Wuzhou Du

CSAPP Bomb Lab - 2

2024-07-04T00:00:00-07:00

Phase 4

Dump of assembler code for function phase_4:

   0x000000000040100c <+0>:	sub    $0x18,%rsp
   0x0000000000401010 <+4>:	lea    0xc(%rsp),%rcx
   0x0000000000401015 <+9>:	lea    0x8(%rsp),%rdx
   0x000000000040101a <+14>:	mov    $0x4025cf,%esi
   0x000000000040101f <+19>:	mov    $0x0,%eax
   0x0000000000401024 <+24>:	callq  0x400bf0 <__isoc99_sscanf@plt>
   0x0000000000401029 <+29>:	cmp    $0x2,%eax
   0x000000000040102c <+32>:	jne    0x401035 
   0x000000000040102e <+34>:	cmpl   $0xe,0x8(%rsp)
   0x0000000000401033 <+39>:	jbe    0x40103a 
   0x0000000000401035 <+41>:	callq  0x40143a 
   0x000000000040103a <+46>:	mov    $0xe,%edx
   0x000000000040103f <+51>:	mov    $0x0,%esi
   0x0000000000401044 <+56>:	mov    0x8(%rsp),%edi
   0x0000000000401048 <+60>:	callq  0x400fce 
   0x000000000040104d <+65>:	test   %eax,%eax
   0x000000000040104f <+67>:	jne    0x401058 
   0x0000000000401051 <+69>:	cmpl   $0x0,0xc(%rsp)
   0x0000000000401056 <+74>:	je     0x40105d 
   0x0000000000401058 <+76>:	callq  0x40143a 
   0x000000000040105d <+81>:	add    $0x18,%rsp
   0x0000000000401061 <+85>:	retq   

The codes before line +41 are not interesting, which indicates the first input must be below or eqaul to 0xe. Then, prepare three arguments for func4 procedure. The first argument is the first input. The second argument is 0, and the third is 0xe. The procedure func4 must return 0 otherwise the bomb explodes.

After returning from the procedure, it checks whether the second input is 0. So, the answer is 7 0.

func4

Dump of assembler code for function func4:

   0x0000000000400fce <+0>:	sub    $0x8,%rsp
   0x0000000000400fd2 <+4>:	mov    %edx,%eax
   0x0000000000400fd4 <+6>:	sub    %esi,%eax
   0x0000000000400fd6 <+8>:	mov    %eax,%ecx
   0x0000000000400fd8 <+10>:	shr    $0x1f,%ecx
   0x0000000000400fdb <+13>:	add    %ecx,%eax
   0x0000000000400fdd <+15>:	sar    %eax
   0x0000000000400fdf <+17>:	lea    (%rax,%rsi,1),%ecx
   0x0000000000400fe2 <+20>:	cmp    %edi,%ecx
   0x0000000000400fe4 <+22>:	jle    0x400ff2 
   0x0000000000400fe6 <+24>:	lea    -0x1(%rcx),%edx
   0x0000000000400fe9 <+27>:	callq  0x400fce 
   0x0000000000400fee <+32>:	add    %eax,%eax
   0x0000000000400ff0 <+34>:	jmp    0x401007 
   0x0000000000400ff2 <+36>:	mov    $0x0,%eax
   0x0000000000400ff7 <+41>:	cmp    %edi,%ecx
   0x0000000000400ff9 <+43>:	jge    0x401007 
   0x0000000000400ffb <+45>:	lea    0x1(%rcx),%esi
   0x0000000000400ffe <+48>:	callq  0x400fce 
   0x0000000000401003 <+53>:	lea    0x1(%rax,%rax,1),%eax
   0x0000000000401007 <+57>:	add    $0x8,%rsp
   0x000000000040100b <+61>:	retq   

This is a recursive function and we want it to return 0. After the simulation, we find that it is close to binary searching process, which searches the first argument between the range of the second and third arguments. If it returns 0, the first argument can be the middle of the second and the third, which is \(\frac{0 + e}{2} = 7\).

Phase 5

Dump of assembler code for function phase_5:

   0x0000000000401062 <+0>:	push   %rbx
   0x0000000000401063 <+1>:	sub    $0x20,%rsp
   0x0000000000401067 <+5>:	mov    %rdi,%rbx
   0x000000000040106a <+8>:	mov    %fs:0x28,%rax
   0x0000000000401073 <+17>:	mov    %rax,0x18(%rsp)
   0x0000000000401078 <+22>:	xor    %eax,%eax
   0x000000000040107a <+24>:	callq  0x40131b 
   0x000000000040107f <+29>:	cmp    $0x6,%eax
   0x0000000000401082 <+32>:	je     0x4010d2 
   0x0000000000401084 <+34>:	callq  0x40143a 
   0x0000000000401089 <+39>:	jmp    0x4010d2 
   0x000000000040108b <+41>:	movzbl (%rbx,%rax,1),%ecx
   0x000000000040108f <+45>:	mov    %cl,(%rsp)
   0x0000000000401092 <+48>:	mov    (%rsp),%rdx
   0x0000000000401096 <+52>:	and    $0xf,%edx
   0x0000000000401099 <+55>:	movzbl 0x4024b0(%rdx),%edx
   0x00000000004010a0 <+62>:	mov    %dl,0x10(%rsp,%rax,1)
   0x00000000004010a4 <+66>:	add    $0x1,%rax
   0x00000000004010a8 <+70>:	cmp    $0x6,%rax
   0x00000000004010ac <+74>:	jne    0x40108b 
   0x00000000004010ae <+76>:	movb   $0x0,0x16(%rsp)
   0x00000000004010b3 <+81>:	mov    $0x40245e,%esi
---Type  to continue, or q  to quit---
   0x00000000004010b8 <+86>:	lea    0x10(%rsp),%rdi
   0x00000000004010bd <+91>:	callq  0x401338 
   0x00000000004010c2 <+96>:	test   %eax,%eax
   0x00000000004010c4 <+98>:	je     0x4010d9 
   0x00000000004010c6 <+100>:	callq  0x40143a 
   0x00000000004010cb <+105>:	nopl   0x0(%rax,%rax,1)
   0x00000000004010d0 <+110>:	jmp    0x4010d9 
   0x00000000004010d2 <+112>:	mov    $0x0,%eax
   0x00000000004010d7 <+117>:	jmp    0x40108b 
   0x00000000004010d9 <+119>:	mov    0x18(%rsp),%rax
   0x00000000004010de <+124>:	xor    %fs:0x28,%rax
   0x00000000004010e7 <+133>:	je     0x4010ee 
   0x00000000004010e9 <+135>:	callq  0x400b30 <__stack_chk_fail@plt>
   0x00000000004010ee <+140>:	add    $0x20,%rsp
   0x00000000004010f2 <+144>:	pop    %rbx
   0x00000000004010f3 <+145>:	retq   

When encountering line +8, I have no idea what is mov %fs:0x28,%rax. I have to check all I have learnt. I find this may help. Anyway, it seems to not relate to the bomb. So I will continue.

In the following few lines, it ensures that the length of the input string is 6. The core part begins from line +41, which transforms the input string character by character. The conversion is line +52, which only stores the lower 1 byte of the character as the offset. In line +55, the offset plus the base address 0x4024b0 is the target characters. The base address have the string “maduiersnfotvbyl”, which is the alphabet of the target string. The output string is line +81, “fliyer”. So, to construct this output string using the alphabet, the offset should be 9, f, e, 5, 6, 7. So, the characters of the input string must have the lower bytes in the offset series. After quering the ASCII table, one of the answer is ionuvw.

Phase 6

Dump of assembler code for function phase_6:

   0x00000000004010f4 <+0>:	push   %r14
   0x00000000004010f6 <+2>:	push   %r13
   0x00000000004010f8 <+4>:	push   %r12
   0x00000000004010fa <+6>:	push   %rbp
   0x00000000004010fb <+7>:	push   %rbx
   0x00000000004010fc <+8>:	sub    $0x50,%rsp
   0x0000000000401100 <+12>:	mov    %rsp,%r13
   0x0000000000401103 <+15>:	mov    %rsp,%rsi
   0x0000000000401106 <+18>:	callq  0x40145c 
   0x000000000040110b <+23>:	mov    %rsp,%r14
   0x000000000040110e <+26>:	mov    $0x0,%r12d
   0x0000000000401114 <+32>:	mov    %r13,%rbp
   0x0000000000401117 <+35>:	mov    0x0(%r13),%eax
   0x000000000040111b <+39>:	sub    $0x1,%eax
   0x000000000040111e <+42>:	cmp    $0x5,%eax
   0x0000000000401121 <+45>:	jbe    0x401128 
   0x0000000000401123 <+47>:	callq  0x40143a 
   0x0000000000401128 <+52>:	add    $0x1,%r12d
   0x000000000040112c <+56>:	cmp    $0x6,%r12d
   0x0000000000401130 <+60>:	je     0x401153 
   0x0000000000401132 <+62>:	mov    %r12d,%ebx
   0x0000000000401135 <+65>:	movslq %ebx,%rax
---Type  to continue, or q  to quit---
   0x0000000000401138 <+68>:	mov    (%rsp,%rax,4),%eax
   0x000000000040113b <+71>:	cmp    %eax,0x0(%rbp)
   0x000000000040113e <+74>:	jne    0x401145 
   0x0000000000401140 <+76>:	callq  0x40143a 
   0x0000000000401145 <+81>:	add    $0x1,%ebx
   0x0000000000401148 <+84>:	cmp    $0x5,%ebx
   0x000000000040114b <+87>:	jle    0x401135 
   0x000000000040114d <+89>:	add    $0x4,%r13
   0x0000000000401151 <+93>:	jmp    0x401114 
   0x0000000000401153 <+95>:	lea    0x18(%rsp),%rsi
   0x0000000000401158 <+100>:	mov    %r14,%rax
   0x000000000040115b <+103>:	mov    $0x7,%ecx
   0x0000000000401160 <+108>:	mov    %ecx,%edx
   0x0000000000401162 <+110>:	sub    (%rax),%edx
   0x0000000000401164 <+112>:	mov    %edx,(%rax)
   0x0000000000401166 <+114>:	add    $0x4,%rax
   0x000000000040116a <+118>:	cmp    %rsi,%rax
   0x000000000040116d <+121>:	jne    0x401160 
   0x000000000040116f <+123>:	mov    $0x0,%esi
   0x0000000000401174 <+128>:	jmp    0x401197 
   0x0000000000401176 <+130>:	mov    0x8(%rdx),%rdx
   0x000000000040117a <+134>:	add    $0x1,%eax
   0x000000000040117d <+137>:	cmp    %ecx,%eax
---Type  to continue, or q  to quit---
   0x000000000040117f <+139>:	jne    0x401176 
   0x0000000000401181 <+141>:	jmp    0x401188 
   0x0000000000401183 <+143>:	mov    $0x6032d0,%edx
   0x0000000000401188 <+148>:	mov    %rdx,0x20(%rsp,%rsi,2)
   0x000000000040118d <+153>:	add    $0x4,%rsi
   0x0000000000401191 <+157>:	cmp    $0x18,%rsi
   0x0000000000401195 <+161>:	je     0x4011ab 
   0x0000000000401197 <+163>:	mov    (%rsp,%rsi,1),%ecx
   0x000000000040119a <+166>:	cmp    $0x1,%ecx
   0x000000000040119d <+169>:	jle    0x401183 
   0x000000000040119f <+171>:	mov    $0x1,%eax
   0x00000000004011a4 <+176>:	mov    $0x6032d0,%edx
   0x00000000004011a9 <+181>:	jmp    0x401176 
   0x00000000004011ab <+183>:	mov    0x20(%rsp),%rbx
   0x00000000004011b0 <+188>:	lea    0x28(%rsp),%rax
   0x00000000004011b5 <+193>:	lea    0x50(%rsp),%rsi
   0x00000000004011ba <+198>:	mov    %rbx,%rcx
   0x00000000004011bd <+201>:	mov    (%rax),%rdx
   0x00000000004011c0 <+204>:	mov    %rdx,0x8(%rcx)
   0x00000000004011c4 <+208>:	add    $0x8,%rax
   0x00000000004011c8 <+212>:	cmp    %rsi,%rax
   0x00000000004011cb <+215>:	je     0x4011d2 
   0x00000000004011cd <+217>:	mov    %rdx,%rcx
---Type  to continue, or q  to quit---
   0x00000000004011d0 <+220>:	jmp    0x4011bd 
   0x00000000004011d2 <+222>:	movq   $0x0,0x8(%rdx)
   0x00000000004011da <+230>:	mov    $0x5,%ebp
   0x00000000004011df <+235>:	mov    0x8(%rbx),%rax
   0x00000000004011e3 <+239>:	mov    (%rax),%eax
   0x00000000004011e5 <+241>:	cmp    %eax,(%rbx)
   0x00000000004011e7 <+243>:	jge    0x4011ee 
   0x00000000004011e9 <+245>:	callq  0x40143a 
   0x00000000004011ee <+250>:	mov    0x8(%rbx),%rbx
   0x00000000004011f2 <+254>:	sub    $0x1,%ebp
   0x00000000004011f5 <+257>:	jne    0x4011df 
   0x00000000004011f7 <+259>:	add    $0x50,%rsp
   0x00000000004011fb <+263>:	pop    %rbx
   0x00000000004011fc <+264>:	pop    %rbp
   0x00000000004011fd <+265>:	pop    %r12
   0x00000000004011ff <+267>:	pop    %r13
   0x0000000000401201 <+269>:	pop    %r14
   0x0000000000401203 <+271>:	retq   

The codes before line +18 aim to store the six integer from the beginning of the stack pointer. The codes from line +32 to +93 aim to check all the numbers are different, and they must be below or equal to 6. The codes from line +95 to +121 aim to replace each input number with the 7-x where x is each number.

line +123 - +181: for every 7-x, if it is equal to 1 (i.e. x = 6), put 0x6032d0 into 0x20 + %rsp + 8 * index of this element. So, every element now sits on 8 bytes starting from addresss 0x20 + %rsp. If it is larger than 1, calculate the difference of 7-x and 1 as y. There is a linked list in the stack, which starting from the address 0x6032d0, since the following memory dump:

   (gdb) x/2wx 0x6032d8
   0x6032d8 :	0x006032e0	0x00000000
   (gdb) x/2wx 0x6032e8
   0x6032e8 :	0x006032f0	0x00000000
   (gdb) x/2wx 0x6032f8
   0x6032f8 :	0x00603300	0x00000000
   (gdb) x/2wx 0x603308
   0x603308 :	0x00603310	0x00000000
   (gdb) x/2wx 0x603318
   0x603318 :	0x00603320	0x00000000
   (gdb) x/2wx 0x603328
   0x603328 :	0x00000000	0x00000000

The code will store the pointer to the linked list node at the 0x20 + %rsp + 8 * index of this element. The node index is y for every element.

line +183 - +222: starting from 0x20 + %rsp, for every pointer, set the ith pointer’s next (in the memory) as the (i+1)th pointer. And set the 6th pointer’s next as 0x0.

line +230 - end: the value stored at the first pointer to the sixth pointer should be descending. So, we must check the values stored at each pointer.

(gdb) x/wx 0x6032d0
0x6032d0 :	0x0000014c
(gdb) x/wx 0x6032e0
0x6032e0 :	0x000000a8
(gdb) x/wx 0x6032f0
0x6032f0 :	0x0000039c
(gdb) x/wx 0x603300
0x603300 :	0x000002b3
(gdb) x/wx 0x603310
0x603310 :	0x000001dd
(gdb) x/wx 0x603320
0x603320 :	0x000001bb

node3 > node4 > node5 > node6 > node1 > node2
So, the first element has difference 2, the node4 pointer has difference 3, …
So, \(7 - x - 1 = 2 => x = 4\), \(7 - x - 1 = 3 => x = 3\), … The answer is 4 3 2 1 6 5.

Finally

This lab is so painful… Tortures my mind and eyes to decode the assembly language.
But congratulations to myself!

CSAPP Bomb Lab - 1

2024-07-02T00:00:00-07:00

Recently I begin to write some posts to record my efforts (and pain) during the study.

Preparation

get the bomb lab resource from CMU CSAPP official website. I download the README.md, Writeup and Self-Study Handout. The hints in the Writeup pdf is helpful, which directs me to browse some useful tools’ handbook in this lab, e.g. 2-pages GDB handbook.
If you are a self-studier and non-CMU student like me, you can skip most of the README instructions about how CMU students should get their unique bomb and submit their project. For others, the only thing you have to do is to decompress the handout, find the binary exe file, and begin to defuse the bomb.

Try

After opening the bomb.c file and browsing the code structure, I find that the bomb has 6 phases, which menas 6 sub-challenges to conquer. So let’s do it step by step.

Phase 1

For every phase, the first thing to do is gdb bomb to enter gdb mode. Then, disas phase_{x} to disassemble the phase_x function and decode it.

Dump of assembler code for function phase_1:

   0x0000000000400ee0 <+0>:     sub    $0x8,%rsp
   0x0000000000400ee4 <+4>:     mov    $0x402400,%esi
   0x0000000000400ee9 <+9>:     callq  0x401338 
   0x0000000000400eee <+14>:    test   %eax,%eax
   0x0000000000400ef0 <+16>:    je     0x400ef7 
   0x0000000000400ef2 <+18>:    callq  0x40143a 
   0x0000000000400ef7 <+23>:    add    $0x8,%rsp
   0x0000000000400efb <+27>:    retq   

We can see the core part is the strings_not_equal function. If the return value of the function is zero, phase 1 will pass. So, lets dive into strings_not_equal.

Q: Why does the stack pointer deduced by 8 at first?
A: For memory alignment. Every time before calling procedure, you have to ensure the stack pointer is 16x. We assume that before entering phase_1, the stack pointer is aligned. After calling phase_1, the %rsp will be deduced by 8 because the returning address is pushed into stack. So, we need to deduct another 8 to align it.

strings_not_eqaul

Dump of assembler code for function strings_not_equal:

   0x0000000000401338 <+0>:     push   %r12
   0x000000000040133a <+2>:     push   %rbp
   0x000000000040133b <+3>:     push   %rbx
   0x000000000040133c <+4>:     mov    %rdi,%rbx
   0x000000000040133f <+7>:     mov    %rsi,%rbp
   0x0000000000401342 <+10>:    callq  0x40131b 
   0x0000000000401347 <+15>:    mov    %eax,%r12d
   0x000000000040134a <+18>:    mov    %rbp,%rdi
   0x000000000040134d <+21>:    callq  0x40131b 
   0x0000000000401352 <+26>:    mov    $0x1,%edx
   0x0000000000401357 <+31>:    cmp    %eax,%r12d
   0x000000000040135a <+34>:    jne    0x40139b 
   0x000000000040135c <+36>:    movzbl (%rbx),%eax
   0x000000000040135f <+39>:    test   %al,%al
   0x0000000000401361 <+41>:    je     0x401388 
   0x0000000000401363 <+43>:    cmp    0x0(%rbp),%al
   0x0000000000401366 <+46>:    je     0x401372 
   0x0000000000401368 <+48>:    jmp    0x40138f 
   0x000000000040136a <+50>:    cmp    0x0(%rbp),%al
   0x000000000040136d <+53>:    nopl   (%rax)
   0x0000000000401370 <+56>:    jne    0x401396 
   0x0000000000401372 <+58>:    add    $0x1,%rbx
   0x0000000000401376 <+62>:    add    $0x1,%rbp
   0x000000000040137a <+66>:    movzbl (%rbx),%eax
   0x000000000040137d <+69>:    test   %al,%al
   0x000000000040137f <+71>:    jne    0x40136a 
   0x0000000000401381 <+73>:    mov    $0x0,%edx
   0x0000000000401386 <+78>:    jmp    0x40139b 
   0x0000000000401388 <+80>:    mov    $0x0,%edx
   0x000000000040138d <+85>:    jmp    0x40139b 
   0x000000000040138f <+87>:    mov    $0x1,%edx
   0x0000000000401394 <+92>:    jmp    0x40139b 
   0x0000000000401396 <+94>:    mov    $0x1,%edx
   0x000000000040139b <+99>:    mov    %edx,%eax
   0x000000000040139d <+101>:   pop    %rbx
   0x000000000040139e <+102>:   pop    %rbp
   0x000000000040139f <+103>:   pop    %r12
   0x00000000004013a1 <+105>:   retq   

From the name of the function, we can guess it compares two strings. One parameter must be the string in %rsi, the other must be the string in %rdi.

For the string_length function, we can guess it calculates the length of the string.

If the length of strings are not equal, return 1.

Then come to line +36: move the memory content in %rbx to %eax and zero-extended to 64 bits. Now %rax lies the firs 4 characters of the input string. The following code is just to ensure the input is not a \n, and the input must be the same as the string located at 0x402400, which is indicated in the second line of phase_1.

Answer: “Border relations with Canada have never been better.”

string_length

Dump of assembler code for function string_length:

   0x000000000040131b <+0>:     cmpb   $0x0,(%rdi)
   0x000000000040131e <+3>:     je     0x401332 
   0x0000000000401320 <+5>:     mov    %rdi,%rdx
   0x0000000000401323 <+8>:     add    $0x1,%rdx
   0x0000000000401327 <+12>:    mov    %edx,%eax
   0x0000000000401329 <+14>:    sub    %edi,%eax
   0x000000000040132b <+16>:    cmpb   $0x0,(%rdx)
   0x000000000040132e <+19>:    jne    0x401323 
   0x0000000000401330 <+21>:    repz retq 
   0x0000000000401332 <+23>:    mov    $0x0,%eax
   0x0000000000401337 <+28>:    retq   

%rdi must store the address of the beginning character of the string, because the memory accessing method. If this is a null ending in C, procedure ends and return 0. The following code is a loop, counting the number of non-null characters and returning the count.

Phase 2

Dump of assembler code for function phase_2:

   0x0000000000400efc <+0>:	push   %rbp
   0x0000000000400efd <+1>:	push   %rbx
   0x0000000000400efe <+2>:	sub    $0x28,%rsp
   0x0000000000400f02 <+6>:	mov    %rsp,%rsi
   0x0000000000400f05 <+9>:	callq  0x40145c 
   0x0000000000400f0a <+14>:	cmpl   $0x1,(%rsp)
   0x0000000000400f0e <+18>:	je     0x400f30 
   0x0000000000400f10 <+20>:	callq  0x40143a 
   0x0000000000400f15 <+25>:	jmp    0x400f30 
   0x0000000000400f17 <+27>:	mov    -0x4(%rbx),%eax
   0x0000000000400f1a <+30>:	add    %eax,%eax
   0x0000000000400f1c <+32>:	cmp    %eax,(%rbx)
   0x0000000000400f1e <+34>:	je     0x400f25 
   0x0000000000400f20 <+36>:	callq  0x40143a 
   0x0000000000400f25 <+41>:	add    $0x4,%rbx
   0x0000000000400f29 <+45>:	cmp    %rbp,%rbx
   0x0000000000400f2c <+48>:	jne    0x400f17 
   0x0000000000400f2e <+50>:	jmp    0x400f3c 
   0x0000000000400f30 <+52>:	lea    0x4(%rsp),%rbx
   0x0000000000400f35 <+57>:	lea    0x18(%rsp),%rbp
   0x0000000000400f3a <+62>:	jmp    0x400f17 
   0x0000000000400f3c <+64>:	add    $0x28,%rsp
---Type  to continue, or q  to quit---
   0x0000000000400f40 <+68>:	pop    %rbx
   0x0000000000400f41 <+69>:	pop    %rbp
   0x0000000000400f42 <+70>:	retq   

Now we have to be familiar with some registers. The %rdi register is responsible for passing the argument, so other 5 registers! Here, the %rsi is the second argument, so we can dive into the read_six_numbers procedure to see how the stack pointer works.

After that, the only thing we need to do is simulation, and I find that the wanted input is 1 2 4 8 16 32.

read_six_numbers

Dump of assembler code for function read_six_numbers:

   0x000000000040145c <+0>:	sub    $0x18,%rsp
   0x0000000000401460 <+4>:	mov    %rsi,%rdx
   0x0000000000401463 <+7>:	lea    0x4(%rsi),%rcx
   0x0000000000401467 <+11>:	lea    0x14(%rsi),%rax
   0x000000000040146b <+15>:	mov    %rax,0x8(%rsp)
   0x0000000000401470 <+20>:	lea    0x10(%rsi),%rax
   0x0000000000401474 <+24>:	mov    %rax,(%rsp)
   0x0000000000401478 <+28>:	lea    0xc(%rsi),%r9
   0x000000000040147c <+32>:	lea    0x8(%rsi),%r8
   0x0000000000401480 <+36>:	mov    $0x4025c3,%esi
   0x0000000000401485 <+41>:	mov    $0x0,%eax
   0x000000000040148a <+46>:	callq  0x400bf0 <__isoc99_sscanf@plt>
   0x000000000040148f <+51>:	cmp    $0x5,%eax
   0x0000000000401492 <+54>:	jg     0x401499 
   0x0000000000401494 <+56>:	callq  0x40143a 
   0x0000000000401499 <+61>:	add    $0x18,%rsp
   0x000000000040149d <+65>:	retq   

The core part of this procedure is to understand what is sscanf in C. Here, we should pass 8 parameters to it. However, when the number of arugments is over 6, we have to store the extra parameters into the stack, like line +15 and +24. You can find all the arguments based on the image above, accoridng to ABI (Application Binary Interface), the traditional usage of registers.

So, read_six_numbers procedure just parse 6 decimal numbers from the input string and stores them in the stack. After decoding what this procedure is about, we can go back to phase_2 procedure.

Phase 3

Dump of assembler code for function phase_3:

   0x0000000000400f43 <+0>:	sub    $0x18,%rsp
   0x0000000000400f47 <+4>:	lea    0xc(%rsp),%rcx
   0x0000000000400f4c <+9>:	lea    0x8(%rsp),%rdx
   0x0000000000400f51 <+14>:	mov    $0x4025cf,%esi
   0x0000000000400f56 <+19>:	mov    $0x0,%eax
   0x0000000000400f5b <+24>:	callq  0x400bf0 <__isoc99_sscanf@plt>
   0x0000000000400f60 <+29>:	cmp    $0x1,%eax
   0x0000000000400f63 <+32>:	jg     0x400f6a 
   0x0000000000400f65 <+34>:	callq  0x40143a 
   0x0000000000400f6a <+39>:	cmpl   $0x7,0x8(%rsp)
   0x0000000000400f6f <+44>:	ja     0x400fad 
   0x0000000000400f71 <+46>:	mov    0x8(%rsp),%eax
   0x0000000000400f75 <+50>:	jmpq   *0x402470(,%rax,8)
   0x0000000000400f7c <+57>:	mov    $0xcf,%eax
   0x0000000000400f81 <+62>:	jmp    0x400fbe 
   0x0000000000400f83 <+64>:	mov    $0x2c3,%eax
   0x0000000000400f88 <+69>:	jmp    0x400fbe 
   0x0000000000400f8a <+71>:	mov    $0x100,%eax
   0x0000000000400f8f <+76>:	jmp    0x400fbe 
   0x0000000000400f91 <+78>:	mov    $0x185,%eax
   0x0000000000400f96 <+83>:	jmp    0x400fbe 
   0x0000000000400f98 <+85>:	mov    $0xce,%eax
---Type  to continue, or q  to quit---
   0x0000000000400f9d <+90>:	jmp    0x400fbe 
   0x0000000000400f9f <+92>:	mov    $0x2aa,%eax
   0x0000000000400fa4 <+97>:	jmp    0x400fbe 
   0x0000000000400fa6 <+99>:	mov    $0x147,%eax
   0x0000000000400fab <+104>:	jmp    0x400fbe 
   0x0000000000400fad <+106>:	callq  0x40143a 
   0x0000000000400fb2 <+111>:	mov    $0x0,%eax
   0x0000000000400fb7 <+116>:	jmp    0x400fbe 
   0x0000000000400fb9 <+118>:	mov    $0x137,%eax
   0x0000000000400fbe <+123>:	cmp    0xc(%rsp),%eax
   0x0000000000400fc2 <+127>:	je     0x400fc9 
   0x0000000000400fc4 <+129>:	callq  0x40143a 
   0x0000000000400fc9 <+134>:	add    $0x18,%rsp
   0x0000000000400fcd <+138>:	retq   

This phase is interesting. The code before line +24 is easy to understand, which is parsing two decimal from the input and storing them in the stack. The most interesting part is line +50, where the code unconditionally jumps to an address according to the first input number! I was stuck for quite a while to thinking. After some trials like the first number is 0, 1, …, I find that there are multiple groups of input leading to a valid result.

Have a quick browse on how this phase is defused successfully, we can find that there are many ways jumping to line +123, which compares the second input with %eax. What’s more, there are many lines moving immediate number to %eax like line +57, +64, etc. We can guess the interesting line +50 is to jump to one of the line.

After trying (gdb) x/w 0x402470: 0x00400f7c, it refers to line +57, which means the base of the jumping is line +57. So, one of the answers: 1 311 comes out naturally.