From 951d697b3540edd43365d701dc9cc835259a0c1a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=80=9CAqua=E2=80=9D?= <2863896505@qq.com>
Date: Thu, 2 Nov 2023 23:28:47 +0800
Subject: [PATCH] bomblab
---
 README.MD | 971 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 bomb | Bin 0 -> 30912 bytes
 bomb.c | 115 +++++++
 password.txt | 7 +
 4 files changed, 1093 insertions(+)
 create mode 100644 README.MD
 create mode 100755 bomb
 create mode 100644 bomb.c
 create mode 100644 password.txt
diff --git a/README.MD b/README.MD
new file mode 100644
index 0000000..fe198aa
--- /dev/null
+++ b/README.MD
@@ -0,0 +1,971 @@ +# All +This is bomb 121. + +It belongs to 10225501432 (10225501432@stu.ecnu.edu.cn) + + +# phase_1 + +## 查看phase_1汇编 + +~~~python +=> 0x0000555555401204 <+0>: sub $0x8,%rsp + 0x0000555555401208 <+4>: lea 0x1801(%rip),%rsi # 0x555555402a10 + 0x000055555540120f <+11>: call 0x55555540172b + 0x0000555555401214 <+16>: test %eax,%eax + 0x0000555555401216 <+18>: jne 0x55555540121d + 0x0000555555401218 <+20>: add $0x8,%rsp + 0x000055555540121c <+24>: ret + 0x000055555540121d <+25>: call 0x5555554019e6 + 0x0000555555401222 <+30>: jmp 0x555555401218 +~~~ + +<+0>行进行了压栈操作 +<+4>行将内存地址0x555555402a10赋予了寄存器%rsi +<+11>行调用了函数,从名称来看,是用于判断字符串是否相等,这串字符串就是密码 + +进入函数查看,只看前几行 + +## 查看strings_not_equal汇编 + +~~~python +=> 0x000055555540172b <+0>: push %r12 + 0x000055555540172d <+2>: push %rbp + 0x000055555540172e <+3>: push %rbx + 0x000055555540172f <+4>: mov %rdi,%rbx + 0x0000555555401732 <+7>: mov %rsi,%rbp + 0x0000555555401735 <+10>: call 0x55555540170e +~~~ + +发现调用了函数,进入查看 + +## 查看string_length汇编 + +~~~python +=> 0x000055555540170e <+0>: cmpb $0x0,(%rdi) + 0x0000555555401711 <+3>: je 0x555555401725 + 0x0000555555401713 <+5>: mov %rdi,%rdx + 0x0000555555401716 <+8>: add $0x1,%rdx + 0x000055555540171a <+12>: mov %edx,%eax + 0x000055555540171c <+14>: sub %edi,%eax + 0x000055555540171e <+16>: cmpb $0x0,(%rdx) + 0x0000555555401721 <+19>: jne 0x555555401716 + 0x0000555555401723 <+21>: repz ret + 0x0000555555401725 <+23>: mov $0x0,%eax + 0x000055555540172a <+28>: ret +~~~ + +<0> <3>行用于判断是否是空地址,是的话返回0并退出 + +<5> 到 <19>行使用了循环的方式判断字符串有几位 +首先将%rdi地址赋予%rdx,并且进入循环 +随后进入循环,每次循环%rdx地址后后移一位 +每完成一次循环,%eax就加一 +跳出条件是 %rdx的地址指向的内存位置所储存的数据为0 + +故%rdi寄存器储存的是用户输入字符串的起始地址 + +## 继续查看strings_not_equal的后续部分 + +~~~python +=> 0x000055555540172b <+0>: push %r12 + 0x000055555540172d <+2>: push %rbp + 0x000055555540172e <+3>: push %rbx + 0x000055555540172f <+4>: mov %rdi,%rbx + 0x0000555555401732 <+7>: mov %rsi,%rbp + 0x0000555555401735 <+10>: call 0x55555540170e + 0x000055555540173a <+15>: mov 
%eax,%r12d + 0x000055555540173d <+18>: mov %rbp,%rdi + 0x0000555555401740 <+21>: call 0x55555540170e + 0x0000555555401745 <+26>: mov $0x1,%edx + 0x000055555540174a <+31>: cmp %eax,%r12d + 0x000055555540174d <+34>: je 0x555555401756 + 0x000055555540174f <+36>: mov %edx,%eax + 0x0000555555401751 <+38>: pop %rbx + 0x0000555555401752 <+39>: pop %rbp + 0x0000555555401753 <+40>: pop %r12 + 0x0000555555401755 <+42>: ret +~~~ + +这一段实现了检查输入字符串和密码字符串的长度是否相等 +可以锁定进入函数前的%rsi寄存器就是密码部分 + +## 结论 + +使用命令'x/s 0x555555402a10'直接查看 +发现密码为"I am not part of the problem. I am a Republican." + +# phase_2 + +## 查看phase_2汇编 + +首先查看部分汇编 + +~~~python +=> 0x0000555555401224 <+0>: push %rbp + 0x0000555555401225 <+1>: push %rbx + 0x0000555555401226 <+2>: sub $0x28,%rsp + 0x000055555540122a <+6>: mov %fs:0x28,%rax + 0x0000555555401233 <+15>: mov %rax,0x18(%rsp) + 0x0000555555401238 <+20>: xor %eax,%eax + 0x000055555540123a <+22>: mov %rsp,%rsi + 0x000055555540123d <+25>: call 0x555555401a22 +~~~ + +可以发现其中途调用了函数,其密码必然是六个数字 +进入函数查看 + +## 查看read_six_numbers汇编 + +~~~python +=> 0x0000555555401a22 <+0>: sub $0x8,%rsp + 0x0000555555401a26 <+4>: mov %rsi,%rdx + 0x0000555555401a29 <+7>: lea 0x4(%rsi),%rcx + 0x0000555555401a2d <+11>: lea 0x14(%rsi),%rax + 0x0000555555401a31 <+15>: push %rax + 0x0000555555401a32 <+16>: lea 0x10(%rsi),%rax + 0x0000555555401a36 <+20>: push %rax + 0x0000555555401a37 <+21>: lea 0xc(%rsi),%r9 + 0x0000555555401a3b <+25>: lea 0x8(%rsi),%r8 + 0x0000555555401a3f <+29>: lea 0x12a3(%rip),%rsi # 0x555555402ce9 + 0x0000555555401a46 <+36>: mov $0x0,%eax + 0x0000555555401a4b <+41>: call 0x555555400ee0 <__isoc99_sscanf@plt> + 0x0000555555401a50 <+46>: add $0x10,%rsp + 0x0000555555401a54 <+50>: cmp $0x5,%eax + 0x0000555555401a57 <+53>: jle 0x555555401a5e + 0x0000555555401a59 <+55>: add $0x8,%rsp + 0x0000555555401a5d <+59>: ret + 0x0000555555401a5e <+60>: call 0x5555554019e6 +~~~ + +显然其判断起始地址储存在%rsi的数组中的数据 +而由phase_2汇编可知,%rsi储存的地址由%rsp赋值而来 +则%rsp含有用户输入数组的储存地址 + +## 继续查看phase_2汇编 + +### 进入循环 
+ +~~~python + 0x0000555555401242 <+30>: cmpl $0x0,(%rsp) + 0x0000555555401246 <+34>: jne 0x55555540124f + 0x0000555555401248 <+36>: cmpl $0x1,0x4(%rsp) + 0x000055555540124d <+41>: je 0x555555401254 + 0x000055555540124f <+43>: call 0x5555554019e6 +~~~ + +判断数组第一位是否为0,不是则引爆炸弹 +判断数组第二位是否为1,是则跳转至<48>行 + +~~~python + 0x0000555555401254 <+48>: mov %rsp,%rbx + 0x0000555555401257 <+51>: lea 0x10(%rbx),%rbp + 0x000055555540125b <+55>: jmp 0x555555401266 + 0x000055555540125d <+57>: add $0x4,%rbx + 0x0000555555401261 <+61>: cmp %rbp,%rbx + 0x0000555555401264 <+64>: je 0x555555401277 + 0x0000555555401266 <+66>: mov 0x4(%rbx),%eax + 0x0000555555401269 <+69>: add (%rbx),%eax + 0x000055555540126b <+71>: cmp %eax,0x8(%rbx) + 0x000055555540126e <+74>: je 0x55555540125d + 0x0000555555401270 <+76>: call 0x5555554019e6 + 0x0000555555401275 <+81>: jmp 0x55555540125d +~~~ + +将%rsp的地址赋予%rbx,%rsp地址+16赋予%rbp +随后跳转至<66>行 +%eax储存%rbx+4地址所指向的值,并将其与%rbx所指向的值相加 +随后%eax与%rbx+8地址所指向的值比较 +相等则跳转至<57>行,%rbx的地址+4,如果%rsp+16与%rbx+4相等,则跳转至83行 + +从实际效果看,循环执行4次 +每次将三元组,前两位相加与最后一位比较 +相等则继续循环,不相等则爆炸 + +由上文可知,前两位分别为 0 1 + +~~~python +第一次循环: 0 + 1 = 1 +第二次循环: 1 + 1 = 2 +第三次循环: 1 + 2 = 3 +第四次循环: 2 + 3 = 5 +~~~ + +故整个六位数字应该为 0 1 1 2 3 5 + +### 跳出循环&返回数值 + +~~~python + 0x0000555555401277 <+83>: mov 0x18(%rsp),%rax + 0x000055555540127c <+88>: xor %fs:0x28,%rax + 0x0000555555401285 <+97>: jne 0x55555540128e + 0x0000555555401287 <+99>: add $0x28,%rsp + 0x000055555540128b <+103>: pop %rbx + 0x000055555540128c <+104>: pop %rbp + 0x000055555540128d <+105>: ret + 0x000055555540128e <+106>: call 0x555555400e40 <__stack_chk_fail@plt> +~~~ + +实际效果来看,跳转到<83>行后,循环跳出,函数收尾并正常返回 + +### 结论 + +故整个六位数字应该为 0 1 1 2 3 5 + +# phase_3 + +## 查看部分汇编 + +~~~python + 0x0000555555401293 <+0>: sub $0x18,%rsp + 0x0000555555401297 <+4>: mov %fs:0x28,%rax + 0x00005555554012a0 <+13>: mov %rax,0x8(%rsp) + 0x00005555554012a5 <+18>: xor %eax,%eax + 0x00005555554012a7 <+20>: lea 0x4(%rsp),%rcx + 0x00005555554012ac <+25>: mov %rsp,%rdx + 
0x00005555554012af <+28>: lea 0x1a3f(%rip),%rsi # 0x555555402cf5 + 0x00005555554012b6 <+35>: call 0x555555400ee0 <__isoc99_sscanf@plt> + 0x00005555554012bb <+40>: cmp $0x1,%eax + 0x00005555554012be <+43>: jle 0x5555554012dd + 0x00005555554012c0 <+45>: cmpl $0x7,(%rsp) + 0x00005555554012c4 <+49>: ja 0x555555401363 +~~~ + +可以看出phase_3调用了函数sscanf,其返回值为输入字符的个数 +输入命令 `x/s 0x555555402cf5`显示"%d %d",可知sscanf输入两个字符,其返回值为2 +<45><49>判断第一个数字是否小于0x7,故第一个数字应设置小于7 + +## 随意设置数字并带入 + +设置输入数据为5 32 +随后断点设置在phase_3,使用nexti单步调试 +查看汇编,并一路nexti + +~~~python + 0x00005555554012ca <+55>: mov (%rsp),%eax + 0x00005555554012cd <+58>: lea 0x17ac(%rip),%rdx # 0x555555402a80 + 0x00005555554012d4 <+65>: movslq (%rdx,%rax,4),%rax + 0x00005555554012d8 <+69>: add %rdx,%rax + 0x00005555554012db <+72>: jmp *%rax + 0x00005555554012dd <+74>: call 0x5555554019e6 +~~~ + +发现执行完`jmp *%rax`后,跳转至`0x000055555540134e` + +## 继续查看汇编 + +继续nexti + +~~~python + 0x00005555554012e2 <+79>: jmp 0x5555554012c0 + 0x00005555554012e4 <+81>: mov $0x2ca,%eax + 0x00005555554012e9 <+86>: jmp 0x5555554012f0 + 0x00005555554012eb <+88>: mov $0x0,%eax + 0x00005555554012f0 <+93>: sub $0xf2,%eax + 0x00005555554012f5 <+98>: add $0x14a,%eax + 0x00005555554012fa <+103>: sub $0x162,%eax + 0x00005555554012ff <+108>: add $0x162,%eax + 0x0000555555401304 <+113>: sub $0x162,%eax + 0x0000555555401309 <+118>: add $0x162,%eax + 0x000055555540130e <+123>: sub $0x162,%eax + 0x0000555555401313 <+128>: cmpl $0x5,(%rsp) + 0x0000555555401317 <+132>: jg 0x55555540131f + 0x0000555555401319 <+134>: cmp %eax,0x4(%rsp) + 0x000055555540131d <+138>: je 0x555555401324 + 0x000055555540131f <+140>: call 0x5555554019e6 + 0x0000555555401324 <+145>: mov 0x8(%rsp),%rax + 0x0000555555401329 <+150>: xor %fs:0x28,%rax + 0x0000555555401332 <+159>: jne 0x55555540136f + 0x0000555555401334 <+161>: add $0x18,%rsp + 0x0000555555401338 <+165>: ret + 0x0000555555401339 <+166>: mov $0x0,%eax + 0x000055555540133e <+171>: jmp 0x5555554012f5 + 0x0000555555401340 <+173>: mov 
$0x0,%eax + 0x0000555555401345 <+178>: jmp 0x5555554012fa + 0x0000555555401347 <+180>: mov $0x0,%eax + 0x000055555540134c <+185>: jmp 0x5555554012ff + 0x000055555540134e <+187>: mov $0x0,%eax + 0x0000555555401353 <+192>: jmp 0x555555401304 + 0x0000555555401355 <+194>: mov $0x0,%eax + 0x000055555540135a <+199>: jmp 0x555555401309 + 0x000055555540135c <+201>: mov $0x0,%eax + 0x0000555555401361 <+206>: jmp 0x55555540130e + 0x0000555555401363 <+208>: call 0x5555554019e6 + 0x0000555555401368 <+213>: mov $0x0,%eax + 0x000055555540136d <+218>: jmp 0x555555401313 + 0x000055555540136f <+220>: call 0x555555400e40 <__stack_chk_fail@plt> +~~~ + +发现其跳转至`0x0000555555401304` + +~~~python + 0x0000555555401313 <+128>: cmpl $0x5,(%rsp) + 0x0000555555401317 <+132>: jg 0x55555540131f +~~~ + + 判断第一个数字是否小于等于5,不是则引爆 + +~~~python + 0x0000555555401319 <+134>: cmp %eax,0x4(%rsp) + 0x000055555540131d <+138>: je 0x555555401324 + 0x000055555540131f <+140>: call 0x5555554019e6 +~~~ + +判断第二个数字是否和eax寄存器中数据相等 +此时查看寄存器eax中数值`p $eax`,返回数据为-354,故第二个数据为-354 + +## 结论 + +phase_3第一个数据要求小于等于5,第二个数据要求为-354 + +# phase_4 + +## 查看部分汇编代码 + +~~~python + 0x00005555554013ad <+0>: sub $0x18,%rsp + 0x00005555554013b1 <+4>: mov %fs:0x28,%rax + 0x00005555554013ba <+13>: mov %rax,0x8(%rsp) + 0x00005555554013bf <+18>: xor %eax,%eax + 0x00005555554013c1 <+20>: mov %rsp,%rcx + 0x00005555554013c4 <+23>: lea 0x4(%rsp),%rdx + 0x00005555554013c9 <+28>: lea 0x1925(%rip),%rsi # 0x555555402cf5 + 0x00005555554013d0 <+35>: call 0x555555400ee0 <__isoc99_sscanf@plt> + 0x00005555554013d5 <+40>: cmp $0x2,%eax + 0x00005555554013d8 <+43>: jne 0x5555554013e5 +~~~ + +可以看到`0x00005555554013c9 <+28>: lea 0x1925(%rip),%rsi # 0x555555402cf5` +输入`x/s 0x555555402cf5`,显示为`%d %d`,因此输入数据为两个整形 + +随意输入两个整数,例如`114 514` + +~~~python +p *(int*)$rsp +p *(int*)($rsp+4) + +$1 = 514 +$2 = 114 +~~~ + +所以rsp存储第二个数字的地址,rsp+4存储第一个数字的地址 + +## 继续查看部分汇编代码 + +~~~python + 0x00005555554013da <+45>: mov (%rsp),%eax + 0x00005555554013dd <+48>: sub $0x2,%eax + 
0x00005555554013e0 <+51>: cmp $0x2,%eax + 0x00005555554013e3 <+54>: jbe 0x5555554013ea + 0x00005555554013e5 <+56>: call 0x5555554019e6 + 0x00005555554013ea <+61>: mov (%rsp),%esi + 0x00005555554013ed <+64>: mov $0x9,%edi + 0x00005555554013f2 <+69>: call 0x555555401374 + 0x00005555554013f7 <+74>: cmp %eax,0x4(%rsp) + 0x00005555554013fb <+78>: je 0x555555401402 + 0x00005555554013fd <+80>: call 0x5555554019e6 + 0x0000555555401402 <+85>: mov 0x8(%rsp),%rax + 0x0000555555401407 <+90>: xor %fs:0x28,%rax + 0x0000555555401410 <+99>: jne 0x555555401417 + 0x0000555555401412 <+101>: add $0x18,%rsp + 0x0000555555401416 <+105>: ret + 0x0000555555401417 <+106>: call 0x555555400e40 <__stack_chk_fail@plt> +~~~ + +<+45> <+48> <+51> <+54> 要求输入的第二个数据小于等于4 + +不妨让输入数据变为`114 4`再次单步调试 +一路nexti,直至,<+69>执行完毕 + +显然<+74> <+78>判断第一个数据是否和函数 func4 返回值是否相同 +输入`p $eax`查看,显示为352 + +## 结论 + +因此,可行的一组数据为`352 4` + +# phase_5 + +## 查看部分汇编代码 + +~~~python + 0x000055555540141c <+0>: sub $0x18,%rsp + 0x0000555555401420 <+4>: mov %fs:0x28,%rax + 0x0000555555401429 <+13>: mov %rax,0x8(%rsp) + 0x000055555540142e <+18>: xor %eax,%eax + 0x0000555555401430 <+20>: lea 0x4(%rsp),%rcx + 0x0000555555401435 <+25>: mov %rsp,%rdx + 0x0000555555401438 <+28>: lea 0x18b6(%rip),%rsi # 0x555555402cf5 + 0x000055555540143f <+35>: call 0x555555400ee0 <__isoc99_sscanf@plt> + 0x0000555555401444 <+40>: cmp $0x1,%eax + 0x0000555555401447 <+43>: jle 0x5555554014a3 +~~~ + +<+28>行可以看到`0x555555402cf5` +输入`x/s 0x555555402cf5`显示`%d %d` +故输入两个十进制整数 + +## 进入循环 + +### 循环起点 + +~~~python + 0x0000555555401449 <+45>: mov (%rsp),%eax + 0x000055555540144c <+48>: and $0xf,%eax + 0x000055555540144f <+51>: mov %eax,(%rsp) + 0x0000555555401452 <+54>: cmp $0xf,%eax + 0x0000555555401455 <+57>: je 0x555555401489 + 0x0000555555401457 <+59>: mov $0x0,%ecx + 0x000055555540145c <+64>: mov $0x0,%edx + 0x0000555555401461 <+69>: lea 0x1638(%rip),%rsi # 0x555555402aa0 +~~~ + +发现有一个数组array.3415 +查看后发现数组为{10, 2, 14, 7, 8, 12, 15, 11, 0, 4, 1, 13, 3, 9, 6, 5} + 
+### 进入循环 + +~~~python + 0x0000555555401468 <+76>: add $0x1,%edx + 0x000055555540146b <+79>: cltq + 0x000055555540146d <+81>: mov (%rsi,%rax,4),%eax + 0x0000555555401470 <+84>: add %eax,%ecx + 0x0000555555401472 <+86>: cmp $0xf,%eax + 0x0000555555401475 <+89>: jne 0x555555401468 + 0x0000555555401477 <+91>: movl $0xf,(%rsp) + 0x000055555540147e <+98>: cmp $0xf,%edx +=> 0x0000555555401481 <+101>: jne 0x555555401489 + 0x0000555555401483 <+103>: cmp %ecx,0x4(%rsp) + 0x0000555555401487 <+107>: je 0x55555540148e +~~~ + +当寄存器%edx与%eax同时为0xf时,循环跳出 +因为%edx初始值为0,进入循环加1,则循环必定15次 +故可逆推最开始进入循环时%eax的值 +逆推得%eax为5 +此时输入%ecx计算得结果为115 + +### 退出循环 + +正常检查栈金丝雀值 + +~~~python + 0x0000555555401489 <+109>: call 0x5555554019e6 + 0x000055555540148e <+114>: mov 0x8(%rsp),%rax + 0x0000555555401493 <+119>: xor %fs:0x28,%rax + 0x000055555540149c <+128>: jne 0x5555554014aa + 0x000055555540149e <+130>: add $0x18,%rsp + 0x00005555554014a2 <+134>: ret + 0x00005555554014a3 <+135>: call 0x5555554019e6 + 0x00005555554014a8 <+140>: jmp 0x555555401449 + 0x00005555554014aa <+142>: call 0x555555400e40 <__stack_chk_fail@plt> +~~~ + +## 结论 + +密码为`5 115` + +# phase_6 + +## 读取数据 + +~~~python +=> 0x00005555554014af <+0>: push %r14 + 0x00005555554014b1 <+2>: push %r13 + 0x00005555554014b3 <+4>: push %r12 + 0x00005555554014b5 <+6>: push %rbp + 0x00005555554014b6 <+7>: push %rbx + 0x00005555554014b7 <+8>: sub $0x60,%rsp + 0x00005555554014bb <+12>: mov %fs:0x28,%rax + 0x00005555554014c4 <+21>: mov %rax,0x58(%rsp) + 0x00005555554014c9 <+26>: xor %eax,%eax + 0x00005555554014cb <+28>: mov %rsp,%r13 + 0x00005555554014ce <+31>: mov %r13,%rsi + 0x00005555554014d1 <+34>: call 0x555555401a22 + 0x00005555554014d6 <+39>: mov %r13,%r12 + 0x00005555554014d9 <+42>: mov $0x0,%r14d + 0x00005555554014df <+48>: jmp 0x555555401506 +~~~ + +这段开辟了一个栈空间并且设置了一个金丝雀值 +将%rsp赋予%r13,%rsi,%r12 +将0x0赋予%r14d +随后跳转到87行 + +## 第一个循环 + +~~~python + 0x00005555554014e1 <+50>: call 0x5555554019e6 + 0x00005555554014e6 <+55>: jmp 0x555555401515 + 
0x00005555554014e8 <+57>: add $0x1,%ebx + 0x00005555554014eb <+60>: cmp $0x5,%ebx + 0x00005555554014ee <+63>: jg 0x555555401502 + 0x00005555554014f0 <+65>: movslq %ebx,%rax + 0x00005555554014f3 <+68>: mov (%rsp,%rax,4),%eax + 0x00005555554014f6 <+71>: cmp %eax,0x0(%rbp) + 0x00005555554014f9 <+74>: jne 0x5555554014e8 + 0x00005555554014fb <+76>: call 0x5555554019e6 + 0x0000555555401500 <+81>: jmp 0x5555554014e8 + 0x0000555555401502 <+83>: add $0x4,%r13 + 0x0000555555401506 <+87>: mov %r13,%rbp + 0x0000555555401509 <+90>: mov 0x0(%r13),%eax + 0x000055555540150d <+94>: sub $0x1,%eax + 0x0000555555401510 <+97>: cmp $0x5,%eax + 0x0000555555401513 <+100>: ja 0x5555554014e1 + 0x0000555555401515 <+102>: add $0x1,%r14d + 0x0000555555401519 <+106>: cmp $0x6,%r14d + 0x000055555540151d <+110>: je 0x555555401524 + 0x000055555540151f <+112>: mov %r14d,%ebx + 0x0000555555401522 <+115>: jmp 0x5555554014f0 +~~~ + +分析可知,进入循环得初始处理是将%r13存储的%rsp地址赋给%rbp +随后比较(%rsp)即第一个数字,减去1后与0x5比较,如果小于等于5才不会引爆 +相当于每个输入的数据都必须小于等于6 +并且由于是ja,故数字还必须-1后大于等于0,故数字大于等于1 + +%r14d初始值为0x0,每完成一次循环都+1,等于6的时候跳出,则循环执行6次,恰好遍历六个数字 +%r14d未达到0x6时,会将当前值给%ebx,随后跳转到65行 +执行等价于%eax等于第n个数字的操作 + +随后%eax与%rbp指向的数字比较,不相等则%ebx+1,继续判断%eax与%rbp指向的数字,直到%ebx大于5 +随后%r13后移一位,继续进入最开始的循环 + +### 第一个循环结论 + +等效于数组各数字不能相等,并且都需要大于等于1,小于等于6 + +## 第二个与第三个循环 + +~~~python + 0x0000555555401524 <+117>: lea 0x18(%r12),%rcx + 0x0000555555401529 <+122>: mov $0x7,%edx + 0x000055555540152e <+127>: mov %edx,%eax + 0x0000555555401530 <+129>: sub (%r12),%eax + 0x0000555555401534 <+133>: mov %eax,(%r12) + 0x0000555555401538 <+137>: add $0x4,%r12 + 0x000055555540153c <+141>: cmp %r12,%rcx + 0x000055555540153f <+144>: jne 0x55555540152e + 0x0000555555401541 <+146>: mov $0x0,%esi + 0x0000555555401546 <+151>: jmp 0x555555401562 + 0x0000555555401548 <+153>: mov 0x8(%rdx),%rdx + 0x000055555540154c <+157>: add $0x1,%eax + 0x000055555540154f <+160>: cmp %ecx,%eax + 0x0000555555401551 <+162>: jne 0x555555401548 + 0x0000555555401553 <+164>: mov %rdx,0x20(%rsp,%rsi,8) 
+ 0x0000555555401558 <+169>: add $0x1,%rsi + 0x000055555540155c <+173>: cmp $0x6,%rsi + 0x0000555555401560 <+177>: je 0x555555401578 + 0x0000555555401562 <+179>: mov (%rsp,%rsi,4),%ecx + 0x0000555555401565 <+182>: mov $0x1,%eax + 0x000055555540156a <+187>: lea 0x202cbf(%rip),%rdx # 0x555555604230 + 0x0000555555401571 <+194>: cmp $0x1,%ecx + 0x0000555555401574 <+197>: jg 0x555555401548 + 0x0000555555401576 <+199>: jmp 0x555555401553 +~~~ + +跳出第一个循环后,进入第二个循环 +%rcx被赋予等价为%rsp+0x18的地址,这个地址并不存放数组的数据 +%edx被赋予0x7的值 +令%eax = 7,随后7-(%rsp) +%r12储存地址+4,等价%rsp+4 +比较%r12与%rcx的地址,不一致则跳转到127行,127行继续进行上述操作 +最终结果是%r12地址移动至%rsp+0x18,数组内每个数字都变为7-该数字,随后将%esi置0x0,跳转至179行 + +进入第三个循环 +%ecx被赋予(%rsp)的值 +%eax被置1 +%rdx被赋予一个节点地址 +并且判断%ecx的值是否大于1 + +如果是跳转到153行,(%rdx地址+0x8)赋给rdx,可以猜测,%rdx原先赋给的node1是个结构体,前八字节储存的是数据,后八字节储存的是地址 +输入`x/128x 0x555555604230`即可查看 +因此应该为一个链表,并且每次循环都向后移动一位 +随后%eax+1,使得%ecx和%eax比较 +循环,直至%ecx与%eax相等 + +如果不是大于1 +跳转到164行 +将节点地址赋给%rsp对应位置 + +最终效果为 +数字为7-n对应第n个节点 +节点地址在栈中存储顺序和数字输入顺序一致 + +完成后跳转到201行 + +## 第三个循环 + +~~~python + 0x0000555555401578 <+201>: mov 0x20(%rsp),%rbx + 0x000055555540157d <+206>: mov 0x28(%rsp),%rax + 0x0000555555401582 <+211>: mov %rax,0x8(%rbx) + 0x0000555555401586 <+215>: mov 0x30(%rsp),%rdx + 0x000055555540158b <+220>: mov %rdx,0x8(%rax) + 0x000055555540158f <+224>: mov 0x38(%rsp),%rax + 0x0000555555401594 <+229>: mov %rax,0x8(%rdx) + 0x0000555555401598 <+233>: mov 0x40(%rsp),%rdx + 0x000055555540159d <+238>: mov %rdx,0x8(%rax) + 0x00005555554015a1 <+242>: mov 0x48(%rsp),%rax + 0x00005555554015a6 <+247>: mov %rax,0x8(%rdx) + 0x00005555554015aa <+251>: movq $0x0,0x8(%rax) + 0x00005555554015b2 <+259>: mov $0x5,%ebp + 0x00005555554015b7 <+264>: jmp 0x5555554015c2 + 0x00005555554015b9 <+266>: mov 0x8(%rbx),%rbx + 0x00005555554015bd <+270>: sub $0x1,%ebp + 0x00005555554015c0 <+273>: je 0x5555554015d3 + 0x00005555554015c2 <+275>: mov 0x8(%rbx),%rax + 0x00005555554015c6 <+279>: mov (%rax),%eax + 0x00005555554015c8 <+281>: cmp %eax,(%rbx) + 0x00005555554015ca 
<+283>: jge 0x5555554015b9 + 0x00005555554015cc <+285>: call 0x5555554019e6 + 0x00005555554015d1 <+290>: jmp 0x5555554015b9 +~~~ + +显然%rbx存储第一个数字对应的节点地址 +%rax存储第二个数字对应的节点地址 +0x8(%rbx)取出第一个数字对应节点储存的下一个节点的地址,这个地址被%rax中的地址取代 +%rdx储存第三个数字对应的节点地址 +0x8(%rax)取出第二个数字对应节点储存的下一个节点的地址,这个地址被%rdx中的地址取代 +%rax被第四个数字对应的节点地址覆盖 +0x8(%rdx)取出第三个数字对应节点储存的下一个节点的地址,这个地址被%rax中的地址取代,即第四个数字对应的节点地址 +%rdx被第五个数字对应的节点地址覆盖 +0x8(%rax)取出第四个数字对应下一个节点的地址,这个地址被%rdx中的地址取代,即第五个数字对应的节点地址 +%rax被第六个数字对应节点的地址覆盖 +0x8(%rdx)取出第五个数字对应下一个节点的地址,这个地址被%rdx中的地址取代,即第六个数字对应的节点地址 +随后给%rax储存地址处赋予Null指针 + +综合结果即将原有链表顺序重新排列 +效果为输入顺序为i,数值为k的一组数据 +第7-k个节点被移动至第i位 + +然后置%ebp为5,跳转至275行 +%rbx储存第一个节点的地址,赋予%rax第二个节点的地址 +将第二个节点的数据赋给%eax +比较第二个节点的数据b和第一个节点的数据a +如果a>=b +则继续循环,跳转到266行,%rbx移动至下一个节点,同时%ebp-1,并且如果%ebp = 1时,就跳出循环到292行 +故进行了5次循环,每次效果都是判断相邻节点是否上一个的数据大于下一个 + +## 收尾 + +~~~python + 0x00005555554015d1 <+290>: jmp 0x5555554015b9 + 0x00005555554015d3 <+292>: mov 0x58(%rsp),%rax + 0x00005555554015d8 <+297>: xor %fs:0x28,%rax + 0x00005555554015e1 <+306>: jne 0x5555554015f0 + 0x00005555554015e3 <+308>: add $0x60,%rsp + 0x00005555554015e7 <+312>: pop %rbx + 0x00005555554015e8 <+313>: pop %rbp + 0x00005555554015e9 <+314>: pop %r12 + 0x00005555554015eb <+316>: pop %r13 + 0x00005555554015ed <+318>: pop %r14 + 0x00005555554015ef <+320>: ret + 0x00005555554015f0 <+321>: call 0x555555400e40 <__stack_chk_fail@plt> +~~~ + +简单的探测金丝雀值变化并返回 + +## 安排密码 +输入`x/128x 0x555555604230`查看各个节点 + +~~~python +0x555555604230 : 0x3b 0x03 0x00 0x00 0x01 0x00 0x00 0x00 +0x555555604238 : 0x40 0x42 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604240 : 0x1c 0x02 0x00 0x00 0x02 0x00 0x00 0x00 +0x555555604248 : 0x50 0x42 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604250 : 0x0f 0x02 0x00 0x00 0x03 0x00 0x00 0x00 +0x555555604258 : 0x60 0x42 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604260 : 0xea 0x00 0x00 0x00 0x04 0x00 0x00 0x00 +0x555555604268 : 0x70 0x42 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604270 : 0x83 0x00 0x00 0x00 0x05 0x00 0x00 0x00 +0x555555604278 : 0x10 0x41 0x60 
0x55 0x55 0x55 0x00 0x00 +0x555555604280 : 0x4f 0x2d 0x40 0x55 0x55 0x55 0x00 0x00 +0x555555604288 : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x555555604290 : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x555555604298 : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x5555556042a0 : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x5555556042a8 : 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +~~~ + +node1的数据是0x0000033b +node2的数据是0x0000021c +node3的数据是0x0000020f +node4的数据时0x000000ea +node5的数据是0x00000083 +注意到node6储存在node5的地址处,和这五个node不是连续储存 +输入`x/64x 0x555555604110` +node6的数据是0x000001e2 + +按照需要的,相邻数据成降序 +则是 node1 node2 node3 node6 node4 node5 +对应为 1 2 3 6 4 5 +但是是用7-n得到的 +所以实际顺序是 6 5 4 1 3 2 + +# secret_phase + +查询资料得其在phase_defused中被调用 + +## 查看phase_defused汇编 + +~~~python +=> 0x0000555555401ba7 <+0>: sub $0x78,%rsp + 0x0000555555401bab <+4>: mov %fs:0x28,%rax + 0x0000555555401bb4 <+13>: mov %rax,0x68(%rsp) + 0x0000555555401bb9 <+18>: xor %eax,%eax + 0x0000555555401bbb <+20>: mov $0x1,%edi + 0x0000555555401bc0 <+25>: call 0x5555554018c2 + 0x0000555555401bc5 <+30>: cmpl $0x6,0x202ae0(%rip) # 0x5555556046ac + 0x0000555555401bcc <+37>: je 0x555555401be7 + 0x0000555555401bce <+39>: mov 0x68(%rsp),%rax + 0x0000555555401bd3 <+44>: xor %fs:0x28,%rax + 0x0000555555401bdc <+53>: jne 0x555555401c66 + 0x0000555555401be2 <+59>: add $0x78,%rsp + 0x0000555555401be6 <+63>: ret + 0x0000555555401be7 <+64>: lea 0xc(%rsp),%rcx + 0x0000555555401bec <+69>: lea 0x8(%rsp),%rdx + 0x0000555555401bf1 <+74>: lea 0x10(%rsp),%r8 + 0x0000555555401bf6 <+79>: lea 0x1142(%rip),%rsi # 0x555555402d3f + 0x0000555555401bfd <+86>: lea 0x202bac(%rip),%rdi # 0x5555556047b0 + 0x0000555555401c04 <+93>: mov $0x0,%eax + 0x0000555555401c09 <+98>: call 0x555555400ee0 <__isoc99_sscanf@plt> + 0x0000555555401c0e <+103>: cmp $0x3,%eax + 0x0000555555401c11 <+106>: je 0x555555401c2d + 0x0000555555401c13 <+108>: lea 0xfe6(%rip),%rdi # 0x555555402c00 + 0x0000555555401c1a <+115>: call 0x555555400e20 + 0x0000555555401c1f <+120>: lea 
0x100a(%rip),%rdi # 0x555555402c30 + 0x0000555555401c26 <+127>: call 0x555555400e20 + 0x0000555555401c2b <+132>: jmp 0x555555401bce + 0x0000555555401c2d <+134>: lea 0x10(%rsp),%rdi + 0x0000555555401c32 <+139>: lea 0x110f(%rip),%rsi # 0x555555402d48 + 0x0000555555401c39 <+146>: call 0x55555540172b + 0x0000555555401c3e <+151>: test %eax,%eax + 0x0000555555401c40 <+153>: jne 0x555555401c13 + 0x0000555555401c42 <+155>: lea 0xf57(%rip),%rdi # 0x555555402ba0 + 0x0000555555401c49 <+162>: call 0x555555400e20 + 0x0000555555401c4e <+167>: lea 0xf73(%rip),%rdi # 0x555555402bc8 + 0x0000555555401c55 <+174>: call 0x555555400e20 + 0x0000555555401c5a <+179>: mov $0x0,%eax + 0x0000555555401c5f <+184>: call 0x555555401634 + 0x0000555555401c64 <+189>: jmp 0x555555401c13 + 0x0000555555401c66 <+191>: call 0x555555400e40 <__stack_chk_fail@plt> +~~~ + +直奔`secret_phase`,向上寻找跳转,发现只有当`test %eax %eax`设置`ZF=1`时才能执行到`secret_phase` +而%eax的值由`strings_not_equal`决定,从phase_1中可知,`strings_not_equal`使用的用来当“标准”的字符串储存在寄存器%rsi的地址指向的地方 +而上一步%rsi储存地址为`0x555555402d48` +输入`x/s 0x555555402d48`显示为`DrEvil` + +下一步是寻找触发条件 + +继续向上看,发现<+93> <+98> <+103> <+106>行出现 + +~~~python + 0x0000555555401c04 <+93>: mov $0x0,%eax + 0x0000555555401c09 <+98>: call 0x555555400ee0 <__isoc99_sscanf@plt> + 0x0000555555401c0e <+103>: cmp $0x3,%eax + 0x0000555555401c11 <+106>: je 0x555555401c2d +~~~ + +即判断sscanf函数接收的字符串是否为3个,是才能跳转到`strings_not_equal` + +继续向上看,能跳转到`__isoc99_sscanf@plt`部分,而非ret退出,需要一个jmp指令 + +~~~python + 0x0000555555401bc5 <+30>: cmpl $0x6,0x202ae0(%rip) # 0x5555556046ac +~~~ + +这段意思为完成六个phase,先决条件 +只能在`__isoc99_sscanf@plt`上面和`ret`下面寻找,即 + +~~~python + 0x0000555555401be7 <+64>: lea 0xc(%rsp),%rcx + 0x0000555555401bec <+69>: lea 0x8(%rsp),%rdx + 0x0000555555401bf1 <+74>: lea 0x10(%rsp),%r8 + 0x0000555555401bf6 <+79>: lea 0x1142(%rip),%rsi # 0x555555402d3f + 0x0000555555401bfd <+86>: lea 0x202bac(%rip),%rdi # 0x5555556047b0 +~~~ + +输入`x/s 0x555555402d3f`得`"%d %d %s"`,结合之前拆弹经历,这是表示sscanf字符串的输入顺序 +输入`x/s 0x5555556047b0`得`352 
4` + +显然为phase_4触发 + +故在phase_4输入时改为`352 4 DrEvil` + +## 正式拆弹 + +### 查看secret_phase汇编 + +~~~python +=> 0x0000555555401634 <+0>: push %rbx + 0x0000555555401635 <+1>: call 0x555555401a63 + 0x000055555540163a <+6>: mov $0xa,%edx + 0x000055555540163f <+11>: mov $0x0,%esi + 0x0000555555401644 <+16>: mov %rax,%rdi + 0x0000555555401647 <+19>: call 0x555555400ec0 + 0x000055555540164c <+24>: mov %rax,%rbx + 0x000055555540164f <+27>: lea -0x1(%rax),%eax + 0x0000555555401652 <+30>: cmp $0x3e8,%eax + 0x0000555555401657 <+35>: ja 0x555555401684 + 0x0000555555401659 <+37>: mov %ebx,%esi + 0x000055555540165b <+39>: lea 0x202aee(%rip),%rdi # 0x555555604150 + 0x0000555555401662 <+46>: call 0x5555554015f5 + 0x0000555555401667 <+51>: cmp $0x2,%eax + 0x000055555540166a <+54>: je 0x555555401671 + 0x000055555540166c <+56>: call 0x5555554019e6 + 0x0000555555401671 <+61>: lea 0x13d0(%rip),%rdi # 0x555555402a48 + 0x0000555555401678 <+68>: call 0x555555400e20 + 0x000055555540167d <+73>: call 0x555555401ba7 + 0x0000555555401682 <+78>: pop %rbx + 0x0000555555401683 <+79>: ret + 0x0000555555401684 <+80>: call 0x5555554019e6 + 0x0000555555401689 <+85>: jmp 0x555555401659 +~~~ + +strtol函数将字符串里的10进制整数提取出来 +其返回值为对应的整数 + +将返回值减1后于0x3e8比较,如果小于等于就不引爆炸弹 +随后令%esi也等于%ebx,即%rax最开始返回的整数 +然后给%rdi赋给一个地址,从注释名称来看也为一个节点 +随后进入`fun7`函数 + +查看`fun7`函数前先看看节点的结构 +输入`x/256x 0x555555604150` + +~~~python +0x555555604150 : 0x24 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x555555604158 : 0x70 0x41 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604160 : 0x90 0x41 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604168: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x555555604170 : 0x08 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x555555604178 : 0xf0 0x41 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604180 : 0xb0 0x41 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604188: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x555555604190 : 0x32 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x555555604198 : 0xd0 0x41 0x60 0x55 0x55 0x55 0x00 0x00 +0x5555556041a0 : 0x10 0x42 0x60 0x55 0x55 0x55 
0x00 0x00 +0x5555556041a8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x5555556041b0 : 0x16 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x5555556041b8 : 0xb0 0x40 0x60 0x55 0x55 0x55 0x00 0x00 +0x5555556041c0 : 0x70 0x40 0x60 0x55 0x55 0x55 0x00 0x00 +0x5555556041c8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x5555556041d0 : 0x2d 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x5555556041d8 : 0x10 0x40 0x60 0x55 0x55 0x55 0x00 0x00 +0x5555556041e0 : 0xd0 0x40 0x60 0x55 0x55 0x55 0x00 0x00 +0x5555556041e8: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x5555556041f0 : 0x06 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x5555556041f8 : 0x30 0x40 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604200 : 0x90 0x40 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604208: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x555555604210 : 0x6b 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +0x555555604218 : 0x50 0x40 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604220 : 0xf0 0x40 0x60 0x55 0x55 0x55 0x00 0x00 +0x555555604228: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 +~~~ + +显然这是一棵二叉树 +前8字节储存数据 +中8字节储存左子节点地址 +后8字节储存右子节点地址 + +则%rdi的地址实际上是二叉树的根的地址 + +## 查看fun7函数汇编 + +~~~python +=> 0x00005555554015f5 <+0>: test %rdi,%rdi + 0x00005555554015f8 <+3>: je 0x55555540162e + 0x00005555554015fa <+5>: sub $0x8,%rsp + 0x00005555554015fe <+9>: mov (%rdi),%edx + 0x0000555555401600 <+11>: cmp %esi,%edx + 0x0000555555401602 <+13>: jg 0x555555401612 + 0x0000555555401604 <+15>: mov $0x0,%eax + 0x0000555555401609 <+20>: cmp %esi,%edx + 0x000055555540160b <+22>: jne 0x55555540161f + 0x000055555540160d <+24>: add $0x8,%rsp + 0x0000555555401611 <+28>: ret + 0x0000555555401612 <+29>: mov 0x8(%rdi),%rdi + 0x0000555555401616 <+33>: call 0x5555554015f5 + 0x000055555540161b <+38>: add %eax,%eax + 0x000055555540161d <+40>: jmp 0x55555540160d + 0x000055555540161f <+42>: mov 0x10(%rdi),%rdi + 0x0000555555401623 <+46>: call 0x5555554015f5 + 0x0000555555401628 <+51>: lea 0x1(%rax,%rax,1),%eax + 0x000055555540162c <+55>: jmp 0x55555540160d + 0x000055555540162e <+57>: mov $0xffffffff,%eax + 
0x0000555555401633 <+62>: ret +~~~ + +<+0> <+3>行判断%rdi是否等于0,是的话就跳转至<+57>行,让%eax等于-1并返回,不是则继续 +<+5> 行压栈 +<+9> 行读取根节点数据,赋给%edx +<+11> <+13>行比较%esi和%edx,%esi即提取的整数,如果%edx大于%esi,则跳转至<+29>行 +看看<+29>行结果 +<+29> 行即读取左子节点数据并赋给%rdi自身 +<+33> 行调用自身`fun7`函数 +<+38> 行如果`fun7`函数执行完毕,令%eax*2 +随后jmp至<+24>行,弹出栈并返回%eax + +如果%edx小于等于%esi +<+15> 行令%eax为0 +<+20> 行比较%esi %edx是否相等,相等则让%rsp+8,弹出栈,并返回,不相等则跳转到<+42行> +顺着分支 +<+42> 行即读取右子节点数据并赋给%rdi自身 +<+46> 行调用自身`fun7`函数 +<+51> 行如果`fun7`函数执行完毕,令%eax = 2*%eax + 1 +随后jmp至<+24>行,弹出栈并返回%eax + +整体运行效果是提取出的整数%esi +大于该节点数据,则向左子节点找 +等于就弹出 +小于该节点数据,就向右子节点找 +并且如果节点数据有0立刻返回-1 + +## 回看secret_phase汇编 + +~~~python + 0x0000555555401662 <+46>: call 0x5555554015f5 + 0x0000555555401667 <+51>: cmp $0x2,%eax + 0x000055555540166a <+54>: je 0x555555401671 + 0x000055555540166c <+56>: call 0x5555554019e6 + 0x0000555555401671 <+61>: lea 0x13d0(%rip),%rdi # 0x555555402a48 + 0x0000555555401678 <+68>: call 0x555555400e20 + 0x000055555540167d <+73>: call 0x555555401ba7 + 0x0000555555401682 <+78>: pop %rbx + 0x0000555555401683 <+79>: ret + 0x0000555555401684 <+80>: call 0x5555554019e6 + 0x0000555555401689 <+85>: jmp 0x555555401659 +~~~ + +如果`fun7`最终返回数据为2就收尾并解除炸弹 +如果不是就引爆炸弹 + +## 逆推数据 + +### 什么样才能返回2 + +显然,改变%rax只有四种方式 + +1. 节点储存数据为0,返回-1 +2. 节点右子节点等于该输入数据,返回2*%eax+1 +3. 节点左子节点等于该输入数据,返回2*%eax +4. 当节点数据小于等于输入数据时,令%eax = 0 + +故组合一下,有 + +1. 最后一次搜索: 当节点数据小于等于输入数据时,令%eax = 0,此时恰好相等,返回,完成一次搜索 +2. 倒数第二次搜索: 最后一次搜索由右子节点搜索进入,返回的是%eax = 0,随后返回2*%eax+1 = 1 +3. 倒数第三次搜索: 倒数第二次搜索由左子节点搜索进入,返回的是%eax = 1,随后返回2*%eax = 2 +4. 进入左子节点搜索是因为父节点数据大于用户输入的数据 + +推测进入方式为 n1->n21->n32 +n32数据为0x16,转换成10进制为22 + +可以推测用户输入字段包括22即可 + +### 总结 + +输入22+string即可,如22nn 
diff --git a/bomb b/bomb new file mode 100755 index 0000000000000000000000000000000000000000..c7a60c798ec7620a4663c3a53c436474f97aca34 GIT binary patch literal 30912 zcmeHwd3;;Nwf|hnvSlTam5n$Ha1&&30Lx44B!-w+j_q87lemdP!V(l&mTfh*zGv=?e5Kf3 ze!t&;Kki4;ne&}9XJ*cvnLBsx=-%yhjrAr)Ve&Au%NTKc@^qwHMs&*nW7TXi%f;_` zY#z%7oP}?-h|Z*^glb8xLe30I=@y%GAd}7!a+1mt619l9vB?NH%6ei6 zXF*jSkaSnBj&F46RHmciQ94#7@G4ag2zo*kOj21tsvCWqMg1~qt*(VhO0sk`y%KGu z@KzUR&!BTeev-;`pF=ucPCeN_{FT*QE%F=BE)Hra9FmIcS#f8eWnp=7XKPVsAQ;

rMJecKOP+l$?jM|gxo;@{ zyREO0yoxXB;Pp~e)}uH~gw4g5j`?TbHm7Z^*HQUSzjPBl!ti?-;VA}Q27AWAJCUI( zg$#7&IP&Yp!AqcLtbDH>NB+5S@b|{Szd8E${#F!k1x)3IOR|fuTf$zz{8Tz%4y75953HdhpqpYp1GZyJ!k!aZ0y^VQ1 z-Qhqm+UD_fY-0Yc0mO&8{XyUX$X8Z+A`zcA*v5RJV9@W2vPhsk=hG#vcv`L!Qo%&l?Sdf-LO!wjyPlAzLI1#i9Va{9Rq4 z&3;}MkH;6?*6sJSP*Mh6{@`ZH0P2{x(;Mz0tRobOwrmS}yZn;lVP9t`;%AXgzrPz= zeOtYrwg5^UxZY1?HstK_ka?&Y;i#v}i^6XS2cmwqys@EXnWxOPAQf7a3N3Jzr^2J5 zGFJujG&Ha9pn(4NKqTr9H?LUM84CKFy)B)TZ+llLD01@XqGJl89Zh^>rC$@qS)IyX zIzLd@f>AdU%Qj#NB;ayPo)@MD0+VRuT?mk{8JxGUYQaZm25`pAVwVek8jm-#D+M2$ zMe!!K5j-98JS+WjkI3khI1fu)o`0>?Do-bI$**^(@wifB?!9PfS+Z+_ZaXQ2K+t)o^QbS8gQB`%444apDjVq0Rw)v0Y75E&oSUf z4fweRToG-HxM8RE$mhc4mEN9N#e=%hN?NgpLpu>LnWO5De>fjLn`O*C!Sny$ieyV z5l=2R#5n(L;>p#9PJ9ZW;A_M?h(FHxFB3nR_@kV^g?Mtcp#jccPdvHU&|c1mi6_?@ z+Qa$J6HhKRw2SjC#FHxx^>F@b;>m@Ex;ej^cygVgjhw%ncygJcrd0a2UEujq`bIGJ491cru%8yU{GozZ zG;hZXkWD@SS45?*g}IW&ry-E2+C|~>5KemGcUt^#@*|Sm4W~ow_bApvvCBm4Clq_V z9{V(9^x7wgEfBFQP>STWhS;YmHb=xZpeH3S(_^=i<{we)5d5F={Wis_dhDH~IYF_% z5V3jabx9Lq_n`pnnnBq7&*dr-THXg4nhT?7{a2v-PbCY$<({B!oSccWKS3QVxs>YL ze->g-$ylx``98AIMdpwQjUkB&g^D)=J-KfnX5phq@*w){@Vjf*K%%f!>(44Egjy|L z>&!15(BiKqk0ZW!iIc^0dT(%MDN#%EYe2O4U$w+0$8fIJJD8plgifAiKhAHVh^o_?Q<5QHIQ{$Sl$5%%Wb9s91{Ad9nZ%=sl&} zbT)F&$@|j3p;-M{PAxJ0$FQR2%eqBVj*c8pW>IE;+V^vqdDz0MUi1z`Ei`K_YQc|% zelkK(Y1y7#S?kO~eV!!uL1C?wC2xWbJ^cOT zFFzU?;o-iKn{whO;L|bF$w7DX+BNR@yYY_`+eearM!VJ|E>;s?{InJ}{xw)7dCdm* zwS#DeGc6N;QA;$#IEjh^j3UViuwd^gQ)~k4(VH|OxY?5Y1g+X%?tB7H$&xohp{U)< zz%yz`EuTM_bfTPNW;fap59dSKosgr3xSFy%o)^dOsk~^}BglyDryrDSF`TdWNk!Y; zpLMHp0P(T64`(@PNbdb8FP2@2riG=~pIMfPdRZ<*%q`e3;;%Hu-%K__dPV$o_v4iNa6yum3x|t(2bJEBE!(GPzQO*i9hG$~_D1qmoW+J; zZRmX}t1P|a9=l=yy6rZwr?a_4ij4YXH>qk-Ol~7@}1Ze zNLn$gIIwM-d)VIM*xgKLuWk_KwYjGOl|-^{A(%@VlT(JHQ9&Q zCxBwSB*lq}r*MYl!y7MbvVze5s>kUZl8dlD@@?m`Rd+)+xr{W>X+Bv=DCv%W1Vy){ zD|(&8_+U8&Vm(V)bPCDAUE@dRpX#}U#ZI2o`#SHWTKr=z{$BEbP$hT#pca2C`80z2 zseRp*2ctRhqr9W$J#5}F5WV0MxY>LRg7Ac=6djwmxQ<0%=Lv?N;T>f77dknpgO6!9 
zzrJ2&%;4QSoEiWc1S^i=6!!#8&XUi*PX>SO@oHk~Q45UP^R>hc&g$eaW{q`EYog2NXiFc=ULPWXG4o#{i#qv14%V<*@h-C82d;{=uL!@x%fFb$on8{dOGjn z4Q$8r(Q}fMNdqdXxyuC2^@-6`X!YD72CW@B2R1DS@Cy~UG9__$u zS(@^e)<69$Adfdu&HnTrRdbN$wiC(E`e1I<^l2@AjJy@v*1%v6Siv1Xm1Z+5u+oA4 zibF*zOVp2OyS2nLWbqP4N(*6{@}ze70MzN@u@?XRJO8Q0k7yrY20h@@su=8)_oZ7= zh`PRk#>AwXU@s)y4$_!cdju!B)mPT`TShLR!cY1F;Qf^3abD5*3%Z|9f~^`8JDd*0 z@G((~{}BehmnW+F8A!6;4!ykx9cZy7)M8Zb(H5&li&5=x_D@uNcXC?0l)yH6<6TKs zN<8YM0wf#W1WnF;P#`hI^n$uk0=^eb9k1^d>QZ=!JPHb6vnpnV=;@{S_q` z3N_y$Lz|QlGFF>>@LR2SNa_7>W!_hQgjyl2`JU!!v(TQ$F)cWZb~$+wB|mj2%gQkH z#w&h9d|ba8!o=zO#8z4!1BuQ?MbD<{zx9q@9#uD&gUX+%dYNpHbyC{kBZQ#9$Msom z0MRS6kY-MO19^SLRL4Zs1C;Dn(5NdLq-2Sz0YZNUwBJ&Nq=_aaKE0e&?bbF8z?Rc5 zCFb!9FT5}sjs<<%6W*x56&%W5Zqnj6n5@aAWVPPcw;H^=*4a@yppSW{X(m*490P4O zP4f|xa-O`t9k3UCYb%_m(K(U2x3w`*>vW*mYEUqg@5ib7JcB~^o-#*g0euxG=cGc` zNmSV|h$i2Adt_wzZW>-FZ5~zX4V?MW6MqYlbtL`_L=cWp_z=Rnm5$=1J^VoOIf{fI z=zSnD{S_$HdrE)ROq5+0{s~!+`cJYCq13rP{&7S6-G=z@+>i0Tl?XYs-j9?m6Nfh@ ztDv`caaODyGt9n$?JDnrTKvuaOOsziRGiSQe}K!a(&C$}!++5F*I4r&w$b>m#n)JI z!iNaX<%)Y}qjRL^LtAvB8$(!w@2SSh6XE;ahq9auOzQNh9Uh<&Lrf-7{Ykv!?%vZ% z?3v+XGWs{}b*a+d{QA~Cj5Wkh$7yEZ#E{wObTr0mooXXOxRAQjxfcSB{f|2Lff`zQ zhqD7f>A>My=Msj4pC`E0^i#k9Y6u71Spl=)Y}AOe(XURx&cJqj0a#-D*HCKE z%Zaujuu>=0CiKCkX+Tn*(%~k+?usDD;k~m)?-|@gU2F zynCLC%&py7hnDZcd}&Z=tUQ^wqYG87#mvc_sQ%rOip_thjSuu5f1x+&UNUp@Gwz;K zYIGx_jxX_Swt>sd>-!0G)#W`rfK&2SmJQ`TZ&RM|_j?H4q*FWmUl-l0;Eh-Bod{HwZf&tR3FqPRguHXOQ_#cUn%TT6TfP+rNo6_iXoKNQ+aJa4)`;rG04P8tx}orwa3X zJ_iPep{knoqi2y-h8v!56y54E&Lr%x6z4&r(n(mH!KvEN8%`@m*SFT5}eo$K#` zJg&eJRp(*}B)JKae1`D?U|Ji-utpc8>~I}?kLDG1C~O-Rc#M;a8?#b#i%Xz@<{+j^ zgM4Oz*;@RC{G8n$PFc{u5cfs4D=}g?2iSo1rvn}XOj!Vp!}LUy)ST;aw?}Y3K7XRF0m}rAp&D9m**Oc~-A=^3!^) z(?vCX{#Dr*&Ou+m`u-zW6M=h0FqcUmF<#Th`u#8s(%q9v_bS{r83nthF+SM$bZiDK z?^v*u5nIr9*u3hBL(5DoeuQ5@(iSnph5cJdloH|EhmX0NR^wuKH3S>5;vfGImnfHm zc|3S26{~7CN|!u`E;n(>I(+{wn&>vfe^0A&jfsN0rtw=3MMSZndAcF~e&hUCXyUIO zIBia@dWC%Fji_4syu4q~82_j-{(f!zE%(T@Kk=oK%0I{c2IaW4*O#m?DD4`(KXG!9 
znjHEdfgtX&npl_>L@rU~R4x?jYzPgelHkrg=Ntws^PE`6cY1%a(^it?HIgc+*@} zT@{oQtDt{t)a7!qb^cCYsEbb+ySAxqm`t_?A{}aHAR5IqvL)2j;!>{)#ncWjCVmUm z?hee7BI=evw1YYg7R)*Vz7A5_(iz&KZVSc25r1c!8tZnc8YS_n!GO=NwtBbCCW zKrK~U{cW*`zZFtQ=54{g7=AvaVyU5^e<>Hn&zcY^Mb#+Y%i~bp<}g(c^HhksxM+jw z?NWn~>c$oqHPptnb%#Tk40mCsN3mXYwZA*o(iy-;A3YILt_y9MOBK8TWff)ONh5yD z2xI42-^2L+8sF#e{S&@4rqJ+010b!y(tM7tQgD^YCg4j4 z=7{hE#%P=~<4ddDa9O@jRMZ=l3~u5UK%r5ZP&Y3fwF_?q)fWwS7Wpn#Te+Q4|6T|{)9usRkD()2eJ#ED3repK33q+V0H0a>!T)vH&nzC>*xKSMrzvJCrT zzAR?TB!mN|3adDw;i}&k#n}tZskZpxv9Nsr?$atPyNnzmaxoR1OxqTU1zU}V<&Ffy z)*w4ytdrL>GG-f+ zm1Nuf!*cVix8TgIVj>o3+s1vF$`YgPT)d-nQioY}g-gApXg&2rq}B+l4cBePj<(X$5?6VNt8_u7 ztE{XX_H7D>VBan^8tC%3s?iwh#fkyuMtAR2accNQN42N*NZHx=JS5Ch>xZa;%ltl=4!Nh9_BU zFlbqI1+%%=Hm_P;w`Of)vu6!10#`0a&Nha!lrdk#+uhBS+2%`W5A!_e>Ud#fgmxh0 zzc@0o3$ze)F=*LKBO~{L-uBm#kt3i#27MWH_RAw94h#yPfL;t*fz!%*(C>prK^Nh) zwhQz|oGFiiJ_>pYbSlP^d<+mF(2GIu0Idf7FVJStS(xzjfIb0wC+Gpty`Z0f9s|7` zQ#%@Lf|#=}2E8A&5p)=|8?+c#VYh*v1icURJX~i!3i<-*C!i`8$Z4m<6`(sno3S>w z5A+D=anQxM>MEpx3kO!<`Jr6Dnkicy%It|b)?G@DgK*lnl!VPL(na|1*z$}yh5RYp zRon~PF}tJQo_~4Xge}${wsh8|7cOwlBL$Sc7T+G|r7>0>l-ITR-g10o1!c8%N3)141iKsG0mOwU4ry;Sx$XJA=30BT$!oLc195Xj zq~{>MX0-W>BwK4&O?T^xNY8P6k07oRlr`HOw~?M(&2GEeo8{qpYV1^Q(lZg|d=9ca zPtxPp^-x?P;tJtMUq_hdaf=>Db+1L-cM(?)%4+P6+f6n0{Dis2uHKgAwin)NaobCJ zvuo|U6!XQXe+e+;4;jcJcQOZWo7<57JMc|@@@=p?*6=K@<>e!L{uuF(B7Pmhx;;%R z^-}12Eq{sllZYp~lRatu?KrSY;olb+uy=v21V$5jI>=5|`1v|u?F67)Mmza*gY%-2 zEy^MLHOT&eWS85ISDQBQVo-ifh?|Xm1i}yUqgF7vz%Ua`Z%Z{STax?RZIGJ-xs_+g znd+oqIpQ9ITn*%$sE2Nc<@P;2iYa2huSap)_afLxz;!n1CAxiHM>-e!^b*n!`=~_G zKd%JlrZBKZdw!i=-C%b#=$57WIw2E*47D@Km~I@6qjBKhF%FOqBCbdIq8>-KxE68C zFb0(9aSqD28<+>!qlAs?E2bT`F?^&0NoZVo9_iiWv`GII^0nK^*AiJZ_QKo9*KW;r z+ZXrdEVu7HU^0Iv+h$)35KadngVUKOD)xN`Obzyd1EyO05&AiLz+~d7^!_j>3;AKK zn2#5A)PH^O)ga9#O1=Knf^kZ^dp;HMNdON)jgd2pc84nf!iDWM8wAf-ETTb zP7T<}X0`Z!19Hb9=SSF3N3@HmqegYqsE#Y_)#0(K$M+up33}+B6czEa<1-6sKhtc%(=?8b zSvq0ze@$})FXP|)RKG0QEhaO#?Bj<+T=xmWj)-`Db%3!4MFHs=gASU{(t+J|dMS5CWqeJF@j?Sj!aQ}i|cA>aD 
zDb}VrZxxEL#x3J{O6(`#{F5SMTnckumP@Gre@Cj+F?GE!8akU68gZN@==p*!6trH@ zD+O&6bhDth3VMg2_X_&3poawgouID@`o5sqc_M#7&lhx|p!I@YDQKIZn+3g9P+iME z|11ArSNIQ-$bK@Om~XrYfuHve;-&wMCno)Oy!hhrA_P7pJIFY4FQJ0650XgKA82SQ z+ZtM@E%TOr-oMtZt>u^P6{Ter6_q6mN=nPwHiIsw2zR?x9@-@+XYeEY(+Pp^&4@1( zf=2}||7R#*hON~6*jue~+AXM#VlTT0I0Sw)BVN|6MBuwJ;x~!(O#(lW5q~M{r$9#j zPjC*#1sWRU{{!>Dkcs900{@0EF5j5^KVUDyH0C+nDt;N0|NG<2XFs1=;4=&Se`SH? z%a&cD7OriH1*0)_k*mU0QnVn(xzd|T7rRQz=j$lD7-rGuAo>t`Kdmz1;EU3FFzxp> zh|$17l9KgTe1jg`=J9^}l&7Spda=Sm`q_2&>an{r%4vU0BBU^cDInoX9s zL9((e*kytQmMw@g(U~jjwg3gokX2TKf);DG^>$FRlKm`_i)xs##CGD6`(+fE8Ig_sgs zEq*NuXBOM;C&t8?YMYzHvN)sJo+7;#&NSIBCnlRS>um=}%&Kevw$VmYSc^^Zf$6YO z1uPSl7Lab+S`u?`CTjZ)#Y|DULAKf+Cgv=q9;CoH$+E!7_ z9Az7rowjEwra<{3$SxaYZ7EW21+&{m3(po8XZF}O5mU^W`)pxiN;tFEMrtf&3Y`M? z**1{s1-xtnwjPS9P_}~{WTqb=Dm&-f5SwrZNqyV;4#N4CJ(OuK-BGgKO+l7RcMB}v zqncZD>F$Z;-WI?PmTe`eY%A%QNG74ICz1OQS^$QlUy3>7%XN&k${`=C?7iFez zzE!6GfYMiHraxV%XDG^lMP~YI4$1U1D9v1#nSOS9{(;Q&-fT>vc>R}C`dDWAWP189 zWu|Yhm+3>4{_C0PFHBGWgou~de9EGJnf_ap{`Vr@Z{_W$l+IF`bIpg+jqsunk{8g* zWk;owK~nP3m`eVdQZoCfXytC?@)nZvOb*KUInv3#i0C;cq3l*-Y=ZeJG13?ABt|ug z6$<7*C`L9p7rV?TRxg;Jl9+5+E_SU^tW_|Nk(g{iE_S_9>=wZsAu-ubTx_>dY>!}` zC9xj}hQww|v;GClX-w|Xf0V^+X4Vwl0}0k4bnl(O_`O0?TML5ba`d-z*1`CuHfn-% znR?k>Oa9L{GTGSNE_4SUz7rXR)Z)8}{)K%_Hl|*D*MJ;Pybcih=33`{)5I8k zZCUerfY3L0;=Jzwp|8y{?*}0CwPnwH0EE7_oO%BZLSLJ8-eVy2wdI~iLp6OTw3(PP zSt+njonW@lwog{3aG_;dVm~a{5F)I;4xP>JTC`NrEB$abM zBVwJZnC%lLP+A3S?xd8W#gMiM*3vMQ*a zMNlV{^W4uF%^lr`hDUWFRN+Z6E=Dy9+Vx@wVflIK5O#;80T|HO_uxGyR)Akc`Pe=Q zzY4;1xvdn(BH`jd(AODj^%vt=d!B{m;=z0E!B}xi08h^1B6vJial6lVrpO|hT9^B~ zs*34BT0)@^WQ=cN^r1M6_D6-vTpd&}gt03NVYnhsrNbyjAfyND8yf2n!U>Ox zigch(EwMH(ROTtg)^3reBUSIds%~_(PCiZDZox|JD#^Da^a9K7WVkC3$Kfw)nsuIDY-U30| z84DuzKH_O=*!suyba}&@{9)dPPyof$uAXi@8jf@PZyDSK)U-iV61AtAa}%Ujj8aFi zr&X^#J+5t&C~+C{bYWv33dmbJ5cKfp#=&a*d2dK3jEERRw!D6bBu%14sC4qlblstd z(czE>uSfi;L*pp$Z);Hh!3Ano`qqqZPB z<3CuNg;SIYS|;cMLCXcL5Og6oUJIVZ7wgtr0ZM%ItWI@VX{mm}trm4fV?lpayC1C? 
z@PYM)eH~T$b3WCg_V(5mwP;nTTGYlL>Q{t4!cjc%FBC4qo>tl#$sdnLRn&ch*I4hj z7;{BHVQXd3L_-~pEOt^^`(4RR7bpZ}a8a6|2itXT#Z zrl2)4D9b~-n#U+zvn-v=RAFl}Gg~hJPfC5$W)Zw`6#9k;{`)BOQxSY*6gnz`zaNF( z6v6jKArVTEOGRk8pxNvlnggD3$aq-=$n}mT=NBozASmP>8cVKM#D8T}?xnHh?iTS6 zjLKOsQ#s>!LLk2o6#32^OYYAierQy#W-K|`ctygsY%F#4@?DWMMWn+ujmpZ4lrv;g ziN+3K7iH@C$3_WyhGR2MsF{ZuXVK`GcoviQ6OC!iSP_!<5!3N(Chs?<<2g*;hfBw; zOy0js$8+^3c^N^3&CJH+{X}Dw89Vmnebsb)B0Dbbzop}o*e+TW%Q(#VH-LOTwK2+! ze+9_8>b|cr){Nb=@_uhRj=QsC+;24F zE{?oEn=X%;X|-yEc-V})tv&T);qqcSJ&8FrzGmXH(*ePm`L5M7qs;o%;u#TUChz*D zN11U6nR!qz$zpGhWa6|IV?sL~&1hfDlsV2fy&4kD6}Y@_FQXPApuj%&3Hyj%$!O(K z8KYgggdVvMKN>XmzXDg_&kxZOW5zL7dEVwSQ_t{cIsq!Q+aSZACvbzG zX}5DYerEro|3)ig`2TX?Q(%X^qMyoPZk@oRbajPerB2wj92bm%bPM_a5Uzeu#N7mZ zGIl$haH|{<>ewyg=-C5Ym*nE9pGUc#(f%k;Cv~{MQE4|tb$TjVUZLkN4+#IP#u^PB zN1;co(ddBqrT;fjIgh$kj>vK*$C3Yt%b)pt=Sj$SEd45Q2lQu-Cl~N?&S2fu>G@tH z@S_=cvA}m_;0pwPA_M=NLghJgd|m|kvC6rI>&a(77Iwo$BR~9H-p=Ms)A_Fpyi4GV zgu%e_qgUXS0+&;u+XcRkFNk6LxoF5c1pakVs27Evy96#5)>MJtEAZDu|Ghxqw6~r7 zd9XkS`2K1H2RJT-4CL8y@K=G8Kgj#*ViA(#3G@tr&^4Ma;iOx{jbmxg?6sk88$}?c>&pfp70;H zke>{k%F`|MOaGiMc682(BKKv+Zb)M-M4R=b*cmN%}daW{Ha)z`17YxXp|Yp`w#LFDZ7_#!c0 zYZloQ=oT-nsIHc8lc0A*q_6e{7tq=uR{acb$Viv}d+(Ic*HP2uu~>)KdZc5)1z0%5 z3p>(Lqz(krA-=Mg4te~o-l&%a%ggayh;JFb)Zl!TF!kz>(L|7ob-~8;Tn7FB@{!bP zWyV6Zhd(xpVPQ773HHOvxcK+8NFbLxOR<8@|5Wbb*5m8h9=*NwSAmS?PA2AW|44^| zScP7|SK!m}Gv5D^9?f52k`9Ugs_P5sq?Q_xOr*csL%bg)Jx$t+O46f91D1e|Z$23n zpf` z{z1=g19(~@5n(<3AMawR*>G25G$XP}upHTyFTl6da91T*j-i3q2sbQ3Q4juf@5PI1 z=(!r6a{b=HsG8BPi1*_7@W2FLhZsRTxV?ba++Ydc(-mnK>C23-mr2(`@61U@Xz20; zS}{iQSLUQgdOUb7Oll}Hyai`ej5j;IN=A;xX)lr?k3k>AZ#g4#;g&)qg2$M&>hHT5 zRYO%IG29$Tdj(Fq1ivd432gP~4^4@{S*W{Z+%Ph}i)S?b0&&Y?6rnuR-mo(oMYYo3 zKs1VxICDj|b-^(~;oF>c$Pn();JF9Ph353T+%*kFcV`F=_zCwIe5DQK9q?@QWw0Pxp4mM!Z{I`za`cVNpG+nCtJbd zzFkO$y)7+a|7OYYQBp|3N+~$xGt3SCZ-TVUqTq|mPJS#F0ZGL)U&QLNDF%V_@Xf(j zrkCs9lB$R^9&+9&u~Gz#>E-&kq)sU)XlD9a;CR3m?StZnTt}C*MBtdt@k7p=1k2Z> zu-73~e!1Q*sfOz&IxwB$c9QAkJnl;1BqH;d>++I5NX9iB87#XFarB=Wnf^&K1`bK< 
zb(ZhBr=XORbQ3W8kB;Q!I=`eFDG`p$^6MyL*CRkSmFYV~1tpdL8_Kkwtp5&?zD6jN z_YEYK|68K;bcva1zuSS4O{jcy$omVDis`W)iQmljj{`HNm-itgrCp!KL(cCdrQ3DJ z^zwd%q_VtHhvX&wPDXlpeJ$yfj3s`Vuhe%>MtXVwL(*I+C}?K=e<;$+_LJ)$lG5`@ zjE8Du5PlF}s=rJx@25yA-%}}*W#<1xMtXVQMN+!{G#=7!5~Fo;x@RD|S?d0be4k~e zyyPW)4r%EYgiJ5*@Ej=Ld7A~L`HOBO*b-8LiMUTu_C{P8JFMvyNRYv@1tNWBJ6gfc$tb_nbD2mlqEjSDCl(xU$&RVB zXV{ALWQcIdjaTUjj#B5sF&E!O_)2ri@tek%j3NSoKXh=yZqD!@S#CX+);7jY|6ov; LXvj#A!Lt7iM%+|) literal 0 HcmV?d00001 diff --git a/bomb.c b/bomb.c new file mode 100644 index 0000000..5a39ab4 --- /dev/null +++ b/bomb.c 
@@ -0,0 +1,115 @@
+/***************************************************************************
+ * Dr. Evil's Insidious Bomb, Version 1.1
+ * Copyright 2011, Dr. Evil Incorporated. All rights reserved.
+ *
+ * LICENSE:
+ *
+ * Dr. Evil Incorporated (the PERPETRATOR) hereby grants you (the
+ * VICTIM) explicit permission to use this bomb (the BOMB). This is a
+ * time limited license, which expires on the death of the VICTIM.
+ * The PERPETRATOR takes no responsibility for damage, frustration,
+ * insanity, bug-eyes, carpal-tunnel syndrome, loss of sleep, or other
+ * harm to the VICTIM. Unless the PERPETRATOR wants to take credit,
+ * that is. The VICTIM may not distribute this bomb source code to
+ * any enemies of the PERPETRATOR. No VICTIM may debug,
+ * reverse-engineer, run "strings" on, decompile, decrypt, or use any
+ * other technique to gain knowledge of and defuse the BOMB. BOMB
+ * proof clothing may not be worn when handling this program. The
+ * PERPETRATOR will not apologize for the PERPETRATOR's poor sense of
+ * humor. This license is null and void where the BOMB is prohibited
+ * by law.
+ ***************************************************************************/
+
+#include
+#include
+#include "support.h"
+#include "phases.h"
+
+/*
+ * Note to self: Remember to erase this file so my victims will have no
+ * idea what is going on, and so they will all blow up in a
+ * spectaculary fiendish explosion. -- Dr. Evil
+ */
+
+FILE *infile;
+
+int main(int argc, char *argv[])
+{
+ char *input;
+
+ /* Note to self: remember to port this bomb to Windows and put a
+ * fantastic GUI on it. */
+
+ /* When run with no arguments, the bomb reads its input lines
+ * from standard input. */
+ if (argc == 1) {
+ infile = stdin;
+ }
+
+ /* When run with one argument , the bomb reads from
+ * until EOF, and then switches to standard input. Thus, as you
+ * defuse each phase, you can add its defusing string to and
+ * avoid having to retype it. */
+ else if (argc == 2) {
+ if (!(infile = fopen(argv[1], "r"))) {
+ printf("%s: Error: Couldn't open %s\n", argv[0], argv[1]);
+ exit(8);
+ }
+ }
+
+ /* You can't call the bomb with more than 1 command line argument. */
+ else {
+ printf("Usage: %s []\n", argv[0]);
+ exit(8);
+ }
+
+ /* Do all sorts of secret stuff that makes the bomb harder to defuse. */
+ initialize_bomb();
+
+ printf("Welcome to my fiendish little bomb. You have 6 phases with\n");
+ printf("which to blow yourself up. Have a nice day!\n");
+
+ /* Hmm... Six phases must be more secure than one phase! */
+ input = read_line(); /* Get input */
+ phase_1(input); /* Run the phase */
+ phase_defused(); /* Drat! They figured it out!
+ * Let me know how they did it. */
+ printf("Phase 1 defused. How about the next one?\n");
+
+ /* The second phase is harder. No one will ever figure out
+ * how to defuse this... */
+ input = read_line();
+ phase_2(input);
+ phase_defused();
+ printf("That's number 2. Keep going!\n");
+
+ /* I guess this is too easy so far. Some more complex code will
+ * confuse people. */
+ input = read_line();
+ phase_3(input);
+ phase_defused();
+ printf("Halfway there!\n");
+
+ /* Oh yeah? Well, how good is your math? Try on this saucy problem! */
+ input = read_line();
+ phase_4(input);
+ phase_defused();
+ printf("So you got that one. Try this one.\n");
+
+ /* Round and 'round in memory we go, where we stop, the bomb blows! */
+ input = read_line();
+ phase_5(input);
+ phase_defused();
+ printf("Good work! On to the next...\n");
+
+ /* This phase will never be used, since no one will get past the
+ * earlier ones. But just in case, make this one extra hard. */
+ input = read_line();
+ phase_6(input);
+ phase_defused();
+
+ /* Wow, they got it! But isn't something... missing? Perhaps
+ * something they overlooked? Mua ha ha ha ha! */
+
+ return 0;
+}
diff --git a/password.txt b/password.txt
new file mode 100644
index 0000000..a0d15c8
--- /dev/null
+++ b/password.txt
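Review bot: Both failure paths in `main` (the `fopen` failure in the `argc == 2` branch and the usage message in the final `else`) report through `printf`, so the diagnostics land on stdout mixed with the program's normal output, and the open failure does not say why it failed. Writing them to stderr needs nothing new, since the file already uses `FILE` and `stdin`: `fprintf(stderr, "%s: Error: Couldn't open %s\n", argv[0], argv[1]);`, with the usage line changed the same way. Adding `perror(argv[1]);` before `exit(8)` would surface the errno reason, and the bare `8` would read better as a named constant. No `fclose(infile)` appears in `main` before `return 0`; that is harmless at process exit, but a short comment next to `FILE *infile;` saying who reads the stream and who owns it would help, since the hunk shows only the assignment.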
@@ -0,0 +1,7 @@
+I am not part of the problem. I am a Republican.
+0 1 1 2 3 5
+5 -354info
+352 4 DrEvil
+5 115
+6 5 4 1 3 2
+22nn