I'm having a really hard time understanding what to do here. I thought one of the numbers I would be able to work with was going to be 85 but it seems I am wrong with this. I know I should only get 2 decimals out of it but I just cant seem to do it. Help would be very appreciated.

phase_4

Dump of assembler code for function phase_4:
0x08048cd1 <+0>:    push   %ebp
0x08048cd2 <+1>:    mov    %esp,%ebp
0x08048cd4 <+3>:    sub    $0x28,%esp
0x08048cd7 <+6>:    lea    -0xc(%ebp),%eax
0x08048cda <+9>:    mov    %eax,0xc(%esp)
0x08048cde <+13>:   lea    -0x10(%ebp),%eax
0x08048ce1 <+16>:   mov    %eax,0x8(%esp)
0x08048ce5 <+20>:   movl   $0x804a5d7,0x4(%esp)
0x08048ced <+28>:   mov    0x8(%ebp),%eax
0x08048cf0 <+31>:   mov    %eax,(%esp)
0x08048cf3 <+34>:   call   0x8048860 <__isoc99_sscanf@plt>
0x08048cf8 <+39>:   cmp    $0x2,%eax
0x08048cfb <+42>:   jne    0x8048d03 <phase_4+50>
0x08048cfd <+44>:   cmpl   $0xe,-0x10(%ebp)
0x08048d01 <+48>:   jbe    0x8048d08 <phase_4+55>
0x08048d03 <+50>:   call   0x80491d7 <explode_bomb>
0x08048d08 <+55>:   movl   $0xe,0x8(%esp)
0x08048d10 <+63>:   movl   $0x0,0x4(%esp)
0x08048d18 <+71>:   mov    -0x10(%ebp),%eax
0x08048d1b <+74>:   mov    %eax,(%esp)
0x08048d1e <+77>:   call   0x8048c80 <func4>
0x08048d23 <+82>:   test   %eax,%eax
0x08048d25 <+84>:   jne    0x8048d2d <phase_4+92>
0x08048d27 <+86>:   cmpl   $0x0,-0xc(%ebp)
0x08048d2b <+90>:   je     0x8048d32 <phase_4+97>
0x08048d2d <+92>:   call   0x80491d7 <explode_bomb>
0x08048d32 <+97>:   leave  
0x08048d33 <+98>:   ret   

function 4:

Dump of assembler code for function func4:
0x08048c80 <+0>:    push   %ebp
0x08048c81 <+1>:    mov    %esp,%ebp
0x08048c83 <+3>:    sub    $0x18,%esp
0x08048c86 <+6>:    mov    0x8(%ebp),%edx
0x08048c89 <+9>:    mov    0xc(%ebp),%eax
0x08048c8c <+12>:   mov    0x10(%ebp),%ecx
0x08048c8f <+15>:   sub    %eax,%ecx
0x08048c91 <+17>:   shr    %ecx
0x08048c93 <+19>:   add    %eax,%ecx
0x08048c95 <+21>:   cmp    %edx,%ecx
0x08048c97 <+23>:   jbe    0x8048cae <func4+46>
0x08048c99 <+25>:   dec    %ecx
0x08048c9a <+26>:   mov    %ecx,0x8(%esp)
0x08048c9e <+30>:   mov    %eax,0x4(%esp)
0x08048ca2 <+34>:   mov    %edx,(%esp)
0x08048ca5 <+37>:   call   0x8048c80 <func4>
0x08048caa <+42>:   add    %eax,%eax
0x08048cac <+44>:   jmp    0x8048ccf <func4+79>
0x08048cae <+46>:   mov    $0x0,%eax
0x08048cb3 <+51>:   cmp    %edx,%ecx
0x08048cb5 <+53>:   jae    0x8048ccf <func4+79>
0x08048cb7 <+55>:   mov    0x10(%ebp),%eax
0x08048cba <+58>:   mov    %eax,0x8(%esp)
0x08048cbe <+62>:   inc    %ecx
0x08048cbf <+63>:   mov    %ecx,0x4(%esp)
0x08048cc3 <+67>:   mov    %edx,(%esp)
0x08048cc6 <+70>:   call   0x8048c80 <func4>
0x08048ccb <+75>:   lea    0x1(%eax,%eax,1),%eax
0x08048ccf <+79>:   leave  
0x08048cd0 <+80>:   ret   

Obviously the second number has to be zero, since that's what the code checks at 0x08048d27.

The first number has to be chosen such that the return value of func4 is also zero (see 0x08048d23). If you look into func4 you can see that it is a binary search (explanation of a similar code here). When the item is found, it returns zero. Otherwise if it falls into the lower half, it returns 2*func4(). Finally if it is in the higher half, it returns 2*func4()+1.

Given that in this case the result has to be zero, that means the number has to be found while only traversing the lower ranges, since otherwise a +1 would creep into the result. Zero itself is a trivial solution since that will certainly be found at the bottom.

For sake of completeness, here is a walkthrough for the other possibilities. The first guess will be the midpoint in the range [0, 14], which is 7. For the next step, we know the number must be less than 7 to get range [0, 6] and that means midpoint 3. Similarly, the next range is [0, 2] with midpoint 1. Finally we arrive at [0, 0], the trivial result.

TL;DR: The possible inputs are 0 0, 1 0, 3 0 and 7 0.

Since there are versions of this with other expected results, here is some additional help: The return value actually spells out the low-high choices in binary, starting from the least significant bit. In the above example, we had all 0 bits, so all low choices. Suppose we have a result of 4 that is 100 in binary. Reading from the right, that means we need a lower, another lower and a final upper recursion. Following through the ranges, those map to [0, 6], [0, 2] and [2, 2]. So in this case 2 would be the solution.