It will probably be helpful to remember that on i386, function arguments are passed on the stack. On function entry, if you read the word of memory at the stack pointer's address, you'll find the caller's return address.
It looks like your mystery function here takes two arguments. So when it says
sub $0x2c,%esp
mov 0x34(%esp),%eax
Once 0x2c has been subtracted from the stack pointer, we can find the caller's saved eip at *(esp + 0x2c), we can find the first argument at *(esp + 0x30) and we can find the second argument at *(esp + 0x34). You can see a reference to that second argument here,
movl $0x804a819,0x4(%esp)
mov 0x30(%esp),%eax
mov %eax,(%esp)
call 0x80488d0 <__isoc99_sscanf@plt>
This stores the address of your format string at address (0x804a819) at *(esp+4) - so that is going to be the 2nd argument to sscanf(). Then it loads the first argument to your mystery function (at *(esp + 0x30)) and stores it at *(esp) - so it will be the 1st argument to sscanf().
Hopefully that's enough help to understand the function without being too helpful. :)
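The stack layout described in the answer above can be checked with a small simulation. This is an added example, not part of the original answer: it models the i386 stack as a byte array, and the argument and return-address values are constructed placeholders (only 0x2c and 0x804a819 come from the disassembly). It assumes the function does not push %ebp before `sub $0x2c,%esp`, as in the lines shown.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_BYTES 256
static uint8_t stack_mem[STACK_BYTES]; /* simulated stack, grows downward */
static uint32_t esp = STACK_BYTES;     /* simulated %esp, as an index into stack_mem */

static void push32(uint32_t v) { esp -= 4; memcpy(&stack_mem[esp], &v, 4); }
static uint32_t load32(uint32_t off) { uint32_t v; memcpy(&v, &stack_mem[esp + off], 4); return v; }
static void store32(uint32_t off, uint32_t v) { memcpy(&stack_mem[esp + off], &v, 4); }

/* Offset from %esp of the callee's n-th incoming argument (0-based) after
 * `sub $frame,%esp`: the local frame, then 4 bytes of return address, then args. */
static uint32_t arg_offset(uint32_t frame, unsigned n) { return frame + 4 + 4 * n; }

/* Replays the caller's pushes, the call, the prologue and the sscanf argument
 * setup. Returns 1 if every slot holds what the answer says it should. */
static int simulate(uint32_t arg1, uint32_t arg2, uint32_t ret, uint32_t fmt) {
    esp = STACK_BYTES;
    push32(arg2);                 /* cdecl: arguments pushed right to left */
    push32(arg1);
    push32(ret);                  /* `call` pushes the return address */
    esp -= 0x2c;                  /* sub $0x2c,%esp */

    if (load32(0x2c) != ret)  return 0;  /* caller's saved eip */
    if (load32(0x30) != arg1) return 0;  /* first argument */
    if (load32(0x34) != arg2) return 0;  /* second argument */

    store32(0x4, fmt);            /* movl $0x804a819,0x4(%esp) */
    store32(0x0, load32(0x30));   /* mov 0x30(%esp),%eax ; mov %eax,(%esp) */

    /* At the call to sscanf: (%esp) is its 1st argument, 4(%esp) its 2nd. */
    return load32(0x0) == arg1 && load32(0x4) == fmt;
}

int main(void) {
    /* Constructed sample values; only the format-string address is from the page. */
    int ok = simulate(0x11111111u, 0x22222222u, 0x08048abcu, 0x804a819u);
    printf("arg0 at esp+0x%x, arg1 at esp+0x%x, layout %s\n",
           (unsigned)arg_offset(0x2c, 0), (unsigned)arg_offset(0x2c, 1),
           ok ? "matches" : "does not match");
    return ok ? 0 : 1;
}
```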