Solved

defusing a binary bomb phase_3

Posted on 2009-04-25
Last Modified: 2012-05-06
Hey, I need to defuse a binary bomb. I'm pretty sure this thing has a switch statement in it and needs 2 numbers, but beyond that I'm kinda drawing a blank... so any help would be appreciated =)

08051a1d <phase_3>:
 8051a1d:       55                      push   %ebp
 8051a1e:       89 e5                   mov    %esp,%ebp
 8051a20:       53                      push   %ebx
 8051a21:       83 ec 14                sub    $0x14,%esp
 8051a24:       bb 00 00 00 00          mov    $0x0,%ebx
 8051a29:       8d 45 f8                lea    0xfffffff8(%ebp),%eax
 8051a2c:       50                      push   %eax
 8051a2d:       8d 45 f4                lea    0xfffffff4(%ebp),%eax
 8051a30:       50                      push   %eax
 8051a31:       68 7e 23 05 08          push   $0x805237e
 8051a36:       ff 75 08                pushl  0x8(%ebp)
 8051a39:       e8 1a fb ff ff          call   8051558 <_PROCEDURE_LINKAGE_TABLE_+0xb0>
 8051a3e:       83 c4 10                add    $0x10,%esp
 8051a41:       83 f8 01                cmp    $0x1,%eax
 8051a44:       7f 05                   jg     8051a4b <phase_3+0x2e>
 8051a46:       e8 61 07 00 00          call   80521ac <explode_bomb>
 8051a4b:       83 7d f4 07             cmpl   $0x7,0xfffffff4(%ebp)
 8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>
 8051a51:       8b 45 f4                mov    0xfffffff4(%ebp),%eax
 8051a54:       ff 24 85 bc 22 05 08    jmp    *0x80522bc(,%eax,4)
 8051a5b:       81 c3 a9 01 00 00       add    $0x1a9,%ebx
 8051a61:       81 eb 7d 01 00 00       sub    $0x17d,%ebx
 8051a67:       81 c3 82 00 00 00       add    $0x82,%ebx
 8051a6d:       81 eb 69 02 00 00       sub    $0x269,%ebx
 8051a73:       81 c3 27 01 00 00       add    $0x127,%ebx
 8051a79:       81 eb b8 02 00 00       sub    $0x2b8,%ebx
 8051a7f:       81 c3 b8 02 00 00       add    $0x2b8,%ebx
 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx
 8051a8b:       eb 05                   jmp    8051a92 <phase_3+0x75>
 8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>
 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp)
 8051a96:       7f 05                   jg     8051a9d <phase_3+0x80>
 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx
 8051a9b:       74 05                   je     8051aa2 <phase_3+0x85>
 8051a9d:       e8 0a 07 00 00          call   80521ac <explode_bomb>
 8051aa2:       8b 5d fc                mov    0xfffffffc(%ebp),%ebx
 8051aa5:       c9                      leave
 8051aa6:       c3                      ret

Question by:errang

Author Comment

by:errang
ID: 24247960
This is what I figured out about phase_3...

There are 3 calls to explode_bomb.
     - 1, after line 8051a41:       83 f8 01                cmp    $0x1,%eax
         -This one jumps over only if eax is greater than 1.  So I'm guessing it's supposed to be 2 or more numbers... and eax keeps track of them.
     - 2, after line 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx
         -I'm not sure about this jmp instruction... I think it's an unconditional jump, so that explode_bomb is there just to mess with us?
     - 3, after this line  8051a9b:       74 05                   je     8051aa2 <phase_3+0x85>
         -now, that's a jump when equal... so
          8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx  has to be true, and ebx is given at this instruction: 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx

So... ebx is one of the numbers I need, right? And according to... these two lines:
 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp)
 8051a96:       7f 05                   jg     8051a9d <phase_3+0x80>

I would say the other number has to be greater than 5?

did I at least manage to get something right?

Expert Comment

by:Infinity08
ID: 24248071
>>      - 1, after line 8051a41:       83 f8 01                cmp    $0x1,%eax
>>          -This one jumps over only if eax is greater than 1.

The other way around ;) The jump is made if 1 is greater than eax.

>> So I'm guessing its supposed 2 or more numbers... and eax keeps track of them.

eax is the return value of the call to function 8051558.

>>          -I'm not sure about this jmp instruction... I think its an unconditional jump, so that explode_bomb is there just to mess with us?

jmp is an unconditional jump indeed.

The explode_bomb is not just there to mess with you though. Do you see where this instruction jumps to ?

>>  8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>

>>         -now, that's a jump when equal... so
>>  8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx  has to be true, and ebx is given at this instruction: 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx

Sure ...

>> So... ebx is one of the numbers I need, right?

Don't jump to conclusions just yet. But you're going in the right direction.

Author Comment

by:errang
ID: 24248114
>>The explode_bomb is not just there to mess with you though. Do you see where this instruction jumps to ?

>>  8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>

Yes, it jumps to a call to explode_bomb near the end of the program...
8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>

That's a jump address instruction though... isn't that just like the jmp instruction??

>>Don't jump to conclusions just yet. But you're going in the right direction.

Right direction... that's good to hear. So, what am I missing? The 2nd number? Some calculation I didn't see?

Expert Comment

by:Infinity08
ID: 24248231
>> Yes, it jumps to a call to explode_bomb near the end of the program...
>> 8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>

More specifically the one you assumed was there just to mess with you ;)


>> That's a jump address instruction though... isn't that just like the jmp instruction??

ja == jump if above. It's like jg, but for unsigned integer values.


>> so, what am I missing? the 2nd number? some calculation I didn't see?

Well, first figure out where the two numbers that are read in are placed ... I assume that the call 8051558 is a call to the standard fscanf function, which would mean that its second argument ($0x805237e) is the format string. Check that to see which format string it is. The arguments after that will contain the values read from the user.

Author Comment

by:errang
ID: 24248283
>>Well, first figure out where the two numbers that are read in are placed ... I assume that the call 8051558 is a call to the standard fscanf function, which would mean that its second argument ($0x805237e) is the format string. Check that to see which format string it is. The arguments after that will contain the values read from the user.

After $0x805237e, there's pushl  0x8(%ebp), so the numbers are getting stored in an array?

And I know it's numbers because our professor was kind enough to tell us what we need to be looking for; phase 6 has symbols... *oh joy...*

Expert Comment

by:Infinity08
ID: 24248324
$0x805237e is the address of a string literal. You can use your debugger to find out which one.

>> after $0x805237e, there's pushl  0x8(%ebp), so the numbers are getting stored in an array?

Remember that function arguments are pushed in reverse order. 0x8(%ebp) is the first argument, $0x805237e is the second, etc.
Do you know how the fscanf function works ?

        http://cplusplus.com/reference/clibrary/cstdio/fscanf/


>> And I know numbers because our professor was kind enough to tell us what we need to be looking for

Good. You know you need two numbers. You just need to know where they are stored in memory (on the stack) ;)

Author Comment

by:errang
ID: 24248393
>>Good. You know you need two numbers. You just need to know where they are stored in memory (on the stack) ;)

Isn't ebx one of them?

>>Do you know how the fscanf function works ?

Yeah, I've used fscanf before; it basically reads one line from a file, right?

Author Comment

by:errang
ID: 24248400
Now that I look at the code again... I am somewhat confused by this line:
8051a54:       ff 24 85 bc 22 05 08    jmp    *0x80522bc(,%eax,4)

is that jumping to a function pointer?

Author Comment

by:errang
ID: 24248406
Oh... and I realized that what I thought was just there to mess us up was these lines:

 8051a8b:       eb 05                   jmp    8051a92 <phase_3+0x75>
 8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>

jmp is an unconditional jump instruction... it just jumps to a certain location when the program reaches that line, correct?

Expert Comment

by:Infinity08
ID: 24248411
>> Yeah, i've used fscanf before, it basically reads one line from a file, right?

It reads certain values from input depending on the format string. So, for example if the format string contains "%d %d", that means it'll try to read two integer values. Did you already check the format string ?

The locations where the values are read are given as extra parameters to the fscanf function.

>> Isn't ebx one of them?

No. ebx is not passed as argument to fscanf.


>> I am somewhat confused by this line:

Don't jump ahead. First know what you're dealing with. Where are the two numbers that the user gave ?

Expert Comment

by:Infinity08
ID: 24248414
>> it just jumps to a certain location when the program reaches that line, correct?

Right. I've already confirmed that here : http:#24248071

Author Comment

by:errang
ID: 24248443
So that call to explode_bomb under the jump was just to trick us, right?

It goes right over it and jumps to 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp)

And if that's greater than 5, it jumps to the explode_bomb part...

And if it's not, then it jumps to 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx

Since we know that ebx is set to 0 (8051a24:       bb 00 00 00 00          mov    $0x0,%ebx), we would just need to follow these calculations, right?
 8051a5b:       81 c3 a9 01 00 00       add    $0x1a9,%ebx
 8051a61:       81 eb 7d 01 00 00       sub    $0x17d,%ebx
 8051a67:       81 c3 82 00 00 00       add    $0x82,%ebx
 8051a6d:       81 eb 69 02 00 00       sub    $0x269,%ebx
 8051a73:       81 c3 27 01 00 00       add    $0x127,%ebx
 8051a79:       81 eb b8 02 00 00       sub    $0x2b8,%ebx
 8051a7f:       81 c3 b8 02 00 00       add    $0x2b8,%ebx
 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx

So... to get past 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp), the number has to be less than or equal to 5.

And, since the jump instruction after 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx is a jump-if-equal... we just need to figure out what one of them comes out to... and we've got the solution?

First number is less than or equal to 5, and the 2nd is whatever ebx is at 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx?

Or am I jumping too far ahead again? Lack of sleep + excitement over finally getting this bomb over with makes me jittery...

Author Comment

by:errang
ID: 24248470
I just calculated what ebx is supposed to be at 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx; it's -1134.

Author Comment

by:errang
ID: 24248525
And no... apparently I did jump the gun... again. What'd I do wrong?

Author Comment

by:errang
ID: 24248532
>>Don't jump ahead. First know what you're dealing with. Where are the two numbers that the user gave ?

They would be in... 8051a36:       ff 75 08                pushl  0x8(%ebp), correct?

>>Remember that function arguments are pushed in reverse order. 0x8(%ebp) is the first argument, $0x805237e is the second, etc.

Wait... aren't word sizes usually 4? How come the 2nd number isn't 0x4(%ebp)?

Author Comment

by:errang
ID: 24248655
Maybe... I should sleep for a bit. My mind starts to get a little jumpy around 4:36 am... lol =(

Expert Comment

by:Infinity08
ID: 24248832
>> so that call to bomb under jump was just to trick us, right?

No, it's not. As I said earlier, this jump instruction jumps to that line:

>>  8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>


>> >>Don't jump ahead. First know what you're dealing with. Where are the two numbers that the user gave ?
>> They would be in... 8051a36:       ff 75 08                pushl  0x8(%ebp), correct?

No. I already told you that those are NOT the numbers - it is the FIRST parameter of fscanf. What you are looking for are the parameters after the format. See here: http:#24248324

It's a bit hard if I have to repeat everything several times ;)

Author Comment

by:errang
ID: 24254448
hm... ok

 8051a21:       83 ec 14                sub    $0x14,%esp
 8051a3e:       83 c4 10                add    $0x10,%esp

>>Good. You know you need two numbers. You just need to know where they are stored in memory (on the stack) ;)

Those 2 statements leave a difference of 4... so the values the user enters are in that space?

But if they are... those values aren't getting moved to anything... right? So what are they getting compared to?

Expert Comment

by:Infinity08
ID: 24254518
Please re-read the last few lines of my previous post ...

Author Comment

by:errang
ID: 24254665
>>No. I already told you that that's NOT the numbers - it is the FIRST parameter of fscanf. What you are looking for are the parameters after the format. See here : http:#24248324

Those? But you said the numbers were on the stack...

And... 8051a31:       68 7e 23 05 08          push   $0x805237e gets pushed onto the stack?

fscanf (pFile, "%f", &f);... so... the numbers are right after 0x805237e gets pushed onto the stack?

Author Comment

by:errang
ID: 24254792
Wait... the stack is different from regular registers... right? So each offset of the stack can store its own values?

 8051a21:       83 ec 14                sub    $0x14,%esp
 8051a3e:       83 c4 10                add    $0x10,%esp

Like I said in my previous post... there is a difference of 4 after those instructions are carried out... so, according to fscanf (pFile, "%f", &f); (which I got from the link you gave me), the first variable is the file, the 2nd the format, and the 3rd and 4th are the numbers?

It... kinda fits, right?

Expert Comment

by:Infinity08
ID: 24255018
>> first variable is the file, 2nd the format, and the 3rd and 4th are the numbers?

Yes, so which ones are the numbers ?

The sub and add have nothing to do with it. If a function takes 4 parameters, then those 4 parameters are pushed onto the stack (in reverse order) before the function is called.

Author Comment

by:errang
ID: 24255130
>>The sub and add have nothing to do with it. If a function takes 4 parameters, then those 4 parameters are pushed onto the stack (in reverse order) before the function is called.

Uh... could you please explain that?

Author Comment

by:errang
ID: 24255157
If the sub and add have nothing to do with it... where are they getting stored? In ebp?

Author Comment

by:errang
ID: 24255209
Hm... it couldn't be in eax... could it?

 8051a29:       8d 45 f8                lea    0xfffffff8(%ebp),%eax
 8051a2c:       50                      push   %eax
 8051a2d:       8d 45 f4                lea    0xfffffff4(%ebp),%eax
 8051a30:       50                      push   %eax

???

Expert Comment

by:Infinity08
ID: 24255268
>> Uh... could you please explain that?

Explain what ? Which part of that phrase wasn't clear ?


>> in ebp?

If you read back through all your threads about this, you'll find that it has been explained several times already that ebp is the base pointer, which points to the start of the current stack frame. It would make no sense to save a number in there.


>> hm... it couldn't be in eax... could it?

Again, if you read back, you'll find an explanation of how the lea instruction works ...

Author Comment

by:errang
ID: 24255329
>>Explain what ? Which part of that phrase wasn't clear ?

You said that the numbers got pushed onto the stack in reverse order before the function was called... so how come sub and add don't have anything to do with it?

When I was doing phase 2... I thought you said subtracting the esp was the same as allocating memory?

Author Comment

by:errang
ID: 24255354
>>Again, if you read back, you'll find an explanation of how the lea instruction works ..

LEA - Load effective address. LEA Dest,Source : Dest := address of Source

It calculates the address and stores it in the register... right?

Expert Comment

by:Infinity08
ID: 24255471
>> I thought you said subtracting the esp was the same as allocating memory?

Yes, but we're looking for the numbers now, not for a block of allocated memory.

>> It calculates the address and stores it in the register... right?

Yes, so ... continue that thought.

Author Comment

by:errang
ID: 24255509
Am I right here?

 08051a1d <phase_3>:
 8051a1d:       55                      push   %ebp
 8051a1e:       89 e5                   mov    %esp,%ebp
 8051a20:       53                      push   %ebx

---------------------------------------------------------
Just pushing registers onto the stack, so far:
ebp = esp
ebx on the stack
---------------------------------------------------------

 8051a21:       83 ec 14                sub    $0x14,%esp

---------------------------------------------------------
esp - 14
---------------------------------------------------------

 8051a24:       bb 00 00 00 00          mov    $0x0,%ebx

---------------------------------------------------------
ebx = 0
---------------------------------------------------------

 8051a29:       8d 45 f8                lea    0xfffffff8(%ebp),%eax
 8051a2c:       50                      push   %eax

---------------------------------------------------------
new address loaded into eax and eax is pushed onto the stack
---------------------------------------------------------

 8051a2d:       8d 45 f4                lea    0xfffffff4(%ebp),%eax
 8051a30:       50                      push   %eax

---------------------------------------------------------
new address loaded into eax and eax is pushed onto the stack
---------------------------------------------------------

 8051a31:       68 7e 23 05 08          push   $0x805237e
 8051a36:       ff 75 08                pushl  0x8(%ebp)

---------------------------------------------------------
$0x805237e and 0x8(%ebp) are pushed onto the stack
---------------------------------------------------------

 8051a39:       e8 1a fb ff ff          call   8051558 <_PROCEDURE_LINKAGE_TABLE_+0xb0>
 8051a3e:       83 c4 10                add    $0x10,%esp

---------------------------------------------------------
there's a call to <procedure_linkage_table>; that has nothing to do with this answer though, right?
esp + 10
---------------------------------------------------------

 8051a41:       83 f8 01                cmp    $0x1,%eax
 8051a44:       7f 05                   jg     8051a4b <phase_3+0x2e>
 8051a46:       e8 61 07 00 00          call   80521ac <explode_bomb>

---------------------------------------------------------
As you had corrected... if 1 is greater than eax, so eax needs to be < 1?
---------------------------------------------------------

 8051a4b:       83 7d f4 07             cmpl   $0x7,0xfffffff4(%ebp)
 8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>

---------------------------------------------------------
I'm going to assume cmpl works the same way as cmp... so,
if $0x7 is greater than 0xfffffff4(%ebp), the jump will take place?
---------------------------------------------------------

 8051a51:       8b 45 f4                mov    0xfffffff4(%ebp),%eax
 8051a54:       ff 24 85 bc 22 05 08    jmp    *0x80522bc(,%eax,4)

---------------------------------------------------------
eax = 0xfffffff4(%ebp)
and an unconditional jump takes place
---------------------------------------------------------

 8051a5b:       81 c3 a9 01 00 00       add    $0x1a9,%ebx
 8051a61:       81 eb 7d 01 00 00       sub    $0x17d,%ebx
 8051a67:       81 c3 82 00 00 00       add    $0x82,%ebx
 8051a6d:       81 eb 69 02 00 00       sub    $0x269,%ebx
 8051a73:       81 c3 27 01 00 00       add    $0x127,%ebx
 8051a79:       81 eb b8 02 00 00       sub    $0x2b8,%ebx
 8051a7f:       81 c3 b8 02 00 00       add    $0x2b8,%ebx
 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx
 8051a8b:       eb 05                   jmp    8051a92 <phase_3+0x75>
 8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>

---------------------------------------------------------
A huge mess of calculations, and then an unconditional jump.
---------------------------------------------------------

 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp)
 8051a96:       7f 05                   jg     8051a9d <phase_3+0x80>

---------------------------------------------------------
if 5 greater than 0xfffffff4(%ebp), the jump would take place?
---------------------------------------------------------

 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx
 8051a9b:       74 05                   je     8051aa2 <phase_3+0x85>

---------------------------------------------------------
that jump will only take place if 0xfffffff8(%ebp) and %ebx are equal
---------------------------------------------------------

 8051a9d:       e8 0a 07 00 00          call   80521ac <explode_bomb>
 8051aa2:       8b 5d fc                mov    0xfffffffc(%ebp),%ebx

---------------------------------------------------------
so... ebx is a return value?
---------------------------------------------------------

 8051aa5:       c9                      leave
 8051aa6:       c3                      ret


Author Comment

by:errang
ID: 24255550
>>Yes, so ... continue that thought.

Uh... continue what now?

>>If you read back through all your threads about this, you'll find that it has been explained several times already that ebp is the base pointer, which points to the start of the current stack frame. It would make no sense to save a number in there.

The only place lea is used is:

 8051a29:       8d 45 f8                lea    0xfffffff8(%ebp),%eax
 8051a2c:       50                      push   %eax
 8051a2d:       8d 45 f4                lea    0xfffffff4(%ebp),%eax
 8051a30:       50                      push   %eax

are you saying that we calculate that number with 8051a1d being ebp?

Author Comment

by:errang
ID: 24255594
So... you are saying that the numbers aren't stored in ebx... but they are stored at these addresses?
0xfffffff8(%ebp) and 0xfffffff4(%ebp)???

Expert Comment

by:Infinity08
ID: 24255618
>> there's a call to <procedure_linkage_table>, that has nothing to do with this answer, tho right?

That's the call to fscanf ... The one we've been talking about all along ... So, it most certainly has got something to do with the "answer" ;)


>> The only place lea used is:

Yes ... And we were looking for the locations of the two numbers ... So ...

Accepted Solution

by:Infinity08 (earned 2000 total points)
ID: 24255632
>> but they are stored at these addresses? 0xfffffff8(%ebp) and 0xfffffff4(%ebp)???

Now we're getting somewhere :) So, the two numbers will be in 0xfffffff8(%ebp) and 0xfffffff4(%ebp) resp. The rest of the phase_3 function (after the fscanf call) will use these two numbers, and will check their values to see if they are correct.

So, just follow what's happening, starting just after the fscanf call ...

Author Comment

by:errang
ID: 24255665
Uhm... could I get a little more help here? After the fscanf call... there's just the

 8051a3e:       83 c4 10                add    $0x10,%esp
 8051a41:       83 f8 01                cmp    $0x1,%eax

And...
 8051a29:       8d 45 f8                lea    0xfffffff8(%ebp),%eax
 8051a2c:       50                      push   %eax
 8051a2d:       8d 45 f4                lea    0xfffffff4(%ebp),%eax
 8051a30:       50                      push   %eax

I can see that eax gets pushed onto the stack... but what is going on here?

Author Comment

by:errang
ID: 24255692
Hm... could you please tell me what 8051a54:       ff 24 85 bc 22 05 08    jmp    *0x80522bc(,%eax,4) is doing?

Author Comment

by:errang
ID: 24255699
>>Now we're getting somewhere :) So, the two numbers will be in 0xfffffff8(%ebp) and 0xfffffff4(%ebp) resp. The rest of the phase_3 function (after the fscanf call) will use these two numbers, and will check their values to see if they are correct.

Ok... but what does it check those numbers against?

I can see one of them is here... cmp    0xfffffff8(%ebp),%ebx

But where is the other one??

Author Comment

by:errang
ID: 24255769
Please help me out... it's due in about 5 hours... and I got class in... 35 mins =(

Author Comment

by:errang
ID: 24255786
Are these the 2 numbers that are getting compared????

 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp)
 8051a96:       7f 05                   jg     8051a9d <phase_3+0x80>
 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx
 8051a9b:       74 05                   je     8051aa2 <phase_3+0x85>

They certainly fit the addresses...

Author Comment

by:errang
ID: 24255798
The first number has to be less than 5:
cmpl   $0x5,0xfffffff4(%ebp)

And the second one has to be equal to %ebx

Correct??

I know it kinda does sound like what I've been going on about from the start... but

>>Now we're getting somewhere :) So, the two numbers will be in 0xfffffff8(%ebp) and 0xfffffff4(%ebp) resp. The rest of the phase_3 function (after the fscanf call) will use these two numbers, and will check their values to see if they are correct.

???

Expert Comment

by:Infinity08
ID: 24255803
>> Ok... but what does it check those numbers against?

That's what you need to find out next. Now that you know where the numbers are, you can easily follow the code along.

Follow the code line by line, and see what happens with those two numbers.

This is the part you're looking at now :

 8051a4b:       83 7d f4 07             cmpl   $0x7,0xfffffff4(%ebp)
 8051a4f:       77 3c                   ja     8051a8d <phase_3+0x70>
 8051a51:       8b 45 f4                mov    0xfffffff4(%ebp),%eax
 8051a54:       ff 24 85 bc 22 05 08    jmp    *0x80522bc(,%eax,4)
 8051a5b:       81 c3 a9 01 00 00       add    $0x1a9,%ebx
 8051a61:       81 eb 7d 01 00 00       sub    $0x17d,%ebx
 8051a67:       81 c3 82 00 00 00       add    $0x82,%ebx
 8051a6d:       81 eb 69 02 00 00       sub    $0x269,%ebx
 8051a73:       81 c3 27 01 00 00       add    $0x127,%ebx
 8051a79:       81 eb b8 02 00 00       sub    $0x2b8,%ebx
 8051a7f:       81 c3 b8 02 00 00       add    $0x2b8,%ebx
 8051a85:       81 eb da 03 00 00       sub    $0x3da,%ebx
 8051a8b:       eb 05                   jmp    8051a92 <phase_3+0x75>
 8051a8d:       e8 1a 07 00 00          call   80521ac <explode_bomb>
 8051a92:       83 7d f4 05             cmpl   $0x5,0xfffffff4(%ebp)
 8051a96:       7f 05                   jg     8051a9d <phase_3+0x80>
 8051a98:       3b 5d f8                cmp    0xfffffff8(%ebp),%ebx
 8051a9b:       74 05                   je     8051aa2 <phase_3+0x85>
 8051a9d:       e8 0a 07 00 00          call   80521ac <explode_bomb>

What does the first line do ? Once you know what it does, check the second line, etc.

Author Comment

by:errang
ID: 24255834
The first line checks if 7 is greater than that offset of ebp (I'm not sure if it's the first or 2nd, please help me out here)

2nd line jumps if 7 is greater than that offset of ebp

3rd line moves that offset of ebp into eax

4th, I've asked this several times, I'm not sure what this does exactly, I'm guessing it's a call to a function pointer...

5-12, adds and subtracts various values into ebx

13, unconditional jump

the next 4 lines refer to my previous post http:#24255786

Expert Comment

by:Infinity08
ID: 24255878
>> 4th, I've asked this several times, I'm not sure what this does exactly, I'm guessing its a call to a function pointer...

The best way to understand this is to use your debugger. You'll need it to find out what's at address 0x80522bc, but you also use it to follow the flow of the code ...

The other lines, you seem to understand.

Now it's just a matter of taking a step back, looking at these few instructions, and what they do, and finding out what two numbers the code expects ...

Expert Comment

by:Infinity08
ID: 24255890
I need to go get some sleep now, but I'll be back tomorrow.

Author Comment

by:errang
ID: 24268094
after some trial and error, I did manage to get this phase =)

The final answer was 0 and -1134 =)
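For readers working through the same listing, here is an added C reconstruction of phase_3 as it reads from the disassembly in this thread. It is editor-added example code, not the bomb's source and not code from either poster. It mirrors the checks visible above: the `cmp $0x1,%eax` / `jg` pair (taken only when the scanf-style call returns more than 1, i.e. at least two values were converted), the unsigned range check `cmpl $0x7` / `ja`, the signed check `cmpl $0x5` / `jg`, and the final `cmp 0xfffffff8(%ebp),%ebx` / `je`. Two things are not on the page and are marked as assumptions in the code: the format string at 0x805237e is taken to be "%d %d", and the jump table at 0x80522bc is taken to send case i to the i-th add/sub instruction of the chain, so each case falls through to the end of the chain. Under those assumptions case 0 runs the whole chain and leaves ebx = -1134, which matches the answer in the last post; other cases (1..5) give the shorter tail sums, which the example also computes.

```c
#include <stdio.h>

/* Added example, not the bomb's source: a C model of phase_3 as read from
 * the disassembly in this thread. */

#define EXPLODE 0
#define DEFUSED 1

/* The eight add/sub immediates at 8051a5b..8051a85, in program order,
 * with the sign of the operation folded into the value. */
static const int CHAIN[8] = {
    +0x1a9, -0x17d, +0x82, -0x269, +0x127, -0x2b8, +0x2b8, -0x3da
};

/* ebx at 8051a8b if the indirect jmp lands on chain instruction `start`.
 * ebx is zeroed at 8051a24 and every case falls through to the end.
 * ASSUMPTION (the table at 0x80522bc is not shown on the page): entry i
 * of the jump table points at chain instruction i. */
int phase3_ebx(unsigned start)
{
    int ebx = 0;
    for (unsigned i = start; i < 8; i++)
        ebx += CHAIN[i];
    return ebx;
}

/* Model of the whole phase: returns DEFUSED or EXPLODE for one input line. */
int phase3(const char *line)
{
    int first;   /* slot at 0xfffffff4(%ebp); its address is pushed second */
    int second;  /* slot at 0xfffffff8(%ebp); its address is pushed first  */

    /* ASSUMPTION: the format string at 0x805237e is "%d %d". sscanf stands
     * in for the scanf-family call made through the PLT; its return value
     * is the number of conversions, which is what cmp $0x1,%eax tests. */
    int n = sscanf(line, "%d %d", &first, &second);
    if (!(n > 1))                    /* jg not taken -> explode_bomb */
        return EXPLODE;

    if ((unsigned)first > 7u)        /* cmpl $0x7 ; ja : unsigned compare, */
        return EXPLODE;              /* so a negative first number explodes */

    int ebx = phase3_ebx((unsigned)first); /* jmp *0x80522bc(,%eax,4) */

    if (first > 5)                   /* cmpl $0x5 ; jg : signed compare */
        return EXPLODE;
    if (ebx != second)               /* cmp 0xfffffff8(%ebp),%ebx ; je */
        return EXPLODE;
    return DEFUSED;
}

int main(void)
{
    /* Constructed sample inputs; the first is the answer given in the thread. */
    const char *inputs[] = { "0 -1134", "5 -986", "0 0", "-1 -1134", "6 -290", "0" };
    for (unsigned i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-10s -> %s\n", inputs[i],
               phase3(inputs[i]) == DEFUSED ? "defused" : "BOOM");
    return 0;
}
```

The unsigned `ja` before the switch is the part that bites when reading only the `cmpl $0x5 / jg` later: a negative first number is a huge unsigned value, so it explodes at the first check, and 6 or 7 index the table but then fail the signed check, leaving 0..5 as the only admissible cases.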