ``` -``` +```shell 0x00005555555555fd <+18>: cmpl $0x0,(%rsp) 0x0000555555555601 <+22>: js 0x55555555560d ... @@ -116,7 +122,7 @@ End of assembler dump. The program first compares if the first number is not 0. If the number is not 0, then the `cmpl` instruction returns a negative value. The `js` instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called. -``` +```shell 0x0000555555555603 <+24>: mov %rsp,%rbp 0x0000555555555606 <+27>: mov $0x1,%ebx ``` @@ -129,13 +135,13 @@ By executing `mov %rsp,%rbp` we are setting the base pointer (`%rbp`) to point t Now, for the second instruction `mov $0x1,%ebx`, we are initalising the `%ebx` register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop. -``` +```shell 0x000055555555560b <+32>: jmp 0x555555555620 ``` The program now jumps to -``` +```shell 0x0000555555555620 <+53>: mov %ebx,%eax 0x0000555555555622 <+55>: add 0x0(%rbp),%eax 0x0000555555555625 <+58>: cmp %eax,0x4(%rbp) @@ -150,7 +156,7 @@ Then, the value at the memory location pointed by `%rbp` is added to the value i `je 0x555555555614 ` - The program will jump to `phase_2+41` if the previous `cmp` instruction determined the values as equal. -``` +```shell 0x0000555555555614 <+41>: add $0x1,%ebx 0x0000555555555617 <+44>: add $0x4,%rbp 0x000055555555561b <+48>: cmp $0x6,%ebx @@ -173,7 +179,7 @@ Thus, * 6th number = 10 (prev value) + 5 = 15 -``` +```shell ... Phase 1 defused. How about the next one? 0 1 3 6 10 15 @@ -188,7 +194,7 @@ That's number 2. Keep going! Let us look at the disassembled code first -``` +```shell 0000000000001638 : 1638: f3 0f 1e fa endbr64 163c: 48 83 ec 18 sub $0x18,%rsp @@ -275,7 +281,7 @@ Let us look at the disassembled code first 1797: eb f4 jmp 178d ``` -``` +```shell ... 165b: e8 80 fc ff ff call 12e0 <__isoc99_sscanf@plt> ... @@ -285,8 +291,8 @@ We can see that `scanf` is being called which means we need to figure out what d Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions. -``` -jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt +```shell +joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 Copyright (C) 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later @@ -305,7 +311,7 @@ Type "apropos word" to search for commands related to "word"... Reading symbols from ./bomb... Breakpoint 1 at 0x1638 Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Welcome to my fiendish little bomb. You have 6 phases with @@ -348,7 +354,7 @@ Dump of assembler code for function phase_3: `gdb` has thankfully marked the address which is being passed to `scanf`. We can access the value: -``` +```shell (gdb) x/1s 0x5555555571b6 0x5555555571b6: "%d %c %d" (gdb) @@ -356,7 +362,7 @@ Dump of assembler code for function phase_3: BINGO! The program expects an integer, character, and another integer. Onwards. -``` +```shell 0x0000555555555660 <+40>: cmp $0x2,%eax 0x0000555555555663 <+43>: jle 0x555555555685 ... @@ -367,7 +373,7 @@ The program checks whether `scanf` returns a value <= 2, if it does then it call *Note: `scanf` returns the number of fields that were succesfully converted and assigned* -``` +```shell 0x0000555555555665 <+45>: cmpl $0x7,0xc(%rsp) 0x000055555555566a <+50>: ja 0x55555555577d ... @@ -377,7 +383,7 @@ The program checks whether `scanf` returns a value <= 2, if it does then it call Similarly, the program checks and ensures the returned value is not > 7. -``` +```shell 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax 0x0000555555555674 <+60>: lea 0x1b55(%rip),%rdx # 0x5555555571d0 0x000055555555567b <+67>: movslq (%rdx,%rax,4),%rax @@ -413,7 +419,7 @@ $1 = 3 We can see that this makes us jump to `` (Continue to step through the code by using `ni`) -``` +```shell 0x00005555555556f2 <+186>: mov $0x64,%eax 0x00005555555556f7 <+191>: cmpl $0x280,0x8(%rsp) 0x00005555555556ff <+199>: je 0x555555555787 @@ -422,7 +428,7 @@ We can see that this makes us jump to `` (Continue to step through We see that `0x64` (Decimal 100) is being stored in `%eax`. Then, the program compares `0x280` (Decimal 640) with memory address `0x8` bytes above the stack pointer (`%rsp`). If the values are equal, then it jumps to ``, otherwise `explode_bomb` is called. -``` +```shell 0x0000555555555787 <+335>: cmp %al,0x7(%rsp) 0x000055555555578b <+339>: jne 0x555555555792 0x000055555555578d <+341>: add $0x18,%rsp @@ -434,7 +440,7 @@ Here, the program is comparing the value of our given character to the value sto Knowing that the character is stored at an offset of 7 bytes to `%rsp`, we can print and check the value by running: -``` +```shell (gdb) x/1cw $rsp+7 c (gdb) print $al @@ -443,7 +449,7 @@ $1 = 100 We can simply lookup the [ASCII table](https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html), and see that 100 in decimal stands for the character `d`. Let us try this answer: -``` +```shell ... That's number 2. Keep going! 3 d 640 @@ -456,8 +462,8 @@ Halfway there! ## Phase 4 -``` -jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt +```shell +joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1 Copyright (C) 2022 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later @@ -476,7 +482,7 @@ Type "apropos word" to search for commands related to "word"... Reading symbols from ./bomb... Breakpoint 1 at 0x17d3 Breakpoint 2 at 0x1d4a -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Welcome to my fiendish little bomb. You have 6 phases with @@ -518,28 +524,28 @@ End of assembler dump. Again, `gdb` has marked the string being passed to `scanf` -``` +```shell (gdb) x/1s 0x5555555573a6 0x5555555573a6: "%d %d" ``` Okay, so this time we are supposed to enter 2 numbers. -``` +```shell 0x00005555555557f6 <+35>: cmp $0x2,%eax 0x00005555555557f9 <+38>: jne 0x555555555802 ``` Checks if there were 2 values read from calling `scanf`, if not -> jump to `` which calls ``. -``` +```shell 0x00005555555557fb <+40>: cmpl $0xe,0xc(%rsp) 0x0000555555555800 <+45>: jbe 0x555555555807 ``` Compare `0xe` (14 in Decimal) and value stored at `$rsp` + `0xc` bytes (Decimal 12). If this condition is met (<= 14), jump to ``. If not, then explode bomb. -``` +```shell ... 0x0000555555555807 <+52>: mov $0xe,%edx 0x000055555555580c <+57>: mov $0x0,%esi @@ -557,7 +563,7 @@ Compare `0xe` (14 in Decimal) and value stored at `$rsp` + `0xc` bytes (Decimal Let us look into `func4` -``` +```shell (gdb) disas func4 Dump of assembler code for function func4: 0x0000555555555799 <+0>: endbr64 @@ -586,7 +592,7 @@ This looks like a recursive function :( (I hate recursive functions) Let's annotate the instructions. -``` +```shell endbr64 sub $0x8,%rsp // subtract 8 bytes from the stack pointer mov %edx,%ecx // Move the value in register %edx to %ecx @@ -633,14 +639,14 @@ Okay, so we know that the number needed to be passed to `func4` is 5. But, what If we go back to the code for ``, we can see that: -``` +```shell 0x000055555555581f <+76>: cmpl $0x2,0x8(%rsp) 0x0000555555555824 <+81>: je 0x55555555582b ``` The value at `$rsp+8` should be equal to 2. So, let us try passing `5 2` as our input. -``` +```shell ... Phase 1 defused. How about the next one? That's number 2. Keep going! @@ -655,7 +661,7 @@ So you got that one. Try this one. ## Phase 5 -``` +```shell So you got that one. Try this one. test string @@ -695,7 +701,7 @@ End of assembler dump. (gdb) ``` -``` +```shell ... 0x000055555555583c <+12>: call 0x555555555b10 0x0000555555555841 <+17>: cmp $0x6,%eax @@ -723,7 +729,7 @@ We can also see a similar pattern compared to Phase 2, where we had a loop: We can check the reference string we need, which `gdb` has marked as `# 0x5555555571bf`, and the lookup table marked as `# 0x5555555571f0 ` -``` +```shell (gdb) x/s 0x5555555571bf 0x5555555571bf: "bruins" (gdb) x/s 0x5555555571f0 @@ -761,7 +767,7 @@ s -> g Let us try out this answer: -``` +```shell ... That's number 2. Keep going! Halfway there! @@ -778,7 +784,7 @@ Awesome! ## Phase 6 -``` +```shell Good work! On to the next... test string @@ -887,7 +893,7 @@ Again, we see the familiar `read_six_digits` function. Let us analyse this function in chunks: -``` +```shell 0x00005555555558bb <+34>: call 0x555555555d97 0x00005555555558c0 <+39>: mov %r14,%r12 0x00005555555558c3 <+42>: mov $0x1,%r15d @@ -902,7 +908,7 @@ Let us analyse this function in chunks: 2.3. `mov %r14,%r13`: The value is also copied to `%r13` 3. Jump to start of loop: -``` +```shell 0x0000555555555997 <+254>: mov %r14,%rbp 0x000055555555599a <+257>: mov (%r14),%eax 0x000055555555599d <+260>: sub $0x1,%eax @@ -920,21 +926,21 @@ Let us analyse this function in chunks: => All numbers should be between 1 and 6. -``` +```shell 0x00005555555559a9 <+272>: cmp $0x5,%r15d 0x00005555555559ad <+276>: jg 0x5555555558f9 ``` This checks if the value stored in `%r15` is > 5, if it is then it jumps somewhere else. This validates our assumption that `%r15` is acting as a counter. -``` +```shell 0x00005555555559b3 <+282>: mov %r15,%rbx 0x00005555555559b6 <+285>: jmp 0x5555555558e8 ``` Let us jump to +79 -``` +```shell 0x00005555555558e8 <+79>: mov 0x0(%r13,%rbx,4),%eax 0x00005555555558ed <+84>: cmp %eax,0x0(%rbp) 0x00005555555558f0 <+87>: jne 0x5555555558db @@ -944,7 +950,7 @@ Let us jump to +79 This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique -``` +```shell 0x00005555555558db <+66>: add $0x1,%rbx // Increments by 1 0x00005555555558df <+70>: cmp $0x5,%ebx 0x00005555555558e2 <+73>: jg 0x55555555598f // Jump if > 5 (Loop iterations are complete) @@ -961,7 +967,7 @@ After stepping through the instructions, we can also see that the numbers are be Let us try to figure out what ` 0x0000555555555928 <+143>: lea 0x3d01(%rip),%rdx # 0x555555559630 ` is: -``` +```shell (gdb) x/30wx 0x555555559630 0x555555559630 : 0x000000d9 0x00000001 0x55559640 0x00005555 0x555555559640 : 0x000003ab 0x00000002 0x55559650 0x00005555 @@ -993,4 +999,49 @@ struct node { }; ``` -Let us convert the values into decimal +Let us convert the values into decimal: + +``` +0x000000d9 -> 217 +0x000003ab -> 939 +0x0000014f -> 335 +0x000000a1 -> 161 +0x000001b3 -> 435 +0x000002da -> 730 +``` + +**Missing Notes** + +To re-arrange this linked list in descending order, we would arrange it as follows: + +``` +Node 2 -> Node 6 -> Node 5 -> Node 3 -> Node 1 -> Node 4 +``` + +Since we also need to apply the transformation: `7 - x`: + +``` +(7-2) -> (7-6) -> ... -> (7-4) +``` + +Final answer: `5 1 2 4 6 3` + +Let us try the answer: + +``` +... +That's number 2. Keep going! +Halfway there! +So you got that one. Try this one. +Good work! On to the next... +5 1 2 4 6 3 + +Breakpoint 1, 0x0000555555555899 in phase_6 () +(gdb) continue +Continuing. +Congratulations! You've defused the bomb! +Your instructor has been notified and will verify your solution. +[Inferior 1 (process 1754) exited normally] +``` + +But, what about the secret phase? \ No newline at end of file diff --git a/docs/feed.rss b/docs/feed.rss index 17c12c3..b1ead9e 100644 --- a/docs/feed.rss +++ b/docs/feed.rss @@ -4,8 +4,8 @@ Navan's Archive Rare Tips, Tricks and Posts https://web.navan.dev/en - Wed, 04 Oct 2023 16:58:57 -0000 - Wed, 04 Oct 2023 16:58:57 -0000 + Wed, 04 Oct 2023 20:05:03 -0000 + Wed, 04 Oct 2023 20:05:03 -0000 250 @@ -3212,141 +3212,160 @@ logger.info("rdkit-{} installation finished!".format(rdkit.__version__)) https://web.navan.dev/posts/2023-10-04-bomb-lab.html - Bomb Lab Phases 1-5 + Bomb Lab - Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2 + Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2 https://web.navan.dev/posts/2023-10-04-bomb-lab.html Wed, 04 Oct 2023 13:12:00 -0000 - Bomb Lab Phases 1-5 + Bomb Lab

Introduction

-

Lab 2 for CSCI 2400 - Computer Systems.

+

Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems

-

I like using objdump to disassemble the code and see a broad overview of what is happening.

+
+

The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused.

+
+ +
+

There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!

+
+ +

I like using objdump to disassemble the code and get a broad overview of what is happening before I start.

objdump -d bomb > dis.txt

+

Note: I am not sure about the history of the bomb lab. I think it started at CMU.

+

Phase 1

-
jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb 
-GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
-Copyright (C) 2022 Free Software Foundation, Inc.
-License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
+
+
joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb 
+GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
+Copyright (C) 2022 Free Software Foundation, Inc.
+License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.
-Type "show copying" and "show warranty" for details.
-This GDB was configured as "x86_64-linux-gnu".
-Type "show configuration" for configuration details.
+Type "show copying" and "show warranty" for details.
+This GDB was configured as "x86_64-linux-gnu".
+Type "show configuration" for configuration details.
 For bug reporting instructions, please see:
 <https://www.gnu.org/software/gdb/bugs/>.
 Find the GDB manual and other documentation resources online at:
     <http://www.gnu.org/software/gdb/documentation/>.
 
-For help, type "help".
-Type "apropos word" to search for commands related to "word"...
+For help, type "help".
+Type "apropos word" to search for commands related to "word"...
 Reading symbols from ./bomb...
-Breakpoint 1 at 0x15c7
-Breakpoint 2 at 0x1d4a
-Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb 
-[Thread debugging using libthread_db enabled]
-Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
-Welcome to my fiendish little bomb. You have 6 phases with
+Breakpoint 1 at 0x15c7
+Breakpoint 2 at 0x1d4a
+Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb 
+[Thread debugging using libthread_db enabled]
+Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
+Welcome to my fiendish little bomb. You have 6 phases with
 which to blow yourself up. Have a nice day!
-test string
-
-Breakpoint 1, 0x00005555555555c7 in phase_1 ()
-(gdb) dias phase_1
-Undefined command: "dias".  Try "help".
-(gdb) disas phase_1
-Dump of assembler code for function phase_1:
-=> 0x00005555555555c7 <+0>:     endbr64 
-   0x00005555555555cb <+4>:     sub    $0x8,%rsp
-   0x00005555555555cf <+8>:     lea    0x1b7a(%rip),%rsi        # 0x555555557150
+test string
+
+Breakpoint 1, 0x00005555555555c7 in phase_1 ()
+(gdb) dias phase_1
+Undefined command: "dias".  Try "help".
+(gdb) disas phase_1
+Dump of assembler code for function phase_1:
+=> 0x00005555555555c7 <+0>:     endbr64 
+   0x00005555555555cb <+4>:     sub    $0x8,%rsp
+   0x00005555555555cf <+8>:     lea    0x1b7a(%rip),%rsi        # 0x555555557150
    0x00005555555555d6 <+15>:    call   0x555555555b31 <strings_not_equal>
-   0x00005555555555db <+20>:    test   %eax,%eax
+   0x00005555555555db <+20>:    test   %eax,%eax
    0x00005555555555dd <+22>:    jne    0x5555555555e4 <phase_1+29>
-   0x00005555555555df <+24>:    add    $0x8,%rsp
+   0x00005555555555df <+24>:    add    $0x8,%rsp
    0x00005555555555e3 <+28>:    ret    
    0x00005555555555e4 <+29>:    call   0x555555555d4a <explode_bomb>
    0x00005555555555e9 <+34>:    jmp    0x5555555555df <phase_1+24>
 End of assembler dump.
-(gdb) print 0x555555557150
-$1 = 93824992244048
-(gdb) x/1s 0x555555557150
-0x555555557150: "Controlling complexity is the essence of computer programming."
-(gdb) 
+(gdb) print 0x555555557150
+$1 = 93824992244048
+(gdb) x/1s 0x555555557150
+0x555555557150: "Controlling complexity is the essence of computer programming."
+(gdb) 
 
+

Phase 2

-
Phase 1 defused. How about the next one?
-1 2 3 4 5 6
+
+
Phase 1 defused. How about the next one?
+1 2 3 4 5 6
 
-Breakpoint 1, 0x00005555555555eb in phase_2 ()
-(gdb) disas
-Dump of assembler code for function phase_2:
-=> 0x00005555555555eb <+0>:     endbr64 
+Breakpoint 1, 0x00005555555555eb in phase_2 ()
+(gdb) disas
+Dump of assembler code for function phase_2:
+=> 0x00005555555555eb <+0>:     endbr64 
    0x00005555555555ef <+4>:     push   %rbp
    0x00005555555555f0 <+5>:     push   %rbx
-   0x00005555555555f1 <+6>:     sub    $0x28,%rsp
+   0x00005555555555f1 <+6>:     sub    $0x28,%rsp
    0x00005555555555f5 <+10>:    mov    %rsp,%rsi
    0x00005555555555f8 <+13>:    call   0x555555555d97 <read_six_numbers>
-   0x00005555555555fd <+18>:    cmpl   $0x0,(%rsp)
+   0x00005555555555fd <+18>:    cmpl   $0x0,(%rsp)
    0x0000555555555601 <+22>:    js     0x55555555560d <phase_2+34>
    0x0000555555555603 <+24>:    mov    %rsp,%rbp
-   0x0000555555555606 <+27>:    mov    $0x1,%ebx
+   0x0000555555555606 <+27>:    mov    $0x1,%ebx
    0x000055555555560b <+32>:    jmp    0x555555555620 <phase_2+53>
    0x000055555555560d <+34>:    call   0x555555555d4a <explode_bomb>
    0x0000555555555612 <+39>:    jmp    0x555555555603 <phase_2+24>
-   0x0000555555555614 <+41>:    add    $0x1,%ebx
-   0x0000555555555617 <+44>:    add    $0x4,%rbp
-   0x000055555555561b <+48>:    cmp    $0x6,%ebx
+   0x0000555555555614 <+41>:    add    $0x1,%ebx
+   0x0000555555555617 <+44>:    add    $0x4,%rbp
+   0x000055555555561b <+48>:    cmp    $0x6,%ebx
    0x000055555555561e <+51>:    je     0x555555555631 <phase_2+70>
    0x0000555555555620 <+53>:    mov    %ebx,%eax
-   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
-   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
+   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
+   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
    0x0000555555555628 <+61>:    je     0x555555555614 <phase_2+41>
    0x000055555555562a <+63>:    call   0x555555555d4a <explode_bomb>
    0x000055555555562f <+68>:    jmp    0x555555555614 <phase_2+41>
-   0x0000555555555631 <+70>:    add    $0x28,%rsp
+   0x0000555555555631 <+70>:    add    $0x28,%rsp
    0x0000555555555635 <+74>:    pop    %rbx
    0x0000555555555636 <+75>:    pop    %rbp
    0x0000555555555637 <+76>:    ret    
 End of assembler dump.
-(gdb) 
+(gdb) 
 
+
-
   0x00005555555555fd <+18>:    cmpl   $0x0,(%rsp)
+
+
   0x00005555555555fd <+18>:    cmpl   $0x0,(%rsp)
    0x0000555555555601 <+22>:    js     0x55555555560d <phase_2+34>
 ...
    0x000055555555560d <+34>:    call   0x555555555d4a <explode_bomb>
 
+
-

The program first compares if the first number is not 0. If the number is not 0, then the cmpl instruction returns a negative value. The js instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called.

- -
   0x0000555555555603 <+24>:    mov    %rsp,%rbp
-   0x0000555555555606 <+27>:    mov    $0x1,%ebx
-
+

The program first compares if the first number is not 0. If the number is not 0, then the cmpl instruction returns a negative value. The js instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called. +

+
0x0000555555555603 <+24>:    mov    %rsp,%rbp
+   0x0000555555555606 <+27>:    mov    $0x1,%ebx
+   
+

%rsp in x86-64 asm, is the stack pointer i.e. it points to the top of the current stack frame. Since the program just read six numbers, the top of the stack (%rsp) contains the address of the first number.

By executing mov %rsp,%rbp we are setting the base pointer (%rbp) to point to this address.

-

Now, for the second instruction mov $0x1,%ebx, we are initalising the %ebx register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop.

- -
   0x000055555555560b <+32>:    jmp    0x555555555620 <phase_2+53>
-
- -

The program now jumps to

- -
   0x0000555555555620 <+53>:    mov    %ebx,%eax
-   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
-   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
+

Now, for the second instruction mov $0x1,%ebx, we are initalising the %ebx register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop. +

+
0x000055555555560b <+32>:    jmp    0x555555555620 <phase_2+53>
+   
+

+ +

The program now jumps to +

+
0x0000555555555620 <+53>:    mov    %ebx,%eax
+   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
+   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
    0x0000555555555628 <+61>:    je     0x555555555614 <phase_2+41>
-
+
+

Here, the value from %ebx is copied to the %eax register. For this iteration, the value should be 1.

@@ -3354,17 +3373,18 @@ End of assembler dump.

cmp %eax,0x4(%rbp) - The instruction compares the value in %eax to the value at the memory address %rbp + 4. Since Integers in this context are stored using a word of memory of 4 bytes, this indicates it checks against the second number in the sequence.

-

je 0x555555555614 <phase_2+41> - The program will jump to phase_2+41 if the previous cmp instruction determined the values as equal.

- -
   0x0000555555555614 <+41>:    add    $0x1,%ebx
-   0x0000555555555617 <+44>:    add    $0x4,%rbp
-   0x000055555555561b <+48>:    cmp    $0x6,%ebx
-   0x000055555555561e <+51>:    je     0x555555555631 <phase_2+70>
+

je 0x555555555614 <phase_2+41> - The program will jump to phase_2+41 if the previous cmp instruction determined the values as equal. +

+
0x0000555555555614 <+41>:    add    $0x1,%ebx
+   0x0000555555555617 <+44>:    add    $0x4,%rbp
+   0x000055555555561b <+48>:    cmp    $0x6,%ebx
+   0x000055555555561e <+51>:    je     0x555555555631 <phase2+70>
    0x0000555555555620 <+53>:    mov    %ebx,%eax
-   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
-   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
-   0x0000555555555628 <+61>:    je     0x555555555614 <phase_2+41>
-
+ 0x0000555555555622 <+55>: add 0x0(%rbp),%eax + 0x0000555555555625 <+58>: cmp %eax,0x4(%rbp) + 0x0000555555555628 <+61>: je 0x555555555614 <phase2+41> +
+

Here, we can see that the program increments %ebx by 1, adds a 4 byte offset to %rbp (the number we will be matching now), and checks if %ebx is equal to 6. If it is, it breaks the loop and jumps to <phase_2+70> succesfully finishing this stage.

@@ -3379,208 +3399,223 @@ End of assembler dump.
  • 6th number = 10 (prev value) + 5 = 15
  • -
    ...
    -Phase 1 defused. How about the next one?
    -0 1 3 6 10 15
    +
    +
    ...
    +Phase 1 defused. How about the next one?
    +0 1 3 6 10 15
     
    -Breakpoint 1, 0x00005555555555eb in phase_2 ()
    -(gdb) continue
    +Breakpoint 1, 0x00005555555555eb in phase_2 ()
    +(gdb) continue
     Continuing.
    -That's number 2.  Keep going!
    +That's number 2.  Keep going!
     
    +

    Phase 3

    Let us look at the disassembled code first

    -
    0000000000001638 <phase_3>:
    -    1638:   f3 0f 1e fa             endbr64 
    -    163c:   48 83 ec 18             sub    $0x18,%rsp
    -    1640:   48 8d 4c 24 07          lea    0x7(%rsp),%rcx
    -    1645:   48 8d 54 24 0c          lea    0xc(%rsp),%rdx
    -    164a:   4c 8d 44 24 08          lea    0x8(%rsp),%r8
    -    164f:   48 8d 35 60 1b 00 00    lea    0x1b60(%rip),%rsi        # 31b6 <_IO_stdin_used+0x1b6>
    -    1656:   b8 00 00 00 00          mov    $0x0,%eax
    -    165b:   e8 80 fc ff ff          call   12e0 <__isoc99_sscanf@plt>
    -    1660:   83 f8 02                cmp    $0x2,%eax
    -    1663:   7e 20                   jle    1685 <phase_3+0x4d>
    -    1665:   83 7c 24 0c 07          cmpl   $0x7,0xc(%rsp)
    -    166a:   0f 87 0d 01 00 00       ja     177d <phase_3+0x145>
    -    1670:   8b 44 24 0c             mov    0xc(%rsp),%eax
    -    1674:   48 8d 15 55 1b 00 00    lea    0x1b55(%rip),%rdx        # 31d0 <_IO_stdin_used+0x1d0>
    -    167b:   48 63 04 82             movslq (%rdx,%rax,4),%rax
    -    167f:   48 01 d0                add    %rdx,%rax
    -    1682:   3e ff e0                notrack jmp *%rax
    -    1685:   e8 c0 06 00 00          call   1d4a <explode_bomb>
    -    168a:   eb d9                   jmp    1665 <phase_3+0x2d>
    -    168c:   b8 63 00 00 00          mov    $0x63,%eax
    -    1691:   81 7c 24 08 3d 02 00    cmpl   $0x23d,0x8(%rsp)
    -    1698:   00 
    -    1699:   0f 84 e8 00 00 00       je     1787 <phase_3+0x14f>
    -    169f:   e8 a6 06 00 00          call   1d4a <explode_bomb>
    -    16a4:   b8 63 00 00 00          mov    $0x63,%eax
    -    16a9:   e9 d9 00 00 00          jmp    1787 <phase_3+0x14f>
    -    16ae:   b8 61 00 00 00          mov    $0x61,%eax
    -    16b3:   81 7c 24 08 27 01 00    cmpl   $0x127,0x8(%rsp)
    -    16ba:   00 
    -    16bb:   0f 84 c6 00 00 00       je     1787 <phase_3+0x14f>
    -    16c1:   e8 84 06 00 00          call   1d4a <explode_bomb>
    -    16c6:   b8 61 00 00 00          mov    $0x61,%eax
    -    16cb:   e9 b7 00 00 00          jmp    1787 <phase_3+0x14f>
    -    16d0:   b8 78 00 00 00          mov    $0x78,%eax
    -    16d5:   81 7c 24 08 e7 02 00    cmpl   $0x2e7,0x8(%rsp)
    -    16dc:   00 
    -    16dd:   0f 84 a4 00 00 00       je     1787 <phase_3+0x14f>
    -    16e3:   e8 62 06 00 00          call   1d4a <explode_bomb>
    -    16e8:   b8 78 00 00 00          mov    $0x78,%eax
    -    16ed:   e9 95 00 00 00          jmp    1787 <phase_3+0x14f>
    -    16f2:   b8 64 00 00 00          mov    $0x64,%eax
    -    16f7:   81 7c 24 08 80 02 00    cmpl   $0x280,0x8(%rsp)
    -    16fe:   00 
    -    16ff:   0f 84 82 00 00 00       je     1787 <phase_3+0x14f>
    -    1705:   e8 40 06 00 00          call   1d4a <explode_bomb>
    -    170a:   b8 64 00 00 00          mov    $0x64,%eax
    -    170f:   eb 76                   jmp    1787 <phase_3+0x14f>
    -    1711:   b8 6d 00 00 00          mov    $0x6d,%eax
    -    1716:   81 7c 24 08 ff 02 00    cmpl   $0x2ff,0x8(%rsp)
    -    171d:   00 
    -    171e:   74 67                   je     1787 <phase_3+0x14f>
    -    1720:   e8 25 06 00 00          call   1d4a <explode_bomb>
    -    1725:   b8 6d 00 00 00          mov    $0x6d,%eax
    -    172a:   eb 5b                   jmp    1787 <phase_3+0x14f>
    -    172c:   b8 71 00 00 00          mov    $0x71,%eax
    -    1731:   81 7c 24 08 75 03 00    cmpl   $0x375,0x8(%rsp)
    -    1738:   00 
    -    1739:   74 4c                   je     1787 <phase_3+0x14f>
    -    173b:   e8 0a 06 00 00          call   1d4a <explode_bomb>
    -    1740:   b8 71 00 00 00          mov    $0x71,%eax
    -    1745:   eb 40                   jmp    1787 <phase_3+0x14f>
    -    1747:   b8 79 00 00 00          mov    $0x79,%eax
    -    174c:   81 7c 24 08 94 02 00    cmpl   $0x294,0x8(%rsp)
    -    1753:   00 
    -    1754:   74 31                   je     1787 <phase_3+0x14f>
    -    1756:   e8 ef 05 00 00          call   1d4a <explode_bomb>
    -    175b:   b8 79 00 00 00          mov    $0x79,%eax
    -    1760:   eb 25                   jmp    1787 <phase_3+0x14f>
    -    1762:   b8 79 00 00 00          mov    $0x79,%eax
    -    1767:   81 7c 24 08 88 02 00    cmpl   $0x288,0x8(%rsp)
    -    176e:   00 
    -    176f:   74 16                   je     1787 <phase_3+0x14f>
    -    1771:   e8 d4 05 00 00          call   1d4a <explode_bomb>
    -    1776:   b8 79 00 00 00          mov    $0x79,%eax
    -    177b:   eb 0a                   jmp    1787 <phase_3+0x14f>
    -    177d:   e8 c8 05 00 00          call   1d4a <explode_bomb>
    -    1782:   b8 68 00 00 00          mov    $0x68,%eax
    -    1787:   38 44 24 07             cmp    %al,0x7(%rsp)
    -    178b:   75 05                   jne    1792 <phase_3+0x15a>
    -    178d:   48 83 c4 18             add    $0x18,%rsp
    -    1791:   c3                      ret    
    -    1792:   e8 b3 05 00 00          call   1d4a <explode_bomb>
    -    1797:   eb f4                   jmp    178d <phase_3+0x155>
    +
    +
    0000000000001638 <phase_3>:
    +    1638:   f3 0f 1e fa             endbr64 
    +    163c:   48 83 ec 18             sub    $0x18,%rsp
    +    1640:   48 8d 4c 24 07          lea    0x7(%rsp),%rcx
    +    1645:   48 8d 54 24 0c          lea    0xc(%rsp),%rdx
    +    164a:   4c 8d 44 24 08          lea    0x8(%rsp),%r8
    +    164f:   48 8d 35 60 1b 00 00    lea    0x1b60(%rip),%rsi        # 31b6 <_IO_stdin_used+0x1b6>
    +    1656:   b8 00 00 00 00          mov    $0x0,%eax
    +    165b:   e8 80 fc ff ff          call   12e0 <__isoc99_sscanf@plt>
    +    1660:   83 f8 02                cmp    $0x2,%eax
    +    1663:   7e 20                   jle    1685 <phase_3+0x4d>
    +    1665:   83 7c 24 0c 07          cmpl   $0x7,0xc(%rsp)
    +    166a:   0f 87 0d 01 00 00       ja     177d <phase_3+0x145>
    +    1670:   8b 44 24 0c             mov    0xc(%rsp),%eax
    +    1674:   48 8d 15 55 1b 00 00    lea    0x1b55(%rip),%rdx        # 31d0 <_IO_stdin_used+0x1d0>
    +    167b:   48 63 04 82             movslq (%rdx,%rax,4),%rax
    +    167f:   48 01 d0                add    %rdx,%rax
    +    1682:   3e ff e0                notrack jmp *%rax
    +    1685:   e8 c0 06 00 00          call   1d4a <explode_bomb>
    +    168a:   eb d9                   jmp    1665 <phase_3+0x2d>
    +    168c:   b8 63 00 00 00          mov    $0x63,%eax
    +    1691:   81 7c 24 08 3d 02 00    cmpl   $0x23d,0x8(%rsp)
    +    1698:   00 
    +    1699:   0f 84 e8 00 00 00       je     1787 <phase_3+0x14f>
    +    169f:   e8 a6 06 00 00          call   1d4a <explode_bomb>
    +    16a4:   b8 63 00 00 00          mov    $0x63,%eax
    +    16a9:   e9 d9 00 00 00          jmp    1787 <phase_3+0x14f>
    +    16ae:   b8 61 00 00 00          mov    $0x61,%eax
    +    16b3:   81 7c 24 08 27 01 00    cmpl   $0x127,0x8(%rsp)
    +    16ba:   00 
    +    16bb:   0f 84 c6 00 00 00       je     1787 <phase_3+0x14f>
    +    16c1:   e8 84 06 00 00          call   1d4a <explode_bomb>
    +    16c6:   b8 61 00 00 00          mov    $0x61,%eax
    +    16cb:   e9 b7 00 00 00          jmp    1787 <phase_3+0x14f>
    +    16d0:   b8 78 00 00 00          mov    $0x78,%eax
    +    16d5:   81 7c 24 08 e7 02 00    cmpl   $0x2e7,0x8(%rsp)
    +    16dc:   00 
    +    16dd:   0f 84 a4 00 00 00       je     1787 <phase_3+0x14f>
    +    16e3:   e8 62 06 00 00          call   1d4a <explode_bomb>
    +    16e8:   b8 78 00 00 00          mov    $0x78,%eax
    +    16ed:   e9 95 00 00 00          jmp    1787 <phase_3+0x14f>
    +    16f2:   b8 64 00 00 00          mov    $0x64,%eax
    +    16f7:   81 7c 24 08 80 02 00    cmpl   $0x280,0x8(%rsp)
    +    16fe:   00 
    +    16ff:   0f 84 82 00 00 00       je     1787 <phase_3+0x14f>
    +    1705:   e8 40 06 00 00          call   1d4a <explode_bomb>
    +    170a:   b8 64 00 00 00          mov    $0x64,%eax
    +    170f:   eb 76                   jmp    1787 <phase_3+0x14f>
    +    1711:   b8 6d 00 00 00          mov    $0x6d,%eax
    +    1716:   81 7c 24 08 ff 02 00    cmpl   $0x2ff,0x8(%rsp)
    +    171d:   00 
    +    171e:   74 67                   je     1787 <phase_3+0x14f>
    +    1720:   e8 25 06 00 00          call   1d4a <explode_bomb>
    +    1725:   b8 6d 00 00 00          mov    $0x6d,%eax
    +    172a:   eb 5b                   jmp    1787 <phase_3+0x14f>
    +    172c:   b8 71 00 00 00          mov    $0x71,%eax
    +    1731:   81 7c 24 08 75 03 00    cmpl   $0x375,0x8(%rsp)
    +    1738:   00 
    +    1739:   74 4c                   je     1787 <phase_3+0x14f>
    +    173b:   e8 0a 06 00 00          call   1d4a <explode_bomb>
    +    1740:   b8 71 00 00 00          mov    $0x71,%eax
    +    1745:   eb 40                   jmp    1787 <phase_3+0x14f>
    +    1747:   b8 79 00 00 00          mov    $0x79,%eax
    +    174c:   81 7c 24 08 94 02 00    cmpl   $0x294,0x8(%rsp)
    +    1753:   00 
    +    1754:   74 31                   je     1787 <phase_3+0x14f>
    +    1756:   e8 ef 05 00 00          call   1d4a <explode_bomb>
    +    175b:   b8 79 00 00 00          mov    $0x79,%eax
    +    1760:   eb 25                   jmp    1787 <phase_3+0x14f>
    +    1762:   b8 79 00 00 00          mov    $0x79,%eax
    +    1767:   81 7c 24 08 88 02 00    cmpl   $0x288,0x8(%rsp)
    +    176e:   00 
    +    176f:   74 16                   je     1787 <phase_3+0x14f>
    +    1771:   e8 d4 05 00 00          call   1d4a <explode_bomb>
    +    1776:   b8 79 00 00 00          mov    $0x79,%eax
    +    177b:   eb 0a                   jmp    1787 <phase_3+0x14f>
    +    177d:   e8 c8 05 00 00          call   1d4a <explode_bomb>
    +    1782:   b8 68 00 00 00          mov    $0x68,%eax
    +    1787:   38 44 24 07             cmp    %al,0x7(%rsp)
    +    178b:   75 05                   jne    1792 <phase_3+0x15a>
    +    178d:   48 83 c4 18             add    $0x18,%rsp
    +    1791:   c3                      ret    
    +    1792:   e8 b3 05 00 00          call   1d4a <explode_bomb>
    +    1797:   eb f4                   jmp    178d <phase_3+0x155>
     
    +
    -
    ...
    -    165b:   e8 80 fc ff ff          call   12e0 <__isoc99_sscanf@plt>
    +
    +
    ...
    +    165b:   e8 80 fc ff ff          call   12e0 <__isoc99_sscanf@plt>
     ...
     
    +

    We can see that scanf is being called which means we need to figure out what datatype(s) the program is expecting.

    Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions.

    -
    jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt 
    -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
    -Copyright (C) 2022 Free Software Foundation, Inc.
    -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
    +
    +
    joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt 
    +GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
    +Copyright (C) 2022 Free Software Foundation, Inc.
    +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
     This is free software: you are free to change and redistribute it.
     There is NO WARRANTY, to the extent permitted by law.
    -Type "show copying" and "show warranty" for details.
    -This GDB was configured as "x86_64-linux-gnu".
    -Type "show configuration" for configuration details.
    +Type "show copying" and "show warranty" for details.
    +This GDB was configured as "x86_64-linux-gnu".
    +Type "show configuration" for configuration details.
     For bug reporting instructions, please see:
     <https://www.gnu.org/software/gdb/bugs/>.
     Find the GDB manual and other documentation resources online at:
         <http://www.gnu.org/software/gdb/documentation/>.
     
    -For help, type "help".
    -Type "apropos word" to search for commands related to "word"...
    +For help, type "help".
    +Type "apropos word" to search for commands related to "word"...
     Reading symbols from ./bomb...
    -Breakpoint 1 at 0x1638
    -Breakpoint 2 at 0x1d4a
    -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
    -[Thread debugging using libthread_db enabled]
    -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    -Welcome to my fiendish little bomb. You have 6 phases with
    +Breakpoint 1 at 0x1638
    +Breakpoint 2 at 0x1d4a
    +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
    +[Thread debugging using libthread_db enabled]
    +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    +Welcome to my fiendish little bomb. You have 6 phases with
     which to blow yourself up. Have a nice day!
    -Phase 1 defused. How about the next one?
    -That's number 2.  Keep going!
    +Phase 1 defused. How about the next one?
    +That's number 2.  Keep going!
     random string
     
    -Breakpoint 1, 0x0000555555555638 in phase_3 ()
    -(gdb) disas
    -Dump of assembler code for function phase_3:
    -=> 0x0000555555555638 <+0>:     endbr64 
    -   0x000055555555563c <+4>:     sub    $0x18,%rsp
    -   0x0000555555555640 <+8>:     lea    0x7(%rsp),%rcx
    -   0x0000555555555645 <+13>:    lea    0xc(%rsp),%rdx
    -   0x000055555555564a <+18>:    lea    0x8(%rsp),%r8
    -   0x000055555555564f <+23>:    lea    0x1b60(%rip),%rsi        # 0x5555555571b6
    -   0x0000555555555656 <+30>:    mov    $0x0,%eax
    +Breakpoint 1, 0x0000555555555638 in phase_3 ()
    +(gdb) disas
    +Dump of assembler code for function phase_3:
    +=> 0x0000555555555638 <+0>:     endbr64 
    +   0x000055555555563c <+4>:     sub    $0x18,%rsp
    +   0x0000555555555640 <+8>:     lea    0x7(%rsp),%rcx
    +   0x0000555555555645 <+13>:    lea    0xc(%rsp),%rdx
    +   0x000055555555564a <+18>:    lea    0x8(%rsp),%r8
    +   0x000055555555564f <+23>:    lea    0x1b60(%rip),%rsi        # 0x5555555571b6
    +   0x0000555555555656 <+30>:    mov    $0x0,%eax
        0x000055555555565b <+35>:    call   0x5555555552e0 <__isoc99_sscanf@plt>
    -   0x0000555555555660 <+40>:    cmp    $0x2,%eax
    +   0x0000555555555660 <+40>:    cmp    $0x2,%eax
        0x0000555555555663 <+43>:    jle    0x555555555685 <phase_3+77>
    -   0x0000555555555665 <+45>:    cmpl   $0x7,0xc(%rsp)
    +   0x0000555555555665 <+45>:    cmpl   $0x7,0xc(%rsp)
        0x000055555555566a <+50>:    ja     0x55555555577d <phase_3+325>
    -   0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax
    -   0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0
    -   0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax
    +   0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax
    +   0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0
    +   0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax
        0x000055555555567f <+71>:    add    %rdx,%rax
        0x0000555555555682 <+74>:    notrack jmp *%rax
        0x0000555555555685 <+77>:    call   0x555555555d4a <explode_bomb>
        0x000055555555568a <+82>:    jmp    0x555555555665 <phase_3+45>
    -   0x000055555555568c <+84>:    mov    $0x63,%eax
    -   0x0000555555555691 <+89>:    cmpl   $0x23d,0x8(%rsp)
    +   0x000055555555568c <+84>:    mov    $0x63,%eax
    +   0x0000555555555691 <+89>:    cmpl   $0x23d,0x8(%rsp)
        0x0000555555555699 <+97>:    je     0x555555555787 <phase_3+335>
        0x000055555555569f <+103>:   call   0x555555555d4a <explode_bomb>
    -   0x00005555555556a4 <+108>:   mov    $0x63,%eax
    +   0x00005555555556a4 <+108>:   mov    $0x63,%eax
        0x00005555555556a9 <+113>:   jmp    0x555555555787 <phase_3+335>
    ---Type <RET> for more, q to quit, c to continue without paging--
    +--Type <RET> for more, q to quit, c to continue without paging--
     
    +

    gdb has thankfully marked the address which is being passed to scanf. We can access the value:

    -
    (gdb) x/1s 0x5555555571b6
    -0x5555555571b6: "%d %c %d"
    -(gdb) 
    +
    +
    (gdb) x/1s 0x5555555571b6
    +0x5555555571b6: "%d %c %d"
    +(gdb) 
     
    +

    BINGO! The program expects an integer, character, and another integer. Onwards.

    -
       0x0000555555555660 <+40>:    cmp    $0x2,%eax
    +
    +
       0x0000555555555660 <+40>:    cmp    $0x2,%eax
        0x0000555555555663 <+43>:    jle    0x555555555685 <phase_3+77>
     ...
        0x0000555555555685 <+77>:    call   0x555555555d4a <explode_bomb>
     
    +

    The program checks whether scanf returns a value <= 2, if it does then it calls the explode_bomb function.

    Note: scanf returns the number of fields that were succesfully converted and assigned

    -
       0x0000555555555665 <+45>:    cmpl   $0x7,0xc(%rsp)
    +
    +
       0x0000555555555665 <+45>:    cmpl   $0x7,0xc(%rsp)
        0x000055555555566a <+50>:    ja     0x55555555577d <phase_3+325>
     ...
        0x000055555555577d <+325>:   call   0x555555555d4a <explode_bomb>
     
    +
    -

    Similarly, the program checks and ensures the returned value is not > 7.

    - -
       0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax
    -   0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0
    -   0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax
    +

    Similarly, the program checks and ensures the returned value is not > 7. +

    +
    0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax
    +   0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0
    +   0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax
        0x000055555555567f <+71>:    add    %rdx,%rax
        0x0000555555555682 <+74>:    notrack jmp *%rax
        0x0000555555555685 <+77>:    call   0x555555555d4a <explode_bomb>
    -
    +
    +

    • 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax - Moves value located at 0xc (12 in Decimal) bytes above the stack pointer to %eax register.
    • @@ -3610,137 +3645,151 @@ $1 = 3

      Screenshot of GDB terminal depicting us checking the value of the instruction to be jumped to

      -

      We can see that this makes us jump to <phase_3+186> (Continue to step through the code by using ni)

      - -
         0x00005555555556f2 <+186>:   mov    $0x64,%eax
      -   0x00005555555556f7 <+191>:   cmpl   $0x280,0x8(%rsp)
      -   0x00005555555556ff <+199>:   je     0x555555555787 <phase_3+335>
      -   0x0000555555555705 <+205>:   call   0x555555555d4a <explode_bomb>
      -
      - -

      We see that 0x64 (Decimal 100) is being stored in %eax. Then, the program compares 0x280 (Decimal 640) with memory address 0x8 bytes above the stack pointer (%rsp). If the values are equal, then it jumps to <phase_3+335>, otherwise explode_bomb is called.

      - -
         0x0000555555555787 <+335>:   cmp    %al,0x7(%rsp)
      -   0x000055555555578b <+339>:   jne    0x555555555792 <phase_3+346>
      -   0x000055555555578d <+341>:   add    $0x18,%rsp
      -   0x0000555555555791 <+345>:   ret    
      -   0x0000555555555792 <+346>:   call   0x555555555d4a <explode_bomb>
      -
      +

      We can see that this makes us jump to <phase_3+186> (Continue to step through the code by using ni) +

      +
      0x00005555555556f2 <+186>:   mov    $0x64,%eax
      +   0x00005555555556f7 <+191>:   cmpl   $0x280,0x8(%rsp)
      +   0x00005555555556ff <+199>:   je     0x555555555787 <phase3+335>
      +   0x0000555555555705 <+205>:   call   0x555555555d4a <explodebomb>
      +   
      +

      + +

      We see that 0x64 (Decimal 100) is being stored in %eax. Then, the program compares 0x280 (Decimal 640) with memory address 0x8 bytes above the stack pointer (%rsp). If the values are equal, then it jumps to <phase_3+335>, otherwise explode_bomb is called. +

      +
      0x0000555555555787 <+335>:   cmp    %al,0x7(%rsp)
      +   0x000055555555578b <+339>:   jne    0x555555555792 <phase3+346>
      +   0x000055555555578d <+341>:   add    $0x18,%rsp
      +   0x0000555555555791 <+345>:   ret 
      + 0x0000555555555792 <+346>: call 0x555555555d4a <explode
      bomb> +
      +

      Here, the program is comparing the value of our given character to the value stored in %al (lower 8 bits of EAX), and checks if they are not equal.

      Knowing that the character is stored at an offset of 7 bytes to %rsp, we can print and check the value by running:

      -
      (gdb) x/1cw $rsp+7
      +
      +
      (gdb) x/1cw $rsp+7
       c
      -(gdb) print $al
      -$1 = 100
      +(gdb) print $al
      +$1 = 100
       
      +

      We can simply lookup the ASCII table, and see that 100 in decimal stands for the character d. Let us try this answer:

      -
      ...
      -That's number 2.  Keep going!
      -3 d 640
      +
      +
      ...
      +That's number 2.  Keep going!
      +3 d 640
       
      -Breakpoint 1, 0x0000555555555638 in phase_3 ()
      -(gdb) continue
      +Breakpoint 1, 0x0000555555555638 in phase_3 ()
      +(gdb) continue
       Continuing.
       Halfway there!
       
      +

      Phase 4

      -
      jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt 
      -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
      -Copyright (C) 2022 Free Software Foundation, Inc.
      -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
      +
      +
      joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt 
      +GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
      +Copyright (C) 2022 Free Software Foundation, Inc.
      +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
       This is free software: you are free to change and redistribute it.
       There is NO WARRANTY, to the extent permitted by law.
      -Type "show copying" and "show warranty" for details.
      -This GDB was configured as "x86_64-linux-gnu".
      -Type "show configuration" for configuration details.
      +Type "show copying" and "show warranty" for details.
      +This GDB was configured as "x86_64-linux-gnu".
      +Type "show configuration" for configuration details.
       For bug reporting instructions, please see:
       <https://www.gnu.org/software/gdb/bugs/>.
       Find the GDB manual and other documentation resources online at:
           <http://www.gnu.org/software/gdb/documentation/>.
       
      -For help, type "help".
      -Type "apropos word" to search for commands related to "word"...
      +For help, type "help".
      +Type "apropos word" to search for commands related to "word"...
       Reading symbols from ./bomb...
      -Breakpoint 1 at 0x17d3
      -Breakpoint 2 at 0x1d4a
      -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
      -[Thread debugging using libthread_db enabled]
      -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
      -Welcome to my fiendish little bomb. You have 6 phases with
      +Breakpoint 1 at 0x17d3
      +Breakpoint 2 at 0x1d4a
      +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
      +[Thread debugging using libthread_db enabled]
      +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
      +Welcome to my fiendish little bomb. You have 6 phases with
       which to blow yourself up. Have a nice day!
      -Phase 1 defused. How about the next one?
      -That's number 2.  Keep going!
      +Phase 1 defused. How about the next one?
      +That's number 2.  Keep going!
       Halfway there!
      -test string
      -
      -Breakpoint 1, 0x00005555555557d3 in phase_4 ()
      -(gdb) disas phase_4
      -Dump of assembler code for function phase_4:
      -=> 0x00005555555557d3 <+0>:     endbr64 
      -   0x00005555555557d7 <+4>:     sub    $0x18,%rsp
      -   0x00005555555557db <+8>:     lea    0x8(%rsp),%rcx
      -   0x00005555555557e0 <+13>:    lea    0xc(%rsp),%rdx
      -   0x00005555555557e5 <+18>:    lea    0x1bba(%rip),%rsi        # 0x5555555573a6
      -   0x00005555555557ec <+25>:    mov    $0x0,%eax
      +test string
      +
      +Breakpoint 1, 0x00005555555557d3 in phase_4 ()
      +(gdb) disas phase_4
      +Dump of assembler code for function phase_4:
      +=> 0x00005555555557d3 <+0>:     endbr64 
      +   0x00005555555557d7 <+4>:     sub    $0x18,%rsp
      +   0x00005555555557db <+8>:     lea    0x8(%rsp),%rcx
      +   0x00005555555557e0 <+13>:    lea    0xc(%rsp),%rdx
      +   0x00005555555557e5 <+18>:    lea    0x1bba(%rip),%rsi        # 0x5555555573a6
      +   0x00005555555557ec <+25>:    mov    $0x0,%eax
          0x00005555555557f1 <+30>:    call   0x5555555552e0 <__isoc99_sscanf@plt>
      -   0x00005555555557f6 <+35>:    cmp    $0x2,%eax
      +   0x00005555555557f6 <+35>:    cmp    $0x2,%eax
          0x00005555555557f9 <+38>:    jne    0x555555555802 <phase_4+47>
      -   0x00005555555557fb <+40>:    cmpl   $0xe,0xc(%rsp)
      +   0x00005555555557fb <+40>:    cmpl   $0xe,0xc(%rsp)
          0x0000555555555800 <+45>:    jbe    0x555555555807 <phase_4+52>
          0x0000555555555802 <+47>:    call   0x555555555d4a <explode_bomb>
      -   0x0000555555555807 <+52>:    mov    $0xe,%edx
      -   0x000055555555580c <+57>:    mov    $0x0,%esi
      -   0x0000555555555811 <+62>:    mov    0xc(%rsp),%edi
      +   0x0000555555555807 <+52>:    mov    $0xe,%edx
      +   0x000055555555580c <+57>:    mov    $0x0,%esi
      +   0x0000555555555811 <+62>:    mov    0xc(%rsp),%edi
          0x0000555555555815 <+66>:    call   0x555555555799 <func4>
      -   0x000055555555581a <+71>:    cmp    $0x2,%eax
      +   0x000055555555581a <+71>:    cmp    $0x2,%eax
          0x000055555555581d <+74>:    jne    0x555555555826 <phase_4+83>
      -   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
      +   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
          0x0000555555555824 <+81>:    je     0x55555555582b <phase_4+88>
          0x0000555555555826 <+83>:    call   0x555555555d4a <explode_bomb>
      -   0x000055555555582b <+88>:    add    $0x18,%rsp
      +   0x000055555555582b <+88>:    add    $0x18,%rsp
          0x000055555555582f <+92>:    ret    
       End of assembler dump.
      -(gdb) 
      +(gdb) 
       
      +

      Again, gdb has marked the string being passed to scanf

      -
      (gdb) x/1s 0x5555555573a6
      -0x5555555573a6: "%d %d"
      +
      +
      (gdb) x/1s 0x5555555573a6
      +0x5555555573a6: "%d %d"
       
      +
      -

      Okay, so this time we are supposed to enter 2 numbers.

      - -
         0x00005555555557f6 <+35>:    cmp    $0x2,%eax
      +

      Okay, so this time we are supposed to enter 2 numbers. +

      +
      0x00005555555557f6 <+35>:    cmp    $0x2,%eax
          0x00005555555557f9 <+38>:    jne    0x555555555802 <phase_4+47>
      -
      - -

      Checks if there were 2 values read from calling scanf, if not -> jump to <phase_4+47> which calls <explode_bomb>.

      +
      +

      -
         0x00005555555557fb <+40>:    cmpl   $0xe,0xc(%rsp)
      +

      Checks if there were 2 values read from calling scanf, if not -> jump to <phase_4+47> which calls <explode_bomb>. +

      +
      0x00005555555557fb <+40>:    cmpl   $0xe,0xc(%rsp)
          0x0000555555555800 <+45>:    jbe    0x555555555807 <phase_4+52>
      -
      +
      +

      Compare 0xe (14 in Decimal) and value stored at $rsp + 0xc bytes (Decimal 12). If this condition is met (<= 14), jump to <phase_4+52>. If not, then explode bomb.

      -
      ...
      -   0x0000555555555807 <+52>:    mov    $0xe,%edx
      -   0x000055555555580c <+57>:    mov    $0x0,%esi
      -   0x0000555555555811 <+62>:    mov    0xc(%rsp),%edi
      +
      +
      ...
      +   0x0000555555555807 <+52>:    mov    $0xe,%edx
      +   0x000055555555580c <+57>:    mov    $0x0,%esi
      +   0x0000555555555811 <+62>:    mov    0xc(%rsp),%edi
          0x0000555555555815 <+66>:    call   0x555555555799 <func4>
      -   0x000055555555581a <+71>:    cmp    $0x2,%eax
      +   0x000055555555581a <+71>:    cmp    $0x2,%eax
          0x000055555555581d <+74>:    jne    0x555555555826 <phase_4+83>
      -   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
      +   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
          0x0000555555555824 <+81>:    je     0x55555555582b <phase_4+88>
          0x0000555555555826 <+83>:    call   0x555555555d4a <explode_bomb>
       
      +
      • 0x0000555555555815 <+66>: call 0x555555555799 <func4> calls another function called func4
      • @@ -3749,55 +3798,59 @@ End of assembler dump.

        Let us look into func4

        -
        (gdb) disas func4
        -Dump of assembler code for function func4:
        +
        +
        (gdb) disas func4
        +Dump of assembler code for function func4:
            0x0000555555555799 <+0>:     endbr64 
        -   0x000055555555579d <+4>:     sub    $0x8,%rsp
        +   0x000055555555579d <+4>:     sub    $0x8,%rsp
            0x00005555555557a1 <+8>:     mov    %edx,%ecx
            0x00005555555557a3 <+10>:    sub    %esi,%ecx
            0x00005555555557a5 <+12>:    shr    %ecx
            0x00005555555557a7 <+14>:    add    %esi,%ecx
            0x00005555555557a9 <+16>:    cmp    %edi,%ecx
            0x00005555555557ab <+18>:    ja     0x5555555557b9 <func4+32>
        -   0x00005555555557ad <+20>:    mov    $0x0,%eax
        +   0x00005555555557ad <+20>:    mov    $0x0,%eax
            0x00005555555557b2 <+25>:    jb     0x5555555557c5 <func4+44>
        -   0x00005555555557b4 <+27>:    add    $0x8,%rsp
        +   0x00005555555557b4 <+27>:    add    $0x8,%rsp
            0x00005555555557b8 <+31>:    ret    
        -   0x00005555555557b9 <+32>:    lea    -0x1(%rcx),%edx
        +   0x00005555555557b9 <+32>:    lea    -0x1(%rcx),%edx
            0x00005555555557bc <+35>:    call   0x555555555799 <func4>
            0x00005555555557c1 <+40>:    add    %eax,%eax
            0x00005555555557c3 <+42>:    jmp    0x5555555557b4 <func4+27>
        -   0x00005555555557c5 <+44>:    lea    0x1(%rcx),%esi
        +   0x00005555555557c5 <+44>:    lea    0x1(%rcx),%esi
            0x00005555555557c8 <+47>:    call   0x555555555799 <func4>
        -   0x00005555555557cd <+52>:    lea    0x1(%rax,%rax,1),%eax
        +   0x00005555555557cd <+52>:    lea    0x1(%rax,%rax,1),%eax
            0x00005555555557d1 <+56>:    jmp    0x5555555557b4 <func4+27>
         
        +

        This looks like a recursive function :( (I hate recursive functions)

        Let's annotate the instructions.

        -
        endbr64
        -sub $0x8,%rsp  // subtract 8 bytes from the stack pointer
        -mov %edx,%ecx  // Move the value in register %edx to %ecx
        -sub %esi,%ecx  // Subtract the value in %esi from %ecx
        -shr %ecx       // Right shift the value in %ecx by one bit (dividing the value by 2)
        -add %esi,%ecx  // Add the value in %esi to %ecx
        +
        +
        endbr64
        +sub $0x8,%rsp  // subtract 8 bytes from the stack pointer
        +mov %edx,%ecx  // Move the value in register %edx to %ecx
        +sub %esi,%ecx  // Subtract the value in %esi from %ecx
        +shr %ecx       // Right shift the value in %ecx by one bit (dividing the value by 2)
        +add %esi,%ecx  // Add the value in %esi to %ecx
         cmp %edi,%ecx  // Compare
         ja 0x5555555557b9 <func4+32> // If %ecx > %edi -> jump to instruction at offset +32
        -mov $0x0,%eax  // Move 0 to %eax
        +mov $0x0,%eax  // Move 0 to %eax
         jb 0x5555555557c5 <func4+44> // If %ecx < %edi -> jump to instruction at offset +44.
        -add $0x8,%rsp  // add 8 bytes to the stack pointer
        -ret            // return
        -lea -0x1(%rcx),%edx // LEA of $rxc - 1 into $edx
        +add $0x8,%rsp  // add 8 bytes to the stack pointer
        +ret            // return
        +lea -0x1(%rcx),%edx // LEA of $rxc - 1 into $edx
         call 0x555555555799 <func4> // Call itself
        -add %eax,%eax  // Double the value in %eax
        +add %eax,%eax  // Double the value in %eax
         jmp 0x5555555557b4 <func4+27> // jump to the instruction at offset +27
        -lea 0x1(%rcx),%esi
        +lea 0x1(%rcx),%esi
         call 0x555555555799 <func4>
        -lea 0x1(%rax,%rax,1),%eax // LEA of %rax * 2 + 1 into $eax 
        +lea 0x1(%rax,%rax,1),%eax // LEA of %rax * 2 + 1 into $eax 
         jmp 0x5555555557b4 <func4+27>
         
        +

        We can either try to compute the values by hand, or write a simple script in Python to get the answer.

        @@ -3822,57 +3875,61 @@ jmp 0x5555555557b4 <func4+27>

        Okay, so we know that the number needed to be passed to func4 is 5. But, what about the second digit?

        -

        If we go back to the code for <phase_4>, we can see that:

        - -
           0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
        +

        If we go back to the code for <phase_4>, we can see that: +

        +
        0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
            0x0000555555555824 <+81>:    je     0x55555555582b <phase_4+88>
        -
        +
        +

        The value at $rsp+8 should be equal to 2. So, let us try passing 5 2 as our input.

        -
        ...
        -Phase 1 defused. How about the next one?
        -That's number 2.  Keep going!
        +
        +
        ...
        +Phase 1 defused. How about the next one?
        +That's number 2.  Keep going!
         Halfway there!
        -5 2
        +5 2
         
        -Breakpoint 1, 0x00005555555557d3 in phase_4 ()
        -(gdb) continue
        +Breakpoint 1, 0x00005555555557d3 in phase_4 ()
        +(gdb) continue
         Continuing.
         So you got that one.  Try this one.
         
        +

        Phase 5

        -
        So you got that one.  Try this one.
        -test string
        +
        +
        So you got that one.  Try this one.
        +test string
         
        -Breakpoint 1, 0x0000555555555830 in phase_5 ()
        -(gdb) disas phase_5
        -Dump of assembler code for function phase_5:
        -=> 0x0000555555555830 <+0>:     endbr64 
        +Breakpoint 1, 0x0000555555555830 in phase_5 ()
        +(gdb) disas phase_5
        +Dump of assembler code for function phase_5:
        +=> 0x0000555555555830 <+0>:     endbr64 
            0x0000555555555834 <+4>:     push   %rbx
        -   0x0000555555555835 <+5>:     sub    $0x10,%rsp
        +   0x0000555555555835 <+5>:     sub    $0x10,%rsp
            0x0000555555555839 <+9>:     mov    %rdi,%rbx
            0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
        -   0x0000555555555841 <+17>:    cmp    $0x6,%eax
        +   0x0000555555555841 <+17>:    cmp    $0x6,%eax
            0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
        -   0x0000555555555846 <+22>:    mov    $0x0,%eax
        -   0x000055555555584b <+27>:    lea    0x199e(%rip),%rcx        # 0x5555555571f0 <array.0>
        -   0x0000555555555852 <+34>:    movzbl (%rbx,%rax,1),%edx
        -   0x0000555555555856 <+38>:    and    $0xf,%edx
        -   0x0000555555555859 <+41>:    movzbl (%rcx,%rdx,1),%edx
        -   0x000055555555585d <+45>:    mov    %dl,0x9(%rsp,%rax,1)
        -   0x0000555555555861 <+49>:    add    $0x1,%rax
        -   0x0000555555555865 <+53>:    cmp    $0x6,%rax
        +   0x0000555555555846 <+22>:    mov    $0x0,%eax
        +   0x000055555555584b <+27>:    lea    0x199e(%rip),%rcx        # 0x5555555571f0 <array.0>
        +   0x0000555555555852 <+34>:    movzbl (%rbx,%rax,1),%edx
        +   0x0000555555555856 <+38>:    and    $0xf,%edx
        +   0x0000555555555859 <+41>:    movzbl (%rcx,%rdx,1),%edx
        +   0x000055555555585d <+45>:    mov    %dl,0x9(%rsp,%rax,1)
        +   0x0000555555555861 <+49>:    add    $0x1,%rax
        +   0x0000555555555865 <+53>:    cmp    $0x6,%rax
            0x0000555555555869 <+57>:    jne    0x555555555852 <phase_5+34>
        -   0x000055555555586b <+59>:    movb   $0x0,0xf(%rsp)
        -   0x0000555555555870 <+64>:    lea    0x9(%rsp),%rdi
        -   0x0000555555555875 <+69>:    lea    0x1943(%rip),%rsi        # 0x5555555571bf
        +   0x000055555555586b <+59>:    movb   $0x0,0xf(%rsp)
        +   0x0000555555555870 <+64>:    lea    0x9(%rsp),%rdi
        +   0x0000555555555875 <+69>:    lea    0x1943(%rip),%rsi        # 0x5555555571bf
            0x000055555555587c <+76>:    call   0x555555555b31 <strings_not_equal>
        -   0x0000555555555881 <+81>:    test   %eax,%eax
        +   0x0000555555555881 <+81>:    test   %eax,%eax
            0x0000555555555883 <+83>:    jne    0x555555555892 <phase_5+98>
        -   0x0000555555555885 <+85>:    add    $0x10,%rsp
        +   0x0000555555555885 <+85>:    add    $0x10,%rsp
            0x0000555555555889 <+89>:    pop    %rbx
            0x000055555555588a <+90>:    ret    
            0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
        @@ -3880,17 +3937,20 @@ Dump of assembler code for function phase_5:
            0x0000555555555892 <+98>:    call   0x555555555d4a <explode_bomb>
            0x0000555555555897 <+103>:   jmp    0x555555555885 <phase_5+85>
         End of assembler dump.
        -(gdb) 
        +(gdb) 
         
        +
        -
        ...
        +
        +
        ...
            0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
        -   0x0000555555555841 <+17>:    cmp    $0x6,%eax
        +   0x0000555555555841 <+17>:    cmp    $0x6,%eax
            0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
         ...
            0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
         ...
         
        +

        First things first, these instructions check to make sure the passed string is of length 6, otherwise explode_bomb is called.

        @@ -3914,12 +3974,14 @@ End of assembler dump.

        We can check the reference string we need, which gdb has marked as # 0x5555555571bf, and the lookup table marked as # 0x5555555571f0 <array.0>

        -
        (gdb) x/s 0x5555555571bf
        -0x5555555571bf: "bruins"
        -(gdb) x/s 0x5555555571f0
        -0x5555555571f0 <array.0>:       "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"
        -(gdb) 
        +
        +
        (gdb) x/s 0x5555555571bf
        +0x5555555571bf: "bruins"
        +(gdb) x/s 0x5555555571f0
        +0x5555555571f0 <array.0>:       "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"
        +(gdb) 
         
        +

        To summarize the transformation process:

        @@ -3951,115 +4013,118 @@ s -> g

        Let us try out this answer:

        -
        ...
        -That's number 2.  Keep going!
        +
        +
        ...
        +That's number 2.  Keep going!
         Halfway there!
         So you got that one.  Try this one.
         mfcdhg
         
        -Breakpoint 1, 0x0000555555555830 in phase_5 ()
        -(gdb) continue
        +Breakpoint 1, 0x0000555555555830 in phase_5 ()
        +(gdb) continue
         Continuing.
         Good work!  On to the next...
         
        +

        Awesome!

        Phase 6

        -
        Good work!  On to the next...
        -test string
        +
        +
        Good work!  On to the next...
        +test string
         
        -Breakpoint 1, 0x0000555555555899 in phase_6 ()
        -(gdb) disas phase_6
        -Dump of assembler code for function phase_6:
        -=> 0x0000555555555899 <+0>:     endbr64 
        +Breakpoint 1, 0x0000555555555899 in phase_6 ()
        +(gdb) disas phase_6
        +Dump of assembler code for function phase_6:
        +=> 0x0000555555555899 <+0>:     endbr64 
            0x000055555555589d <+4>:     push   %r15
            0x000055555555589f <+6>:     push   %r14
            0x00005555555558a1 <+8>:     push   %r13
            0x00005555555558a3 <+10>:    push   %r12
            0x00005555555558a5 <+12>:    push   %rbp
            0x00005555555558a6 <+13>:    push   %rbx
        -   0x00005555555558a7 <+14>:    sub    $0x68,%rsp
        -   0x00005555555558ab <+18>:    lea    0x40(%rsp),%rax
        +   0x00005555555558a7 <+14>:    sub    $0x68,%rsp
        +   0x00005555555558ab <+18>:    lea    0x40(%rsp),%rax
            0x00005555555558b0 <+23>:    mov    %rax,%r14
        -   0x00005555555558b3 <+26>:    mov    %rax,0x8(%rsp)
        +   0x00005555555558b3 <+26>:    mov    %rax,0x8(%rsp)
            0x00005555555558b8 <+31>:    mov    %rax,%rsi
            0x00005555555558bb <+34>:    call   0x555555555d97 <read_six_numbers>
            0x00005555555558c0 <+39>:    mov    %r14,%r12
        -   0x00005555555558c3 <+42>:    mov    $0x1,%r15d
        +   0x00005555555558c3 <+42>:    mov    $0x1,%r15d
            0x00005555555558c9 <+48>:    mov    %r14,%r13
            0x00005555555558cc <+51>:    jmp    0x555555555997 <phase_6+254>
            0x00005555555558d1 <+56>:    call   0x555555555d4a <explode_bomb>
            0x00005555555558d6 <+61>:    jmp    0x5555555559a9 <phase_6+272>
        -   0x00005555555558db <+66>:    add    $0x1,%rbx
        -   0x00005555555558df <+70>:    cmp    $0x5,%ebx
        +   0x00005555555558db <+66>:    add    $0x1,%rbx
        +   0x00005555555558df <+70>:    cmp    $0x5,%ebx
            0x00005555555558e2 <+73>:    jg     0x55555555598f <phase_6+246>
        -   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax
        -   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
        +   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax
        +   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
            0x00005555555558f0 <+87>:    jne    0x5555555558db <phase_6+66>
            0x00005555555558f2 <+89>:    call   0x555555555d4a <explode_bomb>
            0x00005555555558f7 <+94>:    jmp    0x5555555558db <phase_6+66>
        -   0x00005555555558f9 <+96>:    mov    0x8(%rsp),%rdx
        -   0x00005555555558fe <+101>:   add    $0x18,%rdx
        -   0x0000555555555902 <+105>:   mov    $0x7,%ecx
        +   0x00005555555558f9 <+96>:    mov    0x8(%rsp),%rdx
        +   0x00005555555558fe <+101>:   add    $0x18,%rdx
        +   0x0000555555555902 <+105>:   mov    $0x7,%ecx
            0x0000555555555907 <+110>:   mov    %ecx,%eax
        -   0x0000555555555909 <+112>:   sub    (%r12),%eax
        -   0x000055555555590d <+116>:   mov    %eax,(%r12)
        -   0x0000555555555911 <+120>:   add    $0x4,%r12
        +   0x0000555555555909 <+112>:   sub    (%r12),%eax
        +   0x000055555555590d <+116>:   mov    %eax,(%r12)
        +   0x0000555555555911 <+120>:   add    $0x4,%r12
            0x0000555555555915 <+124>:   cmp    %r12,%rdx
            0x0000555555555918 <+127>:   jne    0x555555555907 <phase_6+110>
        -   0x000055555555591a <+129>:   mov    $0x0,%esi
        -   0x000055555555591f <+134>:   mov    0x40(%rsp,%rsi,4),%ecx
        -   0x0000555555555923 <+138>:   mov    $0x1,%eax
        -   0x0000555555555928 <+143>:   lea    0x3d01(%rip),%rdx        # 0x555555559630 <node1>
        ---Type <RET> for more, q to quit, c to continue without paging--
        -   0x000055555555592f <+150>:   cmp    $0x1,%ecx
        +   0x000055555555591a <+129>:   mov    $0x0,%esi
        +   0x000055555555591f <+134>:   mov    0x40(%rsp,%rsi,4),%ecx
        +   0x0000555555555923 <+138>:   mov    $0x1,%eax
        +   0x0000555555555928 <+143>:   lea    0x3d01(%rip),%rdx        # 0x555555559630 <node1>
        +--Type <RET> for more, q to quit, c to continue without paging--
        +   0x000055555555592f <+150>:   cmp    $0x1,%ecx
            0x0000555555555932 <+153>:   jle    0x55555555593f <phase_6+166>
        -   0x0000555555555934 <+155>:   mov    0x8(%rdx),%rdx
        -   0x0000555555555938 <+159>:   add    $0x1,%eax
        +   0x0000555555555934 <+155>:   mov    0x8(%rdx),%rdx
        +   0x0000555555555938 <+159>:   add    $0x1,%eax
            0x000055555555593b <+162>:   cmp    %ecx,%eax
            0x000055555555593d <+164>:   jne    0x555555555934 <phase_6+155>
        -   0x000055555555593f <+166>:   mov    %rdx,0x10(%rsp,%rsi,8)
        -   0x0000555555555944 <+171>:   add    $0x1,%rsi
        -   0x0000555555555948 <+175>:   cmp    $0x6,%rsi
        +   0x000055555555593f <+166>:   mov    %rdx,0x10(%rsp,%rsi,8)
        +   0x0000555555555944 <+171>:   add    $0x1,%rsi
        +   0x0000555555555948 <+175>:   cmp    $0x6,%rsi
            0x000055555555594c <+179>:   jne    0x55555555591f <phase_6+134>
        -   0x000055555555594e <+181>:   mov    0x10(%rsp),%rbx
        -   0x0000555555555953 <+186>:   mov    0x18(%rsp),%rax
        -   0x0000555555555958 <+191>:   mov    %rax,0x8(%rbx)
        -   0x000055555555595c <+195>:   mov    0x20(%rsp),%rdx
        -   0x0000555555555961 <+200>:   mov    %rdx,0x8(%rax)
        -   0x0000555555555965 <+204>:   mov    0x28(%rsp),%rax
        -   0x000055555555596a <+209>:   mov    %rax,0x8(%rdx)
        -   0x000055555555596e <+213>:   mov    0x30(%rsp),%rdx
        -   0x0000555555555973 <+218>:   mov    %rdx,0x8(%rax)
        -   0x0000555555555977 <+222>:   mov    0x38(%rsp),%rax
        -   0x000055555555597c <+227>:   mov    %rax,0x8(%rdx)
        -   0x0000555555555980 <+231>:   movq   $0x0,0x8(%rax)
        -   0x0000555555555988 <+239>:   mov    $0x5,%ebp
        +   0x000055555555594e <+181>:   mov    0x10(%rsp),%rbx
        +   0x0000555555555953 <+186>:   mov    0x18(%rsp),%rax
        +   0x0000555555555958 <+191>:   mov    %rax,0x8(%rbx)
        +   0x000055555555595c <+195>:   mov    0x20(%rsp),%rdx
        +   0x0000555555555961 <+200>:   mov    %rdx,0x8(%rax)
        +   0x0000555555555965 <+204>:   mov    0x28(%rsp),%rax
        +   0x000055555555596a <+209>:   mov    %rax,0x8(%rdx)
        +   0x000055555555596e <+213>:   mov    0x30(%rsp),%rdx
        +   0x0000555555555973 <+218>:   mov    %rdx,0x8(%rax)
        +   0x0000555555555977 <+222>:   mov    0x38(%rsp),%rax
        +   0x000055555555597c <+227>:   mov    %rax,0x8(%rdx)
        +   0x0000555555555980 <+231>:   movq   $0x0,0x8(%rax)
        +   0x0000555555555988 <+239>:   mov    $0x5,%ebp
            0x000055555555598d <+244>:   jmp    0x5555555559c4 <phase_6+299>
        -   0x000055555555598f <+246>:   add    $0x1,%r15
        -   0x0000555555555993 <+250>:   add    $0x4,%r14
        +   0x000055555555598f <+246>:   add    $0x1,%r15
        +   0x0000555555555993 <+250>:   add    $0x4,%r14
            0x0000555555555997 <+254>:   mov    %r14,%rbp
        -   0x000055555555599a <+257>:   mov    (%r14),%eax
        -   0x000055555555599d <+260>:   sub    $0x1,%eax
        -   0x00005555555559a0 <+263>:   cmp    $0x5,%eax
        +   0x000055555555599a <+257>:   mov    (%r14),%eax
        +   0x000055555555599d <+260>:   sub    $0x1,%eax
        +   0x00005555555559a0 <+263>:   cmp    $0x5,%eax
            0x00005555555559a3 <+266>:   ja     0x5555555558d1 <phase_6+56>
        -   0x00005555555559a9 <+272>:   cmp    $0x5,%r15d
        +   0x00005555555559a9 <+272>:   cmp    $0x5,%r15d
            0x00005555555559ad <+276>:   jg     0x5555555558f9 <phase_6+96>
            0x00005555555559b3 <+282>:   mov    %r15,%rbx
            0x00005555555559b6 <+285>:   jmp    0x5555555558e8 <phase_6+79>
        -   0x00005555555559bb <+290>:   mov    0x8(%rbx),%rbx
        -   0x00005555555559bf <+294>:   sub    $0x1,%ebp
        +   0x00005555555559bb <+290>:   mov    0x8(%rbx),%rbx
        +   0x00005555555559bf <+294>:   sub    $0x1,%ebp
            0x00005555555559c2 <+297>:   je     0x5555555559d5 <phase_6+316>
        -   0x00005555555559c4 <+299>:   mov    0x8(%rbx),%rax
        -   0x00005555555559c8 <+303>:   mov    (%rax),%eax
        -   0x00005555555559ca <+305>:   cmp    %eax,(%rbx)
        ---Type <RET> for more, q to quit, c to continue without paging--
        +   0x00005555555559c4 <+299>:   mov    0x8(%rbx),%rax
        +   0x00005555555559c8 <+303>:   mov    (%rax),%eax
        +   0x00005555555559ca <+305>:   cmp    %eax,(%rbx)
        +--Type <RET> for more, q to quit, c to continue without paging--
            0x00005555555559cc <+307>:   jge    0x5555555559bb <phase_6+290>
            0x00005555555559ce <+309>:   call   0x555555555d4a <explode_bomb>
            0x00005555555559d3 <+314>:   jmp    0x5555555559bb <phase_6+290>
        -   0x00005555555559d5 <+316>:   add    $0x68,%rsp
        +   0x00005555555559d5 <+316>:   add    $0x68,%rsp
            0x00005555555559d9 <+320>:   pop    %rbx
            0x00005555555559da <+321>:   pop    %rbp
            0x00005555555559db <+322>:   pop    %r12
        @@ -4068,19 +4133,21 @@ Dump of assembler code for function phase_6:
            0x00005555555559e1 <+328>:   pop    %r15
            0x00005555555559e3 <+330>:   ret    
         End of assembler dump.
        -(gdb) 
        +(gdb) 
         
        +

        Again, we see the familiar read_six_digits function.

        -

        Let us analyse this function in chunks:

        - -
           0x00005555555558bb <+34>:    call   0x555555555d97 <read_six_numbers>
        +

        Let us analyse this function in chunks: +

        +
        0x00005555555558bb <+34>:    call   0x555555555d97 <readsixnumbers>
            0x00005555555558c0 <+39>:    mov    %r14,%r12
        -   0x00005555555558c3 <+42>:    mov    $0x1,%r15d
        +   0x00005555555558c3 <+42>:    mov    $0x1,%r15d
            0x00005555555558c9 <+48>:    mov    %r14,%r13
            0x00005555555558cc <+51>:    jmp    0x555555555997 <phase_6+254>
        -
        +
        +

        1. Read six numbers
        2. @@ -4088,18 +4155,17 @@ End of assembler dump. 2.1. mov %r14,%r12: %r14 should be pointing to the location of the stack where the numbers were read into. This address is copied onto %r12 2.2. mov $0x1,%r15d: The value 1 is moved into %r15 register (probably acting like a counter) 2.3. mov %r14,%r13: The value is also copied to %r13 -
        3. Jump to start of loop:
        4. -
        +
      • Jump to start of loop:

        -
           0x0000555555555997 <+254>:   mov    %r14,%rbp
        -   0x000055555555599a <+257>:   mov    (%r14),%eax
        -   0x000055555555599d <+260>:   sub    $0x1,%eax
        -   0x00005555555559a0 <+263>:   cmp    $0x5,%eax
        -   0x00005555555559a3 <+266>:   ja     0x5555555558d1 <phase_6+56>
        -
        - -
          -
        1. Initialise register and point to first number in sequence
        2. +
          +
          0x0000555555555997 <+254>:   mov    %r14,%rbp
          +0x000055555555599a <+257>:   mov    (%r14),%eax
          +0x000055555555599d <+260>:   sub    $0x1,%eax
          +0x00005555555559a0 <+263>:   cmp    $0x5,%eax
          +0x00005555555559a3 <+266>:   ja     0x5555555558d1 <phase_6+56>
          +
          +
          +
        3. Initialise register and point to first number in sequence

        4. Adjust number(s): 2.1. mov (%r14),%eax -> load the current number in the sequence 2.2. sub $0x1,%eax -> decrement number by 1
        5. @@ -4108,36 +4174,40 @@ End of assembler dump. 3.2. ja 0x5555555558d1 <phase_6+56>: jump if given value is > 5 or < 0
        -

        => All numbers should be between 1 and 6.

        - -
           0x00005555555559a9 <+272>:   cmp    $0x5,%r15d
        +

        => All numbers should be between 1 and 6. +

        +
        0x00005555555559a9 <+272>:   cmp    $0x5,%r15d
            0x00005555555559ad <+276>:   jg     0x5555555558f9 <phase_6+96>
        -
        - -

        This checks if the value stored in %r15 is > 5, if it is then it jumps somewhere else. This validates our assumption that %r15 is acting as a counter.

        +
        +

        -
           0x00005555555559b3 <+282>:   mov    %r15,%rbx
        +

        This checks if the value stored in %r15 is > 5, if it is then it jumps somewhere else. This validates our assumption that %r15 is acting as a counter. +

        +
        0x00005555555559b3 <+282>:   mov    %r15,%rbx
            0x00005555555559b6 <+285>:   jmp    0x5555555558e8 <phase_6+79>
        -
        - -

        Let us jump to +79

        - -
           0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax
        -   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
        -   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase_6+66>
        -   0x00005555555558f2 <+89>:    call   0x555555555d4a <explode_bomb>
        +   
        +

        + +

        Let us jump to +79 +

        +
        0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax
        +   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
        +   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase6+66>
        +   0x00005555555558f2 <+89>:    call   0x555555555d4a <explodebomb>
            0x00005555555558f7 <+94>:    jmp    0x5555555558db <phase_6+66>
        -
        - -

        This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique

        - -
           0x00005555555558db <+66>:    add    $0x1,%rbx // Increments by 1
        -   0x00005555555558df <+70>:    cmp    $0x5,%ebx 
        -   0x00005555555558e2 <+73>:    jg     0x55555555598f <phase_6+246> // Jump if > 5 (Loop iterations are complete)
        -   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax 
        -   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
        -   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase_6+66> // Again, check if the number being seen is unique
        -
        +
        +

        + +

        This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique +

        +
        0x00005555555558db <+66>:    add    $0x1,%rbx // Increments by 1
        +   0x00005555555558df <+70>:    cmp    $0x5,%ebx 
        +   0x00005555555558e2 <+73>:    jg     0x55555555598f <phase6+246> // Jump if > 5 (Loop iterations are complete)
        +   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax 
        +   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
        +   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase6+66> // Again, check if the number being seen is unique
        +   
        +

        Now we know that the numbers are unique, between 1-6 (inclusive).

        @@ -4147,7 +4217,8 @@ End of assembler dump.

        Let us try to figure out what 0x0000555555555928 <+143>: lea 0x3d01(%rip),%rdx # 0x555555559630 <node1> is:

        -
        (gdb) x/30wx 0x555555559630
        +
        +
        (gdb) x/30wx 0x555555559630
         0x555555559630 <node1>: 0x000000d9      0x00000001      0x55559640      0x00005555
         0x555555559640 <node2>: 0x000003ab      0x00000002      0x55559650      0x00005555
         0x555555559650 <node3>: 0x0000014f      0x00000003      0x55559660      0x00005555
        @@ -4156,7 +4227,7 @@ End of assembler dump.
         0x555555559680 <host_table>:    0x555573f5      0x00005555      0x5555740f      0x00005555
         0x555555559690 <host_table+16>: 0x55557429      0x00005555      0x00000000      0x00000000
         0x5555555596a0 <host_table+32>: 0x00000000      0x00000000
        -(gdb) x/30wx 0x555555559120
        +(gdb) x/30wx 0x555555559120
         0x555555559120 <node6>: 0x000002da      0x00000006      0x00000000      0x00000000
         0x555555559130: 0x00000000      0x00000000      0x00000000      0x00000000
         0x555555559140 <userid>:        0x61767861      0x38383535      0x00000000      0x00000000
        @@ -4165,8 +4236,9 @@ End of assembler dump.
         0x555555559170 <userid+48>:     0x00000000      0x00000000      0x00000000      0x00000000
         0x555555559180 <userid+64>:     0x00000000      0x00000000      0x00000000      0x00000000
         0x555555559190 <userid+80>:     0x00000000      0x00000000
        -(gdb) 
        +(gdb) 
         
        +

        It appears that this is a linked list. With roughly the following structure:

        @@ -4179,7 +4251,48 @@ End of assembler dump.
        -

        Let us convert the values into decimal

        +

        Let us convert the values into decimal:

        + +
        0x000000d9 -> 217
        +0x000003ab -> 939
        +0x0000014f -> 335
        +0x000000a1 -> 161
        +0x000001b3 -> 435
        +0x000002da -> 730
        +
        + +

        Missing Notes

        + +

        To re-arrange this linked list in descending order, we would arrange it as follows:

        + +
        Node 2 -> Node 6 -> Node 5 -> Node 3 -> Node 1 -> Node 4
        +
        + +

        Since we also need to apply the transformation: 7 - x:

        + +
        (7-2) -> (7-6) -> ... -> (7-4) 
        +
        + +

        Final answer: 5 1 2 4 6 3

        + +

        Let us try the answer:

        + +
        ...
        +That's number 2.  Keep going!
        +Halfway there!
        +So you got that one.  Try this one.
        +Good work!  On to the next...
        +5 1 2 4 6 3
        +
        +Breakpoint 1, 0x0000555555555899 in phase_6 ()
        +(gdb) continue
        +Continuing.
        +Congratulations! You've defused the bomb!
        +Your instructor has been notified and will verify your solution.
        +[Inferior 1 (process 1754) exited normally]
        +
        + +

        But, what about the secret phase?

        ]]> diff --git a/docs/index.html b/docs/index.html index f743eee..9b60636 100644 --- a/docs/index.html +++ b/docs/index.html @@ -59,9 +59,9 @@
          -
        • Bomb Lab Phases 1-5
        • +
        • Bomb Lab
          • -
          • Introduction, Phases 1-5 of Bomb Lab for CSCI 2400 Lab - 2
          • +
          • Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2
          • Published On: 2023-10-04 13:12
          • Tags: diff --git a/docs/posts/2023-10-04-bomb-lab.html b/docs/posts/2023-10-04-bomb-lab.html index 26c1e53..226487f 100644 --- a/docs/posts/2023-10-04-bomb-lab.html +++ b/docs/posts/2023-10-04-bomb-lab.html @@ -6,16 +6,16 @@ - Bomb Lab Phases 1-5 + Bomb Lab - - - - - + + + + + @@ -54,134 +54,153 @@
            -

            Bomb Lab Phases 1-5

            +

            Bomb Lab

            Introduction

            -

            Lab 2 for CSCI 2400 - Computer Systems.

            +

            Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems

            -

            I like using objdump to disassemble the code and see a broad overview of what is happening.

            +
            +

            The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused.

            +
            + +
            +

            There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!

            +
            + +

            I like using objdump to disassemble the code and get a broad overview of what is happening before I start.

            objdump -d bomb > dis.txt

            +

            Note: I am not sure about the history of the bomb lab. I think it started at CMU.

            +

            Phase 1

            -
            jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb 
            -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
            -Copyright (C) 2022 Free Software Foundation, Inc.
            -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
            +
            +
            joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb 
            +GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
            +Copyright (C) 2022 Free Software Foundation, Inc.
            +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
             This is free software: you are free to change and redistribute it.
             There is NO WARRANTY, to the extent permitted by law.
            -Type "show copying" and "show warranty" for details.
            -This GDB was configured as "x86_64-linux-gnu".
            -Type "show configuration" for configuration details.
            +Type "show copying" and "show warranty" for details.
            +This GDB was configured as "x86_64-linux-gnu".
            +Type "show configuration" for configuration details.
             For bug reporting instructions, please see:
             <https://www.gnu.org/software/gdb/bugs/>.
             Find the GDB manual and other documentation resources online at:
                 <http://www.gnu.org/software/gdb/documentation/>.
             
            -For help, type "help".
            -Type "apropos word" to search for commands related to "word"...
            +For help, type "help".
            +Type "apropos word" to search for commands related to "word"...
             Reading symbols from ./bomb...
            -Breakpoint 1 at 0x15c7
            -Breakpoint 2 at 0x1d4a
            -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb 
            -[Thread debugging using libthread_db enabled]
            -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
            -Welcome to my fiendish little bomb. You have 6 phases with
            +Breakpoint 1 at 0x15c7
            +Breakpoint 2 at 0x1d4a
            +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb 
            +[Thread debugging using libthread_db enabled]
            +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
            +Welcome to my fiendish little bomb. You have 6 phases with
             which to blow yourself up. Have a nice day!
            -test string
            -
            -Breakpoint 1, 0x00005555555555c7 in phase_1 ()
            -(gdb) dias phase_1
            -Undefined command: "dias".  Try "help".
            -(gdb) disas phase_1
            -Dump of assembler code for function phase_1:
            -=> 0x00005555555555c7 <+0>:     endbr64 
            -   0x00005555555555cb <+4>:     sub    $0x8,%rsp
            -   0x00005555555555cf <+8>:     lea    0x1b7a(%rip),%rsi        # 0x555555557150
            +test string
            +
            +Breakpoint 1, 0x00005555555555c7 in phase_1 ()
            +(gdb) dias phase_1
            +Undefined command: "dias".  Try "help".
            +(gdb) disas phase_1
            +Dump of assembler code for function phase_1:
            +=> 0x00005555555555c7 <+0>:     endbr64 
            +   0x00005555555555cb <+4>:     sub    $0x8,%rsp
            +   0x00005555555555cf <+8>:     lea    0x1b7a(%rip),%rsi        # 0x555555557150
                0x00005555555555d6 <+15>:    call   0x555555555b31 <strings_not_equal>
            -   0x00005555555555db <+20>:    test   %eax,%eax
            +   0x00005555555555db <+20>:    test   %eax,%eax
                0x00005555555555dd <+22>:    jne    0x5555555555e4 <phase_1+29>
            -   0x00005555555555df <+24>:    add    $0x8,%rsp
            +   0x00005555555555df <+24>:    add    $0x8,%rsp
                0x00005555555555e3 <+28>:    ret    
                0x00005555555555e4 <+29>:    call   0x555555555d4a <explode_bomb>
                0x00005555555555e9 <+34>:    jmp    0x5555555555df <phase_1+24>
             End of assembler dump.
            -(gdb) print 0x555555557150
            -$1 = 93824992244048
            -(gdb) x/1s 0x555555557150
            -0x555555557150: "Controlling complexity is the essence of computer programming."
            -(gdb) 
            +(gdb) print 0x555555557150
            +$1 = 93824992244048
            +(gdb) x/1s 0x555555557150
            +0x555555557150: "Controlling complexity is the essence of computer programming."
            +(gdb) 
             
            +

            Phase 2

            -
            Phase 1 defused. How about the next one?
            -1 2 3 4 5 6
            +
            +
            Phase 1 defused. How about the next one?
            +1 2 3 4 5 6
             
            -Breakpoint 1, 0x00005555555555eb in phase_2 ()
            -(gdb) disas
            -Dump of assembler code for function phase_2:
            -=> 0x00005555555555eb <+0>:     endbr64 
            +Breakpoint 1, 0x00005555555555eb in phase_2 ()
            +(gdb) disas
            +Dump of assembler code for function phase_2:
            +=> 0x00005555555555eb <+0>:     endbr64 
                0x00005555555555ef <+4>:     push   %rbp
                0x00005555555555f0 <+5>:     push   %rbx
            -   0x00005555555555f1 <+6>:     sub    $0x28,%rsp
            +   0x00005555555555f1 <+6>:     sub    $0x28,%rsp
                0x00005555555555f5 <+10>:    mov    %rsp,%rsi
                0x00005555555555f8 <+13>:    call   0x555555555d97 <read_six_numbers>
            -   0x00005555555555fd <+18>:    cmpl   $0x0,(%rsp)
            +   0x00005555555555fd <+18>:    cmpl   $0x0,(%rsp)
                0x0000555555555601 <+22>:    js     0x55555555560d <phase_2+34>
                0x0000555555555603 <+24>:    mov    %rsp,%rbp
            -   0x0000555555555606 <+27>:    mov    $0x1,%ebx
            +   0x0000555555555606 <+27>:    mov    $0x1,%ebx
                0x000055555555560b <+32>:    jmp    0x555555555620 <phase_2+53>
                0x000055555555560d <+34>:    call   0x555555555d4a <explode_bomb>
                0x0000555555555612 <+39>:    jmp    0x555555555603 <phase_2+24>
            -   0x0000555555555614 <+41>:    add    $0x1,%ebx
            -   0x0000555555555617 <+44>:    add    $0x4,%rbp
            -   0x000055555555561b <+48>:    cmp    $0x6,%ebx
            +   0x0000555555555614 <+41>:    add    $0x1,%ebx
            +   0x0000555555555617 <+44>:    add    $0x4,%rbp
            +   0x000055555555561b <+48>:    cmp    $0x6,%ebx
                0x000055555555561e <+51>:    je     0x555555555631 <phase_2+70>
                0x0000555555555620 <+53>:    mov    %ebx,%eax
            -   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
            -   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
            +   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
            +   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
                0x0000555555555628 <+61>:    je     0x555555555614 <phase_2+41>
                0x000055555555562a <+63>:    call   0x555555555d4a <explode_bomb>
                0x000055555555562f <+68>:    jmp    0x555555555614 <phase_2+41>
            -   0x0000555555555631 <+70>:    add    $0x28,%rsp
            +   0x0000555555555631 <+70>:    add    $0x28,%rsp
                0x0000555555555635 <+74>:    pop    %rbx
                0x0000555555555636 <+75>:    pop    %rbp
                0x0000555555555637 <+76>:    ret    
             End of assembler dump.
            -(gdb) 
            +(gdb) 
             
            +
            -
               0x00005555555555fd <+18>:    cmpl   $0x0,(%rsp)
            +
            +
               0x00005555555555fd <+18>:    cmpl   $0x0,(%rsp)
                0x0000555555555601 <+22>:    js     0x55555555560d <phase_2+34>
             ...
                0x000055555555560d <+34>:    call   0x555555555d4a <explode_bomb>
             
            +
            -

            The program first compares if the first number is not 0. If the number is not 0, then the cmpl instruction returns a negative value. The js instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called.

            - -
               0x0000555555555603 <+24>:    mov    %rsp,%rbp
            -   0x0000555555555606 <+27>:    mov    $0x1,%ebx
            -
            +

            The program first compares if the first number is not 0. If the number is not 0, then the cmpl instruction returns a negative value. The js instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called. +

            +
            0x0000555555555603 <+24>:    mov    %rsp,%rbp
            +   0x0000555555555606 <+27>:    mov    $0x1,%ebx
            +   
            +

            %rsp in x86-64 asm, is the stack pointer i.e. it points to the top of the current stack frame. Since the program just read six numbers, the top of the stack (%rsp) contains the address of the first number.

            By executing mov %rsp,%rbp we are setting the base pointer (%rbp) to point to this address.

            -

            Now, for the second instruction mov $0x1,%ebx, we are initalising the %ebx register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop.

            - -
               0x000055555555560b <+32>:    jmp    0x555555555620 <phase_2+53>
            -
            - -

            The program now jumps to

            - -
               0x0000555555555620 <+53>:    mov    %ebx,%eax
            -   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
            -   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
            +

            Now, for the second instruction mov $0x1,%ebx, we are initalising the %ebx register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop. +

            +
            0x000055555555560b <+32>:    jmp    0x555555555620 <phase_2+53>
            +   
            +

            + +

            The program now jumps to +

            +
            0x0000555555555620 <+53>:    mov    %ebx,%eax
            +   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
            +   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
                0x0000555555555628 <+61>:    je     0x555555555614 <phase_2+41>
            -
            +
            +

            Here, the value from %ebx is copied to the %eax register. For this iteration, the value should be 1.

            @@ -189,17 +208,18 @@ End of assembler dump.

            cmp %eax,0x4(%rbp) - The instruction compares the value in %eax to the value at the memory address %rbp + 4. Since Integers in this context are stored using a word of memory of 4 bytes, this indicates it checks against the second number in the sequence.

            -

            je 0x555555555614 <phase_2+41> - The program will jump to phase_2+41 if the previous cmp instruction determined the values as equal.

            - -
               0x0000555555555614 <+41>:    add    $0x1,%ebx
            -   0x0000555555555617 <+44>:    add    $0x4,%rbp
            -   0x000055555555561b <+48>:    cmp    $0x6,%ebx
            -   0x000055555555561e <+51>:    je     0x555555555631 <phase_2+70>
            +

            je 0x555555555614 <phase_2+41> - The program will jump to phase_2+41 if the previous cmp instruction determined the values as equal. +

            +
            0x0000555555555614 <+41>:    add    $0x1,%ebx
            +   0x0000555555555617 <+44>:    add    $0x4,%rbp
            +   0x000055555555561b <+48>:    cmp    $0x6,%ebx
            +   0x000055555555561e <+51>:    je     0x555555555631 <phase2+70>
                0x0000555555555620 <+53>:    mov    %ebx,%eax
            -   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
            -   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
            -   0x0000555555555628 <+61>:    je     0x555555555614 <phase_2+41>
            -
            + 0x0000555555555622 <+55>: add 0x0(%rbp),%eax + 0x0000555555555625 <+58>: cmp %eax,0x4(%rbp) + 0x0000555555555628 <+61>: je 0x555555555614 <phase2+41> +
            +

            Here, we can see that the program increments %ebx by 1, adds a 4 byte offset to %rbp (the number we will be matching now), and checks if %ebx is equal to 6. If it is, it breaks the loop and jumps to <phase_2+70> succesfully finishing this stage.

            @@ -214,208 +234,223 @@ End of assembler dump.
          • 6th number = 10 (prev value) + 5 = 15
          -
          ...
          -Phase 1 defused. How about the next one?
          -0 1 3 6 10 15
          +
          +
          ...
          +Phase 1 defused. How about the next one?
          +0 1 3 6 10 15
           
          -Breakpoint 1, 0x00005555555555eb in phase_2 ()
          -(gdb) continue
          +Breakpoint 1, 0x00005555555555eb in phase_2 ()
          +(gdb) continue
           Continuing.
          -That's number 2.  Keep going!
          +That's number 2.  Keep going!
           
          +

          Phase 3

          Let us look at the disassembled code first

          -
          0000000000001638 <phase_3>:
          -    1638:   f3 0f 1e fa             endbr64 
          -    163c:   48 83 ec 18             sub    $0x18,%rsp
          -    1640:   48 8d 4c 24 07          lea    0x7(%rsp),%rcx
          -    1645:   48 8d 54 24 0c          lea    0xc(%rsp),%rdx
          -    164a:   4c 8d 44 24 08          lea    0x8(%rsp),%r8
          -    164f:   48 8d 35 60 1b 00 00    lea    0x1b60(%rip),%rsi        # 31b6 <_IO_stdin_used+0x1b6>
          -    1656:   b8 00 00 00 00          mov    $0x0,%eax
          -    165b:   e8 80 fc ff ff          call   12e0 <__isoc99_sscanf@plt>
          -    1660:   83 f8 02                cmp    $0x2,%eax
          -    1663:   7e 20                   jle    1685 <phase_3+0x4d>
          -    1665:   83 7c 24 0c 07          cmpl   $0x7,0xc(%rsp)
          -    166a:   0f 87 0d 01 00 00       ja     177d <phase_3+0x145>
          -    1670:   8b 44 24 0c             mov    0xc(%rsp),%eax
          -    1674:   48 8d 15 55 1b 00 00    lea    0x1b55(%rip),%rdx        # 31d0 <_IO_stdin_used+0x1d0>
          -    167b:   48 63 04 82             movslq (%rdx,%rax,4),%rax
          -    167f:   48 01 d0                add    %rdx,%rax
          -    1682:   3e ff e0                notrack jmp *%rax
          -    1685:   e8 c0 06 00 00          call   1d4a <explode_bomb>
          -    168a:   eb d9                   jmp    1665 <phase_3+0x2d>
          -    168c:   b8 63 00 00 00          mov    $0x63,%eax
          -    1691:   81 7c 24 08 3d 02 00    cmpl   $0x23d,0x8(%rsp)
          -    1698:   00 
          -    1699:   0f 84 e8 00 00 00       je     1787 <phase_3+0x14f>
          -    169f:   e8 a6 06 00 00          call   1d4a <explode_bomb>
          -    16a4:   b8 63 00 00 00          mov    $0x63,%eax
          -    16a9:   e9 d9 00 00 00          jmp    1787 <phase_3+0x14f>
          -    16ae:   b8 61 00 00 00          mov    $0x61,%eax
          -    16b3:   81 7c 24 08 27 01 00    cmpl   $0x127,0x8(%rsp)
          -    16ba:   00 
          -    16bb:   0f 84 c6 00 00 00       je     1787 <phase_3+0x14f>
          -    16c1:   e8 84 06 00 00          call   1d4a <explode_bomb>
          -    16c6:   b8 61 00 00 00          mov    $0x61,%eax
          -    16cb:   e9 b7 00 00 00          jmp    1787 <phase_3+0x14f>
          -    16d0:   b8 78 00 00 00          mov    $0x78,%eax
          -    16d5:   81 7c 24 08 e7 02 00    cmpl   $0x2e7,0x8(%rsp)
          -    16dc:   00 
          -    16dd:   0f 84 a4 00 00 00       je     1787 <phase_3+0x14f>
          -    16e3:   e8 62 06 00 00          call   1d4a <explode_bomb>
          -    16e8:   b8 78 00 00 00          mov    $0x78,%eax
          -    16ed:   e9 95 00 00 00          jmp    1787 <phase_3+0x14f>
          -    16f2:   b8 64 00 00 00          mov    $0x64,%eax
          -    16f7:   81 7c 24 08 80 02 00    cmpl   $0x280,0x8(%rsp)
          -    16fe:   00 
          -    16ff:   0f 84 82 00 00 00       je     1787 <phase_3+0x14f>
          -    1705:   e8 40 06 00 00          call   1d4a <explode_bomb>
          -    170a:   b8 64 00 00 00          mov    $0x64,%eax
          -    170f:   eb 76                   jmp    1787 <phase_3+0x14f>
          -    1711:   b8 6d 00 00 00          mov    $0x6d,%eax
          -    1716:   81 7c 24 08 ff 02 00    cmpl   $0x2ff,0x8(%rsp)
          -    171d:   00 
          -    171e:   74 67                   je     1787 <phase_3+0x14f>
          -    1720:   e8 25 06 00 00          call   1d4a <explode_bomb>
          -    1725:   b8 6d 00 00 00          mov    $0x6d,%eax
          -    172a:   eb 5b                   jmp    1787 <phase_3+0x14f>
          -    172c:   b8 71 00 00 00          mov    $0x71,%eax
          -    1731:   81 7c 24 08 75 03 00    cmpl   $0x375,0x8(%rsp)
          -    1738:   00 
          -    1739:   74 4c                   je     1787 <phase_3+0x14f>
          -    173b:   e8 0a 06 00 00          call   1d4a <explode_bomb>
          -    1740:   b8 71 00 00 00          mov    $0x71,%eax
          -    1745:   eb 40                   jmp    1787 <phase_3+0x14f>
          -    1747:   b8 79 00 00 00          mov    $0x79,%eax
          -    174c:   81 7c 24 08 94 02 00    cmpl   $0x294,0x8(%rsp)
          -    1753:   00 
          -    1754:   74 31                   je     1787 <phase_3+0x14f>
          -    1756:   e8 ef 05 00 00          call   1d4a <explode_bomb>
          -    175b:   b8 79 00 00 00          mov    $0x79,%eax
          -    1760:   eb 25                   jmp    1787 <phase_3+0x14f>
          -    1762:   b8 79 00 00 00          mov    $0x79,%eax
          -    1767:   81 7c 24 08 88 02 00    cmpl   $0x288,0x8(%rsp)
          -    176e:   00 
          -    176f:   74 16                   je     1787 <phase_3+0x14f>
          -    1771:   e8 d4 05 00 00          call   1d4a <explode_bomb>
          -    1776:   b8 79 00 00 00          mov    $0x79,%eax
          -    177b:   eb 0a                   jmp    1787 <phase_3+0x14f>
          -    177d:   e8 c8 05 00 00          call   1d4a <explode_bomb>
          -    1782:   b8 68 00 00 00          mov    $0x68,%eax
          -    1787:   38 44 24 07             cmp    %al,0x7(%rsp)
          -    178b:   75 05                   jne    1792 <phase_3+0x15a>
          -    178d:   48 83 c4 18             add    $0x18,%rsp
          -    1791:   c3                      ret    
          -    1792:   e8 b3 05 00 00          call   1d4a <explode_bomb>
          -    1797:   eb f4                   jmp    178d <phase_3+0x155>
          +
          +
          0000000000001638 <phase_3>:
          +    1638:   f3 0f 1e fa             endbr64 
          +    163c:   48 83 ec 18             sub    $0x18,%rsp
          +    1640:   48 8d 4c 24 07          lea    0x7(%rsp),%rcx
          +    1645:   48 8d 54 24 0c          lea    0xc(%rsp),%rdx
          +    164a:   4c 8d 44 24 08          lea    0x8(%rsp),%r8
          +    164f:   48 8d 35 60 1b 00 00    lea    0x1b60(%rip),%rsi        # 31b6 <_IO_stdin_used+0x1b6>
          +    1656:   b8 00 00 00 00          mov    $0x0,%eax
          +    165b:   e8 80 fc ff ff          call   12e0 <__isoc99_sscanf@plt>
          +    1660:   83 f8 02                cmp    $0x2,%eax
          +    1663:   7e 20                   jle    1685 <phase_3+0x4d>
          +    1665:   83 7c 24 0c 07          cmpl   $0x7,0xc(%rsp)
          +    166a:   0f 87 0d 01 00 00       ja     177d <phase_3+0x145>
          +    1670:   8b 44 24 0c             mov    0xc(%rsp),%eax
          +    1674:   48 8d 15 55 1b 00 00    lea    0x1b55(%rip),%rdx        # 31d0 <_IO_stdin_used+0x1d0>
          +    167b:   48 63 04 82             movslq (%rdx,%rax,4),%rax
          +    167f:   48 01 d0                add    %rdx,%rax
          +    1682:   3e ff e0                notrack jmp *%rax
          +    1685:   e8 c0 06 00 00          call   1d4a <explode_bomb>
          +    168a:   eb d9                   jmp    1665 <phase_3+0x2d>
          +    168c:   b8 63 00 00 00          mov    $0x63,%eax
          +    1691:   81 7c 24 08 3d 02 00    cmpl   $0x23d,0x8(%rsp)
          +    1698:   00 
          +    1699:   0f 84 e8 00 00 00       je     1787 <phase_3+0x14f>
          +    169f:   e8 a6 06 00 00          call   1d4a <explode_bomb>
          +    16a4:   b8 63 00 00 00          mov    $0x63,%eax
          +    16a9:   e9 d9 00 00 00          jmp    1787 <phase_3+0x14f>
          +    16ae:   b8 61 00 00 00          mov    $0x61,%eax
          +    16b3:   81 7c 24 08 27 01 00    cmpl   $0x127,0x8(%rsp)
          +    16ba:   00 
          +    16bb:   0f 84 c6 00 00 00       je     1787 <phase_3+0x14f>
          +    16c1:   e8 84 06 00 00          call   1d4a <explode_bomb>
          +    16c6:   b8 61 00 00 00          mov    $0x61,%eax
          +    16cb:   e9 b7 00 00 00          jmp    1787 <phase_3+0x14f>
          +    16d0:   b8 78 00 00 00          mov    $0x78,%eax
          +    16d5:   81 7c 24 08 e7 02 00    cmpl   $0x2e7,0x8(%rsp)
          +    16dc:   00 
          +    16dd:   0f 84 a4 00 00 00       je     1787 <phase_3+0x14f>
          +    16e3:   e8 62 06 00 00          call   1d4a <explode_bomb>
          +    16e8:   b8 78 00 00 00          mov    $0x78,%eax
          +    16ed:   e9 95 00 00 00          jmp    1787 <phase_3+0x14f>
          +    16f2:   b8 64 00 00 00          mov    $0x64,%eax
          +    16f7:   81 7c 24 08 80 02 00    cmpl   $0x280,0x8(%rsp)
          +    16fe:   00 
          +    16ff:   0f 84 82 00 00 00       je     1787 <phase_3+0x14f>
          +    1705:   e8 40 06 00 00          call   1d4a <explode_bomb>
          +    170a:   b8 64 00 00 00          mov    $0x64,%eax
          +    170f:   eb 76                   jmp    1787 <phase_3+0x14f>
          +    1711:   b8 6d 00 00 00          mov    $0x6d,%eax
          +    1716:   81 7c 24 08 ff 02 00    cmpl   $0x2ff,0x8(%rsp)
          +    171d:   00 
          +    171e:   74 67                   je     1787 <phase_3+0x14f>
          +    1720:   e8 25 06 00 00          call   1d4a <explode_bomb>
          +    1725:   b8 6d 00 00 00          mov    $0x6d,%eax
          +    172a:   eb 5b                   jmp    1787 <phase_3+0x14f>
          +    172c:   b8 71 00 00 00          mov    $0x71,%eax
          +    1731:   81 7c 24 08 75 03 00    cmpl   $0x375,0x8(%rsp)
          +    1738:   00 
          +    1739:   74 4c                   je     1787 <phase_3+0x14f>
          +    173b:   e8 0a 06 00 00          call   1d4a <explode_bomb>
          +    1740:   b8 71 00 00 00          mov    $0x71,%eax
          +    1745:   eb 40                   jmp    1787 <phase_3+0x14f>
          +    1747:   b8 79 00 00 00          mov    $0x79,%eax
          +    174c:   81 7c 24 08 94 02 00    cmpl   $0x294,0x8(%rsp)
          +    1753:   00 
          +    1754:   74 31                   je     1787 <phase_3+0x14f>
          +    1756:   e8 ef 05 00 00          call   1d4a <explode_bomb>
          +    175b:   b8 79 00 00 00          mov    $0x79,%eax
          +    1760:   eb 25                   jmp    1787 <phase_3+0x14f>
          +    1762:   b8 79 00 00 00          mov    $0x79,%eax
          +    1767:   81 7c 24 08 88 02 00    cmpl   $0x288,0x8(%rsp)
          +    176e:   00 
          +    176f:   74 16                   je     1787 <phase_3+0x14f>
          +    1771:   e8 d4 05 00 00          call   1d4a <explode_bomb>
          +    1776:   b8 79 00 00 00          mov    $0x79,%eax
          +    177b:   eb 0a                   jmp    1787 <phase_3+0x14f>
          +    177d:   e8 c8 05 00 00          call   1d4a <explode_bomb>
          +    1782:   b8 68 00 00 00          mov    $0x68,%eax
          +    1787:   38 44 24 07             cmp    %al,0x7(%rsp)
          +    178b:   75 05                   jne    1792 <phase_3+0x15a>
          +    178d:   48 83 c4 18             add    $0x18,%rsp
          +    1791:   c3                      ret    
          +    1792:   e8 b3 05 00 00          call   1d4a <explode_bomb>
          +    1797:   eb f4                   jmp    178d <phase_3+0x155>
           
          +
          -
          ...
          -    165b:   e8 80 fc ff ff          call   12e0 <__isoc99_sscanf@plt>
          +
          +
          ...
          +    165b:   e8 80 fc ff ff          call   12e0 <__isoc99_sscanf@plt>
           ...
           
          +

          We can see that scanf is being called which means we need to figure out what datatype(s) the program is expecting.

          Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions.

          -
          jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt 
          -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
          -Copyright (C) 2022 Free Software Foundation, Inc.
          -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
          +
          +
          joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt 
          +GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
          +Copyright (C) 2022 Free Software Foundation, Inc.
          +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
           This is free software: you are free to change and redistribute it.
           There is NO WARRANTY, to the extent permitted by law.
          -Type "show copying" and "show warranty" for details.
          -This GDB was configured as "x86_64-linux-gnu".
          -Type "show configuration" for configuration details.
          +Type "show copying" and "show warranty" for details.
          +This GDB was configured as "x86_64-linux-gnu".
          +Type "show configuration" for configuration details.
           For bug reporting instructions, please see:
           <https://www.gnu.org/software/gdb/bugs/>.
           Find the GDB manual and other documentation resources online at:
               <http://www.gnu.org/software/gdb/documentation/>.
           
          -For help, type "help".
          -Type "apropos word" to search for commands related to "word"...
          +For help, type "help".
          +Type "apropos word" to search for commands related to "word"...
           Reading symbols from ./bomb...
          -Breakpoint 1 at 0x1638
          -Breakpoint 2 at 0x1d4a
          -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
          -[Thread debugging using libthread_db enabled]
          -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
          -Welcome to my fiendish little bomb. You have 6 phases with
          +Breakpoint 1 at 0x1638
          +Breakpoint 2 at 0x1d4a
          +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
          +[Thread debugging using libthread_db enabled]
          +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
          +Welcome to my fiendish little bomb. You have 6 phases with
           which to blow yourself up. Have a nice day!
          -Phase 1 defused. How about the next one?
          -That's number 2.  Keep going!
          +Phase 1 defused. How about the next one?
          +That's number 2.  Keep going!
           random string
           
          -Breakpoint 1, 0x0000555555555638 in phase_3 ()
          -(gdb) disas
          -Dump of assembler code for function phase_3:
          -=> 0x0000555555555638 <+0>:     endbr64 
          -   0x000055555555563c <+4>:     sub    $0x18,%rsp
          -   0x0000555555555640 <+8>:     lea    0x7(%rsp),%rcx
          -   0x0000555555555645 <+13>:    lea    0xc(%rsp),%rdx
          -   0x000055555555564a <+18>:    lea    0x8(%rsp),%r8
          -   0x000055555555564f <+23>:    lea    0x1b60(%rip),%rsi        # 0x5555555571b6
          -   0x0000555555555656 <+30>:    mov    $0x0,%eax
          +Breakpoint 1, 0x0000555555555638 in phase_3 ()
          +(gdb) disas
          +Dump of assembler code for function phase_3:
          +=> 0x0000555555555638 <+0>:     endbr64 
          +   0x000055555555563c <+4>:     sub    $0x18,%rsp
          +   0x0000555555555640 <+8>:     lea    0x7(%rsp),%rcx
          +   0x0000555555555645 <+13>:    lea    0xc(%rsp),%rdx
          +   0x000055555555564a <+18>:    lea    0x8(%rsp),%r8
          +   0x000055555555564f <+23>:    lea    0x1b60(%rip),%rsi        # 0x5555555571b6
          +   0x0000555555555656 <+30>:    mov    $0x0,%eax
              0x000055555555565b <+35>:    call   0x5555555552e0 <__isoc99_sscanf@plt>
          -   0x0000555555555660 <+40>:    cmp    $0x2,%eax
          +   0x0000555555555660 <+40>:    cmp    $0x2,%eax
              0x0000555555555663 <+43>:    jle    0x555555555685 <phase_3+77>
          -   0x0000555555555665 <+45>:    cmpl   $0x7,0xc(%rsp)
          +   0x0000555555555665 <+45>:    cmpl   $0x7,0xc(%rsp)
              0x000055555555566a <+50>:    ja     0x55555555577d <phase_3+325>
          -   0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax
          -   0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0
          -   0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax
          +   0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax
          +   0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0
          +   0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax
              0x000055555555567f <+71>:    add    %rdx,%rax
              0x0000555555555682 <+74>:    notrack jmp *%rax
              0x0000555555555685 <+77>:    call   0x555555555d4a <explode_bomb>
              0x000055555555568a <+82>:    jmp    0x555555555665 <phase_3+45>
          -   0x000055555555568c <+84>:    mov    $0x63,%eax
          -   0x0000555555555691 <+89>:    cmpl   $0x23d,0x8(%rsp)
          +   0x000055555555568c <+84>:    mov    $0x63,%eax
          +   0x0000555555555691 <+89>:    cmpl   $0x23d,0x8(%rsp)
              0x0000555555555699 <+97>:    je     0x555555555787 <phase_3+335>
              0x000055555555569f <+103>:   call   0x555555555d4a <explode_bomb>
          -   0x00005555555556a4 <+108>:   mov    $0x63,%eax
          +   0x00005555555556a4 <+108>:   mov    $0x63,%eax
              0x00005555555556a9 <+113>:   jmp    0x555555555787 <phase_3+335>
          ---Type <RET> for more, q to quit, c to continue without paging--
          +--Type <RET> for more, q to quit, c to continue without paging--
           
          +

          gdb has thankfully marked the address which is being passed to scanf. We can access the value:

          -
          (gdb) x/1s 0x5555555571b6
          -0x5555555571b6: "%d %c %d"
          -(gdb) 
          +
          +
          (gdb) x/1s 0x5555555571b6
          +0x5555555571b6: "%d %c %d"
          +(gdb) 
           
          +

          BINGO! The program expects an integer, character, and another integer. Onwards.

          -
             0x0000555555555660 <+40>:    cmp    $0x2,%eax
          +
          +
             0x0000555555555660 <+40>:    cmp    $0x2,%eax
              0x0000555555555663 <+43>:    jle    0x555555555685 <phase_3+77>
           ...
              0x0000555555555685 <+77>:    call   0x555555555d4a <explode_bomb>
           
          +

          The program checks whether scanf returns a value <= 2, if it does then it calls the explode_bomb function.

          Note: scanf returns the number of fields that were succesfully converted and assigned

          -
             0x0000555555555665 <+45>:    cmpl   $0x7,0xc(%rsp)
          +
          +
             0x0000555555555665 <+45>:    cmpl   $0x7,0xc(%rsp)
              0x000055555555566a <+50>:    ja     0x55555555577d <phase_3+325>
           ...
              0x000055555555577d <+325>:   call   0x555555555d4a <explode_bomb>
           
          +
          -

          Similarly, the program checks and ensures the returned value is not > 7.

          - -
             0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax
          -   0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0
          -   0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax
          +

          Similarly, the program checks and ensures the returned value is not > 7. +

          +
          0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax
          +   0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0
          +   0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax
              0x000055555555567f <+71>:    add    %rdx,%rax
              0x0000555555555682 <+74>:    notrack jmp *%rax
              0x0000555555555685 <+77>:    call   0x555555555d4a <explode_bomb>
          -
          +
          +

          • 0x0000555555555670 <+56>: mov 0xc(%rsp),%eax - Moves value located at 0xc (12 in Decimal) bytes above the stack pointer to %eax register.
          • @@ -445,137 +480,151 @@ $1 = 3

            Screenshot of GDB terminal depicting us checking the value of the instruction to be jumped to

            -

            We can see that this makes us jump to <phase_3+186> (Continue to step through the code by using ni)

            - -
               0x00005555555556f2 <+186>:   mov    $0x64,%eax
            -   0x00005555555556f7 <+191>:   cmpl   $0x280,0x8(%rsp)
            -   0x00005555555556ff <+199>:   je     0x555555555787 <phase_3+335>
            -   0x0000555555555705 <+205>:   call   0x555555555d4a <explode_bomb>
            -
            - -

            We see that 0x64 (Decimal 100) is being stored in %eax. Then, the program compares 0x280 (Decimal 640) with memory address 0x8 bytes above the stack pointer (%rsp). If the values are equal, then it jumps to <phase_3+335>, otherwise explode_bomb is called.

            - -
               0x0000555555555787 <+335>:   cmp    %al,0x7(%rsp)
            -   0x000055555555578b <+339>:   jne    0x555555555792 <phase_3+346>
            -   0x000055555555578d <+341>:   add    $0x18,%rsp
            -   0x0000555555555791 <+345>:   ret    
            -   0x0000555555555792 <+346>:   call   0x555555555d4a <explode_bomb>
            -
            +

            We can see that this makes us jump to <phase_3+186> (Continue to step through the code by using ni) +

            +
            0x00005555555556f2 <+186>:   mov    $0x64,%eax
            +   0x00005555555556f7 <+191>:   cmpl   $0x280,0x8(%rsp)
            +   0x00005555555556ff <+199>:   je     0x555555555787 <phase3+335>
            +   0x0000555555555705 <+205>:   call   0x555555555d4a <explodebomb>
            +   
            +

            + +

            We see that 0x64 (Decimal 100) is being stored in %eax. Then, the program compares 0x280 (Decimal 640) with memory address 0x8 bytes above the stack pointer (%rsp). If the values are equal, then it jumps to <phase_3+335>, otherwise explode_bomb is called. +

            +
            0x0000555555555787 <+335>:   cmp    %al,0x7(%rsp)
            +   0x000055555555578b <+339>:   jne    0x555555555792 <phase3+346>
            +   0x000055555555578d <+341>:   add    $0x18,%rsp
            +   0x0000555555555791 <+345>:   ret 
            + 0x0000555555555792 <+346>: call 0x555555555d4a <explode
            bomb> +
            +

            Here, the program is comparing the value of our given character to the value stored in %al (lower 8 bits of EAX), and checks if they are not equal.

            Knowing that the character is stored at an offset of 7 bytes to %rsp, we can print and check the value by running:

            -
            (gdb) x/1cw $rsp+7
            +
            +
            (gdb) x/1cw $rsp+7
             c
            -(gdb) print $al
            -$1 = 100
            +(gdb) print $al
            +$1 = 100
             
            +

            We can simply lookup the ASCII table, and see that 100 in decimal stands for the character d. Let us try this answer:

            -
            ...
            -That's number 2.  Keep going!
            -3 d 640
            +
            +
            ...
            +That's number 2.  Keep going!
            +3 d 640
             
            -Breakpoint 1, 0x0000555555555638 in phase_3 ()
            -(gdb) continue
            +Breakpoint 1, 0x0000555555555638 in phase_3 ()
            +(gdb) continue
             Continuing.
             Halfway there!
             
            +

            Phase 4

            -
            jovyan@jupyter-nach6988:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt 
            -GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
            -Copyright (C) 2022 Free Software Foundation, Inc.
            -License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
            +
            +
            joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt 
            +GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
            +Copyright (C) 2022 Free Software Foundation, Inc.
            +License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
             This is free software: you are free to change and redistribute it.
             There is NO WARRANTY, to the extent permitted by law.
            -Type "show copying" and "show warranty" for details.
            -This GDB was configured as "x86_64-linux-gnu".
            -Type "show configuration" for configuration details.
            +Type "show copying" and "show warranty" for details.
            +This GDB was configured as "x86_64-linux-gnu".
            +Type "show configuration" for configuration details.
             For bug reporting instructions, please see:
             <https://www.gnu.org/software/gdb/bugs/>.
             Find the GDB manual and other documentation resources online at:
                 <http://www.gnu.org/software/gdb/documentation/>.
             
            -For help, type "help".
            -Type "apropos word" to search for commands related to "word"...
            +For help, type "help".
            +Type "apropos word" to search for commands related to "word"...
             Reading symbols from ./bomb...
            -Breakpoint 1 at 0x17d3
            -Breakpoint 2 at 0x1d4a
            -Starting program: /home/jovyan/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
            -[Thread debugging using libthread_db enabled]
            -Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
            -Welcome to my fiendish little bomb. You have 6 phases with
            +Breakpoint 1 at 0x17d3
            +Breakpoint 2 at 0x1d4a
            +Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
            +[Thread debugging using libthread_db enabled]
            +Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
            +Welcome to my fiendish little bomb. You have 6 phases with
             which to blow yourself up. Have a nice day!
            -Phase 1 defused. How about the next one?
            -That's number 2.  Keep going!
            +Phase 1 defused. How about the next one?
            +That's number 2.  Keep going!
             Halfway there!
            -test string
            -
            -Breakpoint 1, 0x00005555555557d3 in phase_4 ()
            -(gdb) disas phase_4
            -Dump of assembler code for function phase_4:
            -=> 0x00005555555557d3 <+0>:     endbr64 
            -   0x00005555555557d7 <+4>:     sub    $0x18,%rsp
            -   0x00005555555557db <+8>:     lea    0x8(%rsp),%rcx
            -   0x00005555555557e0 <+13>:    lea    0xc(%rsp),%rdx
            -   0x00005555555557e5 <+18>:    lea    0x1bba(%rip),%rsi        # 0x5555555573a6
            -   0x00005555555557ec <+25>:    mov    $0x0,%eax
            +test string
            +
            +Breakpoint 1, 0x00005555555557d3 in phase_4 ()
            +(gdb) disas phase_4
            +Dump of assembler code for function phase_4:
            +=> 0x00005555555557d3 <+0>:     endbr64 
            +   0x00005555555557d7 <+4>:     sub    $0x18,%rsp
            +   0x00005555555557db <+8>:     lea    0x8(%rsp),%rcx
            +   0x00005555555557e0 <+13>:    lea    0xc(%rsp),%rdx
            +   0x00005555555557e5 <+18>:    lea    0x1bba(%rip),%rsi        # 0x5555555573a6
            +   0x00005555555557ec <+25>:    mov    $0x0,%eax
                0x00005555555557f1 <+30>:    call   0x5555555552e0 <__isoc99_sscanf@plt>
            -   0x00005555555557f6 <+35>:    cmp    $0x2,%eax
            +   0x00005555555557f6 <+35>:    cmp    $0x2,%eax
                0x00005555555557f9 <+38>:    jne    0x555555555802 <phase_4+47>
            -   0x00005555555557fb <+40>:    cmpl   $0xe,0xc(%rsp)
            +   0x00005555555557fb <+40>:    cmpl   $0xe,0xc(%rsp)
                0x0000555555555800 <+45>:    jbe    0x555555555807 <phase_4+52>
                0x0000555555555802 <+47>:    call   0x555555555d4a <explode_bomb>
            -   0x0000555555555807 <+52>:    mov    $0xe,%edx
            -   0x000055555555580c <+57>:    mov    $0x0,%esi
            -   0x0000555555555811 <+62>:    mov    0xc(%rsp),%edi
            +   0x0000555555555807 <+52>:    mov    $0xe,%edx
            +   0x000055555555580c <+57>:    mov    $0x0,%esi
            +   0x0000555555555811 <+62>:    mov    0xc(%rsp),%edi
                0x0000555555555815 <+66>:    call   0x555555555799 <func4>
            -   0x000055555555581a <+71>:    cmp    $0x2,%eax
            +   0x000055555555581a <+71>:    cmp    $0x2,%eax
                0x000055555555581d <+74>:    jne    0x555555555826 <phase_4+83>
            -   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
            +   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
                0x0000555555555824 <+81>:    je     0x55555555582b <phase_4+88>
                0x0000555555555826 <+83>:    call   0x555555555d4a <explode_bomb>
            -   0x000055555555582b <+88>:    add    $0x18,%rsp
            +   0x000055555555582b <+88>:    add    $0x18,%rsp
                0x000055555555582f <+92>:    ret    
             End of assembler dump.
            -(gdb) 
            +(gdb) 
             
            +

            Again, gdb has marked the string being passed to scanf

            -
            (gdb) x/1s 0x5555555573a6
            -0x5555555573a6: "%d %d"
            +
            +
            (gdb) x/1s 0x5555555573a6
            +0x5555555573a6: "%d %d"
             
            +
            -

            Okay, so this time we are supposed to enter 2 numbers.

            - -
               0x00005555555557f6 <+35>:    cmp    $0x2,%eax
            +

            Okay, so this time we are supposed to enter 2 numbers. +

            +
            0x00005555555557f6 <+35>:    cmp    $0x2,%eax
                0x00005555555557f9 <+38>:    jne    0x555555555802 <phase_4+47>
            -
            +
            +

            -

            Checks if there were 2 values read from calling scanf, if not -> jump to <phase_4+47> which calls <explode_bomb>.

            - -
               0x00005555555557fb <+40>:    cmpl   $0xe,0xc(%rsp)
            +

            Checks if there were 2 values read from calling scanf, if not -> jump to <phase_4+47> which calls <explode_bomb>. +

            +
            0x00005555555557fb <+40>:    cmpl   $0xe,0xc(%rsp)
                0x0000555555555800 <+45>:    jbe    0x555555555807 <phase_4+52>
            -
            +
            +

            Compare 0xe (14 in Decimal) and value stored at $rsp + 0xc bytes (Decimal 12). If this condition is met (<= 14), jump to <phase_4+52>. If not, then explode bomb.

            -
            ...
            -   0x0000555555555807 <+52>:    mov    $0xe,%edx
            -   0x000055555555580c <+57>:    mov    $0x0,%esi
            -   0x0000555555555811 <+62>:    mov    0xc(%rsp),%edi
            +
            +
            ...
            +   0x0000555555555807 <+52>:    mov    $0xe,%edx
            +   0x000055555555580c <+57>:    mov    $0x0,%esi
            +   0x0000555555555811 <+62>:    mov    0xc(%rsp),%edi
                0x0000555555555815 <+66>:    call   0x555555555799 <func4>
            -   0x000055555555581a <+71>:    cmp    $0x2,%eax
            +   0x000055555555581a <+71>:    cmp    $0x2,%eax
                0x000055555555581d <+74>:    jne    0x555555555826 <phase_4+83>
            -   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
            +   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
                0x0000555555555824 <+81>:    je     0x55555555582b <phase_4+88>
                0x0000555555555826 <+83>:    call   0x555555555d4a <explode_bomb>
             
            +
            • 0x0000555555555815 <+66>: call 0x555555555799 <func4> calls another function called func4
            • @@ -584,55 +633,59 @@ End of assembler dump.

              Let us look into func4

              -
              (gdb) disas func4
              -Dump of assembler code for function func4:
              +
              +
              (gdb) disas func4
              +Dump of assembler code for function func4:
                  0x0000555555555799 <+0>:     endbr64 
              -   0x000055555555579d <+4>:     sub    $0x8,%rsp
              +   0x000055555555579d <+4>:     sub    $0x8,%rsp
                  0x00005555555557a1 <+8>:     mov    %edx,%ecx
                  0x00005555555557a3 <+10>:    sub    %esi,%ecx
                  0x00005555555557a5 <+12>:    shr    %ecx
                  0x00005555555557a7 <+14>:    add    %esi,%ecx
                  0x00005555555557a9 <+16>:    cmp    %edi,%ecx
                  0x00005555555557ab <+18>:    ja     0x5555555557b9 <func4+32>
              -   0x00005555555557ad <+20>:    mov    $0x0,%eax
              +   0x00005555555557ad <+20>:    mov    $0x0,%eax
                  0x00005555555557b2 <+25>:    jb     0x5555555557c5 <func4+44>
              -   0x00005555555557b4 <+27>:    add    $0x8,%rsp
              +   0x00005555555557b4 <+27>:    add    $0x8,%rsp
                  0x00005555555557b8 <+31>:    ret    
              -   0x00005555555557b9 <+32>:    lea    -0x1(%rcx),%edx
              +   0x00005555555557b9 <+32>:    lea    -0x1(%rcx),%edx
                  0x00005555555557bc <+35>:    call   0x555555555799 <func4>
                  0x00005555555557c1 <+40>:    add    %eax,%eax
                  0x00005555555557c3 <+42>:    jmp    0x5555555557b4 <func4+27>
              -   0x00005555555557c5 <+44>:    lea    0x1(%rcx),%esi
              +   0x00005555555557c5 <+44>:    lea    0x1(%rcx),%esi
                  0x00005555555557c8 <+47>:    call   0x555555555799 <func4>
              -   0x00005555555557cd <+52>:    lea    0x1(%rax,%rax,1),%eax
              +   0x00005555555557cd <+52>:    lea    0x1(%rax,%rax,1),%eax
                  0x00005555555557d1 <+56>:    jmp    0x5555555557b4 <func4+27>
               
              +

              This looks like a recursive function :( (I hate recursive functions)

              Let's annotate the instructions.

              -
              endbr64
              -sub $0x8,%rsp  // subtract 8 bytes from the stack pointer
              -mov %edx,%ecx  // Move the value in register %edx to %ecx
              -sub %esi,%ecx  // Subtract the value in %esi from %ecx
              -shr %ecx       // Right shift the value in %ecx by one bit (dividing the value by 2)
              -add %esi,%ecx  // Add the value in %esi to %ecx
              +
              +
              endbr64
              +sub $0x8,%rsp  // subtract 8 bytes from the stack pointer
              +mov %edx,%ecx  // Move the value in register %edx to %ecx
              +sub %esi,%ecx  // Subtract the value in %esi from %ecx
              +shr %ecx       // Right shift the value in %ecx by one bit (dividing the value by 2)
              +add %esi,%ecx  // Add the value in %esi to %ecx
               cmp %edi,%ecx  // Compare
               ja 0x5555555557b9 <func4+32> // If %ecx > %edi -> jump to instruction at offset +32
              -mov $0x0,%eax  // Move 0 to %eax
              +mov $0x0,%eax  // Move 0 to %eax
               jb 0x5555555557c5 <func4+44> // If %ecx < %edi -> jump to instruction at offset +44.
              -add $0x8,%rsp  // add 8 bytes to the stack pointer
              -ret            // return
              -lea -0x1(%rcx),%edx // LEA of $rxc - 1 into $edx
              +add $0x8,%rsp  // add 8 bytes to the stack pointer
              +ret            // return
              +lea -0x1(%rcx),%edx // LEA of $rxc - 1 into $edx
               call 0x555555555799 <func4> // Call itself
              -add %eax,%eax  // Double the value in %eax
              +add %eax,%eax  // Double the value in %eax
               jmp 0x5555555557b4 <func4+27> // jump to the instruction at offset +27
              -lea 0x1(%rcx),%esi
              +lea 0x1(%rcx),%esi
               call 0x555555555799 <func4>
              -lea 0x1(%rax,%rax,1),%eax // LEA of %rax * 2 + 1 into $eax 
              +lea 0x1(%rax,%rax,1),%eax // LEA of %rax * 2 + 1 into $eax 
               jmp 0x5555555557b4 <func4+27>
               
              +

              We can either try to compute the values by hand, or write a simple script in Python to get the answer.

              @@ -657,57 +710,61 @@ jmp 0x5555555557b4 <func4+27>

              Okay, so we know that the number needed to be passed to func4 is 5. But, what about the second digit?

              -

              If we go back to the code for <phase_4>, we can see that:

              - -
                 0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
              +

              If we go back to the code for <phase_4>, we can see that: +

              +
              0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
                  0x0000555555555824 <+81>:    je     0x55555555582b <phase_4+88>
              -
              +
              +

              The value at $rsp+8 should be equal to 2. So, let us try passing 5 2 as our input.

              -
              ...
              -Phase 1 defused. How about the next one?
              -That's number 2.  Keep going!
              +
              +
              ...
              +Phase 1 defused. How about the next one?
              +That's number 2.  Keep going!
               Halfway there!
              -5 2
              +5 2
               
              -Breakpoint 1, 0x00005555555557d3 in phase_4 ()
              -(gdb) continue
              +Breakpoint 1, 0x00005555555557d3 in phase_4 ()
              +(gdb) continue
               Continuing.
               So you got that one.  Try this one.
               
              +

              Phase 5

              -
              So you got that one.  Try this one.
              -test string
              +
              +
              So you got that one.  Try this one.
              +test string
               
              -Breakpoint 1, 0x0000555555555830 in phase_5 ()
              -(gdb) disas phase_5
              -Dump of assembler code for function phase_5:
              -=> 0x0000555555555830 <+0>:     endbr64 
              +Breakpoint 1, 0x0000555555555830 in phase_5 ()
              +(gdb) disas phase_5
              +Dump of assembler code for function phase_5:
              +=> 0x0000555555555830 <+0>:     endbr64 
                  0x0000555555555834 <+4>:     push   %rbx
              -   0x0000555555555835 <+5>:     sub    $0x10,%rsp
              +   0x0000555555555835 <+5>:     sub    $0x10,%rsp
                  0x0000555555555839 <+9>:     mov    %rdi,%rbx
                  0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
              -   0x0000555555555841 <+17>:    cmp    $0x6,%eax
              +   0x0000555555555841 <+17>:    cmp    $0x6,%eax
                  0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
              -   0x0000555555555846 <+22>:    mov    $0x0,%eax
              -   0x000055555555584b <+27>:    lea    0x199e(%rip),%rcx        # 0x5555555571f0 <array.0>
              -   0x0000555555555852 <+34>:    movzbl (%rbx,%rax,1),%edx
              -   0x0000555555555856 <+38>:    and    $0xf,%edx
              -   0x0000555555555859 <+41>:    movzbl (%rcx,%rdx,1),%edx
              -   0x000055555555585d <+45>:    mov    %dl,0x9(%rsp,%rax,1)
              -   0x0000555555555861 <+49>:    add    $0x1,%rax
              -   0x0000555555555865 <+53>:    cmp    $0x6,%rax
              +   0x0000555555555846 <+22>:    mov    $0x0,%eax
              +   0x000055555555584b <+27>:    lea    0x199e(%rip),%rcx        # 0x5555555571f0 <array.0>
              +   0x0000555555555852 <+34>:    movzbl (%rbx,%rax,1),%edx
              +   0x0000555555555856 <+38>:    and    $0xf,%edx
              +   0x0000555555555859 <+41>:    movzbl (%rcx,%rdx,1),%edx
              +   0x000055555555585d <+45>:    mov    %dl,0x9(%rsp,%rax,1)
              +   0x0000555555555861 <+49>:    add    $0x1,%rax
              +   0x0000555555555865 <+53>:    cmp    $0x6,%rax
                  0x0000555555555869 <+57>:    jne    0x555555555852 <phase_5+34>
              -   0x000055555555586b <+59>:    movb   $0x0,0xf(%rsp)
              -   0x0000555555555870 <+64>:    lea    0x9(%rsp),%rdi
              -   0x0000555555555875 <+69>:    lea    0x1943(%rip),%rsi        # 0x5555555571bf
              +   0x000055555555586b <+59>:    movb   $0x0,0xf(%rsp)
              +   0x0000555555555870 <+64>:    lea    0x9(%rsp),%rdi
              +   0x0000555555555875 <+69>:    lea    0x1943(%rip),%rsi        # 0x5555555571bf
                  0x000055555555587c <+76>:    call   0x555555555b31 <strings_not_equal>
              -   0x0000555555555881 <+81>:    test   %eax,%eax
              +   0x0000555555555881 <+81>:    test   %eax,%eax
                  0x0000555555555883 <+83>:    jne    0x555555555892 <phase_5+98>
              -   0x0000555555555885 <+85>:    add    $0x10,%rsp
              +   0x0000555555555885 <+85>:    add    $0x10,%rsp
                  0x0000555555555889 <+89>:    pop    %rbx
                  0x000055555555588a <+90>:    ret    
                  0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
              @@ -715,17 +772,20 @@ Dump of assembler code for function phase_5:
                  0x0000555555555892 <+98>:    call   0x555555555d4a <explode_bomb>
                  0x0000555555555897 <+103>:   jmp    0x555555555885 <phase_5+85>
               End of assembler dump.
              -(gdb) 
              +(gdb) 
               
              +
              -
              ...
              +
              +
              ...
                  0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
              -   0x0000555555555841 <+17>:    cmp    $0x6,%eax
              +   0x0000555555555841 <+17>:    cmp    $0x6,%eax
                  0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
               ...
                  0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
               ...
               
              +

              First things first, these instructions check to make sure the passed string is of length 6, otherwise explode_bomb is called.

              @@ -749,12 +809,14 @@ End of assembler dump.

              We can check the reference string we need, which gdb has marked as # 0x5555555571bf, and the lookup table marked as # 0x5555555571f0 <array.0>

              -
              (gdb) x/s 0x5555555571bf
              -0x5555555571bf: "bruins"
              -(gdb) x/s 0x5555555571f0
              -0x5555555571f0 <array.0>:       "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"
              -(gdb) 
              +
              +
              (gdb) x/s 0x5555555571bf
              +0x5555555571bf: "bruins"
              +(gdb) x/s 0x5555555571f0
              +0x5555555571f0 <array.0>:       "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"
              +(gdb) 
               
              +

              To summarize the transformation process:

              @@ -786,115 +848,118 @@ s -> g

              Let us try out this answer:

              -
              ...
              -That's number 2.  Keep going!
              +
              +
              ...
              +That's number 2.  Keep going!
               Halfway there!
               So you got that one.  Try this one.
               mfcdhg
               
              -Breakpoint 1, 0x0000555555555830 in phase_5 ()
              -(gdb) continue
              +Breakpoint 1, 0x0000555555555830 in phase_5 ()
              +(gdb) continue
               Continuing.
               Good work!  On to the next...
               
              +

              Awesome!

              Phase 6

              -
              Good work!  On to the next...
              -test string
              +
              +
              Good work!  On to the next...
              +test string
               
              -Breakpoint 1, 0x0000555555555899 in phase_6 ()
              -(gdb) disas phase_6
              -Dump of assembler code for function phase_6:
              -=> 0x0000555555555899 <+0>:     endbr64 
              +Breakpoint 1, 0x0000555555555899 in phase_6 ()
              +(gdb) disas phase_6
              +Dump of assembler code for function phase_6:
              +=> 0x0000555555555899 <+0>:     endbr64 
                  0x000055555555589d <+4>:     push   %r15
                  0x000055555555589f <+6>:     push   %r14
                  0x00005555555558a1 <+8>:     push   %r13
                  0x00005555555558a3 <+10>:    push   %r12
                  0x00005555555558a5 <+12>:    push   %rbp
                  0x00005555555558a6 <+13>:    push   %rbx
              -   0x00005555555558a7 <+14>:    sub    $0x68,%rsp
              -   0x00005555555558ab <+18>:    lea    0x40(%rsp),%rax
              +   0x00005555555558a7 <+14>:    sub    $0x68,%rsp
              +   0x00005555555558ab <+18>:    lea    0x40(%rsp),%rax
                  0x00005555555558b0 <+23>:    mov    %rax,%r14
              -   0x00005555555558b3 <+26>:    mov    %rax,0x8(%rsp)
              +   0x00005555555558b3 <+26>:    mov    %rax,0x8(%rsp)
                  0x00005555555558b8 <+31>:    mov    %rax,%rsi
                  0x00005555555558bb <+34>:    call   0x555555555d97 <read_six_numbers>
                  0x00005555555558c0 <+39>:    mov    %r14,%r12
              -   0x00005555555558c3 <+42>:    mov    $0x1,%r15d
              +   0x00005555555558c3 <+42>:    mov    $0x1,%r15d
                  0x00005555555558c9 <+48>:    mov    %r14,%r13
                  0x00005555555558cc <+51>:    jmp    0x555555555997 <phase_6+254>
                  0x00005555555558d1 <+56>:    call   0x555555555d4a <explode_bomb>
                  0x00005555555558d6 <+61>:    jmp    0x5555555559a9 <phase_6+272>
              -   0x00005555555558db <+66>:    add    $0x1,%rbx
              -   0x00005555555558df <+70>:    cmp    $0x5,%ebx
              +   0x00005555555558db <+66>:    add    $0x1,%rbx
              +   0x00005555555558df <+70>:    cmp    $0x5,%ebx
                  0x00005555555558e2 <+73>:    jg     0x55555555598f <phase_6+246>
              -   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax
              -   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
              +   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax
              +   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
                  0x00005555555558f0 <+87>:    jne    0x5555555558db <phase_6+66>
                  0x00005555555558f2 <+89>:    call   0x555555555d4a <explode_bomb>
                  0x00005555555558f7 <+94>:    jmp    0x5555555558db <phase_6+66>
              -   0x00005555555558f9 <+96>:    mov    0x8(%rsp),%rdx
              -   0x00005555555558fe <+101>:   add    $0x18,%rdx
              -   0x0000555555555902 <+105>:   mov    $0x7,%ecx
              +   0x00005555555558f9 <+96>:    mov    0x8(%rsp),%rdx
              +   0x00005555555558fe <+101>:   add    $0x18,%rdx
              +   0x0000555555555902 <+105>:   mov    $0x7,%ecx
                  0x0000555555555907 <+110>:   mov    %ecx,%eax
              -   0x0000555555555909 <+112>:   sub    (%r12),%eax
              -   0x000055555555590d <+116>:   mov    %eax,(%r12)
              -   0x0000555555555911 <+120>:   add    $0x4,%r12
              +   0x0000555555555909 <+112>:   sub    (%r12),%eax
              +   0x000055555555590d <+116>:   mov    %eax,(%r12)
              +   0x0000555555555911 <+120>:   add    $0x4,%r12
                  0x0000555555555915 <+124>:   cmp    %r12,%rdx
                  0x0000555555555918 <+127>:   jne    0x555555555907 <phase_6+110>
              -   0x000055555555591a <+129>:   mov    $0x0,%esi
              -   0x000055555555591f <+134>:   mov    0x40(%rsp,%rsi,4),%ecx
              -   0x0000555555555923 <+138>:   mov    $0x1,%eax
              -   0x0000555555555928 <+143>:   lea    0x3d01(%rip),%rdx        # 0x555555559630 <node1>
              ---Type <RET> for more, q to quit, c to continue without paging--
              -   0x000055555555592f <+150>:   cmp    $0x1,%ecx
              +   0x000055555555591a <+129>:   mov    $0x0,%esi
              +   0x000055555555591f <+134>:   mov    0x40(%rsp,%rsi,4),%ecx
              +   0x0000555555555923 <+138>:   mov    $0x1,%eax
              +   0x0000555555555928 <+143>:   lea    0x3d01(%rip),%rdx        # 0x555555559630 <node1>
              +--Type <RET> for more, q to quit, c to continue without paging--
              +   0x000055555555592f <+150>:   cmp    $0x1,%ecx
                  0x0000555555555932 <+153>:   jle    0x55555555593f <phase_6+166>
              -   0x0000555555555934 <+155>:   mov    0x8(%rdx),%rdx
              -   0x0000555555555938 <+159>:   add    $0x1,%eax
              +   0x0000555555555934 <+155>:   mov    0x8(%rdx),%rdx
              +   0x0000555555555938 <+159>:   add    $0x1,%eax
                  0x000055555555593b <+162>:   cmp    %ecx,%eax
                  0x000055555555593d <+164>:   jne    0x555555555934 <phase_6+155>
              -   0x000055555555593f <+166>:   mov    %rdx,0x10(%rsp,%rsi,8)
              -   0x0000555555555944 <+171>:   add    $0x1,%rsi
              -   0x0000555555555948 <+175>:   cmp    $0x6,%rsi
              +   0x000055555555593f <+166>:   mov    %rdx,0x10(%rsp,%rsi,8)
              +   0x0000555555555944 <+171>:   add    $0x1,%rsi
              +   0x0000555555555948 <+175>:   cmp    $0x6,%rsi
                  0x000055555555594c <+179>:   jne    0x55555555591f <phase_6+134>
              -   0x000055555555594e <+181>:   mov    0x10(%rsp),%rbx
              -   0x0000555555555953 <+186>:   mov    0x18(%rsp),%rax
              -   0x0000555555555958 <+191>:   mov    %rax,0x8(%rbx)
              -   0x000055555555595c <+195>:   mov    0x20(%rsp),%rdx
              -   0x0000555555555961 <+200>:   mov    %rdx,0x8(%rax)
              -   0x0000555555555965 <+204>:   mov    0x28(%rsp),%rax
              -   0x000055555555596a <+209>:   mov    %rax,0x8(%rdx)
              -   0x000055555555596e <+213>:   mov    0x30(%rsp),%rdx
              -   0x0000555555555973 <+218>:   mov    %rdx,0x8(%rax)
              -   0x0000555555555977 <+222>:   mov    0x38(%rsp),%rax
              -   0x000055555555597c <+227>:   mov    %rax,0x8(%rdx)
              -   0x0000555555555980 <+231>:   movq   $0x0,0x8(%rax)
              -   0x0000555555555988 <+239>:   mov    $0x5,%ebp
              +   0x000055555555594e <+181>:   mov    0x10(%rsp),%rbx
              +   0x0000555555555953 <+186>:   mov    0x18(%rsp),%rax
              +   0x0000555555555958 <+191>:   mov    %rax,0x8(%rbx)
              +   0x000055555555595c <+195>:   mov    0x20(%rsp),%rdx
              +   0x0000555555555961 <+200>:   mov    %rdx,0x8(%rax)
              +   0x0000555555555965 <+204>:   mov    0x28(%rsp),%rax
              +   0x000055555555596a <+209>:   mov    %rax,0x8(%rdx)
              +   0x000055555555596e <+213>:   mov    0x30(%rsp),%rdx
              +   0x0000555555555973 <+218>:   mov    %rdx,0x8(%rax)
              +   0x0000555555555977 <+222>:   mov    0x38(%rsp),%rax
              +   0x000055555555597c <+227>:   mov    %rax,0x8(%rdx)
              +   0x0000555555555980 <+231>:   movq   $0x0,0x8(%rax)
              +   0x0000555555555988 <+239>:   mov    $0x5,%ebp
                  0x000055555555598d <+244>:   jmp    0x5555555559c4 <phase_6+299>
              -   0x000055555555598f <+246>:   add    $0x1,%r15
              -   0x0000555555555993 <+250>:   add    $0x4,%r14
              +   0x000055555555598f <+246>:   add    $0x1,%r15
              +   0x0000555555555993 <+250>:   add    $0x4,%r14
                  0x0000555555555997 <+254>:   mov    %r14,%rbp
              -   0x000055555555599a <+257>:   mov    (%r14),%eax
              -   0x000055555555599d <+260>:   sub    $0x1,%eax
              -   0x00005555555559a0 <+263>:   cmp    $0x5,%eax
              +   0x000055555555599a <+257>:   mov    (%r14),%eax
              +   0x000055555555599d <+260>:   sub    $0x1,%eax
              +   0x00005555555559a0 <+263>:   cmp    $0x5,%eax
                  0x00005555555559a3 <+266>:   ja     0x5555555558d1 <phase_6+56>
              -   0x00005555555559a9 <+272>:   cmp    $0x5,%r15d
              +   0x00005555555559a9 <+272>:   cmp    $0x5,%r15d
                  0x00005555555559ad <+276>:   jg     0x5555555558f9 <phase_6+96>
                  0x00005555555559b3 <+282>:   mov    %r15,%rbx
                  0x00005555555559b6 <+285>:   jmp    0x5555555558e8 <phase_6+79>
              -   0x00005555555559bb <+290>:   mov    0x8(%rbx),%rbx
              -   0x00005555555559bf <+294>:   sub    $0x1,%ebp
              +   0x00005555555559bb <+290>:   mov    0x8(%rbx),%rbx
              +   0x00005555555559bf <+294>:   sub    $0x1,%ebp
                  0x00005555555559c2 <+297>:   je     0x5555555559d5 <phase_6+316>
              -   0x00005555555559c4 <+299>:   mov    0x8(%rbx),%rax
              -   0x00005555555559c8 <+303>:   mov    (%rax),%eax
              -   0x00005555555559ca <+305>:   cmp    %eax,(%rbx)
              ---Type <RET> for more, q to quit, c to continue without paging--
              +   0x00005555555559c4 <+299>:   mov    0x8(%rbx),%rax
              +   0x00005555555559c8 <+303>:   mov    (%rax),%eax
              +   0x00005555555559ca <+305>:   cmp    %eax,(%rbx)
              +--Type <RET> for more, q to quit, c to continue without paging--
                  0x00005555555559cc <+307>:   jge    0x5555555559bb <phase_6+290>
                  0x00005555555559ce <+309>:   call   0x555555555d4a <explode_bomb>
                  0x00005555555559d3 <+314>:   jmp    0x5555555559bb <phase_6+290>
              -   0x00005555555559d5 <+316>:   add    $0x68,%rsp
              +   0x00005555555559d5 <+316>:   add    $0x68,%rsp
                  0x00005555555559d9 <+320>:   pop    %rbx
                  0x00005555555559da <+321>:   pop    %rbp
                  0x00005555555559db <+322>:   pop    %r12
              @@ -903,19 +968,21 @@ Dump of assembler code for function phase_6:
                  0x00005555555559e1 <+328>:   pop    %r15
                  0x00005555555559e3 <+330>:   ret    
               End of assembler dump.
              -(gdb) 
              +(gdb) 
               
              +

              Again, we see the familiar read_six_digits function.

              -

              Let us analyse this function in chunks:

              - -
                 0x00005555555558bb <+34>:    call   0x555555555d97 <read_six_numbers>
              +

              Let us analyse this function in chunks: +

              +
              0x00005555555558bb <+34>:    call   0x555555555d97 <readsixnumbers>
                  0x00005555555558c0 <+39>:    mov    %r14,%r12
              -   0x00005555555558c3 <+42>:    mov    $0x1,%r15d
              +   0x00005555555558c3 <+42>:    mov    $0x1,%r15d
                  0x00005555555558c9 <+48>:    mov    %r14,%r13
                  0x00005555555558cc <+51>:    jmp    0x555555555997 <phase_6+254>
              -
              +
              +

              1. Read six numbers
              2. @@ -923,18 +990,17 @@ End of assembler dump. 2.1. mov %r14,%r12: %r14 should be pointing to the location of the stack where the numbers were read into. This address is copied onto %r12 2.2. mov $0x1,%r15d: The value 1 is moved into %r15 register (probably acting like a counter) 2.3. mov %r14,%r13: The value is also copied to %r13 -
              3. Jump to start of loop:
              4. -
              +
            • Jump to start of loop:

              -
                 0x0000555555555997 <+254>:   mov    %r14,%rbp
              -   0x000055555555599a <+257>:   mov    (%r14),%eax
              -   0x000055555555599d <+260>:   sub    $0x1,%eax
              -   0x00005555555559a0 <+263>:   cmp    $0x5,%eax
              -   0x00005555555559a3 <+266>:   ja     0x5555555558d1 <phase_6+56>
              +
              +
              0x0000555555555997 <+254>:   mov    %r14,%rbp
              +0x000055555555599a <+257>:   mov    (%r14),%eax
              +0x000055555555599d <+260>:   sub    $0x1,%eax
              +0x00005555555559a0 <+263>:   cmp    $0x5,%eax
              +0x00005555555559a3 <+266>:   ja     0x5555555558d1 <phase_6+56>
               
              - -
                -
              1. Initialise register and point to first number in sequence
              2. +
            • +
            • Initialise register and point to first number in sequence

            • Adjust number(s): 2.1. mov (%r14),%eax -> load the current number in the sequence 2.2. sub $0x1,%eax -> decrement number by 1
            • @@ -943,36 +1009,40 @@ End of assembler dump. 3.2. ja 0x5555555558d1 <phase_6+56>: jump if given value is > 5 or < 0 -

              => All numbers should be between 1 and 6.

              - -
                 0x00005555555559a9 <+272>:   cmp    $0x5,%r15d
              +

              => All numbers should be between 1 and 6. +

              +
              0x00005555555559a9 <+272>:   cmp    $0x5,%r15d
                  0x00005555555559ad <+276>:   jg     0x5555555558f9 <phase_6+96>
              -
              +
              +

              -

              This checks if the value stored in %r15 is > 5, if it is then it jumps somewhere else. This validates our assumption that %r15 is acting as a counter.

              - -
                 0x00005555555559b3 <+282>:   mov    %r15,%rbx
              +

              This checks if the value stored in %r15 is > 5, if it is then it jumps somewhere else. This validates our assumption that %r15 is acting as a counter. +

              +
              0x00005555555559b3 <+282>:   mov    %r15,%rbx
                  0x00005555555559b6 <+285>:   jmp    0x5555555558e8 <phase_6+79>
              -
              - -

              Let us jump to +79

              - -
                 0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax
              -   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
              -   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase_6+66>
              -   0x00005555555558f2 <+89>:    call   0x555555555d4a <explode_bomb>
              +   
              +

              + +

              Let us jump to +79 +

              +
              0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax
              +   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
              +   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase6+66>
              +   0x00005555555558f2 <+89>:    call   0x555555555d4a <explodebomb>
                  0x00005555555558f7 <+94>:    jmp    0x5555555558db <phase_6+66>
              -
              - -

              This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique

              - -
                 0x00005555555558db <+66>:    add    $0x1,%rbx // Increments by 1
              -   0x00005555555558df <+70>:    cmp    $0x5,%ebx 
              -   0x00005555555558e2 <+73>:    jg     0x55555555598f <phase_6+246> // Jump if > 5 (Loop iterations are complete)
              -   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax 
              -   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
              -   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase_6+66> // Again, check if the number being seen is unique
              -
              +
              +

              + +

              This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique +

              +
              0x00005555555558db <+66>:    add    $0x1,%rbx // Increments by 1
              +   0x00005555555558df <+70>:    cmp    $0x5,%ebx 
              +   0x00005555555558e2 <+73>:    jg     0x55555555598f <phase6+246> // Jump if > 5 (Loop iterations are complete)
              +   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax 
              +   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
              +   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase6+66> // Again, check if the number being seen is unique
              +   
              +

              Now we know that the numbers are unique, between 1-6 (inclusive).

              @@ -982,7 +1052,8 @@ End of assembler dump.

              Let us try to figure out what 0x0000555555555928 <+143>: lea 0x3d01(%rip),%rdx # 0x555555559630 <node1> is:

              -
              (gdb) x/30wx 0x555555559630
              +
              +
              (gdb) x/30wx 0x555555559630
               0x555555559630 <node1>: 0x000000d9      0x00000001      0x55559640      0x00005555
               0x555555559640 <node2>: 0x000003ab      0x00000002      0x55559650      0x00005555
               0x555555559650 <node3>: 0x0000014f      0x00000003      0x55559660      0x00005555
              @@ -991,7 +1062,7 @@ End of assembler dump.
               0x555555559680 <host_table>:    0x555573f5      0x00005555      0x5555740f      0x00005555
               0x555555559690 <host_table+16>: 0x55557429      0x00005555      0x00000000      0x00000000
               0x5555555596a0 <host_table+32>: 0x00000000      0x00000000
              -(gdb) x/30wx 0x555555559120
              +(gdb) x/30wx 0x555555559120
               0x555555559120 <node6>: 0x000002da      0x00000006      0x00000000      0x00000000
               0x555555559130: 0x00000000      0x00000000      0x00000000      0x00000000
               0x555555559140 <userid>:        0x61767861      0x38383535      0x00000000      0x00000000
              @@ -1000,8 +1071,9 @@ End of assembler dump.
               0x555555559170 <userid+48>:     0x00000000      0x00000000      0x00000000      0x00000000
               0x555555559180 <userid+64>:     0x00000000      0x00000000      0x00000000      0x00000000
               0x555555559190 <userid+80>:     0x00000000      0x00000000
              -(gdb) 
              +(gdb) 
               
              +

              It appears that this is a linked list. With roughly the following structure:

              @@ -1014,7 +1086,48 @@ End of assembler dump.
              -

              Let us convert the values into decimal

              +

              Let us convert the values into decimal:

              + +
              0x000000d9 -> 217
              +0x000003ab -> 939
              +0x0000014f -> 335
              +0x000000a1 -> 161
              +0x000001b3 -> 435
              +0x000002da -> 730
              +
              + +

              Missing Notes

              + +

              To re-arrange this linked list in descending order, we would arrange it as follows:

              + +
              Node 2 -> Node 6 -> Node 5 -> Node 3 -> Node 1 -> Node 4
              +
              + +

              Since we also need to apply the transformation: 7 - x:

              + +
              (7-2) -> (7-6) -> ... -> (7-4) 
              +
              + +

              Final answer: 5 1 2 4 6 3

              + +

              Let us try the answer:

              + +
              ...
              +That's number 2.  Keep going!
              +Halfway there!
              +So you got that one.  Try this one.
              +Good work!  On to the next...
              +5 1 2 4 6 3
              +
              +Breakpoint 1, 0x0000555555555899 in phase_6 ()
              +(gdb) continue
              +Continuing.
              +Congratulations! You've defused the bomb!
              +Your instructor has been notified and will verify your solution.
              +[Inferior 1 (process 1754) exited normally]
              +
              + +

              But, what about the secret phase?

              If you have scrolled this far, consider subscribing to my mailing list here. You can subscribe to either a specific type of post you are interested in, or subscribe to everything with the "Everything" list.