Last active
August 29, 2015 14:25
-
-
Save hhc0null/82f7e21ae5089d3699d0 to your computer and use it in GitHub Desktop.
pwn100 decompile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class Tag { | |
| public: | |
| short int offset_00h; // tag?? | |
| offset_04h; | |
| } | |
| class Mem { | |
| public: | |
| void *offset_00h; // origin | |
| void *offset_04h; // limit | |
| } | |
| Tag::Tag(Tag* const this) | |
| { | |
| this.offset_00h = NULL; | |
| this.offset_04h = NULL; | |
| } | |
| Mem *bss_804a04ch; | |
| int main() | |
| { | |
| bss_804a04ch.offset_00h = malloc(0x2800); | |
| bss_804a04ch.offset_04h = &bss_804a04ch[0x2800]; | |
| memset(esp_1ch, '\0', 0x400); | |
| read(STDIN_FILENO, esp_1ch, 0x400); | |
| esp_14h = bss_804a04ch.Mem::get_mem(0xc); | |
| esp_14h.set_tag_content(esp_1ch); | |
| memset(esp_1ch, '\0', 0x400); | |
| read(STDIN_FILENO, esp_1ch, 0x400); | |
| esp_18h = bss_804a04ch.get_mem(0xc); | |
| esp_18h.set_tag_content(esp_1ch); | |
| while(true) { | |
| write(STDOUT_FILENO, "========\n", 0x9); | |
| write(STDOUT_FILENO, "T1", 0x2); | |
| esp_14h.use_tag(); | |
| write(STDOUT_FILENO, "T2", 0x2); | |
| esp_18h.use_tag(); | |
| } | |
| } | |
| char *Mem::get_mem(Mem* const this, unsigned int arg_0) | |
| { | |
| char *ebp_04h; | |
| if(&this.offset_00h[arg_0] > this.offset_04h) return 0; | |
| ebp_04h = this.offset_00h; | |
| this.offset_00h = this.offset_00h[arg_0]; // set origin to new offset. | |
| return ebp_04h; | |
| } | |
| void Tag::set_tag_content(Tag* const this, char *arg_0) | |
| { | |
| int i; | |
| if(strlen(arg_0) > 0x201) { | |
| return 0; | |
| } | |
| if(this.offset_08h == NULL) { | |
| this.offset_08h = bss_804a04ch.get_mem(0x200); | |
| } | |
| memset(this.offset_08h, '\0', strlen(this.offset_08h)); | |
| memcpy(this.offset_08h, arg_0, strlen(arg_0)); | |
| for(i = 0; i < strlen(arg_0); i++) { | |
| if(arg_0[i] == '%') { | |
| this.offset_00h = 0x0; | |
| break; | |
| } | |
| } | |
| if(i == strlen(arg_0)) this.offset_00h = 0x1; | |
| } | |
| Tag::use_tag(Tag* const this) | |
| { | |
| char ebp_80ch[0x400]; | |
| char ebp_40ch[0x400]; | |
| memset(ebp_80ch, '\0', 0x400); | |
| sprintf(ebp_80ch, "Verify %x\n", this->offset_00h); | |
| write(STDOUT_FILENO, ebp_80ch, 0x14); | |
| memset(ebp_80ch, '\0', 0x400); | |
| if(this->offset_00h == 0x1) { | |
| sprintf(ebp_80ch, this->offset_08h); | |
| write(STDOUT_FILENO, ebp_80ch, 0x400); | |
| write(STDOUT_FILENO, "\n", 0x1); | |
| } else { | |
| write(STDOUT_FILENO, this->offset_08h, strlen(this->offset_08h)); | |
| write(STDOUT_FILENO, "\n", 0x1); | |
| write(STDOUT_FILENO, "Not verify , content?\n", 0x17); | |
| memset(ebp_40ch, '\0', 0x400); | |
| read(STDIN_FILENO, ebp_40ch, 0x400); | |
| this->set_tag_content(ebp_40ch); | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment