This is the disassembly of phase_6:
08048dbf <phase_6>:
8048dbf: 55 push %ebp
8048dc0: 89 e5 mov %esp,%ebp
8048dc2: 83 ec 18 sub $0x18,%esp
8048dc5: c7 44 24 0c 00 00 00 movl $0x0,0xc(%esp)
8048dcc: 00
8048dcd: c7 44 24 08 0a 00 00 movl $0xa,0x8(%esp)
8048dd4: 00
8048dd5: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp)
8048ddc: 00
8048ddd: 8b 45 08 mov 0x8(%ebp),%eax
8048de0: 89 04 24 mov %eax,(%esp)
8048de3: e8 0c fa ff ff call 80487f4 <__strtol_internal@plt>
8048de8: a3 4c b5 04 08 mov %eax,0x804b54c
8048ded: c7 04 24 4c b5 04 08 movl $0x804b54c,(%esp)
8048df4: e8 76 ff ff ff call 8048d6f <fun6>
8048df9: ba 01 00 00 00 mov $0x1,%edx
8048dfe: 8b 40 08 mov 0x8(%eax),%eax
8048e01: 42 inc %edx //HERE
8048e02: 83 fa 06 cmp $0x6,%edx//HERE
8048e05: 7e f7 jle 8048dfe <phase_6+0x3f>
8048e07: 8b 00 mov (%eax),%eax
8048e09: 3b 05 4c b5 04 08 cmp 0x804b54c,%eax
8048e0f: 74 05 je 8048e16 <phase_6+0x57>
8048e11: e8 2d 06 00 00 call 8049443 <explode_bomb>
8048e16: c9 leave
8048e17: c3 ret
And the dissasembly of fun6:
08048d6f <fun6>:
8048d6f: 55 push %ebp
8048d70: 89 e5 mov %esp,%ebp
8048d72: 56 push %esi
8048d73: 53 push %ebx
8048d74: 8b 75 08 mov 0x8(%ebp),%esi
8048d77: 8b 5e 08 mov 0x8(%esi),%ebx
8048d7a: c7 46 08 00 00 00 00 movl $0x0,0x8(%esi)
8048d81: 85 db test %ebx,%ebx
8048d83: 74 34 je 8048db9 <fun6+0x4a>
8048d85: 89 f2 mov %esi,%edx
8048d87: 89 f1 mov %esi,%ecx
8048d89: 85 f6 test %esi,%esi
8048d8b: 74 15 je 8048da2 <fun6+0x33>
8048d8d: 8b 06 mov (%esi),%eax
8048d8f: 3b 03 cmp (%ebx),%eax
8048d91: 7e 0f jle 8048da2 <fun6+0x33>
8048d93: 89 d1 mov %edx,%ecx
8048d95: 8b 52 08 mov 0x8(%edx),%edx
8048d98: 85 d2 test %edx,%edx
8048d9a: 74 06 je 8048da2 <fun6+0x33>
8048d9c: 8b 02 mov (%edx),%eax
8048d9e: 3b 03 cmp (%ebx),%eax
8048da0: 7f f1 jg 8048d93 <fun6+0x24>
8048da2: 39 d1 cmp %edx,%ecx
8048da4: 74 05 je 8048dab <fun6+0x3c>
8048da6: 89 59 08 mov %ebx,0x8(%ecx)
8048da9: eb 02 jmp 8048dad <fun6+0x3e>
8048dab: 89 de mov %ebx,%esi
8048dad: 8b 4b 08 mov 0x8(%ebx),%ecx
8048db0: 89 53 08 mov %edx,0x8(%ebx)
8048db3: 89 cb mov %ecx,%ebx
8048db5: 85 c9 test %ecx,%ecx
8048db7: 75 cc jne 8048d85 <fun6+0x16>
8048db9: 89 f0 mov %esi,%eax
8048dbb: 5b pop %ebx
8048dbc: 5e pop %esi
8048dbd: 5d pop %ebp
8048dbe: c3 ret
I know that this phase is a linked list, but I am not sure how many inputs to use. The two places I indicated in phase_6 make me think that there needs to be 6 inputs, but there are 9 nodes that look like this:
0x804b510 <node5>: 0x000003e3 0x00000005 0x804b528 (995)
0x804b528 <node3>: 0x000003d2 0x00000003 0x0804b51c (978)
0x804b51c <node4>: 0x00000365 0x00000004 0x0804b504 (869)
0x804b504 <node6>: 0x000002ff 0x00000006 0x0804b4e0 (767)
0x804b4e0 <node9>: 0x00000280 0x00000009 0x0804b534 (640)
0x804b534 <node2>: 0x000001b6 0x00000002 0x0804b4f8 (438)
0x804b4f8 <node7>: 0x00000106 0x00000007 0x0804b540 (262)
0x804b540 <node1>: 0x000000c6 0x00000001 0x0804b4ec (198)
0x804b4ec <node8>: 0x00000052 0x00000008 0x0804b54c (82)
Where the numbers in the parenthesis are the conversions from hex to decimal of the numbers in the first column. What is peculiar to me is that these nodes appear to be in descending order. I have tried the input of 5 3 4 6 9 2 7 1 8 and it did not work (also did it reversed).
My question is how do I know how many inputs to expect? I believe it is 6, but why would there be 9 nodes?
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 爷、活的狠高调 的文章《Binary bomb- phase 6》','https://www.manongdao.com/article-511150.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}