summaryrefslogtreecommitdiff
path: root/Content/posts/2023-10-04-bomb-lab.md
blob: 91f8f9ff9ccab9423a34be0b0b24f1b901518472 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
---
date: 2023-10-04 13:12
description: Walkthrough of Phases 1-6 of Bomb Lab for CSCI 2400 Computer Systems Lab 2
tags: gdb, Reverse-Engineering, C++, CSCI2400, Assembly
---

# Bomb Lab

## Introduction

Lab 2 for CSCI 2400 @ CU Boulder - Computer Systems

> The nefarious Dr. Evil has planted a slew of “binary bombs” on our class machines. A binary bomb is a program that consists of a sequence of phases. Each phase expects you to type a particular string on stdin. If you type the correct string, then the phase is defused and the bomb proceeds to the next phase. Otherwise, the bomb explodes by printing "BOOM!!!" and then terminating. The bomb is defused when every phase has been defused.
<br><br>
There are too many bombs for us to deal with, so we are giving each student a bomb to defuse. Your mission, which you have no choice but to accept, is to defuse your bomb before the due date. Good luck, and welcome to the bomb squad!
<cite>Bomb Lab Handout</cite>

I like using objdump to disassemble the code and get a broad overview of what is happening before I start. 

`objdump -d bomb > dis.txt`

*Note: I am not sure about the history of the bomb lab. I think it started at CMU.*

## Phase 1

```shell
joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_1' -ex 'break explode_bomb' -ex 'run' ./bomb 
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./bomb...
Breakpoint 1 at 0x15c7
Breakpoint 2 at 0x1d4a
Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb 
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
test string

Breakpoint 1, 0x00005555555555c7 in phase_1 ()
(gdb) dias phase_1
Undefined command: "dias".  Try "help".
(gdb) disas phase_1
Dump of assembler code for function phase_1:
=> 0x00005555555555c7 <+0>:     endbr64 
   0x00005555555555cb <+4>:     sub    $0x8,%rsp
   0x00005555555555cf <+8>:     lea    0x1b7a(%rip),%rsi        # 0x555555557150
   0x00005555555555d6 <+15>:    call   0x555555555b31 <strings_not_equal>
   0x00005555555555db <+20>:    test   %eax,%eax
   0x00005555555555dd <+22>:    jne    0x5555555555e4 <phase_1+29>
   0x00005555555555df <+24>:    add    $0x8,%rsp
   0x00005555555555e3 <+28>:    ret    
   0x00005555555555e4 <+29>:    call   0x555555555d4a <explode_bomb>
   0x00005555555555e9 <+34>:    jmp    0x5555555555df <phase_1+24>
End of assembler dump.
(gdb) print 0x555555557150
$1 = 93824992244048
(gdb) x/1s 0x555555557150
0x555555557150: "Controlling complexity is the essence of computer programming."
(gdb) 
```

## Phase 2

```shell
Phase 1 defused. How about the next one?
1 2 3 4 5 6

Breakpoint 1, 0x00005555555555eb in phase_2 ()
(gdb) disas
Dump of assembler code for function phase_2:
=> 0x00005555555555eb <+0>:     endbr64 
   0x00005555555555ef <+4>:     push   %rbp
   0x00005555555555f0 <+5>:     push   %rbx
   0x00005555555555f1 <+6>:     sub    $0x28,%rsp
   0x00005555555555f5 <+10>:    mov    %rsp,%rsi
   0x00005555555555f8 <+13>:    call   0x555555555d97 <read_six_numbers>
   0x00005555555555fd <+18>:    cmpl   $0x0,(%rsp)
   0x0000555555555601 <+22>:    js     0x55555555560d <phase_2+34>
   0x0000555555555603 <+24>:    mov    %rsp,%rbp
   0x0000555555555606 <+27>:    mov    $0x1,%ebx
   0x000055555555560b <+32>:    jmp    0x555555555620 <phase_2+53>
   0x000055555555560d <+34>:    call   0x555555555d4a <explode_bomb>
   0x0000555555555612 <+39>:    jmp    0x555555555603 <phase_2+24>
   0x0000555555555614 <+41>:    add    $0x1,%ebx
   0x0000555555555617 <+44>:    add    $0x4,%rbp
   0x000055555555561b <+48>:    cmp    $0x6,%ebx
   0x000055555555561e <+51>:    je     0x555555555631 <phase_2+70>
   0x0000555555555620 <+53>:    mov    %ebx,%eax
   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
   0x0000555555555628 <+61>:    je     0x555555555614 <phase_2+41>
   0x000055555555562a <+63>:    call   0x555555555d4a <explode_bomb>
   0x000055555555562f <+68>:    jmp    0x555555555614 <phase_2+41>
   0x0000555555555631 <+70>:    add    $0x28,%rsp
   0x0000555555555635 <+74>:    pop    %rbx
   0x0000555555555636 <+75>:    pop    %rbp
   0x0000555555555637 <+76>:    ret    
End of assembler dump.
(gdb) 
```

```shell
   0x00005555555555fd <+18>:    cmpl   $0x0,(%rsp)
   0x0000555555555601 <+22>:    js     0x55555555560d <phase_2+34>
...
   0x000055555555560d <+34>:    call   0x555555555d4a <explode_bomb>
```

The program first compares if the first number is not 0. If the number is not 0, then the `cmpl` instruction returns a negative value. The `js` instruction stands for jump if sign -> causing a jump to the specified address if the sign bit is set. This would result in the explode_bomb function being called.


```shell
   0x0000555555555603 <+24>:    mov    %rsp,%rbp
   0x0000555555555606 <+27>:    mov    $0x1,%ebx
```

`%rsp` in x86-64 asm, is the stack pointer i.e. it points to the top of the current stack frame. Since the program just read six numbers, the top of the stack (`%rsp`) contains the address of the first number.


By executing `mov %rsp,%rbp` we are setting the base pointer (`%rbp`) to point to this address.

Now, for the second instruction `mov $0x1,%ebx`, we are initialising the `%ebx` register with the value 1. Based on the assembly code, you can see that this is being used as a counter/index for the loop.


```shell
   0x000055555555560b <+32>:    jmp    0x555555555620 <phase_2+53>
```

The program now jumps to <phase_2+53>

```shell
   0x0000555555555620 <+53>:    mov    %ebx,%eax
   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
   0x0000555555555628 <+61>:    je     0x555555555614 <phase_2+41>
``` 

Here, the value from `%ebx` is copied to the `%eax` register. For this iteration, the value should be 1.

Then, the value at the memory location pointed by `%rbp` is added to the value in `%eax`. For now, 0 is added (the first number that we read).

`cmp %eax,0x4(%rbp)` - The instruction compares the value in %eax to the value at the memory address `%rbp + 4`. Since Integers in this context are stored using a word of memory of 4 bytes, this indicates it checks against the second number in the sequence.

`je 0x555555555614 <phase_2+41>` - The program will jump to `phase_2+41` if the previous `cmp` instruction determined the values as equal. 

```shell
   0x0000555555555614 <+41>:    add    $0x1,%ebx
   0x0000555555555617 <+44>:    add    $0x4,%rbp
   0x000055555555561b <+48>:    cmp    $0x6,%ebx
   0x000055555555561e <+51>:    je     0x555555555631 <phase_2+70>
   0x0000555555555620 <+53>:    mov    %ebx,%eax
   0x0000555555555622 <+55>:    add    0x0(%rbp),%eax
   0x0000555555555625 <+58>:    cmp    %eax,0x4(%rbp)
   0x0000555555555628 <+61>:    je     0x555555555614 <phase_2+41>
```

Here, we can see that the program increments `%ebx` by 1, adds a 4 byte offset to `%rbp` (the number we will be matching now), and checks if `%ebx` is equal to 6. If it is, it breaks the loop and jumps to `<phase_2+70>` successfully finishing this stage.

Now, given that we know the first two numbers in the sequence are `0 1`, we can calculate the other numbers by following the pattern of adding the counter and the value of the previous number.

Thus,

* 3rd number = 1 (previous value) + 2 = 3
* 4th number = 3 (prev value) + 3 = 6
* 5th number = 6 (prev value) + 4 = 10
* 6th number = 10 (prev value) + 5 = 15


```shell
...
Phase 1 defused. How about the next one?
0 1 3 6 10 15

Breakpoint 1, 0x00005555555555eb in phase_2 ()
(gdb) continue
Continuing.
That's number 2.  Keep going!
```

## Phase 3

Let us look at the disassembled code first

```shell
0000000000001638 <phase_3>:
    1638:	f3 0f 1e fa          	endbr64 
    163c:	48 83 ec 18          	sub    $0x18,%rsp
    1640:	48 8d 4c 24 07       	lea    0x7(%rsp),%rcx
    1645:	48 8d 54 24 0c       	lea    0xc(%rsp),%rdx
    164a:	4c 8d 44 24 08       	lea    0x8(%rsp),%r8
    164f:	48 8d 35 60 1b 00 00 	lea    0x1b60(%rip),%rsi        # 31b6 <_IO_stdin_used+0x1b6>
    1656:	b8 00 00 00 00       	mov    $0x0,%eax
    165b:	e8 80 fc ff ff       	call   12e0 <__isoc99_sscanf@plt>
    1660:	83 f8 02             	cmp    $0x2,%eax
    1663:	7e 20                	jle    1685 <phase_3+0x4d>
    1665:	83 7c 24 0c 07       	cmpl   $0x7,0xc(%rsp)
    166a:	0f 87 0d 01 00 00    	ja     177d <phase_3+0x145>
    1670:	8b 44 24 0c          	mov    0xc(%rsp),%eax
    1674:	48 8d 15 55 1b 00 00 	lea    0x1b55(%rip),%rdx        # 31d0 <_IO_stdin_used+0x1d0>
    167b:	48 63 04 82          	movslq (%rdx,%rax,4),%rax
    167f:	48 01 d0             	add    %rdx,%rax
    1682:	3e ff e0             	notrack jmp *%rax
    1685:	e8 c0 06 00 00       	call   1d4a <explode_bomb>
    168a:	eb d9                	jmp    1665 <phase_3+0x2d>
    168c:	b8 63 00 00 00       	mov    $0x63,%eax
    1691:	81 7c 24 08 3d 02 00 	cmpl   $0x23d,0x8(%rsp)
    1698:	00 
    1699:	0f 84 e8 00 00 00    	je     1787 <phase_3+0x14f>
    169f:	e8 a6 06 00 00       	call   1d4a <explode_bomb>
    16a4:	b8 63 00 00 00       	mov    $0x63,%eax
    16a9:	e9 d9 00 00 00       	jmp    1787 <phase_3+0x14f>
    16ae:	b8 61 00 00 00       	mov    $0x61,%eax
    16b3:	81 7c 24 08 27 01 00 	cmpl   $0x127,0x8(%rsp)
    16ba:	00 
    16bb:	0f 84 c6 00 00 00    	je     1787 <phase_3+0x14f>
    16c1:	e8 84 06 00 00       	call   1d4a <explode_bomb>
    16c6:	b8 61 00 00 00       	mov    $0x61,%eax
    16cb:	e9 b7 00 00 00       	jmp    1787 <phase_3+0x14f>
    16d0:	b8 78 00 00 00       	mov    $0x78,%eax
    16d5:	81 7c 24 08 e7 02 00 	cmpl   $0x2e7,0x8(%rsp)
    16dc:	00 
    16dd:	0f 84 a4 00 00 00    	je     1787 <phase_3+0x14f>
    16e3:	e8 62 06 00 00       	call   1d4a <explode_bomb>
    16e8:	b8 78 00 00 00       	mov    $0x78,%eax
    16ed:	e9 95 00 00 00       	jmp    1787 <phase_3+0x14f>
    16f2:	b8 64 00 00 00       	mov    $0x64,%eax
    16f7:	81 7c 24 08 80 02 00 	cmpl   $0x280,0x8(%rsp)
    16fe:	00 
    16ff:	0f 84 82 00 00 00    	je     1787 <phase_3+0x14f>
    1705:	e8 40 06 00 00       	call   1d4a <explode_bomb>
    170a:	b8 64 00 00 00       	mov    $0x64,%eax
    170f:	eb 76                	jmp    1787 <phase_3+0x14f>
    1711:	b8 6d 00 00 00       	mov    $0x6d,%eax
    1716:	81 7c 24 08 ff 02 00 	cmpl   $0x2ff,0x8(%rsp)
    171d:	00 
    171e:	74 67                	je     1787 <phase_3+0x14f>
    1720:	e8 25 06 00 00       	call   1d4a <explode_bomb>
    1725:	b8 6d 00 00 00       	mov    $0x6d,%eax
    172a:	eb 5b                	jmp    1787 <phase_3+0x14f>
    172c:	b8 71 00 00 00       	mov    $0x71,%eax
    1731:	81 7c 24 08 75 03 00 	cmpl   $0x375,0x8(%rsp)
    1738:	00 
    1739:	74 4c                	je     1787 <phase_3+0x14f>
    173b:	e8 0a 06 00 00       	call   1d4a <explode_bomb>
    1740:	b8 71 00 00 00       	mov    $0x71,%eax
    1745:	eb 40                	jmp    1787 <phase_3+0x14f>
    1747:	b8 79 00 00 00       	mov    $0x79,%eax
    174c:	81 7c 24 08 94 02 00 	cmpl   $0x294,0x8(%rsp)
    1753:	00 
    1754:	74 31                	je     1787 <phase_3+0x14f>
    1756:	e8 ef 05 00 00       	call   1d4a <explode_bomb>
    175b:	b8 79 00 00 00       	mov    $0x79,%eax
    1760:	eb 25                	jmp    1787 <phase_3+0x14f>
    1762:	b8 79 00 00 00       	mov    $0x79,%eax
    1767:	81 7c 24 08 88 02 00 	cmpl   $0x288,0x8(%rsp)
    176e:	00 
    176f:	74 16                	je     1787 <phase_3+0x14f>
    1771:	e8 d4 05 00 00       	call   1d4a <explode_bomb>
    1776:	b8 79 00 00 00       	mov    $0x79,%eax
    177b:	eb 0a                	jmp    1787 <phase_3+0x14f>
    177d:	e8 c8 05 00 00       	call   1d4a <explode_bomb>
    1782:	b8 68 00 00 00       	mov    $0x68,%eax
    1787:	38 44 24 07          	cmp    %al,0x7(%rsp)
    178b:	75 05                	jne    1792 <phase_3+0x15a>
    178d:	48 83 c4 18          	add    $0x18,%rsp
    1791:	c3                   	ret    
    1792:	e8 b3 05 00 00       	call   1d4a <explode_bomb>
    1797:	eb f4                	jmp    178d <phase_3+0x155>
```

```shell
...
    165b:	e8 80 fc ff ff       	call   12e0 <__isoc99_sscanf@plt>
...
```

We can see that `scanf` is being called which means we need to figure out what datatype(s) the program is expecting.

Because I do not want to enter the solutions to phases 1 and 2 again and again, I am goig to pass a file which has these solutions.

```shell
joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_3' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt 
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./bomb...
Breakpoint 1 at 0x1638
Breakpoint 2 at 0x1d4a
Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2.  Keep going!
random string

Breakpoint 1, 0x0000555555555638 in phase_3 ()
(gdb) disas
Dump of assembler code for function phase_3:
=> 0x0000555555555638 <+0>:     endbr64 
   0x000055555555563c <+4>:     sub    $0x18,%rsp
   0x0000555555555640 <+8>:     lea    0x7(%rsp),%rcx
   0x0000555555555645 <+13>:    lea    0xc(%rsp),%rdx
   0x000055555555564a <+18>:    lea    0x8(%rsp),%r8
   0x000055555555564f <+23>:    lea    0x1b60(%rip),%rsi        # 0x5555555571b6
   0x0000555555555656 <+30>:    mov    $0x0,%eax
   0x000055555555565b <+35>:    call   0x5555555552e0 <__isoc99_sscanf@plt>
   0x0000555555555660 <+40>:    cmp    $0x2,%eax
   0x0000555555555663 <+43>:    jle    0x555555555685 <phase_3+77>
   0x0000555555555665 <+45>:    cmpl   $0x7,0xc(%rsp)
   0x000055555555566a <+50>:    ja     0x55555555577d <phase_3+325>
   0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax
   0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0
   0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax
   0x000055555555567f <+71>:    add    %rdx,%rax
   0x0000555555555682 <+74>:    notrack jmp *%rax
   0x0000555555555685 <+77>:    call   0x555555555d4a <explode_bomb>
   0x000055555555568a <+82>:    jmp    0x555555555665 <phase_3+45>
   0x000055555555568c <+84>:    mov    $0x63,%eax
   0x0000555555555691 <+89>:    cmpl   $0x23d,0x8(%rsp)
   0x0000555555555699 <+97>:    je     0x555555555787 <phase_3+335>
   0x000055555555569f <+103>:   call   0x555555555d4a <explode_bomb>
   0x00005555555556a4 <+108>:   mov    $0x63,%eax
   0x00005555555556a9 <+113>:   jmp    0x555555555787 <phase_3+335>
--Type <RET> for more, q to quit, c to continue without paging--
```


`gdb` has thankfully marked the address which is being passed to `scanf`. We can access the value:

```shell
(gdb) x/1s 0x5555555571b6
0x5555555571b6: "%d %c %d"
(gdb) 
```

BINGO! The program expects an integer, character, and another integer. Onwards.

```shell
   0x0000555555555660 <+40>:    cmp    $0x2,%eax
   0x0000555555555663 <+43>:    jle    0x555555555685 <phase_3+77>
...
   0x0000555555555685 <+77>:    call   0x555555555d4a <explode_bomb>
```

The program checks whether `scanf` returns a value <= 2, if it does then it calls the `explode_bomb` function. 

*Note: `scanf` returns the number of fields that were successfully converted and assigned*

```shell
   0x0000555555555665 <+45>:    cmpl   $0x7,0xc(%rsp)
   0x000055555555566a <+50>:    ja     0x55555555577d <phase_3+325>
...
   0x000055555555577d <+325>:   call   0x555555555d4a <explode_bomb>
```

Similarly, the program checks and ensures the returned value is not > 7. 


```shell
   0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax
   0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0
   0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax
   0x000055555555567f <+71>:    add    %rdx,%rax
   0x0000555555555682 <+74>:    notrack jmp *%rax
   0x0000555555555685 <+77>:    call   0x555555555d4a <explode_bomb>
```

* `0x0000555555555670 <+56>:    mov    0xc(%rsp),%eax` - Moves value located at `0xc` (12 in Decimal) bytes above the stack pointer to `%eax` register. 
* `0x0000555555555674 <+60>:    lea    0x1b55(%rip),%rdx        # 0x5555555571d0` - This instruction calculates an effective address by adding `0x1b55` to the current instruction pointer (`%rip`). The result is stored in the `%rdx` register. 
* `0x000055555555567b <+67>:    movslq (%rdx,%rax,4),%rax`
   * `movslq` stands for "move with sign-extension from a 32-bit value to a 64-bit value." (if the 32-bit value is negative, the 64-bit result will have all its upper 32 bits set to 1; otherwise, they'll be set to 0). 
   * `(%rdx,%rax,4)` - First start with the value in the %rdx register, then add to it the value in the %rax register multiplied by 4.
   * `%rax` - Destination Register
* `0x000055555555567f <+71>:    add    %rdx,%rax` - Adds base address in `%rdx` to the offset in `%rax` 
* `0x0000555555555682 <+74>:    notrack jmp *%rax` - Jumps to the address stored in `%rax`
* `0x0000555555555685 <+77>:    call   0x555555555d4a <explode_bomb>` - If we are unable to jump to the specified instruction, call `explode_bomb`

Let us try to run the program again with a valid input for the first number and see what the program is computing for the address.

I used the input: `3 c 123`.

To check what is the computed address, we can switch to the asm layout by running `layout asm`, and then going through instructions `ni` or `si` until we reach the line `movslq (%rdx,%rax,4),%rax`

`%rax` should hold the value 3.

```
(gdb) print $rax
$1 = 3
```

![Screenshot of GDB terminal depicting us checking the value of the instruction to be jumped to](/assets/bomb-lab/phase-3.png)

We can see that this makes us jump to `<phase_3+186>` (Continue to step through the code by using `ni`)

```shell
   0x00005555555556f2 <+186>:   mov    $0x64,%eax
   0x00005555555556f7 <+191>:   cmpl   $0x280,0x8(%rsp)
   0x00005555555556ff <+199>:   je     0x555555555787 <phase_3+335>
   0x0000555555555705 <+205>:   call   0x555555555d4a <explode_bomb>
```

We see that `0x64` (Decimal 100) is being stored in `%eax`. Then, the program compares `0x280` (Decimal 640) with memory address `0x8` bytes above the stack pointer (`%rsp`). If the values are equal, then it jumps to `<phase_3+335>`, otherwise `explode_bomb` is called.

```shell
   0x0000555555555787 <+335>:   cmp    %al,0x7(%rsp)
   0x000055555555578b <+339>:   jne    0x555555555792 <phase_3+346>
   0x000055555555578d <+341>:   add    $0x18,%rsp
   0x0000555555555791 <+345>:   ret    
   0x0000555555555792 <+346>:   call   0x555555555d4a <explode_bomb>
```

Here, the program is comparing the value of our given character to the value stored in `%al` (lower 8 bits of `EAX`), and checks if they are not equal.

Knowing that the character is stored at an offset of 7 bytes to `%rsp`, we can print and check the value by running:

```shell
(gdb) x/1cw $rsp+7
c
(gdb) print $al
$1 = 100
```

We can simply lookup the [ASCII table](https://www.cs.cmu.edu/~pattis/15-1XX/common/handouts/ascii.html), and see that 100 in decimal stands for the character `d`. Let us try this answer:

```shell
...
That's number 2.  Keep going!
3 d 640

Breakpoint 1, 0x0000555555555638 in phase_3 ()
(gdb) continue
Continuing.
Halfway there!
```

## Phase 4

```shell
joxxxn@jupyter-nxxh6xx8:~/lab2-bomblab-navanchauhan/bombbomb$ gdb -ex 'break phase_4' -ex 'break explode_bomb' -ex 'run' -args ./bomb sol.txt 
GNU gdb (Ubuntu 12.1-0ubuntu1~22.04) 12.1
Copyright (C) 2022 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./bomb...
Breakpoint 1 at 0x17d3
Breakpoint 2 at 0x1d4a
Starting program: /home/joxxxn/lab2-bomblab-navanchauhan/bombbomb/bomb sol.txt
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Welcome to my fiendish little bomb. You have 6 phases with
which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2.  Keep going!
Halfway there!
test string

Breakpoint 1, 0x00005555555557d3 in phase_4 ()
(gdb) disas phase_4
Dump of assembler code for function phase_4:
=> 0x00005555555557d3 <+0>:     endbr64 
   0x00005555555557d7 <+4>:     sub    $0x18,%rsp
   0x00005555555557db <+8>:     lea    0x8(%rsp),%rcx
   0x00005555555557e0 <+13>:    lea    0xc(%rsp),%rdx
   0x00005555555557e5 <+18>:    lea    0x1bba(%rip),%rsi        # 0x5555555573a6
   0x00005555555557ec <+25>:    mov    $0x0,%eax
   0x00005555555557f1 <+30>:    call   0x5555555552e0 <__isoc99_sscanf@plt>
   0x00005555555557f6 <+35>:    cmp    $0x2,%eax
   0x00005555555557f9 <+38>:    jne    0x555555555802 <phase_4+47>
   0x00005555555557fb <+40>:    cmpl   $0xe,0xc(%rsp)
   0x0000555555555800 <+45>:    jbe    0x555555555807 <phase_4+52>
   0x0000555555555802 <+47>:    call   0x555555555d4a <explode_bomb>
   0x0000555555555807 <+52>:    mov    $0xe,%edx
   0x000055555555580c <+57>:    mov    $0x0,%esi
   0x0000555555555811 <+62>:    mov    0xc(%rsp),%edi
   0x0000555555555815 <+66>:    call   0x555555555799 <func4>
   0x000055555555581a <+71>:    cmp    $0x2,%eax
   0x000055555555581d <+74>:    jne    0x555555555826 <phase_4+83>
   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
   0x0000555555555824 <+81>:    je     0x55555555582b <phase_4+88>
   0x0000555555555826 <+83>:    call   0x555555555d4a <explode_bomb>
   0x000055555555582b <+88>:    add    $0x18,%rsp
   0x000055555555582f <+92>:    ret    
End of assembler dump.
(gdb) 
```

Again, `gdb` has marked the string being passed to `scanf`

```shell
(gdb) x/1s 0x5555555573a6
0x5555555573a6: "%d %d"
```

Okay, so this time we are supposed to enter 2 numbers.

```shell
   0x00005555555557f6 <+35>:    cmp    $0x2,%eax
   0x00005555555557f9 <+38>:    jne    0x555555555802 <phase_4+47>
```

Checks if there were 2 values read from calling `scanf`, if not -> jump to `<phase_4+47>` which calls `<explode_bomb>`.

```shell
   0x00005555555557fb <+40>:    cmpl   $0xe,0xc(%rsp)
   0x0000555555555800 <+45>:    jbe    0x555555555807 <phase_4+52>
```

Compare `0xe` (14 in Decimal) and value stored at `$rsp` + `0xc` bytes (Decimal 12). If this condition is met (<= 14), jump to `<phase_4+52>`. If not, then explode bomb.

```shell
...
   0x0000555555555807 <+52>:    mov    $0xe,%edx
   0x000055555555580c <+57>:    mov    $0x0,%esi
   0x0000555555555811 <+62>:    mov    0xc(%rsp),%edi
   0x0000555555555815 <+66>:    call   0x555555555799 <func4>
   0x000055555555581a <+71>:    cmp    $0x2,%eax
   0x000055555555581d <+74>:    jne    0x555555555826 <phase_4+83>
   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
   0x0000555555555824 <+81>:    je     0x55555555582b <phase_4+88>
   0x0000555555555826 <+83>:    call   0x555555555d4a <explode_bomb>
```

* `   0x0000555555555815 <+66>:    call   0x555555555799 <func4>` calls another function called `func4`
* The returned value is compared with `0x2`, if they are not equal then the program jumps to call `<explode_bomb>`. This tells us that `func4` should return 2.

Let us look into `func4`

```shell
(gdb) disas func4
Dump of assembler code for function func4:
   0x0000555555555799 <+0>:     endbr64 
   0x000055555555579d <+4>:     sub    $0x8,%rsp
   0x00005555555557a1 <+8>:     mov    %edx,%ecx
   0x00005555555557a3 <+10>:    sub    %esi,%ecx
   0x00005555555557a5 <+12>:    shr    %ecx
   0x00005555555557a7 <+14>:    add    %esi,%ecx
   0x00005555555557a9 <+16>:    cmp    %edi,%ecx
   0x00005555555557ab <+18>:    ja     0x5555555557b9 <func4+32>
   0x00005555555557ad <+20>:    mov    $0x0,%eax
   0x00005555555557b2 <+25>:    jb     0x5555555557c5 <func4+44>
   0x00005555555557b4 <+27>:    add    $0x8,%rsp
   0x00005555555557b8 <+31>:    ret    
   0x00005555555557b9 <+32>:    lea    -0x1(%rcx),%edx
   0x00005555555557bc <+35>:    call   0x555555555799 <func4>
   0x00005555555557c1 <+40>:    add    %eax,%eax
   0x00005555555557c3 <+42>:    jmp    0x5555555557b4 <func4+27>
   0x00005555555557c5 <+44>:    lea    0x1(%rcx),%esi
   0x00005555555557c8 <+47>:    call   0x555555555799 <func4>
   0x00005555555557cd <+52>:    lea    0x1(%rax,%rax,1),%eax
   0x00005555555557d1 <+56>:    jmp    0x5555555557b4 <func4+27>
```

This looks like a recursive function :(  (I hate recursive functions)

Let's annotate the instructions.

```shell
endbr64
sub $0x8,%rsp  // subtract 8 bytes from the stack pointer
mov %edx,%ecx  // Move the value in register %edx to %ecx
sub %esi,%ecx  // Subtract the value in %esi from %ecx
shr %ecx       // Right shift the value in %ecx by one bit (dividing the value by 2)
add %esi,%ecx  // Add the value in %esi to %ecx
cmp %edi,%ecx  // Compare
ja 0x5555555557b9 <func4+32> // If %ecx > %edi -> jump to instruction at offset +32
mov $0x0,%eax  // Move 0 to %eax
jb 0x5555555557c5 <func4+44> // If %ecx < %edi -> jump to instruction at offset +44.
add $0x8,%rsp  // add 8 bytes to the stack pointer
ret            // return
lea -0x1(%rcx),%edx // LEA of $rxc - 1 into $edx
call 0x555555555799 <func4> // Call itself
add %eax,%eax  // Double the value in %eax
jmp 0x5555555557b4 <func4+27> // jump to the instruction at offset +27
lea 0x1(%rcx),%esi
call 0x555555555799 <func4>
lea 0x1(%rax,%rax,1),%eax // LEA of %rax * 2 + 1 into $eax 
jmp 0x5555555557b4 <func4+27>
```

We can either try to compute the values by hand, or write a simple script in Python to get the answer.

```python
def func4(edi, esi=0, edx=20):
    ecx = (edx - esi) // 2 + esi
    if ecx > edi:
        return 2 * func4(edi, esi, ecx - 1)
    elif ecx < edi:
        return 2 * func4(edi, ecx + 1, edx) + 1
    else:
        return 0

for x in range(15): # We can limit to 14
   if func4(x) == 2:
      print(f"answer is {x}")
      break
```

Running this code, we get: `answer is 5`

Okay, so we know that the number needed to be passed to `func4` is 5. But, what about the second digit?

If we go back to the code for `<phase_4>`, we can see that:

```shell
   0x000055555555581f <+76>:    cmpl   $0x2,0x8(%rsp)
   0x0000555555555824 <+81>:    je     0x55555555582b <phase_4+88>
```

The value at `$rsp+8` should be equal to 2. So, let us try passing `5 2` as our input.

```shell
...
Phase 1 defused. How about the next one?
That's number 2.  Keep going!
Halfway there!
5 2

Breakpoint 1, 0x00005555555557d3 in phase_4 ()
(gdb) continue
Continuing.
So you got that one.  Try this one.
```

## Phase 5

```shell
So you got that one.  Try this one.
test string

Breakpoint 1, 0x0000555555555830 in phase_5 ()
(gdb) disas phase_5
Dump of assembler code for function phase_5:
=> 0x0000555555555830 <+0>:     endbr64 
   0x0000555555555834 <+4>:     push   %rbx
   0x0000555555555835 <+5>:     sub    $0x10,%rsp
   0x0000555555555839 <+9>:     mov    %rdi,%rbx
   0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
   0x0000555555555841 <+17>:    cmp    $0x6,%eax
   0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
   0x0000555555555846 <+22>:    mov    $0x0,%eax
   0x000055555555584b <+27>:    lea    0x199e(%rip),%rcx        # 0x5555555571f0 <array.0>
   0x0000555555555852 <+34>:    movzbl (%rbx,%rax,1),%edx
   0x0000555555555856 <+38>:    and    $0xf,%edx
   0x0000555555555859 <+41>:    movzbl (%rcx,%rdx,1),%edx
   0x000055555555585d <+45>:    mov    %dl,0x9(%rsp,%rax,1)
   0x0000555555555861 <+49>:    add    $0x1,%rax
   0x0000555555555865 <+53>:    cmp    $0x6,%rax
   0x0000555555555869 <+57>:    jne    0x555555555852 <phase_5+34>
   0x000055555555586b <+59>:    movb   $0x0,0xf(%rsp)
   0x0000555555555870 <+64>:    lea    0x9(%rsp),%rdi
   0x0000555555555875 <+69>:    lea    0x1943(%rip),%rsi        # 0x5555555571bf
   0x000055555555587c <+76>:    call   0x555555555b31 <strings_not_equal>
   0x0000555555555881 <+81>:    test   %eax,%eax
   0x0000555555555883 <+83>:    jne    0x555555555892 <phase_5+98>
   0x0000555555555885 <+85>:    add    $0x10,%rsp
   0x0000555555555889 <+89>:    pop    %rbx
   0x000055555555588a <+90>:    ret    
   0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
   0x0000555555555890 <+96>:    jmp    0x555555555846 <phase_5+22>
   0x0000555555555892 <+98>:    call   0x555555555d4a <explode_bomb>
   0x0000555555555897 <+103>:   jmp    0x555555555885 <phase_5+85>
End of assembler dump.
(gdb) 
```

```shell
...
   0x000055555555583c <+12>:    call   0x555555555b10 <string_length>
   0x0000555555555841 <+17>:    cmp    $0x6,%eax
   0x0000555555555844 <+20>:    jne    0x55555555588b <phase_5+91>
...
   0x000055555555588b <+91>:    call   0x555555555d4a <explode_bomb>
...
```

First things first, these instructions check to make sure the passed string is of length 6, otherwise `explode_bomb` is called.

We can also see a similar pattern compared to Phase 2, where we had a loop:

* The looping part:
   * `mov $0x0,%eax` - Initialise `%eax` and set it to 0 (our counter/iterator)
   * `movzbl (%rbx,%rax,1),%edx` - Access `%rbx + 1 * %rax` and store it in `%edx`
   * `and $0xf,%edx` - Take the least significant 4 bits of the byte.
   * `movzbl (%rcx,%rdx,1),%edx` - Use the 4 bits as an index into another array and load the corresponding byte into `%edx`
   * `mov %dl,0x9(%rsp,%rax,1)` - Store the transformed byte into a buffer on the stack
   * `add $0x1,%rax` - Increment `%rax`
   * `cmp    $0x6,%rax` - If the index is not yet 6, loop again
* `movb $0x0,0xf(%rsp)` - Null-terminate the transformed string
* `lea 0x9(%rsp),%rdi` and `lea 0x1943(%rip),%rsi` 
* `all 0x555555555b31 <strings_not_equal>` check if the two strings loaded up just before this are equal or not.

We can check the reference string we need, which `gdb` has marked as `# 0x5555555571bf`, and the lookup table marked as `# 0x5555555571f0 <array.0>`

```shell
(gdb) x/s 0x5555555571bf
0x5555555571bf: "bruins"
(gdb) x/s 0x5555555571f0
0x5555555571f0 <array.0>:       "maduiersnfotvbylSo you think you can stop the bomb with ctrl-c, do you?"
(gdb) 
```

To summarize the transformation process:

* The function takes each byte of the string
* It keeps only the least significant 4 bits of each byte
* It uses these 4 bits as an index into the lookup table (`array.0`)
* The value from the array is then stored in a buffer

Here's how the transformation process can be reversed for each character in "bruins":
1. Find the index of `b` in the lookup table (in our case, it is 13 since we index starting 0)
2. Calculate binary representation of this index (in our case 13 can be written as 1101 in binary)
3. Find ASCII character whose least significant 4 bits match (in our case, `m` has binary representation `01101101`)

Repeat for all 6 characters

*Hint: Using an [ASCII - Binary Table](http://sticksandstones.kstrom.com/appen.html) can save you time.* 

Thus, we can have the following transformation:

```
b -> m
r -> f 
u -> c
i -> d
n -> h
s -> g
```


Let us try out this answer:

```shell
...
That's number 2.  Keep going!
Halfway there!
So you got that one.  Try this one.
mfcdhg

Breakpoint 1, 0x0000555555555830 in phase_5 ()
(gdb) continue
Continuing.
Good work!  On to the next...
```

Awesome!

## Phase 6

```shell
Good work!  On to the next...
test string

Breakpoint 1, 0x0000555555555899 in phase_6 ()
(gdb) disas phase_6
Dump of assembler code for function phase_6:
=> 0x0000555555555899 <+0>:     endbr64 
   0x000055555555589d <+4>:     push   %r15
   0x000055555555589f <+6>:     push   %r14
   0x00005555555558a1 <+8>:     push   %r13
   0x00005555555558a3 <+10>:    push   %r12
   0x00005555555558a5 <+12>:    push   %rbp
   0x00005555555558a6 <+13>:    push   %rbx
   0x00005555555558a7 <+14>:    sub    $0x68,%rsp
   0x00005555555558ab <+18>:    lea    0x40(%rsp),%rax
   0x00005555555558b0 <+23>:    mov    %rax,%r14
   0x00005555555558b3 <+26>:    mov    %rax,0x8(%rsp)
   0x00005555555558b8 <+31>:    mov    %rax,%rsi
   0x00005555555558bb <+34>:    call   0x555555555d97 <read_six_numbers>
   0x00005555555558c0 <+39>:    mov    %r14,%r12
   0x00005555555558c3 <+42>:    mov    $0x1,%r15d
   0x00005555555558c9 <+48>:    mov    %r14,%r13
   0x00005555555558cc <+51>:    jmp    0x555555555997 <phase_6+254>
   0x00005555555558d1 <+56>:    call   0x555555555d4a <explode_bomb>
   0x00005555555558d6 <+61>:    jmp    0x5555555559a9 <phase_6+272>
   0x00005555555558db <+66>:    add    $0x1,%rbx
   0x00005555555558df <+70>:    cmp    $0x5,%ebx
   0x00005555555558e2 <+73>:    jg     0x55555555598f <phase_6+246>
   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax
   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase_6+66>
   0x00005555555558f2 <+89>:    call   0x555555555d4a <explode_bomb>
   0x00005555555558f7 <+94>:    jmp    0x5555555558db <phase_6+66>
   0x00005555555558f9 <+96>:    mov    0x8(%rsp),%rdx
   0x00005555555558fe <+101>:   add    $0x18,%rdx
   0x0000555555555902 <+105>:   mov    $0x7,%ecx
   0x0000555555555907 <+110>:   mov    %ecx,%eax
   0x0000555555555909 <+112>:   sub    (%r12),%eax
   0x000055555555590d <+116>:   mov    %eax,(%r12)
   0x0000555555555911 <+120>:   add    $0x4,%r12
   0x0000555555555915 <+124>:   cmp    %r12,%rdx
   0x0000555555555918 <+127>:   jne    0x555555555907 <phase_6+110>
   0x000055555555591a <+129>:   mov    $0x0,%esi
   0x000055555555591f <+134>:   mov    0x40(%rsp,%rsi,4),%ecx
   0x0000555555555923 <+138>:   mov    $0x1,%eax
   0x0000555555555928 <+143>:   lea    0x3d01(%rip),%rdx        # 0x555555559630 <node1>
--Type <RET> for more, q to quit, c to continue without paging--
   0x000055555555592f <+150>:   cmp    $0x1,%ecx
   0x0000555555555932 <+153>:   jle    0x55555555593f <phase_6+166>
   0x0000555555555934 <+155>:   mov    0x8(%rdx),%rdx
   0x0000555555555938 <+159>:   add    $0x1,%eax
   0x000055555555593b <+162>:   cmp    %ecx,%eax
   0x000055555555593d <+164>:   jne    0x555555555934 <phase_6+155>
   0x000055555555593f <+166>:   mov    %rdx,0x10(%rsp,%rsi,8)
   0x0000555555555944 <+171>:   add    $0x1,%rsi
   0x0000555555555948 <+175>:   cmp    $0x6,%rsi
   0x000055555555594c <+179>:   jne    0x55555555591f <phase_6+134>
   0x000055555555594e <+181>:   mov    0x10(%rsp),%rbx
   0x0000555555555953 <+186>:   mov    0x18(%rsp),%rax
   0x0000555555555958 <+191>:   mov    %rax,0x8(%rbx)
   0x000055555555595c <+195>:   mov    0x20(%rsp),%rdx
   0x0000555555555961 <+200>:   mov    %rdx,0x8(%rax)
   0x0000555555555965 <+204>:   mov    0x28(%rsp),%rax
   0x000055555555596a <+209>:   mov    %rax,0x8(%rdx)
   0x000055555555596e <+213>:   mov    0x30(%rsp),%rdx
   0x0000555555555973 <+218>:   mov    %rdx,0x8(%rax)
   0x0000555555555977 <+222>:   mov    0x38(%rsp),%rax
   0x000055555555597c <+227>:   mov    %rax,0x8(%rdx)
   0x0000555555555980 <+231>:   movq   $0x0,0x8(%rax)
   0x0000555555555988 <+239>:   mov    $0x5,%ebp
   0x000055555555598d <+244>:   jmp    0x5555555559c4 <phase_6+299>
   0x000055555555598f <+246>:   add    $0x1,%r15
   0x0000555555555993 <+250>:   add    $0x4,%r14
   0x0000555555555997 <+254>:   mov    %r14,%rbp
   0x000055555555599a <+257>:   mov    (%r14),%eax
   0x000055555555599d <+260>:   sub    $0x1,%eax
   0x00005555555559a0 <+263>:   cmp    $0x5,%eax
   0x00005555555559a3 <+266>:   ja     0x5555555558d1 <phase_6+56>
   0x00005555555559a9 <+272>:   cmp    $0x5,%r15d
   0x00005555555559ad <+276>:   jg     0x5555555558f9 <phase_6+96>
   0x00005555555559b3 <+282>:   mov    %r15,%rbx
   0x00005555555559b6 <+285>:   jmp    0x5555555558e8 <phase_6+79>
   0x00005555555559bb <+290>:   mov    0x8(%rbx),%rbx
   0x00005555555559bf <+294>:   sub    $0x1,%ebp
   0x00005555555559c2 <+297>:   je     0x5555555559d5 <phase_6+316>
   0x00005555555559c4 <+299>:   mov    0x8(%rbx),%rax
   0x00005555555559c8 <+303>:   mov    (%rax),%eax
   0x00005555555559ca <+305>:   cmp    %eax,(%rbx)
--Type <RET> for more, q to quit, c to continue without paging--
   0x00005555555559cc <+307>:   jge    0x5555555559bb <phase_6+290>
   0x00005555555559ce <+309>:   call   0x555555555d4a <explode_bomb>
   0x00005555555559d3 <+314>:   jmp    0x5555555559bb <phase_6+290>
   0x00005555555559d5 <+316>:   add    $0x68,%rsp
   0x00005555555559d9 <+320>:   pop    %rbx
   0x00005555555559da <+321>:   pop    %rbp
   0x00005555555559db <+322>:   pop    %r12
   0x00005555555559dd <+324>:   pop    %r13
   0x00005555555559df <+326>:   pop    %r14
   0x00005555555559e1 <+328>:   pop    %r15
   0x00005555555559e3 <+330>:   ret    
End of assembler dump.
(gdb) 
```

Again, we see the familiar `read_six_digits` function.

Let us analyse this function in chunks:

```shell
   0x00005555555558bb <+34>:    call   0x555555555d97 <read_six_numbers>
   0x00005555555558c0 <+39>:    mov    %r14,%r12
   0x00005555555558c3 <+42>:    mov    $0x1,%r15d
   0x00005555555558c9 <+48>:    mov    %r14,%r13
   0x00005555555558cc <+51>:    jmp    0x555555555997 <phase_6+254>
```

1. Read six numbers
2. Initialise Registers:
   2.1. `mov %r14,%r12`: `%r14` should be pointing to the location of the stack where the numbers were read into. This address is copied onto `%r12`
   2.2. `mov $0x1,%r15d`: The value `1` is moved into `%r15` register (probably acting like a counter)
   2.3. `mov %r14,%r13`: The value is also copied to `%r13`
3. Jump to start of loop:

```shell
   0x0000555555555997 <+254>:   mov    %r14,%rbp
   0x000055555555599a <+257>:   mov    (%r14),%eax
   0x000055555555599d <+260>:   sub    $0x1,%eax
   0x00005555555559a0 <+263>:   cmp    $0x5,%eax
   0x00005555555559a3 <+266>:   ja     0x5555555558d1 <phase_6+56>
```

1. Initialise register and point to first number in sequence
2. Adjust number(s):
   2.1. `mov (%r14),%eax` -> load the current number in the sequence
   2.2. `sub $0x1,%eax` -> decrement number by 1
3. Validation
   3.1. `cmp $0x5,%eax`: This compares the adjusted value in `%eax` with 5.
   3.2. `ja 0x5555555558d1 <phase_6+56>`: jump if given value is > 5 or < 0

=> All numbers should be between 1 and 6.

```shell
   0x00005555555559a9 <+272>:   cmp    $0x5,%r15d
   0x00005555555559ad <+276>:   jg     0x5555555558f9 <phase_6+96>
```

This checks if the value stored in `%r15` is > 5, if it is then it jumps somewhere else. This validates our assumption that `%r15` is acting as a counter.

```shell
   0x00005555555559b3 <+282>:   mov    %r15,%rbx
   0x00005555555559b6 <+285>:   jmp    0x5555555558e8 <phase_6+79>
```

Let us jump to +79

```shell
   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax
   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase_6+66>
   0x00005555555558f2 <+89>:    call   0x555555555d4a <explode_bomb>
   0x00005555555558f7 <+94>:    jmp    0x5555555558db <phase_6+66>
```

This section deals with checking if all the numbers in the sequence are unique or not. Thus, we need to ensure out 6 digits are unique

```shell
   0x00005555555558db <+66>:    add    $0x1,%rbx // Increments by 1
   0x00005555555558df <+70>:    cmp    $0x5,%ebx 
   0x00005555555558e2 <+73>:    jg     0x55555555598f <phase_6+246> // Jump if > 5 (Loop iterations are complete)
   0x00005555555558e8 <+79>:    mov    0x0(%r13,%rbx,4),%eax 
   0x00005555555558ed <+84>:    cmp    %eax,0x0(%rbp)
   0x00005555555558f0 <+87>:    jne    0x5555555558db <phase_6+66> // Again, check if the number being seen is unique
```

Now we know that the numbers are unique, between 1-6 (inclusive).

After stepping through the instructions, we can also see that the numbers are being transformed:
* By subtracting it from 7 (mov $0x7,%ecx followed by sub (%r12),%eax)
* This effectively maps the numbers as follows: 1 to 6, 2 to 5, 3 to 4, 4 to 3, 5 to 2, and 6 to 1.

Let us try to figure out what `   0x0000555555555928 <+143>:   lea    0x3d01(%rip),%rdx        # 0x555555559630 <node1>` is:

```shell
(gdb) x/30wx 0x555555559630
0x555555559630 <node1>: 0x000000d9      0x00000001      0x55559640      0x00005555
0x555555559640 <node2>: 0x000003ab      0x00000002      0x55559650      0x00005555
0x555555559650 <node3>: 0x0000014f      0x00000003      0x55559660      0x00005555
0x555555559660 <node4>: 0x000000a1      0x00000004      0x55559670      0x00005555
0x555555559670 <node5>: 0x000001b3      0x00000005      0x55559120      0x00005555
0x555555559680 <host_table>:    0x555573f5      0x00005555      0x5555740f      0x00005555
0x555555559690 <host_table+16>: 0x55557429      0x00005555      0x00000000      0x00000000
0x5555555596a0 <host_table+32>: 0x00000000      0x00000000
(gdb) x/30wx 0x555555559120
0x555555559120 <node6>: 0x000002da      0x00000006      0x00000000      0x00000000
0x555555559130: 0x00000000      0x00000000      0x00000000      0x00000000
0x555555559140 <userid>:        0x61767861      0x38383535      0x00000000      0x00000000
0x555555559150 <userid+16>:     0x00000000      0x00000000      0x00000000      0x00000000
0x555555559160 <userid+32>:     0x00000000      0x00000000      0x00000000      0x00000000
0x555555559170 <userid+48>:     0x00000000      0x00000000      0x00000000      0x00000000
0x555555559180 <userid+64>:     0x00000000      0x00000000      0x00000000      0x00000000
0x555555559190 <userid+80>:     0x00000000      0x00000000
(gdb) 
```

It appears that this is a linked list. With roughly the following structure:

```cpp
struct node {
    int value;
    int index;
    struct node *next;
};
```

Let us convert the values into decimal:

```
0x000000d9 -> 217
0x000003ab -> 939
0x0000014f -> 335
0x000000a1 -> 161
0x000001b3 -> 435
0x000002da -> 730
```

**Missing Notes**

To re-arrange this linked list in descending order, we would arrange it as follows:

```
Node 2 -> Node 6 -> Node 5 -> Node 3 -> Node 1 -> Node 4
```

Since we also need to apply the transformation: `7 - x`:

```
(7-2) -> (7-6) -> ... -> (7-4) 
```

Final answer: `5 1 2 4 6 3`

Let us try the answer:

```
...
That's number 2.  Keep going!
Halfway there!
So you got that one.  Try this one.
Good work!  On to the next...
5 1 2 4 6 3

Breakpoint 1, 0x0000555555555899 in phase_6 ()
(gdb) continue
Continuing.
Congratulations! You've defused the bomb!
Your instructor has been notified and will verify your solution.
[Inferior 1 (process 1754) exited normally]
```

But, what about the secret phase?