Skip to content

Instantly share code, notes, and snippets.

@mrexcessive

mrexcessive/gist:16a335320fdb057bf542

Created December 6, 2015 13:49
Show Gist options
  • Save mrexcessive/16a335320fdb057bf542 to your computer and use it in GitHub Desktop.
Save mrexcessive/16a335320fdb057bf542 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
treewalker: file format elf64-x86-64
Disassembly of section .init:
00000000004006d8 <_init>:
4006d8: 48 83 ec 08 sub $0x8,%rsp
4006dc: 48 8b 05 05 0b 20 00 mov 0x200b05(%rip),%rax # 6011e8 <_DYNAMIC+0x1d0>
4006e3: 48 85 c0 test %rax,%rax
4006e6: 74 05 je 4006ed <_init+0x15>
4006e8: e8 93 00 00 00 callq 400780 <__gmon_start__@plt>
4006ed: 48 83 c4 08 add $0x8,%rsp
4006f1: c3 retq
Disassembly of section .plt:
0000000000400700 <fread@plt-0x10>:
400700: ff 35 f2 0a 20 00 pushq 0x200af2(%rip) # 6011f8 <_GLOBAL_OFFSET_TABLE_+0x8>
400706: ff 25 f4 0a 20 00 jmpq *0x200af4(%rip) # 601200 <_GLOBAL_OFFSET_TABLE_+0x10>
40070c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000400710 <fread@plt>:
400710: ff 25 f2 0a 20 00 jmpq *0x200af2(%rip) # 601208 <_GLOBAL_OFFSET_TABLE_+0x18>
400716: 68 00 00 00 00 pushq $0x0
40071b: e9 e0 ff ff ff jmpq 400700 <_init+0x28>
0000000000400720 <strlen@plt>:
400720: ff 25 ea 0a 20 00 jmpq *0x200aea(%rip) # 601210 <_GLOBAL_OFFSET_TABLE_+0x20>
400726: 68 01 00 00 00 pushq $0x1
40072b: e9 d0 ff ff ff jmpq 400700 <_init+0x28>
0000000000400730 <setbuf@plt>:
400730: ff 25 e2 0a 20 00 jmpq *0x200ae2(%rip) # 601218 <_GLOBAL_OFFSET_TABLE_+0x28>
400736: 68 02 00 00 00 pushq $0x2
40073b: e9 c0 ff ff ff jmpq 400700 <_init+0x28>
0000000000400740 <close@plt>:
400740: ff 25 da 0a 20 00 jmpq *0x200ada(%rip) # 601220 <_GLOBAL_OFFSET_TABLE_+0x30>
400746: 68 03 00 00 00 pushq $0x3
40074b: e9 b0 ff ff ff jmpq 400700 <_init+0x28>
0000000000400750 <read@plt>:
400750: ff 25 d2 0a 20 00 jmpq *0x200ad2(%rip) # 601228 <_GLOBAL_OFFSET_TABLE_+0x38>
400756: 68 04 00 00 00 pushq $0x4
40075b: e9 a0 ff ff ff jmpq 400700 <_init+0x28>
0000000000400760 <__libc_start_main@plt>:
400760: ff 25 ca 0a 20 00 jmpq *0x200aca(%rip) # 601230 <_GLOBAL_OFFSET_TABLE_+0x40>
400766: 68 05 00 00 00 pushq $0x5
40076b: e9 90 ff ff ff jmpq 400700 <_init+0x28>
0000000000400770 <calloc@plt>:
400770: ff 25 c2 0a 20 00 jmpq *0x200ac2(%rip) # 601238 <_GLOBAL_OFFSET_TABLE_+0x48>
400776: 68 06 00 00 00 pushq $0x6
40077b: e9 80 ff ff ff jmpq 400700 <_init+0x28>
0000000000400780 <__gmon_start__@plt>:
400780: ff 25 ba 0a 20 00 jmpq *0x200aba(%rip) # 601240 <_GLOBAL_OFFSET_TABLE_+0x50>
400786: 68 07 00 00 00 pushq $0x7
40078b: e9 70 ff ff ff jmpq 400700 <_init+0x28>
0000000000400790 <__printf_chk@plt>:
400790: ff 25 b2 0a 20 00 jmpq *0x200ab2(%rip) # 601248 <_GLOBAL_OFFSET_TABLE_+0x58>
400796: 68 08 00 00 00 pushq $0x8
40079b: e9 60 ff ff ff jmpq 400700 <_init+0x28>
00000000004007a0 <__fread_chk@plt>:
4007a0: ff 25 aa 0a 20 00 jmpq *0x200aaa(%rip) # 601250 <_GLOBAL_OFFSET_TABLE_+0x60>
4007a6: 68 09 00 00 00 pushq $0x9
4007ab: e9 50 ff ff ff jmpq 400700 <_init+0x28>
00000000004007b0 <open@plt>:
4007b0: ff 25 a2 0a 20 00 jmpq *0x200aa2(%rip) # 601258 <_GLOBAL_OFFSET_TABLE_+0x68>
4007b6: 68 0a 00 00 00 pushq $0xa
4007bb: e9 40 ff ff ff jmpq 400700 <_init+0x28>
00000000004007c0 <exit@plt>:
4007c0: ff 25 9a 0a 20 00 jmpq *0x200a9a(%rip) # 601260 <_GLOBAL_OFFSET_TABLE_+0x70>
4007c6: 68 0b 00 00 00 pushq $0xb
4007cb: e9 30 ff ff ff jmpq 400700 <_init+0x28>
00000000004007d0 <__fprintf_chk@plt>:
4007d0: ff 25 92 0a 20 00 jmpq *0x200a92(%rip) # 601268 <_GLOBAL_OFFSET_TABLE_+0x78>
4007d6: 68 0c 00 00 00 pushq $0xc
4007db: e9 20 ff ff ff jmpq 400700 <_init+0x28>
Disassembly of section .text:
00000000004007e0 <main>:
4007e0: 53 push %rbx
4007e1: 31 f6 xor %esi,%esi
4007e3: 48 81 ec 50 10 00 00 sub $0x1050,%rsp # space on stack for 0x1050...
4007ea: 48 8b 3d 97 0a 20 00 mov 0x200a97(%rip),%rdi # 601288 <stdin@@GLIBC_2.2.5>
4007f1: 48 8d 5c 24 10 lea 0x10(%rsp),%rbx space made + 0x10 -> ebx = big space
4007f6: e8 35 ff ff ff callq 400730 <setbuf@plt>
4007fb: 48 8b 3d 7e 0a 20 00 mov 0x200a7e(%rip),%rdi # 601280 <__TMC_END__>
400802: 31 f6 xor %esi,%esi
400804: e8 27 ff ff ff callq 400730 <setbuf@plt>
400809: 48 8b 3d 80 0a 20 00 mov 0x200a80(%rip),%rdi # 601290 <stderr@@GLIBC_2.2.5>
400810: 31 f6 xor %esi,%esi
400812: e8 19 ff ff ff callq 400730 <setbuf@plt> # presuming these things are removing buffering from stdin and stdout and stderr
400817: 31 c0 xor %eax,%eax
400819: b9 08 00 00 00 mov $0x8,%ecx
40081e: 48 89 df mov %rbx,%rdi address of big space == rbx -> rdi
400821: f3 48 ab rep stos %rax,%es:(%rdi) zero 8x QWord
400824: 48 89 de mov %rbx,%rsi rsi is buffer to store flag.txt contents
400827: bf 3f 00 00 00 mov $0x3f,%edi rdi is #bytes to read = 0x3f
40082c: e8 bf 02 00 00 callq 400af0 <read_flag> read_flag()
400831: 48 89 df mov %rbx,%rdi set rdi back to start of 8x QWord
400834: e8 07 02 00 00 callq 400a40 <construct_tree>
400839: be 49 0c 40 00 mov $0x400c49,%esi "%016llx\n"
40083e: 48 89 c2 mov %rax,%rdx
400841: bf 01 00 00 00 mov $0x1,%edi
400846: 31 c0 xor %eax,%eax
400848: e8 43 ff ff ff callq 400790 <__printf_chk@plt> printf_chk("%016llx\n",%rdx = %rax from construct_tree()
40084d: 48 b8 cc cc cc cc cc movabs $0xcccccccccccccccc,%rax # blat to 0xcc all the space where the flag was
400854: cc cc cc
400857: 48 89 44 24 10 mov %rax,0x10(%rsp)
40085c: 48 89 44 24 18 mov %rax,0x18(%rsp)
400861: 48 89 44 24 20 mov %rax,0x20(%rsp)
400866: 48 89 44 24 28 mov %rax,0x28(%rsp)
40086b: 48 89 44 24 30 mov %rax,0x30(%rsp)
400870: 48 89 44 24 38 mov %rax,0x38(%rsp)
400875: 48 89 44 24 40 mov %rax,0x40(%rsp)
40087a: 48 89 44 24 48 mov %rax,0x48(%rsp)
40087f: eb 3e jmp 4008bf <main+0xdf> --> while_
(align)
400881: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
do_:
400888: 4c 8b 05 f9 09 20 00 mov 0x2009f9(%rip),%r8 # 601288 <stdin@@GLIBC_2.2.5>
40088f: 48 8d 7c 24 50 lea 0x50(%rsp),%rdi
400894: ba 01 00 00 00 mov $0x1,%edx
400899: be 00 10 00 00 mov $0x1000,%esi
40089e: e8 fd fe ff ff callq 4007a0 <__fread_chk@plt> Read 0x1000 chars to esp_x50
4008a3: 48 39 44 24 08 cmp %rax,0x8(%rsp) # bytes read == number we were told with first 8 bytes
4008a8: 0f 85 81 00 00 00 jne 40092f <main+0x14f> Nope... -> ErrorWrongNumberBytes
4008ae: 48 8d 74 24 50 lea 0x50(%rsp),%rsi Point to the buffer
4008b3: bf 01 00 00 00 mov $0x1,%edi
4008b8: 31 c0 xor %eax,%eax
4008ba: e8 d1 fe ff ff callq 400790 <__printf_chk@plt> printf(buffer) Printf vuln
while_:
4008bf: 48 8b 0d c2 09 20 00 mov 0x2009c2(%rip),%rcx # 601288 <stdin@@GLIBC_2.2.5>
4008c6: 48 8d 7c 24 08 lea 0x8(%rsp),%rdi rsp_8 is input buffer
4008cb: ba 01 00 00 00 mov $0x1,%edx 1x
4008d0: be 08 00 00 00 mov $0x8,%esi 8 bytes
4008d5: e8 36 fe ff ff callq 400710 <fread@plt> fread()
4008da: 48 83 f8 01 cmp $0x1,%rax # eof or other problem if not exactly 8 bytes
4008de: 75 1e jne 4008fe <main+0x11e> NOT exactly 8 bytes read --> BadInput
4008e0: 48 8b 4c 24 08 mov 0x8(%rsp),%rcx read input as binary value to rcx
4008e5: 48 81 f9 00 10 00 00 cmp $0x1000,%rcx # == 0x1000
4008ec: 77 10 ja 4008fe <main+0x11e> > 0x1000 --> BadInput
4008ee: 48 85 c9 test %rcx,%rcx 0 ?
4008f1: 75 95 jne 400888 <main+0xa8> No ^^^do_ Now read the data^^^
4008f3: 48 81 c4 50 10 00 00 add $0x1050,%rsp if 0 then stop...
4008fa: 31 c0 xor %eax,%eax
4008fc: 5b pop %rbx
4008fd: c3 retq
BadInput:
4008fe: 41 b9 52 0c 40 00 mov $0x400c52,%r9d "Invalid input"
400904: 41 b8 4d 00 00 00 mov $0x4d,%r8d # line 77
ReportError:
40090a: 48 8b 3d 7f 09 20 00 mov 0x20097f(%rip),%rdi # 601290 <stderr@@GLIBC_2.2.5>
400911: b9 30 0c 40 00 mov $0x400c30,%ecx "vulnserver.c"
400916: ba 3d 0c 40 00 mov $0x400c3d,%edx "%s(%d): %s\n"
40091b: be 01 00 00 00 mov $0x1,%esi
400920: 31 c0 xor %eax,%eax
400922: e8 a9 fe ff ff callq 4007d0 <__fprintf_chk@plt> Report error fprintf()
400927: 83 cf ff or $0xffffffff,%edi
40092a: e8 91 fe ff ff callq 4007c0 <exit@plt> exit(-1)
ErrorWrongNumberBytes:
40092f: 41 b9 52 0c 40 00 mov $0x400c52,%r9d "Invalid input"
400935: 41 b8 55 00 00 00 mov $0x55,%r8d # line 85
40093b: eb cd jmp 40090a <main+0x12a> ^^^ReportError
000000000040093d <_start>:
40093d: 31 ed xor %ebp,%ebp
40093f: 49 89 d1 mov %rdx,%r9
400942: 5e pop %rsi
400943: 48 89 e2 mov %rsp,%rdx
400946: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
40094a: 50 push %rax
40094b: 54 push %rsp
40094c: 49 c7 c0 10 0c 40 00 mov $0x400c10,%r8
400953: 48 c7 c1 a0 0b 40 00 mov $0x400ba0,%rcx
40095a: 48 c7 c7 e0 07 40 00 mov $0x4007e0,%rdi &main
400961: e8 fa fd ff ff callq 400760 <__libc_start_main@plt> go!
400966: f4 hlt
400967: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
40096e: 00 00
0000000000400970 <deregister_tm_clones>:
400970: b8 87 12 60 00 mov $0x601287,%eax
400975: 55 push %rbp
400976: 48 2d 80 12 60 00 sub $0x601280,%rax
40097c: 48 83 f8 0e cmp $0xe,%rax
400980: 48 89 e5 mov %rsp,%rbp
400983: 76 1b jbe 4009a0 <deregister_tm_clones+0x30>
400985: b8 00 00 00 00 mov $0x0,%eax
40098a: 48 85 c0 test %rax,%rax
40098d: 74 11 je 4009a0 <deregister_tm_clones+0x30>
40098f: 5d pop %rbp
400990: bf 80 12 60 00 mov $0x601280,%edi
400995: ff e0 jmpq *%rax
400997: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
40099e: 00 00
4009a0: 5d pop %rbp
4009a1: c3 retq
4009a2: 66 66 66 66 66 2e 0f data32 data32 data32 data32 nopw %cs:0x0(%rax,%rax,1)
4009a9: 1f 84 00 00 00 00 00
00000000004009b0 <register_tm_clones>:
4009b0: be 80 12 60 00 mov $0x601280,%esi
4009b5: 55 push %rbp
4009b6: 48 81 ee 80 12 60 00 sub $0x601280,%rsi
4009bd: 48 c1 fe 03 sar $0x3,%rsi
4009c1: 48 89 e5 mov %rsp,%rbp
4009c4: 48 89 f0 mov %rsi,%rax
4009c7: 48 c1 e8 3f shr $0x3f,%rax
4009cb: 48 01 c6 add %rax,%rsi
4009ce: 48 d1 fe sar %rsi
4009d1: 74 15 je 4009e8 <register_tm_clones+0x38>
4009d3: b8 00 00 00 00 mov $0x0,%eax
4009d8: 48 85 c0 test %rax,%rax
4009db: 74 0b je 4009e8 <register_tm_clones+0x38>
4009dd: 5d pop %rbp
4009de: bf 80 12 60 00 mov $0x601280,%edi
4009e3: ff e0 jmpq *%rax
4009e5: 0f 1f 00 nopl (%rax)
4009e8: 5d pop %rbp
4009e9: c3 retq
4009ea: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
00000000004009f0 <__do_global_dtors_aux>:
4009f0: 80 3d a1 08 20 00 00 cmpb $0x0,0x2008a1(%rip) # 601298 <completed.6661>
4009f7: 75 11 jne 400a0a <__do_global_dtors_aux+0x1a>
4009f9: 55 push %rbp
4009fa: 48 89 e5 mov %rsp,%rbp
4009fd: e8 6e ff ff ff callq 400970 <deregister_tm_clones>
400a02: 5d pop %rbp
400a03: c6 05 8e 08 20 00 01 movb $0x1,0x20088e(%rip) # 601298 <completed.6661>
400a0a: f3 c3 repz retq
400a0c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000400a10 <frame_dummy>:
400a10: bf 10 10 60 00 mov $0x601010,%edi
400a15: 48 83 3f 00 cmpq $0x0,(%rdi)
400a19: 75 05 jne 400a20 <frame_dummy+0x10>
400a1b: eb 93 jmp 4009b0 <register_tm_clones>
400a1d: 0f 1f 00 nopl (%rax)
400a20: b8 00 00 00 00 mov $0x0,%eax
400a25: 48 85 c0 test %rax,%rax
400a28: 74 f1 je 400a1b <frame_dummy+0xb>
400a2a: 55 push %rbp
400a2b: 48 89 e5 mov %rsp,%rbp
400a2e: ff d0 callq *%rax
400a30: 5d pop %rbp
400a31: e9 7a ff ff ff jmpq 4009b0 <register_tm_clones>
400a36: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
400a3d: 00 00 00
0000000000400a40 <construct_tree>: # rdi points to flag.txt contents
400a40: 41 57 push %r15
400a42: 41 56 push %r14
400a44: be 18 00 00 00 mov $0x18,%esi Allocate 0x18 bytes
400a49: 41 55 push %r13
400a4b: 41 54 push %r12
400a4d: 49 89 fe mov %rdi,%r14 now r14 --> flag.txt contents
400a50: 55 push %rbp
400a51: 53 push %rbx
400a52: bf 01 00 00 00 mov $0x1,%edi
400a57: 45 31 ed xor %r13d,%r13d r13 = 0
400a5a: 48 83 ec 08 sub $0x8,%rsp
400a5e: e8 0d fd ff ff callq 400770 <calloc@plt> calloc() 0x18 bytes
400a63: 4c 89 f7 mov %r14,%rdi ptr -> flag.txt -> rdi
400a66: 49 89 c7 mov %rax,%r15 alloc'd space -> r15
400a69: 48 89 c5 mov %rax,%rbp alloc'd space -> rbp (for strlen)
400a6c: e8 af fc ff ff callq 400720 <strlen@plt> get strlen (rdi)
400a71: 49 39 c5 cmp %rax,%r13 strlen = r13
400a74: 73 62 jae 400ad8 <construct_tree+0x98> rax >= r13 --> FinishedTreeBuilding
(align) 400a76: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
400a7d: 00 00 00
Outer_While_:
400a80: 47 0f b6 24 2e movzbl (%r14,%r13,1),%r12d Get the r13th byte of flag.txt contents -> r12
400a85: bb 07 00 00 00 mov $0x7,%ebx 7 -> ebx (bit counter... ?
400a8a: eb 13 jmp 400a9f <construct_tree+0x5f> --> Inner_While_
(align) 400a8c: 0f 1f 40 00 nopl 0x0(%rax)
400a90: 83 eb 01 sub $0x1,%ebx
400a93: 48 89 45 08 mov %rax,0x8(%rbp)
400a97: 48 89 c5 mov %rax,%rbp
400a9a: 83 fb ff cmp $0xffffffff,%ebx reach bit -1 ?
400a9d: 74 28 je 400ac7 <construct_tree+0x87> Yes -> GoNextByte
Inner_While_:
400a9f: c6 45 00 49 movb $0x49,0x0(%rbp) Store 0x49 "I"
400aa3: be 18 00 00 00 mov $0x18,%esi
400aa8: bf 01 00 00 00 mov $0x1,%edi Allocate 0x18 bytes again
400aad: e8 be fc ff ff callq 400770 <calloc@plt> calloc()
400ab2: 41 0f a3 dc bt %ebx,%r12d Test bit $ebx of r12 (flag byte)
400ab6: 72 d8 jb 400a90 <construct_tree+0x50> Write a 0x49 for a zero bit ?
400ab8: 83 eb 01 sub $0x1,%ebx
400abb: 48 89 45 10 mov %rax,0x10(%rbp)
400abf: 48 89 c5 mov %rax,%rbp
400ac2: 83 fb ff cmp $0xffffffff,%ebx reach bit -1 ?
400ac5: 75 d8 jne 400a9f <construct_tree+0x5f> NO ^^^ Inner_While_
GoNextByte:
400ac7: 49 83 c5 01 add $0x1,%r13 incr. index to flag.txt data
400acb: 4c 89 f7 mov %r14,%rdi
400ace: e8 4d fc ff ff callq 400720 <strlen@plt> get length again
400ad3: 49 39 c5 cmp %rax,%r13 did we finish ?
400ad6: 72 a8 jb 400a80 <construct_tree+0x40> NO, ^^^ Outer_While_
FinishedTreeBuilding:
400ad8: c6 45 00 4c movb $0x4c,0x0(%rbp) # store a 0x4c "O" at the end
400adc: 48 83 c4 08 add $0x8,%rsp
400ae0: 4c 89 f8 mov %r15,%rax
400ae3: 5b pop %rbx
400ae4: 5d pop %rbp
400ae5: 41 5c pop %r12
400ae7: 41 5d pop %r13
400ae9: 41 5e pop %r14
400aeb: 41 5f pop %r15
400aed: c3 retq
(align)
400aee: 66 90 xchg %ax,%ax
0000000000400af0 <read_flag>: %rsi is buffer where we put flag, %rdi is bytes to read
400af0: 41 54 push %r12
400af2: 55 push %rbp
400af3: 31 c0 xor %eax,%eax
400af5: 53 push %rbx
400af6: 48 89 f5 mov %rsi,%rbp %rsi -> rbp
400af9: 48 89 fb mov %rdi,%rbx
400afc: 31 f6 xor %esi,%esi
400afe: bf 27 0c 40 00 mov $0x400c27,%edi "flag.txt"
400b03: 48 83 ec 10 sub $0x10,%rsp make space on stack for 0x10 bytes
400b07: e8 a4 fc ff ff callq 4007b0 <open@plt> open()
400b0c: 85 c0 test %eax,%eax handle ?
400b0e: 41 89 c4 mov %eax,%r12d handle -> %r12
400b11: 78 4f js 400b62 <read_flag+0x72> FAIL --> ReportError
400b13: 48 85 db test %rbx,%rbx More bytes to read (rbx != 0) ?
400b16: 75 1f jne 400b37 <read_flag+0x47> No --> MoreBytesToRead
400b18: eb 35 jmp 400b4f <read_flag+0x5f> Yes --> read_flag_Finished
(align)
400b1a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
ProcessFlag:
400b20: 0f b6 54 24 0f movzbl 0xf(%rsp),%edx byte read --zero extend--> edx
400b25: 80 fa 0a cmp $0xa,%dl was it \n ?
400b28: 74 25 je 400b4f <read_flag+0x5f> Yes --> read_flag_Finished
400b2a: 48 83 c5 01 add $0x1,%rbp No. So incr. flag buffer write pointer (rbp)
400b2e: 48 83 eb 01 sub $0x1,%rbx decrement flag length
400b32: 88 55 ff mov %dl,-0x1(%rbp) store byte read to previous rbp address (post incr.)
400b35: 74 18 je 400b4f <read_flag+0x5f> flag length zero ? --> read_flag_Finished
MoreBytesToRead:
400b37: 48 8d 74 24 0f lea 0xf(%rsp),%rsi pointer to single char buffer
400b3c: 31 c0 xor %eax,%eax
400b3e: ba 01 00 00 00 mov $0x1,%edx read length == 1 (one char at a time)
400b43: 44 89 e7 mov %r12d,%edi handle
400b46: e8 05 fc ff ff callq 400750 <read@plt> read() one byte
400b4b: 85 c0 test %eax,%eax Read ok ?
400b4d: 7f d1 jg 400b20 <read_flag+0x30> Yes ^^^ProcessFlag
read_flag_Finished:
400b4f: 44 89 e7 mov %r12d,%edi handle in %r12 -> edi
400b52: 31 c0 xor %eax,%eax
400b54: e8 e7 fb ff ff callq 400740 <close@plt> close()
400b59: 48 83 c4 10 add $0x10,%rsp
400b5d: 5b pop %rbx
400b5e: 5d pop %rbp
400b5f: 41 5c pop %r12
400b61: c3 retq
ReportError:
400b62: 48 8b 3d 27 07 20 00 mov 0x200727(%rip),%rdi # 601290 <stderr@@GLIBC_2.2.5>
400b69: 41 b9 24 0c 40 00 mov $0x400c24,%r9d "No flag.txt"
400b6f: 41 b8 2e 00 00 00 mov $0x2e,%r8d
400b75: b9 30 0c 40 00 mov $0x400c30,%ecx "vulnserver.c"
400b7a: ba 3d 0c 40 00 mov $0x400c3d,%edx "%s(%d): %s\n"
400b7f: be 01 00 00 00 mov $0x1,%esi
400b84: 31 c0 xor %eax,%eax
400b86: e8 45 fc ff ff callq 4007d0 <__fprintf_chk@plt>
400b8b: bf ff ff ff ff mov $0xffffffff,%edi
400b90: e8 2b fc ff ff callq 4007c0 <exit@plt>
400b95: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
400b9c: 00 00 00
400b9f: 90 nop
0000000000400ba0 <__libc_csu_init>:
400ba0: 41 57 push %r15
400ba2: 41 89 ff mov %edi,%r15d
400ba5: 41 56 push %r14
400ba7: 49 89 f6 mov %rsi,%r14
400baa: 41 55 push %r13
400bac: 49 89 d5 mov %rdx,%r13
400baf: 41 54 push %r12
400bb1: 4c 8d 25 48 04 20 00 lea 0x200448(%rip),%r12 # 601000 <__frame_dummy_init_array_entry>
400bb8: 55 push %rbp
400bb9: 48 8d 2d 48 04 20 00 lea 0x200448(%rip),%rbp # 601008 <__init_array_end>
400bc0: 53 push %rbx
400bc1: 4c 29 e5 sub %r12,%rbp
400bc4: 31 db xor %ebx,%ebx
400bc6: 48 c1 fd 03 sar $0x3,%rbp
400bca: 48 83 ec 08 sub $0x8,%rsp
400bce: e8 05 fb ff ff callq 4006d8 <_init>
400bd3: 48 85 ed test %rbp,%rbp
400bd6: 74 1e je 400bf6 <__libc_csu_init+0x56>
400bd8: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
400bdf: 00
400be0: 4c 89 ea mov %r13,%rdx
400be3: 4c 89 f6 mov %r14,%rsi
400be6: 44 89 ff mov %r15d,%edi
400be9: 41 ff 14 dc callq *(%r12,%rbx,8)
400bed: 48 83 c3 01 add $0x1,%rbx
400bf1: 48 39 eb cmp %rbp,%rbx
400bf4: 75 ea jne 400be0 <__libc_csu_init+0x40>
400bf6: 48 83 c4 08 add $0x8,%rsp
400bfa: 5b pop %rbx
400bfb: 5d pop %rbp
400bfc: 41 5c pop %r12
400bfe: 41 5d pop %r13
400c00: 41 5e pop %r14
400c02: 41 5f pop %r15
400c04: c3 retq
400c05: 66 66 2e 0f 1f 84 00 data32 nopw %cs:0x0(%rax,%rax,1)
400c0c: 00 00 00 00
0000000000400c10 <__libc_csu_fini>:
400c10: f3 c3 repz retq
Disassembly of section .fini:
0000000000400c14 <_fini>:
400c14: 48 83 ec 08 sub $0x8,%rsp
400c18: 48 83 c4 08 add $0x8,%rsp
400c1c: c3 retq
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment