Tags: c, assembly, binary-bomb

Binary Bomb Stage 2 Arithmetic


I have been trying to figure out the values for this stage for days but I just can't seem to get it.

What I know is that there are 3 input values required: %rsi, %rdx, %rcx. The values for %rdx and %rcx have to be equal.

Much help is greatly appreciated.

Dump of assembler code for function phase_2:
=> 0x00000000004011dd <+0>:     sub    $0x8,%rsp
   0x00000000004011e1 <+4>:     cmp    $0x3,%rdi                      // %rdi = 3
   0x00000000004011e5 <+8>:     jne    0x401207 <phase_2+42>
   0x00000000004011e7 <+10>:    not    %rsi
   0x00000000004011ea <+13>:    or     %rsi,%rcx
   0x00000000004011ed <+16>:    xor    $0xfffffffffffffff2,%rcx       // -14, %rcx 
   0x00000000004011f1 <+20>:    add    $0x51,%rcx                     // 81, %rcx
   0x00000000004011f5 <+24>:    cmp    $0xfffffffffffffe53,%rcx       // -429, $rcx
   0x00000000004011fc <+31>:    sete   %al
   0x00000000004011ff <+34>:    movzbl %al,%eax
   0x0000000000401202 <+37>:    cmp    %rdx,%rcx                      // %rdx = %rcx 
   0x0000000000401205 <+40>:    je     0x401213 <phase_2+54>
   0x0000000000401207 <+42>:    callq  0x401af5 <bomb_blast>
   0x000000000040120c <+47>:    mov    $0xffffffffffffffff,%rax
   0x0000000000401213 <+54>:    add    $0x8,%rsp
   0x0000000000401217 <+58>:    retq

Solution

  • The equivalent C code is:

    #include <stdint.h>

    /* Parameters named after the registers they arrive in. */
    int64_t phase_2(int64_t rdi, int64_t rsi, int64_t rcx, int64_t rdx)
    {
        if (rdi != 3)                       /* cmp $0x3,%rdi ; jne -> bomb_blast */
        {
            bomb_blast();
            return -1;                      /* mov $0xffffffffffffffff,%rax */
        }
        rsi = ~rsi;                         /* not %rsi is a bitwise NOT, not a logical one */
        rcx |= rsi;                         /* or  %rsi,%rcx */
        rcx ^= 0xfffffffffffffff2;          /* xor $-14,%rcx */
        rcx += 0x51;                        /* add $81,%rcx */
        if (rdx != rcx) {                   /* cmp %rdx,%rcx ; je -> return */
            bomb_blast();
            return -1;
        }
        return (rcx == 0xfffffffffffffe53); /* sete %al ; movzbl %al,%eax */
    }
    

    Assume the expected return value for this function is 1 (only in this way is the value of %rdx a constant number). As rcx equals rdx at the end, rdx should be 0xfffffffffffffe53 (-429).

    Then we need to do some inverse calculation to find out the value of rcx.

    rcx + 0x51 = 0xfffffffffffffe53
    rcx = 0xfffffffffffffe02
    

    XOR's inverse operation is XOR itself. That is, if a ^ b = c, then a = b ^ c and b = a ^ c.

    rcx ^ 0xfffffffffffffff2 = 0xfffffffffffffe02
    rcx = 0xfffffffffffffe02 ^ 0xfffffffffffffff2
    rcx = 0x1f0
    

    As the value of rsi is defined by us, we can use the simplest situation, x | 0 = x. So the value of rcx is 0x1f0 (496) and rsi is -1.
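The following program is an added example, not code from the question, the answer, or the bomb itself. It models phase_2 with the constants read off the disassembly above, replaces bomb_blast() with a counting stub (an assumption so the model can be run safely), and carries the answer's inverse calculation through in code. It goes slightly beyond the answer: `solve_rcx()` derives a passing %rcx for any chosen %rsi, not only for rsi = -1, and reports when a chosen %rsi admits no solution because the OR would force bits that the XOR/ADD chain could never clear.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Constants taken directly from the disassembly in the question. */
#define XOR_MASK   0xfffffffffffffff2ULL   /* -14  */
#define ADD_CONST  0x51ULL                 /* 81   */
#define TARGET     0xfffffffffffffe53ULL   /* -429 */

/* Stand-in for the bomb's bomb_blast(): counts calls instead of exploding.
   This stub is an assumption of the example, not the bomb's code. */
static int blast_count = 0;
static void bomb_blast_stub(void) { blast_count++; }

/* C model of phase_2 with parameters in System V argument order
   (rdi, rsi, rdx, rcx). uint64_t makes NOT/OR/XOR/ADD behave exactly like
   the 64-bit register instructions (no signed-overflow surprises). */
uint64_t phase_2_model(uint64_t rdi, uint64_t rsi, uint64_t rdx, uint64_t rcx)
{
    if (rdi != 3) {                    /* cmp $0x3,%rdi ; jne bomb_blast   */
        bomb_blast_stub();
        return (uint64_t)-1;           /* mov $-1,%rax                      */
    }
    rsi = ~rsi;                        /* not %rsi (bitwise)                */
    rcx |= rsi;                        /* or  %rsi,%rcx                     */
    rcx ^= XOR_MASK;                   /* xor $-14,%rcx                     */
    rcx += ADD_CONST;                  /* add $0x51,%rcx                    */
    uint64_t rax = (rcx == TARGET);    /* sete %al ; movzbl %al,%eax        */
    if (rdx != rcx) {                  /* cmp %rdx,%rcx ; je done           */
        bomb_blast_stub();
        return (uint64_t)-1;
    }
    return rax;
}

/* Inverse of the arithmetic: the value %rcx must hold right after the OR so
   that the final compare hits TARGET. Subtraction undoes ADD; XOR undoes XOR. */
uint64_t required_after_or(void)
{
    return (TARGET - ADD_CONST) ^ XOR_MASK;   /* 0x1f0 */
}

/* For a chosen %rsi, compute an %rcx that passes; returns 0 if none exists.
   After "not %rsi", OR forces every set bit of ~rsi to 1, so a solution
   exists only when ~rsi is a subset of required_after_or(). We then supply
   the remaining wanted bits through %rcx. rsi = -1 (so ~rsi = 0) is the
   simplest case and yields rcx = 0x1f0, matching the answer above. */
int solve_rcx(uint64_t rsi, uint64_t *rcx_out)
{
    uint64_t want   = required_after_or();
    uint64_t forced = ~rsi;                 /* bits the OR will set no matter what */
    if (forced & ~want)
        return 0;                           /* those bits could never be cleared   */
    *rcx_out = want & rsi;
    return 1;
}

/* Convenience check: does a chosen %rsi lead to a defused run (rax == 1, no blast)? */
int passes_with_rsi(uint64_t rsi)
{
    uint64_t rcx;
    if (!solve_rcx(rsi, &rcx))
        return 0;
    int before = blast_count;
    return phase_2_model(3, rsi, TARGET, rcx) == 1 && blast_count == before;
}

int main(void)
{
    uint64_t rsi = (uint64_t)-1, rcx;
    if (!solve_rcx(rsi, &rcx))
        return 1;
    uint64_t rax = phase_2_model(3, rsi, TARGET, rcx);
    printf("rsi=%" PRId64 " rcx=0x%" PRIx64 " (%" PRIu64 ") rdx=%" PRId64
           " -> rax=%" PRIu64 ", blasts=%d\n",
           (int64_t)rsi, rcx, rcx, (int64_t)TARGET, rax, blast_count);
    return (rax == 1 && blast_count == 0) ? 0 : 1;
}
```

The model returns 1 with no blast for rsi = -1, rcx = 0x1f0, rdx = -429, which confirms the hand calculation. `solve_rcx()` also shows why the "x | 0 = x" shortcut is not the only option: rsi = ~0x1f0 with rcx = 0 passes too, because the OR then supplies the whole 0x1f0 itself, whereas rsi = 0 can never pass since ~rsi sets bits outside 0x1f0 that the rest of the chain cannot clear.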