Let's fire up the bomb inside of GDB and set a break point at
phase_2. We can run the program with our file of passwords and enter
an arbitrary test string when prompted for input. Similar to what we did
in phase one, let’s run
disas once we reach the
break-point to view the next instruction up for execution.
By the way, you can avoid tediously entering the password for each preceding phase by placing each password on a separate line in a file and invoking the bomb with the path to that file as a command line argument.
read_six_numbers is a dead giveaway. It's probably not too
much of a stretch to assume that this function...well...reads six
numbers! After reading six numbers, the function enters some type of
loop which starts by storing the first number we entered in the register
+32, then adds 5 to it at
+35 and compares that sum to the
value of the next number entered at
+38. The bomb explodes if these
two numbers are not equal. Otherwise, it jumps to the update section of
the loop at
+47 where it queues up the next element in our input list
and uses it to repeat the same tests.
This roughly translates to the following in C:
for(int i = 0; i < 6; ++i) if(input[i] + 5 != input[i + 1]) explode_bomb();
Let's test this out by entering the sequence: "5 10 15 20 25 30" as our input. Sure enough this solution works, and with that we're on to phase three!
Click here for Phase III