0

I'm having a bit of trouble understanding the following assembly code for the bomb lab. Running through it so far, I've figured out that the answer is supposed to be two decimal values. If not it will explode the bomb. Then, function 4 is making sure that the first value inputted is between 0 and 30. (0x1e) Then it jumps to func4 where it does something to my number. I understand up to the 

sub %esi,%eax

then I don't completely understand what is going on in the function. I've tried plugging in values and checking them in the registry but I still don't understand what is going in function 4.

My attempt at understanding it is that, first its setting registers equal to each other. Then its doing an arithmetic right shift by 31 (0x1f). Then its subtracting by 1 and adding it to eax. So, from what I understand its taking a number. Subtracting it by 1 and then adding them together? Such that the simplified formula would be (x-1)*x ?

Func_4

00000000004010b2 <func4>:
  4010b2:   55                      push   %rbp
  4010b3:   48 89 e5                mov    %rsp,%rbp
  4010b6:   89 d0                   mov    %edx,%eax
  4010b8:   29 f0                   sub    %esi,%eax
  4010ba:   89 c1                   mov    %eax,%ecx
  4010bc:   c1 e9 1f                shr    $0x1f,%ecx
  4010bf:   01 c8                   add    %ecx,%eax
  4010c1:   d1 f8                   sar    %eax
  4010c3:   8d 0c 30                lea    (%rax,%rsi,1),%ecx
  4010c6:   39 f9                   cmp    %edi,%ecx
  4010c8:   7e 0c                   jle    4010d6 <func4+0x24>
  4010ca:   8d 51 ff                lea    -0x1(%rcx),%edx
  4010cd:   e8 e0 ff ff ff          callq  4010b2 <func4>
  4010d2:   01 c0                   add    %eax,%eax
  4010d4:   eb 15                   jmp    4010eb <func4+0x39>
  4010d6:   b8 00 00 00 00          mov    $0x0,%eax
  4010db:   39 f9                   cmp    %edi,%ecx
  4010dd:   7d 0c                   jge    4010eb <func4+0x39>
  4010df:   8d 71 01                lea    0x1(%rcx),%esi
  4010e2:   e8 cb ff ff ff          callq  4010b2 <func4>
  4010e7:   8d 44 00 01             lea    0x1(%rax,%rax,1),%eax
  4010eb:   5d                      pop    %rbp
  4010ec:   c3                      retq

Phase_4

00000000004010ed <phase_4>:
  4010ed:   55                      push   %rbp
  4010ee:   48 89 e5                mov    %rsp,%rbp
  4010f1:   48 83 ec 10             sub    $0x10,%rsp
  4010f5:   48 8d 4d fc             lea    -0x4(%rbp),%rcx
  4010f9:   48 8d 55 f8             lea    -0x8(%rbp),%rdx
  4010fd:   be 6d 2a 40 00          mov    $0x402a6d,%esi
  401102:   b8 00 00 00 00          mov    $0x0,%eax
  401107:   e8 a4 fb ff ff          callq  400cb0 <__isoc99_sscanf@plt>
  40110c:   83 f8 02                cmp    $0x2,%eax
  40110f:   75 0b                   jne    40111c <phase_4+0x2f>
  401111:   8b 45 f8                mov    -0x8(%rbp),%eax
  401114:   83 e8 20                sub    $0x20,%eax
  401117:   83 f8 1e                cmp    $0x1e,%eax
  40111a:   76 05                   jbe    401121 <phase_4+0x34>
  40111c:   e8 b4 05 00 00          callq  4016d5 <explode_bomb>
  401121:   ba 3e 00 00 00          mov    $0x3e,%edx
  401126:   be 20 00 00 00          mov    $0x20,%esi
  40112b:   8b 7d f8                mov    -0x8(%rbp),%edi
  40112e:   e8 7f ff ff ff          callq  4010b2 <func4>
  401133:   83 f8 0e                cmp    $0xe,%eax
  401136:   75 06                   jne    40113e <phase_4+0x51>
  401138:   83 7d fc 0e             cmpl   $0xe,-0x4(%rbp)
  40113c:   74 05                   je     401143 <phase_4+0x56>
  40113e:   e8 92 05 00 00          callq  4016d5 <explode_bomb>
  401143:   c9                      leaveq 
  401144:   c3                      retq
Elliot Troy
  • 1
  • 2
  • The [linked question](https://stackoverflow.com/questions/32948514/having-trouble-with-bomb-lab-phase-4) is a 32 bit version of this (with slightly different numbers). For the initial part of `func4` see [this answer](https://stackoverflow.com/questions/19640148/binary-bomb-phase-4/19646901). – Jester Oct 08 '17 at 23:05
  • @Jester: I think a better dup target is https://stackoverflow.com/questions/19640148/binary-bomb-phase-4, the other question mentioned in a comment on the one you linked. That has the same pattern of `shr` by 31 to get the sign bit on its own at the bottom of a register. @ Elliot: have a look at the answer there. It may apply to yours, too. I checked the first few shifts / lea / cmp, and I think it's doing the same thing as yours, but I didn't look at the rest. – Peter Cordes Oct 09 '17 at 00:13
  • No, that one is doing a different calculation. The duplicate is doing the 2x/2x+1 thing that this does. But yeah, OP didn't get that far so in that sense that might be a better first step. – Jester Oct 09 '17 at 01:01

0 Answers0