Reading Assembly Code (Bomb lab phase 5 help)


I have to decode this assembly language for the bomb lab:

Dump of assembler code for function phase_5:
0x08048e79 <+0>:    push   %ebx
0x08048e7a <+1>:    sub    $0x28,%esp
0x08048e7d <+4>:    lea    0x1c(%esp),%eax
0x08048e81 <+8>:    mov    %eax,0xc(%esp)
0x08048e85 <+12>:   lea    0x18(%esp),%eax
0x08048e89 <+16>:   mov    %eax,0x8(%esp)
0x08048e8d <+20>:   movl   $0x804a9de,0x4(%esp)
0x08048e95 <+28>:   mov    0x30(%esp),%eax
0x08048e99 <+32>:   mov    %eax,(%esp)
0x08048e9c <+35>:   call   0x8048940 <__isoc99_sscanf@plt>
0x08048ea1 <+40>:   cmp    $0x1,%eax
0x08048ea4 <+43>:   jg     0x8048eab <phase_5+50>
0x08048ea6 <+45>:   call   0x804961b <explode_bomb>
0x08048eab <+50>:   mov    0x18(%esp),%eax
0x08048eaf <+54>:   mov    %eax,%edx
0x08048eb1 <+56>:   and    $0xf,%edx
0x08048eb4 <+59>:   cmp    %edx,%eax
0x08048eb6 <+61>:   je     0x8048ebd <phase_5+68>
0x08048eb8 <+63>:   call   0x804961b <explode_bomb>
0x08048ebd <+68>:   mov    0x18(%esp),%ebx
0x08048ec1 <+72>:   mov    %ebx,%eax
0x08048ec3 <+74>:   mov    $0x0,%ecx
0x08048ec8 <+79>:   mov    $0x0,%edx
0x08048ecd <+84>:   add    $0x1,%edx
0x08048ed0 <+87>:   add    %eax,%ecx
0x08048ed2 <+89>:   mov    0x804a700(,%eax,4),%eax
0x08048ed9 <+96>:   cmp    %eax,%ebx
0x08048edb <+98>:   jne    0x8048ecd <phase_5+84>
0x08048edd <+100>:  cmp    0x1c(%esp),%edx
0x08048ee1 <+104>:  jne    0x8048ee8 <phase_5+111>
0x08048ee3 <+106>:  cmp    $0x41,%ecx
0x08048ee6 <+109>:  je     0x8048eed <phase_5+116>
0x08048ee8 <+111>:  call   0x804961b <explode_bomb>
0x08048eed <+116>:  add    $0x28,%esp
0x08048ef0 <+119>:  pop    %ebx
0x08048ef1 <+120>:  ret

I know that up until +68 it basically checks whether I have at least 2 ints in the string I input.

After it exits the loop, edx must be 4 (at +100 I saw 0x1c(%esp) = 4) and ecx must be 65 (0x41 at +106). Can someone please help me figure out what's going on and what I'd need to input?

Edit 4/18 (content of array): It just becomes 0 after %eax = 24, so I think I hit the end. Starting when eax = 5 and traversing 7 times to when eax = 11, %ecx will be 65, but when I enter "5 7" it doesn't work :(

%eax=0: 0x00000014 
1:  0x00000008
2:  0x00000010
3:  0x00000018
4:  0x00000005
5:  0x0000000a
6:  0x0000000e
7:  0x0000000d
8:  0x00000000
9:  0x00000004
10: 0x00000016
11: 0x00000002
12: 0x00000013
13: 0x00000017
14: 0x00000012
15: 0x00000015
16: 0x0000000f
17: 0x0000000c
18: 0x00000006
19: 0x00000011
20: 0x00000001
21: 0x0000000b
22: 0x00000009
23: 0x00000003
24: 0x00000007
25: 0x00000000
26: 0x00000000
27: 0x00000000
28: 0x00000000
29: 0x00000000...
asked on Stack Overflow Apr 17, 2016 by Grshh • edited Apr 18, 2016 by Grshh

1 Answer


First, you obviously have the two input integers at 0x18(%esp) and 0x1c(%esp). Thus, your statement that "edx must be 4" is only valid if you entered 4 as the second number. In general, the check is that edx must be equal to the second number.

The code has a linked list at address 0x804a700 which is traversed starting at the index given by the first input number. The loop exits if the value given by the first input is found. edx is used to keep track of the number of iterations, and that's what should match the second number.

ecx is used to keep track of the sum of all the values encountered during the search and that should be 0x41 in the end.

As such, you will need to identify which part of the linked list gives 0x41 as sum, and enter its starting point and length as the two inputs.


Remember that the exit condition is to find the first number. Starting at 5 will enter a loop with 0->20->1->8->0... so it will never exit. Incidentally that means you can't start at 0, 1 or 8 either. So let's try 2: 2 + 16 + 15 + 21 + 11 = 65 and we get back to 2 so the loop exits. Yay, that's our solution: 2 5.

answered on Stack Overflow Apr 17, 2016 by Jester • edited Apr 18, 2016 by Jester
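As an added example that is not part of the question or the answer, here is a Python model of the loop at <+84>..<+98> seeded with the array values the question dumped from 0x804a700 (entries past index 24 are taken as 0, as the edit states). It goes a step beyond the answer: it tries every first value that survives the `and $0xf` check, which confirms the `2 5` pair and also shows which other start points of the same cycle satisfy the count and sum checks.

```python
# Added example (not from the question or answer): a Python model of phase_5
# as the disassembly reads, using the array the question dumped from 0x804a700.

# Constructed from the dump in the question: indices 0..24, zeros afterwards.
ARRAY = [0x14, 0x08, 0x10, 0x18, 0x05, 0x0a, 0x0e, 0x0d, 0x00, 0x04,
         0x16, 0x02, 0x13, 0x17, 0x12, 0x15, 0x0f, 0x0c, 0x06, 0x11,
         0x01, 0x0b, 0x09, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00]

TARGET_SUM = 0x41   # cmp $0x41,%ecx at <+106>


def trace(first):
    """Run the loop at <+84>..<+98> starting from index `first`.

    Returns (path, count, total): the indices visited, the final %edx and
    the final %ecx. Returns None if the walk never comes back to `first`
    (the real binary would spin or read past the array in that case).
    """
    eax, ecx, edx, path = first, 0, 0, []
    while True:
        edx += 1                      # add $0x1,%edx
        ecx += eax                    # add %eax,%ecx
        path.append(eax)
        eax = ARRAY[eax]              # mov 0x804a700(,%eax,4),%eax
        if eax == first:              # cmp %eax,%ebx ; jne <+84>
            return path, edx, ecx
        if edx > len(ARRAY) or not 0 <= eax < len(ARRAY):
            return None               # guard so the model always terminates


def defuses(first, second):
    """True if the pair passes every check between <+56> and <+109>."""
    if first & 0xF != first:          # <+56>..<+61>: first must be 0..15
        return False
    result = trace(first)
    if result is None:
        return False
    _, count, total = result
    return count == second and total == TARGET_SUM   # <+100>, <+106>


def solutions():
    """Every pair that defuses the phase, trying all 16 legal first values."""
    found = []
    for first in range(16):
        result = trace(first)
        if result is not None and defuses(first, result[1]):
            found.append((first, result[1]))
    return found


if __name__ == "__main__":
    for first, second in solutions():
        print(first, second, trace(first))
```

Running it prints the three start points of the cycle 2 -> 16 -> 15 -> 21 -> 11 that lie in 0..15, each with a count of 5 and a sum of 0x41.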
