So I have been working through this binary bomb lab, and phase_5 is the only part I do not really understand. I have solved it, but there are a few lines that I hope someone can help me with.
```asm
0x08048db1 <+0>: push %ebp
0x08048db2 <+1>: mov %esp,%ebp
0x08048db4 <+3>: push %ebx
=> 0x08048db5 <+4>: sub $0x14,%esp
0x08048db8 <+7>: mov 0x8(%ebp),%ebx
0x08048dbb <+10>: mov %ebx,(%esp)
0x08048dbe <+13>: call 0x8049009 <string_length>
0x08048dc3 <+18>: cmp $0x6,%eax
0x08048dc6 <+21>: je 0x8048dcd <phase_5+28>
0x08048dc8 <+23>: call 0x8049231 <explode_bomb>
0x08048dcd <+28>: mov $0x0,%edx
0x08048dd2 <+33>: mov $0x0,%eax
0x08048dd7 <+38>: mov (%ebx,%eax,1),%cl
0x08048dda <+41>: and $0xf,%ecx
0x08048ddd <+44>: add 0x804a460(,%ecx,4),%edx
0x08048de4 <+51>: inc %eax
0x08048de5 <+52>: cmp $0x6,%eax
0x08048de8 <+55>: jne 0x8048dd7 <phase_5+38>
0x08048dea <+57>: cmp $0x36,%edx
0x08048ded <+60>: je 0x8048df4 <phase_5+67>
0x08048def <+62>: call 0x8049231 <explode_bomb>
0x08048df4 <+67>: add $0x14,%esp
0x08048df7 <+70>: pop %ebx
0x08048df8 <+71>: pop %ebp
0x08048df9 <+72>: ret
```
Here I'll explain how I came up with a solution. I realize I wrote a lot so if you wish to skip it I am having trouble understanding line <+44>.
It was pretty easy to see that the input was 6 characters, so I entered a random guess: "hither"
Moving to line 38, I see that %eax + %ebx is being moved into the %cl register, which as I understand it is the first 8 bytes of %ecx. I noticed that my string was stored in %ebx, so seeing as %eax is incremented from 0 to 5 while this line is being called, I assumed that it is storing the decimal value of the ASCII character at the %eax element of my string in %cl.
Moving to the next line that was correct. And-ing ecx with 0xf (0x1111) was putting a mask on and reducing %ecx down to the first 4 bytes, aka a number between 0 and 15.
Line 44 is where I got confused.
As I understand add, the line should set %edx += %ecx*4 + value_at(0x804a460). When I inspected the 0x804a460 address it contained the value 2. For the first iteration of my loop masking the character "h" left me with the decimal number 8. So I assumed that edx would be set to 34, yet after that line it was set to 4.
So this line is increasing %edx 6 times based on the masked value of my character. Seeing the cmp on line 57 between 0x36 and %edx, I knew that at the end I needed to end up with 54.
The i, which was masked to 9, increased my edx by 7. The t, h and r increased my edx by 12, 16, and 6 respectively.
So given 54/6 = 9, and given I have no idea what this add line is doing, I decided to run another string through and see if I could find a masked character that increased my %edx by 9.
I looked at an ascii table and decided to put in: kwsqfm which when masked equals (11)(7)(3)(1)(6)(13) in decimal. I then just went through each step of the loop and checked how much each decimal value was increasing %edx.
To my pleasant surprise, f ended up increasing %edx by +9. So I simply put in "ffffff" as my password and defused the phase.
I'm not entirely satisfied with how I found this answer because of the "brute force" method I used. Even though there were really only 15 masked values to check I would rather understand what exactly is going on here.
Line <+44> is undoubtedly what is causing me trouble. If anyone could help me understand that add statement I would be very grateful.
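Added example (not from the original post, and not the bomb's own code): the operand `0x804a460(,%ecx,4)` is a memory operand, not `%ecx*4 + value_at(0x804a460)`. The CPU computes the address `0x804a460 + %ecx*4` and adds the 4-byte value stored *there* to `%edx`, so the loop is a table lookup: `edx += table[c & 0xf]` for each of the six characters. The table below is a constructed stand-in: only the entries the post actually observed are filled in (index 0 holds 2, and the characters h, i, t, r and f gave 4, 7, 12, 6 and 9 for indices 8, 9, 4, 2 and 6); the remaining entries are placeholders that would have to be read out of the real binary with `x/16dw 0x804a460` in gdb.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base address of the 4-byte-element table from the listing (0x804a460);
   used only to show the effective-address arithmetic of the add operand. */
#define TABLE_BASE 0x804a460u

/* Constructed stand-in for the 16-entry table at 0x804a460. Entries the
   post observed are filled in; -1 marks a placeholder that must be read
   from the real binary (the table contents are an assumption here). */
static const int32_t table[16] = {
    2, -1, 6, -1, 12, -1, 9, -1, 4, 7, -1, -1, -1, -1, -1, -1
};

/* Effective address of the operand 0x804a460(,%ecx,4):
   displacement + index*scale, with no base register. */
uint32_t element_address(uint32_t ecx) {
    return TABLE_BASE + ecx * 4;
}

/* Emulates the loop at <+38>..<+55>. Returns the final %edx, or -1 if the
   string is too short or a placeholder table entry would be needed. */
int32_t phase5_sum(const char *s) {
    if (strlen(s) < 6) return -1;
    int32_t edx = 0;                               /* mov $0x0,%edx */
    for (int eax = 0; eax < 6; eax++) {            /* mov $0x0,%eax ... cmp $0x6,%eax */
        uint32_t ecx = (uint8_t)s[eax] & 0xf;      /* mov (%ebx,%eax,1),%cl ; and $0xf,%ecx */
        if (table[ecx] < 0) return -1;
        edx += table[ecx];                         /* add 0x804a460(,%ecx,4),%edx */
    }
    return edx;
}

/* Mirrors both checks: string_length == 6, then the sum == 0x36. */
int phase5_defused(const char *s) {
    return strlen(s) == 6 && phase5_sum(s) == 0x36;
}

int main(void) {
    printf("element 8 lives at 0x%x\n", element_address(8));
    printf("sum for \"ffffff\": %d\n", phase5_sum("ffffff"));
    printf("\"ffffff\" defuses: %d\n", phase5_defused("ffffff"));
    return 0;
}
```

With this model the first iteration for "hither" does exactly what was observed: 'h' is 0x68, masked to 8, and element 8 (at 0x804a480) holds 4, so %edx becomes 4 rather than 34. The "+9 per f" finding follows the same way: 'f' is 0x66, masked to 6, element 6 holds 9, and six of them give 54 = 0x36.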