
I am trying to disassemble ropasaurusrex. This is a CTF question; you can download the executable file from the following link. I use Hopper for disassembly. here

[screenshot of the Hopper disassembly, not reproduced here]

The picture above is main routine of this program.

Please look at red line on the above picture.

It seems that declaration of the array is here.

lea eax, dword [ss:ebp+var_88] =====> char buffer[128];

Why? I cannot understand the 128 bytes.

  • The allocation happens just a bit before, in mov esp, 0x98. Besides allocating 0x80 for the buffer, it also allocates 0x18 for other variables in that scope. The lea instruction is just to determine the address of buffer on the stack. Commented Dec 9, 2015 at 9:06
  • Thank you for the comment! I see. Commented Dec 9, 2015 at 9:25
  • Thank you for the comment! I see. But I still don't understand, sorry. Why is 0x80 allocated for the buffer? How do you find 0x80? Thank you! Commented Dec 9, 2015 at 9:32
  • @stackosiete: 0x80 is the hexadecimal representation of 128. Commented Dec 9, 2015 at 9:33

1 Answer


In general, there is no direct correspondence between individual assembly instructions and C constructs. A single instruction may be just a single "brick" from a larger construct. If optimisations are turned on, tracing things this way becomes even harder.

Considering the first routine, here is an instruction-by-instruction walkthrough:

  • push ebp saves the old "stack base pointer" on the stack, so that it can be restored after leaving the function and the caller can be confident that it hasn't changed;

  • mov ebp, esp loads the value of the "base pointer" with the current value of the "stack pointer". Any further references to variables within the stack frame of that function can be made relative to this newly assigned base pointer;

  • sub esp, 0x98 subtracts the value 152 from the stack pointer. This effectively "allocates" space on the stack. Any variables with automatic storage can be now accommodated between the addresses pointed to by ebp and esp. This probably includes your buffer array.

  • mov dword[ss:esp + 8], 0x100 puts the value 256 at the address pointed to by esp + 8. That might correspond to an assignment to an automatic variable/array.

  • lea eax, dword[ss:ebp + var_88] computes an address that is the result of the base pointer plus some constant offset, and stores it into eax. This probably corresponds to a pointer to the beginning of the automatic array.

  • eax is then moved to the stack as an argument to the following call to j_read. 0 is also passed as the first argument. The function is then called, the leave instruction restores the old base pointer and the control is returned to the caller via the ret instruction.
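The walkthrough above reasons about the frame from three constants: the sub esp, 0x98 frame size, the var_88 offset of the buffer below ebp, and the 0x100 byte count handed to j_read. The following script, which is an added example and not code from the question, the answer or the CTF, extracts those constants from a Hopper-style listing and checks whether the read length fits between the buffer start and the saved ebp. The listing is constructed from the instructions quoted in the answer, and the parser assumes that syntax (dword [ss:esp+N] argument slots, var_XX names meaning ebp-0xXX); it is a static bounds check of the kind a reviewer would run to confirm why the frame was allocated the way it was.

```python
import re

# Constructed listing, reproduced from the instructions the answer walks through
# (Hopper-style syntax); not the real tool output, which is a screenshot above.
LISTING = """
push ebp
mov ebp, esp
sub esp, 0x98
mov dword [ss:esp+8], 0x100
lea eax, dword [ss:ebp+var_88]
mov dword [ss:esp+4], eax
mov dword [ss:esp], 0x0
call j_read
leave
ret
"""

# Assumed Hopper syntax for the three instruction shapes we care about.
SUB_ESP = re.compile(r"^sub\s+esp,\s*(0x[0-9a-f]+|\d+)$", re.I)
LEA_VAR = re.compile(r"^lea\s+(\w+),\s*dword \[ss:ebp\+var_([0-9a-f]+)\]$", re.I)
MOV_ARG = re.compile(r"^mov\s+dword \[ss:esp(?:\+(\d+))?\],\s*(0x[0-9a-f]+|\d+|\w+)$", re.I)


def parse_frame(listing):
    """Collect frame size, lea-derived local offsets and outgoing call arguments."""
    frame = {"frame_size": None, "locals": {}, "args": {}}
    for line in listing.strip().splitlines():
        line = line.strip()
        m = SUB_ESP.match(line)
        if m:                                  # sub esp, N  -> N bytes of locals
            frame["frame_size"] = int(m.group(1), 0)
            continue
        m = LEA_VAR.match(line)
        if m:                                  # lea reg, [ebp+var_XX] -> reg = ebp - 0xXX
            frame["locals"][m.group(1).lower()] = int(m.group(2), 16)
            continue
        m = MOV_ARG.match(line)
        if m:                                  # mov [esp+4*k], v -> k-th call argument
            slot = int(m.group(1) or 0) // 4
            val = m.group(2)
            frame["args"][slot] = int(val, 0) if val[0].isdigit() else val.lower()
    return frame


def check_read(frame):
    """Return (buffer_offset_below_ebp, read_length, overflows_saved_ebp).

    Argument slot 1 (esp+4) is the buffer pointer, slot 2 (esp+8) the byte count,
    following the read(fd, buf, count) convention the answer identifies.
    """
    buf_reg = frame["args"][1]
    buf_off = frame["locals"][buf_reg]     # var_88 -> buffer starts 0x88 bytes below ebp
    read_len = frame["args"][2]
    # The saved ebp sits at [ebp]; anything longer than buf_off bytes reaches it.
    return buf_off, read_len, read_len > buf_off


def args_area(frame):
    """Bytes between esp and the buffer start: room for the outgoing arguments."""
    return frame["frame_size"] - frame["locals"][frame["args"][1]]


if __name__ == "__main__":
    f = parse_frame(LISTING)
    off, n, bad = check_read(f)
    print(f"frame size      : {f['frame_size']:#x} ({f['frame_size']} bytes)")
    print(f"buffer at       : ebp-{off:#x} ({off} bytes below the saved ebp)")
    print(f"args area       : {args_area(f)} bytes between esp and the buffer")
    print(f"read length     : {n:#x} ({n} bytes)")
    print("read exceeds space below saved ebp" if bad else "read fits in the frame")
```

Running it reproduces the answer's arithmetic: 0x98 is 152 bytes of frame, the buffer starts 136 bytes below ebp, the 16 bytes between esp and the buffer hold the three call arguments (esp, esp+4, esp+8), and a 256-byte read does not fit in the 136 bytes that separate the buffer from the saved frame pointer. The 128-byte figure from the source is not recoverable from the listing alone, which is exactly the answer's point: the compiler only leaves the frame size and the offsets behind, and the buffer's declared size has to be inferred from them.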
