
I have been given an assignment to read a binary bomb. I am confused as to how func4 and phase_4 are linked together.

The following is the code.

===================
Dump of assembler code for function phase_4:

   0x08048d3a <+0>:     push   %ebp
   0x08048d3b <+1>:     mov    %esp,%ebp
   0x08048d3d <+3>:     sub    $0x28,%esp
   0x08048d40 <+6>:     lea    -0x10(%ebp),%eax
   0x08048d43 <+9>:     mov    %eax,0xc(%esp)
   0x08048d47 <+13>:    lea    -0xc(%ebp),%eax
   0x08048d4a <+16>:    mov    %eax,0x8(%esp)
   0x08048d4e <+20>:    movl   $0x804a1aa,0x4(%esp)   // input format
                                                      // (gdb) x/s 0x804a1aa => "%d %d"
   0x08048d56 <+28>:    mov    0x8(%ebp),%eax
   0x08048d59 <+31>:    mov    %eax,(%esp)
   0x08048d5c <+34>:    call   0x804870c <__isoc99_sscanf@plt>
   0x08048d61 <+39>:    cmp    $0x2,%eax   // if not == 2 , bomb
   0x08048d64 <+42>:    jne    0x8048d72 <phase_4+56>
   0x08048d66 <+44>:    mov    -0xc(%ebp),%eax      // 
   0x08048d69 <+47>:    test   %eax,%eax
   0x08048d6b <+49>:    js     0x8048d72 <phase_4+56>
   0x08048d6d <+51>:    cmp    $0xe,%eax          // if <= 14 ,  ok 
   0x08048d70 <+54>:    jle    0x8048d77 <phase_4+61>
   0x08048d72 <+56>:    call   0x8049138 <explode_bomb>
   0x08048d77 <+61>:    movl   $0xe,0x8(%esp)       
   0x08048d7f <+69>:    movl   $0x0,0x4(%esp)      
   0x08048d87 <+77>:    mov    -0xc(%ebp),%eax
   0x08048d8a <+80>:    mov    %eax,(%esp)         
   0x08048d8d <+83>:    call   0x8048a80 <func4>
   0x08048d92 <+88>:    cmp    $0x1f,%eax             // compare output of func4 with 31 ( ? )  
   0x08048d95 <+91>:    jne    0x8048d9d <phase_4+99>
   0x08048d97 <+93>:    cmpl   $0x1f,-0x10(%ebp)      // output of fun4 must == 0x1f
                             // (gdb) p /d 0x1f => 31
   0x08048d9b <+97>:    je     0x8048da2 <phase_4+104>
   0x08048d9d <+99>:    call   0x8049138 <explode_bomb>
   0x08048da2 <+104>:   leave  
   0x08048da3 <+105>:   ret 


====================

Dump of assembler code for function func4:

   0x08048a80 <+0>:    push   %ebp
   0x08048a81 <+1>:    mov    %esp,%ebp
   0x08048a83 <+3>:    sub    $0x18,%esp
   0x08048a86 <+6>:    mov    %ebx,-0x8(%ebp)
   0x08048a89 <+9>:     mov    %esi,-0x4(%ebp)
   0x08048a8c <+12>:    mov    0x8(%ebp),%eax
   0x08048a8f <+15>:    mov    0xc(%ebp),%edx
   0x08048a92 <+18>:    mov    0x10(%ebp),%esi
   0x08048a95 <+21>:    mov    %esi,%ecx
   0x08048a97 <+23>:    sub    %edx,%ecx
   0x08048a99 <+25>:    mov    %ecx,%ebx
   0x08048a9b <+27>:    shr    $0x1f,%ebx
   0x08048a9e <+30>:    lea    (%ebx,%ecx,1),%ecx
   0x08048aa1 <+33>:    sar    %ecx
   0x08048aa3 <+35>:    lea    (%ecx,%edx,1),%ebx
   0x08048aa6 <+38>:    cmp    %eax,%ebx
   0x08048aa8 <+40>:    jle    0x8048ac1 <func4+65>
   0x08048aaa <+42>:    lea    -0x1(%ebx),%ecx
   0x08048aad <+45>:    mov    %ecx,0x8(%esp)
   0x08048ab1 <+49>:    mov    %edx,0x4(%esp)
   0x08048ab5 <+53>:    mov    %eax,(%esp)
   0x08048ab8 <+56>:    call   0x8048a80 <func4>
   0x08048abd <+61>:    add    %eax,%ebx
   0x08048abf <+63>:    jmp    0x8048ada <func4+90>
   0x08048ac1 <+65>:    cmp    %eax,%ebx
   0x08048ac3 <+67>:    jge    0x8048ada <func4+90>
   0x08048ac5 <+69>:    mov    %esi,0x8(%esp)
   0x08048ac9 <+73>:    lea    0x1(%ebx),%edx
   0x08048acc <+76>:    mov    %edx,0x4(%esp)
   0x08048ad0 <+80>:    mov    %eax,(%esp)
   0x08048ad3 <+83>:    call   0x8048a80 <func4>
   0x08048ad8 <+88>:    add    %eax,%ebx
   0x08048ada <+90>:    mov    %ebx,%eax
   0x08048adc <+92>:    mov    -0x8(%ebp),%ebx
   0x08048adf <+95>:    mov    -0x4(%ebp),%esi
   0x08048ae2 <+98>:    mov    %ebp,%esp
   0x08048ae4 <+100>:   pop    %ebp
   0x08048ae5 <+101>:   ret 

=================================

    1. line 20, I assume my input must be (%d , %d)
    2. line 39, the first input must be x = 2 ?
    3. line 51, the second input must be y <= 14 ?
    4. then call func4(x,y)
    5. line 88, compare output of func4(x,y) or %eax = 31 ?
    6. line 93, what do I have to compare -0x10(%ebp) = 31 ? What exactly is -0x10(%ebp) when the output should already be in %eax on line 88 ? Why do I have to check for this value ?
    7. when I try to find the answer of %d %d , since I already know the first one is (2,y) , can I just keep doing (2,0) then (2,1) ... (2,14) until I get the correct answer, which is to break at line 88 and run each answer until I get %eax = 31 ? Is this the correct approach to defuse the bomb ? I'm so lost .. if not, what would possibly be my approach, if I cannot read what func4 is actually doing.

I'm so confused. Am I interpreting this correctly ?

Thank you

  • If it were me, I would edit that list and make the lines of interest bold, and/or copy that to a text editor and manually insert line numbers (or write a script to do it) and post it with those line numbers. It's hard enough for people to actually debug the problem without having to manually count lines to figure out the lines you're discussing. – clearlight Oct 05 '15 at 18:39
  • Another possibility is to discuss lines in terms of their offset such as `<+77>` instead of by line number. – clearlight Oct 05 '15 at 18:40
  • I see you have found the duplicate yourself ;) – Jester Oct 05 '15 at 18:42
  • @Jester Hi Jester, I have .. but I still don't understand it, the code is so different. First of all, I have to say that I am so happy you saw this, I have seen your answers in a lot of questions :) . But my bomb is different from the one the other guy was having, and I have already spent a week on this. Still not getting it. I would really appreciate it if you could take a look. – JPC Oct 05 '15 at 18:49
  • The only difference I see is that you need a result of `0x1f` instead of `0x25`. – Jester Oct 05 '15 at 18:55
  • @Jester you are correct, phase_4 is the same; the only difference is the value compared against, mine is 31 vs 37 in the example. But my func4 is not the same as the example ( or I might be wrong ) .. his was doing (high-low)/2, some average pattern.. ... mine is doing something else that I still can't crack open, so lost.. :( I'm trying to do it step by step using gdb, but I don't see any pattern. – JPC Oct 05 '15 at 19:15
  • Yours is doing exactly the same. Heck, you can almost match it up line by line. You just have to follow the steps I outlined in the third paragraph. `31 - 7 = 24` which is more than `7 * 3` so go up to `11`. `24 - 11 = 13` and boom, that's our result. – Jester Oct 05 '15 at 22:12
  • Thank you so much, I found the other way around it by using gdb to get %eax repeatedly until I matched the value. But doing it your way is waaayyyyyyy better and smarter. I'll try harder. Thanks again. – JPC Oct 06 '15 at 00:40
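The way Jester's comment resolves the thread is to read func4 as a recursive binary search and phase_4 as two checks on top of it. The C below is an added reconstruction of those two functions from the disassembly in the question; it is not the bomb's own source, and `phase_4_check` and `find_first_arg` are helper names chosen here, not symbols from the bomb. Argument order in `func4` follows the stack layout (`0x8(%ebp)` = the first number typed, `0xc(%ebp)` = 0, `0x10(%ebp)` = 14), and every branch is annotated with the instruction it mirrors, so it can be compared line by line with the dump:

```c
#include <stdio.h>

/* Reconstruction of func4 from the disassembly (added example, not the
 * bomb's source). x is the value searched for; low/high are the bounds
 * passed as the second and third arguments (0 and 14 from phase_4). */
int func4(int x, int low, int high)
{
    int span = high - low;                      /* mov %esi,%ecx; sub %edx,%ecx */
    int sign = (int)((unsigned)span >> 31);     /* mov %ecx,%ebx; shr $0x1f,%ebx */
    int mid  = low + ((span + sign) >> 1);      /* lea; sar %ecx; lea (%ecx,%edx,1),%ebx */

    if (mid > x)                                /* cmp %eax,%ebx; jle <+65> not taken */
        return mid + func4(x, low, mid - 1);    /* call func4; add %eax,%ebx */
    if (mid < x)                                /* cmp %eax,%ebx; jge <+90> not taken */
        return mid + func4(x, mid + 1, high);   /* call func4; add %eax,%ebx */
    return mid;                                 /* mid == x: result is just mid */
}

/* Models the checks phase_4 performs on one input line.
 * Returns 1 if the line would get past phase_4, 0 if it would explode. */
int phase_4_check(const char *line)
{
    int first, second;                          /* -0xc(%ebp) and -0x10(%ebp) */

    /* sscanf(input, "%d %d", &first, &second) must return 2 */
    if (sscanf(line, "%d %d", &first, &second) != 2)
        return 0;
    /* test %eax,%eax / js: first must not be negative;
     * cmp $0xe,%eax / jle: first must be <= 14 */
    if (first < 0 || first > 14)
        return 0;
    /* func4(first, 0, 14) is compared with 0x1f */
    if (func4(first, 0, 14) != 0x1f)
        return 0;
    /* the second number itself is compared with 0x1f (cmpl $0x1f,-0x10(%ebp)) */
    return second == 0x1f;
}

/* Instead of single-stepping in gdb, enumerate the only 15 legal values of
 * the first number and report the one for which func4 yields 0x1f (-1 if none). */
int find_first_arg(void)
{
    for (int a = 0; a <= 14; a++)
        if (func4(a, 0, 14) == 0x1f)
            return a;
    return -1;
}

int main(void)
{
    int a = find_first_arg();
    printf("first number: %d (func4(%d, 0, 14) = %d)\n", a, a, func4(a, 0, 14));
    printf("second number must be %d\n", 0x1f);
    return 0;
}
```

Running it reproduces Jester's arithmetic: the search visits 7, then 11, then 13, and 7 + 11 + 13 = 31, so 13 is the only first number in 0..14 that works, and the second number has to be 31 because phase_4 compares it directly rather than through func4. Enumerating 0..14 in C is the same brute force proposed in the question, just done once against a faithful reconstruction instead of fifteen gdb runs, and it also answers item 6: `-0x10(%ebp)` is the second parsed integer, not a copy of `%eax`.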

0 Answers