
This question comes from a very popular assignment to teach assembly and the use of the GNU debugger. I am currently on phase 4 and here is the disassembled code:

Dump of assembler code for function phase_4:
# phase_4(char *input) -- i386 / cdecl: arguments on the stack, result in %eax.
# gdb disassembly (AT&T syntax). Stack slots used for the sscanf outputs:
#   -0x10(%ebp) = first value scanned (call it a)
#   -0xc(%ebp)  = second value scanned (call it b)
# Rough C equivalent, as read from the call sequence below:
#   if (sscanf(input, fmt, &a, &b) != 2) explode_bomb();
#   if (b <= 1 || b > 4)                 explode_bomb();
#   if (func4(9, b) != a)                explode_bomb();
# The format string at 0x804a64c is not shown in this dump; the "== 2" check
# and the two int-sized slots suggest two integer conversions -- confirm in gdb.
0x08048f52 <+0>:    push   %ebp
0x08048f53 <+1>:    mov    %esp,%ebp
0x08048f55 <+3>:    sub    $0x28,%esp                  # locals + outgoing call args
0x08048f58 <+6>:    lea    -0xc(%ebp),%eax
0x08048f5b <+9>:    mov    %eax,0xc(%esp)              # arg4 = &b
0x08048f5f <+13>:   lea    -0x10(%ebp),%eax
0x08048f62 <+16>:   mov    %eax,0x8(%esp)              # arg3 = &a
0x08048f66 <+20>:   movl   $0x804a64c,0x4(%esp)        # arg2 = format string
0x08048f6e <+28>:   mov    0x8(%ebp),%eax              # eax = input (phase_4's argument)
0x08048f71 <+31>:   mov    %eax,(%esp)                 # arg1 = input
0x08048f74 <+34>:   call   0x8048894 <__isoc99_sscanf@plt>
0x08048f79 <+39>:   cmp    $0x2,%eax                   # number of successful conversions
0x08048f7c <+42>:   jne    0x8048f8b <phase_4+57>      # != 2 -> explode
0x08048f7e <+44>:   mov    -0xc(%ebp),%eax             # eax = b
0x08048f81 <+47>:   cmp    $0x1,%eax
0x08048f84 <+50>:   jle    0x8048f8b <phase_4+57>      # b <= 1 (signed compare) -> explode
0x08048f86 <+52>:   cmp    $0x4,%eax
0x08048f89 <+55>:   jle    0x8048f95 <phase_4+67>      # b <= 4 -> continue; else fall into explode
0x08048f8b <+57>:   nop
0x08048f8c <+58>:   lea    0x0(%esi,%eiz,1),%esi       # multi-byte nop (alignment padding), no effect
0x08048f90 <+62>:   call   0x80493e1 <explode_bomb>
0x08048f95 <+67>:   mov    -0xc(%ebp),%eax
0x08048f98 <+70>:   mov    %eax,0x4(%esp)              # arg2 = b
0x08048f9c <+74>:   movl   $0x9,(%esp)                 # arg1 = 9
0x08048fa3 <+81>:   call   0x8048c80 <func4>           # eax = func4(9, b)
0x08048fa8 <+86>:   cmp    -0x10(%ebp),%eax            # compare func4's result with a
0x08048fab <+89>:   je     0x8048fb2 <phase_4+96>      # equal -> phase passes
0x08048fad <+91>:   call   0x80493e1 <explode_bomb>
0x08048fb2 <+96>:   leave  
0x08048fb3 <+97>:   ret    
End of assembler dump.

What I have figured out so far is that it is expecting two numerical inputs that get passed to sscanf. It then checks that both were read successfully and continues on.

Here is the code for func4 that gets called on line 81:

Dump of assembler code for function func4:
# int func4(int n, int b) -- i386 / cdecl: n = 0x8(%ebp), b = 0xc(%ebp), result in %eax.
# gdb disassembly (AT&T syntax). Callee-saved %ebx/%esi/%edi are spilled into
# the frame at entry and restored before returning.
# Recurrence as read from the code (note the extra "+ b" term -- this is
# Fibonacci-shaped but not plain Fibonacci):
#   if (n <= 0) return 0;
#   if (n == 1) return b;
#   return func4(n - 1, b) + func4(n - 2, b) + b;
0x08048c80 <+0>:    push   %ebp
0x08048c81 <+1>:    mov    %esp,%ebp
0x08048c83 <+3>:    sub    $0x28,%esp
0x08048c86 <+6>:    mov    %ebx,-0xc(%ebp)            # save callee-saved registers
0x08048c89 <+9>:    mov    %esi,-0x8(%ebp)
0x08048c8c <+12>:   mov    %edi,-0x4(%ebp)
0x08048c8f <+15>:   mov    0x8(%ebp),%esi             # esi = n
0x08048c92 <+18>:   mov    0xc(%ebp),%ebx             # ebx = b (doubles as the running result)
0x08048c95 <+21>:   test   %esi,%esi
0x08048c97 <+23>:   jg     0x8048ca0 <func4+32>       # n > 0 (signed) -> base case or recurse
0x08048c99 <+25>:   mov    $0x0,%ebx                  # n <= 0: result = 0
0x08048c9e <+30>:   jmp    0x8048cc9 <func4+73>
0x08048ca0 <+32>:   cmp    $0x1,%esi
0x08048ca3 <+35>:   je     0x8048cc9 <func4+73>       # n == 1: result = b
0x08048ca5 <+37>:   mov    %ebx,0x4(%esp)             # arg2 = b
0x08048ca9 <+41>:   lea    -0x1(%esi),%eax
0x08048cac <+44>:   mov    %eax,(%esp)                # arg1 = n - 1
0x08048caf <+47>:   call   0x8048c80 <func4>
0x08048cb4 <+52>:   mov    %eax,%edi                  # edi = func4(n - 1, b)
0x08048cb6 <+54>:   mov    %ebx,0x4(%esp)             # arg2 = b
0x08048cba <+58>:   sub    $0x2,%esi
0x08048cbd <+61>:   mov    %esi,(%esp)                # arg1 = n - 2
0x08048cc0 <+64>:   call   0x8048c80 <func4>
0x08048cc5 <+69>:   add    %eax,%edi                  # edi += func4(n - 2, b)
0x08048cc7 <+71>:   add    %edi,%ebx                  # result = b + both recursive results
0x08048cc9 <+73>:   mov    %ebx,%eax                  # return value
0x08048ccb <+75>:   mov    -0xc(%ebp),%ebx            # restore callee-saved registers
0x08048cce <+78>:   mov    -0x8(%ebp),%esi
0x08048cd1 <+81>:   mov    -0x4(%ebp),%edi
0x08048cd4 <+84>:   mov    %ebp,%esp                  # equivalent to leave
0x08048cd6 <+86>:   pop    %ebp
0x08048cd7 <+87>:   ret    
End of assembler dump.

Func4 seems to be the Fibonacci sequence called recursively. What I am having trouble with is working out which inputs it is looking for, namely what the comparison on line +86 is checking, because I know that if the values are equal it will jump to the solution. Any help from some assembly gurus would be appreciated.

  • It's similar to Fibonacci but it isn't quite that. The no-brainer solution is to put a breakpoint on that comparison and see what the value is and next time enter that as input. The expected solution is probably to trace through the code yourself :) – Jester Mar 09 '15 at 19:56
  • Could you possibly elaborate a bit more or offer an answer? I am having a hard time tracing the code. For instance, in line +47...+52, is it checking to see if my first input is between 1 and 4? I know I can add a breakpoint at +86, but how can I get the value that eax is being compared to? – SciGuy Mar 09 '15 at 21:21
  • The value compared is the first number you entered. `if (func4(9, second_number) != first_number) explode_bomb();` – Jester Mar 09 '15 at 21:38
