Phase 2 Solution
Let’s get started by creating a breakpoint for phase_2. This second phase deals with numbers, so let’s try entering the array of numbers 0 1 2 3 4 5. It is important to make the test numbers distinct and stepped in some way so you can tell which order they are in.
Phase 1 defused. How about the next one?
0 1 2 3 4 5
Breakpoint 2, 0x0000000000400e49 in phase_2 ()
Let’s do the standard disas command to see the assembly of the function.
(gdb) disas
Dump of assembler code for function phase_2:
=> 0x0000000000400e49 <+0>: push %rbp
   0x0000000000400e4a <+1>: push %rbx
   0x0000000000400e4b <+2>: sub $0x28,%rsp
   0x0000000000400e4f <+6>: mov %rsp,%rsi
   0x0000000000400e52 <+9>: callq 0x401420
Also run the command i r to see the current values of the registers.
(gdb) i r
rax            0x603bf0            6306800
rbx            0x0                 0
rcx            0xb                 11
rdx            0x603bf0            6306800
rsi            0x1                 1
rdi            0x603bf0            6306800
rbp            0x402140            0x402140 <__libc_csu_init>
rsp            0x7fffffffdea8      0x7fffffffdea8
r8             0x60567c            6313596
r9             0x7ffff7fe8500      140737354040576
r10            0x7ffff7fe8500      140737354040576
r11            0x246               582
r12            0x400c00            4197376
r13            0x7fffffffdf90      140737488347024
r14            0x0                 0
r15            0x0                 0
rip            0x400e49            0x400e49
It might also be easier to visualize the operations by using an online disassembler like https://onlinedisassembler.com/ to see a full graph.
As we can see, it is fairly obvious that there is a loop somewhere in this function (by following the arrows). In the first block of code, the function read_six_numbers is called, which essentially confirms that the input is six numbers separated by a space (as we entered in the first part of this phase). If that function fails, it calls explode_bomb to the left. If the function succeeds, it follows the green arrow on the right to the third box.
In order to determine the comparisons used, it will be useful to look up or know “Jumps Based on Signed Comparisons”.
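The signed conditional jumps test combinations of the ZF, SF and OF flags left by the preceding cmp. The C program below is an added example, not part of the original walkthrough: it models the AT&T-syntax cmp src,dst shown by gdb (which computes dst - src) on 32-bit values and evaluates jl/jle/jg/jge next to the unsigned jb/ja. The operand pairs and helper names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Flags produced by AT&T `cmp src,dst`, which computes dst - src. */
struct flags { int zf, sf, of, cf; };

static struct flags cmp32(int32_t src, int32_t dst)
{
    uint32_t a = (uint32_t)dst, b = (uint32_t)src, r = a - b;
    struct flags f;
    f.zf = (r == 0);                          /* result is zero        */
    f.sf = (int)(r >> 31);                    /* sign bit of result    */
    f.cf = (a < b);                           /* unsigned borrow       */
    f.of = (int)(((a ^ b) & (a ^ r)) >> 31);  /* signed overflow       */
    return f;
}

/* Signed conditional jumps: taken when dst <, <=, >, >= src. */
static int jl(struct flags f)  { return f.sf != f.of; }
static int jle(struct flags f) { return f.zf || f.sf != f.of; }
static int jg(struct flags f)  { return !f.zf && f.sf == f.of; }
static int jge(struct flags f) { return f.sf == f.of; }

/* Unsigned counterparts, for contrast. */
static int jb(struct flags f)  { return f.cf; }
static int ja(struct flags f)  { return !f.cf && !f.zf; }

int main(void)
{
    /* Constructed (src, dst) pairs, including sign and overflow cases. */
    static const int32_t cases[][2] = {
        {5, 3}, {3, 5}, {4, 4}, {1, -1}, {1, INT32_MIN}
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct flags f = cmp32(cases[i][0], cases[i][1]);
        printf("cmp src=%d,dst=%d  ZF=%d SF=%d OF=%d CF=%d  "
               "jl=%d jle=%d jg=%d jge=%d  jb=%d ja=%d\n",
               (int)cases[i][0], (int)cases[i][1],
               f.zf, f.sf, f.of, f.cf,
               jl(f), jle(f), jg(f), jge(f), jb(f), ja(f));
    }
    return 0;
}
```

Note the dst = -1, src = 1 row: the signed jl is taken while the unsigned jb is not, which is why it matters which family of jumps the disassembly uses.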