Analyzing assembly code EX "mov %eax,0x8(%ebx)"

StackOverflow https://stackoverflow.com/questions/15752058

Question

This is a hw problem. I am not asking for the answer to not have 'explode_bomb' ever run. I am asking for clarification/guidance on what is happening in a small segment of code.

This is what I'm trying to figure out (what is happening at the [0x8(%ebx)] code below)? Doesn't 0x8(%register) mean its accessing the value at the memory address %register+0x8? It doesn't look like a memory address is being stored there... I know it is a vague question. I marked the lines I don't understand as LINEXXX-HexAddress** in the psuedoesque code. [The LINEXXX - are the line numbers from ddd-it didn't let me copy from ddd so I used objdump...]

Thank you so much, Any small tips are appreciated.

8048efa:    8b 5c 24 10             mov    0x10(%esp),%ebx
8048efe:    8b 44 24 14             mov    0x14(%esp),%eax
8048f02:    89 43 08                mov    %eax,0x8(%ebx)
8048f05:    8b 54 24 18             mov    0x18(%esp),%edx
8048f09:    89 50 08                mov    %edx,0x8(%eax)
8048f0c:    8b 44 24 1c             mov    0x1c(%esp),%eax
8048f10:    89 42 08                mov    %eax,0x8(%edx)
8048f13:    8b 54 24 20             mov    0x20(%esp),%edx
8048f17:    89 50 08                mov    %edx,0x8(%eax)
8048f1a:    8b 44 24 24             mov    0x24(%esp),%eax
8048f1e:    89 42 08                mov    %eax,0x8(%edx)
8048f21:    c7 40 08 00 00 00 00    movl   $0x0,0x8(%eax)
8048f28:    be 05 00 00 00          mov    $0x5,%esi
8048f2d:    8b 43 08                mov    0x8(%ebx),%eax
8048f30:    8b 10                   mov    (%eax),%edx
8048f32:    39 13                   cmp    %edx,(%ebx)
8048f34:    7d 05                   jge    8048f3b <phase_6+0xca>
8048f36:    e8 d3 03 00 00          call   804930e <explode_bomb>
8048f3b:    8b 5b 08                mov    0x8(%ebx),%ebx
8048f3e:    83 ee 01                sub    $0x1,%esi

Some pseudo code I made to help me better see what is happening:

example input-> "6 89 79 69 59 49"
eax = "6 89 79 69 59 49"
stuff
after stuff (read_six_numbers)
eax = 6
0x28(esp,edi*4)
edi=0 -> 6
edi=1 -> 89
edi=2 -> 79
edi=3 -> 69
edi=4 -> 59
edi=5 -> 49

naming this as array[]
----------------
edi=0;
esi=0;
Line31:
eax = array[edi];
eax--;
if((unsigned int)eax > 5) explodebomb();
esi=1+edi;
if(esi==6)goto Line109
ebx=esi;
Line58:
eax=array[ebx];
if(eax == array[esi-1]) explodebomb();
ebx++;
edi=esi;
if(5<=ebx)goto Line58;
else goto Line31;
Line85:
edx = *edx + 8;
eax++;
if(ecx != eax)goto Line85;
Line85:
array2[esi]=edx;
ebx++;
if(6 != ebx) goto Line114;
goto Line137
ebx = 0;
esi=ebx;
ecx=array[ebx];
eax = 1;
edx=0x804c154;
if(1>ecx)goto Line85;
goto Line95;
ebx=array2[0];
eax=array2[1];
LINE145-0x08048f02**** 0x8(ebx)=eax;
edx=array2[2];
LINE152-0x08048f09**** 0x8(eax)=edx;
eax=array2[3];
LINE159-0x08048f10**** 0x8(edx)=eax;
edx=array2[4];
LINE166-0x08048f17**** 0x8(eax)=edx;
eax=array2[5];
LINE173-0x08048f1e**** 0x8(edx)=eax;
LINE176-0x08048f21**** 0x8(eax)=eax;
esi=5;
Line188:
LINE188-0x08048f2d**** eax=0x8(ebx);
edx=(eax);
if(!(edx >= (ebx))) explodebomb();
LINE202-0x08048f3b**** ebx=0x8(ebx);
esi--;
if(edx != (ebx)) goto Line188;
esp+=0x40;
return eax;

Assembly code:

08048e71 <phase_6>:
8048e71:    57                      push   %edi
8048e72:    56                      push   %esi
8048e73:    53                      push   %ebx
8048e74:    83 ec 40                sub    $0x40,%esp
8048e77:    8d 44 24 28             lea    0x28(%esp),%eax
8048e7b:    89 44 24 04             mov    %eax,0x4(%esp)
8048e7f:    8b 44 24 50             mov    0x50(%esp),%eax
8048e83:    89 04 24                mov    %eax,(%esp)
8048e86:    e8 ce 05 00 00          call   8049459 <read_six_numbers>
8048e8b:    bf 00 00 00 00          mov    $0x0,%edi
8048e90:    8b 44 bc 28             mov    0x28(%esp,%edi,4),%eax
8048e94:    83 e8 01                sub    $0x1,%eax
8048e97:    83 f8 05                cmp    $0x5,%eax
8048e9a:    76 05                   jbe    8048ea1 <phase_6+0x30>
8048e9c:    e8 6d 04 00 00          call   804930e <explode_bomb>
8048ea1:    8d 77 01                lea    0x1(%edi),%esi
8048ea4:    83 fe 06                cmp    $0x6,%esi
8048ea7:    74 35                   je     8048ede <phase_6+0x6d>
8048ea9:    89 f3                   mov    %esi,%ebx
8048eab:    8b 44 9c 28             mov    0x28(%esp,%ebx,4),%eax
8048eaf:    39 44 b4 24             cmp    %eax,0x24(%esp,%esi,4)
8048eb3:    75 05                   jne    8048eba <phase_6+0x49>
8048eb5:    e8 54 04 00 00          call   804930e <explode_bomb>
8048eba:    83 c3 01                add    $0x1,%ebx
8048ebd:    89 f7                   mov    %esi,%edi
8048ebf:    83 fb 05                cmp    $0x5,%ebx
8048ec2:    7e e7                   jle    8048eab <phase_6+0x3a>
8048ec4:    eb ca                   jmp    8048e90 <phase_6+0x1f>
8048ec6:    8b 52 08                mov    0x8(%edx),%edx
8048ec9:    83 c0 01                add    $0x1,%eax
8048ecc:    39 c8                   cmp    %ecx,%eax
8048ece:    75 f6                   jne    8048ec6 <phase_6+0x55>
8048ed0:    89 54 b4 10             mov    %edx,0x10(%esp,%esi,4)
8048ed4:    83 c3 01                add    $0x1,%ebx
8048ed7:    83 fb 06                cmp    $0x6,%ebx
8048eda:    75 07                   jne    8048ee3 <phase_6+0x72>
8048edc:    eb 1c                   jmp    8048efa <phase_6+0x89>
8048ede:    bb 00 00 00 00          mov    $0x0,%ebx
8048ee3:    89 de                   mov    %ebx,%esi
8048ee5:    8b 4c 9c 28             mov    0x28(%esp,%ebx,4),%ecx
8048ee9:    b8 01 00 00 00          mov    $0x1,%eax
8048eee:    ba 54 c1 04 08          mov    $0x804c154,%edx
8048ef3:    83 f9 01                cmp    $0x1,%ecx
8048ef6:    7f ce                   jg     8048ec6 <phase_6+0x55>
8048ef8:    eb d6                   jmp    8048ed0 <phase_6+0x5f>
8048efa:    8b 5c 24 10             mov    0x10(%esp),%ebx
8048efe:    8b 44 24 14             mov    0x14(%esp),%eax
8048f02:    89 43 08                mov    %eax,0x8(%ebx)
8048f05:    8b 54 24 18             mov    0x18(%esp),%edx
8048f09:    89 50 08                mov    %edx,0x8(%eax)
8048f0c:    8b 44 24 1c             mov    0x1c(%esp),%eax
8048f10:    89 42 08                mov    %eax,0x8(%edx)
8048f13:    8b 54 24 20             mov    0x20(%esp),%edx
8048f17:    89 50 08                mov    %edx,0x8(%eax)
8048f1a:    8b 44 24 24             mov    0x24(%esp),%eax
8048f1e:    89 42 08                mov    %eax,0x8(%edx)
8048f21:    c7 40 08 00 00 00 00    movl   $0x0,0x8(%eax)
8048f28:    be 05 00 00 00          mov    $0x5,%esi
8048f2d:    8b 43 08                mov    0x8(%ebx),%eax
8048f30:    8b 10                   mov    (%eax),%edx
8048f32:    39 13                   cmp    %edx,(%ebx)
8048f34:    7d 05                   jge    8048f3b <phase_6+0xca>
8048f36:    e8 d3 03 00 00          call   804930e <explode_bomb>
8048f3b:    8b 5b 08                mov    0x8(%ebx),%ebx
8048f3e:    83 ee 01                sub    $0x1,%esi
8048f41:    75 ea                   jne    8048f2d <phase_6+0xbc>
8048f43:    83 c4 40                add    $0x40,%esp
8048f46:    5b                      pop    %ebx
8048f47:    5e                      pop    %esi
8048f48:    5f                      pop    %edi
8048f49:    c3                      ret
Was it helpful?

Solution

I don't want to reveal too much, but here are some hints:

  1. In the code in addresses 0x8048ec6 through 0x8048ef8, an array of six pointers (esp+0x10 - esp+0x28) is populated with pointers that are taken from some global data. This data seems to start from offset 0x804c154 (see offset 0x8048eee in your listing)

  2. later on, starting from offset 0x8048efa in your listing, the array mentioned in #1 is referenced, this is how I understand it (this is psuedo code...):

    struct s { 
    int value; 
    int ??;
    struct s * next;
};
// in esp+0x10
struct s *point_arr[6];
point_arr[0]->next = &point_arr[1];
point_arr[1]->next = &point_arr[2];
point_arr[2]->next = &point_arr[3];
point_arr[3]->next = &point_arr[4];
point_arr[4]->next = &point_arr[5];
point_arr[5]->next = NULL;

  3. After this, there is a check (in a loop) that (point_arr[i]->value > point_arr[i-1]->value)

So, when you say no memory address is stored in %ebx, it is not accurate. The memory address is stored in %esp+0x10 and %esp+0x10 is stored in %ebx.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top