For Loops in Assembly - (Clarification)


This is just a clip of the file. This is one of the levels in a bomb. Each level is defused by an input from the user. We're supposed to interpret the disassembled code to figure out what that input should be. In this specific level the user has to input 5 numbers. Once the 5 numbers are provided they are checked in this disassembled code. If they don't work then the bomb explodes. I've worked through it and came up with a few rules for the numbers but there are parts that I have trouble interpreting, mainly when it comes to the loops.

Here's the disassembled code for reference:

8048eae:       55                      push   %ebp
8048eaf:       89 e5                   mov    %esp,%ebp
8048eb1:       83 ec 28                sub    $0x28,%esp
8048eb4:       c7 45 f8 00 00 00 00    movl   $0x0,0xfffffff8(%ebp)
8048ebb:       8d 45 e4                lea    0xffffffe4(%ebp),%eax
8048ebe:       89 44 24 04             mov    %eax,0x4(%esp)
8048ec2:       8b 45 08                mov    0x8(%ebp),%eax
8048ec5:       89 04 24                mov    %eax,(%esp)
8048ec8:       e8 69 06 00 00          call   8049536 <read_five_numbers>
8048ecd:       8b 45 e4                mov    0xffffffe4(%ebp),%eax
8048ed0:       83 f8 1a                cmp    $0x1a,%eax
8048ed3:       74 05                   je     8048eda <level_3+0x2c>
8048ed5:       e8 a6 10 00 00          call   8049f80 <explode_bomb>
8048eda:       c7 45 fc 00 00 00 00    movl   $0x0,0xfffffffc(%ebp)
8048ee1:       eb 2c                   jmp    8048f0f <level_3+0x61>
8048ee3:       8b 45 fc                mov    0xfffffffc(%ebp),%eax
8048ee6:       8b 54 85 e4             mov    0xffffffe4(%ebp,%eax,4),%edx
8048eea:       8b 45 fc                mov    0xfffffffc(%ebp),%eax
8048eed:       83 c0 01                add    $0x1,%eax
8048ef0:       8b 44 85 e4             mov    0xffffffe4(%ebp,%eax,4),%eax
8048ef4:       39 c2                   cmp    %eax,%edx
8048ef6:       7f 05                   jg     8048efd <level_3+0x4f>
8048ef8:       e8 83 10 00 00          call   8049f80 <explode_bomb>
8048efd:       8b 45 fc                mov    0xfffffffc(%ebp),%eax
8048f00:       8b 44 85 e4             mov    0xffffffe4(%ebp,%eax,4),%eax
8048f04:       0f af 45 fc             imul   0xfffffffc(%ebp),%eax
8048f08:       01 45 f8                add    %eax,0xfffffff8(%ebp)
8048f0b:       83 45 fc 01             addl   $0x1,0xfffffffc(%ebp)
8048f0f:       83 7d fc 03             cmpl   $0x3,0xfffffffc(%ebp)
8048f13:       7e ce                   jle    8048ee3 <level_3+0x35>
8048f15:       8b 45 f4                mov    0xfffffff4(%ebp),%eax
8048f18:       f7 d8                   neg    %eax
8048f1a:       3b 45 f8                cmp    0xfffffff8(%ebp),%eax
8048f1d:       74 05                   je     8048f24 <level_3+0x76>
8048f1f:       e8 5c 10 00 00          call   8049f80 <explode_bomb>
8048f24:       c9                      leave  
8048f25:       c3                      ret   

So far I have the following rules to find the numbers:

  • the first number should be 26 because of the comparison to 0x1a.

  • there is a for loop that iterates 4 times and makes sure that each number is less than the number at the current index.

Here are the rules that I'm unsure about:

  • the sum of the first four numbers should be less than or equal to something.
  • the last number should be the negative of the first number


Based on the beginning of the function, you can view the stack layout as this:

int v[5], c0, c1;

ebp e4 | v1
ebp e8 | v2
ebp ec | v3
ebp f0 | v4
ebp f4 | v5
ebp f8 | c0
ebp fc | c1

I've transcribed the code into pseudocode, which should answer your questions. Of course the goto can be converted into a do/while loop for readability, once you understand what's going on.

8048eae push  
By: DCoder
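Added example (not part of the question or of DCoder's answer): a C transcription of level_3 built from the stack layout above (v[0..4] at ebp-0x1c, the running sum c0 at ebp-0x8, the loop counter c1 at ebp-0x4), with the jumps turned back into a for loop. `level_3_check` returns true where the original falls through to `leave`/`ret` and false where it would call `explode_bomb`, so it can be run against candidate inputs. `level_3_solve` is a helper I added to derive the fifth number from the middle three; both names are my own, nothing on the page defines them. The sample inputs in `main` are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define N 5

/* Transcription of level_3 (0x8048eae).  Comments give the instruction
 * each line corresponds to.  jg/jle are signed comparisons, so negative
 * numbers are allowed and compared as signed ints, exactly like the
 * 32-bit registers in the listing. */
bool level_3_check(const int v[N])
{
    int sum = 0;                        /* movl $0x0,-0x8(%ebp)   (c0)   */

    if (v[0] != 0x1a)                   /* cmp $0x1a,%eax ; je           */
        return false;                   /* call explode_bomb             */

    for (int i = 0; i <= 3; i++) {      /* cmpl $0x3,-0x4(%ebp) ; jle    */
        /* edx = v[i]; eax = v[i+1]; cmp %eax,%edx ; jg
         * AT&T operand order: the jump is taken when edx > eax,
         * i.e. when v[i] > v[i+1]; otherwise the bomb explodes.       */
        if (!(v[i] > v[i + 1]))
            return false;
        /* eax = v[i]; imul -0x4(%ebp),%eax ; add %eax,-0x8(%ebp)
         * The loop does NOT sum the numbers; it sums v[i] * i.          */
        sum += v[i] * i;
    }

    /* eax = v[4]; neg %eax ; cmp -0x8(%ebp),%eax ; je
     * Passes when -v[4] == sum, i.e. v[4] == -(0*v[0]+1*v[1]+2*v[2]+3*v[3]). */
    return -v[4] == sum;
}

/* Helper (my addition): given the three middle numbers, fill out[] with
 * the only input that can pass and report whether it actually does.
 * v[0] is forced to 26 and v[4] is forced by the weighted sum, so the
 * only freedom is v1 > v2 > v3 subject to 26 > v1 and v3 > v4. */
bool level_3_solve(int v1, int v2, int v3, int out[N])
{
    out[0] = 0x1a;
    out[1] = v1;
    out[2] = v2;
    out[3] = v3;
    out[4] = -(0 * out[0] + 1 * v1 + 2 * v2 + 3 * v3);
    return level_3_check(out);
}

int main(void)
{
    int sol[N];

    /* Constructed sample: a strictly decreasing run below 26. */
    if (level_3_solve(25, 24, 23, sol))
        printf("defuses: %d %d %d %d %d\n", sol[0], sol[1], sol[2], sol[3], sol[4]);

    /* Constructed sample where the weighted sum comes out negative, so
     * v[4] is positive and the last v[3] > v[4] check fails. */
    if (!level_3_solve(1, 0, -1, sol))
        printf("%d %d %d %d %d explodes at the last comparison\n",
               sol[0], sol[1], sol[2], sol[3], sol[4]);
    return 0;
}
```

The first sample gives 26 25 24 23 -142: the sum is 0*26 + 1*25 + 2*24 + 3*23 = 142, and the last number must be its negation, not the negation of the first number. Any strictly decreasing v1 > v2 > v3 below 26 works as long as the derived v4 stays below v3, which the helper verifies by running the transcribed check rather than trusting the algebra.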

This video can help you solving your question :)
By: admin