Phase_6
Here is the code of phase_6
00000000004010f4 <phase_6>:
4010f4: 41 56 push %r14
4010f6: 41 55 push %r13
4010f8: 41 54 push %r12
4010fa: 55 push %rbp
4010fb: 53 push %rbx
4010fc: 48 83 ec 50 sub $0x50,%rsp
401100: 49 89 e5 mov %rsp,%r13
401103: 48 89 e6 mov %rsp,%rsi
401106: e8 51 03 00 00 callq 40145c <read_six_numbers>
40110b: 49 89 e6 mov %rsp,%r14
40110e: 41 bc 00 00 00 00 mov $0x0,%r12d
401114: 4c 89 ed mov %r13,%rbp
401117: 41 8b 45 00 mov 0x0(%r13),%eax
40111b: 83 e8 01 sub $0x1,%eax
40111e: 83 f8 05 cmp $0x5,%eax
401121: 76 05 jbe 401128 <phase_6+0x34>
401123: e8 12 03 00 00 callq 40143a <explode_bomb>
401128: 41 83 c4 01 add $0x1,%r12d
40112c: 41 83 fc 06 cmp $0x6,%r12d
401130: 74 21 je 401153 <phase_6+0x5f>
401132: 44 89 e3 mov %r12d,%ebx
401135: 48 63 c3 movslq %ebx,%rax
401138: 8b 04 84 mov (%rsp,%rax,4),%eax
40113b: 39 45 00 cmp %eax,0x0(%rbp)
40113e: 75 05 jne 401145 <phase_6+0x51>
401140: e8 f5 02 00 00 callq 40143a <explode_bomb>
401145: 83 c3 01 add $0x1,%ebx
401148: 83 fb 05 cmp $0x5,%ebx
40114b: 7e e8 jle 401135 <phase_6+0x41>
40114d: 49 83 c5 04 add $0x4,%r13
401151: eb c1 jmp 401114 <phase_6+0x20>
401153: 48 8d 74 24 18 lea 0x18(%rsp),%rsi
401158: 4c 89 f0 mov %r14,%rax
40115b: b9 07 00 00 00 mov $0x7,%ecx
401160: 89 ca mov %ecx,%edx
401162: 2b 10 sub (%rax),%edx
401164: 89 10 mov %edx,(%rax)
401166: 48 83 c0 04 add $0x4,%rax
40116a: 48 39 f0 cmp %rsi,%rax
40116d: 75 f1 jne 401160 <phase_6+0x6c>
40116f: be 00 00 00 00 mov $0x0,%esi
401174: eb 21 jmp 401197 <phase_6+0xa3>
401176: 48 8b 52 08 mov 0x8(%rdx),%rdx
40117a: 83 c0 01 add $0x1,%eax
40117d: 39 c8 cmp %ecx,%eax
40117f: 75 f5 jne 401176 <phase_6+0x82>
401181: eb 05 jmp 401188 <phase_6+0x94>
401183: ba d0 32 60 00 mov $0x6032d0,%edx
401188: 48 89 54 74 20 mov %rdx,0x20(%rsp,%rsi,2)
40118d: 48 83 c6 04 add $0x4,%rsi
401191: 48 83 fe 18 cmp $0x18,%rsi
401195: 74 14 je 4011ab <phase_6+0xb7>
401197: 8b 0c 34 mov (%rsp,%rsi,1),%ecx
40119a: 83 f9 01 cmp $0x1,%ecx
40119d: 7e e4 jle 401183 <phase_6+0x8f>
40119f: b8 01 00 00 00 mov $0x1,%eax
4011a4: ba d0 32 60 00 mov $0x6032d0,%edx
4011a9: eb cb jmp 401176 <phase_6+0x82>
4011ab: 48 8b 5c 24 20 mov 0x20(%rsp),%rbx
4011b0: 48 8d 44 24 28 lea 0x28(%rsp),%rax
4011b5: 48 8d 74 24 50 lea 0x50(%rsp),%rsi
4011ba: 48 89 d9 mov %rbx,%rcx
4011bd: 48 8b 10 mov (%rax),%rdx
4011c0: 48 89 51 08 mov %rdx,0x8(%rcx)
4011c4: 48 83 c0 08 add $0x8,%rax
4011c8: 48 39 f0 cmp %rsi,%rax
4011cb: 74 05 je 4011d2 <phase_6+0xde>
4011cd: 48 89 d1 mov %rdx,%rcx
4011d0: eb eb jmp 4011bd <phase_6+0xc9>
4011d2: 48 c7 42 08 00 00 00 movq $0x0,0x8(%rdx)
4011d9: 00
4011da: bd 05 00 00 00 mov $0x5,%ebp
4011df: 48 8b 43 08 mov 0x8(%rbx),%rax
4011e3: 8b 00 mov (%rax),%eax
4011e5: 39 03 cmp %eax,(%rbx)
4011e7: 7d 05 jge 4011ee <phase_6+0xfa>
4011e9: e8 4c 02 00 00 callq 40143a <explode_bomb>
4011ee: 48 8b 5b 08 mov 0x8(%rbx),%rbx
4011f2: 83 ed 01 sub $0x1,%ebp
4011f5: 75 e8 jne 4011df <phase_6+0xeb>
4011f7: 48 83 c4 50 add $0x50,%rsp
4011fb: 5b pop %rbx
4011fc: 5d pop %rbp
4011fd: 41 5c pop %r12
4011ff: 41 5d pop %r13
401201: 41 5e pop %r14
401203: c3 retq
Emm… There are too many "goto"s and it looks like a pile of spaghetti… Well, we can change our approach and look for distinctive elements such as addresses or conditional branches.
Then we can find this one:
4011a4: ba d0 32 60 00 mov $0x6032d0,%edx
Then we want to see what is there.

This structure is named node1. There may be more important information below.
Let’s try more.

You can see there are six nodes, and each node has four parts. The first and second elements are integer values. The third element records the address of the next node, which means that this memory space stores a singly linked list. You may ask why the last element is 0, since it seems useless. The compiler needs to align the data, so it fills the end of the structure with 0.
So far, we have found the data structure of this program. It is a six-node singly linked list.
What's more, this phase asks us to enter six numbers, so there may be some relation between the six nodes and the numbers 1 to 6 stored in these nodes.
Emm… We have to analyze the logic now.
It’s easier to read code with my comments.
00000000004010f4 <phase_6>:
4010f4: 41 56 push %r14
4010f6: 41 55 push %r13
4010f8: 41 54 push %r12
4010fa: 55 push %rbp
4010fb: 53 push %rbx
4010fc: 48 83 ec 50 sub $0x50,%rsp # prepare stack(50)
401100: 49 89 e5 mov %rsp,%r13 # store stack(50)
401103: 48 89 e6 mov %rsp,%rsi # store stack(50)
401106: e8 51 03 00 00 callq 40145c <read_six_numbers>
40110b: 49 89 e6 mov %rsp,%r14 # store stack(input)
40110e: 41 bc 00 00 00 00 mov $0x0,%r12d # r12d = 0
# %r13 = stack(50)
# %rsi = stack(50)
# %rsp = stack(input)
# %r14 = stack(input)
# loop1, for six input numbers Begin
# this loop makes sure that, for every number you input:
# no number appears twice
# every number is less than or equal to 6
401114: 4c 89 ed mov %r13,%rbp # store stack(50)[n]
401117: 41 8b 45 00 mov 0x0(%r13),%eax # eax = stack(50)[n]
40111b: 83 e8 01 sub $0x1,%eax # eax = stack(50)[n]-1
40111e: 83 f8 05 cmp $0x5,%eax # every number is less than or equal to 6
401121: 76 05 jbe 401128 <phase_6+0x34> # (stack(50)[n]-1)<=5, skip explode_bomb
# %r12d = 0
# %rbp = store stack(50)[n]
# initialize counter and rbp
# bomb part
401123: e8 12 03 00 00 callq 40143a <explode_bomb>
#
5 4 8 2 7 1
401128: 41 83 c4 01 add $0x1,%r12d # r12d++
40112c: 41 83 fc 06 cmp $0x6,%r12d # if r12d == 6 (n is 6), break
401130: 74 21 je 401153 <phase_6+0x5f>
401132: 44 89 e3 mov %r12d,%ebx # ebx = r12d
401135: 48 63 c3 movslq %ebx,%rax # rax = ebx (sign-extended)
401138: 8b 04 84 mov (%rsp,%rax,4),%eax # eax = stack(input)[rax]
40113b: 39 45 00 cmp %eax,0x0(%rbp) # compare the rax-th element with the current element at rbp
40113e: 75 05 jne 401145 <phase_6+0x51> # *rbp != eax, no later number may equal the current one
# bomb part
401140: e8 f5 02 00 00 callq 40143a <explode_bomb>
#
401145: 83 c3 01 add $0x1,%ebx # ebx++, ebx is the counter
401148: 83 fb 05 cmp $0x5,%ebx
40114b: 7e e8 jle 401135 <phase_6+0x41> # ebx <= 5, compare with the next number
40114d: 49 83 c5 04 add $0x4,%r13 # r13 += 4, move to the next input number, n++
401151: eb c1 jmp 401114 <phase_6+0x20> # no numbers appear twice, compare one by one
# loop for six numbers input End
401153: 48 8d 74 24 18 lea 0x18(%rsp),%rsi # rsi = rsp+0x18, the end of the six input numbers
401158: 4c 89 f0 mov %r14,%rax # rax = &(stack(input)[0])
40115b: b9 07 00 00 00 mov $0x7,%ecx # ecx = 7
# loop to change input numbers
401160: 89 ca mov %ecx,%edx # edx = 7
401162: 2b 10 sub (%rax),%edx # edx = 7- stack(input)[n]
401164: 89 10 mov %edx,(%rax) # stack(input)[n] = edx
401166: 48 83 c0 04 add $0x4,%rax # rax += 4, n++
40116a: 48 39 f0 cmp %rsi,%rax
40116d: 75 f1 jne 401160 <phase_6+0x6c> # rax != rsi, keep looping
# End
# initialize offset
40116f: be 00 00 00 00 mov $0x0,%esi # esi = 0
401174: eb 21 jmp 401197 <phase_6+0xa3>
# if ecx != eax, then follow the next pointer until they are the same
401176: 48 8b 52 08 mov 0x8(%rdx),%rdx # rdx = *(rdx+8), the next node
40117a: 83 c0 01 add $0x1,%eax # eax++
40117d: 39 c8 cmp %ecx,%eax
40117f: 75 f5 jne 401176 <phase_6+0x82>
401181: eb 05 jmp 401188 <phase_6+0x94>
# they are the same; store the node address, and if rsi != 0x18, go on to the next input number
401183: ba d0 32 60 00 mov $0x6032d0,%edx # edx is the beginning of stored list
401188: 48 89 54 74 20 mov %rdx,0x20(%rsp,%rsi,2) # *(rsp+rsi*2+0x20) = rdx
40118d: 48 83 c6 04 add $0x4,%rsi # rsi += 4
401191: 48 83 fe 18 cmp $0x18,%rsi
401195: 74 14 je 4011ab <phase_6+0xb7> # rsi == 0x18, break
# first do this
401197: 8b 0c 34 mov (%rsp,%rsi,1),%ecx # ecx = *(stack(input)[]+rsi)
40119a: 83 f9 01 cmp $0x1,%ecx
40119d: 7e e4 jle 401183 <phase_6+0x8f> # ecx <= 1, go up
40119f: b8 01 00 00 00 mov $0x1,%eax # eax = 1
4011a4: ba d0 32 60 00 mov $0x6032d0,%edx # edx is the beginning of stored list
4011a9: eb cb jmp 401176 <phase_6+0x82>
# store the address of the list to stack
4011ab: 48 8b 5c 24 20 mov 0x20(%rsp),%rbx # rbx=*(stack(input)[]+20)
4011b0: 48 8d 44 24 28 lea 0x28(%rsp),%rax # rax=(stack(input)[]+28)
4011b5: 48 8d 74 24 50 lea 0x50(%rsp),%rsi # rsi=(stack(input)[]+50)
4011ba: 48 89 d9 mov %rbx,%rcx # rcx=*(stack(input)[]+20)
4011bd: 48 8b 10 mov (%rax),%rdx # rdx=*(stack(input)[]+28+(n)*8)
4011c0: 48 89 51 08 mov %rdx,0x8(%rcx) # (rcx+8)=*(stack(input)[]+20+n*8)
4011c4: 48 83 c0 08 add $0x8,%rax # rax=(stack(input)[]+28+n*8+8)
4011c8: 48 39 f0 cmp %rsi,%rax # (50) (36+n*8+8)
4011cb: 74 05 je 4011d2 <phase_6+0xde>
4011cd: 48 89 d1 mov %rdx,%rcx # rcx=rdx
4011d0: eb eb jmp 4011bd <phase_6+0xc9>
4011d2: 48 c7 42 08 00 00 00 movq $0x0,0x8(%rdx) # *(rdx+8)=0
4011d9: 00
# loop to make sure the current node's value is greater than or equal to the next node's value
4011da: bd 05 00 00 00 mov $0x5,%ebp # ebp=5
4011df: 48 8b 43 08 mov 0x8(%rbx),%rax # rax=*(rbx+8), the next node
4011e3: 8b 00 mov (%rax),%eax # eax=*(rax), the next node's value
4011e5: 39 03 cmp %eax,(%rbx) # compare *(rbx) with the next node's value
4011e7: 7d 05 jge 4011ee <phase_6+0xfa> # *(rbx) >= next value, skip explode_bomb
4011e9: e8 4c 02 00 00 callq 40143a <explode_bomb>
4011ee: 48 8b 5b 08 mov 0x8(%rbx),%rbx # rbx=(rbx+8)
4011f2: 83 ed 01 sub $0x1,%ebp # ebp--
4011f5: 75 e8 jne 4011df <phase_6+0xeb>
# loop End
4011f7: 48 83 c4 50 add $0x50,%rsp
4011fb: 5b pop %rbx
4011fc: 5d pop %rbp
4011fd: 41 5c pop %r12
4011ff: 41 5d pop %r13
401201: 41 5e pop %r14
401203: c3 retq
So we need to sort the nodes by the first element in descending order (greater first) and regard the second element as each node's ID. In the end, compute 7-ID for each node in that order and input the result as the answer.
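The logic traced above, written out in C as an added example (it is not code from the original post or from the bomb binary). The struct field names, the function names and the node values are assumptions: the values are constructed samples, since the memory dump is not reproduced on this page.

```c
#include <stddef.h>

struct node { int value; int id; struct node *next; };

/* Constructed sample values for node1..node6 (not read from the real binary). */
static const int SAMPLE_VALUES[6] = {300, 200, 900, 700, 500, 400};

/* Returns 1 where phase_6 would return normally, 0 where it calls explode_bomb. */
int phase6_check(const int input[6], const int values[6]) {
    struct node n[6], *order[6];
    int a[6];
    for (int i = 0; i < 6; i++) {            /* rebuild node1 -> ... -> node6 */
        n[i].value = values[i];
        n[i].id = i + 1;
        n[i].next = (i < 5) ? &n[i + 1] : NULL;
    }
    for (int i = 0; i < 6; i++) {            /* loop 1: range and uniqueness */
        if ((unsigned)input[i] - 1u > 5u) return 0;  /* jbe is an unsigned compare */
        for (int j = i + 1; j < 6; j++)
            if (input[i] == input[j]) return 0;
    }
    for (int i = 0; i < 6; i++) a[i] = 7 - input[i];  /* loop 2: x = 7 - x */
    for (int i = 0; i < 6; i++) {            /* loop 3: follow a[i]-1 next pointers */
        struct node *p = &n[0];
        for (int k = 1; k < a[i]; k++) p = p->next;
        order[i] = p;
    }
    for (int i = 0; i < 5; i++) order[i]->next = order[i + 1];  /* loop 4: relink */
    order[5]->next = NULL;
    for (struct node *p = order[0]; p->next; p = p->next)  /* loop 5: descending */
        if (p->value < p->next->value) return 0;
    return 1;
}

/* Solver: order the IDs by value, largest first, then emit 7 - ID. */
void phase6_solve(const int values[6], int out[6]) {
    int ids[6] = {1, 2, 3, 4, 5, 6};
    for (int i = 1; i < 6; i++)              /* insertion sort, descending */
        for (int j = i; j > 0 && values[ids[j] - 1] > values[ids[j - 1] - 1]; j--) {
            int t = ids[j]; ids[j] = ids[j - 1]; ids[j - 1] = t;
        }
    for (int i = 0; i < 6; i++) out[i] = 7 - ids[i];
}
```

With these sample values the descending order of IDs is 3 4 5 6 1 2, so the solver produces 4 3 2 1 6 5.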

Congratulations!
I will not try to do secret_phase because I need more knowledge about data structures.
And there may be a summary or not.
The key to phase 1: Border relations with Canada have never been better.
The key to phase 2: 1 2 4 8 16 32
The key to phase 3: 0 207
The key to phase 4: 0 0, 1 0, 3 0, 7 0
The key to phase 5: IONEFG , Y_^UVW , ionefg
The key to phase 6: 4 3 2 1 6 5
End
