I tried like for 3 days but still not able to figure out the number. I guess second number is going to be 14. as i saw that it by last cmp statement in the assembly code.

code for phase 4 is as below :

08048f0f : 8048f0f 8048f12: 65 a1 14 00 00 00 mov 8048f18:89 44 24 0c 8048f1o: 8048f1e: 8048f22: 8048f23: 8048f27: 8048f28: 8048f2d 8048f31: 8048f36: 8048f39: 8048f3c: 8048f3e: 8048f43: 8048f47: 8048f4a: 8048f4e: 8048f51: 8048f53: 8048f58: 8048f5d 8048f60: 8b 04 85 00 a4 04 08 mov 8048f67: 8048f69:83 f8 Of 8048f6c: 8048f6e: c7 44 24 04 Of 00 00 movl 8048f75: 8048f76: 83 fa 0e 8048f79: 8048f7b: 8048f7f: 8048f81: 8048f86: 8048f8a: 8048f91: 74 05 8048f93: e8 68 f8 ff ff 8048f98: 8048f9b: sub $0x1c,%esp mov %eax,0xc(%esp) lea 0x8(%esp),%eax lea 0x8(%esp),%eax %gs:0x14,%eax xor %eax,%eax push %eax push %eax 8d 44 24 08 8d 44 24 08 68 21 a6 04 08 ff 74 24 2c e8 7a f9 ff ff push 0x804a621 pushl 0x2c(%esp) call 80488b0<_isoc99_ sscanf> add $0x10,%esp cmp $0x1,%eax 801239 83 f8 01 jg 8048f43 e8 27 05 00 00 8b 44 24 04 call 804946a 89 44 24 04 83 f8 Of je 8048f81 $0x0,%ecx $0x0,%edx $0x1,%edx 0x804a400(,%eax,4),%eax b9 00 00 00 00 ba 00 00 00 00 mov mov add add %eax,%ecx Cmp $0xf,%eax 8048f5d ne $0xf,0x4(%esp) 8048f81 0x81%esp),%ecx 8048f86 call 804946a e4 04 00 00 8b 44 24 0c 65 33 05 14 00 00 00 xor %gs:0x14,%eax je 8048f98 call 8048800 <_stack chk fail plt> add $0x1c,%esp 08048f0f : 8048f0f 8048f12: 65 a1 14 00 00 00 mov 8048f18:89 44 24 0c 8048f1o: 8048f1e: 8048f22: 8048f23: 8048f27: 8048f28: 8048f2d 8048f31: 8048f36: 8048f39: 8048f3c: 8048f3e: 8048f43: 8048f47: 8048f4a: 8048f4e: 8048f51: 8048f53: 8048f58: 8048f5d 8048f60: 8b 04 85 00 a4 04 08 mov 8048f67: 8048f69:83 f8 Of 8048f6c: 8048f6e: c7 44 24 04 Of 00 00 movl 8048f75: 8048f76: 83 fa 0e 8048f79: 8048f7b: 8048f7f: 8048f81: 8048f86: 8048f8a: 8048f91: 74 05 8048f93: e8 68 f8 ff ff 8048f98: 8048f9b: sub $0x1c,%esp mov %eax,0xc(%esp) lea 0x8(%esp),%eax lea 0x8(%esp),%eax %gs:0x14,%eax xor %eax,%eax push %eax push %eax 8d 44 24 08 8d 44 24 08 68 21 a6 04 08 ff 74 24 2c e8 7a f9 ff ff push 0x804a621 pushl 0x2c(%esp) call 80488b0<_isoc99_ sscanf> add $0x10,%esp cmp $0x1,%eax 801239 83 f8 01 jg 8048f43 e8 27 05 00 00 8b 44 24 04 call 804946a 89 44 24 04 83 f8 Of je 8048f81 $0x0,%ecx $0x0,%edx $0x1,%edx 0x804a400(,%eax,4),%eax b9 00 00 00 00 ba 00 00 00 00 mov mov add add %eax,%ecx Cmp $0xf,%eax 8048f5d ne $0xf,0x4(%esp) 8048f81 0x81%esp),%ecx 8048f86 call 804946a e4 04 00 00 8b 44 24 0c 65 33 05 14 00 00 00 xor %gs:0x14,%eax je 8048f98 call 8048800 <_stack chk fail plt> add $0x1c,%esp