
I'm trying to understand the following assembly code. I know the function takes 6 DWORDs as arguments.

sub rsp, 8                  ; stack alignment: rsp is 8 mod 16 on entry, so after this and the two pushes below it is 16-byte aligned at the call
mov rdx, rsi                ; rsi holds the pointer to the 6-DWORD array (a), not the first DWORD; 3rd arg (rdx) = &a[0]
lea rcx, [rsi + 4]          ; 4th arg (rcx) = &a[1]
lea rax, [rsi + 20]         ; &a[5]
push rax                    ; 8th arg: pushed first, so it ends up at [rsp+8] once the next push is done
lea rax, [rsi + 16]         ; &a[4]
push rax                    ; 7th arg: on the stack at [rsp]
lea r9, [rsi + 12]          ; 6th arg (r9) = &a[3]
lea r8, [rsi + 8]           ; 5th arg (r8) = &a[2]
mov esi, "\0x25\0x64\0x20"  ; 2nd arg (rsi) = address of the format string; IDA displays the bytes at that address, 0x25 0x64 0x20 = "%d "
mov eax, 0                  ; al = 0: number of vector-register args, required before calling a variadic function in the x86-64 System V convention
call __isoc99_sscanf        ; sscanf(rdi, fmt, &a[0], &a[1], &a[2], &a[3], &a[4], &a[5]); rdi (the input string) is passed through unchanged from the caller

I basically tried to translate it already but I'm stuck on what exactly happens when sscanf is called. I've been at this for over three hours and it's driving me crazy. Needless to say, I'm a relative assembly beginner, which makes this even more difficult.

EDIT: Thanks for your answers so far. As mentioned, being a relative beginner means my comments might not be super useful. I didn't disassemble the file myself; I used IDA.

S. L.
  • The thing moved into `esi` is a pointer to the format string; you disassembled that wrong. The two `lea rcx` are also suspicious; the latter is overwriting the former. Also, `rsi + 16` is missing (`rsi + 12` might be an 8 byte value). Anyway, given that this is a `sscanf` there isn't much magic happening, it's just parsing a bunch of values. – Jester Nov 07 '17 at 14:08
  • The reason why you don't understand is that your comments are useless. They simply explain what the code already does. Try writing comments that explain *why* something is happening. It's obvious a DWORD is being moved and 0 loaded into eax, but *why* is what the comments should answer, to give the code context. – Rafael Nov 07 '17 at 14:12
  • It's barely more than `sscanf(foo, fmt, &a[0], &a[1], &a[2], &a[3], &a[4], &a[5])`. This isn't the `read_six_numbers` from the bomb lab by accident, is it? :) – Jester Nov 07 '17 at 14:26
  • @Jester that's exactly the one :D CS ETH? – S. L. Nov 07 '17 at 14:39
  • (every common answerer in assembly on SO knows bomblab ... not because it's being taught everywhere around the world, but because there's usually at least one new SO question per week, or more ... although you seem to be stuck very early, which looks to me like you are actually truly trying to work it out, how it really works; many others probably sort of guesstimate correct answers for the early easier ones, and hit serious problems later, so keep it up ... the purpose of the challenge sort of eludes me, it's hard to break it without proper asm knowledge, yet people rush through it like mad) – Ped7g Nov 07 '17 at 14:43
  • Yeah I don't see the point of guesstimating, it really is about understanding what is happening and learn to apply that to real-life challenges... – S. L. Nov 07 '17 at 14:48
  • Ok, so just make sure you understand the mentioned difference of `mov esi,"..."` (the real instruction is like `mov esi,0x12345`, loading a 32-bit memory address into `esi`; the displayed disassembly shows instead the memory content pointed to by the pointer, but actually it uses a weird `\0xXX` encoding of perfectly printable ASCII chars (it's `"%d "`), not sure why IDA chose that `\#` encoding, maybe it expects UTF-16 for strings and those are not valid glyphs). Make sure you control your tools (IDA, gdb, ...) enough to view both variants, machine code, and memory. Rest is clear now? – Ped7g Nov 07 '17 at 15:29
  • You can look up what `sscanf` (the C function) does. This code is just calling it with 6 stack addresses. `al` = number of FP args in xmm registers (= 0 here) is required for variadic functions in the x86-64 System V calling convention (which this is using) – Peter Cordes Nov 07 '17 at 15:49
  • [sscanf documentation](http://en.cppreference.com/w/c/io/fscanf) – Peter Cordes Nov 07 '17 at 15:55

0 Answers