binary bomb phase_6

Hello guys,

I'm struggling to solve the last phase of my binary-bomb project. I would appreciate some tips and any idea of what is happening in the disassembly below (the phase function and the PLT stub it calls; the helper it calls is in my follow-up post).

Dump of assembler code for function phase_6:
# phase_6(char *input)
# Parses one base-10 integer from the input string, stores it in the value
# field (offset 0) of the global node at 0x804a62c, hands that node to fun6,
# then follows the list fun6 returns through its next field (offset 8) seven
# times and requires the value found there to equal the number just typed.
# Node layout as used here and in fun6: value at +0, next pointer at +8
# (offset +4 is never read by this function).
0x08048df1 <phase_6+0>: push   %ebp
0x08048df2 <phase_6+1>: mov    %esp,%ebp
0x08048df4 <phase_6+3>: sub    $0x18,%esp                   # stack space for the call arguments below
0x08048df7 <phase_6+6>: movl   $0x0,0xc(%esp)               # arg3 (group)  = 0
0x08048dff <phase_6+14>:        movl   $0xa,0x8(%esp)        # arg2 (base)   = 10
0x08048e07 <phase_6+22>:        movl   $0x0,0x4(%esp)        # arg1 (endptr) = NULL: trailing non-digits are silently ignored
0x08048e0f <phase_6+30>:        mov    0x8(%ebp),%eax        # arg0 = phase_6's own argument (the input string)
0x08048e12 <phase_6+33>:        mov    %eax,(%esp)
0x08048e15 <phase_6+36>:        call   0x8048744 <__strtol_internal@plt>   # eax = strtol(input, NULL, 10); no error check
0x08048e1a <phase_6+41>:        mov    %eax,0x804a62c        # global node: value field (+0) = parsed number
0x08048e1f <phase_6+46>:        movl   $0x804a62c,(%esp)     # arg0 = address of that node (not the number itself)
0x08048e26 <phase_6+53>:        call   0x8048b38 <fun6>      # eax = fun6(node): returns a list head
0x08048e2b <phase_6+58>:        mov    $0x1,%edx             # edx = 1 (loop counter)
0x08048e30 <phase_6+63>:        mov    0x8(%eax),%eax        # eax = eax->next (offset 8); no NULL check
0x08048e33 <phase_6+66>:        add    $0x1,%edx
0x08048e36 <phase_6+69>:        cmp    $0x8,%edx
0x08048e39 <phase_6+72>:        jne    0x8048e30 <phase_6+63>   # repeats until edx == 8: seven link-follows in total
0x08048e3b <phase_6+74>:        mov    (%eax),%eax           # eax = value field (offset 0) of the eighth node
0x08048e3d <phase_6+76>:        cmp    0x804a62c,%eax        # must equal the number typed (still stored in the global node)
0x08048e43 <phase_6+82>:        je     0x8048e4a <phase_6+89>
0x08048e45 <phase_6+84>:        call   0x80491b3 <explode_bomb>   # mismatch -> explode
---Type <return> to continue, or q <return> to quit---
0x08048e4a <phase_6+89>:        leave  
0x08048e4b <phase_6+90>:        ret    
End of assembler dump.




08048744 <__strtol_internal@plt>:
# Standard lazy-binding PLT stub for __strtol_internal: the call lands on the
# indirect jump through the GOT slot; the push/jmp pair below is the path taken
# until the dynamic linker has resolved the symbol (that is the usual ELF
# shape, not something this listing proves).  Nothing in the visible bomb code
# touches the GOT slot, so there is no need to trace into this stub.
 8048744:      ff 25 0c a1 04 08          jmp    *0x804a10c            # jump through the GOT slot for this symbol
 804874a:      68 40 00 00 00             push   $0x40                 # relocation index handed to the resolver
 804874f:      e9 60 ff ff ff             jmp    80486b4 <_init+0x18>  # presumably PLT0 (resolver trampoline) — verify with objdump -d -j .plt
lecosAsked:

lecosAuthor Commented:
I forgot to include this important piece — the fun6 helper that phase_6 calls:


08048b38 <fun6>:
# fun6(node *head) -> node*
# Re-sorts the singly linked list that starts at head into DESCENDING order
# of the value field and returns the new head.  It is a plain insertion sort:
# head becomes a one-element sorted list (its next pointer is cleared), then
# every remaining node is taken off the old chain and linked in front of the
# first sorted node whose value is <= its own.  The compare is signed (jg),
# so negative values sort after positive ones.
# Node layout as used here: value at +0, next at +8 (offset +4 is never
# touched by this function).
# Register roles: ebx = node being placed, ecx = its value (from 8048b82 on),
# esi = head of the sorted list, edx = cursor into the sorted list,
# eax = node just before the cursor (== edx while still at the head).
 8048b38:      55                         push   %ebp
 8048b39:      89 e5                      mov    %esp,%ebp
 8048b3b:      56                         push   %esi                  # save the callee-saved regs used below
 8048b3c:      53                         push   %ebx
 8048b3d:      8b 4d 08                   mov    0x8(%ebp),%ecx        # ecx = head
 8048b40:      8b 59 08                   mov    0x8(%ecx),%ebx        # ebx = head->next (first node still to place)
 8048b43:      c7 41 08 00 00 00 00       movl   $0x0,0x8(%ecx)        # head->next = NULL: sorted list is now {head}
 8048b4a:      89 ce                      mov    %ecx,%esi             # esi = sorted head
 8048b4c:      89 c8                      mov    %ecx,%eax             # eax = prev
 8048b4e:      89 ca                      mov    %ecx,%edx             # edx = cursor
 8048b50:      85 db                      test   %ebx,%ebx
 8048b52:      75 2a                      jne    8048b7e <fun6+0x46>   # more nodes to place -> outer loop
 8048b54:      eb 34                      jmp    8048b8a <fun6+0x52>   # single-node list: nothing to sort
 8048b56:      89 d0                      mov    %edx,%eax             # inner loop: prev = cursor
 8048b58:      8b 52 08                   mov    0x8(%edx),%edx        #             cursor = cursor->next
 8048b5b:      85 d2                      test   %edx,%edx
 8048b5d:      74 04                      je     8048b63 <fun6+0x2b>   # ran off the end: append after prev
 8048b5f:      39 0a                      cmp    %ecx,(%edx)
 8048b61:      7f f3                      jg     8048b56 <fun6+0x1e>   # keep walking while cursor->value > new value (signed)
 8048b63:      39 d0                      cmp    %edx,%eax
 8048b65:      75 04                      jne    8048b6b <fun6+0x33>   # prev == cursor only when we never advanced
 8048b67:      89 de                      mov    %ebx,%esi             #   -> the new node becomes the sorted head
 8048b69:      eb 03                      jmp    8048b6e <fun6+0x36>
 8048b6b:      89 58 08                   mov    %ebx,0x8(%eax)        # prev->next = new node
 8048b6e:      8b 43 08                   mov    0x8(%ebx),%eax        # eax = next unplaced node (rest of the old chain)
 8048b71:      89 53 08                   mov    %edx,0x8(%ebx)        # new->next = cursor (NULL when appended at the tail)
 8048b74:      89 c3                      mov    %eax,%ebx             # ebx = next node to place
 8048b76:      89 f2                      mov    %esi,%edx             # restart the walk from the sorted head
 8048b78:      89 f0                      mov    %esi,%eax
 8048b7a:      85 db                      test   %ebx,%ebx
 8048b7c:      74 0c                      je     8048b8a <fun6+0x52>   # nothing left to place -> return
 8048b7e:      85 d2                      test   %edx,%edx             # outer loop entry
 8048b80:      74 e1                      je     8048b63 <fun6+0x2b>
 8048b82:      8b 0b                      mov    (%ebx),%ecx           # ecx = value of the node being placed
 8048b84:      39 0a                      cmp    %ecx,(%edx)
 8048b86:      7f ce                      jg     8048b56 <fun6+0x1e>   # head value > new value: walk past it
 8048b88:      eb d9                      jmp    8048b63 <fun6+0x2b>   # otherwise insert in front of the head
 8048b8a:      89 f0                      mov    %esi,%eax             # return the sorted head
 8048b8c:      5b                         pop    %ebx
 8048b8d:      5e                         pop    %esi
 8048b8e:      5d                         pop    %ebp
 8048b8f:      90                         nop    
 8048b90:      c3                         ret    
Infinity08Commented:
Seeing as you got through 5 earlier phases, I'll assume you know the basics of interpreting assembler code. So I'll skip over the basic parts quickly :

>> 0x08048df7 <phase_6+6>: movl   $0x0,0xc(%esp)
>> 0x08048dff <phase_6+14>:        movl   $0xa,0x8(%esp)
>> 0x08048e07 <phase_6+22>:        movl   $0x0,0x4(%esp)
>> 0x08048e0f <phase_6+30>:        mov    0x8(%ebp),%eax
>> 0x08048e12 <phase_6+33>:        mov    %eax,(%esp)
>> 0x08048e15 <phase_6+36>:        call   0x8048744 <__strtol_internal@plt>

This is a standard call to strtol, through glibc's internal entry point `__strtol_internal(nptr, endptr, base, group)`: phase_6's string argument is parsed in base 10 (the `$0xa`), with endptr = NULL and group = 0. Two things that implies for the input: anything after the number is silently ignored, and a string with no number at all simply yields 0 — nothing in phase_6 checks for either case.

        http://www.cplusplus.com/reference/clibrary/cstdlib/strtol/

whose result is stored in the global at 0x804a62c, after which the *address* of that global (not the number) is passed to fun6. Look at how fun6 reads its argument — a value at offset 0 and a next pointer at offset 8 — and you will see that 0x804a62c is the first field of a list node, so your number becomes one of the nodes fun6 works on:

>> 0x08048e1a <phase_6+41>:        mov    %eax,0x804a62c
>> 0x08048e1f <phase_6+46>:        movl   $0x804a62c,(%esp)
>> 0x08048e26 <phase_6+53>:        call   0x8048b38 <fun6>



The pointer fun6 returns is the head of a linked list; phase_6 then follows its next field (offset 8) seven times — edx counts from 1 and the body runs once per increment until it reaches 8:

>> 0x08048e2b <phase_6+58>:        mov    $0x1,%edx
>> 0x08048e30 <phase_6+63>:        mov    0x8(%eax),%eax
>> 0x08048e33 <phase_6+66>:        add    $0x1,%edx
>> 0x08048e36 <phase_6+69>:        cmp    $0x8,%edx
>> 0x08048e39 <phase_6+72>:        jne    0x8048e30 <phase_6+63>

which lands on the eighth node of that list. The value field (offset 0) of that node must equal the number you typed, which is still sitting at 0x804a62c; otherwise the bomb explodes:

>> 0x08048e3b <phase_6+74>:        mov    (%eax),%eax
>> 0x08048e3d <phase_6+76>:        cmp    0x804a62c,%eax
>> 0x08048e43 <phase_6+82>:        je     0x8048e4a <phase_6+89>
>> 0x08048e45 <phase_6+84>:        call   0x80491b3 <explode_bomb>

That's in a nutshell what the phase_6 function does. Do you agree ? Is there anything you're not clear about ?

If the phase_6 function is sufficiently clear, we can move on to the fun6 function. Could I ask you to post your understanding of what happens in that function, and to explain what it is that you're unsure about ?
lecosAuthor Commented:
hi infinity,

the comments you made were helpful, I was able to defuse this bomb. I'll probably need your help later with the buffer bomb.

thanks
Infinity08Commented:
Glad to hear that :)