Binary Bomb Phase 5 - Looking for two ints as input


I'm currently working on the binary bomb project and am stuck on phase 5. My version appears to be a little different from the other walkthroughs and tutorials I've searched for. This is x86-64 assembly (AT&T syntax, objdump output). I've figured out that it is looking for two integers as input. Here is the phase_5 assembly:

# phase_5 (x86-64, AT&T syntax, objdump listing).
#
# Parses "%d %d" from the input line (rdi is never written here, so the
# caller's rdi is passed straight through as sscanf's first argument) and
# then checks:
#   first  = 0xc(%rsp) : must be <= 10 as an UNSIGNED compare (cmpl/jbe), so
#                        any negative value explodes; it indexes an 11-entry
#                        pointer table at 0x10(%rsp) whose entry 0 is NULL.
#   second = 0x8(%rsp) : must equal the sum of the int at +0x00 of every node
#                        reached from table[first] by following the pointer
#                        at +0x18 until it is NULL.
#
# Stack frame (0x1b8 bytes): ten 0x20-byte nodes at 0x70..0x190(%rsp), built
# from 0x190 downward.  Layout observed from the stores below:
#   +0x00 int32 value
#   +0x08 ptr  to the node built just before (NULL for the first, 0x190)
#   +0x10 ptr  to the node built just after  (NULL for the last, 0x70)
#   +0x18 ptr  two nodes back toward 0x190   (NULL for 0x190 and 0x170)
# The loop follows +0x18, so a walk visits every other node.
#
# Register roles during construction (all hold node addresses):
#   r11=&0x190  rax=&0x170  rdx=&0x150  rcx=&0x130  rsi=&0x110
#   r8=&0xf0    r9=&0xd0    r10=&0xb0   rbx=&0x90   rbp=&0x70
# rbx/rbp are callee-saved, hence the two pushes.  Two pushes plus 0x1b8
# keeps rsp 16-byte aligned at the sscanf call (SysV requirement).
#
# Sums computed from the constants below (verify with a breakpoint at
# 4012aa and `p $edx`):
#   first: 0->0  1->32  2->4  3->19  4->-1  5->8  6->0  7->0  8->5  9->2  10->4
40105c: 55                      push   %rbp                      # save callee-saved rbp
40105d: 53                      push   %rbx                      # save callee-saved rbx
40105e: 48 81 ec b8 01 00 00    sub    $0x1b8,%rsp               # frame: nodes, pointer table, two ints
401065: c7 84 24 90 01 00 00    movl   $0x4,0x190(%rsp)          # node A (0x190).value = 4
40106c: 04 00 00 00 
401070: 48 c7 84 24 98 01 00    movq   $0x0,0x198(%rsp)          # A+0x08 = NULL
401077: 00 00 00 00 00 
40107c: 48 c7 84 24 a8 01 00    movq   $0x0,0x1a8(%rsp)          # A+0x18 = NULL (walk terminator)
401083: 00 00 00 00 00 
401088: c7 84 24 70 01 00 00    movl   $0x2,0x170(%rsp)          # node B (0x170).value = 2
40108f: 02 00 00 00 
401093: 4c 8d 9c 24 90 01 00    lea    0x190(%rsp),%r11          # r11 = &A
40109a: 00 
40109b: 4c 89 9c 24 78 01 00    mov    %r11,0x178(%rsp)          # B+0x08 = &A
4010a2: 00 
4010a3: 48 c7 84 24 88 01 00    movq   $0x0,0x188(%rsp)          # B+0x18 = NULL (walk terminator)
4010aa: 00 00 00 00 00 
4010af: c7 84 24 50 01 00 00    movl   $0x1,0x150(%rsp)          # node C (0x150).value = 1
4010b6: 01 00 00 00 
4010ba: 48 8d 84 24 70 01 00    lea    0x170(%rsp),%rax          # rax = &B
4010c1: 00 
4010c2: 48 89 84 24 58 01 00    mov    %rax,0x158(%rsp)          # C+0x08 = &B
4010c9: 00 
4010ca: 4c 89 9c 24 68 01 00    mov    %r11,0x168(%rsp)          # C+0x18 = &A
4010d1: 00 
4010d2: c7 84 24 30 01 00 00    movl   $0xfffffffe,0x130(%rsp)   # node D (0x130).value = -2
4010d9: fe ff ff ff 
4010dd: 48 8d 94 24 50 01 00    lea    0x150(%rsp),%rdx          # rdx = &C
4010e4: 00 
4010e5: 48 89 94 24 38 01 00    mov    %rdx,0x138(%rsp)          # D+0x08 = &C
4010ec: 00 
4010ed: 48 89 84 24 48 01 00    mov    %rax,0x148(%rsp)          # D+0x18 = &B
4010f4: 00 
4010f5: c7 84 24 10 01 00 00    movl   $0xfffffffb,0x110(%rsp)   # node E (0x110).value = -5
4010fc: fb ff ff ff 
401100: 48 8d 8c 24 30 01 00    lea    0x130(%rsp),%rcx          # rcx = &D
401107: 00 
401108: 48 89 8c 24 18 01 00    mov    %rcx,0x118(%rsp)          # E+0x08 = &D
40110f: 00 
401110: 48 89 94 24 28 01 00    mov    %rdx,0x128(%rsp)          # E+0x18 = &C
401117: 00 
401118: c7 84 24 f0 00 00 00    movl   $0x8,0xf0(%rsp)           # node F (0xf0).value = 8
40111f: 08 00 00 00 
401123: 48 8d b4 24 10 01 00    lea    0x110(%rsp),%rsi          # rsi = &E
40112a: 00 
40112b: 48 89 b4 24 f8 00 00    mov    %rsi,0xf8(%rsp)           # F+0x08 = &E
401132: 00 
401133: 48 89 8c 24 08 01 00    mov    %rcx,0x108(%rsp)          # F+0x18 = &D
40113a: 00 
40113b: c7 84 24 d0 00 00 00    movl   $0xffffffff,0xd0(%rsp)    # node G (0xd0).value = -1
401142: ff ff ff ff 
401146: 4c 8d 84 24 f0 00 00    lea    0xf0(%rsp),%r8            # r8 = &F
40114d: 00 
40114e: 4c 89 84 24 d8 00 00    mov    %r8,0xd8(%rsp)            # G+0x08 = &F
401155: 00 
401156: 48 89 b4 24 e8 00 00    mov    %rsi,0xe8(%rsp)           # G+0x18 = &E
40115d: 00 
40115e: c7 84 24 b0 00 00 00    movl   $0xb,0xb0(%rsp)           # node H (0xb0).value = 11
401165: 0b 00 00 00 
401169: 4c 8d 8c 24 d0 00 00    lea    0xd0(%rsp),%r9            # r9 = &G
401170: 00 
401171: 4c 89 8c 24 b8 00 00    mov    %r9,0xb8(%rsp)            # H+0x08 = &G
401178: 00 
401179: 4c 89 84 24 c8 00 00    mov    %r8,0xc8(%rsp)            # H+0x18 = &F
401180: 00 
401181: c7 84 24 90 00 00 00    movl   $0x5,0x90(%rsp)           # node I (0x90).value = 5
401188: 05 00 00 00 
40118c: 4c 8d 94 24 b0 00 00    lea    0xb0(%rsp),%r10           # r10 = &H
401193: 00 
401194: 4c 89 94 24 98 00 00    mov    %r10,0x98(%rsp)           # I+0x08 = &H
40119b: 00 
40119c: 4c 89 8c 24 a8 00 00    mov    %r9,0xa8(%rsp)            # I+0x18 = &G
4011a3: 00 
4011a4: c7 44 24 70 0d 00 00    movl   $0xd,0x70(%rsp)           # node J (0x70).value = 13
4011ab: 00 
4011ac: 48 8d 9c 24 90 00 00    lea    0x90(%rsp),%rbx           # rbx = &I
4011b3: 00 
4011b4: 48 89 5c 24 78          mov    %rbx,0x78(%rsp)           # J+0x08 = &I
4011b9: 48 c7 84 24 80 00 00    movq   $0x0,0x80(%rsp)           # J+0x10 = NULL (J is the last node built)
4011c0: 00 00 00 00 00 
4011c5: 4c 89 94 24 88 00 00    mov    %r10,0x88(%rsp)           # J+0x18 = &H
4011cc: 00 
4011cd: 48 89 84 24 a0 01 00    mov    %rax,0x1a0(%rsp)          # A+0x10 = &B   (forward links, not used by the loop)
4011d4: 00 
4011d5: 48 89 94 24 80 01 00    mov    %rdx,0x180(%rsp)          # B+0x10 = &C
4011dc: 00 
4011dd: 48 89 8c 24 60 01 00    mov    %rcx,0x160(%rsp)          # C+0x10 = &D
4011e4: 00 
4011e5: 48 89 b4 24 40 01 00    mov    %rsi,0x140(%rsp)          # D+0x10 = &E
4011ec: 00 
4011ed: 4c 89 84 24 20 01 00    mov    %r8,0x120(%rsp)           # E+0x10 = &F
4011f4: 00 
4011f5: 4c 89 8c 24 00 01 00    mov    %r9,0x100(%rsp)           # F+0x10 = &G
4011fc: 00 
4011fd: 4c 89 94 24 e0 00 00    mov    %r10,0xe0(%rsp)           # G+0x10 = &H
401204: 00 
401205: 48 89 9c 24 c0 00 00    mov    %rbx,0xc0(%rsp)           # H+0x10 = &I
40120c: 00 
40120d: 48 8d 6c 24 70          lea    0x70(%rsp),%rbp           # rbp = &J
401212: 48 89 ac 24 a0 00 00    mov    %rbp,0xa0(%rsp)           # I+0x10 = &J
401219: 00 
40121a: 48 c7 44 24 10 00 00    movq   $0x0,0x10(%rsp)           # table[0]  = NULL  (pointer table at 0x10(%rsp))
401221: 00 00 
401223: 48 89 6c 24 18          mov    %rbp,0x18(%rsp)           # table[1]  = &J (0x70, value 13)
401228: 48 89 5c 24 20          mov    %rbx,0x20(%rsp)           # table[2]  = &I (0x90, value 5)
40122d: 4c 89 54 24 28          mov    %r10,0x28(%rsp)           # table[3]  = &H (0xb0, value 11)
401232: 4c 89 4c 24 30          mov    %r9,0x30(%rsp)            # table[4]  = &G (0xd0, value -1)
401237: 4c 89 44 24 38          mov    %r8,0x38(%rsp)            # table[5]  = &F (0xf0, value 8)
40123c: 48 89 74 24 40          mov    %rsi,0x40(%rsp)           # table[6]  = &E (0x110, value -5)
401241: 48 89 4c 24 48          mov    %rcx,0x48(%rsp)           # table[7]  = &D (0x130, value -2)
401246: 48 89 54 24 50          mov    %rdx,0x50(%rsp)           # table[8]  = &C (0x150, value 1)
40124b: 48 89 44 24 58          mov    %rax,0x58(%rsp)           # table[9]  = &B (0x170, value 2)
401250: 4c 89 5c 24 60          mov    %r11,0x60(%rsp)           # table[10] = &A (0x190, value 4)
401255: 48 8d 4c 24 08          lea    0x8(%rsp),%rcx            # arg4: &second
40125a: 48 8d 54 24 0c          lea    0xc(%rsp),%rdx            # arg3: &first
40125f: be 0d 29 40 00          mov    $0x40290d,%esi            # arg2: format string ("%d %d" per the gdb print below)
401264: b8 00 00 00 00          mov    $0x0,%eax                 # al = 0: no vector args for the variadic call
401269: e8 92 f9 ff ff          callq  400c00 <__isoc99_sscanf@plt>   # sscanf(input, fmt, &first, &second)
40126e: 83 f8 01                cmp    $0x1,%eax                 # number of conversions must be > 1,
401271: 7f 05                   jg     401278 <phase_5+0x21c>    # i.e. both ints parsed
401273: e8 09 04 00 00          callq  401681 <explode_bomb>
401278: 83 7c 24 0c 0a          cmpl   $0xa,0xc(%rsp)            # first <= 10, UNSIGNED (jbe): bounds the table
40127d: 76 05                   jbe    401284 <phase_5+0x228>    # index and rejects negative input
40127f: e8 fd 03 00 00          callq  401681 <explode_bomb>
401284: 48 63 44 24 0c          movslq 0xc(%rsp),%rax            # rax = (int64)first   (0..10 after the check)
401289: 48 8b 44 c4 10          mov    0x10(%rsp,%rax,8),%rax    # rax = table[first]
40128e: 48 85 c0                test   %rax,%rax
401291: 74 12                   je     4012a5 <phase_5+0x249>    # NULL entry (first == 0): sum is 0
401293: ba 00 00 00 00          mov    $0x0,%edx                 # edx = running sum
401298: 03 10                   add    (%rax),%edx               # sum += node->value   (+0x00)
40129a: 48 8b 40 18             mov    0x18(%rax),%rax           # node = node->link    (+0x18)
40129e: 48 85 c0                test   %rax,%rax
4012a1: 75 f5                   jne    401298 <phase_5+0x23c>    # loop until the link is NULL
4012a3: eb 05                   jmp    4012aa <phase_5+0x24e>
4012a5: ba 00 00 00 00          mov    $0x0,%edx                 # sum = 0 for the NULL-entry case
4012aa: 39 54 24 08             cmp    %edx,0x8(%rsp)            # second must equal the sum
4012ae: 74 05                   je     4012b5 <phase_5+0x259>
4012b0: e8 cc 03 00 00          callq  401681 <explode_bomb>
4012b5: 48 81 c4 b8 01 00 00    add    $0x1b8,%rsp               # epilogue: release frame, restore rbx/rbp
4012bc: 5b                      pop    %rbx
4012bd: 5d                      pop    %rbp
4012be: c3                      retq  

Running gdb and `p (char *) 0x40290d` returns `"%d %d"`, which is how I know it's scanning for two ints. I try to follow the compare and jump statements but get lost soon after. Any assistance would be appreciated. Thank you.



Jester On BEST ANSWER

Line 401278 checks that the first number is at most 10. Note that this is an unsigned comparison (`cmpl $0xa` followed by `jbe`), so a negative first number is rejected as well; the check bounds the index into the pointer table at 0x10(%rsp) that is read at 401289. Then some calculations are done, and the next check that can explode the bomb is at 4012aa: it compares the result of the calculation (in %edx) with the second number you entered (at 0x8(%rsp)). Since you are using gdb, you can simply put a breakpoint on that instruction (`break *0x4012aa`) and let the program run. Enter a valid first number (0 through 10) followed by an arbitrary second one. When stopped at the breakpoint, `p $edx` prints the value that the second number must match for the first number you entered.

Another approach is spotting the test at 40128e/401291: if the table entry loaded at 401289 is NULL, the whole calculation is skipped and %edx is simply set to zero, so the second number must be zero. You need a first number for which 0x10(%rsp,%rax,8) == 0. Since line 40121a does `movq $0x0,0x10(%rsp)`, index 0 is exactly that entry, and two zeroes trivially solve the phase.

Finally, you could reverse engineer the whole thing. Notice it is summing up elements of a linked list built on the stack in the first part of the code: each node is 0x20 bytes with its integer at offset 0 and a link pointer at offset 0x18, and 0x10(%rsp) holds a table of pointers to the nodes. The summing starts at the node selected by the first number and follows the offset-0x18 link until it hits a NULL pointer (it is the link, not the node's value, that terminates the loop at 40129e/4012a1). The second number entered must match the calculated sum.

capunz On

I think the second number needs to be negative. In my case it was -15: I had the numbers 5 -15. Up there you have `sub` (subtraction), and I think that determines whether it's a negative number or not. You go through the loop 15 times, and the way not to end up at a number that will be 15 after 15 iterations is to make it negative, kind of like going through it from -15 to 0, and 0 doesn't jump to explode_bomb. (Caveat: in the listing above, the only `sub` is `sub $0x1b8,%rsp` at 40105e, which allocates the stack frame; a negative sum there comes from the node values themselves, several of which are negative, e.g. `$0xfffffffe` at 4010d2. Your binary appears to be a different build, so its values will differ.)

*Edit: You'll have to print out the array/list with the `x/16wd <address>` command; then you'll see that the array only goes up to 15 (highest number). After adding all the numbers together except the last one (which is never reached), in my case this became 115. Then there's a `cmp %edx,0x8(%rsp)`; try the `info registers rsp` (or `i r rsp`) command, which gives you an address you can then examine with `x/wd`; in my case it printed -15.