Assembly analysis for override
level00
main
8048494
to 8048494
Sets up the stack frame by moving the stack pointers away from the parents esp to the current ebp
8048497
Stack alignment to the closes 8 bytes. The esp moves up by 8 bytes.
804849a
bulk allocates 32 bytes in the stack
804849d - 804849d
calls
80484c1 - 80484c9
calls printf("Password: ")
80484ce
prepares the "%d" string in eax
80484d3
loads a variable (pointer is at esp + 0x1c) to edx, which will be used by scanf later. Lets call this input
80484d7 - 80484de
Calls
80484e3 - 80484e7
derefrences the pointer to input
and compares it with 5276
80484ec
if the comparison is not equal, jump to 804850d
80484ee - 8048501
calls puts("Authenticated!")
and runs system("/bin/sh")
804850b
return 0
804850d - 8048514
calls puts("Invalid Password!")
8048519 - 804851f
return 1
level01
main
80484d0 - 80484d5
Stack frame setup and stack alignment
80484d8 - 80484db
Allocates 96 bytes on the stack and loads a buffer at [esp + 0x1c] to ebx. Call this child_input
80484df - 80484ed
Repeatedly fill up the data pointed in edi
(child_input) with the value in eax
, which is 16, for edx
times which is 10. The es
is an explicit segmentation specifier for compatibility issues. Effectively, this does memset(child_input, 0, 16);
80484ef
Write 0 to a pointer at [esp + 0x5c], Call this num
80484f7 - 80484fe
Effectively call puts("********* ADMIN LOGIN PROMPT *********")
804850b
Effectively call printf("Enter Username:")
8048510
Load a static global buffer into eax from 0x804a020
, call this input_buf
8048515 - 8048528
Effectively call fgets(input_buf, 256, stdin)
804852d
Call verify_user_name
with the return value of fgets.
8048532 - 804853b
Load the return value of verify_user_name
and write it to num. Compare it with value 0. If the result is equal, jump to <main+0x80>
.
804853d - 804854e
If not, call puts("nope, incorrect username")
and return 1.
8048550 - 8048557
Effectively call puts("Enter Password:")
804855c - 8048574
Effectively call fgets(child_input, 100, stdin)
8048579 - 8048580
Effectively call verify_user_pass
with the return value of fgets earlier
8048585 - 80485a8
Essentially the same operations earlier after we verify username, we compare the return value to 0, puts("nope, incorrect password")
if its not and return 1
80485aa - 80485b5
return 0
verify_user_name
8048464 - 8048469
Sets up stack frame and allocates 16 bytes in stack
804846c - 8048473
Effectively call puts("verifying username....")
8048478 - 804848b
Sets up input_buf in esi
and "dat_wil"(from data section)
in edi
and compare them.
804848d - 8048490
Records the differences in dl
or al
. If the comparisons are equal, both of them should be 0
8048493 - 8048499
Perform arithmethic on the differences to get the actual return value, since al
or dl
does not reflect the full registers - there might have other things unintentionally
804849f - 80484a2
Return the difference earlier.
verify_user_pass
80484a3 - 80484a8
Set up stack frame and load the first argument into eax
80484ab - 80484cf
Compare it with the string "admin" from data segment, the rest is the same with verify_user_name
level02
main
400814 - 400815
preparing stack frame addresses
400818 - 400825
allocates 288 bytes for the stack, loads the value of edi
into [rbp-0x114]
(call this init_edi), Load rsi
into [rbp-0x120]
(init_rsi)
40082c - 40083d
Loads [rbp-0x70]
into rdx
(call this username) effectively call memset(username, 0, 12)
400840
Null terminates username
and increments it by 4 (why?)
400849 - 40085d
Loads [rbp-0xa0]
aka pass_file_content into rdx and effectively call memset(pass_file_content, 0, 5)
400860 - 400863
Null terminates pass_file_content
and increments it by 1 (why?)
400869 - 400883
Do the same thing as above for another variable [rbp-0x110]
aka pass using memset(pass, 0, 12)
, this time it increments 4 in the end.
400889 - 4008a8
Declares open_passfile at [rbp-0x8]
and read_pass_status at [rbp-0xc]
Prepares arguments to call fopen("/home/users/level03/", "r")
4008ad - 4008b1
Save the return value above in [rbp-0x8]
aka open_passfile and compares it with 0. It its not equal, jump to 4008e6
4008b8 - 4008e1
If it is 0, call fwrite("ERROR: failed to open password file", 1, 24, stderr)
and exit(1)
4008e6 - 400901
Calls fread(pass_file_content, 1, 29, open_passfile)
and stores the result in read_pass_status
400909 - 400918
Prepares arguments and calls strcspn(pass_file_content, "\n")
which returns the number of bytes of pass_file_content which are not in the "\n".
40091d
pass_file_content[<ret_above>] = 0
400925 - 400978
Compare read_pass_status with 41
. If the are equal, jump to 40097d
. If they are not, frwite("ERROR: failed to read password file", 1, 24, stderr)
twice and call exit(1)
40097d - 400984
Closes the password file by calling fclose(open_passfile)
400989 - 4009be
Calls puts()
for all the lines of the following output and calls printf("--[ Username:")
at the end.
4009c3 - 4009d9
Effectively calls fgets(username, 100, stdin)
4009de - 400a01
finds the index of newline string in username, and replaces the newline with nullbyte. Calls printf(" --[ Password:")
after that
400a06 - 400a3f
Essentially do the same with pass by calling fgets(pass, 100, stdin)
and null terminates it
400a40 - 400a45
Calls puts("*****************************************")
400a4a - 400a68
Calls strncmp(pass_file_content, pass, 41)
and test if the result is 0
400a6a
If its not equal, jump to 400a96
400a6c - 400a95
call printf("Greetings, %s!", username)
and system("/bin/sh")
, and returns 0
400a96 - 400ab6
call printf(username)
and puts("does not have access!")
and exit(1)
level03
main
804885a - 8048860
Stack setup, alignment and allocating 32 bytes for the stack
8048863 - 804886b
I dont know why they would do this but looks like it is just clearing out eax and making sure the stack is ok?
804886c - 8048873
Call srand(time(0))
8048880 - 804889f
For each line below, call puts()
on it
80488a4 - 80488ac
Call printf("Password:")
80488ac - 80488c1
Loads [esp + 0x1c]
aka pwinput to eax
. Calls scanf("%d", &pwinput)
80488c6 - 80488e0
Calls test(pwinput, 0x1337d00d)
and returns 0
test
8048747: 55 push ebp
8048748: 89 e5 mov ebp,esp
804874a: 83 ec 28 sub esp,0x28
804874d: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048750: 8b 55 0c mov edx,DWORD PTR [ebp+0xc]
8048753: 89 d1 mov ecx,edx
8048755: 29 c1 sub ecx,eax
8048757: 89 c8 mov eax,ecx
8048759: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
804875c: 83 7d f4 15 cmp DWORD PTR [ebp-0xc],0x15
8048760: 0f 87 e4 00 00 00 ja 804884a <test+0x103>
8048766: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048769: c1 e0 02 shl eax,0x2
804876c: 05 f0 89 04 08 add eax,0x80489f0
8048771: 8b 00 mov eax,DWORD PTR [eax]
8048773: ff e0 jmp eax
8048775: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048778: 89 04 24 mov DWORD PTR [esp],eax
804877b: e8 e0 fe ff ff call 8048660 <decrypt>
8048780: e9 d3 00 00 00 jmp 8048858 <test+0x111>
8048785: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048788: 89 04 24 mov DWORD PTR [esp],eax
804878b: e8 d0 fe ff ff call 8048660 <decrypt>
8048790: e9 c3 00 00 00 jmp 8048858 <test+0x111>
8048795: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048798: 89 04 24 mov DWORD PTR [esp],eax
804879b: e8 c0 fe ff ff call 8048660 <decrypt>
80487a0: e9 b3 00 00 00 jmp 8048858 <test+0x111>
80487a5: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487a8: 89 04 24 mov DWORD PTR [esp],eax
80487ab: e8 b0 fe ff ff call 8048660 <decrypt>
80487b0: e9 a3 00 00 00 jmp 8048858 <test+0x111>
80487b5: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487b8: 89 04 24 mov DWORD PTR [esp],eax
80487bb: e8 a0 fe ff ff call 8048660 <decrypt>
80487c0: e9 93 00 00 00 jmp 8048858 <test+0x111>
80487c5: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487c8: 89 04 24 mov DWORD PTR [esp],eax
80487cb: e8 90 fe ff ff call 8048660 <decrypt>
80487d0: e9 83 00 00 00 jmp 8048858 <test+0x111>
80487d5: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487d8: 89 04 24 mov DWORD PTR [esp],eax
80487db: e8 80 fe ff ff call 8048660 <decrypt>
80487e0: eb 76 jmp 8048858 <test+0x111>
80487e2: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487e5: 89 04 24 mov DWORD PTR [esp],eax
80487e8: e8 73 fe ff ff call 8048660 <decrypt>
80487ed: eb 69 jmp 8048858 <test+0x111>
80487ef: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487f2: 89 04 24 mov DWORD PTR [esp],eax
80487f5: e8 66 fe ff ff call 8048660 <decrypt>
80487fa: eb 5c jmp 8048858 <test+0x111>
80487fc: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487ff: 89 04 24 mov DWORD PTR [esp],eax
8048802: e8 59 fe ff ff call 8048660 <decrypt>
8048807: eb 4f jmp 8048858 <test+0x111>
8048809: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
804880c: 89 04 24 mov DWORD PTR [esp],eax
804880f: e8 4c fe ff ff call 8048660 <decrypt>
8048814: eb 42 jmp 8048858 <test+0x111>
8048816: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048819: 89 04 24 mov DWORD PTR [esp],eax
804881c: e8 3f fe ff ff call 8048660 <decrypt>
8048821: eb 35 jmp 8048858 <test+0x111>
8048823: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048826: 89 04 24 mov DWORD PTR [esp],eax
8048829: e8 32 fe ff ff call 8048660 <decrypt>
804882e: eb 28 jmp 8048858 <test+0x111>
8048830: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048833: 89 04 24 mov DWORD PTR [esp],eax
8048836: e8 25 fe ff ff call 8048660 <decrypt>
804883b: eb 1b jmp 8048858 <test+0x111>
804883d: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048840: 89 04 24 mov DWORD PTR [esp],eax
8048843: e8 18 fe ff ff call 8048660 <decrypt>
8048848: eb 0e jmp 8048858 <test+0x111>
804884a: e8 d1 fc ff ff call 8048520 <rand@plt>
804884f: 89 04 24 mov DWORD PTR [esp],eax
8048852: e8 09 fe ff ff call 8048660 <decrypt>
8048857: 90 nop
8048858: c9 leave
8048859: c3 ret
8048747 - 8048750
Set up stack frame and load pwinput at [ebp+0x8]
to eax
and init_addr[ebp+0xc]
which is now equal to 0x1337d00d
to edx
8048753 - 8048759
init_addr -= pwinput
804875c - 8048760
comapre init_addr with 21
. If its more than, jump to 804884a
.
8048766 - 8048780
load init_addr in some temp variable and shift left by 2, which means multiply by 4 and add 0x80489f0
to that value. The temp variable is the derefrenced and jumped to.
804877b - 8048858
Continiously call decrypt(init_addr)
and return
decrypt
8048660: 55 push ebp
8048661: 89 e5 mov ebp,esp
8048663: 57 push edi
8048664: 56 push esi
8048665: 83 ec 40 sub esp,0x40
8048668: 65 a1 14 00 00 00 mov eax,gs:0x14
804866e: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
8048671: 31 c0 xor eax,eax
8048673: c7 45 e3 51 7d 7c 75 mov DWORD PTR [ebp-0x1d],0x757c7d51
804867a: c7 45 e7 60 73 66 67 mov DWORD PTR [ebp-0x19],0x67667360
8048681: c7 45 eb 7e 73 66 7b mov DWORD PTR [ebp-0x15],0x7b66737e
8048688: c7 45 ef 7d 7c 61 33 mov DWORD PTR [ebp-0x11],0x33617c7d
804868f: c6 45 f3 00 mov BYTE PTR [ebp-0xd],0x0
8048693: 50 push eax
8048694: 31 c0 xor eax,eax
8048696: 74 03 je 804869b <decrypt+0x3b>
8048698: 83 c4 04 add esp,0x4
804869b: 58 pop eax
804869c: 8d 45 e3 lea eax,[ebp-0x1d]
804869f: c7 45 d4 ff ff ff ff mov DWORD PTR [ebp-0x2c],0xffffffff
80486a6: 89 c2 mov edx,eax
80486a8: b8 00 00 00 00 mov eax,0x0
80486ad: 8b 4d d4 mov ecx,DWORD PTR [ebp-0x2c]
80486b0: 89 d7 mov edi,edx
80486b2: f2 ae repnz scas al,BYTE PTR es:[edi]
80486b4: 89 c8 mov eax,ecx
80486b6: f7 d0 not eax
80486b8: 83 e8 01 sub eax,0x1
80486bb: 89 45 dc mov DWORD PTR [ebp-0x24],eax
80486be: c7 45 d8 00 00 00 00 mov DWORD PTR [ebp-0x28],0x0
80486c5: eb 1e jmp 80486e5 <decrypt+0x85>
80486c7: 8d 45 e3 lea eax,[ebp-0x1d]
80486ca: 03 45 d8 add eax,DWORD PTR [ebp-0x28]
80486cd: 0f b6 00 movzx eax,BYTE PTR [eax]
80486d0: 89 c2 mov edx,eax
80486d2: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
80486d5: 31 d0 xor eax,edx
80486d7: 89 c2 mov edx,eax
80486d9: 8d 45 e3 lea eax,[ebp-0x1d]
80486dc: 03 45 d8 add eax,DWORD PTR [ebp-0x28]
80486df: 88 10 mov BYTE PTR [eax],dl
80486e1: 83 45 d8 01 add DWORD PTR [ebp-0x28],0x1
80486e5: 8b 45 d8 mov eax,DWORD PTR [ebp-0x28]
80486e8: 3b 45 dc cmp eax,DWORD PTR [ebp-0x24]
80486eb: 72 da jb 80486c7 <decrypt+0x67>
80486ed: 8d 45 e3 lea eax,[ebp-0x1d]
80486f0: 89 c2 mov edx,eax
80486f2: b8 c3 89 04 08 mov eax,0x80489c3
80486f7: b9 11 00 00 00 mov ecx,0x11
80486fc: 89 d6 mov esi,edx
80486fe: 89 c7 mov edi,eax
8048700: f3 a6 repz cmps BYTE PTR ds:[esi],BYTE PTR es:[edi]
8048702: 0f 97 c2 seta dl
8048705: 0f 92 c0 setb al
8048708: 89 d1 mov ecx,edx
804870a: 28 c1 sub cl,al
804870c: 89 c8 mov eax,ecx
804870e: 0f be c0 movsx eax,al
8048711: 85 c0 test eax,eax
8048713: 75 0e jne 8048723 <decrypt+0xc3>
8048715: c7 04 24 d4 89 04 08 mov DWORD PTR [esp],0x80489d4
804871c: e8 bf fd ff ff call 80484e0 <system@plt>
8048721: eb 0c jmp 804872f <decrypt+0xcf>
8048723: c7 04 24 dc 89 04 08 mov DWORD PTR [esp],0x80489dc
804872a: e8 a1 fd ff ff call 80484d0 <puts@plt>
804872f: 8b 75 f4 mov esi,DWORD PTR [ebp-0xc]
8048732: 65 33 35 14 00 00 00 xor esi,DWORD PTR gs:0x14
8048739: 74 05 je 8048740 <decrypt+0xe0>
804873b: e8 80 fd ff ff call 80484c0 <__stack_chk_fail@plt>
8048740: 83 c4 40 add esp,0x40
8048743: 5e pop esi
8048744: 5f pop edi
8048745: 5d pop ebp
8048746: c3 ret
8048660 - 8048671
Prepare the stack and allocate 64 bytes for the stack. Load 20
into [ebp-0xc]
aka canary and clears eax
.
8048673 - 804863f
declates cipher1 in [ebp-0x1d]
with 0x757c7d51
, cipher2 in [ebp-0x19]
with 0x67667360
,cipher3 in [ebp-0x15]
with 0x7b66737e
,cipher4 in [ebp-0x11]
with 0x33617c7d
, cipher5 in [ebp-0xd]
with 0
.
8048693 - 804869b
I have no idea why they want to pop eax
like that, so cant provide any context here yet… (im guessing stack canary?)
804869c - 80486c5
cipher1 has been loaded into eax
and 0xffffffff
has been written to [ebp-0x2c]
aka clear_mask.
80486a6 - 80486b2
evaluate string length of cipher1
80486b4 - 80486b8
store the value at eax and flip the polarity, since the result of the strlen was negative (direction flag), and then subtract 1
80486bb - 80486c5
Move the length into [ebp-0x24]
aka cipherlen and zero into [ebp-0x28]
aka count, jump to 80486e5
, which seems to be a loop checker
80486c7 - 80486e1
Load cipher1s address into eax
and add the value of count. Derefrence the resultant address and write that result to edx
. Load argument 1 (init_addr) into eax
and xor it with edx
, or our cipher1addr + count. -> xor_res. cipher1[count] = xor_res. count += 1
80486e5 - 80486eb
if count < cipherlen jump to 80486c7
8048700 - 8048740
Comapres cipher1 with the string Congratulations!
using strncmp(cipher1, "Congratulations!", 17)
. if its the same, system("/bin/sh")
, else puts("Invalid Password")
and return while checking for stack overflow.
level04
main
80486c8: 55 push ebp
80486c9: 89 e5 mov ebp,esp
80486cb: 57 push edi
80486cc: 53 push ebx
80486cd: 83 e4 f0 and esp,0xfffffff0
80486d0: 81 ec b0 00 00 00 sub esp,0xb0
80486d6: e8 75 fe ff ff call 8048550 <fork@plt>
80486db: 89 84 24 ac 00 00 00 mov DWORD PTR [esp+0xac],eax
80486e2: 8d 5c 24 20 lea ebx,[esp+0x20]
80486e6: b8 00 00 00 00 mov eax,0x0
80486eb: ba 20 00 00 00 mov edx,0x20
80486f0: 89 df mov edi,ebx
80486f2: 89 d1 mov ecx,edx
80486f4: f3 ab rep stos DWORD PTR es:[edi],eax
80486f6: c7 84 24 a8 00 00 00 mov DWORD PTR [esp+0xa8],0x0
80486fd: 00 00 00 00
8048701: c7 44 24 1c 00 00 00 mov DWORD PTR [esp+0x1c],0x0
8048708: 00
8048709: 83 bc 24 ac 00 00 00 cmp DWORD PTR [esp+0xac],0x0
8048710: 00
8048711: 75 56 jne 8048769 <main+0xa1>
8048713: c7 44 24 04 01 00 00 mov DWORD PTR [esp+0x4],0x1
804871a: 00
804871b: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1
8048722: e8 19 fe ff ff call 8048540 <prctl@plt>
8048727: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0
804872e: 00
804872f: c7 44 24 08 00 00 00 mov DWORD PTR [esp+0x8],0x0
8048736: 00
8048737: c7 44 24 04 00 00 00 mov DWORD PTR [esp+0x4],0x0
804873e: 00
804873f: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0
8048746: e8 25 fe ff ff call 8048570 <ptrace@plt>
804874b: c7 04 24 03 89 04 08 mov DWORD PTR [esp],0x8048903
8048752: e8 a9 fd ff ff call 8048500 <puts@plt>
8048757: 8d 44 24 20 lea eax,[esp+0x20]
804875b: 89 04 24 mov DWORD PTR [esp],eax
804875e: e8 4d fd ff ff call 80484b0 <gets@plt>
8048763: e9 b2 00 00 00 jmp 804881a <main+0x152>
8048768: 90 nop
8048769: 8d 44 24 1c lea eax,[esp+0x1c]
804876d: 89 04 24 mov DWORD PTR [esp],eax
8048770: e8 7b fd ff ff call 80484f0 <wait@plt>
8048775: 8b 44 24 1c mov eax,DWORD PTR [esp+0x1c]
8048779: 89 84 24 a0 00 00 00 mov DWORD PTR [esp+0xa0],eax
8048780: 8b 84 24 a0 00 00 00 mov eax,DWORD PTR [esp+0xa0]
8048787: 83 e0 7f and eax,0x7f
804878a: 85 c0 test eax,eax
804878c: 74 1e je 80487ac <main+0xe4>
804878e: 8b 44 24 1c mov eax,DWORD PTR [esp+0x1c]
8048792: 89 84 24 a4 00 00 00 mov DWORD PTR [esp+0xa4],eax
8048799: 8b 84 24 a4 00 00 00 mov eax,DWORD PTR [esp+0xa4]
80487a0: 83 e0 7f and eax,0x7f
80487a3: 83 c0 01 add eax,0x1
80487a6: d0 f8 sar al,1
80487a8: 84 c0 test al,al
80487aa: 7e 0e jle 80487ba <main+0xf2>
80487ac: c7 04 24 1d 89 04 08 mov DWORD PTR [esp],0x804891d
80487b3: e8 48 fd ff ff call 8048500 <puts@plt>
80487b8: eb 60 jmp 804881a <main+0x152>
80487ba: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0
80487c1: 00
80487c2: c7 44 24 08 2c 00 00 mov DWORD PTR [esp+0x8],0x2c
80487c9: 00
80487ca: 8b 84 24 ac 00 00 00 mov eax,DWORD PTR [esp+0xac]
80487d1: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
80487d5: c7 04 24 03 00 00 00 mov DWORD PTR [esp],0x3
80487dc: e8 8f fd ff ff call 8048570 <ptrace@plt>
80487e1: 89 84 24 a8 00 00 00 mov DWORD PTR [esp+0xa8],eax
80487e8: 83 bc 24 a8 00 00 00 cmp DWORD PTR [esp+0xa8],0xb
80487ef: 0b
80487f0: 0f 85 72 ff ff ff jne 8048768 <main+0xa0>
80487f6: c7 04 24 31 89 04 08 mov DWORD PTR [esp],0x8048931
80487fd: e8 fe fc ff ff call 8048500 <puts@plt>
8048802: c7 44 24 04 09 00 00 mov DWORD PTR [esp+0x4],0x9
8048809: 00
804880a: 8b 84 24 ac 00 00 00 mov eax,DWORD PTR [esp+0xac]
8048811: 89 04 24 mov DWORD PTR [esp],eax
8048814: e8 07 fd ff ff call 8048520 <kill@plt>
8048819: 90 nop
804881a: b8 00 00 00 00 mov eax,0x0
804881f: 8d 65 f8 lea esp,[ebp-0x8]
8048822: 5b pop ebx
8048823: 5f pop edi
8048824: 5d pop ebp
8048825: c3 ret
8048826: 90 nop
80486c8 - 80486d6
Sets up stack, does stack alignment and allocates 176 bytes on the stack
80486d6 - 80486f4
Calls fork()
and stores the return value on [esp+0xac]
aka pid. Loads a buffer at [esp+0x20]
aka child_input and call memset(child_input, 0, 32)
80486f6 - 8048711
Write 0 to [esp+0xa8]
aka ptrace_res and [esp+0x1c]
aka wait_status. Check if pid == 0
. If not, jump to 8048769
8048713 - 80487aa
This is the child fork. Call prctl(1, 1)
prctl man, which according to the header, is prctl(PR_SET_PDEATHSIG, SIGHUP)
. This will make the child receive a SIGHUP signal if the parent dies. Call ptrace(0, 0, 0, 0)
, which can be translated to ptrace(PTRACE_TRACEME, 0, 0, 0)
. What it does is that it allows the parent to inspect the childs program behaviour. puts(".Give me some shellcode, k")
is called, a buffer is loaded at [esp+0x20]
aka child_input and gets(child_input)
is called. Once gets
finished, the program returns.
8048769 - 8048824
Call wait(&wait_status)
, write wait_status into a temp variable and and 127
or according to the header for wait WIFEXITED(wait_status)
. If its true, jump to 80487ac
. Else, check WIFSIGNALED(wait_status)
. If its not true, jump to 80487ba
.
80487ac - 80487b8
Call puts("child is exiting")
and return.
80487ba - 8048824
Call ptrace(3, pid, 44, 0)
which corresponds to ptrace(PTRACE_PEEKUSER, pid, 44, NULL);
and write the return value to ptrace_res
. Compare it with 11
. If its not equal, return. Else, puts("no exec() for you")
and kill(pid, 9)
and return. Judging by the output, it seems like the ptrace is looking for an exec()
call by the child before killing it.
level05
main
08048444 <main>:
8048444: 55 push ebp
8048445: 89 e5 mov ebp,esp
8048447: 57 push edi
8048448: 53 push ebx
8048449: 83 e4 f0 and esp,0xfffffff0
804844c: 81 ec 90 00 00 00 sub esp,0x90
8048452: c7 84 24 8c 00 00 00 mov DWORD PTR [esp+0x8c],0x0
8048459: 00 00 00 00
804845d: a1 f0 97 04 08 mov eax,ds:0x80497f0
8048462: 89 44 24 08 mov DWORD PTR [esp+0x8],eax
8048466: c7 44 24 04 64 00 00 mov DWORD PTR [esp+0x4],0x64
804846d: 00
804846e: 8d 44 24 28 lea eax,[esp+0x28]
8048472: 89 04 24 mov DWORD PTR [esp],eax
8048475: e8 d6 fe ff ff call 8048350 <fgets@plt>
804847a: c7 84 24 8c 00 00 00 mov DWORD PTR [esp+0x8c],0x0
8048481: 00 00 00 00
8048485: eb 4c jmp 80484d3 <main+0x8f>
8048487: 8d 44 24 28 lea eax,[esp+0x28]
804848b: 03 84 24 8c 00 00 00 add eax,DWORD PTR [esp+0x8c]
8048492: 0f b6 00 movzx eax,BYTE PTR [eax]
8048495: 3c 40 cmp al,0x40
8048497: 7e 32 jle 80484cb <main+0x87>
8048499: 8d 44 24 28 lea eax,[esp+0x28]
804849d: 03 84 24 8c 00 00 00 add eax,DWORD PTR [esp+0x8c]
80484a4: 0f b6 00 movzx eax,BYTE PTR [eax]
80484a7: 3c 5a cmp al,0x5a
80484a9: 7f 20 jg 80484cb <main+0x87>
80484ab: 8d 44 24 28 lea eax,[esp+0x28]
80484af: 03 84 24 8c 00 00 00 add eax,DWORD PTR [esp+0x8c]
80484b6: 0f b6 00 movzx eax,BYTE PTR [eax]
80484b9: 89 c2 mov edx,eax
80484bb: 83 f2 20 xor edx,0x20
80484be: 8d 44 24 28 lea eax,[esp+0x28]
80484c2: 03 84 24 8c 00 00 00 add eax,DWORD PTR [esp+0x8c]
80484c9: 88 10 mov BYTE PTR [eax],dl
80484cb: 83 84 24 8c 00 00 00 add DWORD PTR [esp+0x8c],0x1
80484d2: 01
80484d3: 8b 9c 24 8c 00 00 00 mov ebx,DWORD PTR [esp+0x8c]
80484da: 8d 44 24 28 lea eax,[esp+0x28]
80484de: c7 44 24 1c ff ff ff mov DWORD PTR [esp+0x1c],0xffffffff
80484e5: ff
80484e6: 89 c2 mov edx,eax
80484e8: b8 00 00 00 00 mov eax,0x0
80484ed: 8b 4c 24 1c mov ecx,DWORD PTR [esp+0x1c]
80484f1: 89 d7 mov edi,edx
80484f3: f2 ae repnz scas al,BYTE PTR es:[edi]
80484f5: 89 c8 mov eax,ecx
80484f7: f7 d0 not eax
80484f9: 83 e8 01 sub eax,0x1
80484fc: 39 c3 cmp ebx,eax
80484fe: 72 87 jb 8048487 <main+0x43>
8048500: 8d 44 24 28 lea eax,[esp+0x28]
8048504: 89 04 24 mov DWORD PTR [esp],eax
8048507: e8 34 fe ff ff call 8048340 <printf@plt>
804850c: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0
8048513: e8 58 fe ff ff call 8048370 <exit@plt>
8048518: 90 nop
8048444 - 804844c
Prep stack and stack alignment, allocates 144 bytes for the stack.
8048452 - 80484a9
Write 0 to a variable called count at [esp+0x8c]
. Load a buffer from [esp+0x28]
aka inputbuf, call fgets(inputbuf, 100, stdin)
. Write 0 to count again and then jump to 80484d3
(I dont know why its so abrupt, loop maybe?), load address inputbuf to a tmp variable and increment the address by count. Derefrence the inputbuf and compare it with 64
and 90
. If its less or equals than 64
or more than 90
(not capital alphabet), jump to 80484cb
.
80484ab - 8048513
Load address of inputbuf and increment by count. Derefrence the index at inputbuf and xor 32
the element. inputbuf[count] = xorred_res
and increment count. while strlen(inputbuf)
is more than count, jump back to 8048487.
When the loop exits, printf(inputbuf)
and exit(0)
level06
main
8048879: 55 push ebp
804887a: 89 e5 mov ebp,esp
804887c: 83 e4 f0 and esp,0xfffffff0
804887f: 83 ec 50 sub esp,0x50
8048882: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
8048885: 89 44 24 1c mov DWORD PTR [esp+0x1c],eax
8048889: 65 a1 14 00 00 00 mov eax,gs:0x14
804888f: 89 44 24 4c mov DWORD PTR [esp+0x4c],eax
8048893: 31 c0 xor eax,eax
8048895: 50 push eax
8048896: 31 c0 xor eax,eax
8048898: 74 03 je 804889d <main+0x24>
804889a: 83 c4 04 add esp,0x4
804889d: 58 pop eax
804889e: c7 04 24 d4 8a 04 08 mov DWORD PTR [esp],0x8048ad4
80488a5: e8 e6 fc ff ff call 8048590 <puts@plt>
80488aa: c7 04 24 f8 8a 04 08 mov DWORD PTR [esp],0x8048af8
80488b1: e8 da fc ff ff call 8048590 <puts@plt>
80488b6: c7 04 24 d4 8a 04 08 mov DWORD PTR [esp],0x8048ad4
80488bd: e8 ce fc ff ff call 8048590 <puts@plt>
80488c2: b8 08 8b 04 08 mov eax,0x8048b08
80488c7: 89 04 24 mov DWORD PTR [esp],eax
80488ca: e8 41 fc ff ff call 8048510 <printf@plt>
80488cf: a1 60 a0 04 08 mov eax,ds:0x804a060
80488d4: 89 44 24 08 mov DWORD PTR [esp+0x8],eax
80488d8: c7 44 24 04 20 00 00 mov DWORD PTR [esp+0x4],0x20
80488df: 00
80488e0: 8d 44 24 2c lea eax,[esp+0x2c]
80488e4: 89 04 24 mov DWORD PTR [esp],eax
80488e7: e8 64 fc ff ff call 8048550 <fgets@plt>
80488ec: c7 04 24 d4 8a 04 08 mov DWORD PTR [esp],0x8048ad4
80488f3: e8 98 fc ff ff call 8048590 <puts@plt>
80488f8: c7 04 24 1c 8b 04 08 mov DWORD PTR [esp],0x8048b1c
80488ff: e8 8c fc ff ff call 8048590 <puts@plt>
8048904: c7 04 24 d4 8a 04 08 mov DWORD PTR [esp],0x8048ad4
804890b: e8 80 fc ff ff call 8048590 <puts@plt>
8048910: b8 40 8b 04 08 mov eax,0x8048b40
8048915: 89 04 24 mov DWORD PTR [esp],eax
8048918: e8 f3 fb ff ff call 8048510 <printf@plt>
804891d: b8 60 8a 04 08 mov eax,0x8048a60
8048922: 8d 54 24 28 lea edx,[esp+0x28]
8048926: 89 54 24 04 mov DWORD PTR [esp+0x4],edx
804892a: 89 04 24 mov DWORD PTR [esp],eax
804892d: e8 ae fc ff ff call 80485e0 <__isoc99_scanf@plt>
8048932: 8b 44 24 28 mov eax,DWORD PTR [esp+0x28]
8048936: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
804893a: 8d 44 24 2c lea eax,[esp+0x2c]
804893e: 89 04 24 mov DWORD PTR [esp],eax
8048941: e8 02 fe ff ff call 8048748 <auth>
8048946: 85 c0 test eax,eax
8048948: 75 1f jne 8048969 <main+0xf0>
804894a: c7 04 24 52 8b 04 08 mov DWORD PTR [esp],0x8048b52
8048951: e8 3a fc ff ff call 8048590 <puts@plt>
8048956: c7 04 24 61 8b 04 08 mov DWORD PTR [esp],0x8048b61
804895d: e8 3e fc ff ff call 80485a0 <system@plt>
8048962: b8 00 00 00 00 mov eax,0x0
8048967: eb 05 jmp 804896e <main+0xf5>
8048969: b8 01 00 00 00 mov eax,0x1
804896e: 8b 54 24 4c mov edx,DWORD PTR [esp+0x4c]
8048972: 65 33 15 14 00 00 00 xor edx,DWORD PTR gs:0x14
8048979: 74 05 je 8048980 <main+0x107>
804897b: e8 00 fc ff ff call 8048580 <__stack_chk_fail@plt>
8048980: c9 leave
8048981: c3 ret
8048982: 90 nop
8048879 - 804887f
Set up stack frame, stack alignment and allocates 80 bytes for the stack
8048882 - 8048898
Load argv into [esp+0x1c]
aka argv and 20 into [esp+0x4c]
aka canary. and save canary ^ canary
in memory, aka canary_xor. canary ^ canary
again, and if its true, jump to 804889d
804889a - 80488ca
Idk why they want to shrink the stack by 4 and pop the result to eax, I assume its for stack canary. Call these in order :
80488cf - 8048918
Load a buffer to [esp+0x2c]
aka logininput and call fgets(logininput, 32, stdin)
and calls these in order:
804891d - 804897b
Load an unsigned int in [esp+0x28]
aka serial_input. Call scanf("%u", &serialinput);
. After that, call auth(logininput, serialinput)
. If the return value is not equal zero, check the stack overflow and return. If it is, system("/bin/sh")
auth
8048748: 55 push ebp
8048749: 89 e5 mov ebp,esp
804874b: 83 ec 28 sub esp,0x28
804874e: c7 44 24 04 63 8a 04 mov DWORD PTR [esp+0x4],0x8048a63
8048755: 08
8048756: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048759: 89 04 24 mov DWORD PTR [esp],eax
804875c: e8 bf fd ff ff call 8048520 <strcspn@plt>
8048761: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048764: c6 00 00 mov BYTE PTR [eax],0x0
8048767: c7 44 24 04 20 00 00 mov DWORD PTR [esp+0x4],0x20
804876e: 00
804876f: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048772: 89 04 24 mov DWORD PTR [esp],eax
8048775: e8 56 fe ff ff call 80485d0 <strnlen@plt>
804877a: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
804877d: 50 push eax
804877e: 31 c0 xor eax,eax
8048780: 74 03 je 8048785 <auth+0x3d>
8048782: 83 c4 04 add esp,0x4
8048785: 58 pop eax
8048786: 83 7d f4 05 cmp DWORD PTR [ebp-0xc],0x5
804878a: 7f 0a jg 8048796 <auth+0x4e>
804878c: b8 01 00 00 00 mov eax,0x1
8048791: e9 e1 00 00 00 jmp 8048877 <auth+0x12f>
8048796: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0
804879d: 00
804879e: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1
80487a5: 00
80487a6: c7 44 24 04 00 00 00 mov DWORD PTR [esp+0x4],0x0
80487ad: 00
80487ae: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0
80487b5: e8 36 fe ff ff call 80485f0 <ptrace@plt>
80487ba: 83 f8 ff cmp eax,0xffffffff
80487bd: 75 2e jne 80487ed <auth+0xa5>
80487bf: c7 04 24 68 8a 04 08 mov DWORD PTR [esp],0x8048a68
80487c6: e8 c5 fd ff ff call 8048590 <puts@plt>
80487cb: c7 04 24 8c 8a 04 08 mov DWORD PTR [esp],0x8048a8c
80487d2: e8 b9 fd ff ff call 8048590 <puts@plt>
80487d7: c7 04 24 b0 8a 04 08 mov DWORD PTR [esp],0x8048ab0
80487de: e8 ad fd ff ff call 8048590 <puts@plt>
80487e3: b8 01 00 00 00 mov eax,0x1
80487e8: e9 8a 00 00 00 jmp 8048877 <auth+0x12f>
80487ed: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
80487f0: 83 c0 03 add eax,0x3
80487f3: 0f b6 00 movzx eax,BYTE PTR [eax]
80487f6: 0f be c0 movsx eax,al
80487f9: 35 37 13 00 00 xor eax,0x1337
80487fe: 05 ed ed 5e 00 add eax,0x5eeded
8048803: 89 45 f0 mov DWORD PTR [ebp-0x10],eax
8048806: c7 45 ec 00 00 00 00 mov DWORD PTR [ebp-0x14],0x0
804880d: eb 4c jmp 804885b <auth+0x113>
804880f: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
8048812: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048815: 0f b6 00 movzx eax,BYTE PTR [eax]
8048818: 3c 1f cmp al,0x1f
804881a: 7f 07 jg 8048823 <auth+0xdb>
804881c: b8 01 00 00 00 mov eax,0x1
8048821: eb 54 jmp 8048877 <auth+0x12f>
8048823: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
8048826: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048829: 0f b6 00 movzx eax,BYTE PTR [eax]
804882c: 0f be c0 movsx eax,al
804882f: 89 c1 mov ecx,eax
8048831: 33 4d f0 xor ecx,DWORD PTR [ebp-0x10]
8048834: ba 2b 3b 23 88 mov edx,0x88233b2b
8048839: 89 c8 mov eax,ecx
804883b: f7 e2 mul edx
804883d: 89 c8 mov eax,ecx
804883f: 29 d0 sub eax,edx
8048841: d1 e8 shr eax,1
8048843: 01 d0 add eax,edx
8048845: c1 e8 0a shr eax,0xa
8048848: 69 c0 39 05 00 00 imul eax,eax,0x539
804884e: 89 ca mov edx,ecx
8048850: 29 c2 sub edx,eax
8048852: 89 d0 mov eax,edx
8048854: 01 45 f0 add DWORD PTR [ebp-0x10],eax
8048857: 83 45 ec 01 add DWORD PTR [ebp-0x14],0x1
804885b: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
804885e: 3b 45 f4 cmp eax,DWORD PTR [ebp-0xc]
8048861: 7c ac jl 804880f <auth+0xc7>
8048863: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
8048866: 3b 45 f0 cmp eax,DWORD PTR [ebp-0x10]
8048869: 74 07 je 8048872 <auth+0x12a>
804886b: b8 01 00 00 00 mov eax,0x1
8048870: eb 05 jmp 8048877 <auth+0x12f>
8048872: b8 00 00 00 00 mov eax,0x0
8048877: c9 leave
8048878: c3 ret
8048748: 55 push ebp
8048749: 89 e5 mov ebp,esp
804874b: 83 ec 28 sub esp,0x28
804874e: c7 44 24 04 63 8a 04 mov DWORD PTR [esp+0x4],0x8048a63
8048755: 08
8048756: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048759: 89 04 24 mov DWORD PTR [esp],eax
804875c: e8 bf fd ff ff call 8048520 <strcspn@plt>
8048761: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048764: c6 00 00 mov BYTE PTR [eax],0x0
8048767: c7 44 24 04 20 00 00 mov DWORD PTR [esp+0x4],0x20
804876e: 00
804876f: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048772: 89 04 24 mov DWORD PTR [esp],eax
8048775: e8 56 fe ff ff call 80485d0 <strnlen@plt>
804877a: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
804877d: 50 push eax
804877e: 31 c0 xor eax,eax
8048780: 74 03 je 8048785 <auth+0x3d>
8048782: 83 c4 04 add esp,0x4
8048785: 58 pop eax
8048786: 83 7d f4 05 cmp DWORD PTR [ebp-0xc],0x5
804878a: 7f 0a jg 8048796 <auth+0x4e>
804878c: b8 01 00 00 00 mov eax,0x1
8048791: e9 e1 00 00 00 jmp 8048877 <auth+0x12f>
8048796: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0
804879d: 00
804879e: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1
80487a5: 00
80487a6: c7 44 24 04 00 00 00 mov DWORD PTR [esp+0x4],0x0
80487ad: 00
80487ae: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0
80487b5: e8 36 fe ff ff call 80485f0 <ptrace@plt>
80487ba: 83 f8 ff cmp eax,0xffffffff
80487bd: 75 2e jne 80487ed <auth+0xa5>
80487bf: c7 04 24 68 8a 04 08 mov DWORD PTR [esp],0x8048a68
80487c6: e8 c5 fd ff ff call 8048590 <puts@plt>
80487cb: c7 04 24 8c 8a 04 08 mov DWORD PTR [esp],0x8048a8c
80487d2: e8 b9 fd ff ff call 8048590 <puts@plt>
80487d7: c7 04 24 b0 8a 04 08 mov DWORD PTR [esp],0x8048ab0
80487de: e8 ad fd ff ff call 8048590 <puts@plt>
80487e3: b8 01 00 00 00 mov eax,0x1
80487e8: e9 8a 00 00 00 jmp 8048877 <auth+0x12f>
80487ed: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
80487f0: 83 c0 03 add eax,0x3
80487f3: 0f b6 00 movzx eax,BYTE PTR [eax]
80487f6: 0f be c0 movsx eax,al
80487f9: 35 37 13 00 00 xor eax,0x1337
80487fe: 05 ed ed 5e 00 add eax,0x5eeded
8048803: 89 45 f0 mov DWORD PTR [ebp-0x10],eax
8048806: c7 45 ec 00 00 00 00 mov DWORD PTR [ebp-0x14],0x0
804880d: eb 4c jmp 804885b <auth+0x113>
804880f: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
8048812: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048815: 0f b6 00 movzx eax,BYTE PTR [eax]
8048818: 3c 1f cmp al,0x1f
804881a: 7f 07 jg 8048823 <auth+0xdb>
804881c: b8 01 00 00 00 mov eax,0x1
8048821: eb 54 jmp 8048877 <auth+0x12f>
8048823: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
8048826: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048829: 0f b6 00 movzx eax,BYTE PTR [eax]
804882c: 0f be c0 movsx eax,al
804882f: 89 c1 mov ecx,eax
8048831: 33 4d f0 xor ecx,DWORD PTR [ebp-0x10]
8048834: ba 2b 3b 23 88 mov edx,0x88233b2b
8048839: 89 c8 mov eax,ecx
804883b: f7 e2 mul edx
804883d: 89 c8 mov eax,ecx
804883f: 29 d0 sub eax,edx
8048841: d1 e8 shr eax,1
8048843: 01 d0 add eax,edx
8048845: c1 e8 0a shr eax,0xa
8048848: 69 c0 39 05 00 00 imul eax,eax,0x539
804884e: 89 ca mov edx,ecx
8048850: 29 c2 sub edx,eax
8048852: 89 d0 mov eax,edx
8048854: 01 45 f0 add DWORD PTR [ebp-0x10],eax
8048857: 83 45 ec 01 add DWORD PTR [ebp-0x14],0x1
804885b: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
804885e: 3b 45 f4 cmp eax,DWORD PTR [ebp-0xc]
8048861: 7c ac jl 804880f <auth+0xc7>
8048863: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
8048866: 3b 45 f0 cmp eax,DWORD PTR [ebp-0x10]
8048869: 74 07 je 8048872 <auth+0x12a>
804886b: b8 01 00 00 00 mov eax,0x1
8048870: eb 05 jmp 8048877 <auth+0x12f>
8048872: b8 00 00 00 00 mov eax,0x0
8048877: c9 leave
8048878: c3 ret
8048748 - 804875c
Set up stack and allocate 40 bytes for stack, load logininput to [epb+0x8]
and call strcspn(logininput, "\n")
8048761 - 804877a
Replace the character "\n" with a nullbyte for logininput. Call strnlen(logininput, 32)
, save the result in a variable at [ebp-0xc]
aka loginlen
804877d - 80487b5
Do some weird canary shit until 8048785
, where it checks if loginlen is greater than 5. If it is, jump to 8048796
. If not, junp to 8048877
which returns. Calls ptrace(0, 0, 1, 0)
, can be translated to ptrace(PTRACE_TRACEME, 0, 1, 0)
which means allow parent to trace me.
80487bd - 80487e8
If the return value of the ptrace is -1, run the following in order:
80487ed - 8048818
Store logininput[3] in a temp variable and XOR it with 0x1337 (4919)
and add 0x5eeded (6221293)
. The result is stored in [ebp-0x10]
aka enc_logininput and 0 is stored in [ebp-0x14]
aka count. Jump to 804885b
(loop check). Derefrence logininput[count] and compares it with 31. If is less or equal than, return 1.
8048823 - 8048861
logininput[count] is loaded into ecx
and it is XOR'd against enc_logininput to eax
. 0x88233b2b
which is loaded into edx
, and we are multiplying 0x88233b2b * **logininput[count]**
and shifting the result by 1 to the right. It add back logininput[count] and shifts right by 10. It then multiplies 1337 and stores the value in eax
. After that, enc_logininput -= logininput[count] and move enc_logininput to eax
. enc_logininput + logininput[count] and increments count, compares count with login length.
8048863 - 8048877
Compare serialinput with the enc_logininput If its equal, return 0, else return 1
level07
main
This section sets up the stack frame and does stack alignment. Also allocates 464 bytes on the stack.
This section takes in argv and writes it to [esp+0x1c]
aka argv, also writes envp in [esp+0x18]
aka envp, writes 20 in [esp+0x1cc]
aka num1 and sets up the canary mechanism
Declares 6 variables on the stack, [esp+0x1b4]
aka op_ret, [esp+0x1b8]
aka user_cmd, [esp+0x1bc]
aka var3, [esp+0x1c0]
aka var4, [esp+0x1c4]
aka var5, [esp+0x1c8]
aka var7, all of them have value 0 inside them. var3 to var7 may be part of the same array.
Load a buffer from [esp+0x24]
aka meat and call memset(meat, 0, 100)
and jump to 80487ea
(looks like a loop).
Load argv from argv and calls strlen on it after defref strlen(*argv)
and call memset(*argv, 0, <strlen res>)
. Increment the address of argv by 4 (next argument) and compare it with 0. If its not equal, loop back to 80487a7
, essentially repeating this until argv is fully cleared.
Do the same thing for envp.
Call these in order :-
Once the fgets returns, find the newline character in the string and replace it with a nullbyte using .
Comapre user_cmd with "store" using strncmp(user_cmd, "store", 5)
. If its not equal, jump to 80488f8
, which should check next command. If it is, call store_number(meat)
and place the return value at op_ret, go back to the loop start by jumping to 8048965
Do the same thing to read
, strncmp(user_cmd, "read", 4)
and call read_number(meat)
, saving the output at op_ret and jumping to 8048965
Do the same thing to "quit"
, strncmp(user_cmd, "quit", 4)
and jump to 80489cf
, which checks for canary and returns.
Check for empty op_ret If it is empty or 0, jump to 8048989
which calls
printf(" Completed %s command successfully\n", user_cmd)
, clears all vars and goes back to loop. If the loop exits, check canary and return.
If op_ret is non zero, call printf("Failed to do %s command\n", user_cmd)
read_number
Sets up stack and allocates 40 bytes on the stack. Clears out [ebp-0xc]
aka num_input and calls printf("Index: ")
and then calls get_unum()
, and stores the value in num_input. The number is then shifted left by 2 and added by the first argument in [ebp+0x8]
aka meat. meat is then derefrenced and put to edx
and calls printf("Number at data[%u] is %u, ", num_input, meat)
. Returns 0
store_number
Sets up stack and allocates 40 bytes on the stack. Clears up [ebp-0x10]
aka num_input and [ebp-0xc]
aka idx_input. Call printf("Number: ")
and then call get_unum()
, which assigns the return value to num_input Do the same for idx_input, with the print being printf("Index: ")
. The pseudocode for 8048671 - 8048686
is like so.
If the condition is true jump to 8048697
which calls
and return 1
The pseudocode for 804868a - 8048690
is like so
If its not true, jump to 80486c2
which does meat[idx_input] = num_input;
and return 0. jump to 8048697
if its not.
get_unum
Setup stack and allocate 40 bytes for the stack, declare a variable at [ebp-0xc]
aka res, call fflush(stdout)
and then scanf("%u", &res)
. Call clear_stdin()
and return res
clear_stdin
Setup stack and allocate 24 bytes for the stack, declare a variable at [ebp-0x9]
aka curr, jump to 80485d1
(loop start), calls getchar()
and stores ret value at curr. Compare curr with '\n' and -1. Return of they are either equal. jump back to 80485d0
if they are not (infinite loop)