Phase 5:
We know the drill by now!
Let's take a look at the assembly.
08048dda <phase_5>:
8048dda: 83 ec 2c sub $0x2c,%esp
8048ddd: 8d 44 24 1c lea 0x1c(%esp),%eax
8048de1: 89 44 24 0c mov %eax,0xc(%esp)
8048de5: 8d 44 24 18 lea 0x18(%esp),%eax
8048de9: 89 44 24 08 mov %eax,0x8(%esp)
8048ded: c7 44 24 04 a9 a7 04 movl $0x804a7a9,0x4(%esp)
8048df4: 08
8048df5: 8b 44 24 30 mov 0x30(%esp),%eax
8048df9: 89 04 24 mov %eax,(%esp)
8048dfc: e8 ff fa ff ff call 8048900 <__isoc99_sscanf@plt>
8048e01: 83 f8 01 cmp $0x1,%eax
8048e04: 7f 05 jg 8048e0b <phase_5+0x31>
8048e06: e8 0a 07 00 00 call 8049515 <explode_bomb>
8048e0b: 83 7c 24 18 07 cmpl $0x7,0x18(%esp)
8048e10: 77 66 ja 8048e78 <phase_5+0x9e>
8048e12: 8b 44 24 18 mov 0x18(%esp),%eax
8048e16: ff 24 85 98 a5 04 08 jmp *0x804a598(,%eax,4)
8048e1d: b8 00 00 00 00 mov $0x0,%eax
8048e22: eb 05 jmp 8048e29 <phase_5+0x4f>
8048e24: b8 e1 03 00 00 mov $0x3e1,%eax
8048e29: 2d 0b 01 00 00 sub $0x10b,%eax
8048e2e: eb 05 jmp 8048e35 <phase_5+0x5b>
8048e30: b8 00 00 00 00 mov $0x0,%eax
8048e35: 05 b8 00 00 00 add $0xb8,%eax
8048e3a: eb 05 jmp 8048e41 <phase_5+0x67>
8048e3c: b8 00 00 00 00 mov $0x0,%eax
8048e41: 2d 25 01 00 00 sub $0x125,%eax
8048e46: eb 05 jmp 8048e4d <phase_5+0x73>
8048e48: b8 00 00 00 00 mov $0x0,%eax
8048e4d: 05 25 01 00 00 add $0x125,%eax
8048e52: eb 05 jmp 8048e59 <phase_5+0x7f>
8048e54: b8 00 00 00 00 mov $0x0,%eax
8048e59: 2d 25 01 00 00 sub $0x125,%eax
8048e5e: eb 05 jmp 8048e65 <phase_5+0x8b>
8048e60: b8 00 00 00 00 mov $0x0,%eax
8048e65: 05 25 01 00 00 add $0x125,%eax
8048e6a: eb 05 jmp 8048e71 <phase_5+0x97>
8048e6c: b8 00 00 00 00 mov $0x0,%eax
8048e71: 2d 25 01 00 00 sub $0x125,%eax
8048e76: eb 0a jmp 8048e82 <phase_5+0xa8>
8048e78: e8 98 06 00 00 call 8049515 <explode_bomb>
8048e7d: b8 00 00 00 00 mov $0x0,%eax
8048e82: 83 7c 24 18 05 cmpl $0x5,0x18(%esp)
8048e87: 7f 06 jg 8048e8f <phase_5+0xb5>
8048e89: 3b 44 24 1c cmp 0x1c(%esp),%eax
8048e8d: 74 05 je 8048e94 <phase_5+0xba>
8048e8f: e8 81 06 00 00 call 8049515 <explode_bomb>
8048e94: 83 c4 2c add $0x2c,%esp
8048e97: c3 ret
Off the top of my head, none of this really makes sense to me. There's a lot of calls to <phase_5+0xba> or some other call. There are many comparison and jump calls. I do however, see a call to scanf.
I will head to gdb to test my "test string" and see what happens there
0x08048dda <+0>: sub $0x2c,%esp
0x08048ddd <+3>: lea 0x1c(%esp),%eax
0x08048de1 <+7>: mov %eax,0xc(%esp)
0x08048de5 <+11>: lea 0x18(%esp),%eax
0x08048de9 <+15>: mov %eax,0x8(%esp)
0x08048ded <+19>: movl $0x804a7a9,0x4(%esp)
0x08048df5 <+27>: mov 0x30(%esp),%eax
0x08048df9 <+31>: mov %eax,(%esp)
0x08048dfc <+34>: call 0x8048900 <__isoc99_sscanf@plt>
0x08048e01 <+39>: cmp $0x1,%eax
0x08048e04 <+42>: jg 0x8048e0b <phase_5+49>
0x08048e06 <+44>: call 0x8049515 <explode_bomb>
0x08048e0b <+49>: cmpl $0x7,0x18(%esp)
0x08048e10 <+54>: ja 0x8048e78 <phase_5+158>
0x08048e12 <+56>: mov 0x18(%esp),%eax
0x08048e16 <+60>: jmp *0x804a598(,%eax,4)
0x08048e1d <+67>: mov $0x0,%eax
0x08048e22 <+72>: jmp 0x8048e29 <phase_5+79>
0x08048e24 <+74>: mov $0x3e1,%eax
0x08048e29 <+79>: sub $0x10b,%eax
0x08048e2e <+84>: jmp 0x8048e35 <phase_5+91>
0x08048e30 <+86>: mov $0x0,%eax
0x08048e35 <+91>: add $0xb8,%eax
0x08048e3a <+96>: jmp 0x8048e41 <phase_5+103>
0x08048e3c <+98>: mov $0x0,%eax
0x08048e41 <+103>: sub $0x125,%eax
0x08048e46 <+108>: jmp 0x8048e4d <phase_5+115>
0x08048e48 <+110>: mov $0x0,%eax
0x08048e4d <+115>: add $0x125,%eax
0x08048e52 <+120>: jmp 0x8048e59 <phase_5+127>
0x08048e54 <+122>: mov $0x0,%eax
0x08048e59 <+127>: sub $0x125,%eax
0x08048e5e <+132>: jmp 0x8048e65 <phase_5+139>
0x08048e60 <+134>: mov $0x0,%eax
0x08048e65 <+139>: add $0x125,%eax
0x08048e6a <+144>: jmp 0x8048e71 <phase_5+151>
0x08048e6c <+146>: mov $0x0,%eax
0x08048e71 <+151>: sub $0x125,%eax
0x08048e76 <+156>: jmp 0x8048e82 <phase_5+168>
0x08048e78 <+158>: call 0x8049515 <explode_bomb>
0x08048e7d <+163>: mov $0x0,%eax
0x08048e82 <+168>: cmpl $0x5,0x18(%esp)
0x08048e87 <+173>: jg 0x8048e8f <phase_5+181>
0x08048e89 <+175>: cmp 0x1c(%esp),%eax
0x08048e8d <+179>: je 0x8048e94 <phase_5+186>
0x08048e8f <+181>: call 0x8049515 <explode_bomb>
0x08048e94 <+186>: add $0x2c,%esp
0x08048e97 <+189>: ret
Note the following:
(gdb) x/s $eax
0x804d960 <input_strings+320>: "test string"
(gdb) x/s 0x804a7a9
0x804a7a9: "%d %d"
(gdb)
This gives us a good idea of the format required for this phase: Two numbers:
I may have gotten a bit lucky with this one. I randomly guessed two because it was greater than 1, as can see by the
0x08048e01 <+39>: cmp $0x1,%eax
statement. But the other guess took some work. I again, worked my way through a random number in gdb, until i kept seeing eax with 0xffffc3 or some address like it and the integer -109 next to it.
Then I re-examined the disas code. There was:
0x08048e30 <+86>: mov $0x0,%eax
0x08048e35 <+91>: add $0xb8,%eax
This was also paired with many add $0x125 and sub $0x125, but ultimately each canceled out till all was left with sub $0x125. Subtraction of 0xb8-0x125 gives the integer -109, which works with this phase.
So the answer: 2 -109
