jmpq and lea, and how does rdi register work in bi


Question:

I have annotated what I think each instruction does next to it, and put a (?) next to the ones I am unsure of / not certain actually do that. There are probably many more I am unsure of than I have marked, but they are mostly the same kinds of instruction.

# phase_3(k, a, b) as called from bomb.c. SysV AMD64 passes the first three integer
# arguments in %rdi, %rsi, %rdx, so on entry: rdi = k (sscanf's return value),
# rsi = a (first number), rdx = b (second number). The function returns a status in %rax.
# Every case computes a value into %rdi and then joins the common check at <+256>.
0x0000000000401251 <+0>:     sub    $0x8,%rsp                              # 8-byte frame; keeps rsp 16-aligned at the callq's below
0x0000000000401255 <+4>:     cmp    $0x1,%rdi                              # rdi = k, the number of values sscanf parsed
0x0000000000401259 <+8>:     jg     0x40126c <phase_3+27>                  # signed compare: continue only if k > 1, i.e. both numbers were read
0x000000000040125b <+10>:    callq  0x401c01 <bomb_ignition>               # fewer than two inputs -> bomb
0x0000000000401260 <+15>:    mov    $0xffffffffffffffff,%rax               # status = -1
0x0000000000401267 <+22>:    jmpq   0x40136c <phase_3+283>                 # -> epilogue
0x000000000040126c <+27>:    lea    0x16(%rdi),%rax                        # rax = rdi + 22 = k + 22. lea is pure address arithmetic, nothing is loaded from memory. "%d %d" yields k <= 2, so here rax = 24
0x0000000000401270 <+31>:    sub    $0x4b,%rsi                             # rsi = a - 75
0x0000000000401274 <+35>:    cmp    $0x2b,%rsi                             # compare (a - 75) with 43
0x0000000000401278 <+39>:    ja     0x40133a <phase_3+233> bomb_ignition   # UNSIGNED compare: bombs if a - 75 > 43 or a < 75 (a negative difference wraps to a huge unsigned value), so a must be in 75..118
0x000000000040127e <+45>:    jmpq   *0x4027b0(,%rsi,8)                     # switch(a): indirect jump through a table of 8-byte code pointers at 0x4027b0, index = a - 75 (44 entries, 0..43)
0x0000000000401285 <+52>:    mov    %rdi,%rax                              # case: rax = rdi (rdi still holds k at this point)
0x0000000000401288 <+55>:    neg    %rax                                   # rax = -rax (two's-complement negate, i.e. ~rax + 1, not a plain bit flip)
0x000000000040128b <+58>:    sub    $0x7,%rax                              # rax -= 7
0x000000000040128f <+62>:    lea    0x14(%rax,%rax,2),%rdi                 # rdi = 3*rax + 20
0x0000000000401294 <+67>:    jmpq   0x401351 <phase_3+256>                 # -> common check
0x0000000000401299 <+72>:    sar    %rax                                   # case: rax >>= 1 arithmetic (shift count 1 is implicit): signed /2, rounding toward -inf
0x000000000040129c <+75>:    mov    %rax,%rdi                              # rdi = rax
0x000000000040129f <+78>:    jmpq   0x401351 <phase_3+256                  # -> common check
0x00000000004012a4 <+83>:    lea    0x0(,%rax,8),%rdi                      # case: rdi = rax * 8 (index scaled by 8, no base register, displacement 0) -- not rax + 8
0x00000000004012ac <+91>:    jmpq   0x401351 <phase_3+256>                 # -> common check
0x00000000004012b1 <+96>:    sar    $0x2,%rax                              # case: rax >>= 2 arithmetic: signed /4, rounding toward -inf
0x00000000004012b5 <+100>:   mov    %rax,%rdi                              # rdi = rax
0x00000000004012b8 <+103>:   jmpq   0x401351 <phase_3+256>                 # -> common check
0x00000000004012bd <+108>:   callq  0x401c01 <bomb_ignition>               # case: always bombs
0x00000000004012c2 <+113>:   mov    $0xfffffffffffffffe,%rax               # status = -2
0x00000000004012c9 <+120>:   jmpq   0x40136c <phase_3+283>                 # -> epilogue. This and the next case are separate switch targets; they never run back to back
0x00000000004012ce <+125>:   callq  0x401c01 <bomb_ignition>               # case: always bombs
0x00000000004012d3 <+130>:   mov    $0xfffffffffffffffd,%rax               # status = -3
0x00000000004012da <+137>:   jmpq   0x40136c <phase_3+283>                 # -> epilogue
0x00000000004012df <+142>:   lea    (%rax,%rax,1),%rdi                     # case: rdi = rax * 2
0x00000000004012e3 <+146>:   jmp    0x401351 <phase_3+256>                 # -> common check
0x00000000004012e5 <+148>:   lea    0x0(,%rax,4),%rdi                      # case: rdi = rax * 4
0x00000000004012ed <+156>:   jmp    0x401351 <phase_3+256>                 # -> common check
0x00000000004012ef <+158>:   lea    (%rax,%rax,8),%rdi                     # case: rdi = rax * 9
0x00000000004012f3 <+162>:   jmp    0x401351 <phase_3+256>                 # -> common check
0x00000000004012f5 <+164>:   lea    0xb(,%rax,4),%rax                      # case: rax = 4*rax + 11
0x00000000004012fd <+172>:   sub    $0xb,%rax                              # rax -= 11 (net effect of these two lines: rax *= 4)
0x0000000000401301 <+176>:   add    $0x15,%rax                             # rax += 21. The x/8a dump shows <phase_3+176> as a table entry, so this is also a case entry point of its own
0x0000000000401305 <+180>:   lea    0x14(%rax,%rax,4),%rdi                 # rdi = 5*rax + 20 (the 0x14 displacement is part of the result)
0x000000000040130a <+185>:   jmp    0x401351 <phase_3+256>                 # -> common check
0x000000000040130c <+187>:   lea    0xb(%rax,%rax,1),%rdi                  # case: rdi = 2*rax + 11
0x0000000000401311 <+192>:   jmp    0x401351 <phase_3+256>                 # -> common check
0x0000000000401313 <+194>:   lea    0x13(,%rax,8),%rdi                     # case: rdi = 8*rax + 19
0x000000000040131b <+202>:   jmp    0x401351 <phase_3+256>                 # -> common check
0x000000000040131d <+204>:   lea    (%rax,%rax,4),%rdi                     # case: rdi = 5*rax
0x0000000000401321 <+208>:   jmp    0x401351 <phase_3+256>                 # -> common check
0x0000000000401323 <+210>:   add    $0x24,%rdi                             # case: rdi += 36 (rdi still holds k when this is entered from the table)
0x0000000000401327 <+214>:   jmp    0x401351 <phase_3+256>                 # -> common check
0x0000000000401329 <+216>:   mov    $0x11,%edi                             # case: edi = 17; a 32-bit write zero-extends, so rdi = 17
0x000000000040132e <+221>:   sub    %rax,%rdi                              # rdi = 17 - rax
0x0000000000401331 <+224>:   jmp    0x401351 <phase_3+256>                 # -> common check
0x0000000000401333 <+226>:   lea    0x15(%rax,%rax,8),%rdi                 # case: rdi = 9*rax + 21
0x0000000000401338 <+231>:   jmp    0x401351 <phase_3+256>                 # -> common check
0x000000000040133a <+233>:   callq  0x401c01 <bomb_ignition>               # out-of-range target of the ja at <+39>: bomb
0x000000000040133f <+238>:   mov    $0xffffffffffffffff,%rax               # status = -1
0x0000000000401346 <+245>:   jmp    0x40136c <phase_3+283>                 # -> epilogue
0x0000000000401348 <+247>:   lea    (%rax,%rax,2),%rax                     # case: rax = 3*rax
0x000000000040134c <+251>:   lea    0x8(%rax,%rax,4),%rdi                  # rdi = 5*rax + 8 (= 15*original rax + 8); falls through into the common check
0x0000000000401351 <+256>:   cmp    $0x78,%rdi                             # common check: ZF = (computed value in rdi == 120)
0x0000000000401355 <+260>:   sete   %al                                    # al = 1 if rdi == 120, else 0
0x0000000000401358 <+263>:   movzbl %al,%eax                               # rax = that 0/1; this is the status returned on the non-bomb path
0x000000000040135b <+266>:   cmp    %rdx,%rdi                              # rdx = b, the second number
0x000000000040135e <+269>:   je     0x40136c <phase_3+283>                 # only the bomb is conditioned on computed == b; status is conditioned on computed == 120
0x0000000000401360 <+271>:   callq  0x401c01 <bomb_ignition>               # computed != b -> bomb
0x0000000000401365 <+276>:   mov    $0xffffffffffffffff,%rax               # status = -1
0x000000000040136c <+283>:   add    $0x8,%rsp                              # epilogue: release the frame
0x0000000000401370 <+287>:   retq                                          # return status in rax

What I think it does is take 2 inputs. rax then becomes the item at the 22nd index of rdi. This is where I am already uncertain, as I thought rdi was the number of inputs; I am also not sure that is how lea works. Then it does some math on rsi and, if the result is greater than 43, blows up. So rsi should be 118 (75 + 43). Although could it be any number smaller than 118, seeing as subtracting 75 makes it smaller than 43? Anyway, it then does a jmpq, which is again where I am uncertain. This is a lookup table, correct? So I put it into gdb and got the following:

(gdb) x/8a 0x4027b0
0x4027b0: 0x4012bd <phase_3+108>  0x401299 <phase_3+72>
0x4027c0: 0x40133a <phase_3+233>  0x40130c <phase_3+187>
0x4027d0: 0x4012df <phase_3+142>  0x401333 <phase_3+226>
0x4027e0: 0x401301 <phase_3+176>  0x4012df <phase_3+142>

So the 8th one is <phase_3+142>. (Note that the 8th entry is index 7, i.e. rsi == 7 after the subtraction, which corresponds to an input of 82; an input of 118 would use index 43, which `x/8a` does not show.) So does this just jump to that position and skip everything in between? I am hoping and assuming so, as there are a lot of calculations that happen if it doesn't. Have I looked at the correct thing in gdb? If so, then it goes to <+142>, which changes rdi to rax*2. Is that what lea does — have I correctly assumed what that instruction is doing? Then it immediately jumps to <+256>, which compares rdi to 120. And then rdx should also be the same.

So working backwards, rdx = rdi = 120. Then rdi = rax*2, so rax = 60. But rax = rdi[22], again assuming that is what lea is doing. But if rdi is the number of inputs, how can it have 22 characters? And if it is not the number of inputs, how can the 22nd character be a 2-digit number?

Based on the previous phase (you can see my history if you like), I think that %rdi contains the number of inputs. I could be wrong though. Here is the actual call in bomb.c:

/* k = number of successful conversions: 0, 1 or 2 for this format string */
k = sscanf(input, "%d %d", &a, &b);
/* SysV AMD64: k -> %rdi, a -> %rsi, b -> %rdx; the return value arrives in %rax */
status = phase_3(k, a, b);
phase_defused(status);

So based on that, I assume a and b are the inputs and are passed in the registers %rsi and %rdx respectively. I tried `118 120`, but it blew up.