Reputation:
Understanding disassembled c code (particularly things like var_28 = dword ptr -28h) (binary bomb lab)
So I'm disassembling some code (binary bomb lab) and need some help figuring out what's going on.
Here's an IDA screen shot:
(there's some jump table stuff and another comparison below, but I feel a bit more comfortable about that stuff (I think))
Now, I think I know what's going on in this phase, as I've read:
http://teamterradactyl.blogspot.com/2007/10/binary-bomb.html (scroll down to phase 3)
However, I'm used to a different form of the assembly.
The biggest thing I don't understand is all this var_28 = dword ptr -28h stuff at the top.
When sscanf gets called, how does it know where to put each token? And there are only going to be three tokens (which is what the link above says, although I see a %d, %d... so maybe two, I think three though). Basically, can anyone tell me what each of these var_x (and arg_0) will point to after sscanf is called?
They are just relative addressing to the stack pointer right...? But how are these addresses getting filled with the tokens from sscanf?
NOTE: This is homework, but it says not to add the homework tag, because it's obsolete or something. The homework is to figure out the secret phrase to enter via the command line to get past each phase.
NOTE2: I don't really know how to use IDA, my friend just told me to open the bomb file in IDA. Perhaps there's an easy way for me to experiment and figure it out in IDA, but I don't know how.
Upvotes: 2
Views: 4349
Answers (1)
Reputation: 43708
Local variables are stored just below the frame pointer. Arguments are above the frame pointer. x86 uses BP/EBP/RBP as a frame pointer.
A naïve disassembly would just disassemble lea eax, [ebp+var_10] as lea eax, [ebp-10h]. This instruction is referencing a local variable whose address is 10h (16 bytes) below where the frame pointer points. LEA means Load Effective Address: it's loading the address of the variable at [ebp - 10h] in eax, so eax now contains a pointer to that variable.
IDA apparently is trying to give meaningful names to local variables, but since apparently there is no debug info available it ends up using dummy names. Anyway:
var_10= dword ptr -10h
is just IDA's way of telling that it has created an alias var_10 for -10.
Upvotes: 4
Related Questions
- Difficulty understanding logic in disassembled binary bomb phase 3
- How do I interpret this disassembled code in IDA?
- Understanding disassembled C code: dec %eax and movl $0x0,-0x8(%ebp)
- Can't understand disassembled code, any ideas?
- How to interpret disassembed C code
- Need help explaining the following program
- What is happening in this disassembled code, and what would it look like in C?
- Understand the assembly code generated by a simple C program
- C Code represented as Assembler Code - How to interpret?
- reverse engineering c programs