Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
792 views
in Technique[技术] by (71.8m points)

assembly - Bomb lab phase 5 - 6 char string, movzbl load, and $0xf, %ecx, and index an array with that?

Alright so this is the ever so popular bomb lab and I am currently on phase 5 and I'm only stuck on two lines. Here's the assembly code:

Dump of assembler code for function phase_5:
   0x08048e29 <+0>: push   %ebx
   0x08048e2a <+1>: sub    $0x18,%esp
   0x08048e2d <+4>: mov    0x20(%esp),%ebx
   0x08048e31 <+8>: mov    %ebx,(%esp)
   0x08048e34 <+11>:    call   0x804908b <string_length>
   0x08048e39 <+16>:    cmp    $0x6,%eax
   0x08048e3c <+19>:    je     0x8048e43 <phase_5+26>
   0x08048e3e <+21>:    call   0x80493a5 <explode_bomb>
   0x08048e43 <+26>:    mov    $0x0,%edx
   0x08048e48 <+31>:    mov    $0x0,%eax
   0x08048e4d <+36>:    movzbl (%ebx,%eax,1),%ecx
   0x08048e51 <+40>:    and    $0xf,%ecx
   0x08048e54 <+43>:    add    0x804a4a0(,%ecx,4),%edx
   0x08048e5b <+50>:    add    $0x1,%eax
   0x08048e5e <+53>:    cmp    $0x6,%eax
   0x08048e61 <+56>:    jne    0x8048e4d <phase_5+36>
=> 0x08048e63 <+58>:    cmp    $0x42,%edx
   0x08048e66 <+61>:    je     0x8048e6d <phase_5+68>
   0x08048e68 <+63>:    call   0x80493a5 <explode_bomb>
   0x08048e6d <+68>:    add    $0x18,%esp
   0x08048e70 <+71>:    pop    %ebx
   0x08048e71 <+72>:    ret    
---Type <return> to continue, or q <return> to quit---
End of assembler dump.

Here's a barebones look when I run it through a decompiler:

void phase_5(__size8 *param1) {
__size32 eax; // r24
int eax_1; // r24{48}
unsigned int ecx; // r25
__size32 edx; // r26
eax = string_length(param1);
if (eax != 6) {
explode_bomb();
}
edx = 0;
eax = 0;
do {
eax_1 = eax;
ecx = *(unsigned char*)(param1 + eax_1);
edx += array.3142[(ecx & 0xf)];
eax = eax_1 + 1;
} while (eax_1 + 1 != 6);
if (edx != 66) {
explode_bomb();
}
return;
}

So the general synopsis of this phase is that the string input needs to be 6 characters, then it goes through a do while loop where it takes the string and turns it into a number through its algorithm and then compares it if it's 66 at the end. My questions is what do these two lines do:

ecx = (unsigned char)(param1 + eax_1); edx += array.3142[(ecx & 0xf)];

More specifically the first one. The second line &s the value of the first line with 15 which essentially gives the last 4 bits of ecx but what does adding the string (param1) with the loop counter (eax_1) do? Also is this the line that converts each character in the string into a number? Any help would be greatly appreciated!

Question&Answers:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

what does adding the string (param1) with the loop counter (eax_1) do?

That's just array indexing. It gives you the address of the appropriate character. ecx = *(unsigned char*)(param1 + eax_1) is basically ecx = param1[eax_1].

As you say, the code loops through all 6 letters, keeps the low 4 bits of the ascii code and uses that to index a hardcoded lookup table. The selected values from said lookup table are summed up, and that's your result which has to be 0x42.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...