Created
September 23, 2019 16:03
rms-fixed, make_request, from DragonCTF 2019
/*
 * make_request -- Hex-Rays pseudo-C of the HTTP fetch routine, tidied for
 * reading: locals renamed, errno temporaries inlined, nested else-branches
 * flattened into early returns. Behaviour is the same as the raw listing.
 *
 * Opens a socket for the address family of a1, connects, sends
 *   GET <a4> HTTP/1.1\r\n
 *   Host: <a3>\r\n
 *   Accept-Encoding: text/plain\r\n
 *   Connection: close\r\n\r\n
 * and then reads the reply until recv() returns 0.
 *
 * a1, a2  destination address and its length, handed to connect() unchanged
 * a3      string sent after "Host: "
 * a4      string sent between "GET " and " HTTP/1.1"
 * a5      out: on success, a heap buffer holding the NUL-terminated reply
 *         (ownership leaves this function); on failure, the strerror()
 *         string for the error, which must not be freed
 * a6      out: number of reply bytes stored, terminator not counted;
 *         not written on the failure paths that precede the receive loop
 *
 * Returns 1 on success and 0 on failure, so the caller has to look at the
 * return value before deciding how to treat *a5.
 *
 * Review notes (grounded in this listing only):
 *  - a3 and a4 go onto the wire unmodified. Nothing here rejects CR, LF or
 *    spaces, so the request stays well-formed only if the caller validates
 *    both strings (the caller is not shown).
 *  - fd is never passed to close() in this function and is not handed back
 *    to the caller, so each call leaves a descriptor open.
 *  - Both setsockopt() calls run before fd is checked and their results are
 *    dropped; when socket() fails, the errno that gets reported is whatever
 *    those two calls left behind.
 *  - On the recv() failure path errno is read after free().
 *  - Reply growth is capped at 0x300000 bytes by calling abort(), so an
 *    oversized reply ends the whole process instead of failing one request.
 */
signed __int64 __fastcall make_request(const struct sockaddr *a1, socklen_t a2, char *a3, char *a4, void **a5, _QWORD *a6)
{
  char *host = a3;
  char *path = a4;
  void **rbuf = a5;                  // name taken from the assert string "*rbuf"
  _QWORD *rlen = a6;
  unsigned int fd;                   // [rsp+3Ch] [rbp-64h]
  signed __int64 capacity;           // [rsp+40h] [rbp-60h]
  ssize_t got;                       // [rsp+48h] [rbp-58h]
  __int64 timeout_sec;               // [rsp+50h] [rbp-50h]
  __int64 timeout_usec;              // [rsp+58h] [rbp-48h]
  __int64 hdr0;                      // [rsp+60h] [rbp-40h]
  __int64 hdr1;                      // [rsp+68h] [rbp-38h]
  __int64 hdr2;                      // [rsp+70h] [rbp-30h]
  __int64 hdr3;                      // [rsp+78h] [rbp-28h]
  __int64 hdr4;                      // [rsp+80h] [rbp-20h]
  __int64 hdr5;                      // [rsp+88h] [rbp-18h]
  __int16 hdr_tail;                  // [rsp+90h] [rbp-10h]
  char hdr_nul;                      // [rsp+92h] [rbp-Eh]
  unsigned __int64 canary;           // [rsp+98h] [rbp-8h]

  canary = __readfsqword(0x28u);     // stack-protector cookie load

  fd = socket(a1->sa_family, 1, 0);  // type 1 is SOCK_STREAM on Linux

  // The two adjacent 8-byte slots are passed as one 0x10-byte option value,
  // i.e. a struct timeval of 10 s / 0 us. Level 1 is SOL_SOCKET; 21 and 20
  // are SO_SNDTIMEO and SO_RCVTIMEO (Linux values).
  timeout_sec = 10LL;
  timeout_usec = 0LL;
  setsockopt(fd, 1, 21, &timeout_sec, 0x10u);
  setsockopt(fd, 1, 20, &timeout_sec, 0x10u);

  // Sign-bit test on the unsigned copy: true when socket() returned -1.
  if ( (fd & 0x80000000) != 0 )
  {
    *rbuf = strerror(*__errno_location());
    return 0LL;
  }

  if ( connect(fd, a1, a2) )
  {
    *rbuf = strerror(*__errno_location());
    return 0LL;
  }

  // sendall() is defined elsewhere; "^ 1" inverts its result, so it appears
  // to return 1 on success. 0x8000 equals MSG_MORE on Linux, presumably
  // passed through as send() flags -- confirm against sendall().
  // Request line: path is written exactly as received.
  if ( sendall(fd, "GET ", 4LL, 0x8000LL) ^ 1
    || sendall(fd, path, strlen(path), 0x8000LL) ^ 1
    || sendall(fd, " HTTP/1.1\r\n", 11LL, 0x8000LL) ^ 1 )
  {
    *rbuf = strerror(*__errno_location());
    return 0LL;
  }

  // Host header: host is written exactly as received.
  if ( sendall(fd, "Host: ", 6LL, 0x8000LL) ^ 1
    || sendall(fd, host, strlen(host), 0x8000LL) ^ 1
    || sendall(fd, "\r\n", 2LL, 0x8000LL) ^ 1 )
  {
    *rbuf = strerror(*__errno_location());
    return 0LL;
  }

  // Fixed trailer built on the stack as little-endian 8-byte words. Read in
  // memory order the 50 bytes are
  //   "Accept-Encoding: text/plain\r\nConnection: close\r\n\r\n"
  hdr0 = 'E-tpeccA';
  hdr1 = ':gnidocn';
  hdr2 = 'lp/txet ';
  hdr3 = 'noC\n\rnia';
  hdr4 = ':noitcen';
  hdr5 = '\n\resolc ';
  hdr_tail = '\n\r';
  hdr_nul = 0;
  if ( sendall(fd, &hdr0, 50LL, 0LL) ^ 1 )
  {
    *rbuf = strerror(*__errno_location());
    return 0LL;
  }

  // Receive loop: start with 2048 bytes and add 1024 whenever fewer than
  // 1024 bytes of room remain, so the terminator below always has space.
  *rbuf = malloc(0x800uLL);
  capacity = 2048LL;
  *rlen = 0LL;
  for ( ;; )
  {
    // Covers both the malloc above and the realloc of the previous pass.
    if ( !*rbuf )
      __assert_fail("*rbuf", "task/main.c", 0x50u, "make_request");

    got = recv(fd, *rbuf + *rlen, capacity - *rlen, 0);
    if ( got < 0 )
    {
      free(*rbuf);
      *rbuf = strerror(*__errno_location());  // errno is read after free()
      return 0LL;
    }

    *rlen += got;
    if ( (capacity - *rlen) <= 0x3FF )
    {
      // Hard ceiling on the buffer size; exceeding it kills the process.
      if ( (capacity + 1024) > 0x300000 )
      {
        puts("memory limit exceeded");
        abort();
      }
      *rbuf = realloc(*rbuf, capacity + 1024);
      capacity += 1024LL;
    }

    if ( !got )                      // recv() returned 0: stop reading
      break;
  }

  *(*rbuf + *rlen) = 0;              // NUL-terminate the reply
  return 1LL;
}