# Bomb lab phase 4 func4

I'm having trouble with the password for phase_4 of my binary bomb.

So far, I understand...
the inputs must be 2 integers (line 29)

and the second integer should be less than or equal to 2 when 2 is subtracted from it (lines 38-44). Which means it should be a number 2-4

Then, it calls func4, and compares the output of func4 to rsp (which I've done some testing and rsp is always 0) so I need to find a number that returns 0 when inputted into func4.

What's confusing me is: if the result of func4 needs to be 0, that means its input should be 0. Taking into account line 38 in phase_4 where it subtracts 2 from my input, that should mean my second # should be 2...? However I have tried that and it makes it explode in line 46 as it doesn't satisfy the first comparison.

I have tried numbers like (0 2) (2 0) (0 1) (0 3) and they all failed. Any suggestions to point me in the right direction? Thanks!

```
phase_4:
0x000000000040101e <+0>:     sub    $0x18,%rsp
0x0000000000401022 <+4>:     lea    0xc(%rsp),%rcx
0x0000000000401027 <+9>:     lea    0x8(%rsp),%rdx
0x000000000040102c <+14>:    mov    $0x4027cd,%esi
0x0000000000401031 <+19>:    mov    $0x0,%eax
0x0000000000401036 <+24>:    callq  0x400c30 <__isoc99_sscanf@plt>
0x000000000040103b <+29>:    cmp    $0x2,%eax        //check if 2 inputs
0x000000000040103e <+32>:    jne    0x40104c <phase_4+46>
0x0000000000401040 <+34>:    mov    0xc(%rsp),%eax
=> 0x0000000000401044 <+38>:    sub    $0x2,%eax
0x0000000000401047 <+41>:    cmp    $0x2,%eax
0x000000000040104a <+44>:    jbe    0x401051 <phase_4+51> //if unsigned eax <= 2
0x000000000040104c <+46>:    callq  0x401554 <explode_bomb>
0x0000000000401051 <+51>:    mov    0xc(%rsp),%esi
0x0000000000401055 <+55>:    mov    $0x7,%edi
0x000000000040105a <+60>:    callq  0x400fe6 <func4>
0x000000000040105f <+65>:    cmp    0x8(%rsp),%eax  //comparing eax to 0
0x0000000000401063 <+69>:    je     0x40106a <phase_4+76>
0x0000000000401065 <+71>:    callq  0x401554 <explode_bomb> //explode if output != 0
0x000000000040106e <+80>:    retq
```

```
Func4
0x0000000000400fe6 <+0>:     push   %r12
0x0000000000400fe8 <+2>:     push   %rbp
0x0000000000400fe9 <+3>:     push   %rbx
0x0000000000400fea <+4>:     mov    %edi,%ebx
0x0000000000400fec <+6>:     test   %edi,%edi
0x0000000000400fee <+8>:     jle    0x401014 <func4+46> //if input <= 0
0x0000000000400ff0 <+10>:    mov    %esi,%ebp
0x0000000000400ff2 <+12>:    mov    %esi,%eax
0x0000000000400ff4 <+14>:    cmp    $0x1,%edi
0x0000000000400ff7 <+17>:    je     0x401019 <func4+51>
0x0000000000400ff9 <+19>:    lea    -0x1(%rdi),%edi
0x0000000000400ffc <+22>:    callq  0x400fe6 <func4>
0x0000000000401001 <+27>:    lea    (%rax,%rbp,1),%r12d
0x0000000000401005 <+31>:    lea    -0x2(%rbx),%edi
0x0000000000401008 <+34>:    mov    %ebp,%esi
0x000000000040100a <+36>:    callq  0x400fe6 <func4>
0x0000000000401012 <+44>:    jmp    0x401019 <func4+51>
0x0000000000401014 <+46>:    mov    $0x0,%eax  //make return val 0
0x0000000000401019 <+51>:    pop    %rbx
0x000000000040101a <+52>:    pop    %rbp
0x000000000040101b <+53>:    pop    %r12
0x000000000040101d <+55>:    retq
```

This is incorrect. The output of `func4` is compared with `[rsp + 8]`, in which the first number was stored.
If we write the desired input as `(a, b)`, then we have `a = func4 (7, b)` and `2 <= b <= 4`.
Now you need to figure out what `func4 (x, y)` does. A hint: It depends on `y` and on the value of the Fibonacci series at an index that depends on `x`.
To understand `func4` I recommend that you convert it to C. See my answer to this question for an illustration. Note that you would have understood `phase_4` correctly if you had converted it to C as well.
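
The C conversion the answer recommends, written out as an added example (it is not part of the original answer or of the bomb's source). The names `func4` and `phase_4_ok` and the variables are chosen here. The listing does not show the instruction between `<+36>` and `<+44>`, so the code assumes it adds `r12d` to the second call's result, which is consistent with the Fibonacci hint above.

```c
#include <stdio.h>

/* func4 as read from the listing: edi = n, esi = y.
 * ASSUMPTION: the instruction between <+36> and <+44> is not shown on the
 * page; it is taken here to add r12d (first result + y) to the result of
 * the second recursive call. */
int func4(int n, int y)
{
    if (n <= 0)                     /* <+6>/<+8>: test, jle -> return 0 */
        return 0;
    if (n == 1)                     /* <+12>..<+17>: eax already holds y */
        return y;
    int r12 = func4(n - 1, y) + y;  /* <+19>..<+27>: lea (%rax,%rbp,1),%r12d */
    return r12 + func4(n - 2, y);   /* <+31>..<+36> plus the assumed add */
}

/* The checks phase_4 makes once sscanf has stored the first number at
 * 0x8(%rsp) (a) and the second at 0xc(%rsp) (b).
 * Returns 1 when explode_bomb would not be reached. */
int phase_4_ok(int a, int b)
{
    /* <+38>..<+44>: sub/cmp/jbe is an unsigned comparison, so a single
     * branch enforces 2 <= b <= 4 (any b < 2 wraps to a huge value). */
    if ((unsigned)b - 2u > 2u)
        return 0;
    /* <+51>..<+69>: func4(7, b) is compared with the first number. */
    return func4(7, b) == a;
}

int main(void)
{
    /* Print the value phase_4 expects as the first number for each legal b. */
    for (int b = 2; b <= 4; b++)
        printf("b=%d  func4(7,b)=%d\n", b, func4(7, b));
    return 0;
}
```
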