Tags: c, assembly, binary, gdb, binary-bomb

Understanding assembly code for binary bomb phase 2


I am working on the binary bomb project. I am working on this code and I am trying to understand parts of the assembly code. So I get through phase 1 easily, and for phase 2 I need to input 4 characters.

For example: phase-2: x y z d

In the example below I used the input: a b c d as my four characters

When I run this in gdb and inspect the assembly code I get the following:

Dump of assembler code for function phase2:
   0x080487d6 <+0>: push   %ebp
   0x080487d7 <+1>: mov    %esp,%ebp
   0x080487d9 <+3>: sub    $0xc,%esp
=> 0x080487dc <+6>: mov    0x8(%ebp),%ecx
   0x080487df <+9>: mov    0xc(%ebp),%edx
   0x080487e2 <+12>:    mov    0x10(%ebp),%eax
   0x080487e5 <+15>:    mov    %cl,-0x4(%ebp)
   0x080487e8 <+18>:    mov    %dl,-0x8(%ebp)
   0x080487eb <+21>:    mov    %al,-0xc(%ebp)
   0x080487ee <+24>:    cmpb   $0x77,-0x4(%ebp)
   0x080487f2 <+28>:    jne    0x8048807 <phase2+49>
   0x080487f4 <+30>:    cmpb   $0x62,-0x8(%ebp)
   0x080487f8 <+34>:    jne    0x8048807 <phase2+49>
   0x080487fa <+36>:    cmpb   $0x79,-0xc(%ebp)
   0x080487fe <+40>:    jne    0x8048807 <phase2+49>
   0x08048800 <+42>:    mov    $0x1,%eax
   0x08048805 <+47>:    jmp    0x804880c <phase2+54>
   0x08048807 <+49>:    mov    $0x0,%eax
   0x0804880c <+54>:    leave  
   0x0804880d <+55>:    ret    
End of assembler dump.

What I really want to understand is

   0x080487ee <+24>:    cmpb   $0x77,-0x4(%ebp)

What is going on here? I think that it is comparing the value $0x77 to the value in ebp. Does that make sense? And how do I know what is stored in ebp?

I run the code up until the above line, print ebp, and I get the following:

ebp            0xbffff6e8   0xbffff6e8

So to sum it up, I want to know what that compare line is really doing, just so I can understand the code a little better. And how I can find out what that value in ebp is without going to the leave state.


Solution

%ebp is usually used as the stack frame pointer -- the -0x4 is an offset from the address stored in %ebp -- and values below (negative offset) %ebp are typically local variables (if compiled from C code) and values above (positive offset) are usually function parameters. This code appears to be code produced from compiling C code, and the %ebp usage is typical. -0x4(%ebp) would refer to the first local variable of the function. It appears to have been set a few statements earlier with mov %cl,-0x4(%ebp). That raises the question of where the value in %cl came from, and if we trace further back, we can see that it was mov 0x8(%ebp),%cx that set %cl. Notice that the cmpb instruction has a b suffix, meaning that it is a byte-compare (as opposed to a 16-bit or 32-bit compare). This matches the observation that the value there was set using only %cl, which is also an 8-bit value.

All of this tells us that the line you are asking about is doing an 8-bit compare with the hex value 0x77. If you look at an ASCII table, you can see 0x77 is lowercase 'w'. The next instruction jumps if the byte isn't equal to that value. This leads me to conclude we are checking the first parameter passed to the function to see if it is a 'w' character.
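As an added illustration (not code from the question or from the bomb itself), here is the C that the phase2 disassembly above corresponds to, with each statement annotated by the instructions it maps to. It assumes the three values loaded from 0x8, 0xc and 0x10(%ebp) are int parameters; because only %cl, %dl and %al are stored into the frame, the cmpb instructions ever see just the low byte of each argument, which the main() demonstrates.

```c
#include <stdio.h>

/* Added example: a C reconstruction of the phase2 disassembly in the question
 * (not the bomb's real source). The three parameters are assumed to be ints,
 * as the loads from 0x8, 0xc and 0x10(%ebp) into full 32-bit registers suggest;
 * each comment names the instruction(s) the statement corresponds to. */
int phase2(int a, int b, int c)
{
    /* mov 0x8(%ebp),%ecx ; mov %cl,-0x4(%ebp)
     * Only the low byte (%cl) reaches the stack slot at -0x4(%ebp). */
    unsigned char first  = (unsigned char)a;
    /* mov 0xc(%ebp),%edx ; mov %dl,-0x8(%ebp) */
    unsigned char second = (unsigned char)b;
    /* mov 0x10(%ebp),%eax ; mov %al,-0xc(%ebp) */
    unsigned char third  = (unsigned char)c;

    /* cmpb $0x77,-0x4(%ebp) ; jne phase2+49   (0x77 is ASCII 'w') */
    if (first != 0x77)
        return 0;                 /* phase2+49: mov $0x0,%eax */
    /* cmpb $0x62,-0x8(%ebp) ; jne phase2+49   (0x62 is ASCII 'b') */
    if (second != 0x62)
        return 0;
    /* cmpb $0x79,-0xc(%ebp) ; jne phase2+49   (0x79 is ASCII 'y') */
    if (third != 0x79)
        return 0;
    /* phase2+42: mov $0x1,%eax ; jmp phase2+54 (leave ; ret) */
    return 1;
}

int main(void)
{
    /* The asker's input "a b c" takes the jne branch on the very first cmpb. */
    printf("phase2('a','b','c')   = %d\n", phase2('a', 'b', 'c'));
    printf("phase2('w','b','y')   = %d\n", phase2('w', 'b', 'y'));
    /* Because the frame keeps only %cl, the upper bytes of the argument are
     * never compared: 0x177 passes exactly like 0x77. */
    printf("phase2(0x177,'b','y') = %d\n", phase2(0x177, 'b', 'y'));
    return 0;
}
```

In gdb, the same byte the cmpb reads can be inspected just before that instruction with `x/1xb $ebp-4`, without running on to the leave.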