This is a hw problem. I am not asking for the answer to not have 'explode_bomb' ever run. I am asking for clarification/guidance on what is happening in a small segment of code.
This is what I'm trying to figure out (what is happening at the [0x8(%ebx)] code below)? Doesn't 0x8(%register) mean its accessing the value at the memory address %register+0x8? It doesn't look like a memory address is being stored there... I know it is a vague question. I marked the lines I don't understand as LINEXXX-HexAddress** in the psuedoesque code. [The LINEXXX - are the line numbers from ddd-it didn't let me copy from ddd so I used objdump...]
Thank you so much, Any small tips are appreciated.
Some pseudo code I made to help me better see what is happening:
example input-> "6 89 79 69 59 49"
eax = "6 89 79 69 59 49"
after stuff (read_six_numbers)
eax = 6
edi=0 -> 6
edi=1 -> 89
edi=2 -> 79
edi=3 -> 69
edi=4 -> 59
edi=5 -> 49
naming this as array[]
eax = array[edi];
if((unsigned int)eax > 5) explodebomb();
if(esi==6)goto Line109
if(eax == array[esi-1]) explodebomb();
if(5<=ebx)goto Line58;
else goto Line31;
edx = *edx + 8;
if(ecx != eax)goto Line85;
if(6 != ebx) goto Line114;
goto Line137
ebx = 0;
eax = 1;
if(1>ecx)goto Line85;
goto Line95;
LINE145-0x08048f02**** 0x8(ebx)=eax;
LINE152-0x08048f09**** 0x8(eax)=edx;
LINE159-0x08048f10**** 0x8(edx)=eax;
LINE166-0x08048f17**** 0x8(eax)=edx;
LINE173-0x08048f1e**** 0x8(edx)=eax;
LINE176-0x08048f21**** 0x8(eax)=eax;
LINE188-0x08048f2d**** eax=0x8(ebx);
if(!(edx >= (ebx))) explodebomb();
LINE202-0x08048f3b**** ebx=0x8(ebx);
if(edx != (ebx)) goto Line188;
return eax;
Assembly code:
08048e71 <phase_6>:
8048e71: 57 push %edi
8048e72: 56 push %esi
8048e73: 53 push %ebx
8048e74: 83 ec 40 sub $0x40,%esp
8048e77: 8d 44 24 28 lea 0x28(%esp),%eax
8048e7b: 89 44 24 04 mov %eax,0x4(%esp)
8048e7f: 8b 44 24 50 mov 0x50(%esp),%eax
8048e83: 89 04 24 mov %eax,(%esp)
8048e86: e8 ce 05 00 00 call 8049459 <read_six_numbers>
8048e8b: bf 00 00 00 00 mov $0x0,%edi
8048e90: 8b 44 bc 28 mov 0x28(%esp,%edi,4),%eax
8048e94: 83 e8 01 sub $0x1,%eax
8048e97: 83 f8 05 cmp $0x5,%eax
8048e9a: 76 05 jbe 8048ea1 <phase_6+0x30>
8048e9c: e8 6d 04 00 00 call 804930e <explode_bomb>
8048ea1: 8d 77 01 lea 0x1(%edi),%esi
8048ea4: 83 fe 06 cmp $0x6,%esi
8048ea7: 74 35 je 8048ede <phase_6+0x6d>
8048ea9: 89 f3 mov %esi,%ebx
8048eab: 8b 44 9c 28 mov 0x28(%esp,%ebx,4),%eax
8048eaf: 39 44 b4 24 cmp %eax,0x24(%esp,%esi,4)
8048eb3: 75 05 jne 8048eba <phase_6+0x49>
8048eb5: e8 54 04 00 00 call 804930e <explode_bomb>
8048eba: 83 c3 01 add $0x1,%ebx
8048ebd: 89 f7 mov %esi,%edi
8048ebf: 83 fb 05 cmp $0x5,%ebx
8048ec2: 7e e7 jle 8048eab <phase_6+0x3a>
8048ec4: eb ca jmp 8048e90 <phase_6+0x1f>
8048ec6: 8b 52 08 mov 0x8(%edx),%edx
8048ec9: 83 c0 01 add $0x1,%eax
8048ecc: 39 c8 cmp %ecx,%eax
8048ece: 75 f6 jne 8048ec6 <phase_6+0x55>
8048ed0: 89 54 b4 10 mov %edx,0x10(%esp,%esi,4)
8048ed4: 83 c3 01 add $0x1,%ebx
8048ed7: 83 fb 06 cmp $0x6,%ebx
8048eda: 75 07 jne 8048ee3 <phase_6+0x72>
8048edc: eb 1c jmp 8048efa <phase_6+0x89>
8048ede: bb 00 00 00 00 mov $0x0,%ebx
8048ee3: 89 de mov %ebx,%esi
8048ee5: 8b 4c 9c 28 mov 0x28(%esp,%ebx,4),%ecx
8048ee9: b8 01 00 00 00 mov $0x1,%eax
8048eee: ba 54 c1 04 08 mov $0x804c154,%edx
8048ef3: 83 f9 01 cmp $0x1,%ecx
8048ef6: 7f ce jg 8048ec6 <phase_6+0x55>
8048ef8: eb d6 jmp 8048ed0 <phase_6+0x5f>
8048efa: 8b 5c 24 10 mov 0x10(%esp),%ebx
8048efe: 8b 44 24 14 mov 0x14(%esp),%eax
8048f02: 89 43 08 mov %eax,0x8(%ebx)
8048f05: 8b 54 24 18 mov 0x18(%esp),%edx
8048f09: 89 50 08 mov %edx,0x8(%eax)
8048f0c: 8b 44 24 1c mov 0x1c(%esp),%eax
8048f10: 89 42 08 mov %eax,0x8(%edx)
8048f13: 8b 54 24 20 mov 0x20(%esp),%edx
8048f17: 89 50 08 mov %edx,0x8(%eax)
8048f1a: 8b 44 24 24 mov 0x24(%esp),%eax
8048f1e: 89 42 08 mov %eax,0x8(%edx)
8048f21: c7 40 08 00 00 00 00 movl $0x0,0x8(%eax)
8048f28: be 05 00 00 00 mov $0x5,%esi
8048f2d: 8b 43 08 mov 0x8(%ebx),%eax
8048f30: 8b 10 mov (%eax),%edx
8048f32: 39 13 cmp %edx,(%ebx)
8048f34: 7d 05 jge 8048f3b <phase_6+0xca>
8048f36: e8 d3 03 00 00 call 804930e <explode_bomb>
8048f3b: 8b 5b 08 mov 0x8(%ebx),%ebx
8048f3e: 83 ee 01 sub $0x1,%esi
8048f41: 75 ea jne 8048f2d <phase_6+0xbc>
8048f43: 83 c4 40 add $0x40,%esp
8048f46: 5b pop %ebx
8048f47: 5e pop %esi
8048f48: 5f pop %edi
8048f49: c3 ret
I don't want to reveal too much, but here are some hints:
- esp+0x28
) is populated with pointers that are taken from some global data. This data seems to start from offset 0x804c154 (see offset 0x8048eee in your listing)later on, starting from offset 0x8048efa in your listing, the array mentioned in #1 is referenced, this is how I understand it (this is psuedo code...):
struct s {
int value;
int ??;
struct s * next;
// in esp+0x10
struct s *point_arr[6];
point_arr[0]->next = &point_arr[1];
point_arr[1]->next = &point_arr[2];
point_arr[2]->next = &point_arr[3];
point_arr[3]->next = &point_arr[4];
point_arr[4]->next = &point_arr[5];
point_arr[5]->next = NULL;
After this, there is a check (in a loop) that (point_arr[i]->value > point_arr[i-1]->value
So, when you say no memory address is stored in %ebx, it is not accurate. The memory address is stored in %esp+0x10
and %esp+0x10
is stored in %ebx