diffusing a binary bomb phase_3

>>      - 1, after line 8051a41:       83 f8 01                cmp    $0x1,%eax
         -This one jumps over only if eax is greater than 1.

The other way around ;) The jump is made if 1 is greater than eax.

>> So I'm guessing its supposed 2 or more numbers... and eax keeps track of them.

eax is the return value of the call to function 8051558.




>>          -I'm not sure about this jmp instruction... I think its an unconditional jump, so that explode_bomb is there just to mess with us?

jmp is an unconditional jump indeed.

The explode_bomb is not just there to mess with you though. Do you see where this instruction jumps to ?

>>  8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>



>>         -now, that's a jump when equal... so
>>  8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx  has to be true, and ebx is given at this instruction: 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx

Sure ...



>> So... ebx is one of the numbers I need, right?

Don't jump to conclusions just yet. But you're going in the right direction.

>>The explode_bomb is not just there to mess with you though. Do you see where this instruction jumps to ?

>>  8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>

Yes, it jumps to a call to explode_bomb near the end of the program...
8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>

That's a jump address instruction though... isn't that just like the jmp instruction??

>>Don't jump to conclusions just yet. But you're going in the right direction.

right direction... that's good to hear, so, what am I missing? the 2nd number? some calculation I didn't see?

>> Yes, it jumps to a call to explode_bomb near the end of the program...
>> 8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>

More specifically the one you assumed was there just to mess with you ;)


>> That's a jump address instruction though... isn't that just like the jmp instruction??

ja == jump if above. It's like jg, but for unsigned integer values.


>> so, what am I missing? the 2nd number? some calculation I didn't see?

Well, first figure out where the two numbers that are read in are placed ... I assume that the call 8051558 is a call to the standard fscanf function, which would mean that its second argument ($0x805237e) is the format string. Check that to see which format string it is. The arguments after that will contain the values read from the user.

>>Well, first figure out where the two numbers that are read in are placed ... I assume that the call 8051558 is a call to the standard fscanf function, which would mean that its second argument ($0x805237e) is the format string. Check that to see which format string it is. The arguments after that will contain the values read from the user.

after $0x805237e, there's pushl  0x8(%ebp), so the numbers are getting stored in an array?

And I know numbers because our professor was kind enough to tell us what we need to be looking for, phase 6 has symbols... *oh joy...*

$0x805237e is the address is a string literal. You can use your debugger to find out which one.

>> after $0x805237e, there's pushl  0x8(%ebp), so the numbers are getting stored in an array?

Remember that function arguments are pushed in reverse order. 0x8(%ebp) is the first argument, $0x805237e is the second, etc.
Do you know how the fscanf function works ?

        http://cplusplus.com/reference/clibrary/cstdio/fscanf/


>> And I know numbers because our professor was kind enough to tell us what we need to be looking for

Good. You know you need two numbers. You just need to know where they are stored in memory (on the stack) ;)

>>Good. You know you need two numbers. You just need to know where they are stored in memory (on the stack) ;)

Isn't ebx one of them?

>>Do you know how the fscanf function works ?

Yeah, i've used fscanf before, it basically reads one line from a file, right?

now that I look at the code again... I am somewhat confused by this line:
8051a54:       ff 24 85 bc 22 05 08    jmp    *0x80522bc(,%eax,4)

is that jumping to a function pointer?

Oh... and I realized what I thought was just there to mess us up, it was these lines:
 
 8051a8b:       eb 05                   jmp    8051a92 <phase_3+0x75>
 8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>

jmp is an unconditional jump instruction... it just jumps to a certain location when the program reaches that line, correct?

>> Yeah, i've used fscanf before, it basically reads one line from a file, right?

It reads certain values from input depending on the format string. So, for example if the format string contains "%d %d", that means it'll try to read two integer values. Did you already check the format string ?

The locations where the values are read are given as extra parameters to the fscanf function.

>> Isn't ebx one of them?

No. ebx is not passed as argument to fscanf.


>> I am somewhat confused by this line:

Don't jump ahead. First know what you're dealing with. Where are the two numbers that the user gave ?

>> it just jumps to a certain location when the program reaches that line, correct?

Right. I've already confirmed that here : http:#24248071

so that call to bomb under jump was just to trick us, right?

It goes right over it and jumps to 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp)

and if that's greater than 5, jumps to the explode bomb part...

and if its not, then it jumps to 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx

Since we know that ebx is set to 0 (8051a24:       bb 00 00 00 00          mov    $0x0,%ebx), we would just need to follow these calculations, right?
8051a5b:       81 c3 a9 01 00 00       add    $0x1a9,%ebx
 8051a61:       81 eb 7d 01 00 00       sub    $0x17d,%ebx
 8051a67:       81 c3 82 00 00 00       add    $0x82,%ebx
 8051a6d:       81 eb 69 02 00 00       sub    $0x269,%ebx
 8051a73:       81 c3 27 01 00 00       add    $0x127,%ebx
 8051a79:       81 eb b8 02 00 00       sub    $0x2b8,%ebx
 8051a7f:       81 c3 b8 02 00 00       add    $0x2b8,%ebx
 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx

So... to get past 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp), the number has to be less than or equal to 5.

And, since the jump instruction after 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx is a jump equal... we just need to figure out what one of them comes out to... and we got the solution?

first number is less than or equal to 5, and 2nd is whatever ebx is at 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx?

Or am I jumping too ahead again? lack of sleep + excitement over finally getting this bomb over with makes me jittery...

I just calculated what ebx is supposed to be at 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx, its -1134.

and no... apparently I did jump the gun... again.. what'd I do wrong?

>>Don't jump ahead. First know what you're dealing with. Where are the two numbers that the user gave ?

They would be in... 8051a36:       ff 75 08                pushl  0x8(%ebp), correct?

>>Remember that function arguments are pushed in reverse order. 0x8(%ebp) is the first argument, $0x805237e is the second, etc.

Wait... aren't word sizes usually 4? how come the 2nd number isn't 0x4(%ebp)?

maybe... I should sleep for a bit.. my mind starts to get a lil jumpy around 4:36 am... lol =(

>> so that call to bomb under jump was just to trick us, right?

No, it's not. As i said earlier, this jump instruction jumps to that line :

>>  8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>


>> >>Don't jump ahead. First know what you're dealing with. Where are the two numbers that the user gave ?
>> They would be in... 8051a36:       ff 75 08                pushl  0x8(%ebp), correct?

No. I already told you that that's NOT the numbers - it is the FIRST parameter of fscanf. What you are looking for are the parameters after the format. See here : http:#24248324

It's a bit hard if I have to repeat everything several times ;)

hm... ok

 8051a21:       83 ec 14                sub    $0x14,%esp
 8051a3e:       83 c4 10                add    $0x10,%esp

>>Good. You know you need two numbers. You just need to know where they are stored in memory (on the stack) ;)

those 2 statements leave a difference of 4... so the values the user enters are in that space?

But if they are... those values aren't getting moved to anything.. right? So what are they getting compared to?

Please re-read the last few lines of my previous post ...

>>No. I already told you that that's NOT the numbers - it is the FIRST parameter of fscanf. What you are looking for are the parameters after the format. See here : http:#24248324

Those? But you said the numbers were on the stack...

And.. 8051a31:       68 7e 23 05 08          push   $0x805237e gets pushed onto the stack?

fscanf (pFile, "%f", &f);... so... the numbers are right after 0x805237e gets pushed onto the stack?

wait... the stack is different from regular registers.. right? so each offset of the stack can store its values?

 8051a21:       83 ec 14                sub    $0x14,%esp
 8051a3e:       83 c4 10                add    $0x10,%esp

like I said in my previous post... there is a difference of 4 after those instructions are carried out... so, according to fscanf (pFile, "%f", &f); (which I got from the link you gave me), first variable is the file, 2nd the format, and the 3rd and 4th are the numbers?

It... kinda fits, right?

>> first variable is the file, 2nd the format, and the 3rd and 4th are the numbers?

Yes, so which ones are the numbers ?

The sub and add have nothing to do with it. If a function takes 4 parameters, then those 4 parameters are pushed onto the stack (in reverse order) before the function is called.

>>The sub and add have nothing to do with it. If a function takes 4 parameters, then those 4 parameters are pushed onto the stack (in reverse order) before the function is called.

Uh... could you please explain that?

If the sub and add have nothing to do with it... where are they getting stored? in ebp?

hm... it couldn't be in eax... could it?

8051a29:       8d 45 f8                lea    0xfffffff8(%ebp),%eax
 8051a2c:       50                      push   %eax
 8051a2d:       8d 45 f4                lea    0xfffffff4(%ebp),%eax
 8051a30:       50                      push   %eax

???

>> Uh... could you please explain that?

Explain what ? Which part of that phrase wasn't clear ?


>> in ebp?

If you read back through all your threads about this, you'll find that it has been explained several times already that ebp is the base pointer, which points to the start of the current stack frame. It would make no sense to save a number in there.


>> hm... it couldn't be in eax... could it?

Again, if you read back, you'll find an explanation of how the lea instruction works ...

>>Explain what ? Which part of that phrase wasn't clear ?

You said that the numbers got pushed onto the stack in reverse order before the function was called... so how come sub and add don't have anything to do with it?

When I was doing phase 2... I thought you said subtracting the esp was the same as allocating memory?

>>Again, if you read back, you'll find an explanation of how the lea instruction works ..

LEA Load effective address LEA Dest,Source Dest := address of Source

It calculates the address and stores it in the register... right?

>> I thought you said subtracting the esp was the same as allocating memory?

Yes, but we're looking for the numbers now, not for a block of allocated memory.

>> It calculates the address and stores it in the register... right?

Yes, so ... continue that thought.

Am I right here?

 08051a1d <phase_3>:
 8051a1d:       55                      push   %ebp
 8051a1e:       89 e5                   mov    %esp,%ebp
 8051a20:       53                      push   %ebx

---------------------------------------------------------
Just pushing registers onto the stack, so far:
ebp = esp
ebx on the stack
---------------------------------------------------------

 8051a21:       83 ec 14                sub    $0x14,%esp

---------------------------------------------------------
esp - 14
---------------------------------------------------------

 8051a24:       bb 00 00 00 00          mov    $0x0,%ebx

---------------------------------------------------------
ebx = 0
---------------------------------------------------------

 8051a29:       8d 45 f8                lea    0xfffffff8(%ebp),%eax
 8051a2c:       50                      push   %eax

---------------------------------------------------------
new address loaded into eax and eax is pushed onto the stack
---------------------------------------------------------

 8051a2d:       8d 45 f4                lea    0xfffffff4(%ebp),%eax
 8051a30:       50                      push   %eax

---------------------------------------------------------
new address loaded into eax and eax is pushed onto the stack
---------------------------------------------------------

 8051a31:       68 7e 23 05 08          push   $0x805237e
 8051a36:       ff 75 08                pushl  0x8(%ebp)

---------------------------------------------------------
$0x805237e and 0x8(%ebp) are pushed onto the stack
---------------------------------------------------------

 8051a39:       e8 1a fb ff ff          call   8051558 <_PROCEDURE_LINKAGE_TABLE_+0xb0>
 8051a3e:       83 c4 10                add    $0x10,%esp

---------------------------------------------------------
there's a call to <procedure_linkage_table>, that has nothing to do with this answer, tho right?
esp + 10
---------------------------------------------------------

 8051a41:       83 f8 01                cmp    $0x1,%eax
 8051a44:       7f 05                   jg     8051a4b <phase_3+0x2e>
 8051a46:       e8 61 07 00 00          call   80521ac <explode_bomb>

---------------------------------------------------------
As you had corrected... if 1 is greater than eax, so eax needs to be < 1?
---------------------------------------------------------

 8051a4b:       83 7d f4 07             cmpl   $0x7,0xfffffff4(%ebp)
 8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>

---------------------------------------------------------
I'm going to assume cmpl works the same way as cmp... so,
if $0x7 is greater than 0xfffffff4(%ebp), the jump will take place?
---------------------------------------------------------

 8051a51:       8b 45 f4                mov    0xfffffff4(%ebp),%eax
 8051a54:       ff 24 85 bc 22 05 08    jmp    *0x80522bc(,%eax,4)

---------------------------------------------------------
eax = 0xfffffff4(%ebp)
and an unconditional jump takes place
---------------------------------------------------------

 8051a5b:       81 c3 a9 01 00 00       add    $0x1a9,%ebx
 8051a61:       81 eb 7d 01 00 00       sub    $0x17d,%ebx
 8051a67:       81 c3 82 00 00 00       add    $0x82,%ebx
 8051a6d:       81 eb 69 02 00 00       sub    $0x269,%ebx
 8051a73:       81 c3 27 01 00 00       add    $0x127,%ebx
 8051a79:       81 eb b8 02 00 00       sub    $0x2b8,%ebx
 8051a7f:       81 c3 b8 02 00 00       add    $0x2b8,%ebx
 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx
 8051a8b:       eb 05                   jmp    8051a92 <phase_3+0x75>
 8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>

---------------------------------------------------------
A huge mess of calculations, and then an unconditional jump.
---------------------------------------------------------

 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp)
 8051a96:       7f 05                   jg     8051a9d <phase_3+0x80>

---------------------------------------------------------
if 5 greater than 0xfffffff4(%ebp), the jump would take place?
---------------------------------------------------------

 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx
 8051a9b:       74 05                   je     8051aa2 <phase_3+0x85>

---------------------------------------------------------
that jump will only take place if 0xfffffff8(%ebp) and %ebx are equal
---------------------------------------------------------

 8051a9d:       e8 0a 07 00 00          call   80521ac <explode_bomb>
 8051aa2:       8b 5d fc                mov    0xfffffffc(%ebp),%ebx

---------------------------------------------------------
so... ebx is a return value?
---------------------------------------------------------

 8051aa5:       c9                      leave
 8051aa6:       c3                      ret

>>Yes, so ... continue that thought.

Uh... continue what now?

>>If you read back through all your threads about this, you'll find that it has been explained several times already that ebp is the base pointer, which points to the start of the current stack frame. It would make no sense to save a number in there.

The only place lea used is:

 8051a29:       8d 45 f8                lea    0xfffffff8(%ebp),%eax
 8051a2c:       50                      push   %eax
 8051a2d:       8d 45 f4                lea    0xfffffff4(%ebp),%eax
 8051a30:       50                      push   %eax

are you saying that we calculate that number with 8051a1d being ebp?

so... you are saying that the numbers aren't stored at ebx... but they are stored at these addresses?
0xfffffff8(%ebp) and 0xfffffff4(%ebp)???

>> there's a call to <procedure_linkage_table>, that has nothing to do with this answer, tho right?

That's the call to fscanf ... The one we've been talking about all along ... So, it most certainly has got something to do with the "answer" ;)


>> The only place lea used is:

Yes ... And we were looking for the locations of the two numbers ... So ...

uhm... could I get a little more help mere? after the fscanf call... there's just the

 8051a3e:       83 c4 10                add    $0x10,%esp
 8051a41:       83 f8 01                cmp    $0x1,%eax

And...
 8051a29:       8d 45 f8                lea    0xfffffff8(%ebp),%eax
 8051a2c:       50                      push   %eax
 8051a2d:       8d 45 f4                lea    0xfffffff4(%ebp),%eax
 8051a30:       50                      push   %eax

I can see that eax gets pushed onto the stack... but what is going on here?

hm... could you please tell me what 8051a54:       ff 24 85 bc 22 05 08    jmp    *0x80522bc(,%eax,4) is doing?

>>Now we're getting somewhere :) So, the two numbers will be in 0xfffffff8(%ebp) and 0xfffffff4(%ebp) resp. The rest of the phase_3 function (after the fscanf call) will use these two numbers, and will check their values to see if they are correct.

Ok... but what does it check those numbers against?

I can see one of them is here... cmp    0xfffffff8(%ebp),%ebx

But where is the other one??

please help me out.. its due in about 5 hours.. and I got class in.. 35 mins =(

Are these the 2 numbers that are getting compared????

 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp)
 8051a96:       7f 05                   jg     8051a9d <phase_3+0x80>
 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx
 8051a9b:       74 05                   je     8051aa2 <phase_3+0x85>

They certainly fit the addresses...

the first number has to be less than 5:
cmpl   $0x5,0xfffffff4(%ebp)

And the second one has to be equal to %ebx

Correct??

I know it kinda does sound like what I've been going on about from the start... but

>>Now we're getting somewhere :) So, the two numbers will be in 0xfffffff8(%ebp) and 0xfffffff4(%ebp) resp. The rest of the phase_3 function (after the fscanf call) will use these two numbers, and will check their values to see if they are correct.

???

>> Ok... but what does it check those numbers against?

That's what you need to find out next. Now that you know where the numbers are, you can easily follow the code along.

Follow the code line by line, and see what happens with those two numbers.

This is the part you're looking at now :

 8051a4b:       83 7d f4 07             cmpl   $0x7,0xfffffff4(%ebp)
 8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>
 8051a51:       8b 45 f4                mov    0xfffffff4(%ebp),%eax
 8051a54:       ff 24 85 bc 22 05 08    jmp    *0x80522bc(,%eax,4)
 8051a5b:       81 c3 a9 01 00 00       add    $0x1a9,%ebx
 8051a61:       81 eb 7d 01 00 00       sub    $0x17d,%ebx
 8051a67:       81 c3 82 00 00 00       add    $0x82,%ebx
 8051a6d:       81 eb 69 02 00 00       sub    $0x269,%ebx
 8051a73:       81 c3 27 01 00 00       add    $0x127,%ebx
 8051a79:       81 eb b8 02 00 00       sub    $0x2b8,%ebx
 8051a7f:       81 c3 b8 02 00 00       add    $0x2b8,%ebx
 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx
 8051a8b:       eb 05                   jmp    8051a92 <phase_3+0x75>
 8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>
 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp)
 8051a96:       7f 05                   jg     8051a9d <phase_3+0x80>
 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx
 8051a9b:       74 05                   je     8051aa2 <phase_3+0x85>
 8051a9d:       e8 0a 07 00 00          call   80521ac <explode_bomb>

What does the first line do ? Once you know what it does, check the second line, etc.

The first line checks if 7 is greater than that offset of ebp (i'm not sure if its the first or 2nd, please help me out here)

2nd line jumps if 7 is greater than that offset of ebp

3rd line moves that offset of ebp into eax

4th, I've asked this several times, I'm not sure what this does exactly, I'm guessing its a call to a function pointer...

5-12, adds and subtracts various values into ebx

13, unconditional jump

the next 4 lines refer to my previous post http:#24255786

>> 4th, I've asked this several times, I'm not sure what this does exactly, I'm guessing its a call to a function pointer...

The best way to understand this is to use your debugger. You'll need it to find out what's at address 0x80522bc, but you also use it to follow the flow of the code ...

The other lines, you seem to understand.

Now it's just a matter of taking a step back, looking at these few instructions, and what they do, and finding out what two numbers the code expects ...

I need to go get some sleep now, but I'll be back tomorrow.