
I'm working on the common bomblab project that many are probably familiar with.

This is the assembly dump:

Breakpoint 1, 0x0000000000400f26 in phase_2 ()
(gdb) disas
Dump of assembler code for function phase_2:
=> 0x0000000000400f26 <+0>: push   %rbx
   0x0000000000400f27 <+1>: sub    $0x20,%rsp
   0x0000000000400f2b <+5>: mov    %rsp,%rsi
   0x0000000000400f2e <+8>: callq  0x40158d <read_six_numbers>
   0x0000000000400f33 <+13>: cmpl   $0x0,(%rsp)
   0x0000000000400f37 <+17>: js     0x400f40 <phase_2+26>
   0x0000000000400f39 <+19>:    mov    $0x1,%ebx
   0x0000000000400f3e <+24>:    jmp    0x400f51 <phase_2+43>
   0x0000000000400f40 <+26>:    callq  0x401557 <explode_bomb>
   0x0000000000400f45 <+31>:    jmp    0x400f39 <phase_2+19>
   0x0000000000400f47 <+33>:    add    $0x1,%rbx
   0x0000000000400f4b <+37>:    cmp    $0x6,%rbx
   0x0000000000400f4f <+41>:    je     0x400f63 <phase_2+61>
   0x0000000000400f51 <+43>:    mov    %ebx,%eax
   0x0000000000400f53 <+45>:    add    -0x4(%rsp,%rbx,4),%eax
   0x0000000000400f57 <+49>:    cmp    %eax,(%rsp,%rbx,4)
   0x0000000000400f5a <+52>:    je     0x400f47 <phase_2+33>
   0x0000000000400f5c <+54>:    callq  0x401557 <explode_bomb>
   0x0000000000400f61 <+59>:    jmp    0x400f47 <phase_2+33>
   0x0000000000400f63 <+61>:    add    $0x20,%rsp
   0x0000000000400f67 <+65>:    pop    %rbx
   0x0000000000400f68 <+66>:    retq   
End of assembler dump.

So far, I've managed to translate the above assembly into this pseudo code:

def phase_2():
    rbx = 0
    user_input = read_six_numbers()
    if user_input[0] < 0:
        detonate_bomb()
    else:
        ebx = 1
        while rbx < 6:
            eax = ebx
            eax += user_input[rbx - 1] # is equivalent to add -0x4(%rsp, %rbx, 4), %eax assuming rsp points to base address of user_input?
            if eax != user_input[rbx]:
                detonate_bomb()
            rbx += 1

        return

In my code, rbx = 0 because when I set a breakpoint at phase_2 and checked the contents of rbx, it showed that rbx = 0:

(gdb) i r
rax            0x6049d0 6310352
rbx            0x0  0

but if rbx is initially 0, when we first access user_input in the while loop, user_input[rbx - 1] will give us user_input[-1] which is out of bounds.

I've run over the assembly many times and I cannot seem to understand what I've got wrong. Can someone please help me walk through my mistake?

Ietpt123
  • [Don't post pictures of text](https://idownvotedbecau.se/imageofcode). Copy/paste so people can search if they have the same code. Other than that your question looks good, and you've already made a solid attempt, so let me know when you fix that problem and I'll change my vote. – Peter Cordes Mar 17 '20 at 21:46
  • @PeterCordes You're right, I changed it. – Ietpt123 Mar 17 '20 at 21:48
  • 3
    As your own pseudocode shows `ebx = 1`. You do know that `ebx` is the low 32 bits of `rbx`, right? So by that assignment `rbx = 1` as well. – Jester Mar 17 '20 at 22:45
  • @Jester Oh geez man – Ietpt123 Mar 17 '20 at 22:53
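A worked C translation of the posted phase_2 disassembly, added here as an example; it is not part of the question, the comments, or the bomblab handout, and `phase_2_check`, `phase_2_solve` and the sample arrays are names and values constructed for this example. It models `read_six_numbers` as having already filled a six-element int32 array at `(%rsp)`, replaces `explode_bomb` with a return value of 0, and makes the point from the comments explicit: `mov $0x1,%ebx` zero-extends into `rbx`, so the first iteration reads `a[0]`, not `a[-1]`. Because the loop enforces `a[i] == a[i-1] + i` for `i = 1..5`, the example also goes one step beyond the question and derives a defusing sequence for any chosen non-negative first number.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors phase_2 from the posted disassembly. The six numbers that
 * read_six_numbers stored at (%rsp) are modelled as the int32 array a[6].
 * Returns 1 if the input defuses the phase and 0 wherever the original
 * would have called explode_bomb. (Example code, not the bomblab source.) */
int phase_2_check(const int32_t a[6])
{
    /* cmpl $0x0,(%rsp); js explode_bomb  -> a[0] must not be negative */
    if (a[0] < 0)
        return 0;

    /* mov $0x1,%ebx -> rbx = 1, since writing ebx zero-extends into rbx.
     * The loop body runs first and the add/cmp $0x6 follows, but with a
     * starting value of 1 that is the same as this for loop. */
    for (uint64_t rbx = 1; rbx < 6; rbx++) {
        /* mov %ebx,%eax; add -0x4(%rsp,%rbx,4),%eax -> eax = rbx + a[rbx-1].
         * Done in uint32_t so a 32-bit wraparound behaves like the CPU
         * instead of being undefined signed overflow in C. */
        uint32_t eax = (uint32_t)rbx + (uint32_t)a[rbx - 1];

        /* cmp %eax,(%rsp,%rbx,4); je next-iteration, else explode_bomb */
        if ((uint32_t)a[rbx] != eax)
            return 0;
    }
    return 1;                      /* add $0x20,%rsp; pop %rbx; retq */
}

/* Builds the only sequence that passes phase_2_check for a chosen first
 * number: a[i] = a[i-1] + i. Returns 0 (and fills nothing) if first is
 * negative, because the js check would explode on it anyway. */
int phase_2_solve(int32_t first, int32_t out[6])
{
    if (first < 0)
        return 0;
    out[0] = first;
    for (int i = 1; i < 6; i++)
        out[i] = (int32_t)((uint32_t)out[i - 1] + (uint32_t)i);
    return 1;
}

int main(void)
{
    int32_t a[6];
    if (phase_2_solve(0, a)) {     /* first number 0 gives 0 1 3 6 10 15 */
        for (int i = 0; i < 6; i++)
            printf("%d%c", a[i], i == 5 ? '\n' : ' ');
        printf("phase_2_check: %d\n", phase_2_check(a));
    }
    return 0;
}
```

The indexing in `phase_2_check` is exactly the address arithmetic in the disassembly: `(%rsp,%rbx,4)` is `a[rbx]` and `-0x4(%rsp,%rbx,4)` is `a[rbx-1]`, so the first read is `a[0]` only because `rbx` is already 1 when the loop is entered.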

0 Answers