Continuing from Stage2, now I’m on Stage3.
![](https://www.dejadk.com/wp-content/uploads/2019/03/Beginning-1.png)
It’s getting user input with a call to `fgets` and then passing that user input to a call to `vsscanf` using the format-control string `"%d %d %d %d %d"`. Right after the call to `vsscanf` there’s a `cmp eax,5`. `vsscanf` returns the number of fields that are successfully assigned. To appease this comparison I need to input five integers separated with spaces.
Next it will compare the first integer, which is at `[ebp-14]`, with `6` and return early if the first integer is greater than six. Now I know the first integer must be any number less than six.
After this, it’s going to loop through the remaining integers doing some arithmetic and checking their values.
![](https://www.dejadk.com/wp-content/uploads/2019/03/ArithmeticCheck.png)
It takes the integer stored at `[eax+4]` and adds it to the previous integer with `add ecx,[eax]`. Then it takes that result and multiplies it by two with `add ecx,ecx`. Next it checks whether the result of that arithmetic is equal to the following number at `[eax+8]`.
Here’s some pseudocode of what’s happening.
```
(previousNumber + currentNumber) * 2 == nextNumber
```
Now that I know what it’s expecting I can just plug in the numbers. I started with 1 because it was simple. Plugging that value in I got (1 + 1) * 2 = 4, then (1 + 4) * 2 = 10, and finally (4 + 10) * 2 = 28. So one of the many possible answers to Stage3 is `1 1 4 10 28`.
![](https://www.dejadk.com/wp-content/uploads/2019/04/Defused.png)
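The check described above, rebuilt in C as an added example (not code from the original post or from the binary itself), together with a helper that derives a passing input from any two starting values. The function names `stage3_check` and `stage3_solve` are hypothetical, `sscanf` stands in for the `fgets` plus `vsscanf` pair, and a signed comparison on the first integer is assumed.

```c
#include <stdio.h>

/* Reconstruction of the Stage3 check as described in the write-up.
   Function names are hypothetical; the binary's own symbols are not shown. */

/* Returns 1 if the line would pass the described checks, 0 otherwise. */
int stage3_check(const char *line)
{
    int n[5];

    /* Same format string the binary passes to vsscanf. The return value is
       the number of fields assigned, which the binary compares against 5. */
    if (sscanf(line, "%d %d %d %d %d", &n[0], &n[1], &n[2], &n[3], &n[4]) != 5)
        return 0;

    /* Early return when the first integer is greater than six
       (signed comparison is an assumption). */
    if (n[0] > 6)
        return 0;

    /* add ecx,[eax] then add ecx,ecx: (previous + current) * 2 == next */
    for (int i = 0; i + 2 < 5; i++) {
        if ((n[i] + n[i + 1]) * 2 != n[i + 2])
            return 0;
    }
    return 1;
}

/* Builds a five-integer input from two chosen starting values by applying
   the same recurrence. Returns the length snprintf reports. */
int stage3_solve(int first, int second, char *out, size_t len)
{
    int n[5] = { first, second };

    for (int i = 0; i + 2 < 5; i++)
        n[i + 2] = (n[i] + n[i + 1]) * 2;
    return snprintf(out, len, "%d %d %d %d %d", n[0], n[1], n[2], n[3], n[4]);
}

int main(void)
{
    char buf[64];

    stage3_solve(1, 1, buf, sizeof buf);
    printf("%s -> %s\n", buf, stage3_check(buf) ? "pass" : "fail");
    return 0;
}
```

Starting from `1 1` the helper reproduces the answer found by hand, and any other pair whose first value passes the early check yields another valid input.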