Gdb Assembly code

[tnau]

Hi,


I have tried looking for similar bombs with similar assembly and I cant seem to find one. I am having trouble with this phase specifically what is going on at line <70>. Here is my assembly and below are my findings:



[

Code:

     0x00000000004011f1 <+0>:    sub    $0x18,%rsp
       0x00000000004011f5 <+4>:    lea    0xc(%rsp),%rcx
       0x00000000004011fa <+9>:    lea    0x8(%rsp),%rdx
       0x00000000004011ff <+14>:    mov    $0x402af1,%esi
       0x0000000000401204 <+19>:    mov    $0x0,%eax
       0x0000000000401209 <+24>:    callq  0x400cb0 <__isoc99_sscanf@plt>
       0x000000000040120e <+29>:    cmp    $0x1,%eax
       0x0000000000401211 <+32>:    jg     0x401218 <phase_5+39>
       0x0000000000401213 <+34>:    callq  0x401785 <explode_bomb>
       0x0000000000401218 <+39>:    mov    0x8(%rsp),%eax
       0x000000000040121c <+43>:    and    $0xf,%eax
       0x000000000040121f <+46>:    mov    %eax,0x8(%rsp)
       0x0000000000401223 <+50>:    cmp    $0xf,%eax
       0x0000000000401226 <+53>:    je     0x401254 <phase_5+99>
       0x0000000000401228 <+55>:    mov    $0x0,%ecx
       0x000000000040122d <+60>:    mov    $0x0,%edx
       0x0000000000401232 <+65>:    add    $0x1,%edx
       0x0000000000401235 <+68>:    cltq   
       0x0000000000401237 <+70>:    mov    0x402820(,%rax,4),%eax
       0x000000000040123e <+77>:    add    %eax,%ecx
       0x0000000000401240 <+79>:    cmp    $0xf,%eax
       0x0000000000401243 <+82>:    jne    0x401232 <phase_5+65>
       0x0000000000401245 <+84>:    mov    %eax,0x8(%rsp)
       0x0000000000401249 <+88>:    cmp    $0xf,%edx
       0x000000000040124c <+91>:    jne    0x401254 <phase_5+99>
       0x000000000040124e <+93>:    cmp    0xc(%rsp),%ecx
       0x0000000000401252 <+97>:    je     0x401259 <phase_5+104>
       0x0000000000401254 <+99>:    callq  0x401785 <explode_bomb>
       0x0000000000401259 <+104>:    add    $0x18,%rsp
       0x000000000040125d <+108>:    retq enter code here]

I know that the function taking two integers. The first one entered is at rdx and the second one is at rcx. It then puts the first integer into eax <39> after it makes sure two numbers were inputted.


<43> It then takes the least significant bit of eax with a bitwise and and stores it in eax


<46> the new value of eax is then stored in the original location of the first integer.


<50> eax is compared with 15 and if its less than 15 the program continue


<55,60> ecx and edx are now 0


<65> we start a loop edx is the index and 1 is added to it before starting the loop.


<70> I am not sure what exactly is happening here mov 0x402820(,%rax,4),%eax but i know that it is changing the value of eax


<77> adds the summ of eax and ecx (im not sure how ecx ever gets a value as it was already set at 0 <55> and there is no change up until this instruction


<79>checks if eax = 15 if it doesnt the loop reruns


<88>when eax is 15 it then checks if the loop counter edx has been run 15 times


<93> compares the second int entered to ecx which i beleive eax would equal to eax from line <77>


any help or guidance is greatly appreciated.

[Salem]

https://en.wikipedia.org/wiki/X86#Addressing_modes

> mov 0x402820(,%rax,4),%eax
It looks like 0x402820 is a statically declared const array (it's only 5K away from the code, so I'm guessing it too is read-only).
%rax is your index, and 4 means each array element is 4 bytes wide.

Study how this simple loop compiles to code.

Code:

#include <stdio.h>
const int arr[10] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 };
int main( void )
{
  int sum = 0;
  for ( int i = 0 ; i < 10 ; i++ ) {
    sum += arr[i];
  }
  printf("%d\n",sum);
  return 0;
}

Compiles to

Code:

$ gcc -S -std=c99 foo.c
$ more foo.s
        .file   "foo.c"
        .globl  arr
        .section        .rodata
        .align 32
        .type   arr, @object
        .size   arr, 40
arr:
        .long   1
        .long   2
        .long   3
        .long   4
        .long   5
        .long   6
        .long   7
        .long   8
        .long   9
        .long   0
.LC0:
        .string "%d\n"
        .text
        .globl  main
        .type   main, @function
main:
.LFB0:
        .cfi_startproc
        pushq   %rbp
        .cfi_def_cfa_offset 16
        .cfi_offset 6, -16
        movq    %rsp, %rbp
        .cfi_def_cfa_register 6
        subq    $16, %rsp
        movl    $0, -8(%rbp)
        movl    $0, -4(%rbp)
        jmp     .L2
.L3:
        movl    -4(%rbp), %eax
        cltq
        movl    arr(,%rax,4), %eax
        addl    %eax, -8(%rbp)
        addl    $1, -4(%rbp)
.L2:
        cmpl    $9, -4(%rbp)
        jle     .L3
        movl    $.LC0, %eax
        movl    -8(%rbp), %edx
        movl    %edx, %esi
        movq    %rax, %rdi
        movl    $0, %eax
        call    printf
        movl    $0, %eax
        leave
        .cfi_def_cfa 7, 8
        ret
        .cfi_endproc

[tnau]

Thanks for the guidance, I figured out my mistake i wasnt adding those correctly