
Rookie Assembly Bomb Defusal cmp Operator

I'm new to assembly and really have no idea what is going on.

I'm trying to complete a homework assignment in which we have to defuse a bomb by finding out the correct input to five phases of a program.

I've tried looking online for the answer to my question but I really have no idea what to search to find the answer I'm looking for.

I believe I understand everything in the code below from <+0> to <+35>. At <+40> the cmp operator is called to compare $0x2 and what is stored in the %eax register. At the time of the comparison I believe %eax is still storing a function call to scanf (correct me if I'm wrong).

Through use of gdb I do know that the scanf function was called as follows: scanf("%d %d", &x, &y);

So what exactly is $0x2 referring to in this case (is it just the value 2?) and what is happening when comparing the two items?

I believe this is GAS Syntax.

   0x0804870a <+0>:     sub    $0x2c,%esp
   0x0804870d <+3>:     lea    0x1c(%esp),%eax
   0x08048711 <+7>:     mov    %eax,0xc(%esp)
   0x08048715 <+11>:    lea    0x18(%esp),%eax
   0x08048719 <+15>:    mov    %eax,0x8(%esp)
   0x0804871d <+19>:    movl   $0x8048baa,0x4(%esp)
   0x08048725 <+27>:    mov    0x804b040,%eax
   0x0804872a <+32>:    mov    %eax,(%esp)
   0x0804872d <+35>:    call   0x8048480 <__isoc99_fscanf@plt>
   0x08048732 <+40>:    cmp    $0x2,%eax
   0x08048735 <+43>:    je     0x8048743 <phase_1_of_5+57>
   0x08048737 <+45>:    movl   $0x1,(%esp)
   0x0804873e <+52>:    call   0x80486ef <explode>
   0x08048743 <+57>:    mov    0x18(%esp),%eax
   0x08048747 <+61>:    mov    %eax,%edx
   0x08048749 <+63>:    shl    $0x5,%edx
   0x0804874c <+66>:    add    %edx,%eax
   0x0804874e <+68>:    cmp    0x1c(%esp),%eax
   0x08048752 <+72>:    je     0x8048760 <phase_1_of_5+86>
   0x08048754 <+74>:    movl   $0x1,(%esp)
   0x0804875b <+81>:    call   0x80486ef <explode>
   0x08048760 <+86>:    add    $0x2c,%esp
   0x08048763 <+89>:    ret

This is a common confusion with JE and related instructions. I would recommend getting a debugger to visualize what the code is doing.

cmp is internally subtracting, but really it's checking if eax == 2. If eax == 2, JE (JUMP IF EQUAL) jumps, so the EIP register (the next instruction executed) becomes 0x08048743 (the memory address of "phase_1_of_5+57"). If eax != 2, it steps over JE, ignoring it.

SPOILER DO NOT READ THIS UNTIL YOU PRACTISE YOURSELF AND GET STUCK AGAIN:

So we look at http://www.tutorialspoint.com/c_standard_library/c_function_fscanf.htm to see what fscanf does. We see that a return value of 2 means it expects 2 terms of input. Now we assume we enter two terms, and we follow the JE.

We see (this is why you need a debugger, to visualize this)

mov    0x18(%esp),%eax
...
cmp    0x1c(%esp),%eax

0x18 == 6th value on the stack
0x1c == 7th value on the stack
Safe to assume these are the two input terms.

0x08048743 <+57>:    mov    0x18(%esp),%eax
0x08048747 <+61>:    mov    %eax,%edx
0x08048749 <+63>:    shl    $0x5,%edx
0x0804874c <+66>:    add    %edx,%eax

Here we can assume the way to defuse the bomb is to enter, as the second term, the first term shifted left by 5 added to the first term.

So 0 0 should defuse it.
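As an added illustration (not the bomb's own source and not part of the answer above), here is a C model of phase_1_of_5 as read from the disassembly: the first check requires fscanf to return 2, and the second requires the second integer to equal x + (x << 5), i.e. 33*x. The function names phase1_parse, phase1_passes, phase1_solve and phase1_run are assumptions for illustration, sscanf on a string stands in for fscanf on the stream loaded from 0x804b040 (taken to be stdin, as the question states), and the arithmetic is done in uint32_t so it wraps exactly as the 32-bit registers do, which is the check a practitioner would want before trusting "33*x" for large inputs.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example modelling phase_1_of_5 from the disassembly; these function
 * names are assumptions, not symbols from the bomb binary. */

/* First check (<+35>/<+40>): fscanf("%d %d", &x, &y) must return 2.
 * sscanf on a constructed line replaces fscanf(stdin, ...) so this runs
 * offline. Returns 1 if both integers parse, 0 if the bomb would explode. */
int phase1_parse(const char *line, int32_t *x, int32_t *y)
{
    return sscanf(line, "%d %d", x, y) == 2;
}

/* Second check (<+57> .. <+72>):
 *   mov 0x18(%esp),%eax ; mov %eax,%edx ; shl $5,%edx ; add %edx,%eax
 *   cmp 0x1c(%esp),%eax
 * eax ends up as x + 32*x == 33*x, computed modulo 2^32 like the CPU does. */
int phase1_passes(int32_t x, int32_t y)
{
    uint32_t ux = (uint32_t)x;
    uint32_t expected = ux + (ux << 5);
    return expected == (uint32_t)y;
}

/* For any first term, the second term that defuses the phase.
 * Note the wrap-around: 33*x is reduced mod 2^32, so large x do not
 * simply pair with "33 times x" as a mathematical integer. */
int32_t phase1_solve(int32_t x)
{
    return (int32_t)((uint32_t)x + ((uint32_t)x << 5));
}

/* Whole phase on one input line: 1 = defused, 0 = explode(1) would be called. */
int phase1_run(const char *line)
{
    int32_t x, y;
    if (!phase1_parse(line, &x, &y))
        return 0;               /* cmp $0x2,%eax failed */
    return phase1_passes(x, y); /* cmp 0x1c(%esp),%eax failed */
}

int main(void)
{
    /* Constructed sample inputs: two good lines, one off-by-one, one garbage. */
    const char *inputs[] = { "0 0", "1 33", "1 32", "7 231", "abc" };
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++)
        printf("%-8s -> %s\n", inputs[i],
               phase1_run(inputs[i]) ? "defused" : "BOOM");
    return 0;
}
```

The "0 0" line from the answer is one solution, but any pair (x, 33*x mod 2^32) passes; the 2^32 wrap is why the model uses unsigned arithmetic rather than a plain `33 * x`, which would be signed overflow (undefined behaviour in C) and might be optimised differently from what the hardware does.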
