@hhc0null
Last active August 29, 2015 14:17
[Memo] BCTF2015-qoobee-Exploit500
// Helper used by sub_400de1: XORs its argument with the constant 0xdead and
// returns the result. The disassembly performs the XOR on the full 64-bit %rax,
// so the value round-tripped here is pointer-sized even though the memo writes
// the return type as int. The key is a fixed constant that anyone with the
// binary can read, so this is an obfuscation step, not a secret-keyed one.
int sub_400d5d(arg0)
{
rbp_18h = arg0;
// Fixed-key XOR; trivially invertible by applying the same XOR again.
rbp_08h = rbp_18h ^ 0xdead;
return rbp_08h;
}
// Prompts for a message and reads it with scanf("%s") into a stack buffer.
// No direct caller appears on this page: sub_400de1 passes this function's
// address (XORed with 0xdead) into its jmp_buf and then longjmps.
// The "%s" conversion has no width limit, so the read is bounded only by
// whitespace in the input, not by the buffer — longer input overruns the frame.
// The disassembly saves %fs:0x28 at rbp-0x8 and calls __stack_chk_fail before
// returning, so a plain linear overrun past the canary aborts at function exit.
void sub_400d79()
{
// Local variables.
// NOTE(review): the disassembly places this buffer at rbp-0x100 and the canary
// at rbp-0x8, which leaves 0xf8 bytes before the canary — confirm the 0x98 size.
char rbp_100h[0x98];
printf("Now you can leave me a message: ");
fflush(stdout);
// Unbounded read: "%s" without a width specifier.
scanf("%s", rbp_100h);
}
// Menu option 2. Saves the context with setjmp, then on the direct path
// (setjmp returned 0) stores sub_400d79 ^ 0xdead into the 8-byte slot at
// jmp_buf+0x38 and calls longjmp(jmp_buf, 1). On glibc x86-64, jmp_buf+0x38
// is the saved program-counter slot (JB_PC), which longjmp demangles before
// jumping — so this write is presumably what redirects the longjmp into
// sub_400d79 instead of back to the setjmp site; confirm against the target
// libc's jmp_buf layout and pointer-guard handling.
// Security-relevant: a jmp_buf whose saved-PC slot is written from data the
// program controls is a control-flow redirection point. The "[-] Error, GG."
// branch is only reached if the longjmp really does return here with 1.
int sub_400de1()
{
// Local variables.
// rbp_d8h: pointer to jmp_buf + 0x38. rbp_d0h: the jmp_buf itself (rbp-0xd0).
rbp_d8h;
rbp_d0h;
rbp_d8h = &rbp_d0h + 0x38h;
// setjmp returns 0 on the direct call and the longjmp value (1) when jumped back to.
if(setjmp(rbp_d0h) == 1? 1: 0) {
puts("[-] Error, GG.");
return 0;
} else {
// Overwrite the saved-PC slot with the XOR-encoded address of sub_400d79.
*rbp_d8h = sub_400d5d(sub_400d79);
// Does not return to this frame if the slot above took effect.
longjmp(rbp_d0h, 1);
}
}
// Prints the banner line. Called once from main before the menu.
void sub_400e55()
{
puts("QooBee AA");
}
// Signal handler installed by main for SIGSEGV with sa_flags == 4; on Linux
// x86-64 that value is SA_SIGINFO, which is consistent with the three-argument
// (signo, siginfo_t *, ucontext) form used here — confirm. arg1 and arg2 are
// stored to the frame but never read.
// Only SIGSEGV (0xb in the disassembly) is handled: it prints a message and
// calls exit(-1). From a hardening view: puts() and exit() are not
// async-signal-safe, and converting every segfault into a clean message plus a
// normal exit masks memory-corruption crashes from whoever monitors the process.
void sub_400e65(int arg0, arg1, arg2)
{
rbp_04h = arg0; // signal number
rbp_10h = arg1; // siginfo pointer (unused)
rbp_18h = arg2; // context pointer (unused)
if(rbp_04h == SIGSEGV) {
puts("QooBee Like Donuts!");
exit(-1);
}
}
// Copies bytes from stdin into arg0 until a '\n' is read, then NUL-terminates.
// The memo's own XXX is the key point: there is no length parameter, so the
// write is bounded only by the input. The caller on this page (sub_400efd)
// passes a heap chunk whose size came from the user, so a long "Remark"
// overruns that chunk.
// A second issue is visible in the disassembly: getc's int result is stored
// in a single byte (mov %al,-0x5(%rbp)), so EOF (-1) becomes 0xff, which never
// compares equal to '\n' — on end of input the loop does not terminate and
// keeps writing.
// NOTE(review): the memo omits `rbp_18h = arg0;` (the disassembly stores %rdi
// at rbp-0x18 on entry), and `'\n', ;` in the for-header is a typo for `'\n';`.
void sub_400e94(char *arg0)
{
char *rbp_18h; // == arg0 (see note above)
char rbp_05h;  // most recent byte from stdin
int rbp_04h;   // write index into rbp_18h
// XXX: overflow!!
rbp_05h = getc(stdin);
for(rbp_04h = 0; rbp_05h != '\n', ; rbp_04h++) {
rbp_18h[rbp_04h] = rbp_05h;
rbp_05h = getc(stdin);
}
rbp_18h[rbp_04h] = '\0';
}
// Menu option 1. Reads a line into a zeroed 0x1000-byte stack buffer, parses a
// signed count with "%d", and malloc()s that many bytes. The disassembly
// sign-extends the int before the call (cltq), so a negative count becomes a
// huge size and malloc fails -> error branch; a count of 0 still yields a
// minimum-size chunk on common allocators. The "Remark" is then read by
// sub_400e94, which receives no size — nothing ties the input length to
// rbp_101ch, so the heap chunk can be overrun before it is freed.
// NOTE(review): rbp_1018h (the malloc result, at rbp-0x1018) is not listed
// among the locals, and the memo is missing the ';' after fflush(stdout).
void sub_400efd()
{
// Local variables.
int rbp_101ch;          // user-supplied count passed to malloc
char rbp_1010h[0x1000]; // input line
memset(rbp_1010h, '\0', 0x1000);
printf("How many dounts you want? ");
fflush(stdout)
fgets(rbp_1010h, 0x1000, stdin);
// Both the parse and the allocation must succeed to reach the read.
if(sscanf(rbp_1010h, "%d", &rbp_101ch) == 1 && (rbp_1018h = malloc(rbp_101ch)) != NULL) {
printf("Remark: ");
fflush(stdout);
// Unbounded copy into a chunk of rbp_101ch bytes.
sub_400e94(rbp_1018h);
free(rbp_1018h); // unlink.
} else {
puts("[-] Error, GG.");
}
}
// Menu option 3. Reads a line into a zeroed 0x800-byte buffer and parses an
// unsigned long timestamp with "%lu". A nonzero value goes straight to
// gmtime(); a zero value is replaced by the current time() first. The response
// is the crc32 of the first 0xc bytes of the returned struct tm (with the
// usual layout that is tm_sec, tm_min, tm_hour — confirm).
// Two unchecked paths: (1) gmtime() returns NULL for values it cannot
// represent, and that NULL is passed straight to crc32() -> SIGSEGV -> the
// handler in sub_400e65; (2) if sscanf fails and rbp_820h — which is never
// zeroed here, the memset covers only rbp_810h — happens to be nonzero,
// neither branch assigns rbp_818h and crc32() reads through an unassigned
// pointer.
// NOTE(review): rbp_818h (rbp-0x818, the struct tm pointer) is not listed
// among the locals.
void sub_40101e()
{
// Local variables.
rbp_820h; // unsigned long timestamp (rbp-0x820)
rbp_810h; // 0x800-byte input line (rbp-0x810)
memset(rbp_810h, '\0', 0x800);
puts("In case you need to synchronize your system time with server, we provide this.");
printf("Input your local system timestamp: ");
fflush(stdout);
fgets(rbp_810h, 0x800, stdin);
if(sscanf(rbp_810h, "%lu", &rbp_820h) == 1 && rbp_820h != 0? 1: 0) {
// No NULL check on gmtime's result.
rbp_818h = gmtime(&rbp_820h);
} else {
if(rbp_820h == 0) {
rbp_820h = time(&rbp_820h);
rbp_818h = gmtime(&rbp_820h);
}
// else: rbp_818h is left unassigned (see header note).
}
printf("Response: 0x%08X\n", crc32(0, rbp_818h, 0xc));
fflush(stdout);
}
// Switches stdin and stdout to unbuffered mode (the disassembly passes mode 2,
// which is _IONBF). Called from main after the banner.
void sub_401176()
{
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);
}
// Entry point. Installs a SIGSEGV handler (sub_400e65), switches stdio to
// unbuffered, prints the menu and dispatches on the parsed choice until EOF or
// an unrecognised choice.
// Signal setup: the if-condition is how the compiler emitted
// `sigemptyset(...) >= 0` — the disassembly does not/shr $0x1f on the 32-bit
// return value, which yields 1 exactly when that value is non-negative. The
// struct sigaction is built by hand: handler at +0x00, the sigset containing
// SIGSEGV copied into sa_mask at +0x08..+0x80, sa_flags at +0x88 = 4
// (SA_SIGINFO on Linux x86-64, matching the handler's three arguments —
// confirm), 0x98 bytes in total (8*0x13). Because the handler exits the
// process, any SIGSEGV raised by the menu functions becomes
// "QooBee Like Donuts!" followed by exit(-1).
// NOTE(review): memo typos — `ebp_940h` is `rbp_940h`; rbp_8c0h (the
// sigaction struct, later reused as the int menu choice) and rbp_820h (the
// 0x800-byte line buffer) are not listed among the locals.
int main(int argc, char *argv[])
{
// Local variables.
char **rbp_950h;
int rbp_944h;
sigset_t rbp_940h; // mask passed as sa_mask (contains SIGSEGV)
rbp_944h = argc;
rbp_950h = argv;
// True when sigemptyset succeeded (non-negative return).
if((~sigemptyset(ebp_940h)) >> 0x1f) {
sigaddset(ebp_940h, SIGSEGV);
memset(rbp_8c0h, '\0', 8*0x13);
rbp_8c0h.offset_00h = sub_400e65; // sa_handler / sa_sigaction
rbp_8c0h.offset_88h = 4;          // sa_flags
// sa_mask: copy the 16 qwords of the sigset into the struct.
rbp_8c0h.offset_08h = rbp_940h.offset_00h;
rbp_8c0h.offset_10h = rbp_940h.offset_08h;
rbp_8c0h.offset_18h = rbp_940h.offset_10h;
rbp_8c0h.offset_20h = rbp_940h.offset_18h;
rbp_8c0h.offset_28h = rbp_940h.offset_20h;
rbp_8c0h.offset_30h = rbp_940h.offset_28h;
rbp_8c0h.offset_38h = rbp_940h.offset_30h;
rbp_8c0h.offset_40h = rbp_940h.offset_38h;
rbp_8c0h.offset_48h = rbp_940h.offset_40h;
rbp_8c0h.offset_50h = rbp_940h.offset_48h;
rbp_8c0h.offset_58h = rbp_940h.offset_50h;
rbp_8c0h.offset_60h = rbp_940h.offset_58h;
rbp_8c0h.offset_68h = rbp_940h.offset_60h;
rbp_8c0h.offset_70h = rbp_940h.offset_68h;
rbp_8c0h.offset_78h = rbp_940h.offset_70h;
rbp_8c0h.offset_80h = rbp_940h.offset_78h;
sigaction(SIGSEGV, &rbp_8c0h, NULL);
}
sub_400e55(); // checked
sub_401176();
memset(rbp_820h, '\0', 0x800);
puts("What CTF does QooBee like most?");
puts(" 1. Defcon ?");
puts(" 2. Plaid CTF ?");
puts(" 3. Codegate ?");
while(true) {
printf("# ");
// fgets returns NULL on EOF/error: leave the loop and exit 0.
if(fgets(rbp_820h, 0x500, stdin) == 0) {
return 0;
} else {
// rbp_8c0h is reused as the int choice; the kernel took its copy of the
// sigaction struct in sigaction() above, so the overlap is harmless.
// Non-numeric lines are ignored and re-prompted.
if(sscanf(rbp_820h, "%d", &rbp_8c0h) != 1) {
continue;
}
switch(rbp_8c0h) {
case 1:
sub_400efd(); // checked
break;
case 2:
sub_400de1(); // checked
break;
case 3:
sub_40101e(); // checked
break;
default:
// Any other number ends the program.
return 0;
}
}
}
}
// Compiler-generated static initializer for <iostream>: the (1, 0xffff) guard
// pair is GCC's __initialize_p / __priority convention — confirm. Constructs
// the std::ios_base::Init object at bss_602119 and registers its destructor
// to run at exit. Not part of the challenge logic.
// NOTE(review): the memo omits `rbp_04h = arg0; rbp_08h = arg1;`, which the
// disassembly does store (%edi -> rbp-0x4, %esi -> rbp-0x8); the registration
// call goes through the __cxa_atexit PLT entry, abbreviated here as atexit.
void sub_40144a(arg0, arg1)
{
// Local variables.
rbp_08h; // == arg1 (priority)
rbp_04h; // == arg0 (initialize flag)
if(rbp_04h == 1 && rbp_08h == 0xffff) {
std::ios_base::Init::Init(bss_602119);
atexit(std::ios_base::Init::~Init, bss_602119, bss_6020f0);
}
}
// Static-initialization entry: invokes sub_40144a with the (1, 0xffff) guard
// values. Presumably reached from the init-array loop at 0x4014a0 during
// startup — confirm. Not part of the challenge logic.
void sub_401487()
{
sub_40144a(1, 0xffff);
}
qoobee-a53284060b93371c32322f8a522db98d: file format elf64-x86-64
Disassembly of section .init:
0000000000400aa0 <.init>:
400aa0: 48 83 ec 08 sub $0x8,%rsp
400aa4: 48 8b 05 4d 15 20 00 mov 0x20154d(%rip),%rax # 601ff8 <fflush@plt+0x201398>
400aab: 48 85 c0 test %rax,%rax
400aae: 74 05 je 400ab5 <printf@plt-0x1b>
400ab0: e8 3b 00 00 00 callq 400af0 <__gmon_start__@plt>
400ab5: 48 83 c4 08 add $0x8,%rsp
400ab9: c3 retq
Disassembly of section .plt:
0000000000400ac0 <printf@plt-0x10>:
400ac0: ff 35 42 15 20 00 pushq 0x201542(%rip) # 602008 <fflush@plt+0x2013a8>
400ac6: ff 25 44 15 20 00 jmpq *0x201544(%rip) # 602010 <fflush@plt+0x2013b0>
400acc: 0f 1f 40 00 nopl 0x0(%rax)
0000000000400ad0 <printf@plt>:
400ad0: ff 25 42 15 20 00 jmpq *0x201542(%rip) # 602018 <fflush@plt+0x2013b8>
400ad6: 68 00 00 00 00 pushq $0x0
400adb: e9 e0 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400ae0 <memset@plt>:
400ae0: ff 25 3a 15 20 00 jmpq *0x20153a(%rip) # 602020 <fflush@plt+0x2013c0>
400ae6: 68 01 00 00 00 pushq $0x1
400aeb: e9 d0 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400af0 <__gmon_start__@plt>:
400af0: ff 25 32 15 20 00 jmpq *0x201532(%rip) # 602028 <fflush@plt+0x2013c8>
400af6: 68 02 00 00 00 pushq $0x2
400afb: e9 c0 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400b00 <puts@plt>:
400b00: ff 25 2a 15 20 00 jmpq *0x20152a(%rip) # 602030 <fflush@plt+0x2013d0>
400b06: 68 03 00 00 00 pushq $0x3
400b0b: e9 b0 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400b10 <_setjmp@plt>:
400b10: ff 25 22 15 20 00 jmpq *0x201522(%rip) # 602038 <fflush@plt+0x2013d8>
400b16: 68 04 00 00 00 pushq $0x4
400b1b: e9 a0 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400b20 <exit@plt>:
400b20: ff 25 1a 15 20 00 jmpq *0x20151a(%rip) # 602040 <fflush@plt+0x2013e0>
400b26: 68 05 00 00 00 pushq $0x5
400b2b: e9 90 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400b30 <setvbuf@plt>:
400b30: ff 25 12 15 20 00 jmpq *0x201512(%rip) # 602048 <fflush@plt+0x2013e8>
400b36: 68 06 00 00 00 pushq $0x6
400b3b: e9 80 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400b40 <std::ios_base::Init::Init()@plt>:
400b40: ff 25 0a 15 20 00 jmpq *0x20150a(%rip) # 602050 <fflush@plt+0x2013f0>
400b46: 68 07 00 00 00 pushq $0x7
400b4b: e9 70 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400b50 <malloc@plt>:
400b50: ff 25 02 15 20 00 jmpq *0x201502(%rip) # 602058 <fflush@plt+0x2013f8>
400b56: 68 08 00 00 00 pushq $0x8
400b5b: e9 60 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400b60 <__libc_start_main@plt>:
400b60: ff 25 fa 14 20 00 jmpq *0x2014fa(%rip) # 602060 <fflush@plt+0x201400>
400b66: 68 09 00 00 00 pushq $0x9
400b6b: e9 50 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400b70 <gmtime@plt>:
400b70: ff 25 f2 14 20 00 jmpq *0x2014f2(%rip) # 602068 <fflush@plt+0x201408>
400b76: 68 0a 00 00 00 pushq $0xa
400b7b: e9 40 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400b80 <__cxa_atexit@plt>:
400b80: ff 25 ea 14 20 00 jmpq *0x2014ea(%rip) # 602070 <fflush@plt+0x201410>
400b86: 68 0b 00 00 00 pushq $0xb
400b8b: e9 30 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400b90 <fgets@plt>:
400b90: ff 25 e2 14 20 00 jmpq *0x2014e2(%rip) # 602078 <fflush@plt+0x201418>
400b96: 68 0c 00 00 00 pushq $0xc
400b9b: e9 20 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400ba0 <std::ios_base::Init::~Init()@plt>:
400ba0: ff 25 da 14 20 00 jmpq *0x2014da(%rip) # 602080 <fflush@plt+0x201420>
400ba6: 68 0d 00 00 00 pushq $0xd
400bab: e9 10 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400bb0 <scanf@plt>:
400bb0: ff 25 d2 14 20 00 jmpq *0x2014d2(%rip) # 602088 <fflush@plt+0x201428>
400bb6: 68 0e 00 00 00 pushq $0xe
400bbb: e9 00 ff ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400bc0 <free@plt>:
400bc0: ff 25 ca 14 20 00 jmpq *0x2014ca(%rip) # 602090 <fflush@plt+0x201430>
400bc6: 68 0f 00 00 00 pushq $0xf
400bcb: e9 f0 fe ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400bd0 <_IO_getc@plt>:
400bd0: ff 25 c2 14 20 00 jmpq *0x2014c2(%rip) # 602098 <fflush@plt+0x201438>
400bd6: 68 10 00 00 00 pushq $0x10
400bdb: e9 e0 fe ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400be0 <crc32@plt>:
400be0: ff 25 ba 14 20 00 jmpq *0x2014ba(%rip) # 6020a0 <fflush@plt+0x201440>
400be6: 68 11 00 00 00 pushq $0x11
400beb: e9 d0 fe ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400bf0 <sscanf@plt>:
400bf0: ff 25 b2 14 20 00 jmpq *0x2014b2(%rip) # 6020a8 <fflush@plt+0x201448>
400bf6: 68 12 00 00 00 pushq $0x12
400bfb: e9 c0 fe ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400c00 <sigaction@plt>:
400c00: ff 25 aa 14 20 00 jmpq *0x2014aa(%rip) # 6020b0 <fflush@plt+0x201450>
400c06: 68 13 00 00 00 pushq $0x13
400c0b: e9 b0 fe ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400c10 <sigaddset@plt>:
400c10: ff 25 a2 14 20 00 jmpq *0x2014a2(%rip) # 6020b8 <fflush@plt+0x201458>
400c16: 68 14 00 00 00 pushq $0x14
400c1b: e9 a0 fe ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400c20 <__stack_chk_fail@plt>:
400c20: ff 25 9a 14 20 00 jmpq *0x20149a(%rip) # 6020c0 <fflush@plt+0x201460>
400c26: 68 15 00 00 00 pushq $0x15
400c2b: e9 90 fe ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400c30 <longjmp@plt>:
400c30: ff 25 92 14 20 00 jmpq *0x201492(%rip) # 6020c8 <fflush@plt+0x201468>
400c36: 68 16 00 00 00 pushq $0x16
400c3b: e9 80 fe ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400c40 <sigemptyset@plt>:
400c40: ff 25 8a 14 20 00 jmpq *0x20148a(%rip) # 6020d0 <fflush@plt+0x201470>
400c46: 68 17 00 00 00 pushq $0x17
400c4b: e9 70 fe ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400c50 <time@plt>:
400c50: ff 25 82 14 20 00 jmpq *0x201482(%rip) # 6020d8 <fflush@plt+0x201478>
400c56: 68 18 00 00 00 pushq $0x18
400c5b: e9 60 fe ff ff jmpq 400ac0 <printf@plt-0x10>
0000000000400c60 <fflush@plt>:
400c60: ff 25 7a 14 20 00 jmpq *0x20147a(%rip) # 6020e0 <fflush@plt+0x201480>
400c66: 68 19 00 00 00 pushq $0x19
400c6b: e9 50 fe ff ff jmpq 400ac0 <printf@plt-0x10>
Disassembly of section .text:
0000000000400c70 <.text>:
400c70: 31 ed xor %ebp,%ebp
400c72: 49 89 d1 mov %rdx,%r9
400c75: 5e pop %rsi
400c76: 48 89 e2 mov %rsp,%rdx
400c79: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
400c7d: 50 push %rax
400c7e: 54 push %rsp
400c7f: 49 c7 c0 10 15 40 00 mov $0x401510,%r8
400c86: 48 c7 c1 a0 14 40 00 mov $0x4014a0,%rcx
400c8d: 48 c7 c7 b8 11 40 00 mov $0x4011b8,%rdi
400c94: e8 c7 fe ff ff callq 400b60 <__libc_start_main@plt>
400c99: f4 hlt
400c9a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
400ca0: b8 ff 20 60 00 mov $0x6020ff,%eax
400ca5: 55 push %rbp
400ca6: 48 2d f8 20 60 00 sub $0x6020f8,%rax
400cac: 48 83 f8 0e cmp $0xe,%rax
400cb0: 48 89 e5 mov %rsp,%rbp
400cb3: 77 02 ja 400cb7 <fflush@plt+0x57>
400cb5: 5d pop %rbp
400cb6: c3 retq
400cb7: b8 00 00 00 00 mov $0x0,%eax
400cbc: 48 85 c0 test %rax,%rax
400cbf: 74 f4 je 400cb5 <fflush@plt+0x55>
400cc1: 5d pop %rbp
400cc2: bf f8 20 60 00 mov $0x6020f8,%edi
400cc7: ff e0 jmpq *%rax
400cc9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
400cd0: b8 f8 20 60 00 mov $0x6020f8,%eax
400cd5: 55 push %rbp
400cd6: 48 2d f8 20 60 00 sub $0x6020f8,%rax
400cdc: 48 c1 f8 03 sar $0x3,%rax
400ce0: 48 89 e5 mov %rsp,%rbp
400ce3: 48 89 c2 mov %rax,%rdx
400ce6: 48 c1 ea 3f shr $0x3f,%rdx
400cea: 48 01 d0 add %rdx,%rax
400ced: 48 d1 f8 sar %rax
400cf0: 75 02 jne 400cf4 <fflush@plt+0x94>
400cf2: 5d pop %rbp
400cf3: c3 retq
400cf4: ba 00 00 00 00 mov $0x0,%edx
400cf9: 48 85 d2 test %rdx,%rdx
400cfc: 74 f4 je 400cf2 <fflush@plt+0x92>
400cfe: 5d pop %rbp
400cff: 48 89 c6 mov %rax,%rsi
400d02: bf f8 20 60 00 mov $0x6020f8,%edi
400d07: ff e2 jmpq *%rdx
400d09: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
400d10: 80 3d 01 14 20 00 00 cmpb $0x0,0x201401(%rip) # 602118 <stdout+0x8>
400d17: 75 11 jne 400d2a <fflush@plt+0xca>
400d19: 55 push %rbp
400d1a: 48 89 e5 mov %rsp,%rbp
400d1d: e8 7e ff ff ff callq 400ca0 <fflush@plt+0x40>
400d22: 5d pop %rbp
400d23: c6 05 ee 13 20 00 01 movb $0x1,0x2013ee(%rip) # 602118 <stdout+0x8>
400d2a: f3 c3 repz retq
400d2c: 0f 1f 40 00 nopl 0x0(%rax)
400d30: 48 83 3d c8 10 20 00 cmpq $0x0,0x2010c8(%rip) # 601e00 <fflush@plt+0x2011a0>
400d37: 00
400d38: 74 1e je 400d58 <fflush@plt+0xf8>
400d3a: b8 00 00 00 00 mov $0x0,%eax
400d3f: 48 85 c0 test %rax,%rax
400d42: 74 14 je 400d58 <fflush@plt+0xf8>
400d44: 55 push %rbp
400d45: bf 00 1e 60 00 mov $0x601e00,%edi
400d4a: 48 89 e5 mov %rsp,%rbp
400d4d: ff d0 callq *%rax
400d4f: 5d pop %rbp
400d50: e9 7b ff ff ff jmpq 400cd0 <fflush@plt+0x70>
400d55: 0f 1f 00 nopl (%rax)
400d58: e9 73 ff ff ff jmpq 400cd0 <fflush@plt+0x70>
int sub_400d5d(arg0)
{
400d5d: 55 push %rbp
400d5e: 48 89 e5 mov %rsp,%rbp
400d61: 48 89 7d e8 mov %rdi,-0x18(%rbp)
rbp_18h = arg0;
400d65: 48 8b 45 e8 mov -0x18(%rbp),%rax
400d69: 48 35 ad de 00 00 xor $0xdead,%rax
400d6f: 48 89 45 f8 mov %rax,-0x8(%rbp)
rbp_08h = rbp_18h ^ 0xdead;
400d73: 48 8b 45 f8 mov -0x8(%rbp),%rax
400d77: 5d pop %rbp
400d78: c3 retq
return rbp_08h;
}
void sub_400d79()
{
400d79: 55 push %rbp
400d7a: 48 89 e5 mov %rsp,%rbp
400d7d: 48 81 ec 00 01 00 00 sub $0x100,%rsp
// Local variables.
char rbp_100h[0x98];
400d84: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
400d8b: 00 00
400d8d: 48 89 45 f8 mov %rax,-0x8(%rbp)
400d91: 31 c0 xor %eax,%eax
400d93: bf 28 15 40 00 mov $0x401528,%edi
400d98: b8 00 00 00 00 mov $0x0,%eax
400d9d: e8 2e fd ff ff callq 400ad0 <printf@plt>
printf("Now you can leave me a message: ");
400da2: 48 8b 05 67 13 20 00 mov 0x201367(%rip),%rax # 602110 <stdout>
400da9: 48 89 c7 mov %rax,%rdi
400dac: e8 af fe ff ff callq 400c60 <fflush@plt>
fflush(stdout);
400db1: 48 8d 85 00 ff ff ff lea -0x100(%rbp),%rax
400db8: 48 89 c6 mov %rax,%rsi
400dbb: bf 49 15 40 00 mov $0x401549,%edi
400dc0: b8 00 00 00 00 mov $0x0,%eax
400dc5: e8 e6 fd ff ff callq 400bb0 <scanf@plt>
scanf("%s", rbp_100h);
400dca: 90 nop
400dcb: 48 8b 45 f8 mov -0x8(%rbp),%rax
400dcf: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
400dd6: 00 00
400dd8: 74 05 je 400ddf <fflush@plt+0x17f>
400dda: e8 41 fe ff ff callq 400c20 <__stack_chk_fail@plt>
400ddf: c9 leaveq
400de0: c3 retq
}
int sub_400de1()
{
400de1: 55 push %rbp
400de2: 48 89 e5 mov %rsp,%rbp
400de5: 48 81 ec e0 00 00 00 sub $0xe0,%rsp
// Local variables.
rbp_d8h;
rbp_d0h;
400dec: 48 8d 85 30 ff ff ff lea -0xd0(%rbp),%rax
400df3: 48 83 c0 38 add $0x38,%rax
400df7: 48 89 85 28 ff ff ff mov %rax,-0xd8(%rbp)
rbp_d8h = &rbp_d0h + 0x38h;
400dfe: 48 8d 85 30 ff ff ff lea -0xd0(%rbp),%rax
400e05: 48 89 c7 mov %rax,%rdi
400e08: e8 03 fd ff ff callq 400b10 <_setjmp@plt>
400e0d: 83 f8 01 cmp $0x1,%eax
400e10: 0f 94 c0 sete %al
400e13: 84 c0 test %al,%al
400e15: 74 11 je 400e28 <fflush@plt+0x1c8>
if(setjmp(rbp_d0h) == 1? 1: 0) {
400e17: bf 4c 15 40 00 mov $0x40154c,%edi
400e1c: e8 df fc ff ff callq 400b00 <puts@plt>
puts("[-] Error, GG.");
400e21: b8 00 00 00 00 mov $0x0,%eax
400e26: eb 2b jmp 400e53 <fflush@plt+0x1f3>
return 0;
} else {
400e28: b8 79 0d 40 00 mov $0x400d79,%eax
400e2d: 48 89 c7 mov %rax,%rdi
400e30: e8 28 ff ff ff callq 400d5d <fflush@plt+0xfd>
400e35: 48 8b 95 28 ff ff ff mov -0xd8(%rbp),%rdx
400e3c: 48 89 02 mov %rax,(%rdx)
*rbp_d8h = sub_400d5d(sub_400d79);
400e3f: 48 8d 85 30 ff ff ff lea -0xd0(%rbp),%rax
400e46: be 01 00 00 00 mov $0x1,%esi
400e4b: 48 89 c7 mov %rax,%rdi
400e4e: e8 dd fd ff ff callq 400c30 <longjmp@plt>
longjmp(rbp_d0h, 1);
}
400e53: c9 leaveq
400e54: c3 retq
}
void sub_400e55()
{
400e55: 55 push %rbp
400e56: 48 89 e5 mov %rsp,%rbp
400e59: bf 60 15 40 00 mov $0x401560,%edi
400e5e: e8 9d fc ff ff callq 400b00 <puts@plt>
puts("QooBee AA");
400e63: 5d pop %rbp
400e64: c3 retq
}
// sigaction.sa_handler
void sub_400e65(int arg0, arg1, arg2)
{
400e65: 55 push %rbp
400e66: 48 89 e5 mov %rsp,%rbp
400e69: 48 83 ec 20 sub $0x20,%rsp
400e6d: 89 7d fc mov %edi,-0x4(%rbp)
rbp_04h = arg0;
400e70: 48 89 75 f0 mov %rsi,-0x10(%rbp)
rbp_10h = arg1;
400e74: 48 89 55 e8 mov %rdx,-0x18(%rbp)
rbp_18h = arg2;
400e78: 83 7d fc 0b cmpl $0xb,-0x4(%rbp)
400e7c: 75 14 jne 400e92 <fflush@plt+0x232>
if(rbp_04h == SIGSEGV) {
400e7e: bf 3c 16 40 00 mov $0x40163c,%edi
400e83: e8 78 fc ff ff callq 400b00 <puts@plt>
puts("QooBee Like Donuts!");
400e88: bf ff ff ff ff mov $0xffffffff,%edi
400e8d: e8 8e fc ff ff callq 400b20 <exit@plt>
exit(-1);
}
400e92: c9 leaveq
400e93: c3 retq
}
void sub_400e94(char *arg0)
{
400e94: 55 push %rbp
400e95: 48 89 e5 mov %rsp,%rbp
400e98: 48 83 ec 20 sub $0x20,%rsp
400e9c: 48 89 7d e8 mov %rdi,-0x18(%rbp)
400ea0: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp)
400ea7: 48 8b 05 52 12 20 00 mov 0x201252(%rip),%rax # 602100 <stdin>
400eae: 48 89 c7 mov %rax,%rdi
400eb1: e8 1a fd ff ff callq 400bd0 <_IO_getc@plt>
400eb6: 88 45 fb mov %al,-0x5(%rbp)
rbp_05h = getc(stdin);
400eb9: eb 29 jmp 400ee4 <fflush@plt+0x284>
for(rbp_04h = 0; rbp_05h != '\n', ; rbp_04h++) {
400ebb: 8b 45 fc mov -0x4(%rbp),%eax
400ebe: 48 63 d0 movslq %eax,%rdx
400ec1: 48 8b 45 e8 mov -0x18(%rbp),%rax
400ec5: 48 01 c2 add %rax,%rdx
400ec8: 0f b6 45 fb movzbl -0x5(%rbp),%eax
400ecc: 88 02 mov %al,(%rdx)
rbp_18h[rbp_04h] = rbp_05h;
400ece: 48 8b 05 2b 12 20 00 mov 0x20122b(%rip),%rax # 602100 <stdin>
400ed5: 48 89 c7 mov %rax,%rdi
400ed8: e8 f3 fc ff ff callq 400bd0 <_IO_getc@plt>
400edd: 88 45 fb mov %al,-0x5(%rbp)
rbp_05h = getc(stdin);
400ee0: 83 45 fc 01 addl $0x1,-0x4(%rbp)
// ->>
400ee4: 80 7d fb 0a cmpb $0xa,-0x5(%rbp)
400ee8: 75 d1 jne 400ebb <fflush@plt+0x25b>
}
400eea: 8b 45 fc mov -0x4(%rbp),%eax
400eed: 48 63 d0 movslq %eax,%rdx
400ef0: 48 8b 45 e8 mov -0x18(%rbp),%rax
400ef4: 48 01 d0 add %rdx,%rax
400ef7: c6 00 00 movb $0x0,(%rax)
rbp_18h[rbp_04h] = '\0';
400efa: 90 nop
400efb: c9 leaveq
400efc: c3 retq
}
void sub_400efd()
{
400efd: 55 push %rbp
400efe: 48 89 e5 mov %rsp,%rbp
400f01: 48 81 ec 20 10 00 00 sub $0x1020,%rsp
// Local variables.
int rbp_101ch;
char rbp_1010h[0x1000];
400f08: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
400f0f: 00 00
400f11: 48 89 45 f8 mov %rax,-0x8(%rbp)
400f15: 31 c0 xor %eax,%eax
400f17: 48 8d 85 f0 ef ff ff lea -0x1010(%rbp),%rax
400f1e: ba 00 10 00 00 mov $0x1000,%edx
400f23: be 00 00 00 00 mov $0x0,%esi
400f28: 48 89 c7 mov %rax,%rdi
400f2b: e8 b0 fb ff ff callq 400ae0 <memset@plt>
memset(rbp_1010h, '\0', 0x1000);
400f30: bf 50 16 40 00 mov $0x401650,%edi
400f35: b8 00 00 00 00 mov $0x0,%eax
400f3a: e8 91 fb ff ff callq 400ad0 <printf@plt>
printf("How many dounts you want? ");
400f3f: 48 8b 05 ca 11 20 00 mov 0x2011ca(%rip),%rax # 602110 <stdout>
400f46: 48 89 c7 mov %rax,%rdi
400f49: e8 12 fd ff ff callq 400c60 <fflush@plt>
fflush(stdout)
400f4e: 48 8b 15 ab 11 20 00 mov 0x2011ab(%rip),%rdx # 602100 <stdin>
400f55: 48 8d 85 f0 ef ff ff lea -0x1010(%rbp),%rax
400f5c: be 00 10 00 00 mov $0x1000,%esi
400f61: 48 89 c7 mov %rax,%rdi
400f64: e8 27 fc ff ff callq 400b90 <fgets@plt>
fgets(rbp_1010h, 0x1000, stdin);
400f69: 48 8d 95 e4 ef ff ff lea -0x101c(%rbp),%rdx
400f70: 48 8d 85 f0 ef ff ff lea -0x1010(%rbp),%rax
400f77: be 6b 16 40 00 mov $0x40166b,%esi
400f7c: 48 89 c7 mov %rax,%rdi
400f7f: b8 00 00 00 00 mov $0x0,%eax
400f84: e8 67 fc ff ff callq 400bf0 <sscanf@plt>
400f89: 83 f8 01 cmp $0x1,%eax
400f8c: 75 28 jne 400fb6 <fflush@plt+0x356>
400f8e: 8b 85 e4 ef ff ff mov -0x101c(%rbp),%eax
400f94: 48 98 cltq
400f96: 48 89 c7 mov %rax,%rdi
400f99: e8 b2 fb ff ff callq 400b50 <malloc@plt>
400f9e: 48 89 85 e8 ef ff ff mov %rax,-0x1018(%rbp)
400fa5: 48 83 bd e8 ef ff ff cmpq $0x0,-0x1018(%rbp)
400fac: 00
400fad: 74 07 je 400fb6 <fflush@plt+0x356>
400faf: b8 01 00 00 00 mov $0x1,%eax
400fb4: eb 05 jmp 400fbb <fflush@plt+0x35b>
400fb6: b8 00 00 00 00 mov $0x0,%eax
400fbb: 84 c0 test %al,%al
400fbd: 74 3e je 400ffd <fflush@plt+0x39d>
if(sscanf(rbp_1010h, "%d", &rbp_101ch) == 1 && (rbp_1018h = malloc(rbp_101ch)) != NULL ? 1: 0) {
400fbf: bf 6e 16 40 00 mov $0x40166e,%edi
400fc4: b8 00 00 00 00 mov $0x0,%eax
400fc9: e8 02 fb ff ff callq 400ad0 <printf@plt>
printf("Remark: ");
400fce: 48 8b 05 3b 11 20 00 mov 0x20113b(%rip),%rax # 602110 <stdout>
400fd5: 48 89 c7 mov %rax,%rdi
400fd8: e8 83 fc ff ff callq 400c60 <fflush@plt>
fflush(stdout);
400fdd: 48 8b 85 e8 ef ff ff mov -0x1018(%rbp),%rax
400fe4: 48 89 c7 mov %rax,%rdi
400fe7: e8 a8 fe ff ff callq 400e94 <fflush@plt+0x234>
sub_400e94(rbp_1018h);
400fec: 48 8b 85 e8 ef ff ff mov -0x1018(%rbp),%rax
400ff3: 48 89 c7 mov %rax,%rdi
400ff6: e8 c5 fb ff ff callq 400bc0 <free@plt>
free(rbp_1018h);
400ffb: eb 0a jmp 401007 <fflush@plt+0x3a7>
} else {
400ffd: bf 4c 15 40 00 mov $0x40154c,%edi
401002: e8 f9 fa ff ff callq 400b00 <puts@plt>
puts("[-] Error, GG.");
}
401007: 90 nop
401008: 48 8b 45 f8 mov -0x8(%rbp),%rax
40100c: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
401013: 00 00
401015: 74 05 je 40101c <fflush@plt+0x3bc>
401017: e8 04 fc ff ff callq 400c20 <__stack_chk_fail@plt>
40101c: c9 leaveq
40101d: c3 retq
}
void sub_40101e()
{
40101e: 55 push %rbp
40101f: 48 89 e5 mov %rsp,%rbp
401022: 48 81 ec 20 08 00 00 sub $0x820,%rsp
// Local variables.
rbp_820h;
rbp_810h;
401029: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
401030: 00 00
401032: 48 89 45 f8 mov %rax,-0x8(%rbp)
401036: 31 c0 xor %eax,%eax
401038: 48 8d 85 f0 f7 ff ff lea -0x810(%rbp),%rax
40103f: ba 00 08 00 00 mov $0x800,%edx
401044: be 00 00 00 00 mov $0x0,%esi
401049: 48 89 c7 mov %rax,%rdi
40104c: e8 8f fa ff ff callq 400ae0 <memset@plt>
memset(rbp_810h, '\0', 0x800);
401051: bf 78 16 40 00 mov $0x401678,%edi
401056: e8 a5 fa ff ff callq 400b00 <puts@plt>
puts("In case you need to synchronize your system time with server, we provide this.");
40105b: bf c8 16 40 00 mov $0x4016c8,%edi
401060: b8 00 00 00 00 mov $0x0,%eax
401065: e8 66 fa ff ff callq 400ad0 <printf@plt>
printf("Input your local system timestamp: ");
40106a: 48 8b 05 9f 10 20 00 mov 0x20109f(%rip),%rax # 602110 <stdout>
401071: 48 89 c7 mov %rax,%rdi
401074: e8 e7 fb ff ff callq 400c60 <fflush@plt>
fflush(stdout);
401079: 48 8b 15 80 10 20 00 mov 0x201080(%rip),%rdx # 602100 <stdin>
401080: 48 8d 85 f0 f7 ff ff lea -0x810(%rbp),%rax
401087: be 00 08 00 00 mov $0x800,%esi
40108c: 48 89 c7 mov %rax,%rdi
40108f: e8 fc fa ff ff callq 400b90 <fgets@plt>
fgets(rbp_810h, 0x800, stdin);
401094: 48 8d 95 e0 f7 ff ff lea -0x820(%rbp),%rdx
40109b: 48 8d 85 f0 f7 ff ff lea -0x810(%rbp),%rax
4010a2: be ec 16 40 00 mov $0x4016ec,%esi
4010a7: 48 89 c7 mov %rax,%rdi
4010aa: b8 00 00 00 00 mov $0x0,%eax
4010af: e8 3c fb ff ff callq 400bf0 <sscanf@plt>
4010b4: 83 f8 01 cmp $0x1,%eax
4010b7: 75 13 jne 4010cc <fflush@plt+0x46c>
4010b9: 48 8b 85 e0 f7 ff ff mov -0x820(%rbp),%rax
4010c0: 48 85 c0 test %rax,%rax
4010c3: 74 07 je 4010cc <fflush@plt+0x46c>
4010c5: b8 01 00 00 00 mov $0x1,%eax
4010ca: eb 05 jmp 4010d1 <fflush@plt+0x471>
4010cc: b8 00 00 00 00 mov $0x0,%eax
4010d1: 84 c0 test %al,%al
4010d3: 74 18 je 4010ed <fflush@plt+0x48d>
if(sscanf(rbp_810h, "%lu", &rbp_820h) == 1 && rbp_820h != 0? 1: 0) {
4010d5: 48 8d 85 e0 f7 ff ff lea -0x820(%rbp),%rax
4010dc: 48 89 c7 mov %rax,%rdi
4010df: e8 8c fa ff ff callq 400b70 <gmtime@plt>
4010e4: 48 89 85 e8 f7 ff ff mov %rax,-0x818(%rbp)
rbp_818h = gmtime(&rbp_820h);
4010eb: eb 38 jmp 401125 <fflush@plt+0x4c5>
} else {
4010ed: 48 8b 85 e0 f7 ff ff mov -0x820(%rbp),%rax
4010f4: 48 85 c0 test %rax,%rax
4010f7: 75 2c jne 401125 <fflush@plt+0x4c5>
if(rbp_820h == 0) {
4010f9: 48 8d 85 e0 f7 ff ff lea -0x820(%rbp),%rax
401100: 48 89 c7 mov %rax,%rdi
401103: e8 48 fb ff ff callq 400c50 <time@plt>
401108: 48 89 85 e0 f7 ff ff mov %rax,-0x820(%rbp)
rbp_820h = time(&rbp_820h);
40110f: 48 8d 85 e0 f7 ff ff lea -0x820(%rbp),%rax
401116: 48 89 c7 mov %rax,%rdi
401119: e8 52 fa ff ff callq 400b70 <gmtime@plt>
40111e: 48 89 85 e8 f7 ff ff mov %rax,-0x818(%rbp)
rbp_818h = gmtime(&rbp_820h);
}
}
401125: 48 8b 85 e8 f7 ff ff mov -0x818(%rbp),%rax
40112c: ba 0c 00 00 00 mov $0xc,%edx
401131: 48 89 c6 mov %rax,%rsi
401134: bf 00 00 00 00 mov $0x0,%edi
401139: e8 a2 fa ff ff callq 400be0 <crc32@plt>
40113e: 48 89 c6 mov %rax,%rsi
401141: bf f0 16 40 00 mov $0x4016f0,%edi
401146: b8 00 00 00 00 mov $0x0,%eax
40114b: e8 80 f9 ff ff callq 400ad0 <printf@plt>
printf("Response: 0x%08X\n", crc32(0, rbp_818h, 0xc));
401150: 48 8b 05 b9 0f 20 00 mov 0x200fb9(%rip),%rax # 602110 <stdout>
401157: 48 89 c7 mov %rax,%rdi
40115a: e8 01 fb ff ff callq 400c60 <fflush@plt>
fflush(stdout);
40115f: 90 nop
401160: 48 8b 45 f8 mov -0x8(%rbp),%rax
401164: 64 48 33 04 25 28 00 xor %fs:0x28,%rax
40116b: 00 00
40116d: 74 05 je 401174 <fflush@plt+0x514>
40116f: e8 ac fa ff ff callq 400c20 <__stack_chk_fail@plt>
401174: c9 leaveq
401175: c3 retq
}
void sub_401176()
{
401176: 55 push %rbp
401177: 48 89 e5 mov %rsp,%rbp
40117a: 48 8b 05 7f 0f 20 00 mov 0x200f7f(%rip),%rax # 602100 <stdin>
401181: b9 00 00 00 00 mov $0x0,%ecx
401186: ba 02 00 00 00 mov $0x2,%edx
40118b: be 00 00 00 00 mov $0x0,%esi
401190: 48 89 c7 mov %rax,%rdi
401193: e8 98 f9 ff ff callq 400b30 <setvbuf@plt>
setvbuf(stdin, NULL, _IONBF, 0);
401198: 48 8b 05 71 0f 20 00 mov 0x200f71(%rip),%rax # 602110 <stdout>
40119f: b9 00 00 00 00 mov $0x0,%ecx
4011a4: ba 02 00 00 00 mov $0x2,%edx
4011a9: be 00 00 00 00 mov $0x0,%esi
4011ae: 48 89 c7 mov %rax,%rdi
4011b1: e8 7a f9 ff ff callq 400b30 <setvbuf@plt>
setvbuf(stdout, NULL, _IONBF, 0);
4011b6: 5d pop %rbp
4011b7: c3 retq
}
int main(int argc, char *argv[])
{
4011b8: 55 push %rbp
4011b9: 48 89 e5 mov %rsp,%rbp
4011bc: 53 push %rbx
4011bd: 48 81 ec 48 09 00 00 sub $0x948,%rsp
// Local variables.
char **rbp_950h;
int rbp_944h;
sigset_t rbp_940h;
4011c4: 89 bd bc f6 ff ff mov %edi,-0x944(%rbp)
rbp_944h = argc;
4011ca: 48 89 b5 b0 f6 ff ff mov %rsi,-0x950(%rbp)
rbp_950h = argv;
4011d1: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
4011d8: 00 00
4011da: 48 89 45 e8 mov %rax,-0x18(%rbp)
4011de: 31 c0 xor %eax,%eax
4011e0: 48 8d 85 c0 f6 ff ff lea -0x940(%rbp),%rax
4011e7: 48 89 c7 mov %rax,%rdi
4011ea: e8 51 fa ff ff callq 400c40 <sigemptyset@plt>
4011ef: f7 d0 not %eax
4011f1: c1 e8 1f shr $0x1f,%eax
4011f4: 84 c0 test %al,%al
4011f6: 0f 84 3c 01 00 00 je 401338 <fflush@plt+0x6d8>
if((~sigemptyset(ebp_940h)) >> 0x1f) {
4011fc: 48 8d 85 c0 f6 ff ff lea -0x940(%rbp),%rax
401203: be 0b 00 00 00 mov $0xb,%esi
401208: 48 89 c7 mov %rax,%rdi
40120b: e8 00 fa ff ff callq 400c10 <sigaddset@plt>
sigaddset(ebp_940h, SIGSEGV);
401210: 48 8d b5 40 f7 ff ff lea -0x8c0(%rbp),%rsi
401217: b8 00 00 00 00 mov $0x0,%eax
40121c: ba 13 00 00 00 mov $0x13,%edx
401221: 48 89 f7 mov %rsi,%rdi
401224: 48 89 d1 mov %rdx,%rcx
401227: f3 48 ab rep stos %rax,%es:(%rdi)
memset(rbp_8c0h, '\0', 8*0x13);
40122a: 48 c7 85 40 f7 ff ff movq $0x400e65,-0x8c0(%rbp)
401231: 65 0e 40 00
rbp_8c0h.offset_00h = sub_400e65;
401235: c7 85 c8 f7 ff ff 04 movl $0x4,-0x838(%rbp)
40123c: 00 00 00
rbp_8c0h.offset_88h = 4;
40123f: 48 8b 85 c0 f6 ff ff mov -0x940(%rbp),%rax
401246: 48 89 85 48 f7 ff ff mov %rax,-0x8b8(%rbp)
rbp_8c0h.offset_08h = rbp_940h.offset_00h;
40124d: 48 8b 85 c8 f6 ff ff mov -0x938(%rbp),%rax
401254: 48 89 85 50 f7 ff ff mov %rax,-0x8b0(%rbp)
rbp_8c0h.offset_10h = rbp_940h.offset_08h;
40125b: 48 8b 85 d0 f6 ff ff mov -0x930(%rbp),%rax
401262: 48 89 85 58 f7 ff ff mov %rax,-0x8a8(%rbp)
rbp_8c0h.offset_18h = rbp_940h.offset_10h;
401269: 48 8b 85 d8 f6 ff ff mov -0x928(%rbp),%rax
401270: 48 89 85 60 f7 ff ff mov %rax,-0x8a0(%rbp)
rbp_8c0h.offset_20h = rbp_940h.offset_18h;
401277: 48 8b 85 e0 f6 ff ff mov -0x920(%rbp),%rax
40127e: 48 89 85 68 f7 ff ff mov %rax,-0x898(%rbp)
rbp_8c0h.offset_28h = rbp_940h.offset_20h;
401285: 48 8b 85 e8 f6 ff ff mov -0x918(%rbp),%rax
40128c: 48 89 85 70 f7 ff ff mov %rax,-0x890(%rbp)
rbp_8c0h.offset_30h = rbp_940h.offset_28h;
401293: 48 8b 85 f0 f6 ff ff mov -0x910(%rbp),%rax
40129a: 48 89 85 78 f7 ff ff mov %rax,-0x888(%rbp)
rbp_8c0h.offset_38h = rbp_940h.offset_30h;
4012a1: 48 8b 85 f8 f6 ff ff mov -0x908(%rbp),%rax
4012a8: 48 89 85 80 f7 ff ff mov %rax,-0x880(%rbp)
rbp_8c0h.offset_40h = rbp_940h.offset_38h;
4012af: 48 8b 85 00 f7 ff ff mov -0x900(%rbp),%rax
4012b6: 48 89 85 88 f7 ff ff mov %rax,-0x878(%rbp)
rbp_8c0h.offset_48h = rbp_940h.offset_40h;
4012bd: 48 8b 85 08 f7 ff ff mov -0x8f8(%rbp),%rax
4012c4: 48 89 85 90 f7 ff ff mov %rax,-0x870(%rbp)
rbp_8c0h.offset_50h = rbp_940h.offset_48h;
4012cb: 48 8b 85 10 f7 ff ff mov -0x8f0(%rbp),%rax
4012d2: 48 89 85 98 f7 ff ff mov %rax,-0x868(%rbp)
rbp_8c0h.offset_58h = rbp_940h.offset_50h;
4012d9: 48 8b 85 18 f7 ff ff mov -0x8e8(%rbp),%rax
4012e0: 48 89 85 a0 f7 ff ff mov %rax,-0x860(%rbp)
rbp_8c0h.offset_60h = rbp_940h.offset_58h;
4012e7: 48 8b 85 20 f7 ff ff mov -0x8e0(%rbp),%rax
4012ee: 48 89 85 a8 f7 ff ff mov %rax,-0x858(%rbp)
rbp_8c0h.offset_68h = rbp_940h.offset_60h;
4012f5: 48 8b 85 28 f7 ff ff mov -0x8d8(%rbp),%rax
4012fc: 48 89 85 b0 f7 ff ff mov %rax,-0x850(%rbp)
rbp_8c0h.offset_70h = rbp_940h.offset_68h;
401303: 48 8b 85 30 f7 ff ff mov -0x8d0(%rbp),%rax
40130a: 48 89 85 b8 f7 ff ff mov %rax,-0x848(%rbp)
rbp_8c0h.offset_78h = rbp_940h.offset_70h;
401311: 48 8b 85 38 f7 ff ff mov -0x8c8(%rbp),%rax
401318: 48 89 85 c0 f7 ff ff mov %rax,-0x840(%rbp)
rbp_8c0h.offset_80h = rbp_940h.offset_78h;
40131f: 48 8d 85 40 f7 ff ff lea -0x8c0(%rbp),%rax
401326: ba 00 00 00 00 mov $0x0,%edx
40132b: 48 89 c6 mov %rax,%rsi
40132e: bf 0b 00 00 00 mov $0xb,%edi
401333: e8 c8 f8 ff ff callq 400c00 <sigaction@plt>
sigaction(SIGSEGV, &rbp_8c0h, NULL);
}
401338: e8 18 fb ff ff callq 400e55 <fflush@plt+0x1f5>
sub_400e55(); // checked
40133d: e8 34 fe ff ff callq 401176 <fflush@plt+0x516>
sub_401176(); // checked
401342: 48 8d 85 e0 f7 ff ff lea -0x820(%rbp),%rax
401349: ba 00 08 00 00 mov $0x800,%edx
40134e: be 00 00 00 00 mov $0x0,%esi
401353: 48 89 c7 mov %rax,%rdi
401356: e8 85 f7 ff ff callq 400ae0 <memset@plt>
memset(rbp_820h, '\0', 0x800);
40135b: bf 08 17 40 00 mov $0x401708,%edi
401360: e8 9b f7 ff ff callq 400b00 <puts@plt>
puts("What CTF does QooBee like most?");
401365: bf 28 17 40 00 mov $0x401728,%edi
40136a: e8 91 f7 ff ff callq 400b00 <puts@plt>
puts(" 1. Defcon ?");
40136f: bf 36 17 40 00 mov $0x401736,%edi
401374: e8 87 f7 ff ff callq 400b00 <puts@plt>
puts(" 2. Plaid CTF ?");
401379: bf 46 17 40 00 mov $0x401746,%edi
40137e: e8 7d f7 ff ff callq 400b00 <puts@plt>
puts(" 3. Codegate ?");
while(true) {
401383: bf 56 17 40 00 mov $0x401756,%edi
401388: b8 00 00 00 00 mov $0x0,%eax
40138d: e8 3e f7 ff ff callq 400ad0 <printf@plt>
printf("# ");
401392: 48 8b 15 67 0d 20 00 mov 0x200d67(%rip),%rdx # 602100 <stdin>
401399: 48 8d 85 e0 f7 ff ff lea -0x820(%rbp),%rax
4013a0: be 00 05 00 00 mov $0x500,%esi
4013a5: 48 89 c7 mov %rax,%rdi
4013a8: e8 e3 f7 ff ff callq 400b90 <fgets@plt>
4013ad: 48 85 c0 test %rax,%rax
4013b0: 0f 94 c0 sete %al
4013b3: 84 c0 test %al,%al
4013b5: 74 07 je 4013be <fflush@plt+0x75e>
if(fgets(rbp_820h, 0x500, stdin) == 0? 1: 0) {
4013b7: b8 00 00 00 00 mov $0x0,%eax
4013bc: eb 6e jmp 40142c <fflush@plt+0x7cc>
return 0;
} else {
4013be: 48 8d 95 40 f7 ff ff lea -0x8c0(%rbp),%rdx
4013c5: 48 8d 85 e0 f7 ff ff lea -0x820(%rbp),%rax
4013cc: be 6b 16 40 00 mov $0x40166b,%esi
4013d1: 48 89 c7 mov %rax,%rdi
4013d4: b8 00 00 00 00 mov $0x0,%eax
4013d9: e8 12 f8 ff ff callq 400bf0 <sscanf@plt>
4013de: 83 f8 01 cmp $0x1,%eax
4013e1: 0f 95 c0 setne %al
4013e4: 84 c0 test %al,%al
4013e6: 74 02 je 4013ea <fflush@plt+0x78a>
if(sscanf(rbp_820h, "%d", &rbp_8c0h) != 1? 0: 1) {
4013e8: eb 99 jmp 401383 <fflush@plt+0x723>
continue;
}
4013ea: 8b 85 40 f7 ff ff mov -0x8c0(%rbp),%eax
4013f0: 83 f8 01 cmp $0x1,%eax
4013f3: 75 07 jne 4013fc <fflush@plt+0x79c>
switch(rbp_8c0h) {
case 1:
4013f5: e8 03 fb ff ff callq 400efd <fflush@plt+0x29d>
sub_400efd(); // checked
4013fa: eb 2b jmp 401427 <fflush@plt+0x7c7>
break;
4013fc: 8b 85 40 f7 ff ff mov -0x8c0(%rbp),%eax
401402: 83 f8 02 cmp $0x2,%eax
401405: 75 07 jne 40140e <fflush@plt+0x7ae>
case 2:
401407: e8 d5 f9 ff ff callq 400de1 <fflush@plt+0x181>
sub_400de1(); // checked
40140c: eb 19 jmp 401427 <fflush@plt+0x7c7>
break;
40140e: 8b 85 40 f7 ff ff mov -0x8c0(%rbp),%eax
401414: 83 f8 03 cmp $0x3,%eax
401417: 75 07 jne 401420 <fflush@plt+0x7c0>
case 3:
401419: e8 00 fc ff ff callq 40101e <fflush@plt+0x3be>
sub_40101e(); // checked
40141e: eb 07 jmp 401427 <fflush@plt+0x7c7>
break;
default:
401420: b8 00 00 00 00 mov $0x0,%eax
401425: eb 05 jmp 40142c <fflush@plt+0x7cc>
return 0;
401427: e9 57 ff ff ff jmpq 401383 <fflush@plt+0x723>
}
}
}
40142c: 48 8b 5d e8 mov -0x18(%rbp),%rbx
401430: 64 48 33 1c 25 28 00 xor %fs:0x28,%rbx
401437: 00 00
401439: 74 05 je 401440 <fflush@plt+0x7e0>
40143b: e8 e0 f7 ff ff callq 400c20 <__stack_chk_fail@plt>
401440: 48 81 c4 48 09 00 00 add $0x948,%rsp
401447: 5b pop %rbx
401448: 5d pop %rbp
401449: c3 retq
}
void sub_40144a(arg0, arg1)
{
40144a: 55 push %rbp
40144b: 48 89 e5 mov %rsp,%rbp
40144e: 48 83 ec 10 sub $0x10,%rsp
// Local variables.
rbp_08h;
rbp_04h;
401452: 89 7d fc mov %edi,-0x4(%rbp)
401455: 89 75 f8 mov %esi,-0x8(%rbp)
401458: 83 7d fc 01 cmpl $0x1,-0x4(%rbp)
40145c: 75 27 jne 401485 <fflush@plt+0x825>
40145e: 81 7d f8 ff ff 00 00 cmpl $0xffff,-0x8(%rbp)
401465: 75 1e jne 401485 <fflush@plt+0x825>
if(rbp_04h == 1 && rbp_08h == 0xffff) {
401467: bf 19 21 60 00 mov $0x602119,%edi
40146c: e8 cf f6 ff ff callq 400b40 <std::ios_base::Init::Init()@plt>
std::ios_base::Init::Init(bss_602119);
401471: ba f0 20 60 00 mov $0x6020f0,%edx
401476: be 19 21 60 00 mov $0x602119,%esi
40147b: bf a0 0b 40 00 mov $0x400ba0,%edi
401480: e8 fb f6 ff ff callq 400b80 <__cxa_atexit@plt>
atexit(std::ios_base::Init::~Init, bss_602119, bss_6020f0);
}
401485: c9 leaveq
401486: c3 retq
}
void sub_401487()
{
401487: 55 push %rbp
401488: 48 89 e5 mov %rsp,%rbp
40148b: be ff ff 00 00 mov $0xffff,%esi
401490: bf 01 00 00 00 mov $0x1,%edi
401495: e8 b0 ff ff ff callq 40144a <fflush@plt+0x7ea>
sub_40144a(1, 0xffff);
40149a: 5d pop %rbp
40149b: c3 retq
40149c: 0f 1f 40 00 nopl 0x0(%rax)
}
4014a0: 41 57 push %r15
4014a2: 41 89 ff mov %edi,%r15d
4014a5: 41 56 push %r14
4014a7: 49 89 f6 mov %rsi,%r14
4014aa: 41 55 push %r13
4014ac: 49 89 d5 mov %rdx,%r13
4014af: 41 54 push %r12
4014b1: 4c 8d 25 30 09 20 00 lea 0x200930(%rip),%r12 # 601de8 <fflush@plt+0x201188>
4014b8: 55 push %rbp
4014b9: 48 8d 2d 38 09 20 00 lea 0x200938(%rip),%rbp # 601df8 <fflush@plt+0x201198>
4014c0: 53 push %rbx
4014c1: 4c 29 e5 sub %r12,%rbp
4014c4: 31 db xor %ebx,%ebx
4014c6: 48 c1 fd 03 sar $0x3,%rbp
4014ca: 48 83 ec 08 sub $0x8,%rsp
4014ce: e8 cd f5 ff ff callq 400aa0 <printf@plt-0x30>
4014d3: 48 85 ed test %rbp,%rbp
4014d6: 74 1e je 4014f6 <fflush@plt+0x896>
4014d8: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
4014df: 00
4014e0: 4c 89 ea mov %r13,%rdx
4014e3: 4c 89 f6 mov %r14,%rsi
4014e6: 44 89 ff mov %r15d,%edi
4014e9: 41 ff 14 dc callq *(%r12,%rbx,8)
4014ed: 48 83 c3 01 add $0x1,%rbx
4014f1: 48 39 eb cmp %rbp,%rbx
4014f4: 75 ea jne 4014e0 <fflush@plt+0x880>
4014f6: 48 83 c4 08 add $0x8,%rsp
4014fa: 5b pop %rbx
4014fb: 5d pop %rbp
4014fc: 41 5c pop %r12
4014fe: 41 5d pop %r13
401500: 41 5e pop %r14
401502: 41 5f pop %r15
401504: c3 retq
401505: 66 66 2e 0f 1f 84 00 data32 nopw %cs:0x0(%rax,%rax,1)
40150c: 00 00 00 00
401510: f3 c3 repz retq
Disassembly of section .fini:
0000000000401514 <.fini>:
401514: 48 83 ec 08 sub $0x8,%rsp
401518: 48 83 c4 08 add $0x8,%rsp
40151c: c3 retq