get_pc_thunk_bx: 0x8048450
;-----------------------------------------------------------------------
; .init section (_init): run once by __libc_csu_init before the
; .init_array entries. Standard i386 PIC pattern: EBX = GOT base.
; In:  none   Out: none   Clobbers: EAX, flags (EBX is saved/restored)
; The slot read at [EBX-0x4] = [0x8049ffc] is presumably the GOT entry of
; a weak symbol (typically __gmon_start__) — TODO confirm from the symbol table.
;-----------------------------------------------------------------------
.init:
:
8048378: PUSH EBX ; save callee-saved EBX, used as the GOT base below
8048379: SUB ESP, 0x8 ; ESP -= 0x8; padding so ESP is 16-byte aligned at the CALL
804837c: CALL 8048450 <__x86.get_pc_thunk.bx> ; EBX = 0x8048381 (address of the next instruction)
8048381: ADD EBX, 0x1c7f ; EBX += 0x1c7f; ; EBX = 0x804a000 (GOT base)
8048387: MOV EAX, [EBX-0x4] ; EAX = [EBX-0x4]; weak-symbol GOT slot at 0x8049ffc, NULL when the symbol is absent
804838d: TEST EAX, EAX ; NULL check
804838f: JZ 0x8048396 ; if(EAX) {   -- skip the call when the slot is NULL
8048391: CALL 8048410 <sub_8048410> ; 0x8048410 is not in this listing; it follows the last PLT stub, so it is probably that symbol's PLT entry — confirm
; }
8048396: ADD ESP, 0x8 ; ESP += 0x8;
8048399: POP EBX ; POP EBX ; restore callee-saved EBX
804839a: RET
;-----------------------------------------------------------------------
; .plt — lazy-binding import stubs. Each import JMPs through its GOT
; slot; until first use the slot points back at the PUSH below, which
; pushes the relocation offset and enters PLT0 for the dynamic linker
; to resolve. The GOT slots [0x804a00c..0x804a020] are therefore
; writable code pointers; if they remain writable after startup, any
; memory-write primitive can redirect these imports. That is the
; property full RELRO / BIND_NOW removes — worth checking for this binary.
;-----------------------------------------------------------------------
.plt:
:
; PLT0: push GOT[1] (the loader's link-map cookie) and jump to GOT[2] (the resolver)
80483a0: PUSH DWORD [0x804a004]
80483a6: JMP DWORD [0x804a008] ; goto resolver via GOT[2]
; the next two lines are zero padding bytes decoded as instructions; never executed
80483ac: ADD [EAX], AL ; [EAX] += AL;
80483ae: ADD [EAX], AL ; [EAX] += AL;
setbuf:
80483b0: JMP DWORD [0x804a00c] ; goto *GOT[setbuf]
80483b6: PUSH DWORD 0x0 ; relocation offset 0x0 (first-call path only)
80483bb: JMP 0x80483a0 ; goto PLT0
getchar:
80483c0: JMP DWORD [0x804a010] ; goto *GOT[getchar]
80483c6: PUSH DWORD 0x8 ; relocation offset 0x8
80483cb: JMP 0x80483a0 ; goto PLT0
fgets:
80483d0: JMP DWORD [0x804a014] ; goto *GOT[fgets]
80483d6: PUSH DWORD 0x10 ; relocation offset 0x10
80483db: JMP 0x80483a0 ; goto PLT0
alarm:
80483e0: JMP DWORD [0x804a018] ; goto *GOT[alarm]
80483e6: PUSH DWORD 0x18 ; relocation offset 0x18
80483eb: JMP 0x80483a0 ; goto PLT0
puts:
80483f0: JMP DWORD [0x804a01c] ; goto *GOT[puts]
80483f6: PUSH DWORD 0x20 ; relocation offset 0x20
80483fb: JMP 0x80483a0 ; goto PLT0
__libc_start_main:
8048400: JMP DWORD [0x804a020] ; goto *GOT[__libc_start_main]
8048406: PUSH DWORD 0x28 ; relocation offset 0x28
804840b: JMP 0x80483a0 ; goto PLT0
;-----------------------------------------------------------------------
; .text entry point (_start): builds the cdecl argument block for
; __libc_start_main(main, argc, argv, init, fini, rtld_fini, stack_end)
; and never returns in normal flow (the HLT after the CALL is a trap for
; the impossible case). On entry the loader leaves argc at [ESP] with
; argv right above it; EDX holds the loader's rtld_fini callback.
; The string annotations on the three PUSHed addresses are just the code
; bytes at those addresses rendered as text — see the labels named below.
;-----------------------------------------------------------------------
.text:
:
8048420: XOR EBP, EBP ; EBP = 0 — marks the outermost stack frame
8048422: POP ESI ; POP ESI — ESI = argc
8048423: MOV ECX, ESP ; ECX = ESP; — ECX = argv
8048425: AND ESP, -0x10 ; ESP &= -0x10; 16-byte align the stack before pushing arguments
8048428: PUSH EAX ; padding slot; EAX's value is presumably unused — confirm
8048429: PUSH ESP ; stack_end
804842a: PUSH EDX ; rtld_fini (from the loader)
804842b: PUSH DWORD 0x8048650 ; fini = __libc_csu_fini (label at 0x8048650 below)
8048430: PUSH DWORD 0x80485f0 ; init = __libc_csu_init (label at 0x80485f0 below)
8048435: PUSH ECX ; argv
8048436: PUSH ESI ; argc
8048437: PUSH DWORD 0x804855c ; main (label at 0x804855c below)
804843c: CALL 8048400 <__libc_start_main>
8048441: HLT ; unreachable: __libc_start_main exits the process
8048442: NOP ; padding up to the next 16-byte-aligned function
8048444: NOP
8048446: NOP
8048448: NOP
804844a: NOP
804844c: NOP
804844e: NOP
;-----------------------------------------------------------------------
; __x86.get_pc_thunk.bx: i386 PIC helper. Returns its own return address
; in EBX (the instruction after the CALL); callers add a link-time delta
; to turn it into the GOT base. Clobbers: EBX only.
;-----------------------------------------------------------------------
__x86.get_pc_thunk.bx:
8048450: MOV EBX, [ESP] ; EBX = [ESP]; i.e. EBX = return address
8048453: RET
8048454: NOP ; padding
8048456: NOP
8048458: NOP
804845a: NOP
804845c: NOP
804845e: NOP
;-----------------------------------------------------------------------
; deregister_tm_clones: CRT transactional-memory bookkeeping. With the
; constants the linker resolved here the table is empty, so both guards
; always branch to RET and the PUSH/CALL sequence is dead code.
; Clobbers: EAX, flags (EBP/ESP only on the unreachable path).
;-----------------------------------------------------------------------
deregister_tm_clones:
8048460: MOV EAX, 0x804a02f ; EAX = 0x804a02f; end of the clone table
8048465: SUB EAX, 0x804a02c ; EAX -= 0x804a02c; minus its start -> 3
804846a: CMP EAX, 0x6 ; 3 <= 6, so the next branch is always taken
804846d: JBE 0x8048489 ; if(EAX > 0x6) {
804846f: MOV EAX, 0x0 ; EAX = 0x0; presumably a weak hook symbol resolved to NULL — confirm
8048474: TEST EAX, EAX ;
8048476: JZ 0x8048489 ; if(EAX) {   -- never true here either
8048478: PUSH EBP ; unreachable from this point down to LEAVE
8048479: MOV EBP, ESP ; EBP = ESP;
804847b: SUB ESP, 0x14 ; ESP -= 0x14;
804847e: PUSH DWORD 0x804a02c
8048483: CALL EAX ; EAX(0x804a02c)
8048485: ADD ESP, 0x10 ; ESP += 0x10;
8048488: LEAVE ; leave
; }
8048489: RET
804848b: NOP ; padding
804848c: LEA ESI, [ESI+0x0] ; multi-byte NOP
;-----------------------------------------------------------------------
; register_tm_clones: CRT transactional-memory bookkeeping. Computes the
; number of clone-table entries (signed (end-start)/4/2); the table here
; is empty, so the first JZ is always taken and the CALL path is dead.
; Clobbers: EAX, EDX, flags.
;-----------------------------------------------------------------------
register_tm_clones:
8048490: MOV EAX, 0x804a02c ; EAX = 0x804a02c; end of the clone table
8048495: SUB EAX, 0x804a02c ; EAX -= 0x804a02c; minus its start -> 0
804849a: SAR EAX, 0x2 ; EAX >>= 0x2; byte count -> entry count
804849d: MOV EDX, EAX ; EDX = EAX;
804849f: SHR EDX, 0x1f ; EDX >>= 0x1f; EDX = sign bit of EAX
80484a2: ADD EAX, EDX ; EAX += EDX; bias so the next shift rounds toward zero
80484a4: SAR EAX, 0x1 ; EAX >>= 0x1; signed divide by 2; sets ZF
80484a6: JZ 0x80484c3 ; if(EAX == 0) goto ret — always taken here
80484a8: MOV EDX, 0x0 ; EDX = 0x0; presumably a weak hook symbol resolved to NULL — confirm
80484ad: TEST EDX, EDX ;
80484af: JZ 0x80484c3 ; if(EDX) {   -- never true here either
80484b1: PUSH EBP ; unreachable from this point down to LEAVE
80484b2: MOV EBP, ESP ; EBP = ESP;
80484b4: SUB ESP, 0x10 ; ESP -= 0x10;
80484b7: PUSH EAX
80484b8: PUSH DWORD 0x804a02c
80484bd: CALL EDX ; EDX(0x804a02c, EAX)
80484bf: ADD ESP, 0x10 ; ESP += 0x10;
80484c2: LEAVE ; leave
; }
80484c3: RET
80484c5: LEA ESI, [ESI+0x0] ; multi-byte NOP padding
80484c9: LEA EDI, [EDI+0x0] ; multi-byte NOP padding
;-----------------------------------------------------------------------
; __do_global_dtors_aux: runs once at exit. Guarded by the byte flag at
; 0x804a048 ("completed"): if already set, return immediately; otherwise
; call deregister_tm_clones and set the flag.
; Clobbers: EAX, EDX, flags (via the callee), EBP/ESP restored by LEAVE.
;-----------------------------------------------------------------------
__do_global_dtors_aux:
80484d0: CMP BYTE [0x804a048], 0x0 ; completed flag already set?
80484d7: JNZ 0x80484ec ; if(BYTE [0x804a048] == 0x0) {
80484d9: PUSH EBP
80484da: MOV EBP, ESP ; EBP = ESP;
80484dc: SUB ESP, 0x8 ; ESP -= 0x8; alignment padding
80484df: CALL 8048460 <deregister_tm_clones>
80484e4: MOV BYTE [0x804a048], 0x1 ; completed = 1
80484eb: LEAVE ; leave
; }
80484ec: RET
80484ee: NOP ; padding
;-----------------------------------------------------------------------
; frame_dummy: CRT startup hook, invoked from __libc_csu_init via the
; single .init_array entry. Reads the dword at 0x8049f10; if it is zero
; (the normal case) it tail-jumps to register_tm_clones. The path through
; 0x8048500 loads a constant 0 into EDX and therefore always jumps back
; to the tail-jump as well, so the PUSH/CALL sequence is dead code.
; Clobbers: EAX, EDX, flags.
;-----------------------------------------------------------------------
frame_dummy:
80484f0: MOV EAX, 0x8049f10 ; EAX = address of a CRT data word (likely the __JCR_LIST__ head — confirm)
80484f5: MOV EDX, [EAX] ; EDX = [EAX];
80484f7: TEST EDX, EDX ;
80484f9: JNZ 0x8048500 ; if(!EDX) {
80484fb: JMP 0x8048490 ; goto register_tm_clones (tail call)
80484fd: LEA ESI, [ESI+0x0] ; multi-byte NOP padding
; }
8048500: MOV EDX, 0x0 ; EDX = 0x0; presumably a weak hook symbol resolved to NULL — confirm
8048505: TEST EDX, EDX ;
8048507: JZ 0x80484fb ; EDX is always 0 here, so this always returns to the tail-jump at 0x80484fb (not a loop)
8048509: PUSH EBP ; unreachable from this point down
804850a: MOV EBP, ESP ; EBP = ESP;
804850c: SUB ESP, 0x14 ; ESP -= 0x14;
804850f: PUSH EAX
8048510: CALL EDX ; EDX(EAX)
8048512: ADD ESP, 0x10 ; ESP += 0x10;
8048515: LEAVE ; leave
8048516: JMP 0x8048490 ; goto register_tm_clones
;-----------------------------------------------------------------------
; never_called: void never_called(void)
; Writes the address of its own local slot [EBP-0xc] into that slot,
; reloads it and CALLs it — a control transfer into stack memory.
; This can only run if the stack is mapped executable, so its presence
; suggests the binary was linked with an executable stack (confirm via
; the ELF GNU_STACK program-header flags). From a hardening standpoint
; that missing NX bit is the finding; the function itself has no caller
; in this listing, and frame_dummy's final JMP skips over it.
; Clobbers: EAX, EBP/ESP restored by LEAVE.
;-----------------------------------------------------------------------
never_called:
804851b: PUSH EBP
804851c: MOV EBP, ESP ; EBP = ESP;
804851e: SUB ESP, 0x18 ; ESP -= 0x18;
8048521: LEA EAX, [EBP-0xc] ; EAX = &local (a stack address)
8048524: MOV [EBP-0xc], EAX ; [EBP-0xc] = EAX; local = &local
8048527: MOV EAX, [EBP-0xc] ; EAX = [EBP-0xc];
804852a: CALL EAX ; EAX() — executes bytes that live on the stack
804852c: NOP
804852d: LEAVE ; leave
804852e: RET
;-----------------------------------------------------------------------
; vulnerable: int vulnerable(void)
; Reads one line with fgets into a stack buffer and returns 0.
; Frame: SUB ESP, 0x3db8 reserves the locals; the buffer passed to fgets
; starts at EBP-0x3dac, so at most 0x3dac (15788) bytes separate it from
; the saved EBP at [EBP] and the return address at [EBP+4].
; DEFECT (stack-based buffer overflow, CWE-121): the fgets size argument
; is 0x41a4 (16804), 1016 bytes more than the buffer can hold, so an
; input line longer than the buffer overwrites the saved frame pointer
; and return address. Fix: pass the buffer's real size (sizeof(buf) in
; the C source, i.e. no more than 0x3dac) as the second argument.
; No stack-protector canary load/check (gs:0x14) appears in this
; function, so the corruption is not detected before LEAVE/RET.
; [0x804a040] is the FILE* handed to fgets — the same global main passes
; to setbuf first — presumably stdin; confirm from the symbol table.
; Clobbers: EAX, ECX, EDX (via fgets), flags; returns EAX = 0.
;-----------------------------------------------------------------------
vulnerable:
804852f: PUSH EBP
8048530: MOV EBP, ESP ; EBP = ESP;
8048532: SUB ESP, 0x3db8 ; ESP -= 0x3db8; locals (buffer + padding)
8048538: MOV EAX, [0x804a040] ; EAX = [0x804a040]; FILE* (presumably stdin)
804853d: SUB ESP, 0x4 ; ESP -= 0x4; alignment padding for the 3-arg call
8048540: PUSH EAX ; arg 3: stream
8048541: PUSH DWORD 0x41a4 ; arg 2: size = 16804 — larger than the buffer below (see header)
8048546: LEA EAX, [EBP-0x3dac] ; EAX = &buf; buffer is 0x3dac bytes below the saved EBP
804854c: PUSH EAX ; arg 1: buf
; fgets(buf, 0x41a4, file)
804854d: CALL 80483d0 <fgets>
8048552: ADD ESP, 0x10 ; ESP += 0x10; drop the 3 args + padding
8048555: MOV EAX, 0x0 ; EAX = 0x0; return value
804855a: LEAVE ; leave — reloads the (possibly overwritten) saved EBP
804855b: RET ; return 0x0; pops the (possibly overwritten) return address
;-----------------------------------------------------------------------
; main: int main(void)
;   alarm(10); setbuf(F1, NULL); setbuf(F2, NULL);
;   if (getchar() == 'k') { puts("good gatekeeper"); return vulnerable(); }
;   puts("bad gatekeeper"); return -1;
; F1 = [0x804a040], F2 = [0x804a044]: presumably stdin and stdout — confirm.
; The 'k' check (0x6b) is a compare against a constant baked into the
; binary, so it is a convenience gate, not an access control; it does
; nothing to contain the overflow in vulnerable().
; Prologue: realigns ESP to 16 bytes and keeps the original ESP+4 in ECX,
; spilled to [EBP-0x4]; the epilogue restores it with LEA ESP, [ECX-0x4].
; Locals: [EBP-0x9] holds the byte read by getchar.
;-----------------------------------------------------------------------
main:
804855c: LEA ECX, [ESP+0x4] ; ECX = original ESP + 4 (points past the return address)
8048560: AND ESP, -0x10 ; ESP &= -0x10; 16-byte align the frame
8048563: PUSH DWORD [ECX-0x4] ; re-push the return address on the aligned stack
8048566: PUSH EBP
8048567: MOV EBP, ESP ; EBP = ESP;
8048569: PUSH ECX ; save the pre-alignment ESP+4 at [EBP-0x4]
804856a: SUB ESP, 0x414 ; ESP -= 0x414; locals
8048570: SUB ESP, 0xc ; ESP -= 0xc; alignment padding for the 1-arg call
8048573: PUSH 0xa ; seconds = 10
8048575: CALL 80483e0 <alarm> ; alarm(10): process is killed by SIGALRM if still running after 10 s
804857a: ADD ESP, 0x10 ; ESP += 0x10;
804857d: MOV EAX, [0x804a040] ; EAX = [0x804a040]; F1 (presumably stdin)
8048582: SUB ESP, 0x8 ; ESP -= 0x8; alignment padding for the 2-arg call
8048585: PUSH 0x0 ; buf = NULL -> unbuffered
8048587: PUSH EAX
8048588: CALL 80483b0 <setbuf> ; setbuf(F1, NULL)
804858d: ADD ESP, 0x10 ; ESP += 0x10;
8048590: MOV EAX, [0x804a044] ; EAX = [0x804a044]; F2 (presumably stdout)
8048595: SUB ESP, 0x8 ; ESP -= 0x8;
8048598: PUSH 0x0 ; buf = NULL -> unbuffered
804859a: PUSH EAX
804859b: CALL 80483b0 <setbuf> ; setbuf(F2, NULL)
80485a0: ADD ESP, 0x10 ; ESP += 0x10;
80485a3: CALL 80483c0 <getchar> ; EAX = getchar()
80485a8: MOV [EBP-0x9], AL ; [EBP-0x9] = AL; only the low byte is kept (EOF == -1 would also truncate to 0xff)
80485ab: CMP BYTE [EBP-0x9], 0x6b ; 0x6b == 'k'
80485af: JNZ 0x80485c8 ; if(BYTE [EBP-0x9] == 0x6b) {
80485b1: SUB ESP, 0xc ; ESP -= 0xc;
80485b4: PUSH DWORD 0x8048670 ; 'good gatekeeper'
80485b9: CALL 80483f0 <puts>
80485be: ADD ESP, 0x10 ; ESP += 0x10;
80485c1: CALL 804852f <vulnerable> ; EAX = vulnerable() (always 0 when it returns normally)
80485c6: JMP 0x80485dd ; goto epilogue with EAX = 0
; }
80485c8: SUB ESP, 0xc ; ESP -= 0xc;
80485cb: PUSH DWORD 0x8048680 ; 'bad gatekeeper'
80485d0: CALL 80483f0 <puts>
80485d5: ADD ESP, 0x10 ; ESP += 0x10;
80485d8: MOV EAX, 0xffffffff ; EAX = 0xffffffff; return -1
80485dd: MOV ECX, [EBP-0x4] ; ECX = [EBP-0x4]; reload the pre-alignment ESP+4
80485e0: LEAVE ; leave
80485e1: LEA ESP, [ECX-0x4] ; undo the alignment: ESP points at the original return address
80485e4: RET ; return EAX: 0 after the 'k' path (vulnerable's return value), 0xffffffff otherwise
80485e5: NOP ; padding to the next 16-byte-aligned function
80485e7: NOP
80485e9: NOP
80485eb: NOP
80485ed: NOP
80485ef: NOP
;-----------------------------------------------------------------------
; __libc_csu_init: void __libc_csu_init(int argc, char **argv, char **envp)
; Runs _init, then every .init_array entry with (argc, argv, envp).
; The array bounds are computed from EBX-0xf8 = 0x8049f08 and
; EBX-0xf4 = 0x8049f0c, i.e. exactly one entry; its bytes
; '\xf0\x84\x04\x08' decode to 0x80484f0 = frame_dummy above.
; Register roles: EBX = GOT base (0x804a000), EBP = argc,
; ESI = entry count, EDI = loop index. Callee-saved regs are pushed on
; entry and popped in reverse order before RET.
;-----------------------------------------------------------------------
__libc_csu_init:
80485f0: PUSH EBP
80485f1: PUSH EDI
80485f2: PUSH ESI
80485f3: PUSH EBX
80485f4: CALL 8048450 <__x86.get_pc_thunk.bx> ; EBX = 0x80485f9
80485f9: ADD EBX, 0x1a07 ; EBX += 0x1a07; ; EBX = 0x804a000 (GOT base)
80485ff: SUB ESP, 0xc ; ESP -= 0xc; alignment padding
8048602: MOV EBP, [ESP+0x20] ; EBP = [ESP+0x20]; = argc (4 pushes + return address + 0xc below it)
8048606: LEA ESI, [EBX-0xf4] ; 0x8049f0c = end of .init_array (the bytes shown, '\xd0\x84\x04\x08', are the following .fini_array entry = 0x80484d0 = __do_global_dtors_aux)
804860c: CALL 8048378 <sub_8048378> ; _init (the .init section at 0x8048378 above)
8048611: LEA EAX, [EBX-0xf8] ; 0x8049f08 = start of .init_array; entry bytes '\xf0\x84\x04\x08' = 0x80484f0 = frame_dummy
8048617: SUB ESI, EAX ; ESI -= EAX; byte length of the array
8048619: SAR ESI, 0x2 ; ESI >>= 0x2; entry count (1 here)
804861c: TEST ESI, ESI ;
804861e: JZ 0x8048645 ; if(ESI) {   -- skip the loop when the array is empty
8048620: XOR EDI, EDI ; EDI = 0 — loop index
8048622: LEA ESI, [ESI+0x0] ; multi-byte NOP aligning the loop head
8048628: SUB ESP, 0x4 ; ESP -= 0x4; alignment padding for the 3-arg call
804862b: PUSH DWORD [ESP+0x2c] ; envp (offsets shift by 4 after each push)
804862f: PUSH DWORD [ESP+0x2c] ; argv
8048633: PUSH EBP ; argc
8048634: CALL DWORD [EBX+EDI*4-0xf8] ; init_array[EDI](argc, argv, envp)
804863b: ADD EDI, 0x1 ; EDI += 0x1;
804863e: ADD ESP, 0x10 ; ESP += 0x10; drop args + padding
8048641: CMP EDI, ESI ;
8048643: JNZ 0x8048628 ; } while(EDI != ESI)
; }
8048645: ADD ESP, 0xc ; ESP += 0xc;
8048648: POP EBX ; POP EBX
8048649: POP ESI ; POP ESI
804864a: POP EDI ; POP EDI
804864b: POP EBP ; POP EBP
804864c: RET
804864d: LEA ESI, [ESI+0x0] ; multi-byte NOP padding
;-----------------------------------------------------------------------
; __libc_csu_fini: empty; passed to __libc_start_main as the fini hook
; by _start (PUSH DWORD 0x8048650). The '\xf3\xc3' bytes seen there are
; this REP RET encoding.
;-----------------------------------------------------------------------
__libc_csu_fini:
8048650: RET
;-----------------------------------------------------------------------
; .fini section (_fini): run at process exit. Only computes the GOT
; base in EBX and returns — there is no finalization work between the
; setup and teardown. Clobbers: flags (EBX saved/restored).
;-----------------------------------------------------------------------
.fini:
:
8048654: PUSH EBX ; save callee-saved EBX
8048655: SUB ESP, 0x8 ; ESP -= 0x8; alignment padding
8048658: CALL 8048450 <__x86.get_pc_thunk.bx> ; EBX = 0x804865d
804865d: ADD EBX, 0x19a3 ; EBX += 0x19a3; ; EBX = 0x804a000 (GOT base, unused here)
8048663: ADD ESP, 0x8 ; ESP += 0x8;
8048666: POP EBX ; POP EBX ; restore EBX
8048667: RET