understanding assembly code for binary bomb phase 2

Question

I am working on the binary bomb project. I am working on this code and I am trying to understand parts of the assembly code. So I get through phase1 easily, and for phase 2 I need to input 4 characters.

For example: phase-2: x y z d

In the example below I used the input: a b c d as my four characters

When I run this in the gdp and inspect the assembly code I get the following:

Dump of assembler code for function phase2:
   0x080487d6 <+0>: push   %ebp
   0x080487d7 <+1>: mov    %esp,%ebp
   0x080487d9 <+3>: sub    $0xc,%esp
=> 0x080487dc <+6>: mov    0x8(%ebp),%ecx
   0x080487df <+9>: mov    0xc(%ebp),%edx
   0x080487e2 <+12>:    mov    0x10(%ebp),%eax
   0x080487e5 <+15>:    mov    %cl,-0x4(%ebp)
   0x080487e8 <+18>:    mov    %dl,-0x8(%ebp)
   0x080487eb <+21>:    mov    %al,-0xc(%ebp)
   0x080487ee <+24>:    cmpb   $0x77,-0x4(%ebp)
   0x080487f2 <+28>:    jne    0x8048807 <phase2+49>
   0x080487f4 <+30>:    cmpb   $0x62,-0x8(%ebp)
   0x080487f8 <+34>:    jne    0x8048807 <phase2+49>
   0x080487fa <+36>:    cmpb   $0x79,-0xc(%ebp)
   0x080487fe <+40>:    jne    0x8048807 <phase2+49>
   0x08048800 <+42>:    mov    $0x1,%eax
   0x08048805 <+47>:    jmp    0x804880c <phase2+54>
   0x08048807 <+49>:    mov    $0x0,%eax
   0x0804880c <+54>:    leave  
   0x0804880d <+55>:    ret    
End of assembler dump.

What I really what to understand is

   0x080487ee <+24>:    cmpb   $0x77,-0x4(%ebp)

What is going on here? I think that it is comparing the value $0x77 to the value in ebp. Does that make sense? When how do I know what is stored in ebp?

I run the code up until the above line, and ebp and I get the following:

ebp            0xbffff6e8   0xbffff6e8

So to sum it up, I want to know what that compare line is really doing, just so I can understand the code a little better. And how I can find out what that value in ebp is without going to the leave state.

Answer 1

%ebp usually used as the stack frame pointer -- the -0x4 is an offset from the address stored in %ebp -- and values below (negative offset) %ebp are typically local variables (if compiled from C code) and values above (positive offset) are usually function parameters. This code appears to be code produced from compiling C code, and the %ebp usage is typical. -0x4(%ebp) would refer to the first local variable of the function. It appears to have been set a few statements earlier with mov %cl,-0x4(%ebp). That raises the question of where the value in the %cl value came frome, and if we trace further back, we can see that it was mov 0x8(%ebp),%cx that set %cl. Notice that the cmpb instruction has a b prefix, meaning that it is a byte-compare. (As opposed to a 16-bit or 32-bit compare.) This matches the observation that the value there was set using only %cl, which is also an 8-bit value.

All of this tells us that the line you are asking about is doing an 8-bit compare with the hex value 0x77. If you look at an ASCII table, you can see 0x77 is lowercase 'w'. The next instruction jumps if the byte isn't equal to that value. This leads me to conclude we are checking the first parameter passed to the function to see if it is a 'w' character.

Answer 2

As far as I know, this bomb thing is usually given to students. I have a feeling you are missing basic knowledge that you should have already learned. You should revisit whatever course material you have.

Anyway, some quick hints:

• x(%ebp) is indirect addressing, it accesses memory at address x+%ebp
• Function arguments are passed on the stack. Stack contents after line +1 starting from %ebp: saved ebp, return address, arg1, arg2, arg3
• Line +6 loads 8(%ebp) (which is the first argument) into %ecx.
• Line +15 then saves the low 8 bits of this into a local variable at -4(%ebp).
• Line +24 then compares this value to 0x77.

Note that you claim you need 4 numbers. While that may be true in the caller, this phase2 only uses 3 arguments.