redearthite asked:
How do I utilize this array in Binary Bomb Phase 5?

I have been struggling with this phase. I seem to be missing something crucial in this code.
I know that this phase requires %d %d. I think I have a pretty good understanding of what most of the code is doing. I see there is an array of integers... I am trying to figure out how to use them appropriately to solve this problem. I have listed the code below. It seems like it has to loop 10 times in order to get the value of $ecx, which I believe is the 2nd number to be used as input. I've tried different combos of numbers for input but nothing has worked so far. Any insight would be greatly appreciated! What am I missing?
0x08048d4f <phase_5+0>:     push   %ebp
0x08048d50 <phase_5+1>:     mov    %esp,%ebp
0x08048d52 <phase_5+3>:     sub    $0x28,%esp
0x08048d55 <phase_5+6>:     lea    -0x8(%ebp),%eax
0x08048d58 <phase_5+9>:     mov    %eax,0xc(%esp)          // 4th arg to sscanf: address of the 2nd int (-0x8(%ebp))
0x08048d5c <phase_5+13>:    lea    -0x4(%ebp),%eax
0x08048d5f <phase_5+16>:    mov    %eax,0x8(%esp)          // 3rd arg: address of the 1st int (-0x4(%ebp))
0x08048d63 <phase_5+20>:    movl   $0x8049ca5,0x4(%esp)    // 2nd arg: format string "%d %d", requires 2 ints
0x08048d6b <phase_5+28>:    mov    0x8(%ebp),%eax
0x08048d6e <phase_5+31>:    mov    %eax,(%esp)             // 1st arg: the input string
0x08048d71 <phase_5+34>:    call   0x80489d4 <sscanf@plt>  // scans input
0x08048d76 <phase_5+39>:    cmp    $0x1,%eax               // eax = number of ints sscanf parsed
0x08048d79 <phase_5+42>:    jg     0x8048d80 <phase_5+49>  // if more than 1 int was parsed, jump to 0x8048d80
0x08048d7b <phase_5+44>:    call   0x80493e1 <explode_bomb>
0x08048d80 <phase_5+49>:    mov    -0x4(%ebp),%eax         // eax = 1st input
0x08048d83 <phase_5+52>:    and    $0xf,%eax               // eax &= 15
0x08048d86 <phase_5+55>:    mov    %eax,-0x4(%ebp)
0x08048d89 <phase_5+58>:    cmp    $0xf,%eax               // eax == 15?
0x08048d8c <phase_5+61>:    je     0x8048dba <phase_5+107> // if equal, jump to explode_bomb
0x08048d8e <phase_5+63>:    mov    $0x0,%edx               // edx = 0 (counter)
0x08048d93 <phase_5+68>:    mov    $0x0,%ecx               // ecx = 0 (running sum)
0x08048d98 <phase_5+73>:    add    $0x1,%edx               // beginning of loop: edx++
0x08048d9b <phase_5+76>:    mov    0x8049ae0(,%eax,4),%eax // eax = array[eax]; 0x8049ae0 is the array (contents displayed below)
0x08048da2 <phase_5+83>:    add    %eax,%ecx               // ecx += eax
0x08048da4 <phase_5+85>:    cmp    $0xf,%eax               // eax == 15?
0x08048da7 <phase_5+88>:    jne    0x8048d98 <phase_5+73>  // if not equal, jump back to the loop at 0x08048d98
0x08048da9 <phase_5+90>:    movl   $0xf,-0x4(%ebp)
0x08048db0 <phase_5+97>:    cmp    $0xa,%edx               // edx == 10?
0x08048db3 <phase_5+100>:   jne    0x8048dba <phase_5+107> // if edx != 10, jump to explode_bomb
0x08048db5 <phase_5+102>:   cmp    %ecx,-0x8(%ebp)         // 2nd input == ecx?
0x08048db8 <phase_5+105>:   je     0x8048dbf <phase_5+112> // if equal, phase defused
0x08048dba <phase_5+107>:   call   0x80493e1 <explode_bomb>
0x08048dbf <phase_5+112>:   leave
0x08048dc0 <phase_5+113>:   ret
End of assembler dump.
 
 HERE IS THE ARRAY:
(gdb) x/16wd 0x8049ae0
0x8049ae0 <array.3022>: 10      2       14      7
0x8049af0 <array.3022+16>:      8       12      15      11
0x8049b00 <array.3022+32>:      0       4       1       13
0x8049b10 <array.3022+48>:      3       9       6


ASKER CERTIFIED SOLUTION
Infinity08 (Belgium)

This solution is only available to members of Experts Exchange.
redearthite (ASKER)
Thank you for responding so promptly. I went into the scanf function. I guess I'm confused at what is happening here... The code is below:

0x080489d4 <sscanf@plt+0>:      jmp    *0x804a16c    //below is the jump table
0x080489da <sscanf@plt+6>:      push   $0xf0                 //pushes 240 onto stack and then what?
0x080489df <sscanf@plt+11>:     jmp    0x80487e4 <_init+48>  //when i examine this address it gives me another address but it won't let me access it

(gdb) x/16wd 0x804a16c           //how do i read this?
0x804a16c <_GLOBAL_OFFSET_TABLE_+132>:  -1209115328     -1208500608     134515194       0
0x804a17c:      0       0       0       134520844
0x804a18c <p.5841+4>:   0       0       0       0
0x804a19c <p.5841+20>:  0       51      0       0

(gdb) x 0x80487e4
0x80487e4 <_init+48>:   0xa0ec35ff        //can't access this address

Thank you for your assistance.
>> I went into the scanf function.

No need to analyze the function itself. It's a standard C function, which is described here:

        http://www.cplusplus.com/reference/clibrary/cstdio/sscanf/

That page lists all you need to know about the function :)
Ok. I guess I was trying to figure out the important question you raised about where scanf places these values.
I thought it placed the first value into $eax, then used it in the equation 0x8049ae0 + $eax*4, which replaces the value in eax.

0x08048d9b <phase_5+76>:        mov    0x8049ae0(,%eax,4),%eax

Does it mean that for the first loop cycle it takes the first element in the array + my first input value * 4?
Then that would give the new value of $eax, which would be used in the equation in the second pass through the loop and so on?
Is my second input value inconsequential until I find the value of %ecx after the 10 loops?
I am at work now, so I don't get to try out this theory until later!!
>> I thought it placed the first value into $eax.

Not really, no. I'll give you a hint: sscanf takes 4 parameters in this case: the source string, the format string, and two addresses where the two values are placed. Before the function call, these 4 parameters are pushed onto the stack (in reverse order).


>> Does it mean that for the first loop cycle it takes the first element in the array + my first input value * 4?

0x8049ae0(,%eax,4) is an addressing mode of the form base(offset, index, size). The address is calculated as follows:

        base + offset + (index * size)

Now, you have to keep in mind that 0x8049ae0 refers to an array of 32-bit integer values. 32 bits == 4 bytes.


>> Then that would give the new value of $eax which would be used in the equation in the second pass through the loop and so on?

Right.


>> Is my second input value inconsequential until I find the value of %ecx after the 10 loops?

Indeed. The second input value is only used to compare it to the ecx value at the end.
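Putting the two answers above together (sscanf's return value and the order of its four parameters, and the base(,index,4) addressing of the array), the following is a C re-implementation of phase_5 added here as an editor's worked example; it is not code from the bomb binary nor from the answers in this thread. It uses array.3022 exactly as dumped above with x/16wd; the 16th element was not shown in the dump and is assumed to be 0 here, which is safe because index 15 is rejected by the "and $0xf / cmp $0xf / je explode_bomb" check before the loop ever runs. The helper names walk, chain_len, chain_sum and find_start are the editor's own.

```c
#include <stdbool.h>
#include <stdio.h>

/* array.3022 as dumped with "x/16wd 0x8049ae0" in the question above.
 * The dump shows 15 values; index 15 is ASSUMED to be 0 here. It is never
 * read, because the "and $0xf / cmp $0xf / je explode_bomb" sequence
 * rejects a first input whose low nibble is 15 before the loop starts. */
static const int array_3022[16] = {
    10, 2, 14, 7,
    8, 12, 15, 11,
    0, 4, 1, 13,
    3, 9, 6, 0
};

/* Walk the chain exactly as the loop at phase_5+73 does:
 *     edx++;  eax = array[eax];  ecx += eax;   until eax == 15
 * Returns the number of loads (the final %edx) and stores the running
 * sum (the final %ecx) in *sum. The real code indexes with the loaded
 * value directly; the & 0xf here only keeps the C index in bounds and
 * changes nothing for this table, whose values are all below 16. The
 * count limit guards against a table that never reaches 15. */
static int walk(unsigned start, int *sum)
{
    unsigned idx = start & 0xf;           /* and $0xf,%eax */
    int count = 0, total = 0, val;
    do {
        count++;                          /* add $0x1,%edx */
        val = array_3022[idx];            /* mov 0x8049ae0(,%eax,4),%eax */
        total += val;                     /* add %eax,%ecx */
        idx = (unsigned)val & 0xf;        /* next index is the value just loaded */
    } while (val != 15 && count < 16);    /* cmp $0xf,%eax / jne loop */
    *sum = total;
    return count;
}

/* Number of loop iterations (final %edx) for a given first input. */
int chain_len(int first)
{
    int sum;
    return walk((unsigned)first, &sum);
}

/* Final value of %ecx for a given first input. */
int chain_sum(int first)
{
    int sum;
    walk((unsigned)first, &sum);
    return sum;
}

/* C translation of phase_5 on a whole input line: true means defused. */
bool phase_5(const char *input)
{
    int first, second;
    /* sscanf returns how many conversions succeeded; the "cmp $0x1 / jg"
     * after the call demands more than one, i.e. both ints present. */
    if (sscanf(input, "%d %d", &first, &second) <= 1)
        return false;
    if (((unsigned)first & 0xf) == 15)       /* and $0xf ; cmp $0xf ; je explode */
        return false;
    int sum;
    if (walk((unsigned)first, &sum) != 10)   /* cmp $0xa,%edx ; jne explode */
        return false;
    return sum == second;                    /* cmp %ecx,-0x8(%ebp) ; je ok */
}

/* Search the 15 legal low nibbles for the one that needs exactly 10 loads. */
int find_start(void)
{
    for (int s = 0; s < 15; s++)
        if (chain_len(s) == 10)
            return s;
    return -1;
}

int main(void)
{
    int start = find_start();
    if (start < 0) {
        puts("no starting index reaches 15 in exactly 10 loads");
        return 1;
    }
    char line[32];
    snprintf(line, sizeof line, "%d %d", start, chain_sum(start));
    printf("candidate input: \"%s\" -> %s\n", line,
           phase_5(line) ? "defused" : "BOOM");
    /* Only the low 4 bits of the first number matter (and $0xf), so any
     * value with the same low nibble, including negative ones, also works. */
    snprintf(line, sizeof line, "%d %d", start + 16, chain_sum(start));
    printf("same low nibble:  \"%s\" -> %s\n", line,
           phase_5(line) ? "defused" : "BOOM");
    return 0;
}
```

The point worth checking in gdb rather than trusting a translation: the first number is only ever used after "and $0xf", so the phase accepts a whole family of first inputs, and a single wrong guess of the second number still explodes even when the chain length is right. Run the chain by hand from the dumped table once (start index, then array[index] as the next index) and compare your count and sum with what this program prints.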
Thank you for your concise instructions. You were a great help in breaking the problem down step by step in order to understand what was really going on.