
Decoding Assembly Language with GDB

Alright, so I have been trying to follow this assembly code for quite some time and I can't seem to figure out the pattern that it produces. Here's the code along with the initial register values.

   0x08048c74 <+0>: push   %esi
   0x08048c75 <+1>: push   %ebx
=> 0x08048c76 <+2>: sub    $0x34,%esp
   0x08048c79 <+5>: lea    0x18(%esp),%eax
   0x08048c7d <+9>: mov    %eax,0x4(%esp)
   0x08048c81 <+13>:    mov    0x40(%esp),%eax
   0x08048c85 <+17>:    mov    %eax,(%esp)
   0x08048c88 <+20>:    call   0x80494d4 <read_six_numbers>
   0x08048c8d <+25>:    cmpl   $0x0,0x18(%esp)
   0x08048c92 <+30>:    jne    0x8048c9b <phase_2+39>
   0x08048c94 <+32>:    cmpl   $0x1,0x1c(%esp)
   0x08048c99 <+37>:    je     0x8048cba <phase_2+70>
   0x08048c9b <+39>:    call   0x8049495 <explode_bomb>
   0x08048ca0 <+44>:    jmp    0x8048cba <phase_2+70>
   0x08048ca2 <+46>:    mov    -0x8(%ebx),%eax
   0x08048ca5 <+49>:    add    -0x4(%ebx),%eax
   0x08048ca8 <+52>:    cmp    %eax,(%ebx)
   0x08048caa <+54>:    je     0x8048cb1 <phase_2+61>
   0x08048cac <+56>:    call   0x8049495 <explode_bomb>
   0x08048cb1 <+61>:    add    $0x4,%ebx
   0x08048cb4 <+64>:    cmp    %esi,%ebx
   0x08048cb6 <+66>:    jne    0x8048ca2 <phase_2+46>
   0x08048cb8 <+68>:    jmp    0x8048cc4 <phase_2+80>
   0x08048cba <+70>:    lea    0x20(%esp),%ebx
   0x08048cbe <+74>:    lea    0x30(%esp),%esi
   0x08048cc2 <+78>:    jmp    0x8048ca2 <phase_2+46>
   0x08048cc4 <+80>:    add    $0x34,%esp
   0x08048cc7 <+83>:    pop    %ebx
   0x08048cc8 <+84>:    pop    %esi
   0x08048cc9 <+85>:    ret    
End of assembler dump.
(gdb) i r
eax            0x804c870    134531184
ecx            0xc  12
edx            0x2  2
ebx            0x2  2
esp            0xffffd054   0xffffd054
ebp            0xffffd078   0xffffd078
esi            0xffffd114   -12012
edi            0x0  0
eip            0x8048c76    0x8048c76 <phase_2+2>
eflags         0x286    [ PF SF IF ]
cs             0x23 35
ss             0x2b 43
ds             0x2b 43
es             0x2b 43
fs             0x0  0
gs             0x63 99
(gdb) x/d $esp
0xffffd054: 2
(gdb) 

The original values I plugged in were: 1 2 3 4 5 6

read_six_numbers is just a function that checks if you have 6 numbers; however, there are some lines that I want to double-check to see if I understand them right. For example:

cmpl   $0x0,0x18(%esp)

From what I know, this checks to see if the esp register is equal to zero. If it is not, then the bomb blows up. Since this is the first comparison, does that mean the first number should be zero?

Other lines such as:

add    -0x4(%ebx),%eax

and

add    $0x4,%ebx

I feel like I need to pay attention to these since they change the values of the numbers inside the register. I know there is supposed to be a pattern to the numbers such as *3 or +3, etc. However, I think the pattern has to do with 4, since both adds are changing the value by 4. I've managed to get the code on ODA to help visualize the jumping; here's the link: http://www2.onlinedisassembler.com/odaweb/J0tDzn/0

Just click on phase_2 in the symbols section. I only need to know how to get the first 2 numbers, as from there the third number should be straightforward and the pattern should be clear. I do apologize if this is a long post, but I've been trying to understand this for quite some time and am getting stuck trying to find the clues that give away the pattern. Any help would be greatly appreciated! Thanks in advance!

cmpl   $0x0,0x18(%esp)

From what I know, this checks to see if the esp register is equal to zero.

No, it compares the value in memory at address %esp+0x18.

does that mean the first number should be zero?

But this happens to be true :)

However I think the pattern has to do with 4 since both the adds or changing the value by 4.

No. Notice that the 4 applies to the memory address, not the value. That is because integers are 4 bytes. add -0x4(%ebx),%eax will add the number from memory at address %ebx-4 to %eax.

I only need to know how to get to get the first 2 numbers

Well, you already know the first has to be zero. Since the numbers are in memory from address %esp+0x18 and each is 4 bytes, the instruction cmpl $0x1,0x1c(%esp) checks the second number.

You should revisit whatever material you have to get some basic things right. Otherwise you will have a hard time with the subsequent phases.
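To make the addressing concrete, here is an added C reconstruction of phase_2 written directly from the disassembly in the question (it is not code from the bomb or from either poster; the names phase2_passes, phase2_solution and the helper functions are my own). The six numbers live at %esp+0x18 as a 4-byte int array; 0x18(%esp) is a[0], 0x1c(%esp) is a[1], and the loop at <+46> walks %ebx from %esp+0x20 (&a[2]) up to %esi = %esp+0x30 (&a[6], one past the end), checking each element against the sum of the two before it. Note also that the register dump in the question was taken at <+2>, before sub $0x34,%esp, so x/d $esp there shows the just-pushed %ebx (2), not one of the six numbers.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added reconstruction of phase_2 from the posted disassembly.
 * Function names here are mine, not symbols from the bomb binary. */

#define NUM_COUNT 6   /* read_six_numbers fills 6 ints at 0x18(%esp) */

/* Mirrors phase_2's checks: returns true if the six numbers would defuse
 * the phase, false at the first check that would reach explode_bomb. */
static bool phase2_passes(const int a[NUM_COUNT])
{
    /* cmpl $0x0,0x18(%esp) ; jne explode   -> a[0] must be 0
     * cmpl $0x1,0x1c(%esp) ; je  <+70>     -> a[1] must be 1
     * anything else falls through to call explode_bomb at <+39> */
    if (a[0] != 0 || a[1] != 1)
        return false;

    /* lea 0x20(%esp),%ebx -> p = &a[2]
     * lea 0x30(%esp),%esi -> end = &a[6]  (one past the last element) */
    for (const int *p = &a[2]; p != &a[NUM_COUNT]; p++) {
        /* mov -0x8(%ebx),%eax  -> eax = p[-2]
         * add -0x4(%ebx),%eax  -> eax += p[-1]
         * cmp %eax,(%ebx)      -> compare with *p, explode if different
         * add $0x4,%ebx        -> next 4-byte int, not "value + 4" */
        int expected = p[-2] + p[-1];
        if (*p != expected)
            return false;
    }
    return true;   /* jmp <+80>: restore stack, pop %ebx/%esi, ret */
}

/* Builds the only input that satisfies every check above. */
static void phase2_solution(int out[NUM_COUNT])
{
    out[0] = 0;
    out[1] = 1;
    for (int i = 2; i < NUM_COUNT; i++)
        out[i] = out[i - 2] + out[i - 1];
}

/* Small helpers so the results can be checked by return value. */
static int phase2_solution_at(int i)
{
    int s[NUM_COUNT];
    phase2_solution(s);
    return s[i];
}

static bool solution_defuses(void)
{
    int s[NUM_COUNT];
    phase2_solution(s);
    return phase2_passes(s);
}

/* The input the question author actually typed: 1 2 3 4 5 6. */
static bool original_guess_defuses(void)
{
    int guess[NUM_COUNT] = {1, 2, 3, 4, 5, 6};
    return phase2_passes(guess);
}

int main(void)
{
    int s[NUM_COUNT];
    phase2_solution(s);
    printf("phase_2 input:");
    for (int i = 0; i < NUM_COUNT; i++)
        printf(" %d", s[i]);
    printf("\noriginal guess 1 2 3 4 5 6 defuses: %s\n",
           original_guess_defuses() ? "yes" : "no");
    return 0;
}
```

To confirm the layout in gdb itself, break at <+25> (just after the call to read_six_numbers returns) and run x/6dw $esp+0x18; the six integers you typed appear in order, which is the same view the loop walks one 4-byte slot at a time.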
