Analyzing gdb disassembly

Question

DISCLAIMER: This is a homework problem so I do not want you to just tell me the answer. Rather I need help understanding how this code works. If this is not allowed then that is fine I can take this down or whatever is required by me. What I am trying to do is understand x86(Intel). I am just learning it and there is so much going on that I often find myself staring at the screen making no progress. What will help me is asking ME questions that lead to the answer rather than giving me the answer. I know this is not a discussion forum so maybe someone can point me to place that would be glad to help me with a problem such as this.

What I understand so far is that space is allocated on the stack by the sub instruction. then whatever is in eax is moved to the stack. then the combinations of mov and lea confuses me. My intuition tells me that pointers are being stored on the stack to be used later. Or that it might be some kind of mathematical function being performed on the number I provided. In the beginning of the function I found that eax had the number I inputted. Another thing I found is that doing x/s 0x804a819 gave me "%d %d %d %d %d %d". Is this moving six numbers to 0x4(%esp)? I found the address 0x804a819 from the movl instruction. Just before the call to sscanf there is mov %eax,(%esp) I assume the program is saving the position of the stack pointer for later use? One thing I have tried is after the call 0x80488d0 <__isoc99_sscanf@plt> is executed I did p $eax = 0x7 so that the instruction cmp $0x5,%eax would set the right flags so that the instruction jg 0x80495b5 would skip over calling explode_bomb. But no matter what explode_bomb gets called. So I'm sure there is something I am missing and its probably not even in this function.

Some other questions. A functions local variables are stored on the stack correct?

sub    $0x2c,%esp
mov    0x34(%esp),%eax
lea    0x14(%eax),%edx
mov    %edx,0x1c(%esp)
lea    0x10(%eax),%edx
mov    %edx,0x18(%esp)
lea    0xc(%eax),%edx
mov    %edx,0x14(%esp)
lea    0x8(%eax),%edx
mov    %edx,0x10(%esp)
lea    0x4(%eax),%edx
mov    %edx,0xc(%esp)
mov    %eax,0x8(%esp)
movl   $0x804a819,0x4(%esp)
mov    0x30(%esp),%eax
mov    %eax,(%esp)
call   0x80488d0 <__isoc99_sscanf@plt>
cmp    $0x5,%eax
jg     0x80495b5 <read_six_numbers+76>
call   0x804941c <explode_bomb>
add    $0x2c,%esp
ret 

Answer 1

It will probably be helpful to remember that on i386, function arguments are passed on the stack. On function entry, if you read the word of memory at the stack pointer's address, you'll find the caller's return address.

It looks like your mystery function here takes two arguments. So when it says

sub    $0x2c,%esp
mov    0x34(%esp),%eax

Once 0x2c has been subtracted from the stack pointer, we can find the caller's saved eip at *(esp + 0x2c), we can find the first argument at *(esp + 0x30) and we can find the second argument at *(esp + 0x34). You can see a reference to that second argument here,

movl   $0x804a819,0x4(%esp)
mov    0x30(%esp),%eax
mov    %eax,(%esp)
call   0x80488d0 <__isoc99_sscanf@plt>

This stores the address of your format string at address (0x804a819) at *(esp+4) - so that is going to be the 2nd argument to sscanf(). Then it loads the first argument to your mystery function (at *(esp + 0x30)) and stores it at *(esp) - so it will be the 1st argument to sscanf().

Hopefully that's enough help to understand the function without being too helpful. :)