What should be the inputs of phase_2 in bomb lab and how should I write this inp
Question
What should be the inputs of phase_2 in bomb lab, and how should I write these inputs: like 1, 2, 3, 4, 5, 6 or 1 2 3 4 5 6? Thanks
Dump of assembler code for function phase_2:
0x0000000000400f49 <+0>: push %rbp
0x0000000000400f4a <+1>: push %rbx
0x0000000000400f4b <+2>: sub $0x28,%rsp
0x0000000000400f4f <+6>: mov %fs:0x28,%rax
0x0000000000400f58 <+15>: mov %rax,0x18(%rsp)
0x0000000000400f5d <+20>: xor %eax,%eax
0x0000000000400f5f <+22>: mov %rsp,%rsi
0x0000000000400f62 <+25>: callq 0x4017cf <read_six_numbers>
0x0000000000400f67 <+30>: cmpl $0x0,(%rsp)
0x0000000000400f6b <+34>: jne 0x400f74 <phase_2+43>
0x0000000000400f6d <+36>: cmpl $0x1,0x4(%rsp)
0x0000000000400f72 <+41>: je 0x400f79 <phase_2+48>
0x0000000000400f74 <+43>: callq 0x401799 <explode_bomb>
0x0000000000400f79 <+48>: mov %rsp,%rbx
0x0000000000400f7c <+51>: lea 0x10(%rsp),%rbp
0x0000000000400f81 <+56>: mov 0x4(%rbx),%eax
0x0000000000400f84 <+59>: add (%rbx),%eax
0x0000000000400f86 <+61>: cmp %eax,0x8(%rbx)
0x0000000000400f89 <+64>: je 0x400f90 <phase_2+71>
0x0000000000400f8b <+66>: callq 0x401799 <explode_bomb>
0x0000000000400f90 <+71>: add $0x4,%rbx
0x0000000000400f94 <+75>: cmp %rbp,%rbx
0x0000000000400f97 <+78>: jne 0x400f81 <phase_2+56>
0x0000000000400f99 <+80>: mov 0x18(%rsp),%rax
0x0000000000400f9e <+85>: xor %fs:0x28,%rax
0x0000000000400fa7 <+94>: je 0x400fae <phase_2+101>
0x0000000000400fa9 <+96>: callq 0x400b90 <__stack_chk_fail@plt>
0x0000000000400fae <+101>: add $0x28,%rsp
0x0000000000400fb2 <+105>: pop %rbx
0x0000000000400fb3 <+106>: pop %rbp
0x0000000000400fb4 <+107>: retq
End of assembler dump.
(gdb) disas read_six_numbers
Dump of assembler code for function read_six_numbers:
0x00000000004017cf <+0>: sub $0x8,%rsp
0x00000000004017d3 <+4>: mov %rsi,%rdx
0x00000000004017d6 <+7>: lea 0x4(%rsi),%rcx
0x00000000004017da <+11>: lea 0x14(%rsi),%rax
0x00000000004017de <+15>: push %rax
0x00000000004017df <+16>: lea 0x10(%rsi),%rax
0x00000000004017e3 <+20>: push %rax
0x00000000004017e4 <+21>: lea 0xc(%rsi),%r9
0x00000000004017e8 <+25>: lea 0x8(%rsi),%r8
0x00000000004017ec <+29>: mov $0x402a6b,%esi
0x00000000004017f1 <+34>: mov $0x0,%eax
0x00000000004017f6 <+39>: callq 0x400c40 <__isoc99_sscanf@plt>
0x00000000004017fb <+44>: add $0x10,%rsp
0x00000000004017ff <+48>: cmp $0x5,%eax
0x0000000000401802 <+51>: jg 0x401809 <read_six_numbers+58>
0x0000000000401804 <+53>: callq 0x401799 <explode_bomb>
0x0000000000401809 <+58>: add $0x8,%rsp
0x000000000040180d <+62>: retq
End of assembler dump.
Explanation / Answer
You should take on the problem one step at a time.
First let's start by removing useless stuff from the dump (extra addresses that only add verbosity); I also like my assembly to be in Intel syntax, the memory accesses and the compares/subtractions read way more nicely.
From a quick glance, we can immediately observe:
Also, we can reasonably assume that the function takes no parameters and returns no value, as it doesn't look at the initial state of rsi or at addresses above (that is, higher than) the initial value of rsp, and doesn't seem to leave rax in a particularly meaningful state.[1]
Now, let's rewrite this in C, leaving the jumps as gotos for now, and leaving register names in lieu of meaningful variable names. We'll ignore completely fs:0x28 and rsp+0x18, as they are just canaries for the gcc-injected stack smashing protection.
The first trivial step is to rewrite the "short jumps" over the bomb explosions as ifs (inverting the condition), and the final goto as a do...while:
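A C model of the two routines in the dump, added here as an example and not the answerer's own code: the short jumps over explode_bomb become ifs with inverted conditions and the back-edge at <+78> becomes a do...while, with explode_bomb modelled as returning 0 so the logic can be checked. It assumes the format string at 0x402a6b (not shown in the dump) is six "%d" conversions, which is what the six output pointers rsi..rsi+0x14 passed to sscanf suggest.

```c
#include <stdio.h>

/* read_six_numbers: sscanf(input, fmt, &nums[0], ..., &nums[5]);
 * cmp $0x5,%eax / jg ok  =>  fewer than six parsed values explodes.
 * ASSUMPTION: fmt is "%d %d %d %d %d %d" (string at 0x402a6b not in dump). */
static int read_six_numbers(const char *input, int *nums)
{
    int n = sscanf(input, "%d %d %d %d %d %d",
                   &nums[0], &nums[1], &nums[2], &nums[3], &nums[4], &nums[5]);
    if (n <= 5)
        return 0;              /* explode_bomb */
    return 1;
}

/* phase_2: returns 1 if the input defuses the phase, 0 if explode_bomb
 * would be called. nums[] is the 0x18-byte buffer at (%rsp) that rsi points to. */
int phase_2(const char *input)
{
    int nums[6];
    if (!read_six_numbers(input, nums))
        return 0;
    /* cmpl $0x0,(%rsp) / jne explode ; cmpl $0x1,0x4(%rsp) / je ok */
    if (nums[0] != 0 || nums[1] != 1)
        return 0;              /* explode_bomb */
    /* rbx = rsp ; rbp = rsp+0x10 ; loop while rbx != rbp (four rounds) */
    int *p = nums;
    int *end = nums + 4;
    do {
        /* eax = 0x4(%rbx) + (%rbx) ; cmp %eax,0x8(%rbx) / je ok */
        if (p[2] != p[0] + p[1])
            return 0;          /* explode_bomb */
        p++;                   /* add $0x4,%rbx */
    } while (p != end);
    return 1;
}
```

Under the assumed format, a comma-separated line stops sscanf at the first comma, so only the space-separated form passes read_six_numbers.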