The assembly language for cars() is:
(gdb) disass cars
Dump of assembler code for function vanilla:
0x00000000004004cd <+0>: push %rbp
0x00000000004004ce <+1>: mov %rsp,%rbp
0x00000000004004d1 <+4>: mov %edi,-0x14(%rbp)
0x00000000004004d4 <+7>: mov -0x14(%rbp),%eax
0x00000000004004d7 <+10>: add %eax,%eax
0x00000000004004d9 <+12>: mov %eax,-0x4(%rbp)
0x00000000004004dc <+15>: mov -0x4(%rbp),%eax
0x00000000004004df <+18>: mov -0x14(%rbp),%edx
0x00000000004004e2 <+21>: add %edx,%eax
0x00000000004004e4 <+23>: pop %rbp
0x00000000004004e5 <+24>: retq
End of assembler dump.
Give a 1-2 sentence description of the purpose of each instruction.
Instruction: |
Purpose: |
push %rbp |
|
mov %rsp,%rbp |
|
mov %edi,-0x14(%rbp) |
|
mov -0x14(%rbp),%eax |
|
add %eax,%eax |
|
mov %eax,-0x4(%rbp) |
|
mov -0x4(%rbp),%eax |
|
mov -0x14(%rbp),%edx |
|
add %edx,%eax |
|
pop %rbp |
|
retq |
Write a C function that does what
cars() does.
You won't be able to figure out the names of my parameters var(s)
and local var(s); just make up your own name(s).
1)
push %rbp :
rbp is the frame pointer.It contains the return address of the
function(caller) which called this function(callee). So it must be
saved first on stack otherwise it does not go back to the function
which called him. It is important when nested function calls are
made and each called function must return to its base/parent
function(prolog assembly function).
mov %rsp, %rbp :
this line sets the stack for the current function, where passed
arguments can be accessed through %rbp register.the argument can be
accessed through %rsp also. %rsp always points to top of the stack
where %rbp always points to bottom of the stack.if this is not done
then if some space is allocated on stack(for local variables) it
will overwrite return address and arguments of the function. also
%rbp is easy manipulation for push/pop operations.
mov %edi,-0x14(%rbp) :
Here we are fetching the first argument of the function and copying
it on local variable(stack rbp - 20). On x86 architectures, all the
arguments are passed through stack but on x86_64 architectures,
these are first done using registers(for saving memory) and then
stack. %edi,%esi,%edx,%ecx, %rdi,%rsi,%rdx... for 64 bit.So here
passed argument is the type of int which takes only 4 byte but it
is allocated as 8 byte, so %edi. -0x14(-20 in decimal). so %rbp
contains base address and then arguments by their
sizes(byte,word,dword,qword etc). so there are two variables in
bar() function, one is function argument and another is local
variable.
mov -0x14(%rbp),%eax :
Here we are copying value of the first argument into %eax register
from stack frame(rbp - 20).This is opposite to above operation just
in another register.
add %eax,%eax :
adding values of eax = eax+eax, which is first argument of the
function bar().
mov %eax,-0x4(%rbp) :
Assign result of the above operation(add %eax,%eax) to local
variable(rbp - 4). see following C program.
mov -0x4(%rbp),%eax :
Assign local variable value to %eax register for return value of
the function bar().
pop %rbp :
Restore the base/return adress of the function.
retq :
Returning the quad word(unsigned int,char*,unsigned
long) depends on compiler implementation. Only ret is also possible
because any ret jump to the base address.
2)
Here's the C program for cars(), where return type and
local/argument type can be(int,unsigned int,unsigned long, long
int, char * etc.) In assembly there is nothing like
signed/unsigned. everything is signed and unsigned is checked by
the sign bit which compiling C program.
int cars(int x)
{
int y;
y = x+x;
return y;
}
Understanding assembly language: The assembly language for cars() is: (gdb) disass cars Dump of assembler code...
Binary Bomb phase 4 Dump of assembler code for function phase_4: > 0x0000000000400fe7 <+0>: sub $0x18,%rsp 0x0000000000400feb <+4>: lea 0x8(%rsp),%rcx 0x0000000000400ff0 <+9>: lea 0xc(%rsp),%rdx 0x0000000000400ff5 <+14>: mov $0x40290d,%esi 0x0000000000400ffa <+19>: mov $0x0,%eax 0x0000000000400fff <+24>: callq 0x400c00 <__isoc99_sscanf@plt> 0x0000000000401004 <+29>: cmp $0x2,%eax 0x0000000000401007 <+32>: jne 0x401010 <phase_4+41> 0x0000000000401009 <+34>: cmpl $0xe,0xc(%rsp) 0x000000000040100e <+39>: jbe 0x401015 <phase_4+46> 0x0000000000401010 <+41>: callq 0x401662 <explode_bomb> 0x0000000000401015 <+46>: mov $0xe,%edx 0x000000000040101a <+51>: mov $0x0,%esi...
This is phase_5 of defusing a binary bomb. (Disass in x86 on a Linux system.) I am having trouble "debugging" this and figuring out what I need to enter to defuse this phase, but I am relatively sure I will need 6 inputs. Thanks in advance. Dump of assembler code for function phase_5: 0x00000000004011bf <+0>: push %rbx 0x00000000004011c0 <+1>: mov %rdi,%rbx 0x00000000004011c3 <+4>: callq 0x401414 <string_length> 0x00000000004011c8 <+9>: cmp $0x6,%eax //eax = 6? jump over explode 0x00000000004011cb <+12>: je 0x4011d2...
The following problem concerns the following, low-quality code: void foo(int x) { int a[3]; char buf[1]; a[1] = x; a[2] = 0xA0B1C2D3; gets(buf); printf("a[0] = 0x%x, a[2] = 0x%x, buf = %s\n", a[0], a[2], buf); } In a program containing this code, procedure foo has the following disassembled form on an x86/64 machine: 000000000040057d <foo>: 40057d: push %rbp 40057e: mov %rsp,%rbp 400581: sub $0x30,%rsp 400585: mov %edi,-0x24(%rbp) 400588: mov -0x24(%rbp),%eax 40058b: mov %eax,-0xc(%rbp) 40058e: movl $0xa0b1c2d3,-0x8(%rbp) 400595: lea -0x11(%rbp),%rax 400599:...
X86 Assembly Language Help to implement the CipherChar Procedure at the end of the given code INCLUDE Irvine32.inc .data KeyPrompt BYTE "Enter the passphrase: ",0 TextPrompt BYTE "Enter the plaintest: ",0 str1 BYTE "The passphrase has length:",0 str2 BYTE "The plaintest has length:",0 KeyIs BYTE "The passphrase: ",0 PlainTextIs BYTE "The plaintext: ",0 CipherTextIs BYTE "The ciphertext: ",0 KMAX = 64 ; passphrase buffer maximum size BMAX = 128 ; test...
And also when recursive(5). Consider the following funtion int recursive(int n) f The assembly code equivalent of the above function is: recursive push %ebp mov %esp,%ebp push %ebx sub $0x14,%esp cmpl $0x1,0x8(%ebp) je L1 cmpl $0x2,0x8(%ebp) jne L2 L1 mov 0x8 (%ebp),%eax jmp L3 L2 mov 0x8 (%ebp),%eax sub $0x1,%eax mov %eax, (%esp call recursive mov %eax,%ebx mov ox8(%ebp),%eax sub $0x2,%eax mov %eax, (%esp call recursive imul %ebx,%eax L3 add $0x14,%esp pop %ebx pop %ebp ret
Exercise 3 [Conditionals] Consider the following assembly code for a function F3 with two integer arguments: F3: push EBP mov EBP, ESP mov EDX, DWORD PTR [ebp+12] mov EAX, DWORD PTR [ebp+8] cmp EAX, EDX # setup stack #if # goto .L1 #EAX- mov EAX, EDX # ignore for now mov DWORD PTR [EBP-4], EAX mov ESP, EBP pop EBE ret # cleanup stack To the right of each instruction, show the contents of the register whose value changes as...
You know the following assembly code snippet is from a recursive function in C. You also know that the stack contents at a particular point in time when we are in the recursive function are shown on the next page. Answer the following questions: a) how many Foo stack frames are on the stack? b) what is the return address back to the function that called Foo for the first time? c) what is the return address back into the...
I need help finding the input that wont result in explode_bomb in this assembly 08048cd3 <phase_4>: 8048cd3: 57 push %edi 8048cd4: 56 push %esi 8048cd5: 53 push %ebx 8048cd6: 83 ec 10 sub $0x10,%esp 8048cd9: 8b 74 24 20 mov 0x20(%esp),%esi 8048cdd: 89 34 24 mov %esi,(%esp) 8048ce0: e8 f6 03 00 00 call 80490db <string_length> 8048ce5: 83 c0 01 add $0x1,%eax 8048ce8: 89 04 24 mov %eax,(%esp) 8048ceb: e8 10 fb ff ff call 8048800 <malloc@plt> 8048cf0: 89 c7...
This is the bomb lab phase2, I just have no idea on how to solve it. I know the answer is a six number array, I want to know what numbers they are? 6x00000000004015d7<+136> : pop %rbx 0x00000000004015d8 <+137>: retq of assembler dump. b) stepi 00401572 in phase2 ) db) disas mp of assenbler code for function phase2: %rbx $0x20,%rsp %fs:0x28,%rax %rax,0x18(%rsp) %eax , %eax %rsp,Krst 0x000000000040154f <+0>: 0x0000000000401550 <+1>: 0x0000000000401554 <+5>: push sub nov 6x000000000040155d <+14s: <+19> : 21ยป:...
Below is the disassembled code. PLease help me to defuse the binary bomb phase_4 so the right input should be 6 numbers with a certain pattern 08048cdb <phase_4>: 8048cdb: 53 push %ebx 8048cdc: 83 ec 38 sub $0x38,%esp 8048cdf: 8d 44 24 18 lea 0x18(%esp),%eax 8048ce3: 89 44 24 04 mov %eax,0x4(%esp) 8048ce7: 8b 44 24 40 mov 0x40(%esp),%eax 8048ceb: 89 04 24 mov %eax,(%esp) 8048cee: e8 11 07 00 00 call 8049404 <read_six_numbers> 8048cf3: 83 7c 24 18 00 cmpl...