Despite looking at textbooks trying to grasp this, I'm having trouble.
0x08048b29 <func+0>: push %ebp
0x08048b2a <func+1>: mov %esp,%ebp
0x08048b2c <func+3>: push %ebx
...
0x08048b30 <phase_2+7>: lea -0x28(%ebp),%eax
In the lea instruction, I understand that %eax gets the value at 0x28 before %ebp, but where is that exactly? Is it 0x8048b29 - 0x28 (0x28 before the beginning of the function) or what?
The ebp register is typically used within a function to access any arguments passed to the function. Before this function is called, any arguments not passed by register are pushed onto the stack. At the start of this function, the calling function's base pointer is saved.
(1) 0x08048b29 <func+0>: push %ebp
The new top of the stack is copied into ebp to serve as the base pointer in this function.
(2) 0x08048b2a <func+1>: mov %esp,%ebp
Finally, ebx is saved, which was likely a variable passed to the function in a register.
(3) 0x08048b2c <func+3>: push %ebx
After all of this function entry code, the ebp register is pointing into the middle of the stack. Above it on the stack (toward the newest pushed items) is the ebx value that was pushed in #3 above. Below it on the stack are the old ebp from the calling function (saved in #1 above) and MOST importantly... any arguments passed to this function via the stack (done before the function was called).
(4) lea -0x28(%ebp),%eax
The final instruction is referring to one of those arguments passed by the stack. ebp ends up pointing into the stack, not at any of the functions code addresses. This is pretty normal for ebp, it is most often used as a pointer into the stack.