Bomb lab assignment: stuck at phase_3 while debugging in GDB — how do I go further?


In GDB, using the `nexti`, `info registers` and `disassemble phase_3` commands, I was able to get this far.

Dump of assembler code for function phase_3:
# Annotated reading of the dump (AT&T syntax, x86-64 System V ABI).
# Locals, by offset from %rsp once the 0x28-byte frame is set up:
#   0x0f(%rsp)  1-byte slot, later compared with %al at <+343>  (a char)
#   0x10(%rsp)  4-byte slot (cmpl), used as the jump-table index at <+67>
#   0x14(%rsp)  4-byte slot (cmpl), compared against a per-case constant
#   0x18(%rsp)  8-byte copy of the stack-protector canary
# Nothing in this function writes %rdi, so the first argument of the call at
# <+46> is whatever the caller passed in (in the bomb lab, the input line).
   0x000055555555564d <+0>:     repz nop %edx          # bytes F3 0F 1E FA = endbr64 (CET marker); an older GDB prints it as repz nop
   0x0000555555555651 <+4>:     sub    $0x28,%rsp      # 40-byte frame for the locals above
   0x0000555555555655 <+8>:     mov    %fs:0x28,%rax   # load the stack-protector canary (glibc keeps it at %fs:0x28)
   0x000055555555565e <+17>:    mov    %rax,0x18(%rsp) # ... and stash a copy in the frame; re-checked at <+354>
   0x0000555555555663 <+22>:    xor    %eax,%eax       # %al = 0 vector-register args: the variadic-call convention (printf/scanf family)
   0x0000555555555665 <+24>:    lea    0xf(%rsp),%rcx  # arg 4: &char
   0x000055555555566a <+29>:    lea    0x10(%rsp),%rdx # arg 3: &int  (first number)
   0x000055555555566f <+34>:    lea    0x14(%rsp),%r8  # arg 5: &int  (second number)
   0x0000555555555674 <+39>:    lea    0x1b63(%rip),%rsi        # 0x5555555571de   # arg 2: format string -- read it with `x/s 0x5555555571de`
   0x000055555555567b <+46>:    callq  0x5555555552d0  # no symbol shown; presumably sscanf@plt. Return value (%eax) = number of fields converted
   0x0000555555555680 <+51>:    cmp    $0x2,%eax       # fewer than 3 fields parsed?
   0x0000555555555683 <+54>:    jle    0x5555555556a5 <phase_3+88>   # ... then explode
   0x0000555555555685 <+56>:    cmpl   $0x7,0x10(%rsp) # first number must be 0..7 (UNSIGNED compare: a negative value wraps and explodes)
   0x000055555555568a <+61>:    ja     0x55555555579a <phase_3+333>
   0x0000555555555690 <+67>:    mov    0x10(%rsp),%eax # index = first number
   0x0000555555555694 <+71>:    lea    0x1b55(%rip),%rdx        # 0x5555555571f0   # jump-table base (8 entries x 4 bytes); dump it with `x/8dw 0x5555555571f0`
   0x000055555555569b <+78>:    movslq (%rdx,%rax,4),%rax   # entry = table[index], sign-extended
   0x000055555555569f <+82>:    add    %rdx,%rax       # target = table base + entry (entries are offsets relative to the table, not absolute addresses)
   0x00005555555556a2 <+85>:    ds                     # stray 3E prefix: most likely `notrack` on the CET indirect jump below, not decoded by this GDB
   0x00005555555556a3 <+86>:    jmpq   *%rax           # dispatch to one of the eight case blocks between <+95> and <+306>
   0x00005555555556a5 <+88>:    callq  0x555555555e26 <explode_bomb>   # too few fields parsed
   0x00005555555556aa <+93>:    jmp    0x555555555685 <phase_3+56>     # only reached if explode_bomb ever returned
# Eight case blocks follow. Each one loads the expected char into %eax,
# compares the second number with a per-case constant, explodes if it differs,
# then goes to the shared char check at <+343>. Which table index selects
# which block is decided by the table contents, NOT by the order shown here.
   0x00005555555556ac <+95>:    mov    $0x6d,%eax      # case: char 'm' (0x6d)
   0x00005555555556b1 <+100>:   cmpl   $0x3d3,0x14(%rsp)   # second number == 979
   0x00005555555556b9 <+108>:   je     0x5555555557a4 <phase_3+343>
   0x00005555555556bf <+114>:   callq  0x555555555e26 <explode_bomb>
   0x00005555555556c4 <+119>:   mov    $0x6d,%eax
   0x00005555555556c9 <+124>:   jmpq   0x5555555557a4 <phase_3+343>
   0x00005555555556ce <+129>:   mov    $0x74,%eax      # case: char 't' (0x74)
   0x00005555555556d3 <+134>:   cmpl   $0x152,0x14(%rsp)   # second number == 338
   0x00005555555556db <+142>:   je     0x5555555557a4 <phase_3+343>
   0x00005555555556e1 <+148>:   callq  0x555555555e26 <explode_bomb>
   0x00005555555556e6 <+153>:   mov    $0x74,%eax
   0x00005555555556eb <+158>:   jmpq   0x5555555557a4 <phase_3+343>
   0x00005555555556f0 <+163>:   mov    $0x7a,%eax      # case: char 'z' (0x7a)
   0x00005555555556f5 <+168>:   cmpl   $0x69,0x14(%rsp)    # second number == 105
   0x00005555555556fa <+173>:   je     0x5555555557a4 <phase_3+343>
   0x0000555555555700 <+179>:   callq  0x555555555e26 <explode_bomb>
   0x0000555555555705 <+184>:   mov    $0x7a,%eax
   0x000055555555570a <+189>:   jmpq   0x5555555557a4 <phase_3+343>
   0x000055555555570f <+194>:   mov    $0x78,%eax      # case: char 'x' (0x78)
   0x0000555555555714 <+199>:   cmpl   $0x3e1,0x14(%rsp)   # second number == 993
   0x000055555555571c <+207>:   je     0x5555555557a4 <phase_3+343>
**=> 0x0000555555555722 <+213>:   callq  0x555555555e26 <explode_bomb>**   # `=>` = next instruction to execute (the `**` are stray markdown bold): the je above was NOT taken, i.e. the second number was not 993
   0x0000555555555727 <+218>:   mov    $0x78,%eax
   0x000055555555572c <+223>:   jmp    0x5555555557a4 <phase_3+343>
   0x000055555555572e <+225>:   mov    $0x66,%eax      # case: char 'f' (0x66)
   0x0000555555555733 <+230>:   cmpl   $0xc0,0x14(%rsp)    # second number == 192
   0x000055555555573b <+238>:   je     0x5555555557a4 <phase_3+343>
   0x000055555555573d <+240>:   callq  0x555555555e26 <explode_bomb>
   0x0000555555555742 <+245>:   mov    $0x66,%eax
   0x0000555555555747 <+250>:   jmp    0x5555555557a4 <phase_3+343>
   0x0000555555555749 <+252>:   mov    $0x68,%eax      # case: char 'h' (0x68)
   0x000055555555574e <+257>:   cmpl   $0x24b,0x14(%rsp)   # second number == 587
   0x0000555555555756 <+265>:   je     0x5555555557a4 <phase_3+343>
   0x0000555555555758 <+267>:   callq  0x555555555e26 <explode_bomb>
---Type <return> to continue, or q <return> to quit---r   # GDB pager prompt, not code (`set pagination off` avoids it)
   0x000055555555575d <+272>:   mov    $0x68,%eax
   0x0000555555555762 <+277>:   jmp    0x5555555557a4 <phase_3+343>
   0x0000555555555764 <+279>:   mov    $0x62,%eax      # case: char 'b' (0x62)
   0x0000555555555769 <+284>:   cmpl   $0x183,0x14(%rsp)   # second number == 387
   0x0000555555555771 <+292>:   je     0x5555555557a4 <phase_3+343>
   0x0000555555555773 <+294>:   callq  0x555555555e26 <explode_bomb>
   0x0000555555555778 <+299>:   mov    $0x62,%eax
   0x000055555555577d <+304>:   jmp    0x5555555557a4 <phase_3+343>
   0x000055555555577f <+306>:   mov    $0x71,%eax      # case: char 'q' (0x71)
   0x0000555555555784 <+311>:   cmpl   $0x27d,0x14(%rsp)   # second number == 637
   0x000055555555578c <+319>:   je     0x5555555557a4 <phase_3+343>
   0x000055555555578e <+321>:   callq  0x555555555e26 <explode_bomb>
   0x0000555555555793 <+326>:   mov    $0x71,%eax
   0x0000555555555798 <+331>:   jmp    0x5555555557a4 <phase_3+343>
   0x000055555555579a <+333>:   callq  0x555555555e26 <explode_bomb>   # first number > 7 (from the ja at <+61>)
   0x000055555555579f <+338>:   mov    $0x6b,%eax      # 'k' -- only reached if explode_bomb returned
# Shared tail: the char read into 0x0f(%rsp) must equal the case's char in %al.
   0x00005555555557a4 <+343>:   cmp    %al,0xf(%rsp)
   0x00005555555557a8 <+347>:   jne    0x5555555557bf <phase_3+370>   # wrong char -> explode
   0x00005555555557aa <+349>:   mov    0x18(%rsp),%rax # canary check: saved copy ...
   0x00005555555557af <+354>:   xor    %fs:0x28,%rax   # ... must still equal the live value
   0x00005555555557b8 <+363>:   jne    0x5555555557c6 <phase_3+377>   # mismatch -> stack-smash handler
   0x00005555555557ba <+365>:   add    $0x28,%rsp      # epilogue
   0x00005555555557be <+369>:   retq
   0x00005555555557bf <+370>:   callq  0x555555555e26 <explode_bomb>   # char mismatch
   0x00005555555557c4 <+375>:   jmp    0x5555555557aa <phase_3+349>
   0x00005555555557c6 <+377>:   callq  0x555555555230  # no symbol shown; presumably __stack_chk_fail@plt (does not return)
End of assembler dump.

But after that point I used `nexti` once more and the `=>` arrow disappeared, and I don't understand why. (The `=>` marker at `<+213>` shows that the call to `explode_bomb` was the next instruction to execute.) Is it because of the `explode_bomb` call? If so, I had already seen these `explode_bomb` calls many times before this step — what is different now? How can I continue past this point in order to find the correct input for phase_3?

NOTE: I would also appreciate an explanation of how to work out how many inputs this phase expects and how to tell them apart (for example, does every `explode_bomb` call mark a separate input?). Thank you!

