
Doing some basic reverse engineering of x86 assembly code into C, but I am struggling to understand what this particular function, named phase2, is doing at the start.

Click here to see the assembly code (sorry, can't post images yet)

Specifically this part right here:

```
call   0x5555555550b0 <__isoc99_sscanf@plt>
cmp    $0x2,%eax
jne    0x555555555761 <phase2+86>
```

my best guess is that this translates to

```
if (scanf() == 2) {
```

At first I thought that maybe this was checking if the return value of scanf() == 2, but that doesn't really make sense in this context, since the result never seems to be 2.

RTT
  • 2
    Yes, it's checking the number of successful conversions. If it's not returning `2`, then enter text for that phase of the bomb that matches the format string, e.g. two numbers if it's `"%d%d"` or something. It's always a good idea to check the return value of `scanf` / `sscanf` before using the results, otherwise it might not have written all the variables. – Peter Cordes Oct 01 '22 at 01:21
  • You should be able to answer that using a reference to standard library function `scanf`. – Erik Eidt Oct 01 '22 at 01:24
  • Isn't that `sscanf`, not `scanf`? It's parsing from a string, not from `stdin` (though I suppose `scanf` could conceivably be implemented as `sscanf` against the internal buffer for `stdin`...). – ShadowRanger Oct 01 '22 at 01:25
  • @PeterCordes Could you elaborate on what you mean by successful conversions? After printing out %rsi I found `%d %[^\n]`, which looks like the format string. Would this mean I am to pass just 1 number? – RTT Oct 01 '22 at 01:26
  • @ShadowRanger oh, you're right, I didn't know sscanf was a real thing. But what string is it parsing and how would I know? I have printed out all the registers before, but all I have found was `%d %[^\n]` from %rsi – RTT Oct 01 '22 at 01:28
  • 1
    [How do we test the return values from the scanf() function?](https://stackoverflow.com/q/10084224) is another duplicate that explains in general. `%[` is another conversion, for a string matching a character-set. In this case, negated, so matching a string of non-newline characters, separated from the number by whitespace. Found another duplicate for [How does scanf(" %\[^\n\]", str); work in C Programming?](https://stackoverflow.com/q/40038538) if looking up `%[` in the scanf documentation didn't help. – Peter Cordes Oct 01 '22 at 01:28
  • 1
    @PeterCordes Thank you, with your advice I solved the puzzle! – RTT Oct 01 '22 at 01:44
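A C reconstruction of the check discussed above, added here as an example; it is not code from the question or from the bomb binary. The format string `%d %[^\n]` is the one found in %rsi; the `63` width limit, the `TEXT_CAP` buffer size and the sample inputs are additions.

```c
#include <stdio.h>
#include <string.h>

/* Buffer for the %[^\n] conversion. The bomb's own format string
 * "%d %[^\n]" has no width, so an unbounded %[ writes every matching
 * character; the 63 below (TEXT_CAP - 1, leaving room for the NUL)
 * is an addition that bounds the write. */
#define TEXT_CAP 64

/* Mirror of the decompiled call: parse like phase2's sscanf and return
 * the conversion count that lands in %eax (EOF, i.e. -1, on empty input). */
int phase2_scan(const char *input, int *number, char text[TEXT_CAP])
{
    text[0] = '\0';
    /* "%d %[^\n]": an int, optional whitespace, then all chars up to a newline */
    return sscanf(input, "%d %63[^\n]", number, text);
}

/* The branch from the assembly: cmp $0x2,%eax / jne <phase2+86>
 * falls through only when both conversions succeeded. */
int phase2_both_fields_present(const char *input)
{
    int n;
    char text[TEXT_CAP];
    return phase2_scan(input, &n, text) == 2;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the bomb. */
    const char *samples[] = { "42 some words here", "42", "forty two", "" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = 0;
        char text[TEXT_CAP];
        int rc = phase2_scan(samples[i], &n, text);
        printf("\"%s\" -> sscanf returned %d (%s)\n", samples[i], rc,
               rc == 2 ? "jne not taken" : "jne taken");
    }
    return 0;
}
```

Only an input with a number followed by further non-newline text yields 2; a lone number stops at the `%[` conversion and returns 1, which is why the fall-through path was never reached with single-number input.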
