lea operator in Assembly using three argument arithmetic with registers

Question

Yet again, I am having issues finding answers to the most basic of questions. This time I am working on phase 2 of a binary bomb for a class assignment. I'll post the disassembled code below.

I am having a hard time understanding what is happening on line <+107>. From what I understand so far, it is trying to load the address from the arithmetic operation of ((4 * %edx) + %eax) into the %eax register. As of now, which I could very well be wrong, this is what is located in my registers where x, y, z are the three arguments entered in the call to scanf:

%eax: y

%edx: z

Thus, the program is trying to load the address of ((4*z)+y)? I don't know what this value would look like in order for it to be stored into %eax.

My question relates to a specific application of the lea instruction within a binary bomb. I had previously read through the post here: What's the purpose of the LEA instruction? but I still did not understand how it applied to my scenario.

   0x08048764 <+0>:     sub    $0x3c,%esp
   0x08048767 <+3>:     lea    0x2c(%esp),%eax
   0x0804876b <+7>:     mov    %eax,0x10(%esp)
   0x0804876f <+11>:    lea    0x28(%esp),%eax
   0x08048773 <+15>:    mov    %eax,0xc(%esp)
   0x08048777 <+19>:    lea    0x24(%esp),%eax
   0x0804877b <+23>:    mov    %eax,0x8(%esp)
   0x0804877f <+27>:    movl   $0x8048ba7,0x4(%esp)
   0x08048787 <+35>:    mov    0x804b040,%eax
   0x0804878c <+40>:    mov    %eax,(%esp)
   0x0804878f <+43>:    call   0x8048480 <__isoc99_fscanf@plt>
   0x08048794 <+48>:    cmp    $0x3,%eax
   0x08048797 <+51>:    je     0x80487a5 <phase_2_of_5+65>
   0x08048799 <+53>:    movl   $0x2,(%esp)
   0x080487a0 <+60>:    call   0x80486ef <explode>
   0x080487a5 <+65>:    mov    0x24(%esp),%edx
   0x080487a9 <+69>:    cmp    $0x4,%edx
   0x080487ac <+72>:    jg     0x80487ba <phase_2_of_5+86>
   0x080487ae <+74>:    movl   $0x2,(%esp)
   0x080487b5 <+81>:    call   0x80486ef <explode>
   0x080487ba <+86>:    mov    0x28(%esp),%eax
   0x080487be <+90>:    cmp    $0xa,%eax
   0x080487c1 <+93>:    jle    0x80487cf <phase_2_of_5+107>
   0x080487c3 <+95>:    movl   $0x2,(%esp)
   0x080487ca <+102>:   call   0x80486ef <explode>
   0x080487cf <+107>:   lea    (%eax,%edx,4),%eax
   0x080487d2 <+110>:   cmp    0x2c(%esp),%eax
   0x080487d6 <+114>:   je     0x80487e4 <phase_2_of_5+128>
   0x080487d8 <+116>:   movl   $0x2,(%esp)
   0x080487df <+123>:   call   0x80486ef <explode>
   0x080487e4 <+128>:   add    $0x3c,%esp
   0x080487e7 <+131>:   ret

Line 107 does indeed do `eax = eax + edx*4` - nothing more, nothing less. — 500 - Internal Server Error, Feb 25 '16 at 01:26
Okay, so are you telling me that after the operation, eax will contain the value of that calculation and not the address? E.g. if eax contains 4 and edx contains 5, then eax will become 24? — Lance_P, Feb 25 '16 at 01:38
I have attempted my theory, and I haven't succeeded as of yet. It would be good to hear back. From what I've analyzed so far, unless I've messed up somewhere, in order to avoid the call to explode, (where x, y, z are inputs from scanf) z must be greater than 4, y < 10 and x == y + z*4. I must be incorrect, because I tried z=2, y=12, x=20 to no avail. — Lance_P, Feb 25 '16 at 02:00
You may want to give [**Chapter 4 - The Art of Assembly**](https://courses.engr.illinois.edu/ece390/books/artofasm/CH04/CH04-2.html#HEADING2-1) a good read for addressing questions. — David C. Rankin, Feb 25 '16 at 02:00
LEA just does the math of an effective address, but doesn't dereference it. 500's comment is exactly correct. And yes, in your example, eax will become 24. See http://stackoverflow.com/a/7071164/224132 for details. Possible duplicate of [What's the purpose of the LEA instruction?](http://stackoverflow.com/questions/1658294/whats-the-purpose-of-the-lea-instruction) — Peter Cordes, Feb 25 '16 at 02:05
While we're here, does anyone have a clue as to what I am doing wrong here? I know it wasn't my question, but I would rather ask while it is here than make a new question. I've gone through it three times and I don't see where I am going wrong. — Lance_P, Feb 25 '16 at 02:39
Since when is `12 <= 10`? Also, you got x and z swapped. `20, 10, 90` is a working example. — Jester, Feb 25 '16 at 17:09
Ah, someone must have edited my post. I originally thought that z had to be less than 4 and y >= 10. I was looking at the comparison backwards. I also did have x and z swapped. Thanks. — Lance_P, Feb 25 '16 at 17:17
I'm a rookie to this whole assembly thing, and his answer seemed to make sense to me. I had already solved my problem at that point, and he was the only answer so I thought I would give him credit. I have unaccepted his answer. — Lance_P, Feb 25 '16 at 20:02

score -2 · Answer 1 · answered Feb 25 '16 at 15:44

-2

Okay, so are you telling me that after the operation, eax will contain the value of that calculation and not the address? E.g. if eax contains 4 and edx contains 5, then eax will become 24?

The value becomes 24, but it is the address of that value that is in EAX, not the value itself. So when you do a register dump you'll see in EAX a value something like 0x12345678 and not 0x00000018. It's essentially a pointer.

That said, if you're trying to avoid the call at <+123>, the address you load into EAX via LEA has to equal the address at ESP+2c for the jump condition to be met. Do a register and stack dump to see where ESP is at that point. At that point it comes down to just adjusting your offset accordingly.

Hope this helps

answered Feb 25 '16 at 15:44

X0r

113
5

2

Unfortunately this has been accepted by OP, but it's wrong. `if eax contains 4 and edx contains 5, then eax will become 24` is **true** and `So when you do a register dump you'll see in EAX a value something like 0x12345678 and not 0x00000018` is totally **wrong**. The second paragraph about looking at `esp` makes no sense either. You don't need to know the value of `esp` at all. – Jester Feb 25 '16 at 17:20
Alright Jester, thanks for making me feel like crap. I appreciate it. – X0r Feb 25 '16 at 18:22
3

It's not about making you feel in any way. It's about getting rid of wrong information. Try it in a debugger if you don't believe us. `mov eax, 4; mov edx, 5, lea eax, [eax+edx*4]`. `eax` will be 24. – Jester Feb 25 '16 at 18:27
I appreciate the help X0r. If it makes you feel any better, your answer convinced me, haha. – Lance_P Feb 25 '16 at 20:05

lea operator in Assembly using three argument arithmetic with registers

1 Answers1