szaba
asked on
Binary Bomb Phase 2
Hey,
I have seen help with this on several occasions here but I can't figure my bomb out. Please help, I must be over-thinking something. I need to find six numbers in order for the bomb not to explode. Here is what I got so far.
Here is the dump:
Dump of assembler code for function phase_2:
0x08048db1 <phase_2+0>: push %ebp
0x08048db2 <phase_2+1>: mov %esp,%ebp
0x08048db4 <phase_2+3>: push %esi
0x08048db5 <phase_2+4>: push %ebx
0x08048db6 <phase_2+5>: sub $0x30,%esp
0x08048db9 <phase_2+8>: lea -0x20(%ebp),%eax
0x08048dbc <phase_2+11>: mov %eax,0x4(%esp)
0x08048dc0 <phase_2+15>: mov 0x8(%ebp),%eax
0x08048dc3 <phase_2+18>: mov %eax,(%esp)
0x08048dc6 <phase_2+21>: call 0x8048f76 <read_six_numbers>
0x08048dcb <phase_2+26>: cmpl $0x1,-0x20(%ebp)
0x08048dcf <phase_2+30>: je 0x8048dd6 <phase_2+37>
0x08048dd1 <phase_2+32>: call 0x8048f4c <explode_bomb>
0x08048dd6 <phase_2+37>: mov $0x2,%ebx
0x08048ddb <phase_2+42>: lea -0x20(%ebp),%esi
0x08048dde <phase_2+45>: mov %ebx,%eax
0x08048de0 <phase_2+47>: imul -0x8(%esi,%ebx,4),%eax
0x08048de5 <phase_2+52>: cmp %eax,-0x4(%esi,%ebx,4)
0x08048de9 <phase_2+56>: je 0x8048df0 <phase_2+63>
0x08048deb <phase_2+58>: call 0x8048f4c <explode_bomb>
0x08048df0 <phase_2+63>: add $0x1,%ebx
0x08048df3 <phase_2+66>: cmp $0x7,%ebx
0x08048df6 <phase_2+69>: jne 0x8048dde <phase_2+45>
0x08048df8 <phase_2+71>: add $0x30,%esp
0x08048dfb <phase_2+74>: pop %ebx
0x08048dfc <phase_2+75>: pop %esi
0x08048dfd <phase_2+76>: pop %ebp
0x08048dfe <phase_2+77>: ret
End of assembler dump.
I know that my entered values are stored in %esi. %ebx is 2 and is being incremented by one for each loop. I believe all the magic happens here:
0x08048de0 <phase_2+47>: imul -0x8(%esi,%ebx,4),%eax
0x08048de5 <phase_2+52>: cmp %eax,-0x4(%esi,%ebx,4)
0x08048de9 <phase_2+56>: je 0x8048df0 <phase_2+63>
0x08048deb <phase_2+58>: call 0x8048f4c <explode_bomb>
0x08048df0 <phase_2+63>: add $0x1,%ebx
0x08048df3 <phase_2+66>: cmp $0x7,%ebx
I have seen infinity08 explain that the imul does (%esi + (%ebx*4) - 8),
but how does that ever equal (%esi + (%ebx*4) - 4)? Or I have got something wrong.
%esi is user input; ebx is 2, 3, 4, 5, 6 respectively...
This code just increments ebx to rotate through the array created in read_six_numbers.
0x08048df0 <phase_2+63>: add $0x1,%ebx
0x08048df3 <phase_2+66>: cmp $0x7,%ebx
Also I know by stepping through that the number 1 works.
OK, I desperately need help understanding this line:
imul -0x8(%esi,%ebx,4),%eax
ASKER
Thanks for the quick response. I was actually looking for you, infinity08, you seem to be the assembly master. I actually figured out the solution late yesterday, or early this morning I should say, by stepping through and watching the registers, but I need to understand the imul function, just to make sure I understand.
%esi = 0xbffe8f8
%ebx = 2
%eax = 2
(0xbfffe8f8 + (2*4)-8) that equals address 0xbfffe8f8
So I take the dereferenced value of 0xbfffe8f8 and multiply by dereferenced %eax.
You rock Infinity08
ASKER CERTIFIED SOLUTION
ASKER
Thanks again. I might have a couple more for you. I really appreciate your dedication to helping others. Thanks Infinity08
It's my pleasure :)
-0x8(%esi,%ebx,4) is a memory address calculation. The calculated memory address is indeed (%esi + (%ebx*4) - 8).
But then the imul operation still needs to do its work:
imul (address), %eax
where 'address' is the calculated memory address, and () means to dereference the address (i.e. get the value stored at that address).
So, %eax is multiplied with whatever value is stored at the memory address (%esi + (%ebx*4) - 8).
The cmp line after that then compares the resulting %eax with another value stored at another memory address.
Does that get you going?
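The loop in the dump, rewritten in C as an added example (not code from the thread or from the bomb's own source). It emulates the `-0x8(%esi,%ebx,4)` addressing mode explicitly, so the two loads the asker is confused about are visible as `a[ebx-2]` and `a[ebx-1]`, then runs the same checks phase_2 runs and solves the resulting recurrence forward. It assumes, from the `lea -0x20(%ebp),%eax` passed to `read_six_numbers`, that the six inputs are stored as contiguous 32-bit ints starting at that address; the function names `phase_2_check`, `phase_2_solve` and `load_scaled` are mine, not the bomb's.

```c
/* Added example: phase_2 from the disassembly, reconstructed in C.
 * Assumption: read_six_numbers stores six 32-bit ints contiguously at
 * -0x20(%ebp); %esi is loaded with that address, so it is the array base.
 */
#include <stdint.h>
#include <stdio.h>

/* Emulates an x86 scaled-index operand disp(base,index,scale):
 * compute base + index*scale + disp, then dereference the result. */
static int32_t load_scaled(const int32_t *base, int32_t index, int scale, int disp)
{
    const uint8_t *p = (const uint8_t *)base;
    return *(const int32_t *)(p + (intptr_t)index * scale + disp);
}

/* Mirrors phase_2's checks. Returns 1 if the six numbers pass, 0 if
 * explode_bomb would be called. */
int phase_2_check(const int32_t a[6])
{
    if (a[0] != 1)                                 /* cmpl $0x1,-0x20(%ebp) */
        return 0;
    for (int32_t ebx = 2; ebx != 7; ebx++) {       /* mov $0x2,%ebx ... cmp $0x7,%ebx ; jne */
        int32_t eax = ebx;                         /* mov %ebx,%eax */
        eax *= load_scaled(a, ebx, 4, -8);         /* imul -0x8(%esi,%ebx,4),%eax  -> a[ebx-2] */
        if (load_scaled(a, ebx, 4, -4) != eax)     /* cmp %eax,-0x4(%esi,%ebx,4)   -> a[ebx-1] */
            return 0;                              /* call explode_bomb */
    }
    return 1;
}

/* The check above is a[i-1] == i * a[i-2] for i = 2..6 with a[0] == 1,
 * so the accepted input is fixed; compute it forward from a[0]. */
void phase_2_solve(int32_t out[6])
{
    out[0] = 1;
    for (int i = 2; i <= 6; i++)
        out[i - 1] = i * out[i - 2];
}

/* Convenience accessors used by the self-test. */
int32_t phase_2_solution_at(int i)
{
    int32_t s[6];
    phase_2_solve(s);
    return s[i];
}

/* Returns 1 if the solved input passes and a single-digit change to the
 * last value is rejected, i.e. the check really depends on each element. */
int phase_2_self_test(void)
{
    int32_t s[6];
    phase_2_solve(s);
    if (!phase_2_check(s))
        return 0;
    s[5] += 1;
    return phase_2_check(s) == 0;
}

int main(void)
{
    int32_t s[6];
    phase_2_solve(s);
    printf("phase_2 input:");
    for (int i = 0; i < 6; i++)
        printf(" %d", s[i]);
    printf("\nself-test: %s\n", phase_2_self_test() ? "ok" : "FAIL");
    return 0;
}
```

Note that the `imul` and `cmp` operands use the same base and index but different displacements, so they never address the same element: with `%ebx` = 2 the multiply reads `a[0]` and the compare reads `a[1]`, with `%ebx` = 3 it is `a[1]` and `a[2]`, and so on up to `a[4]` and `a[5]`.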