@hhc0null
Last active August 29, 2015 14:17
0CTF 2015 Quals Exploit-Login-300pts
// [0CTF 2015 Quals] Exploit-Login-300pts
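// Bounded line reader behind the "Login:" / "Password:" prompts in sub_103b.
//
// Reads stdin one byte at a time into arg0 until arg1 - 1 bytes have been
// stored, a '\n' is read, or read() reports EOF/error. The byte at the stop
// position (the newline, or the slot a failed read left untouched) is then
// overwritten with '\0', so the result is always NUL-terminated, never longer
// than arg1 - 1 characters, and never contains the newline.
//
// arg0: destination buffer; must hold at least arg1 bytes.
// arg1: size of arg0 in bytes. A value <= 0 returns 0 without touching arg0.
// Returns the number of bytes stored before the terminator.
int sub_cb5(char *arg0, int arg1)
{
    // Local variables (named by their %rbp offset, as in the disassembly).
    int rbp_1ch;     // arg1: buffer size
    char *rbp_18h;   // arg0: destination
    int rbp_08h;     // loop index == bytes stored so far
    int rbp_04h;     // return value of the last read(), kept as int as in the binary
    rbp_18h = arg0;
    rbp_1ch = arg1;
    if(rbp_1ch <= 0) {
        return 0;
    }
    // Upper bound is arg1 - 1 so the '\0' written after the loop always fits.
    for(rbp_08h = 0; rbp_08h < rbp_1ch - 1; rbp_08h++) {
        rbp_04h = read(STDIN_FILENO, &rbp_18h[rbp_08h], 1);
        // EOF/error, or end of line: stop without advancing, so the byte at
        // rbp_08h is replaced by the terminator below.
        if(rbp_04h <= 0 || rbp_18h[rbp_08h] == '\n') break;
    }
    rbp_18h[rbp_08h] = '\0';
    return rbp_08h;
}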
// Reads the menu choice for sub_ddd: one whitespace-delimited token from
// stdin, converted with atoi().
//
// NOTE(review): "%10s" stores up to 10 characters plus the '\0' (11 bytes)
// into an array declared as 10 bytes — an off-by-one as written here. In the
// disassembly below the buffer is at -0x20(%rbp) and the canary at -0x8, so
// the real slot may be larger than 10 bytes; confirm before treating this as
// an overflow. atoi() reports no errors: a non-numeric token yields 0, which
// main() handles as "Invalid!". strtol() would let the caller reject bad input.
int sub_d3a()
{
// Local variables.
char rbp_20h[10];
scanf("%10s", rbp_20h);
return atoi(rbp_20h);
}
// One-time process setup called first from main().
//
// stdout and stdin are switched to unbuffered mode so each prompt is written
// out as soon as it is printed (presumably because the binary is served over a
// pipe or socket — not visible here). A 60 s alarm is armed; no SIGALRM handler
// is installed anywhere in this listing, so the default action ends the
// process, capping how long a single session can stay open.
void sub_d8b()
{
    enum { SESSION_TIMEOUT_SEC = 60 };
    FILE *streams[] = { stdout, stdin };
    for (size_t i = 0; i < sizeof streams / sizeof streams[0]; i++) {
        setvbuf(streams[i], NULL, _IONBF, 0);
    }
    alarm(SESSION_TIMEOUT_SEC);
}
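// Prints the main menu and returns the user's numeric choice.
//
// Only options 1-3 are listed. main() additionally accepts a hidden option 4
// (the root login in sub_103b) when the privilege flag at
// bss_202040->offset_100h is 0. The "Your choice: " prompt matches the
// printf at 0xe1d in the disassembly.
//
// Returns whatever sub_d3a() parses; non-numeric input comes back as 0.
int sub_ddd()
{
    puts("== 0CTF Login System ==");
    puts("1. Show Profile");
    puts("2. Login as User");
    puts("3. Logout");
    puts("=======================");
    printf("Your choice: ");
    return sub_d3a();
}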
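// Initial "guest" login, run unconditionally from main() before the menu.
//
// Reads a username and a password with scanf("%32s") and exits the process
// unless they are exactly "guest" / "guest123". On success the username is
// copied into the global profile record at bss_202040 and the record's
// privilege flag (offset 0x100) is set to 1; main() only allows the hidden
// option 4 while that flag is 0.
//
// NOTE(review): "%32s" stores up to 32 characters plus the '\0' (33 bytes)
// while the arrays are declared as 0x20 bytes — an off-by-one as written.
// In the disassembly the buffers are at -0x80 and -0x40(%rbp), 0x40 bytes
// apart, so the real slots may be larger; confirm before calling it an
// overflow. "%31s" is the bounded width for a 0x20-byte array.
void sub_e3a()
{
    // Local variables.
    char rbp_80h[0x20];   // username
    char rbp_40h[0x20];   // password
    printf("Login: ");
    scanf("%32s", rbp_80h);
    printf("Password: ");
    scanf("%32s", rbp_40h);
    if(strcmp(rbp_80h, "guest") || strcmp(rbp_40h, "guest123")) {
        puts("Invalid username or password.");
        exit(EXIT_SUCCESS);
    }
    // Source length is capped by the scanf width (32 chars), so this strcpy
    // cannot write beyond the first 33 bytes of the record.
    strcpy(bss_202040, rbp_80h);
    bss_202040->offset_100h = 1;
}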
// Menu option 1, "Show Profile".
//
// NOTE(review): this stub is empty, but the disassembly of 0xf24 below shows
// two calls: printf("Username: %s\n", bss_202040->offset_00h) and
// printf("Level: %s\n", ...) with "Guest" when offset_100h is non-zero and
// "Normal User" otherwise — so the state of the privilege flag is visible to
// the user through this option.
void sub_f24()
{
}
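// Menu option 2, "Login as User": replaces the username stored in the global
// profile record. The prompt matches the puts at 0xf7e in the disassembly.
//
// NOTE(review): "%256s" stores up to 256 characters plus the '\0' — 257
// bytes — into the name field at offset 0 of the record. The privilege flag
// that sub_e3a sets to 1 lives at offset 0x100 of the same record, so a
// 256-character name places its terminator on the flag's low byte and
// clears it; that is exactly the condition main() checks before allowing
// option 4. A defender would bound the width to the field ("%255s") or read
// the name with sub_cb5 and the field size.
void sub_f7a()
{
    puts("Enter your new username:");
    scanf("%256s", bss_202040->offset_00h);
    puts("Done.");
}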
// Root-only action reached from sub_103b: writes the contents of the "flag"
// file (up to 0x100 bytes) to stdout and terminates the process. Never
// returns.
//
// Stack slots as in the disassembly: -0x118 the descriptor, -0x114 the byte
// count, -0x110 the 0x100-byte buffer.
void sub_fb3()
{
    // open() is not checked: on failure read() receives -1 and returns -1,
    // so nothing is printed and the process still exits with status 0.
    int rbp_118h = open("flag", O_RDONLY);
    char rbp_110h[0x100];
    int rbp_114h = read(rbp_118h, rbp_110h, sizeof rbp_110h);
    // Only a positive count is echoed; 0 (empty file) and -1 print nothing.
    if (rbp_114h > 0) {
        write(STDOUT_FILENO, rbp_110h, (size_t)rbp_114h);
    }
    exit(EXIT_SUCCESS);
}
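// Hidden menu option 4: a second login that hands the flag to the user
// (sub_fb3) when the username is "root" and MD5(password) equals the 16-byte
// constant at 0x1495 in the binary (written here as the 16-character literal
// "0ops{secret_MD5}"). Two attempts are allowed; the second failure exits
// with status 1 after "Threat detected.".
//
// Stack slots from the disassembly: -0x220 the MD5 digest (only 0x10 bytes —
// the username buffer starts at -0x210), -0x210 the username, -0x110 the
// password. Both attempts use the same success test: strcmp() and memcmp()
// must both return 0 (each jne at 0x10e2/0x1101 and 0x11cb/0x11ea goes to
// the failure path).
//
// NOTE(review): printf(rbp_210h) on both failure paths passes the
// user-supplied username as the format string (the author's "XXX: FSB").
// That is a format-string vulnerability; printf("%s", rbp_210h) or
// fputs(rbp_210h, stdout) is the correct form.
void sub_103b()
{
    // Local variables.
    char rbp_220h[0x10];    // MD5 digest of the password
    char rbp_210h[0x100];   // username
    char rbp_110h[0x100];   // password
    printf("Login: ");
    sub_cb5(rbp_210h, 0x100);
    printf("Password: ");
    sub_cb5(rbp_110h, 0x100);
    MD5(rbp_110h, strlen(rbp_110h), rbp_220h);
    if(!strcmp(rbp_210h, "root") && !memcmp(rbp_220h, "0ops{secret_MD5}", 0x10)) {
        sub_fb3();   // prints the flag and exits
    } else {
        printf(rbp_210h); // XXX: FSB — user-controlled format string
        puts("login failed.");
        puts("1 chance remaining.");
        printf("Login: ");
        sub_cb5(rbp_210h, 0x100);
        printf("Password: ");
        sub_cb5(rbp_110h, 0x100);
        MD5(rbp_110h, strlen(rbp_110h), rbp_220h);
        // Same check as the first attempt.
        if(!strcmp(rbp_210h, "root") && !memcmp(rbp_220h, "0ops{secret_MD5}", 0x10)) {
            sub_fb3();
        } else {
            printf(rbp_210h); // XXX: FSB — user-controlled format string
            puts("login failed.");
            puts("Threat detected. System shutdown.");
            exit(EXIT_FAILURE);
        }
    }
}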
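// Entry point: process setup, the mandatory guest login, then the menu loop.
//
// Options 1-3 are the public menu. Option 4 (sub_103b, the root login) is
// accepted only while the privilege flag at bss_202040->offset_100h is 0;
// sub_e3a sets it to 1 at startup, so option 4 is reachable only if the flag
// is cleared afterwards. Option 4 with the flag set, and any other value
// (including the 0 that sub_d3a returns for non-numeric input), prints
// "Invalid!" and re-displays the menu.
//
// Returns 0 after option 3 ("Bye"); sub_103b's paths exit the process.
int main()
{
    // Local variables.
    int rbp_04h;   // menu choice from sub_ddd
    sub_d8b();
    sub_e3a();
    for(;;) {
        rbp_04h = sub_ddd();
        switch(rbp_04h) {
        case 1:
            sub_f24();
            break;
        case 2:
            sub_f7a();
            break;
        case 3:
            puts("Bye");
            return 0;
        case 4:
            if(bss_202040->offset_100h == 0) {
                sub_103b();
                break;
            }
            /* fallthrough: flag still set, treated like an unknown choice */
        default:
            puts("Invalid!");
        }
    }
}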
login: file format elf64-x86-64
Disassembly of section .init:
0000000000000a38 <.init>:
a38: 48 83 ec 08 sub $0x8,%rsp
a3c: 48 8b 05 85 15 20 00 mov 0x201585(%rip),%rax # 201fc8 <open@plt+0x201438>
a43: 48 85 c0 test %rax,%rax
a46: 74 05 je a4d <printf@plt-0x23>
a48: e8 33 00 00 00 callq a80 <__gmon_start__@plt>
a4d: 48 83 c4 08 add $0x8,%rsp
a51: c3 retq
Disassembly of section .plt:
0000000000000a60 <printf@plt-0x10>:
a60: ff 35 ba 14 20 00 pushq 0x2014ba(%rip) # 201f20 <open@plt+0x201390>
a66: ff 25 bc 14 20 00 jmpq *0x2014bc(%rip) # 201f28 <open@plt+0x201398>
a6c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000000a70 <printf@plt>:
a70: ff 25 ba 14 20 00 jmpq *0x2014ba(%rip) # 201f30 <open@plt+0x2013a0>
a76: 68 00 00 00 00 pushq $0x0
a7b: e9 e0 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000a80 <__gmon_start__@plt>:
a80: ff 25 b2 14 20 00 jmpq *0x2014b2(%rip) # 201f38 <open@plt+0x2013a8>
a86: 68 01 00 00 00 pushq $0x1
a8b: e9 d0 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000a90 <puts@plt>:
a90: ff 25 aa 14 20 00 jmpq *0x2014aa(%rip) # 201f40 <open@plt+0x2013b0>
a96: 68 02 00 00 00 pushq $0x2
a9b: e9 c0 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000aa0 <exit@plt>:
aa0: ff 25 a2 14 20 00 jmpq *0x2014a2(%rip) # 201f48 <open@plt+0x2013b8>
aa6: 68 03 00 00 00 pushq $0x3
aab: e9 b0 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000ab0 <setvbuf@plt>:
ab0: ff 25 9a 14 20 00 jmpq *0x20149a(%rip) # 201f50 <open@plt+0x2013c0>
ab6: 68 04 00 00 00 pushq $0x4
abb: e9 a0 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000ac0 <MD5@plt>:
ac0: ff 25 92 14 20 00 jmpq *0x201492(%rip) # 201f58 <open@plt+0x2013c8>
ac6: 68 05 00 00 00 pushq $0x5
acb: e9 90 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000ad0 <read@plt>:
ad0: ff 25 8a 14 20 00 jmpq *0x20148a(%rip) # 201f60 <open@plt+0x2013d0>
ad6: 68 06 00 00 00 pushq $0x6
adb: e9 80 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000ae0 <__libc_start_main@plt>:
ae0: ff 25 82 14 20 00 jmpq *0x201482(%rip) # 201f68 <open@plt+0x2013d8>
ae6: 68 07 00 00 00 pushq $0x7
aeb: e9 70 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000af0 <strlen@plt>:
af0: ff 25 7a 14 20 00 jmpq *0x20147a(%rip) # 201f70 <open@plt+0x2013e0>
af6: 68 08 00 00 00 pushq $0x8
afb: e9 60 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000b00 <__cxa_finalize@plt>:
b00: ff 25 72 14 20 00 jmpq *0x201472(%rip) # 201f78 <open@plt+0x2013e8>
b06: 68 09 00 00 00 pushq $0x9
b0b: e9 50 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000b10 <atoi@plt>:
b10: ff 25 6a 14 20 00 jmpq *0x20146a(%rip) # 201f80 <open@plt+0x2013f0>
b16: 68 0a 00 00 00 pushq $0xa
b1b: e9 40 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000b20 <alarm@plt>:
b20: ff 25 62 14 20 00 jmpq *0x201462(%rip) # 201f88 <open@plt+0x2013f8>
b26: 68 0b 00 00 00 pushq $0xb
b2b: e9 30 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000b30 <__stack_chk_fail@plt>:
b30: ff 25 5a 14 20 00 jmpq *0x20145a(%rip) # 201f90 <open@plt+0x201400>
b36: 68 0c 00 00 00 pushq $0xc
b3b: e9 20 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000b40 <strcmp@plt>:
b40: ff 25 52 14 20 00 jmpq *0x201452(%rip) # 201f98 <open@plt+0x201408>
b46: 68 0d 00 00 00 pushq $0xd
b4b: e9 10 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000b50 <strcpy@plt>:
b50: ff 25 4a 14 20 00 jmpq *0x20144a(%rip) # 201fa0 <open@plt+0x201410>
b56: 68 0e 00 00 00 pushq $0xe
b5b: e9 00 ff ff ff jmpq a60 <printf@plt-0x10>
0000000000000b60 <__isoc99_scanf@plt>:
b60: ff 25 42 14 20 00 jmpq *0x201442(%rip) # 201fa8 <open@plt+0x201418>
b66: 68 0f 00 00 00 pushq $0xf
b6b: e9 f0 fe ff ff jmpq a60 <printf@plt-0x10>
0000000000000b70 <memcmp@plt>:
b70: ff 25 3a 14 20 00 jmpq *0x20143a(%rip) # 201fb0 <open@plt+0x201420>
b76: 68 10 00 00 00 pushq $0x10
b7b: e9 e0 fe ff ff jmpq a60 <printf@plt-0x10>
0000000000000b80 <write@plt>:
b80: ff 25 32 14 20 00 jmpq *0x201432(%rip) # 201fb8 <open@plt+0x201428>
b86: 68 11 00 00 00 pushq $0x11
b8b: e9 d0 fe ff ff jmpq a60 <printf@plt-0x10>
0000000000000b90 <open@plt>:
b90: ff 25 2a 14 20 00 jmpq *0x20142a(%rip) # 201fc0 <open@plt+0x201430>
b96: 68 12 00 00 00 pushq $0x12
b9b: e9 c0 fe ff ff jmpq a60 <printf@plt-0x10>
Disassembly of section .text:
0000000000000ba0 <.text>:
ba0: 31 ed xor %ebp,%ebp
ba2: 49 89 d1 mov %rdx,%r9
ba5: 5e pop %rsi
ba6: 48 89 e2 mov %rsp,%rdx
ba9: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
bad: 50 push %rax
bae: 54 push %rsp
baf: 4c 8d 05 ba 07 00 00 lea 0x7ba(%rip),%r8 # 1370 <open@plt+0x7e0>
bb6: 48 8d 0d 43 07 00 00 lea 0x743(%rip),%rcx # 1300 <open@plt+0x770>
bbd: 48 8d 3d 80 06 00 00 lea 0x680(%rip),%rdi # 1244 <open@plt+0x6b4>
bc4: e8 17 ff ff ff callq ae0 <__libc_start_main@plt>
bc9: f4 hlt
bca: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
bd0: 48 8d 05 40 14 20 00 lea 0x201440(%rip),%rax # 202017 <_edata+0x7>
bd7: 48 8d 3d 32 14 20 00 lea 0x201432(%rip),%rdi # 202010 <_edata>
bde: 55 push %rbp
bdf: 48 29 f8 sub %rdi,%rax
be2: 48 89 e5 mov %rsp,%rbp
be5: 48 83 f8 0e cmp $0xe,%rax
be9: 77 02 ja bed <open@plt+0x5d>
beb: 5d pop %rbp
bec: c3 retq
bed: 48 8b 05 e4 13 20 00 mov 0x2013e4(%rip),%rax # 201fd8 <open@plt+0x201448>
bf4: 48 85 c0 test %rax,%rax
bf7: 74 f2 je beb <open@plt+0x5b>
bf9: 5d pop %rbp
bfa: ff e0 jmpq *%rax
bfc: 0f 1f 40 00 nopl 0x0(%rax)
c00: 48 8d 05 09 14 20 00 lea 0x201409(%rip),%rax # 202010 <_edata>
c07: 48 8d 3d 02 14 20 00 lea 0x201402(%rip),%rdi # 202010 <_edata>
c0e: 55 push %rbp
c0f: 48 29 f8 sub %rdi,%rax
c12: 48 89 e5 mov %rsp,%rbp
c15: 48 c1 f8 03 sar $0x3,%rax
c19: 48 89 c2 mov %rax,%rdx
c1c: 48 c1 ea 3f shr $0x3f,%rdx
c20: 48 01 d0 add %rdx,%rax
c23: 48 d1 f8 sar %rax
c26: 75 02 jne c2a <open@plt+0x9a>
c28: 5d pop %rbp
c29: c3 retq
c2a: 48 8b 15 af 13 20 00 mov 0x2013af(%rip),%rdx # 201fe0 <open@plt+0x201450>
c31: 48 85 d2 test %rdx,%rdx
c34: 74 f2 je c28 <open@plt+0x98>
c36: 5d pop %rbp
c37: 48 89 c6 mov %rax,%rsi
c3a: ff e2 jmpq *%rdx
c3c: 0f 1f 40 00 nopl 0x0(%rax)
c40: 80 3d d9 13 20 00 00 cmpb $0x0,0x2013d9(%rip) # 202020 <_edata+0x10>
c47: 75 27 jne c70 <open@plt+0xe0>
c49: 48 83 3d 97 13 20 00 cmpq $0x0,0x201397(%rip) # 201fe8 <open@plt+0x201458>
c50: 00
c51: 55 push %rbp
c52: 48 89 e5 mov %rsp,%rbp
c55: 74 0c je c63 <open@plt+0xd3>
c57: 48 8b 3d aa 13 20 00 mov 0x2013aa(%rip),%rdi # 202008 <open@plt+0x201478>
c5e: e8 9d fe ff ff callq b00 <__cxa_finalize@plt>
c63: e8 68 ff ff ff callq bd0 <open@plt+0x40>
c68: 5d pop %rbp
c69: c6 05 b0 13 20 00 01 movb $0x1,0x2013b0(%rip) # 202020 <_edata+0x10>
c70: f3 c3 repz retq
c72: 66 66 66 66 66 2e 0f data32 data32 data32 data32 nopw %cs:0x0(%rax,%rax,1)
c79: 1f 84 00 00 00 00 00
c80: 48 83 3d 88 10 20 00 cmpq $0x0,0x201088(%rip) # 201d10 <open@plt+0x201180>
c87: 00
c88: 74 26 je cb0 <open@plt+0x120>
c8a: 48 8b 05 3f 13 20 00 mov 0x20133f(%rip),%rax # 201fd0 <open@plt+0x201440>
c91: 48 85 c0 test %rax,%rax
c94: 74 1a je cb0 <open@plt+0x120>
c96: 55 push %rbp
c97: 48 8d 3d 72 10 20 00 lea 0x201072(%rip),%rdi # 201d10 <open@plt+0x201180>
c9e: 48 89 e5 mov %rsp,%rbp
ca1: ff d0 callq *%rax
ca3: 5d pop %rbp
ca4: e9 57 ff ff ff jmpq c00 <open@plt+0x70>
ca9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
cb0: e9 4b ff ff ff jmpq c00 <open@plt+0x70>
int sub_cb5(char *arg0, int arg1)
{
cb5: 55 push %rbp
cb6: 48 89 e5 mov %rsp,%rbp
cb9: 48 83 ec 20 sub $0x20,%rsp
// Local variables.
int rbp_1ch;
char *rbp_18h;
cbd: 48 89 7d e8 mov %rdi,-0x18(%rbp)
rbp_18h = arg0;
cc1: 89 75 e4 mov %esi,-0x1c(%rbp)
rbp_1ch = arg1;
cc4: 83 7d e4 00 cmpl $0x0,-0x1c(%rbp)
cc8: 7f 07 jg cd1 <open@plt+0x141>
if(rbp_1ch <= 0) {
cca: b8 00 00 00 00 mov $0x0,%eax
ccf: eb 67 jmp d38 <open@plt+0x1a8>
return 0;
}
cd1: c7 45 f8 00 00 00 00 movl $0x0,-0x8(%rbp)
cd8: eb 40 jmp d1a <open@plt+0x18a>
for(rbp_08h = 0; rbp_08h < rbp_1ch - 1; rbp_08h++) {
cda: 8b 45 f8 mov -0x8(%rbp),%eax
cdd: 48 63 d0 movslq %eax,%rdx
ce0: 48 8b 45 e8 mov -0x18(%rbp),%rax
ce4: 48 01 d0 add %rdx,%rax
ce7: ba 01 00 00 00 mov $0x1,%edx
cec: 48 89 c6 mov %rax,%rsi
cef: bf 00 00 00 00 mov $0x0,%edi
cf4: e8 d7 fd ff ff callq ad0 <read@plt>
cf9: 89 45 fc mov %eax,-0x4(%rbp)
rbp_04h = read(STDIN_FILENO, &rbp_18h[rbp_08h], 1);
cfc: 83 7d fc 00 cmpl $0x0,-0x4(%rbp)
d00: 7e 23 jle d25 <open@plt+0x195>
d02: 8b 45 f8 mov -0x8(%rbp),%eax
d05: 48 63 d0 movslq %eax,%rdx
d08: 48 8b 45 e8 mov -0x18(%rbp),%rax
d0c: 48 01 d0 add %rdx,%rax
d0f: 0f b6 00 movzbl (%rax),%eax
d12: 3c 0a cmp $0xa,%al
d14: 74 0f je d25 <open@plt+0x195>
if(rbp_04h <= 0 || rbp_18h[rbp_08h] == '\n') break;
d16: 83 45 f8 01 addl $0x1,-0x8(%rbp)
// ->>
d1a: 8b 45 e4 mov -0x1c(%rbp),%eax
d1d: 83 e8 01 sub $0x1,%eax
d20: 3b 45 f8 cmp -0x8(%rbp),%eax
d23: 7f b5 jg cda <open@plt+0x14a>
}
d25: 8b 45 f8 mov -0x8(%rbp),%eax
d28: 48 63 d0 movslq %eax,%rdx
d2b: 48 8b 45 e8 mov -0x18(%rbp),%rax
d2f: 48 01 d0 add %rdx,%rax
d32: c6 00 00 movb $0x0,(%rax)
rbp_18h[rbp_08h] = '\0';
d35: 8b 45 f8 mov -0x8(%rbp),%eax
d38: c9 leaveq
d39: c3 retq
return rbp_08h;
}
int sub_d3a()
{
d3a: 55 push %rbp
d3b: 48 89 e5 mov %rsp,%rbp
d3e: 48 83 ec 20 sub $0x20,%rsp
// Local variables.
char rbp_20h[10];
d42: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
d49: 00 00
d4b: 48 89 45 f8 mov %rax,-0x8(%rbp)
d4f: 31 c0 xor %eax,%eax
d51: 48 8d 45 e0 lea -0x20(%rbp),%rax
d55: 48 89 c6 mov %rax,%rsi
d58: 48 8d 3d 29 06 00 00 lea 0x629(%rip),%rdi # 1388 <open@plt+0x7f8>
d5f: b8 00 00 00 00 mov $0x0,%eax
d64: e8 f7 fd ff ff callq b60 <__isoc99_scanf@plt>
scanf("%10s", rbp_20h);
d69: 48 8d 45 e0 lea -0x20(%rbp),%rax
d6d: 48 89 c7 mov %rax,%rdi
d70: e8 9b fd ff ff callq b10 <atoi@plt>
d75: 48 8b 55 f8 mov -0x8(%rbp),%rdx
d79: 64 48 33 14 25 28 00 xor %fs:0x28,%rdx
d80: 00 00
d82: 74 05 je d89 <open@plt+0x1f9>
d84: e8 a7 fd ff ff callq b30 <__stack_chk_fail@plt>
d89: c9 leaveq
d8a: c3 retq
return atoi(rbp_20h);
}
void sub_d8b()
{
d8b: 55 push %rbp
d8c: 48 89 e5 mov %rsp,%rbp
d8f: 48 8b 05 5a 12 20 00 mov 0x20125a(%rip),%rax # 201ff0 <open@plt+0x201460>
d96: 48 8b 00 mov (%rax),%rax
d99: b9 00 00 00 00 mov $0x0,%ecx
d9e: ba 02 00 00 00 mov $0x2,%edx
da3: be 00 00 00 00 mov $0x0,%esi
da8: 48 89 c7 mov %rax,%rdi
dab: e8 00 fd ff ff callq ab0 <setvbuf@plt>
setvbuf(stdout, NULL, _IONBF, 0);
db0: 48 8b 05 41 12 20 00 mov 0x201241(%rip),%rax # 201ff8 <open@plt+0x201468>
db7: 48 8b 00 mov (%rax),%rax
dba: b9 00 00 00 00 mov $0x0,%ecx
dbf: ba 02 00 00 00 mov $0x2,%edx
dc4: be 00 00 00 00 mov $0x0,%esi
dc9: 48 89 c7 mov %rax,%rdi
dcc: e8 df fc ff ff callq ab0 <setvbuf@plt>
setvbuf(stdin, NULL, _IONBF, 0);
dd1: bf 3c 00 00 00 mov $0x3c,%edi
dd6: e8 45 fd ff ff callq b20 <alarm@plt>
alarm(60);
ddb: 5d pop %rbp
ddc: c3 retq
}
int sub_ddd()
{
ddd: 55 push %rbp
dde: 48 89 e5 mov %rsp,%rbp
de1: 48 8d 3d a5 05 00 00 lea 0x5a5(%rip),%rdi # 138d <open@plt+0x7fd>
de8: e8 a3 fc ff ff callq a90 <puts@plt>
puts("== 0CTF Login System ==");
ded: 48 8d 3d b1 05 00 00 lea 0x5b1(%rip),%rdi # 13a5 <open@plt+0x815>
df4: e8 97 fc ff ff callq a90 <puts@plt>
puts("1. Show Profile");
df9: 48 8d 3d b5 05 00 00 lea 0x5b5(%rip),%rdi # 13b5 <open@plt+0x825>
e00: e8 8b fc ff ff callq a90 <puts@plt>
puts("2. Login as User");
e05: 48 8d 3d ba 05 00 00 lea 0x5ba(%rip),%rdi # 13c6 <open@plt+0x836>
e0c: e8 7f fc ff ff callq a90 <puts@plt>
puts("3. Logout");
e11: 48 8d 3d b8 05 00 00 lea 0x5b8(%rip),%rdi # 13d0 <open@plt+0x840>
e18: e8 73 fc ff ff callq a90 <puts@plt>
puts("=======================");
e1d: 48 8d 3d c4 05 00 00 lea 0x5c4(%rip),%rdi # 13e8 <open@plt+0x858>
e24: b8 00 00 00 00 mov $0x0,%eax
e29: e8 42 fc ff ff callq a70 <printf@plt>
printf("Your choice: ");
e2e: b8 00 00 00 00 mov $0x0,%eax
e33: e8 02 ff ff ff callq d3a <open@plt+0x1aa>
e38: 5d pop %rbp
e39: c3 retq
return sub_d3a();
}
void sub_e3a()
{
e3a: 55 push %rbp
e3b: 48 89 e5 mov %rsp,%rbp
e3e: 48 83 c4 80 add $0xffffffffffffff80,%rsp
// Local variables.
char rbp_80h[0x20];
char rbp_40h[0x20];
e42: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
e49: 00 00
e4b: 48 89 45 f8 mov %rax,-0x8(%rbp)
e4f: 31 c0 xor %eax,%eax
e51: 48 8d 3d 9e 05 00 00 lea 0x59e(%rip),%rdi # 13f6 <open@plt+0x866>
e58: b8 00 00 00 00 mov $0x0,%eax
e5d: e8 0e fc ff ff callq a70 <printf@plt>
printf("Login: ");
e62: 48 8d 45 80 lea -0x80(%rbp),%rax
e66: 48 89 c6 mov %rax,%rsi
e69: 48 8d 3d 8e 05 00 00 lea 0x58e(%rip),%rdi # 13fe <open@plt+0x86e>
e70: b8 00 00 00 00 mov $0x0,%eax
e75: e8 e6 fc ff ff callq b60 <__isoc99_scanf@plt>
scanf("%32s", rbp_80h);
e7a: 48 8d 3d 82 05 00 00 lea 0x582(%rip),%rdi # 1403 <open@plt+0x873>
e81: b8 00 00 00 00 mov $0x0,%eax
e86: e8 e5 fb ff ff callq a70 <printf@plt>
printf("Password: ");
e8b: 48 8d 45 c0 lea -0x40(%rbp),%rax
e8f: 48 89 c6 mov %rax,%rsi
e92: 48 8d 3d 65 05 00 00 lea 0x565(%rip),%rdi # 13fe <open@plt+0x86e>
e99: b8 00 00 00 00 mov $0x0,%eax
e9e: e8 bd fc ff ff callq b60 <__isoc99_scanf@plt>
scanf("%32s", rbp_40h);
ea3: 48 8d 45 80 lea -0x80(%rbp),%rax
ea7: 48 8d 35 60 05 00 00 lea 0x560(%rip),%rsi # 140e <open@plt+0x87e>
eae: 48 89 c7 mov %rax,%rdi
eb1: e8 8a fc ff ff callq b40 <strcmp@plt>
eb6: 85 c0 test %eax,%eax
eb8: 75 17 jne ed1 <open@plt+0x341>
eba: 48 8d 45 c0 lea -0x40(%rbp),%rax
ebe: 48 8d 35 4f 05 00 00 lea 0x54f(%rip),%rsi # 1414 <open@plt+0x884>
ec5: 48 89 c7 mov %rax,%rdi
ec8: e8 73 fc ff ff callq b40 <strcmp@plt>
ecd: 85 c0 test %eax,%eax
ecf: 74 16 je ee7 <open@plt+0x357>
if(strcmp(rbp_80h, "guest") || strcmp(rbp_40h, "guest123")) {
ed1: 48 8d 3d 45 05 00 00 lea 0x545(%rip),%rdi # 141d <open@plt+0x88d>
ed8: e8 b3 fb ff ff callq a90 <puts@plt>
puts("Invalid username or password.");
edd: bf 00 00 00 00 mov $0x0,%edi
ee2: e8 b9 fb ff ff callq aa0 <exit@plt>
exit(EXIT_SUCCESS);
}
ee7: 48 8d 45 80 lea -0x80(%rbp),%rax
eeb: 48 89 c6 mov %rax,%rsi
eee: 48 8d 05 4b 11 20 00 lea 0x20114b(%rip),%rax # 202040 <_edata+0x30>
ef5: 48 89 c7 mov %rax,%rdi
ef8: e8 53 fc ff ff callq b50 <strcpy@plt>
strcpy(bss_202040, rbp_80h);
efd: 48 8d 05 3c 11 20 00 lea 0x20113c(%rip),%rax # 202040 <_edata+0x30>
f04: c7 80 00 01 00 00 01 movl $0x1,0x100(%rax)
f0b: 00 00 00
bss_202040->offset_100h = 1;
f0e: 48 8b 45 f8 mov -0x8(%rbp),%rax
f12: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
f19: 00 00
f1b: 74 05 je f22 <open@plt+0x392>
f1d: e8 0e fc ff ff callq b30 <__stack_chk_fail@plt>
f22: c9 leaveq
f23: c3 retq
}
void sub_f24()
{
f24: 55 push %rbp
f25: 48 89 e5 mov %rsp,%rbp
f28: 48 8d 05 11 11 20 00 lea 0x201111(%rip),%rax # 202040 <_edata+0x30>
f2f: 48 89 c6 mov %rax,%rsi
f32: 48 8d 3d 02 05 00 00 lea 0x502(%rip),%rdi # 143b <open@plt+0x8ab>
f39: b8 00 00 00 00 mov $0x0,%eax
f3e: e8 2d fb ff ff callq a70 <printf@plt>
printf("Username: %s\n", bss_202040->offset_00h);
f43: 48 8d 05 f6 10 20 00 lea 0x2010f6(%rip),%rax # 202040 <_edata+0x30>
f4a: 8b 80 00 01 00 00 mov 0x100(%rax),%eax
f50: 85 c0 test %eax,%eax
f52: 74 09 je f5d <open@plt+0x3cd>
f54: 48 8d 05 ee 04 00 00 lea 0x4ee(%rip),%rax # 1449 <open@plt+0x8b9>
f5b: eb 07 jmp f64 <open@plt+0x3d4>
f5d: 48 8d 05 eb 04 00 00 lea 0x4eb(%rip),%rax # 144f <open@plt+0x8bf>
f64: 48 89 c6 mov %rax,%rsi
f67: 48 8d 3d ed 04 00 00 lea 0x4ed(%rip),%rdi # 145b <open@plt+0x8cb>
f6e: b8 00 00 00 00 mov $0x0,%eax
f73: e8 f8 fa ff ff callq a70 <printf@plt>
printf("Level: %s\n", bss_202040->offset_100h ? "Guest" : "Normal User");
f78: 5d pop %rbp
f79: c3 retq
}
void sub_f7a()
{
f7a: 55 push %rbp
f7b: 48 89 e5 mov %rsp,%rbp
f7e: 48 8d 3d e1 04 00 00 lea 0x4e1(%rip),%rdi # 1466 <open@plt+0x8d6>
f85: e8 06 fb ff ff callq a90 <puts@plt>
puts("Enter your new username:");
f8a: 48 8d 05 af 10 20 00 lea 0x2010af(%rip),%rax # 202040 <_edata+0x30>
f91: 48 89 c6 mov %rax,%rsi
f94: 48 8d 3d e4 04 00 00 lea 0x4e4(%rip),%rdi # 147f <open@plt+0x8ef>
f9b: b8 00 00 00 00 mov $0x0,%eax
fa0: e8 bb fb ff ff callq b60 <__isoc99_scanf@plt>
scanf("%256s", bss_202040->offset_00h);
fa5: 48 8d 3d d9 04 00 00 lea 0x4d9(%rip),%rdi # 1485 <open@plt+0x8f5>
fac: e8 df fa ff ff callq a90 <puts@plt>
puts("Done.");
fb1: 5d pop %rbp
fb2: c3 retq
}
void sub_fb3()
{
fb3: 55 push %rbp
fb4: 48 89 e5 mov %rsp,%rbp
fb7: 48 81 ec 20 01 00 00 sub $0x120,%rsp
// Local variables.
int rbp_118h;
int rbp_114h;
char rbp_110h[0x100];
fbe: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
fc5: 00 00
fc7: 48 89 45 f8 mov %rax,-0x8(%rbp)
fcb: 31 c0 xor %eax,%eax
fcd: be 00 00 00 00 mov $0x0,%esi
fd2: 48 8d 3d b2 04 00 00 lea 0x4b2(%rip),%rdi # 148b <open@plt+0x8fb>
fd9: b8 00 00 00 00 mov $0x0,%eax
fde: e8 ad fb ff ff callq b90 <open@plt>
fe3: 89 85 e8 fe ff ff mov %eax,-0x118(%rbp)
rbp_118h = open("flag", O_RDONLY);
fe9: 48 8d 8d f0 fe ff ff lea -0x110(%rbp),%rcx
ff0: 8b 85 e8 fe ff ff mov -0x118(%rbp),%eax
ff6: ba 00 01 00 00 mov $0x100,%edx
ffb: 48 89 ce mov %rcx,%rsi
ffe: 89 c7 mov %eax,%edi
1000: e8 cb fa ff ff callq ad0 <read@plt>
1005: 89 85 ec fe ff ff mov %eax,-0x114(%rbp)
rbp_114h = read(rbp_118h, rbp_110h, 0x100);
100b: 83 bd ec fe ff ff 00 cmpl $0x0,-0x114(%rbp)
1012: 7e 1d jle 1031 <open@plt+0x4a1>
if(rbp_114h > 0) {
1014: 8b 85 ec fe ff ff mov -0x114(%rbp),%eax
101a: 48 63 d0 movslq %eax,%rdx
101d: 48 8d 85 f0 fe ff ff lea -0x110(%rbp),%rax
1024: 48 89 c6 mov %rax,%rsi
1027: bf 01 00 00 00 mov $0x1,%edi
102c: e8 4f fb ff ff callq b80 <write@plt>
write(STDOUT_FILENO, rbp_110h, rbp_114h);
}
1031: bf 00 00 00 00 mov $0x0,%edi
1036: e8 65 fa ff ff callq aa0 <exit@plt>
exit(EXIT_SUCCESS);
}
void sub_103b()
{
103b: 55 push %rbp
103c: 48 89 e5 mov %rsp,%rbp
103f: 48 81 ec 20 02 00 00 sub $0x220,%rsp
// Local variables.
char rbp_220h[0x10];
char rbp_210h[0x100];
char rbp_110h[0x100];
1046: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
104d: 00 00
104f: 48 89 45 f8 mov %rax,-0x8(%rbp)
1053: 31 c0 xor %eax,%eax
1055: 48 8d 3d 9a 03 00 00 lea 0x39a(%rip),%rdi # 13f6 <open@plt+0x866>
105c: b8 00 00 00 00 mov $0x0,%eax
1061: e8 0a fa ff ff callq a70 <printf@plt>
printf("Login: ");
1066: 48 8d 85 f0 fd ff ff lea -0x210(%rbp),%rax
106d: be 00 01 00 00 mov $0x100,%esi
1072: 48 89 c7 mov %rax,%rdi
1075: e8 3b fc ff ff callq cb5 <open@plt+0x125>
sub_cb5(rbp_210h, 0x100);
107a: 48 8d 3d 82 03 00 00 lea 0x382(%rip),%rdi # 1403 <open@plt+0x873>
1081: b8 00 00 00 00 mov $0x0,%eax
1086: e8 e5 f9 ff ff callq a70 <printf@plt>
printf("Password: ");
108b: 48 8d 85 f0 fe ff ff lea -0x110(%rbp),%rax
1092: be 00 01 00 00 mov $0x100,%esi
1097: 48 89 c7 mov %rax,%rdi
109a: e8 16 fc ff ff callq cb5 <open@plt+0x125>
sub_cb5(rbp_110h, 0x100);
109f: 48 8d 85 f0 fe ff ff lea -0x110(%rbp),%rax
10a6: 48 89 c7 mov %rax,%rdi
10a9: e8 42 fa ff ff callq af0 <strlen@plt>
10ae: 48 89 c1 mov %rax,%rcx
10b1: 48 8d 95 e0 fd ff ff lea -0x220(%rbp),%rdx
10b8: 48 8d 85 f0 fe ff ff lea -0x110(%rbp),%rax
10bf: 48 89 ce mov %rcx,%rsi
10c2: 48 89 c7 mov %rax,%rdi
10c5: e8 f6 f9 ff ff callq ac0 <MD5@plt>
MD5(rbp_110h, strlen(rbp_110h), rbp_220h);
10ca: 48 8d 85 f0 fd ff ff lea -0x210(%rbp),%rax
10d1: 48 8d 35 b8 03 00 00 lea 0x3b8(%rip),%rsi # 1490 <open@plt+0x900>
10d8: 48 89 c7 mov %rax,%rdi
10db: e8 60 fa ff ff callq b40 <strcmp@plt>
10e0: 85 c0 test %eax,%eax
10e2: 75 2e jne 1112 <open@plt+0x582>
10e4: 48 8d 85 e0 fd ff ff lea -0x220(%rbp),%rax
10eb: ba 10 00 00 00 mov $0x10,%edx
10f0: 48 8d 35 9e 03 00 00 lea 0x39e(%rip),%rsi # 1495 <open@plt+0x905>
10f7: 48 89 c7 mov %rax,%rdi
10fa: e8 71 fa ff ff callq b70 <memcmp@plt>
10ff: 85 c0 test %eax,%eax
1101: 75 0f jne 1112 <open@plt+0x582>
if(!strcmp(rbp_210h, "root") && !memcmp(rbp_220h, "0ops{secret_MD5}", 0x10)) {
1103: b8 00 00 00 00 mov $0x0,%eax
1108: e8 a6 fe ff ff callq fb3 <open@plt+0x423>
sub_fb3();
110d: e9 1c 01 00 00 jmpq 122e <open@plt+0x69e>
} else {
1112: 48 8d 85 f0 fd ff ff lea -0x210(%rbp),%rax
1119: 48 89 c7 mov %rax,%rdi
111c: b8 00 00 00 00 mov $0x0,%eax
1121: e8 4a f9 ff ff callq a70 <printf@plt>
printf(rbp_210h);
1126: 48 8d 3d 79 03 00 00 lea 0x379(%rip),%rdi # 14a6 <open@plt+0x916>
112d: e8 5e f9 ff ff callq a90 <puts@plt>
puts("login failed.");
1132: 48 8d 3d 7c 03 00 00 lea 0x37c(%rip),%rdi # 14b5 <open@plt+0x925>
1139: e8 52 f9 ff ff callq a90 <puts@plt>
puts("1 chance remaining.");
113e: 48 8d 3d b1 02 00 00 lea 0x2b1(%rip),%rdi # 13f6 <open@plt+0x866>
1145: b8 00 00 00 00 mov $0x0,%eax
114a: e8 21 f9 ff ff callq a70 <printf@plt>
printf("Login: ");
114f: 48 8d 85 f0 fd ff ff lea -0x210(%rbp),%rax
1156: be 00 01 00 00 mov $0x100,%esi
115b: 48 89 c7 mov %rax,%rdi
115e: e8 52 fb ff ff callq cb5 <open@plt+0x125>
sub_cb5(rbp_210h, 0x100);
1163: 48 8d 3d 99 02 00 00 lea 0x299(%rip),%rdi # 1403 <open@plt+0x873>
116a: b8 00 00 00 00 mov $0x0,%eax
116f: e8 fc f8 ff ff callq a70 <printf@plt>
printf("Password: ");
1174: 48 8d 85 f0 fe ff ff lea -0x110(%rbp),%rax
117b: be 00 01 00 00 mov $0x100,%esi
1180: 48 89 c7 mov %rax,%rdi
1183: e8 2d fb ff ff callq cb5 <open@plt+0x125>
sub_cb5(rbp_110h, 0x100);
1188: 48 8d 85 f0 fe ff ff lea -0x110(%rbp),%rax
118f: 48 89 c7 mov %rax,%rdi
1192: e8 59 f9 ff ff callq af0 <strlen@plt>
1197: 48 89 c1 mov %rax,%rcx
119a: 48 8d 95 e0 fd ff ff lea -0x220(%rbp),%rdx
11a1: 48 8d 85 f0 fe ff ff lea -0x110(%rbp),%rax
11a8: 48 89 ce mov %rcx,%rsi
11ab: 48 89 c7 mov %rax,%rdi
11ae: e8 0d f9 ff ff callq ac0 <MD5@plt>
MD5(rbp_110h, strlen(rbp_110h), rbp_220h);
11b3: 48 8d 85 f0 fd ff ff lea -0x210(%rbp),%rax
11ba: 48 8d 35 cf 02 00 00 lea 0x2cf(%rip),%rsi # 1490 <open@plt+0x900>
11c1: 48 89 c7 mov %rax,%rdi
11c4: e8 77 f9 ff ff callq b40 <strcmp@plt>
11c9: 85 c0 test %eax,%eax
11cb: 75 2b jne 11f8 <open@plt+0x668>
11cd: 48 8d 85 e0 fd ff ff lea -0x220(%rbp),%rax
11d4: ba 10 00 00 00 mov $0x10,%edx
11d9: 48 8d 35 b5 02 00 00 lea 0x2b5(%rip),%rsi # 1495 <open@plt+0x905>
11e0: 48 89 c7 mov %rax,%rdi
11e3: e8 88 f9 ff ff callq b70 <memcmp@plt>
11e8: 85 c0 test %eax,%eax
11ea: 75 0c jne 11f8 <open@plt+0x668>
if(!strcmp(rbp_210h, "root") && !memcmp(rbp_220h, "0ops{secret_MD5}", 0x10)) {
11ec: b8 00 00 00 00 mov $0x0,%eax
11f1: e8 bd fd ff ff callq fb3 <open@plt+0x423>
sub_fb3();
11f6: eb 36 jmp 122e <open@plt+0x69e>
} else {
11f8: 48 8d 85 f0 fd ff ff lea -0x210(%rbp),%rax
11ff: 48 89 c7 mov %rax,%rdi
1202: b8 00 00 00 00 mov $0x0,%eax
1207: e8 64 f8 ff ff callq a70 <printf@plt>
printf(rbp_210h);
120c: 48 8d 3d 93 02 00 00 lea 0x293(%rip),%rdi # 14a6 <open@plt+0x916>
1213: e8 78 f8 ff ff callq a90 <puts@plt>
puts("login failed.");
1218: 48 8d 3d b1 02 00 00 lea 0x2b1(%rip),%rdi # 14d0 <open@plt+0x940>
121f: e8 6c f8 ff ff callq a90 <puts@plt>
puts("Threat detected. System shutdown.");
1224: bf 01 00 00 00 mov $0x1,%edi
1229: e8 72 f8 ff ff callq aa0 <exit@plt>
exit(EXIT_FAILURE);
}
}
122e: 48 8b 45 f8 mov -0x8(%rbp),%rax
1232: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
1239: 00 00
123b: 74 05 je 1242 <open@plt+0x6b2>
123d: e8 ee f8 ff ff callq b30 <__stack_chk_fail@plt>
1242: c9 leaveq
1243: c3 retq
}
int main()
{
1244: 55 push %rbp
1245: 48 89 e5 mov %rsp,%rbp
1248: 48 83 ec 10 sub $0x10,%rsp
// Local variables.
int rbp_04h;
124c: b8 00 00 00 00 mov $0x0,%eax
1251: e8 35 fb ff ff callq d8b <open@plt+0x1fb>
sub_d8b();
1256: b8 00 00 00 00 mov $0x0,%eax
125b: e8 da fb ff ff callq e3a <open@plt+0x2aa>
sub_e3a();
while(true) {
1260: b8 00 00 00 00 mov $0x0,%eax
1265: e8 73 fb ff ff callq ddd <open@plt+0x24d>
126a: 89 45 fc mov %eax,-0x4(%rbp)
rbp_04h = sub_ddd();
126d: 8b 45 fc mov -0x4(%rbp),%eax
1270: 83 f8 02 cmp $0x2,%eax
1273: 74 24 je 1299 <open@plt+0x709>
1275: 83 f8 02 cmp $0x2,%eax
1278: 7f 07 jg 1281 <open@plt+0x6f1>
127a: 83 f8 01 cmp $0x1,%eax
127d: 74 0e je 128d <open@plt+0x6fd>
127f: eb 62 jmp 12e3 <open@plt+0x753>
1281: 83 f8 03 cmp $0x3,%eax
1284: 74 1f je 12a5 <open@plt+0x715>
1286: 83 f8 04 cmp $0x4,%eax
1289: 74 2d je 12b8 <open@plt+0x728>
128b: eb 56 jmp 12e3 <open@plt+0x753>
switch(rbp_04h) {
case 1:
128d: b8 00 00 00 00 mov $0x0,%eax
1292: e8 8d fc ff ff callq f24 <open@plt+0x394>
sub_f24();
1297: eb 57 jmp 12f0 <open@plt+0x760>
break;
case 2:
1299: b8 00 00 00 00 mov $0x0,%eax
129e: e8 d7 fc ff ff callq f7a <open@plt+0x3ea>
sub_f7a();
12a3: eb 4b jmp 12f0 <open@plt+0x760>
break;
case 3:
12a5: 48 8d 3d 46 02 00 00 lea 0x246(%rip),%rdi # 14f2 <open@plt+0x962>
12ac: e8 df f7 ff ff callq a90 <puts@plt>
puts("Bye");
12b1: b8 00 00 00 00 mov $0x0,%eax
12b6: eb 3d jmp 12f5 <open@plt+0x765>
return 0;
case 4:
12b8: 48 8d 05 81 0d 20 00 lea 0x200d81(%rip),%rax # 202040 <_edata+0x30>
12bf: 8b 80 00 01 00 00 mov 0x100(%rax),%eax
12c5: 85 c0 test %eax,%eax
12c7: 75 0c jne 12d5 <open@plt+0x745>
if(bss_202040->offset_100h == 0) {
12c9: b8 00 00 00 00 mov $0x0,%eax
12ce: e8 68 fd ff ff callq 103b <open@plt+0x4ab>
sub_103b();
12d3: eb 1b jmp 12f0 <open@plt+0x760>
break;
}
12d5: 48 8d 3d 1a 02 00 00 lea 0x21a(%rip),%rdi # 14f6 <open@plt+0x966>
12dc: e8 af f7 ff ff callq a90 <puts@plt>
puts("Invalid!");
12e1: eb 0d jmp 12f0 <open@plt+0x760>
default:
12e3: 48 8d 3d 0c 02 00 00 lea 0x20c(%rip),%rdi # 14f6 <open@plt+0x966>
12ea: e8 a1 f7 ff ff callq a90 <puts@plt>
puts("Invalid!");
12ef: 90 nop
}
12f0: e9 6b ff ff ff jmpq 1260 <open@plt+0x6d0>
}
12f5: c9 leaveq
12f6: c3 retq
12f7: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
}
12fe: 00 00
1300: 41 57 push %r15
1302: 41 89 ff mov %edi,%r15d
1305: 41 56 push %r14
1307: 49 89 f6 mov %rsi,%r14
130a: 41 55 push %r13
130c: 49 89 d5 mov %rdx,%r13
130f: 41 54 push %r12
1311: 4c 8d 25 e8 09 20 00 lea 0x2009e8(%rip),%r12 # 201d00 <open@plt+0x201170>
1318: 55 push %rbp
1319: 48 8d 2d e8 09 20 00 lea 0x2009e8(%rip),%rbp # 201d08 <open@plt+0x201178>
1320: 53 push %rbx
1321: 4c 29 e5 sub %r12,%rbp
1324: 31 db xor %ebx,%ebx
1326: 48 c1 fd 03 sar $0x3,%rbp
132a: 48 83 ec 08 sub $0x8,%rsp
132e: e8 05 f7 ff ff callq a38 <printf@plt-0x38>
1333: 48 85 ed test %rbp,%rbp
1336: 74 1e je 1356 <open@plt+0x7c6>
1338: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
133f: 00
1340: 4c 89 ea mov %r13,%rdx
1343: 4c 89 f6 mov %r14,%rsi
1346: 44 89 ff mov %r15d,%edi
1349: 41 ff 14 dc callq *(%r12,%rbx,8)
134d: 48 83 c3 01 add $0x1,%rbx
1351: 48 39 eb cmp %rbp,%rbx
1354: 75 ea jne 1340 <open@plt+0x7b0>
1356: 48 83 c4 08 add $0x8,%rsp
135a: 5b pop %rbx
135b: 5d pop %rbp
135c: 41 5c pop %r12
135e: 41 5d pop %r13
1360: 41 5e pop %r14
1362: 41 5f pop %r15
1364: c3 retq
1365: 66 66 2e 0f 1f 84 00 data32 nopw %cs:0x0(%rax,%rax,1)
136c: 00 00 00 00
1370: f3 c3 repz retq
Disassembly of section .fini:
0000000000001374 <.fini>:
1374: 48 83 ec 08 sub $0x8,%rsp
1378: 48 83 c4 08 add $0x8,%rsp
137c: c3 retq