Binary Bomb phase 3 stuck

深忆病人 2020-12-20 02:54

I am honestly very confused on this due to my bomb phase 3 not looking like any of my classmates or the example given to me by my professor. Any help would be greatly apprec

1 answer
  • 2020-12-20 03:12

    The first comparison you have mentioned (the one at +39) is comparing %eax which holds the return value from sscanf. As such it's just testing how many arguments could be converted. This code requires 2, thus that code is doing if (sscanf() > 1) goto ok; explode_bomb();

    The comparison at +49 is checking the first number; it does if ((unsigned)x > 7) explode_bomb(); I hope that's obvious.

    Next, at +60, you have the single most important instruction in this piece of code: jmp *0x804a4c0(,%eax,4). That is a jump through a jump table. It will take you to different locations depending on the value in %eax, which at that point is holding your first input. We know the input is between 0 and 7 so you have 8 entries in that table. You should be able to examine them with x/8a 0x804a4c0. It's a fair guess that they are various addresses in the following code block and the flow rejoins at +163. This pattern is commonly used by compilers to implement a switch statement.

    Line +168 further restricts the first number to between 0 and 5, and line +174 compares the second number to the current value of %eax and explodes the bomb on mismatch. What this tells us is that the valid inputs form 6 pairs. We can pick an arbitrary first number, follow through the jump table, see what value will be placed in %eax, and input that as the second number.

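The control flow the answer walks through, written out as a C model (added here as an example; it is not the bomb's code and the switch constants are constructed placeholders standing in for whatever each jump-table target in your binary loads into %eax):

```c
#include <stdio.h>
/* Added model of the control flow the answer describes; not the bomb's own code.
 * Every constant in the switch is CONSTRUCTED: in a real bomb each is whatever the
 * corresponding jump-table target loads into %eax before the flow rejoins at +163. */
/* The switch the compiler lowered to jmp *0x804a4c0(,%eax,4): one case per slot. */
static int phase3_switch(unsigned first) {
    switch (first) {
    case 0: return 0x1a3;
    case 1: return 0x2f7;
    case 2: return 0x0c4;
    case 3: return 0x35e;
    case 4: return 0x081;
    case 5: return 0x219;
    case 6: return 0x14d;   /* reachable via the table, but rejected at +168 */
    case 7: return 0x3a0;   /* same */
    default: return -1;     /* unreachable once the caller bounds-checks */
    }
}

/* The checks in the order the answer lists them: sscanf count (+39), first <= 7
 * as unsigned (+49), jump table (+60), first <= 5 (+168), second == %eax (+174).
 * Returns 1 where the phase is defused, 0 where explode_bomb() would be reached. */
int phase3_check(const char *input) {
    int first, second;
    if (sscanf(input, "%d %d", &first, &second) <= 1) return 0;
    if ((unsigned)first > 7) return 0;
    int eax = phase3_switch((unsigned)first);
    if ((unsigned)first > 5) return 0;
    return second == eax;
}

/* Derives the six valid pairs as the answer suggests: for each first number
 * 0..5, follow the table and read off the second number it demands. */
int phase3_solutions(int pairs[6][2]) {
    int n = 0;
    for (unsigned first = 0; first <= 5; first++, n++) {
        pairs[n][0] = (int)first;
        pairs[n][1] = phase3_switch(first);
    }
    return n;
}
int main(void) {
    int pairs[6][2];
    char line[32];
    for (int i = 0, n = phase3_solutions(pairs); i < n; i++) {
        snprintf(line, sizeof line, "%d %d", pairs[i][0], pairs[i][1]);
        printf("%-8s -> %s\n", line, phase3_check(line) ? "defused" : "BOOM");
    }
    return 0;
}
```

Replace the eight constants with the values you read off after x/8a 0x804a4c0 and stepping into each target, and the loop prints your bomb's six pairs.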