
So I am currently working through the Bomb Lab and am on the 5th phase. Every walkthrough I find online seems to be for a different bomb than mine, so I cannot figure out this cipher. I know the answer to the cipher is "devils", but there doesn't seem to be a consistent key for me to decipher with, and so I have no clue what to do. I am just starting to learn assembly, so this has been pretty difficult for me.

Here is the code for phase_5

Dump of assembler code for function phase_5:
# phase_5(const char *input)  -- AT&T syntax, SysV AMD64, as dumped by GDB.
# Flow as visible below: require string_length(input) == 6, map each input
# byte through a 16-entry static table (index = byte & 0xf), store the 6
# results into a stack buffer in REVERSE order, NUL-terminate it, and compare
# it with a static string via strings_not_equal; any mismatch -> explode_bomb.
# Register roles: rbx = input, rdi = read cursor, rax = write cursor,
# rsi = loop sentinel, rcx = table base, edx = scratch byte.
   0x0000555555557809 <+0>: endbr64                               # CET/IBT landing pad
   0x000055555555780d <+4>: push   %rbx                           # rbx is callee-saved
   0x000055555555780e <+5>: sub    $0x10,%rsp                     # 16-byte frame; rsp now 16-aligned for the calls below
   0x0000555555557812 <+9>: mov    %rdi,%rbx                      # rbx = input (1st arg; presumably the typed line)
   0x0000555555557815 <+12>: mov    %fs:0x28,%rax                 # load stack-protector canary
   0x000055555555781e <+21>: mov    %rax,0x8(%rsp)                # canary saved at [rsp+8], checked at <+115>
   0x0000555555557823 <+26>: xor    %eax,%eax                     # eax = 0 before the call
   0x0000555555557825 <+28>: callq  0x555555557b2e <string_length> # eax = string_length(input); rdi still = input
   0x000055555555782a <+33>: cmp    $0x6,%eax                     # length must be exactly 6
   0x000055555555782d <+36>: jne    0x55555555788d <phase_5+132>  # otherwise explode_bomb
   0x000055555555782f <+38>: mov    %rbx,%rdi                     # rdi = input (read cursor)
   0x0000555555557832 <+41>: lea    0x1(%rsp),%rax                # rax = rsp+1 (write cursor, counts DOWN)
   0x0000555555557837 <+46>: lea    -0x5(%rsp),%rsi               # rsi = rsp-5 (loop stops when rax reaches it -> 6 iterations)
   0x000055555555783c <+51>: lea    0x198d(%rip),%rcx        # 0x5555555591d0 <array.3483>   # rcx = lookup table (entries 0..15 are reachable)
   0x0000555555557843 <+58>: movzbl (%rdi),%edx                   # loop: edx = (unsigned char)*rdi
   0x0000555555557846 <+61>: and    $0xf,%edx                     # keep the low nibble only -> index 0..15
   0x0000555555557849 <+64>: movzbl (%rcx,%rdx,1),%edx            # edx = table[index]
   0x000055555555784d <+68>: mov    %dl,0x5(%rax)                 # store at [rax+5]: rsp+6 first, then rsp+5, ... rsp+1
   0x0000555555557850 <+71>: add    $0x1,%rdi                     # next input byte
   0x0000555555557854 <+75>: sub    $0x1,%rax                     # write cursor moves backwards, so output is reversed
   0x0000555555557858 <+79>: cmp    %rsi,%rax
   0x000055555555785b <+82>: jne    0x555555557843 <phase_5+58>   # loop while rax != rsp-5
   0x000055555555785d <+84>: movb   $0x0,0x7(%rsp)                # NUL terminator -> buffer [rsp+1 .. rsp+6] is a 6-char C string
   0x0000555555557862 <+89>: lea    0x1(%rsp),%rdi                # rdi = that buffer
   0x0000555555557867 <+94>: lea    0x1938(%rip),%rsi        # 0x5555555591a6   # rsi = expected static string
   0x000055555555786e <+101>: callq  0x555555557b4f <strings_not_equal> # eax = 0 iff buffer == expected
   0x0000555555557873 <+106>: test   %eax,%eax
   0x0000555555557875 <+108>: jne    0x555555557894 <phase_5+139> # mismatch -> explode_bomb
   0x0000555555557877 <+110>: mov    0x8(%rsp),%rax               # reload saved canary
   0x000055555555787c <+115>: xor    %fs:0x28,%rax                # compare with the live canary
   0x0000555555557885 <+124>: jne    0x55555555789b <phase_5+146> # buffer overwrite detected -> __stack_chk_fail
   0x0000555555557887 <+126>: add    $0x10,%rsp                   # epilogue
   0x000055555555788b <+130>: pop    %rbx
   0x000055555555788c <+131>: retq                                 # normal return
   0x000055555555788d <+132>: callq  0x555555557e99 <explode_bomb> # length != 6
   0x0000555555557892 <+137>: jmp    0x55555555782f <phase_5+38>  # only reached if explode_bomb returned (presumably it does not)
   0x0000555555557894 <+139>: callq  0x555555557e99 <explode_bomb> # string mismatch
   0x0000555555557899 <+144>: jmp    0x555555557877 <phase_5+110>
   0x000055555555789b <+146>: callq  0x555555557270 <__stack_chk_fail@plt> # canary check failed

Here is the code for strings_not_equal

Dump of assembler code for function strings_not_equal:
# int strings_not_equal(const char *s1, const char *s2)  -- AT&T syntax, SysV AMD64.
# Returns eax = 1 if the strings differ, 0 if they are identical.
# First compares lengths, then compares byte by byte until the NUL of s1.
# Register roles: rbx = s1, rbp = s2, r12d = strlen(s1), rax = index / result,
# dl = current byte of s1.
   0x0000555555557b4f <+0>: endbr64                               # CET/IBT landing pad
   0x0000555555557b53 <+4>: push   %r12                           # save callee-saved regs used across the calls
   0x0000555555557b55 <+6>: push   %rbp
   0x0000555555557b56 <+7>: push   %rbx                           # 3 pushes -> rsp 16-aligned at the calls below
   0x0000555555557b57 <+8>: mov    %rdi,%rbx                      # rbx = s1
   0x0000555555557b5a <+11>: mov    %rsi,%rbp                     # rbp = s2
   0x0000555555557b5d <+14>: callq  0x555555557b2e <string_length> # eax = string_length(s1)
   0x0000555555557b62 <+19>: mov    %eax,%r12d                    # r12d = len(s1)
   0x0000555555557b65 <+22>: mov    %rbp,%rdi
   0x0000555555557b68 <+25>: callq  0x555555557b2e <string_length> # eax = string_length(s2)
   0x0000555555557b6d <+30>: mov    %eax,%edx                     # edx = len(s2)
   0x0000555555557b6f <+32>: mov    $0x1,%eax                     # default result: not equal
   0x0000555555557b74 <+37>: cmp    %edx,%r12d
   0x0000555555557b77 <+40>: jne    0x555555557baa <strings_not_equal+91> # lengths differ -> return 1
   0x0000555555557b79 <+42>: movzbl (%rbx),%edx                   # dl = s1[0]
   0x0000555555557b7c <+45>: test   %dl,%dl
   0x0000555555557b7e <+47>: je     0x555555557b9e <strings_not_equal+79> # s1 empty (so s2 too) -> return 0
   0x0000555555557b80 <+49>: mov    $0x0,%eax                     # i = 0
   0x0000555555557b85 <+54>: cmp    %dl,0x0(%rbp,%rax,1)          # loop: s2[i] == s1[i] ?
   0x0000555555557b89 <+58>: jne    0x555555557ba5 <strings_not_equal+86> # mismatch -> return 1
   0x0000555555557b8b <+60>: add    $0x1,%rax                     # i++
   0x0000555555557b8f <+64>: movzbl (%rbx,%rax,1),%edx            # dl = s1[i]
   0x0000555555557b93 <+68>: test   %dl,%dl
   0x0000555555557b95 <+70>: jne    0x555555557b85 <strings_not_equal+54> # continue until NUL of s1
   0x0000555555557b97 <+72>: mov    $0x0,%eax                     # all bytes matched -> return 0
   0x0000555555557b9c <+77>: jmp    0x555555557baa <strings_not_equal+91>
   0x0000555555557b9e <+79>: mov    $0x0,%eax                     # empty strings -> return 0
   0x0000555555557ba3 <+84>: jmp    0x555555557baa <strings_not_equal+91>
   0x0000555555557ba5 <+86>: mov    $0x1,%eax                     # byte mismatch -> return 1
   0x0000555555557baa <+91>: pop    %rbx                          # restore callee-saved regs and return eax
   0x0000555555557bab <+92>: pop    %rbp
   0x0000555555557bac <+93>: pop    %r12
   0x0000555555557bae <+95>: retq

Any insight would be amazing. Thank you for your time.

Peter Cordes
  • Same as [Bomb lab phase 5 - 6 char string, movzbl load, and $0xf, %ecx, and index an array with that?](https://stackoverflow.com/q/29543031), but it's storing the sequence of lookup results instead of adding them. – Peter Cordes Oct 28 '20 at 07:22
    The substitution table is an array in static storage, `lea 0x198d(%rip),%rcx # 0x5555555591d0 `, and the required "key" is `lea 0x1938(%rip),%rsi # 0x5555555591a6`. Use GDB's `x` command to dump the memory at those places. – Peter Cordes Oct 28 '20 at 07:38
