
Can somebody please explain to me what exactly these functions do? I have a breakpoint set at <+35> as indicated by the arrow, and this is where I get lost. So far, all I've figured out is that this phase takes a string with a length of 6. But I don't exactly know what is going on in the movsbl and movzbl functions. I'm not expecting an answer, but some insight would be greatly appreciated.

Please don't bash me if this question was answered before or redirect me to another similar question. I've looked at all of those and I still don't understand what's going on here.

Dump of assembler code for function phase_5:
           0x08048edc <+0>:     push   %ebp
           0x08048edd <+1>:     mov    %esp,%ebp
           0x08048edf <+3>:     push   %edi
           0x08048ee0 <+4>:     push   %esi
           0x08048ee1 <+5>:     push   %ebx
           0x08048ee2 <+6>:     sub    $0x2c,%esp
           0x08048ee5 <+9>:     mov    0x8(%ebp),%eax
           0x08048ee8 <+12>:    mov    %eax,(%esp)
           0x08048eeb <+15>:    call   0x80490a0 <string_length>
           0x08048ef0 <+20>:    cmp    $0x6,%eax
           0x08048ef3 <+23>:    je     0x8048efa <phase_5+30>
           0x08048ef5 <+25>:    call   0x8049341 <explode_bomb>
           0x08048efa <+30>:    mov    $0x0,%eax
        => 0x08048eff <+35>:    lea    -0x1f(%ebp),%ecx
           0x08048f02 <+38>:    mov    $0x804a4e0,%edx
           0x08048f07 <+43>:    mov    0x8(%ebp),%ebx
           0x08048f0a <+46>:    movsbl (%ebx,%eax,1),%esi
           0x08048f0e <+50>:    and    $0xf,%esi
           0x08048f11 <+53>:    movzbl (%edx,%esi,1),%esi
           0x08048f15 <+57>:    mov    %esi,%ebx
           0x08048f17 <+59>:    mov    %bl,(%ecx,%eax,1)
           0x08048f1a <+62>:    add    $0x1,%eax
           0x08048f1d <+65>:    cmp    $0x6,%eax
           0x08048f20 <+68>:    jne    0x8048f07 <phase_5+43>
           0x08048f22 <+70>:    movb   $0x0,-0x19(%ebp)
           0x08048f26 <+74>:    movl   $0x804a4b7,0x4(%esp)
           0x08048f2e <+82>:    lea    -0x1f(%ebp),%eax
           0x08048f31 <+85>:    mov    %eax,(%esp)
           0x08048f34 <+88>:    call   0x80490bb <strings_not_equal>
           0x08048f39 <+93>:    test   %eax,%eax
           0x08048f3b <+95>:    je     0x8048f42 <phase_5+102>
           0x08048f3d <+97>:    call   0x8049341 <explode_bomb>
           0x08048f42 <+102>:   add    $0x2c,%esp
           0x08048f45 <+105>:   pop    %ebx
           0x08048f46 <+106>:   pop    %esi
           0x08048f47 <+107>:   pop    %edi
           0x08048f48 <+108>:   pop    %ebp
           0x08048f49 <+109>:   ret    
        End of assembler dump.
Peter Cordes
  • `movsbl` and `movzbl` are x86 assembly instructions, **not** functions. See the Intel and/or AMD developer manuals (available on the Internet) to find out what each instruction does. – nrz Feb 26 '14 at 05:34
  • I have been doing that, but still no help. All they show is an example of how eax magically changed its address after movsbl is executed. It doesn't show me what it does (like for example, an arithmetic or if I take A+B, then it will equal C). That sort of thing. – newbie programmer Feb 26 '14 at 05:36
  • Related: http://stackoverflow.com/questions/7861095/what-does-movsbl-instruction-do/7861177#7861177 – nrz Feb 26 '14 at 12:09
  • Do you not know English? I said that this example doesn't really help me.... – newbie programmer Feb 26 '14 at 19:20
  • You haven't said **which** examples didn't help you. Raymond Chen's answer to the above mentioned question has a very clear example of both `movsbl` and `movzbl`: http://stackoverflow.com/questions/7861095/what-does-movsbl-instruction-do/7861187#7861187 . If that is not clear enough, it would help if you reworded your question to make it clearer **what** is it you don't understand in `movsbl` and `movzbl`. – nrz Feb 26 '14 at 19:44
  • So let's take my code: `0x08048f0a <+46>: movsbl (%ebx,%eax,1),%esi` / `0x08048f0e <+50>: and $0xf,%esi` / `0x08048f11 <+53>: movzbl (%edx,%esi,1),%esi`. I know that the address of ebx+eax is calculated and placed into esi at line 46, but I'm not sure what exactly movsbl does to the new address that is inside esi. Same can be said about movzbl – newbie programmer Feb 26 '14 at 22:48

2 Answers


This is a decompilation of the function.

/**
 *         + 8: arg0
 *         + 4: Return Address
 * EBP       0: Old EBP
 *         - 4: Saved EDI
 *         - 8: Saved ESI
 *         -12: Saved EBX
 * 
 *         -25: NUL character
 *         -31: Beginning of 6-char string
 * 
 * ESP+4 = -52: argument 1 for callees
 * ESP+0 = -56: argument 0 for callees
 */

typedef signed char   i8;
typedef unsigned char u8;

u8 GBL0[16] = {,,,,,,,,,,,,,,,};/* ADDRESS 0x804a4e0 (16-entry lookup table) */
u8 GBL1[]   = {,,,,,,'\0'};     /* ADDRESS 0x804a4b7 (expected 6-char result) */

int phase_5(i8* arg0){
    i8   PAD0[12];/* ADDRESS EBP-0x18 */
    u8   LOC0[7]; /* ADDRESS EBP-0x1f */
    i8   PAD1[25];/* ADDRESS EBP-0x38 = ESP+0 */
                  /* The range [EBP-56, EBP-48) corresponds to
                     the range [ESP+0,  ESP+8)  and is used to
                     place arguments for function calls. */
    register int eax;/* In EAX */

    if(string_length(arg0) != 6){
        explode_bomb();
    }

    for(eax=0;eax<6;eax++){
        LOC0[eax] = GBL0[arg0[eax] & 0xF];
    }

    LOC0[6] = '\0';/* ADDRESS EBP-0x19 */

    if(eax = strings_not_equal(LOC0, GBL1)){
        explode_bomb();
    }

    return eax;/* Maybe? */
}

Essentially, it does not explode the bomb if and only if the argument is a 6-character "string" that is successfully substitution-deciphered into a 6-character string equal to some password.

Iwillnotexist Idonotexist
  • [Bomb lab phase 5 - 6 char string, movzbl load, and $0xf, %ecx, and index an array with that?](https://stackoverflow.com/q/29543031) is a similar lookup-table process. Jester's answer there describes how the low 4 bits of ASCII character codes get used as indices. – Peter Cordes Oct 28 '20 at 07:37
  • [Binary Bomb Phase 5](https://stackoverflow.com/a/14651462) has a more detailed description in words how it works. – Peter Cordes Dec 05 '20 at 18:31

movzbw: byte (8-bit) to word (16-bit)

movzwl: word (16-bit) to long (32-bit)

movzbl: byte (8-bit) to long (32-bit)

MangoTatsy
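The following C program is an added example, not code from either answer above or from the bomb lab itself. It models the two instructions the question asks about and the loop at `<+43>` through `<+68>` of the decompilation in the first answer: `movsbl` as a byte load that sign-extends to 32 bits, `movzbl` as a byte load that zero-extends (the width rules listed in the second answer), `and $0xf` as a low-nibble mask, and the table lookup that builds the 6-byte result compared against the password. The 16-byte table and the target string here are constructed stand-ins; the real bytes at 0x804a4e0 and 0x804a4b7 are not shown on this page, and the function name `phase_5_model` is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* movsbl: load one byte and SIGN-extend it to 32 bits.  Bit 7 of the byte
   is copied into bits 8..31, so 0xE9 becomes 0xFFFFFFE9 (-23).  The cast
   through int8_t relies on two's complement, which x86 uses. */
static uint32_t movsbl(uint8_t b)
{
    return (uint32_t)(int32_t)(int8_t)b;
}

/* movzbl: load one byte and ZERO-extend it to 32 bits.  Bits 8..31 are
   cleared, so 0xE9 becomes 0x000000E9 (233). */
static uint32_t movzbl(uint8_t b)
{
    return (uint32_t)b;
}

/* Constructed 16-entry translation table standing in for the bytes at
   0x804a4e0 (assumption: the real table contents are not on this page). */
static const char table[16] = "maduiersnfotvbyl";

/* Model of phase_5's loop.  For each of the 6 input bytes:
     movsbl (%ebx,%eax,1),%esi   -> sign-extend input[i]
     and    $0xf,%esi            -> keep only the low 4 bits
     movzbl (%edx,%esi,1),%esi   -> zero-extend table[that nibble]
     mov    %bl,(%ecx,%eax,1)    -> store the low byte into out[i]
   Then out[6] = '\0' and the result is compared with target.
   Returns 0 when out equals target (bomb survives), 1 when it does not,
   and -1 when the input is not exactly 6 bytes (explode_bomb in the lab). */
int phase_5_model(const char *input, const char *target, char out[7])
{
    if (strlen(input) != 6)
        return -1;

    for (int i = 0; i < 6; i++) {
        uint32_t c = movsbl((uint8_t)input[i]);
        /* The mask discards bits 4..31, so after "and $0xf" it no longer
           matters whether the byte was sign- or zero-extended: the index
           is always 0..15 and the table read cannot run off the end. */
        c &= 0xf;
        uint32_t t = movzbl((uint8_t)table[c]);
        out[i] = (char)t;
    }
    out[6] = '\0';
    return strcmp(out, target) != 0;
}

int main(void)
{
    char out[7];

    /* Raw extension behaviour on a byte with bit 7 set. */
    printf("movsbl(0xE9) = 0x%08X\n", movsbl(0xE9));   /* 0xFFFFFFE9 */
    printf("movzbl(0xE9) = 0x%08X\n", movzbl(0xE9));   /* 0x000000E9 */

    /* Because only the low nibble of each input byte is used, several
       different inputs decode to the same 6-character result. */
    const char *inputs[] = { "0dgkef", "PTW[UV", "abcdef" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int r = phase_5_model(inputs[i], "mister", out);
        printf("%s -> %s (%s)\n", inputs[i], out, r == 0 ? "ok" : "explode");
    }
    return 0;
}
```

The point to take from the loop is that the value `movsbl` produces is only an intermediate: `and $0xf` throws away everything above bit 3, so the extension width and sign never reach the table index. That is also why any 6-character input whose bytes share low nibbles with a working solution is accepted.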