4

I am having trouble understanding how this code knows when to stop looping. I am supposed to figure out what values are put into %edi. But I can't figure out how many times it loops.

0x40106e      movl   $0x2b,0xffffffdc(%ebp)
0x401075      movl   $0x31,0xffffffe4(%ebp)
0x40107c      movl   $0x74,0xffffffec(%ebp)
0x401083      movl   $0x19,0xffffffe8(%ebp)
0x40108a      movl   $0x7,0xffffffd8(%ebp)
0x401091      movl   $0x14,0xffffffe0(%ebp)
0x401098      mov    $0xdead,%edi
0x40109d      mov    $0x2,%ecx
0x4010a2      mov    %ecx,%esi
0x4010a4      mov    $0x3,%ecx
0x4010a9      mov    $0x2,%ebx
0x4010ae      sub    %esi,%ebx
0x4010b0      imul   $0xc,%ebx,%ebx
0x4010b3      mov    $0x3,%edx
0x4010b8      sub    %ecx,%edx
0x4010ba      lea    0xffffffd8(%ebp),%eax
0x4010bd      lea    (%ebx,%edx,4),%ebx
0x4010c0      add    %ebx,%eax
0x4010c2      mov    (%eax),%edi
0x4010c4      loop   0x4010a9
0x4010c6      mov    %esi,%ecx
0x4010c8      loop   0x4010a2
0x4010ca      mov    $0xbeef,%edi

Edit: I now understand the looping logic. However, I am having a hard time following all the values getting moved around. I am stuck here: lea 0xffffffd8(%ebp),%eax. How do I know what %ebp is?

duder
  • I suggest you write a new question regarding your edit – Aug 12 '13 at 03:34
  • "lea 0xffffffd8(%ebp),%eax" -> eax=ebp+0xffffffd8, or "eax=ebp-0x28". ebp will have been set earlier in the function. It often looks like "mov %esp,%ebp / sub $,%esp", so ebp points to the return address for the caller, and below ebp is space for local variables. Its physical value can be determined only by a debugger at runtime. Its relative value can be determined by looking earlier in the disassembly. – peter ferrie Aug 12 '13 at 15:34

1 Answer

3

There are 2 loops in the code:

0x40109d mov $0x2,%ecx
0x4010a2 mov %ecx,%esi
0x4010a4 mov $0x3,%ecx
0x4010a9 mov $0x2,%ebx
...
first loop
...
0x4010c4 loop 0x4010a9
0x4010c6 mov %esi,%ecx
second loop
0x4010c8 loop 0x4010a2

  • The first goes three times, as 3 was moved into %ecx at 0x4010a4.
  • The second loop will go two times, as 2 was moved into %ecx at 0x40109d and saved in %esi before %ecx was used further inside the first loop.

In addition, here is information about the LOOP opcode.

0x4010ba lea 0xffffffd8(%ebp),%eax

This means that %eax gets the address computed as %ebp+0xffffffd8.

0x4010bd lea (%ebx,%edx,4),%ebx

This one computes %ebx = %ebx + %edx * 4.

0x4010c0 add %ebx,%eax

Here %ebx is added to %eax.

0x4010c2 mov (%eax),%edi

Finally %edi gets the data that %eax points to.

A small asm reference.

PhoeniX
  • Thanks, that is a good start for me! But I am now having trouble figuring out what values are put into %edi. Can you explain what happens here: lea 0xffffffd8(%ebp),%eax – duder Aug 11 '13 at 21:07
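An added worked example, not part of the original question or answer: a C program that emulates the posted disassembly register for register and records every value written to %edi, next to what the same loop looks like at source level. It rests on two assumptions that the listing supports but does not state: that the six dwords at 0xffffffd8(%ebp)..0xffffffec(%ebp) form a 2x3 array of 4-byte ints starting at %ebp-0x28 (the 12-byte row stride from imul $0xc and the 4-byte column scale from lea (%ebx,%edx,4) point that way), and that the absolute value of %ebp is irrelevant, since every access is %ebp plus a constant, so a local buffer can stand in for the [%ebp-0x28, %ebp) region. The function and buffer names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the original post): an emulation of the posted
 * disassembly that records every value written to %edi.
 *
 * Assumption: the six dwords at 0xffffffd8(%ebp)..0xffffffec(%ebp) are a
 * 2x3 array of 4-byte ints starting at %ebp-0x28; the 12-byte row stride
 * (imul $0xc) and 4-byte column scale (lea (%ebx,%edx,4)) suggest that.
 * The absolute value of %ebp never matters: every access is %ebp plus a
 * constant, so a local buffer stands in for the [%ebp-0x28, %ebp) region. */

#define FRAME_BYTES 0x28

/* Read the dword at off(%ebp); off is the sign-extended displacement
 * (0xffffffd8 == -0x28). */
static uint32_t load32(const uint8_t *frame, int32_t off)
{
    const uint8_t *p = frame + FRAME_BYTES + off;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void store32(uint8_t *frame, int32_t off, uint32_t v)
{
    uint8_t *p = frame + FRAME_BYTES + off;
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Run 0x40106e..0x4010ca register for register. Each write to %edi is
 * appended to out[]; returns the number of writes recorded. */
int trace_edi(uint32_t *out, int max)
{
    uint8_t frame[FRAME_BYTES];            /* stand-in for the locals */
    uint32_t ebx, ecx, edx, esi, edi;
    int32_t  eax;                          /* kept as an offset from %ebp */
    int n = 0;

    store32(frame, -0x24, 0x2b);           /* 0x40106e */
    store32(frame, -0x1c, 0x31);           /* 0x401075 */
    store32(frame, -0x14, 0x74);           /* 0x40107c */
    store32(frame, -0x18, 0x19);           /* 0x401083 */
    store32(frame, -0x28, 0x07);           /* 0x40108a */
    store32(frame, -0x20, 0x14);           /* 0x401091 */

    edi = 0xdead;                          /* 0x401098 */
    if (n < max) out[n++] = edi;
    ecx = 2;                               /* 0x40109d */
    do {                                   /* 0x4010a2: outer loop top */
        esi = ecx;                         /* save the outer counter */
        ecx = 3;                           /* 0x4010a4: inner counter */
        do {                               /* 0x4010a9: inner loop top */
            ebx = 2 - esi;                 /* row index: 0 then 1 */
            ebx *= 0xc;                    /* row * 12 bytes */
            edx = 3 - ecx;                 /* column index: 0, 1, 2 */
            eax = -0x28;                   /* lea 0xffffffd8(%ebp),%eax */
            ebx = ebx + edx * 4;           /* lea (%ebx,%edx,4),%ebx */
            eax += (int32_t)ebx;           /* add %ebx,%eax */
            edi = load32(frame, eax);      /* mov (%eax),%edi */
            if (n < max) out[n++] = edi;
        } while (--ecx != 0);              /* loop 0x4010a9 */
        ecx = esi;                         /* mov %esi,%ecx */
    } while (--ecx != 0);                  /* loop 0x4010a2 */
    edi = 0xbeef;                          /* 0x4010ca */
    if (n < max) out[n++] = edi;
    return n;
}

/* The same thing at source level under the same assumption: a 2x3 int
 * array walked row by row. Returns the number of elements visited. */
int source_level(uint32_t *out, int max)
{
    uint32_t a[2][3] = { { 0x07, 0x2b, 0x14 }, { 0x31, 0x19, 0x74 } };
    int n = 0;
    for (int row = 0; row < 2; row++)          /* %esi = 2, 1 */
        for (int col = 0; col < 3; col++)      /* %ecx = 3, 2, 1 */
            if (n < max) out[n++] = a[row][col];
    return n;
}

int main(void)
{
    uint32_t v[16];
    int n = trace_edi(v, 16);
    for (int i = 0; i < n; i++)
        printf("%%edi = 0x%x\n", v[i]);
    return 0;
}
```

Build with cc -std=c99 and run it to see the sequence. The first inner iteration overwrites the 0xdead marker, the six array elements then arrive in row-major order, and 0xbeef is written after both loops exit; trace_edi and source_level agree on the six array values, which is the check that the assumed 2x3 layout matches the stride and scale in the listing.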