Working on a binary bomb assignment where we are given an object file (no source code) and have to use gdb to determine what the stdin input should be for six functions, phase 1 to phase 6. I am currently on phase 4. The disassembly for phase_4 is below.
Dump of assembler code for function phase_4:
0x0000555555555499 <+0>: sub $0x18,%rsp
0x000055555555549d <+4>: mov %fs:0x28,%rax
0x00005555555554a6 <+13>: mov %rax,0x8(%rsp)
0x00005555555554ab <+18>: xor %eax,%eax
0x00005555555554ad <+20>: lea 0x4(%rsp),%rcx
0x00005555555554b2 <+25>: mov %rsp,%rdx
0x00005555555554b5 <+28>: lea 0x1999(%rip),%rsi # 0x555555556e55
0x00005555555554bc <+35>: callq 0x555555554f30 <__isoc99_sscanf@plt>
0x00005555555554c1 <+40>: cmp $0x2,%eax
0x00005555555554c4 <+43>: jne 0x5555555554cc <phase_4+51>
0x00005555555554c6 <+45>: cmpl $0xe,(%rsp)
0x00005555555554ca <+49>: jbe 0x5555555554d1 <phase_4+56>
0x00005555555554cc <+51>: callq 0x555555555b10 <explode_bomb>
0x00005555555554d1 <+56>: mov $0xe,%edx
0x00005555555554d6 <+61>: mov $0x0,%esi
0x00005555555554db <+66>: mov (%rsp),%edi
0x00005555555554de <+69>: callq 0x55555555545a <func4>
0x00005555555554e3 <+74>: cmp $0x3,%eax
0x00005555555554e6 <+77>: jne 0x5555555554ef <phase_4+86>
0x00005555555554e8 <+79>: cmpl $0x3,0x4(%rsp)
0x00005555555554ed <+84>: je 0x5555555554f4 <phase_4+91>
0x00005555555554ef <+86>: callq 0x555555555b10 <explode_bomb>
0x00005555555554f4 <+91>: mov 0x8(%rsp),%rax
0x00005555555554f9 <+96>: xor %fs:0x28,%rax
0x0000555555555502 <+105>: jne 0x555555555509 <phase_4+112>
0x0000555555555504 <+107>: add $0x18,%rsp
0x0000555555555508 <+111>: retq
0x0000555555555509 <+112>: callq 0x555555554e90 <__stack_chk_fail@plt>
Dump of assembler code for function func4:
0x000055555555545a <+0>: sub $0x8,%rsp
0x000055555555545e <+4>: mov %edx,%eax
=> 0x0000555555555460 <+6>: sub %esi,%eax
0x0000555555555462 <+8>: mov %eax,%ecx
0x0000555555555464 <+10>: shr $0x1f,%ecx
0x0000555555555467 <+13>: add %eax,%ecx
0x0000555555555469 <+15>: sar %ecx
0x000055555555546b <+17>: add %esi,%ecx
0x000055555555546d <+19>: cmp %edi,%ecx
0x000055555555546f <+21>: jg 0x55555555547f <func4+37>
0x0000555555555471 <+23>: mov $0x0,%eax
0x0000555555555476 <+28>: cmp %edi,%ecx
0x0000555555555478 <+30>: jl 0x55555555548b <func4+49>
0x000055555555547a <+32>: add $0x8,%rsp
0x000055555555547e <+36>: retq
0x000055555555547f <+37>: lea -0x1(%rcx),%edx
0x0000555555555482 <+40>: callq 0x55555555545a <func4>
0x0000555555555487 <+45>: add %eax,%eax
0x0000555555555489 <+47>: jmp 0x55555555547a <func4+32>
0x000055555555548b <+49>: lea 0x1(%rcx),%esi
0x000055555555548e <+52>: callq 0x55555555545a <func4>
0x0000555555555493 <+57>: lea 0x1(%rax,%rax,1),%eax
0x0000555555555497 <+61>: jmp 0x55555555547a <func4+32>
End of assembler dump.
I know that my input needs to be two integers, "%d %d", from lines <+28> to <+40>. My confusion is with the call to func4 on line <+69>. I thought that the function took 3 inputs: %edx = 14, %esi = 0, and %edi, which is the first of the two integers from the input. When I display the contents of the registers just before the function call they are
0x00005555555554de in phase_4 ()
1: $eax = 2
2: $edx = 14
3: $esi = 0
But when I display them again after stepping into func4, they have changed to this.
Single stepping until exit from function func4,
which has no line number information.
Breakpoint 2, 0x000055555555545a in func4 ()
1: $eax = 14
2: $edx = 6
3: $esi = 0
I know that the return value of func4 needs to be equal to 0x3, from line <+74>. I've tried to trace through func4 to work out what it does, but I can't see where the 6 comes from (my test inputs were 5 and 3). Can someone help me figure out what func4 does?