Edit: actually, been really tired... mixing up arguments and local vars isn't usually an error I make ...
Corrected reverse engineering:
Still only parts of this, for phase4():
0x08048f47 <+6>: lea -0x10(%ebp),%eax
0x08048f4a <+9>: mov %eax,0xc(%esp) <== arg3 (&(int l)) sscanf()
0x08048f4e <+13>: lea -0xc(%ebp),%eax
0x08048f51 <+16>: mov %eax,0x8(%esp) <== arg2 (&(int m)) sscanf()
0x08048f55 <+20>: movl $0x804a64c,0x4(%esp) <== arg1 (fmt) sscanf()
0x08048f5d <+28>: mov 0x8(%ebp),%eax
0x08048f60 <+31>: mov %eax,(%esp) <== arg0 --> arg1 sscanf()
0x08048f63 <+34>: call 0x8048894 <__isoc99_sscanf@plt>
0x08048f68 <+39>: cmp $0x2,%eax
0x08048f6b <+42>: jne 0x8048f79 <phase_4+56> <== if (sscanf(...) != 2)
0x08048f6d <+44>: mov -0xc(%ebp),%eax explode_bomb();
0x08048f70 <+47>: test %eax,%eax
0x08048f72 <+49>: js 0x8048f79 <phase_4+56> <== if (m < 0) // signed
0x08048f74 <+51>: cmp $0xe,%eax explode_bomb();
0x08048f77 <+54>: jle 0x8048f7e <phase_4+61> <== if (!(m <= 14))
0x08048f79 <+56>: call 0x80493e1 <explode_bomb> explode_bomb();
[ ... ]
0x08048f94 <+83>: call 0x8048c80 <func4>
0x08048f99 <+88>: cmp $0x12,%eax <== if (func4(...) != 18)
0x08048f9c <+91>: jne 0x8048fa4 <phase_4+99> explode_bomb();
0x08048f9e <+93>: cmpl $0x12,-0x10(%ebp) <== if (l != 18)
0x08048fa2 <+97>: je 0x8048fad <phase_4+108> explode_bomb();
0x08048fa4 <+99>: lea 0x0(%esi,%eiz,1),%esi
0x08048fa8 <+103>: call 0x80493e1 <explode_bomb>
0x08048fad <+108>: leave
So this calls sscanf() with the format string stored at 0x804a64c (likely "%d %d"), passing the argument of phase4() as the string to parse; i.e. in C source, it's sscanf("%d %d", phase4_arg, &l, &m); with l and m being local int vars. It tests that two numbers have successfully been parsed, and later checks their values.