
Having some trouble figuring out what a specific segment in the binary bomb lab in x86 does.

```asm
0x08048ce8 <+0>:    sub    $0x1c,%esp
0x08048ceb <+3>:    movl   $0x804a4e4,(%esp)
0x08048cf2 <+10>:   call   0x804917b <string_length>
0x08048cf7 <+15>:   add    $0x1,%eax
0x08048cfa <+18>:   mov    %eax,(%esp)
0x08048cfd <+21>:   call   0x8048870 <malloc@plt>
0x08048d02 <+26>:   movl   $0x776f7242,(%eax)
0x08048d08 <+32>:   movl   $0x2c65696e,0x4(%eax)
0x08048d0f <+39>:   movl   $0x756f7920,0x8(%eax)
0x08048d16 <+46>:   movl   $0x65726120,0xc(%eax)
0x08048d1d <+53>:   movl   $0x696f6420,0x10(%eax)
0x08048d24 <+60>:   movl   $0x6120676e,0x14(%eax)
0x08048d2b <+67>:   movl   $0x63656820,0x18(%eax)
0x08048d32 <+74>:   movl   $0x666f206b,0x1c(%eax)
0x08048d39 <+81>:   movl   $0x6a206120,0x20(%eax)
0x08048d40 <+88>:   movl   $0x2e626f,0x24(%eax)
0x08048d47 <+95>:   movb   $0x62,0xc(%eax)
```

I'm not sure what the movl instructions after the malloc do. When I try to check what's in those addresses in gdb, I get "Cannot access memory at...". What is the point of those moves then?

EDIT

Thanks for the help on that malloc part. I'm still stuck, though; this is the segment directly after the above.

```asm
mov    %eax,0x4(%esp)    <== moves string loaded into malloc to esp
mov    0x20(%esp),%eax   <== takes user input and move to eax
mov    %eax,(%esp)       <== moves that user input back into esp?
call   0x804919a <strings_not_equal>
```
Steve Summit
    `%eax` holds the pointer returned by _malloc_. All those moves are moving immediate data values into the malloc'ed memory area. The values appear to be text encoded as 32 bit integers. 4 bytes of text can fit in a 32bit value. `movl $0x776f7242,(%eax)` for example appears to be moving the ascii characters of 0x42, 0x72, 0x6f, 0x77 (remember we are little endian so the order is reversed) to the first 4 bytes of the malloc'ed memory area. – Michael Petch Nov 04 '15 at 04:51
  • `mov %eax,0x4(%esp)` moves the 32 bit value in `%eax` to the memory location starting at 0x04+%esp . `mov 0x20(%esp),%eax` moves the 32-bit value starting at memory location %esp+0x20 and puts them in %eax. `mov %eax,(%esp)` moves the value in %eax to the memory location starting at 0x00+%esp. I recommend you look at some documentation about [80386 addressing modes](https://en.wikipedia.org/wiki/X86#Addressing_modes) and maybe https://cs.nyu.edu/courses/fall10/V22.0201-002/addressing_modes.pdf – Michael Petch Nov 04 '15 at 08:25

1 Answer


After malloc, EAX holds the base pointer to the recently malloc'd memory. Every subsequent movl is moving the double-word constant to the EAX with its appropriate offset. So clearly the movl's are just loading data into the recently malloc'd area.

twahlfeld