Skip to content

Instantly share code, notes, and snippets.

@mrexcessive

mrexcessive/gist:85d75b8725d07c0afbaa

Last active October 4, 2015 16:20
Show Gist options
  • Save mrexcessive/85d75b8725d07c0afbaa to your computer and use it in GitHub Desktop.
Save mrexcessive/85d75b8725d07c0afbaa to your computer and use it in GitHub Desktop.
Download ZIP
objdump output with added comments for DCTFU CTF exploit 300
Raw
gistfile1.txt
See article on https://whitehatters.academy/
e300: file format elf64-x86-64
Disassembly of section .init:
00000000000007c8 <.init>:
7c8: 48 83 ec 08 sub $0x8,%rsp
7cc: 48 8b 05 0d 08 20 00 mov 0x20080d(%rip),%rax # 200fe0 <rand@plt+0x200730>
7d3: 48 85 c0 test %rax,%rax
7d6: 74 05 je 7dd <puts@plt-0x23>
7d8: e8 73 00 00 00 callq 850 <__gmon_start__@plt>
7dd: 48 83 c4 08 add $0x8,%rsp
7e1: c3 retq
Disassembly of section .plt:
00000000000007f0 <puts@plt-0x10>:
7f0: ff 35 12 08 20 00 pushq 0x200812(%rip) # 201008 <rand@plt+0x200758>
7f6: ff 25 14 08 20 00 jmpq *0x200814(%rip) # 201010 <rand@plt+0x200760>
7fc: 0f 1f 40 00 nopl 0x0(%rax)
0000000000000800 <puts@plt>:
800: ff 25 12 08 20 00 jmpq *0x200812(%rip) # 201018 <rand@plt+0x200768>
806: 68 00 00 00 00 pushq $0x0
80b: e9 e0 ff ff ff jmpq 7f0 <puts@plt-0x10>
0000000000000810 <strlen@plt>:
810: ff 25 0a 08 20 00 jmpq *0x20080a(%rip) # 201020 <rand@plt+0x200770>
816: 68 01 00 00 00 pushq $0x1
81b: e9 d0 ff ff ff jmpq 7f0 <puts@plt-0x10>
0000000000000820 <printf@plt>:
820: ff 25 02 08 20 00 jmpq *0x200802(%rip) # 201028 <rand@plt+0x200778>
826: 68 02 00 00 00 pushq $0x2
82b: e9 c0 ff ff ff jmpq 7f0 <puts@plt-0x10>
0000000000000830 <__libc_start_main@plt>:
830: ff 25 fa 07 20 00 jmpq *0x2007fa(%rip) # 201030 <rand@plt+0x200780>
836: 68 03 00 00 00 pushq $0x3
83b: e9 b0 ff ff ff jmpq 7f0 <puts@plt-0x10>
0000000000000840 <srand@plt>:
840: ff 25 f2 07 20 00 jmpq *0x2007f2(%rip) # 201038 <rand@plt+0x200788>
846: 68 04 00 00 00 pushq $0x4
84b: e9 a0 ff ff ff jmpq 7f0 <puts@plt-0x10>
0000000000000850 <__gmon_start__@plt>:
850: ff 25 ea 07 20 00 jmpq *0x2007ea(%rip) # 201040 <rand@plt+0x200790>
856: 68 05 00 00 00 pushq $0x5
85b: e9 90 ff ff ff jmpq 7f0 <puts@plt-0x10>
0000000000000860 <memcpy@plt>:
860: ff 25 e2 07 20 00 jmpq *0x2007e2(%rip) # 201048 <rand@plt+0x200798>
866: 68 06 00 00 00 pushq $0x6
86b: e9 80 ff ff ff jmpq 7f0 <puts@plt-0x10>
0000000000000870 <time@plt>:
870: ff 25 da 07 20 00 jmpq *0x2007da(%rip) # 201050 <rand@plt+0x2007a0>
876: 68 07 00 00 00 pushq $0x7
87b: e9 70 ff ff ff jmpq 7f0 <puts@plt-0x10>
0000000000000880 <atoi@plt>:
880: ff 25 d2 07 20 00 jmpq *0x2007d2(%rip) # 201058 <rand@plt+0x2007a8>
886: 68 08 00 00 00 pushq $0x8
88b: e9 60 ff ff ff jmpq 7f0 <puts@plt-0x10>
0000000000000890 <exit@plt>:
890: ff 25 ca 07 20 00 jmpq *0x2007ca(%rip) # 201060 <rand@plt+0x2007b0>
896: 68 09 00 00 00 pushq $0x9
89b: e9 50 ff ff ff jmpq 7f0 <puts@plt-0x10>
00000000000008a0 <__cxa_finalize@plt>:
8a0: ff 25 c2 07 20 00 jmpq *0x2007c2(%rip) # 201068 <rand@plt+0x2007b8>
8a6: 68 0a 00 00 00 pushq $0xa
8ab: e9 40 ff ff ff jmpq 7f0 <puts@plt-0x10>
00000000000008b0 <rand@plt>:
8b0: ff 25 ba 07 20 00 jmpq *0x2007ba(%rip) # 201070 <rand@plt+0x2007c0>
8b6: 68 0b 00 00 00 pushq $0xb
8bb: e9 30 ff ff ff jmpq 7f0 <puts@plt-0x10>
Disassembly of section .text:
00000000000008c0 <.text>:
8c0: 31 ed xor %ebp,%ebp
8c2: 49 89 d1 mov %rdx,%r9
8c5: 5e pop %rsi
8c6: 48 89 e2 mov %rsp,%rdx
8c9: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
8cd: 50 push %rax
8ce: 54 push %rsp
8cf: 4c 8d 05 9a 02 00 00 lea 0x29a(%rip),%r8 # b70 <rand@plt+0x2c0>
8d6: 48 8d 0d 23 02 00 00 lea 0x223(%rip),%rcx # b00 <rand@plt+0x250>
8dd: 48 8d 3d 4a 01 00 00 lea 0x14a(%rip),%rdi # a2e <rand@plt+0x17e>
8e4: e8 47 ff ff ff callq 830 <__libc_start_main@plt>
8e9: f4 hlt
8ea: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
8f0: 48 8d 05 98 07 20 00 lea 0x200798(%rip),%rax # 20108f <_edata+0x7>
8f7: 48 8d 3d 8a 07 20 00 lea 0x20078a(%rip),%rdi # 201088 <_edata>
8fe: 55 push %rbp
8ff: 48 29 f8 sub %rdi,%rax
902: 48 89 e5 mov %rsp,%rbp
905: 48 83 f8 0e cmp $0xe,%rax
909: 77 02 ja 90d <rand@plt+0x5d>
90b: 5d pop %rbp
90c: c3 retq
90d: 48 8b 05 c4 06 20 00 mov 0x2006c4(%rip),%rax # 200fd8 <rand@plt+0x200728>
914: 48 85 c0 test %rax,%rax
917: 74 f2 je 90b <rand@plt+0x5b>
919: 5d pop %rbp
91a: ff e0 jmpq *%rax
91c: 0f 1f 40 00 nopl 0x0(%rax)
920: 48 8d 05 61 07 20 00 lea 0x200761(%rip),%rax # 201088 <_edata>
927: 48 8d 3d 5a 07 20 00 lea 0x20075a(%rip),%rdi # 201088 <_edata>
92e: 55 push %rbp
92f: 48 29 f8 sub %rdi,%rax
932: 48 89 e5 mov %rsp,%rbp
935: 48 c1 f8 03 sar $0x3,%rax
939: 48 89 c2 mov %rax,%rdx
93c: 48 c1 ea 3f shr $0x3f,%rdx
940: 48 01 d0 add %rdx,%rax
943: 48 d1 f8 sar %rax
946: 75 02 jne 94a <rand@plt+0x9a>
948: 5d pop %rbp
949: c3 retq
94a: 48 8b 15 9f 06 20 00 mov 0x20069f(%rip),%rdx # 200ff0 <rand@plt+0x200740>
951: 48 85 d2 test %rdx,%rdx
954: 74 f2 je 948 <rand@plt+0x98>
956: 5d pop %rbp
957: 48 89 c6 mov %rax,%rsi
95a: ff e2 jmpq *%rdx
95c: 0f 1f 40 00 nopl 0x0(%rax)
960: 80 3d 21 07 20 00 00 cmpb $0x0,0x200721(%rip) # 201088 <_edata>
967: 75 27 jne 990 <rand@plt+0xe0>
969: 48 83 3d 87 06 20 00 cmpq $0x0,0x200687(%rip) # 200ff8 <rand@plt+0x200748>
970: 00
971: 55 push %rbp
972: 48 89 e5 mov %rsp,%rbp
975: 74 0c je 983 <rand@plt+0xd3>
977: 48 8b 3d 02 07 20 00 mov 0x200702(%rip),%rdi # 201080 <rand@plt+0x2007d0>
97e: e8 1d ff ff ff callq 8a0 <__cxa_finalize@plt>
983: e8 68 ff ff ff callq 8f0 <rand@plt+0x40>
988: 5d pop %rbp
989: c6 05 f8 06 20 00 01 movb $0x1,0x2006f8(%rip) # 201088 <_edata>
990: f3 c3 repz retq
992: 66 66 66 66 66 2e 0f data32 data32 data32 data32 nopw %cs:0x0(%rax,%rax,1)
999: 1f 84 00 00 00 00 00
9a0: 48 83 3d 58 04 20 00 cmpq $0x0,0x200458(%rip) # 200e00 <rand@plt+0x200550>
9a7: 00
9a8: 74 26 je 9d0 <rand@plt+0x120>
9aa: 48 8b 05 37 06 20 00 mov 0x200637(%rip),%rax # 200fe8 <rand@plt+0x200738>
9b1: 48 85 c0 test %rax,%rax
9b4: 74 1a je 9d0 <rand@plt+0x120>
9b6: 55 push %rbp
9b7: 48 8d 3d 42 04 20 00 lea 0x200442(%rip),%rdi # 200e00 <rand@plt+0x200550>
9be: 48 89 e5 mov %rsp,%rbp
9c1: ff d0 callq *%rax
9c3: 5d pop %rbp
9c4: e9 57 ff ff ff jmpq 920 <rand@plt+0x70>
9c9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
9d0: e9 4b ff ff ff jmpq 920 <rand@plt+0x70>
9d5: 55 push %rbp
9d6: 48 89 e5 mov %rsp,%rbp
9d9: 48 8d 3d a4 01 00 00 lea 0x1a4(%rip),%rdi # b84 <rand@plt+0x2d4>
9e0: e8 1b fe ff ff callq 800 <puts@plt>
9e5: bf 00 00 00 00 mov $0x0,%edi
9ea: e8 a1 fe ff ff callq 890 <exit@plt>
9ef: 55 push %rbp # sub called with %rdi = ^second param ("3333333333333" etc)
9f0: 48 89 e5 mov %rsp,%rbp
9f3: 48 81 ec 40 01 00 00 sub $0x140,%rsp
9fa: 48 89 bd c8 fe ff ff mov %rdi,-0x138(%rbp)
================= START OF EASILY CALLED BLOCK
a01: 48 8b 85 c8 fe ff ff mov -0x138(%rbp),%rax
a08: 48 89 c7 mov %rax,%rdi
a0b: e8 00 fe ff ff callq 810 <strlen@plt> # call strlen on it
a10: 48 89 c2 mov %rax,%rdx
a13: 48 8b 8d c8 fe ff ff mov -0x138(%rbp),%rcx
a1a: 48 8d 85 d0 fe ff ff lea -0x130(%rbp),%rax
a21: 48 89 ce mov %rcx,%rsi # memcpy with strlen bytes (rdx)
a24: 48 89 c7 mov %rax,%rdi # onto stack - but where is stack !
a27: e8 34 fe ff ff callq 860 <memcpy@plt>
a2c: c9 leaveq
a2d: c3 retq
a2e: 55 push %rbp
a2f: 48 89 e5 mov %rsp,%rbp
a32: 48 83 ec 20 sub $0x20,%rsp
a36: 89 7d ec mov %edi,-0x14(%rbp)
a39: 48 89 75 e0 mov %rsi,-0x20(%rbp)
a3d: 48 8d 45 f0 lea -0x10(%rbp),%rax
a41: 48 89 c7 mov %rax,%rdi
a44: b8 00 00 00 00 mov $0x0,%eax
a49: e8 22 fe ff ff callq 870 <time@plt>
a4e: 89 c7 mov %eax,%edi
a50: e8 eb fd ff ff callq 840 <srand@plt> # srand(time()) - so gets same rand() for a second...
a55: e8 56 fe ff ff callq 8b0 <rand@plt>
a5a: 89 c1 mov %eax,%ecx
a5c: ba 67 66 66 66 mov $0x66666667,%edx
a61: 89 c8 mov %ecx,%eax
a63: f7 ea imul %edx
a65: d1 fa sar %edx
a67: 89 c8 mov %ecx,%eax
a69: c1 f8 1f sar $0x1f,%eax
a6c: 29 c2 sub %eax,%edx
a6e: 89 d0 mov %edx,%eax
a70: c1 e0 02 shl $0x2,%eax
a73: 01 d0 add %edx,%eax
a75: 29 c1 sub %eax,%ecx
a77: 89 ca mov %ecx,%edx
a79: 66 89 55 fe mov %dx,-0x2(%rbp)
a7d: 83 7d ec 02 cmpl $0x2,-0x14(%rbp)
a81: 7e 49 jle acc <rand@plt+0x21c>
a83: 48 8b 45 e0 mov -0x20(%rbp),%rax # get argv[]
a87: 48 83 c0 08 add $0x8,%rax # get first arg[] I guess... Hmmm oh is 8 byte DWORD values
a8b: 48 8b 00 mov (%rax),%rax
a8e: 48 89 c7 mov %rax,%rdi
a91: e8 ea fd ff ff callq 880 <atoi@plt> # turn to number
a96: 0f b7 55 fe movzwl -0x2(%rbp),%edx
a9a: 39 d0 cmp %edx,%eax
a9c: 75 15 jne ab3 <rand@plt+0x203> --> SHOULD_HAVE_BEEN
a9e: 48 8b 45 e0 mov -0x20(%rbp),%rax # get argv[]
aa2: 48 83 c0 10 add $0x10,%rax
aa6: 48 8b 00 mov (%rax),%rax # get 2nd arg
aa9: 48 89 c7 mov %rax,%rdi
aac: e8 3e ff ff ff callq 9ef <rand@plt+0x13f> # ? do something with it, param in rdi
ab1: eb 3b jmp aee <rand@plt+0x23e> # --> EXIT
SHOULD_HAVE_BEEN:
ab3: 0f b7 45 fe movzwl -0x2(%rbp),%eax
ab7: 89 c6 mov %eax,%esi
ab9: 48 8d 3d df 00 00 00 lea 0xdf(%rip),%rdi # b9f <rand@plt+0x2ef> "Should have been %i"
ac0: b8 00 00 00 00 mov $0x0,%eax
ac5: e8 56 fd ff ff callq 820 <printf@plt>
aca: eb 22 jmp aee <rand@plt+0x23e>
acc: 48 8b 45 e0 mov -0x20(%rbp),%rax # get argv[]
ad0: 48 8b 00 mov (%rax),%rax @208 get zeroth arg
ad3: 48 89 c6 mov %rax,%rsi @211
ad6: 48 8d 3d d8 00 00 00 lea 0xd8(%rip),%rdi # bb5 <rand@plt+0x305> "<number> <something>" @214 ($rip + 0xd8 = 0xbae)
add: b8 00 00 00 00 mov $0x0,%eax
ae2: e8 39 fd ff ff callq 820 <printf@plt>
ae7: b8 01 00 00 00 mov $0x1,%eax # exit(1)
aec: eb 05 jmp af3 <rand@plt+0x243>
EXIT
aee: b8 00 00 00 00 mov $0x0,%eax # exit(0) if fail rand() compare
af3: c9 leaveq
af4: c3 retq
af5: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1)
afc: 00 00 00
aff: 90 nop
========================================== END OF EASILY CALLED BLOCK
b00: 41 57 push %r15
b02: 41 89 ff mov %edi,%r15d
b05: 41 56 push %r14
b07: 49 89 f6 mov %rsi,%r14
b0a: 41 55 push %r13
b0c: 49 89 d5 mov %rdx,%r13
b0f: 41 54 push %r12
b11: 4c 8d 25 d8 02 20 00 lea 0x2002d8(%rip),%r12 # 200df0 <rand@plt+0x200540>
b18: 55 push %rbp
b19: 48 8d 2d d8 02 20 00 lea 0x2002d8(%rip),%rbp # 200df8 <rand@plt+0x200548>
b20: 53 push %rbx
b21: 4c 29 e5 sub %r12,%rbp
b24: 31 db xor %ebx,%ebx
b26: 48 c1 fd 03 sar $0x3,%rbp
b2a: 48 83 ec 08 sub $0x8,%rsp
b2e: e8 95 fc ff ff callq 7c8 <puts@plt-0x38>
b33: 48 85 ed test %rbp,%rbp
b36: 74 1e je b56 <rand@plt+0x2a6>
b38: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
b3f: 00
b40: 4c 89 ea mov %r13,%rdx
b43: 4c 89 f6 mov %r14,%rsi
b46: 44 89 ff mov %r15d,%edi
b49: 41 ff 14 dc callq *(%r12,%rbx,8)
b4d: 48 83 c3 01 add $0x1,%rbx
b51: 48 39 eb cmp %rbp,%rbx
b54: 75 ea jne b40 <rand@plt+0x290>
b56: 48 83 c4 08 add $0x8,%rsp
b5a: 5b pop %rbx
b5b: 5d pop %rbp
b5c: 41 5c pop %r12
b5e: 41 5d pop %r13
b60: 41 5e pop %r14
b62: 41 5f pop %r15
b64: c3 retq
b65: 66 66 2e 0f 1f 84 00 data32 nopw %cs:0x0(%rax,%rax,1)
b6c: 00 00 00 00
b70: f3 c3 repz retq
Disassembly of section .fini:
0000000000000b74 <.fini>:
b74: 48 83 ec 08 sub $0x8,%rsp
b78: 48 83 c4 08 add $0x8,%rsp
b7c: c3 retq 99
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment