
What 2 values are being compared in this Assembly cmp instruction?

I have a puzzle where I must reverse-engineer a function to decipher what the correct function inputs are (in order to proceed to the next function). While debugging, I used the following as my function input:

6 d 358

Now I'm stepping through gdb debugger to see if the input was correct.


When running gdb in AT&T syntax, I've run into the following cmp instruction:

0x0040107b <+315>:   movzbl -0x19(%ebp),%eax
0x0040107f <+319>:   cmp    %al,-0x9(%ebp)
0x00401082 <+322>:   je     0x401089 <phase_3+329>

This cmp instruction is theoretically comparing one of my inputs (either 6, d, or 358) to %al.

I ran:

(gdb) i r al
al             0x64     100

...to find that the value at %al was 100.

So whatever value is at -0x9(%ebp) is being compared to 100. But how do I determine what value is stored at -0x9(%ebp)?

I tried seeing what decimal value/string value was stored at %ebp with the following commands:

(gdb) i r ebp
ebp            0xbfffef58    0xbfffef58
(gdb) x/d 0xbfffef58
0xbfffef58:    -104
(gdb) x/s 0xbfffef58
0xbfffef58:    "\230\357\377\277\003\016@"

...but neither -104 nor "\230\357\377\277\003\016@" are inputs I entered into the function.

I assume the -0x9 prefix is referring to another address to get the value. I'm thinking I need to use the other register values/addresses to help me:

(gdb) i r
eax            0x64    100
ecx            0xbfffea00    -1073747456
edx            0xbfffef40    -1073746112
ebx            0x405000    4214784
esp            0xbfffef30    0xbfffef30
ebp            0xbfffef58    0xbfffef58
esi            0xbfffefb0    -1073746000
edi            0xb7fb8000    -1208254464
eip            0x401084    0x401084 <phase_3+324>
eflags         0x206    [ PF IF ]
cs             0x73    115
ss             0x7b    123
ds             0x7b    123
es             0x7b    123
fs             0x0    0
gs             0x33    51

Any help figuring out what this value is would be greatly appreciated!

As stated here:

https://www.cs.uaf.edu/2015/fall/cs301/lecture/09_16_stack.html

al and ah are the 8-bit, "char" size parts of the register.

So, %al refers to a 'char' in the register. Therefore, this cmp statement is comparing two chars.

Let's refer to the i r al command's output:

(gdb) i r al
al             0x64     100

To determine the char value of al, we need to take the provided hex value and refer to a hex-to-ASCII chart. The 0x64 hex value for al in our case, according to the hex-to-ASCII chart, corresponds to the char d. Hey, that's one of our inputs!

So, we know our input of d is being compared to -0x9(%ebp).

To find the value of -0x9(%ebp), we need to take the address held in %ebp, subtract 0x9 from it, and, finally, dereference the resulting address. This is the command to find that value:

(gdb) x/b $ebp-9

This gives the output of 118 (decimal), which is 0x76 in hex. Refer to the hex-to-ASCII chart once more to find that 0x76 corresponds to the char v.

In summary: Our [incorrect] input of d was being compared to the [correct] input of v.

SOLUTION: Our input of d should be changed to v.
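The address arithmetic the answer describes, written out as an added example (this is not code from the question or the answer above). The register values are the ones printed by `i r` in the question; the stack bytes are a constructed snapshot, of which only the two bytes the thread reports are real: 0x64 ('d') at -0x19(%ebp) and 0x76 ('v') at -0x9(%ebp). The helper resolves any AT&T operand of the form `disp(base,index,scale)` to an effective address, reads the byte there, and emulates `movzbl` followed by `cmp %al,-0x9(%ebp)` so you can see why `je` is not taken.

```python
import re

# Register file copied from the `i r` output in the question (32-bit x86).
REGS = {
    "eax": 0x64, "ecx": 0xbfffea00, "edx": 0xbfffef40, "ebx": 0x405000,
    "esp": 0xbfffef30, "ebp": 0xbfffef58, "esi": 0xbfffefb0, "edi": 0xb7fb8000,
}

# Constructed stack snapshot. Only these two bytes are taken from the thread;
# any other address is deliberately absent so a bad read fails loudly.
MEM = {
    REGS["ebp"] - 0x19: 0x64,  # 'd': the char the user typed (loaded into %al)
    REGS["ebp"] - 0x9:  0x76,  # 'v': the char phase_3 expects
}

# AT&T memory operand: [disp](base[,index[,scale]]); disp may be hex or decimal.
OPERAND_RE = re.compile(
    r"^(?P<disp>-?(?:0x[0-9a-fA-F]+|\d+))?"
    r"\((?P<base>%\w+)?(?:,(?P<index>%\w+)(?:,(?P<scale>[1248]))?)?\)$"
)


def effective_address(operand, regs=REGS):
    """Resolve disp(base,index,scale) to base + index*scale + disp (mod 2^32)."""
    m = OPERAND_RE.match(operand.strip())
    if not m:
        raise ValueError(f"not a memory operand: {operand!r}")
    disp = int(m.group("disp"), 0) if m.group("disp") else 0   # int("-0x9", 0) == -9
    base = regs[m.group("base")[1:]] if m.group("base") else 0
    index = regs[m.group("index")[1:]] if m.group("index") else 0
    scale = int(m.group("scale") or 1)
    return (base + index * scale + disp) & 0xFFFFFFFF


def read_byte(addr, mem=MEM):
    """One byte from the snapshot, i.e. what `x/xb addr` would print."""
    if addr not in mem:
        raise KeyError(f"no byte captured at {addr:#x}")
    return mem[addr]


def describe_byte(b):
    """The same byte as gdb's x/db, x/xb and x/cb would show it."""
    signed = b - 0x100 if b & 0x80 else b
    ch = chr(b) if 0x20 <= b < 0x7F else "."
    return {"dec": signed, "hex": f"{b:#04x}", "char": ch}


def operand_byte(operand, regs=REGS, mem=MEM):
    """Value of an 8-bit operand: %al/%ah-style register or a memory operand."""
    op = operand.strip()
    if op.startswith("%"):
        name = op[1:]                       # "al" -> low byte of "eax"
        full = regs["e" + name[0] + "x"]
        if name.endswith("l"):
            return full & 0xFF
        if name.endswith("h"):
            return (full >> 8) & 0xFF
        raise ValueError(f"not an 8-bit register: {operand!r}")
    return read_byte(effective_address(op, regs), mem)


def cmp_byte(src, dst, regs=REGS, mem=MEM):
    """AT&T `cmp src,dst` computes dst - src; `je` is taken iff the bytes are equal."""
    s = operand_byte(src, regs, mem)
    d = operand_byte(dst, regs, mem)
    return {"src": describe_byte(s), "dst": describe_byte(d), "zf": s == d}


if __name__ == "__main__":
    # movzbl -0x19(%ebp),%eax : zero-extend the input char into eax
    REGS["eax"] = read_byte(effective_address("-0x19(%ebp)"))
    # cmp %al,-0x9(%ebp)       : compare it with the byte at ebp-9
    result = cmp_byte("%al", "-0x9(%ebp)")
    print(f"-0x9(%ebp) -> {effective_address('-0x9(%ebp)'):#x}")
    print(result)
    if result["zf"]:
        print("je taken")
    else:
        print(f"je not taken: input {result['src']['char']!r} != expected {result['dst']['char']!r}")
```

The same resolver works for any ebp- or esp-relative operand you meet while stepping, including scaled-index forms such as `0x405000(,%eax,4)`; the one thing it cannot know is the memory contents, which is exactly what `x/b $ebp-9` reads out of the live process.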
