Last time we finished phase 1. Now let's move on.
As before, we set a breakpoint on explode_bomb() for safety, so a wrong guess never actually reaches it.

Here is the assembly code of phase_2:

0000000000400efc <phase_2>:
  400efc:       55                      push   %rbp
  400efd:       53                      push   %rbx
  400efe:       48 83 ec 28             sub    $0x28,%rsp
  400f02:       48 89 e6                mov    %rsp,%rsi
  400f05:       e8 52 05 00 00          callq  40145c <read_six_numbers>
  400f0a:       83 3c 24 01             cmpl   $0x1,(%rsp)
  400f0e:       74 20                   je     400f30 <phase_2+0x34>
  400f10:       e8 25 05 00 00          callq  40143a <explode_bomb>
  400f15:       eb 19                   jmp    400f30 <phase_2+0x34>
  400f17:       8b 43 fc                mov    -0x4(%rbx),%eax
  400f1a:       01 c0                   add    %eax,%eax
  400f1c:       39 03                   cmp    %eax,(%rbx)
  400f1e:       74 05                   je     400f25 <phase_2+0x29>
  400f20:       e8 15 05 00 00          callq  40143a <explode_bomb>
  400f25:       48 83 c3 04             add    $0x4,%rbx
  400f29:       48 39 eb                cmp    %rbp,%rbx
  400f2c:       75 e9                   jne    400f17 <phase_2+0x1b>
  400f2e:       eb 0c                   jmp    400f3c <phase_2+0x40>
  400f30:       48 8d 5c 24 04          lea    0x4(%rsp),%rbx
  400f35:       48 8d 6c 24 18          lea    0x18(%rsp),%rbp
  400f3a:       eb db                   jmp    400f17 <phase_2+0x1b>
  400f3c:       48 83 c4 28             add    $0x28,%rsp
  400f40:       5b                      pop    %rbx
  400f41:       5d                      pop    %rbp
  400f42:       c3                      retq
This function calls two functions. One is read_six_numbers, the other is explode_bomb. We also need to know how “read_six_numbers()” works.
000000000040145c <read_six_numbers>:
  40145c:       48 83 ec 18             sub    $0x18,%rsp
  401460:       48 89 f2                mov    %rsi,%rdx
  401463:       48 8d 4e 04             lea    0x4(%rsi),%rcx
  401467:       48 8d 46 14             lea    0x14(%rsi),%rax
  40146b:       48 89 44 24 08          mov    %rax,0x8(%rsp)
  401470:       48 8d 46 10             lea    0x10(%rsi),%rax
  401474:       48 89 04 24             mov    %rax,(%rsp)
  401478:       4c 8d 4e 0c             lea    0xc(%rsi),%r9
  40147c:       4c 8d 46 08             lea    0x8(%rsi),%r8
  401480:       be c3 25 40 00          mov    $0x4025c3,%esi
  401485:       b8 00 00 00 00          mov    $0x0,%eax
  40148a:       e8 61 f7 ff ff          callq  400bf0 <__isoc99_sscanf@plt>
  40148f:       83 f8 05                cmp    $0x5,%eax
  401492:       7f 05                   jg     401499 <read_six_numbers+0x3d>
  401494:       e8 a1 ff ff ff          callq  40143a <explode_bomb>
  401499:       48 83 c4 18             add    $0x18,%rsp
  40149d:       c3                      retq

It calls sscanf() with a format string at 0x4025c3 and six destination pointers: %rsi, %rsi+0x4, %rsi+0x8, %rsi+0xc (in registers) and %rsi+0x10, %rsi+0x14 (pushed on the stack). sscanf returns the number of successful conversions in %eax; if that is not greater than 5, i.e. fewer than six numbers were read, it calls explode_bomb(). So back to phase_2. To avoid exploding the bomb, the first number at (%rsp) must be 1. Then it jumps to 400f30. Since phase_2 passes %rsp as %rsi to read_six_numbers, the six numbers are stored on phase_2's stack frame.
Then we analyze the rest of phase_2.

At 400f30:
  %rbx = %rsp + 0x4  = %rsp + 4   (address of the second number)
  %rbp = %rsp + 0x18 = %rsp + 24  (one past the sixth number)
Then it jumps to 400f17.

400f17:
  %eax = (%rbx - 4)               (the previous number)
  %eax *= 2
  compare %eax with (%rbx)        (the current number)
  if equal, go to 400f25 (skip explode_bomb)
  else bomb!!!!
400f25:
  %rbx += 4                       (advance to the next number)
  compare %rbx with %rbp
  if equal, return
  else go back to 400f17
So far, we can see that this is a loop structure! The stack addressed by %rsp holds the six numbers, %rbx walks through them and serves as the loop counter, and %rbp marks where the loop stops. %eax is a temporary variable: it holds twice the previous number, and the cmp against (%rbx) tests whether each number is twice the one before it. We already know the first number is 1. So our input is 1, 2, 4, 8, 16, 32. Let's try!
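To check the reasoning, here is a C reconstruction of phase_2 read off the two disassemblies above. It is an added example, not the bomb's own source: the format string at 0x4025c3 is not shown on the page, so "%d %d %d %d %d %d" is an assumption, and a failed check returns 0 instead of calling explode_bomb() so any input can be tested safely.

```c
#include <stdio.h>

/* Mirrors read_six_numbers: sscanf into the caller's int[6] on the stack.
 * ASSUMPTION: the format string at 0x4025c3 is "%d %d %d %d %d %d"
 * (six %d conversions, matching the six destination pointers). */
static int read_six_numbers(const char *input, int nums[6])
{
    int n = sscanf(input, "%d %d %d %d %d %d",
                   &nums[0], &nums[1], &nums[2], &nums[3], &nums[4], &nums[5]);
    return n > 5;   /* cmp $0x5,%eax ; jg -> ok, otherwise explode_bomb */
}

/* Mirrors phase_2: returns 1 if the input would defuse, 0 if it would explode. */
int phase_2_check(const char *input)
{
    int nums[6];
    if (!read_six_numbers(input, nums))
        return 0;                     /* fewer than six numbers read */
    if (nums[0] != 1)                 /* cmpl $0x1,(%rsp) */
        return 0;
    /* %rbx starts at &nums[1], %rbp at &nums[6]; each element must be twice
     * the previous one: mov -0x4(%rbx),%eax ; add %eax,%eax ; cmp %eax,(%rbx) */
    for (int *p = &nums[1]; p != &nums[6]; p++) {
        if (*p != 2 * *(p - 1))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* constructed sample inputs */
    printf("%d\n", phase_2_check("1 2 4 8 16 32"));  /* 1: defused */
    printf("%d\n", phase_2_check("1 2 4 8 16 31"));  /* 0: last number wrong */
    printf("%d\n", phase_2_check("2 4 8 16 32 64")); /* 0: first number not 1 */
    printf("%d\n", phase_2_check("1 2 4"));          /* 0: too few numbers */
    return 0;
}
```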

Yes! We are right! Keep going!
The key of phase 1: Border relations with Canada have never been better.
The key of phase 2: 1 2 4 8 16 32
Bye!
