Assembly analysis for override
level00
main
8048494 to 8048494 Sets up the stack frame by moving the stack pointers away from the parents esp to the current ebp8048497 Stack alignment to the closes 8 bytes. The esp moves up by 8 bytes.
804849a bulk allocates 32 bytes in the stack804849d - 804849d calls
80484c1 - 80484c9 calls printf("Password: ")
80484ce prepares the "%d" string in eax80484d3 loads a variable (pointer is at esp + 0x1c) to edx, which will be used by scanf later. Lets call this input80484d7 - 80484de Calls
80484e3 - 80484e7 derefrences the pointer to input and compares it with 5276
80484ec if the comparison is not equal, jump to 804850d80484ee - 8048501 calls puts("Authenticated!") and runs system("/bin/sh")804850b return 0804850d - 8048514 calls puts("Invalid Password!")8048519 - 804851f return 1
level01
main
80484d0 - 80484d5 Stack frame setup and stack alignment80484d8 - 80484db Allocates 96 bytes on the stack and loads a buffer at [esp + 0x1c] to ebx. Call this child_input80484df - 80484ed Repeatedly fill up the data pointed in edi (child_input) with the value in eax, which is 16, for edx times which is 10. The es is an explicit segmentation specifier for compatibility issues. Effectively, this does memset(child_input, 0, 16);
80484ef Write 0 to a pointer at [esp + 0x5c], Call this num80484f7 - 80484fe Effectively call puts("********* ADMIN LOGIN PROMPT *********")804850b Effectively call printf("Enter Username:")
8048510 Load a static global buffer into eax from 0x804a020, call this input_buf8048515 - 8048528 Effectively call fgets(input_buf, 256, stdin)804852d Call verify_user_name with the return value of fgets.
8048532 - 804853b Load the return value of verify_user_name and write it to num. Compare it with value 0. If the result is equal, jump to <main+0x80>.804853d - 804854e If not, call puts("nope, incorrect username") and return 1.
8048550 - 8048557 Effectively call puts("Enter Password:")804855c - 8048574 Effectively call fgets(child_input, 100, stdin)8048579 - 8048580 Effectively call verify_user_pass with the return value of fgets earlier
8048585 - 80485a8 Essentially the same operations earlier after we verify username, we compare the return value to 0, puts("nope, incorrect password") if its not and return 180485aa - 80485b5 return 0
verify_user_name
8048464 - 8048469 Sets up stack frame and allocates 16 bytes in stack804846c - 8048473 Effectively call puts("verifying username....")8048478 - 804848b Sets up input_buf in esi and "dat_wil"(from data section) in edi and compare them.804848d - 8048490 Records the differences in dl or al. If the comparisons are equal, both of them should be 08048493 - 8048499 Perform arithmethic on the differences to get the actual return value, since al or dl does not reflect the full registers - there might have other things unintentionally804849f - 80484a2 Return the difference earlier.
verify_user_pass
80484a3 - 80484a8 Set up stack frame and load the first argument into eax80484ab - 80484cf Compare it with the string "admin" from data segment, the rest is the same with verify_user_name
level02
main
400814 - 400815 preparing stack frame addresses400818 - 400825 allocates 288 bytes for the stack, loads the value of edi into [rbp-0x114] (call this init_edi), Load rsi into [rbp-0x120] (init_rsi)40082c - 40083d Loads [rbp-0x70] into rdx (call this username) effectively call memset(username, 0, 12)
400840 Null terminates username and increments it by 4 (why?)400849 - 40085d Loads [rbp-0xa0] aka pass_file_content into rdx and effectively call memset(pass_file_content, 0, 5)400860 - 400863 Null terminates pass_file_content and increments it by 1 (why?)
400869 - 400883 Do the same thing as above for another variable [rbp-0x110] aka pass using memset(pass, 0, 12), this time it increments 4 in the end.
400889 - 4008a8 Declares open_passfile at [rbp-0x8] and read_pass_status at [rbp-0xc] Prepares arguments to call fopen("/home/users/level03/", "r")4008ad - 4008b1 Save the return value above in [rbp-0x8] aka open_passfile and compares it with 0. It its not equal, jump to 4008e64008b8 - 4008e1 If it is 0, call fwrite("ERROR: failed to open password file", 1, 24, stderr) and exit(1)
4008e6 - 400901 Calls fread(pass_file_content, 1, 29, open_passfile) and stores the result in read_pass_status400909 - 400918 Prepares arguments and calls strcspn(pass_file_content, "\n") which returns the number of bytes of pass_file_content which are not in the "\n".40091d pass_file_content[<ret_above>] = 0400925 - 400978 Compare read_pass_status with 41. If the are equal, jump to 40097d. If they are not, frwite("ERROR: failed to read password file", 1, 24, stderr) twice and call exit(1)
40097d - 400984 Closes the password file by calling fclose(open_passfile)400989 - 4009be Calls puts() for all the lines of the following output and calls printf("--[ Username:") at the end.
4009c3 - 4009d9 Effectively calls fgets(username, 100, stdin)4009de - 400a01 finds the index of newline string in username, and replaces the newline with nullbyte. Calls printf(" --[ Password:") after that
400a06 - 400a3f Essentially do the same with pass by calling fgets(pass, 100, stdin) and null terminates it
400a40 - 400a45 Calls puts("*****************************************")400a4a - 400a68 Calls strncmp(pass_file_content, pass, 41) and test if the result is 0400a6a If its not equal, jump to 400a96400a6c - 400a95 call printf("Greetings, %s!", username) and system("/bin/sh"), and returns 0400a96 - 400ab6 call printf(username) and puts("does not have access!") and exit(1)
level03
main
804885a - 8048860 Stack setup, alignment and allocating 32 bytes for the stack8048863 - 804886b I dont know why they would do this but looks like it is just clearing out eax and making sure the stack is ok?804886c - 8048873 Call srand(time(0))8048880 - 804889f For each line below, call puts() on it
80488a4 - 80488ac Call printf("Password:")80488ac - 80488c1 Loads [esp + 0x1c] aka pwinput to eax. Calls scanf("%d", &pwinput)80488c6 - 80488e0 Calls test(pwinput, 0x1337d00d) and returns 0
test
8048747: 55 push ebp
8048748: 89 e5 mov ebp,esp
804874a: 83 ec 28 sub esp,0x28
804874d: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048750: 8b 55 0c mov edx,DWORD PTR [ebp+0xc]
8048753: 89 d1 mov ecx,edx
8048755: 29 c1 sub ecx,eax
8048757: 89 c8 mov eax,ecx
8048759: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
804875c: 83 7d f4 15 cmp DWORD PTR [ebp-0xc],0x15
8048760: 0f 87 e4 00 00 00 ja 804884a <test+0x103>
8048766: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048769: c1 e0 02 shl eax,0x2
804876c: 05 f0 89 04 08 add eax,0x80489f0
8048771: 8b 00 mov eax,DWORD PTR [eax]
8048773: ff e0 jmp eax
8048775: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048778: 89 04 24 mov DWORD PTR [esp],eax
804877b: e8 e0 fe ff ff call 8048660 <decrypt>
8048780: e9 d3 00 00 00 jmp 8048858 <test+0x111>
8048785: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048788: 89 04 24 mov DWORD PTR [esp],eax
804878b: e8 d0 fe ff ff call 8048660 <decrypt>
8048790: e9 c3 00 00 00 jmp 8048858 <test+0x111>
8048795: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048798: 89 04 24 mov DWORD PTR [esp],eax
804879b: e8 c0 fe ff ff call 8048660 <decrypt>
80487a0: e9 b3 00 00 00 jmp 8048858 <test+0x111>
80487a5: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487a8: 89 04 24 mov DWORD PTR [esp],eax
80487ab: e8 b0 fe ff ff call 8048660 <decrypt>
80487b0: e9 a3 00 00 00 jmp 8048858 <test+0x111>
80487b5: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487b8: 89 04 24 mov DWORD PTR [esp],eax
80487bb: e8 a0 fe ff ff call 8048660 <decrypt>
80487c0: e9 93 00 00 00 jmp 8048858 <test+0x111>
80487c5: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487c8: 89 04 24 mov DWORD PTR [esp],eax
80487cb: e8 90 fe ff ff call 8048660 <decrypt>
80487d0: e9 83 00 00 00 jmp 8048858 <test+0x111>
80487d5: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487d8: 89 04 24 mov DWORD PTR [esp],eax
80487db: e8 80 fe ff ff call 8048660 <decrypt>
80487e0: eb 76 jmp 8048858 <test+0x111>
80487e2: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487e5: 89 04 24 mov DWORD PTR [esp],eax
80487e8: e8 73 fe ff ff call 8048660 <decrypt>
80487ed: eb 69 jmp 8048858 <test+0x111>
80487ef: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487f2: 89 04 24 mov DWORD PTR [esp],eax
80487f5: e8 66 fe ff ff call 8048660 <decrypt>
80487fa: eb 5c jmp 8048858 <test+0x111>
80487fc: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
80487ff: 89 04 24 mov DWORD PTR [esp],eax
8048802: e8 59 fe ff ff call 8048660 <decrypt>
8048807: eb 4f jmp 8048858 <test+0x111>
8048809: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
804880c: 89 04 24 mov DWORD PTR [esp],eax
804880f: e8 4c fe ff ff call 8048660 <decrypt>
8048814: eb 42 jmp 8048858 <test+0x111>
8048816: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048819: 89 04 24 mov DWORD PTR [esp],eax
804881c: e8 3f fe ff ff call 8048660 <decrypt>
8048821: eb 35 jmp 8048858 <test+0x111>
8048823: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048826: 89 04 24 mov DWORD PTR [esp],eax
8048829: e8 32 fe ff ff call 8048660 <decrypt>
804882e: eb 28 jmp 8048858 <test+0x111>
8048830: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048833: 89 04 24 mov DWORD PTR [esp],eax
8048836: e8 25 fe ff ff call 8048660 <decrypt>
804883b: eb 1b jmp 8048858 <test+0x111>
804883d: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]
8048840: 89 04 24 mov DWORD PTR [esp],eax
8048843: e8 18 fe ff ff call 8048660 <decrypt>
8048848: eb 0e jmp 8048858 <test+0x111>
804884a: e8 d1 fc ff ff call 8048520 <rand@plt>
804884f: 89 04 24 mov DWORD PTR [esp],eax
8048852: e8 09 fe ff ff call 8048660 <decrypt>
8048857: 90 nop
8048858: c9 leave
8048859: c3 ret
8048747 - 8048750 Set up stack frame and load pwinput at [ebp+0x8] to eax and init_addr[ebp+0xc] which is now equal to 0x1337d00d to edx8048753 - 8048759 init_addr -= pwinput804875c - 8048760 comapre init_addr with 21. If its more than, jump to 804884a.8048766 - 8048780 load init_addr in some temp variable and shift left by 2, which means multiply by 4 and add 0x80489f0 to that value. The temp variable is the derefrenced and jumped to.804877b - 8048858 Continiously call decrypt(init_addr) and return
decrypt
8048660: 55 push ebp
8048661: 89 e5 mov ebp,esp
8048663: 57 push edi
8048664: 56 push esi
8048665: 83 ec 40 sub esp,0x40
8048668: 65 a1 14 00 00 00 mov eax,gs:0x14
804866e: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
8048671: 31 c0 xor eax,eax
8048673: c7 45 e3 51 7d 7c 75 mov DWORD PTR [ebp-0x1d],0x757c7d51
804867a: c7 45 e7 60 73 66 67 mov DWORD PTR [ebp-0x19],0x67667360
8048681: c7 45 eb 7e 73 66 7b mov DWORD PTR [ebp-0x15],0x7b66737e
8048688: c7 45 ef 7d 7c 61 33 mov DWORD PTR [ebp-0x11],0x33617c7d
804868f: c6 45 f3 00 mov BYTE PTR [ebp-0xd],0x0
8048693: 50 push eax
8048694: 31 c0 xor eax,eax
8048696: 74 03 je 804869b <decrypt+0x3b>
8048698: 83 c4 04 add esp,0x4
804869b: 58 pop eax
804869c: 8d 45 e3 lea eax,[ebp-0x1d]
804869f: c7 45 d4 ff ff ff ff mov DWORD PTR [ebp-0x2c],0xffffffff
80486a6: 89 c2 mov edx,eax
80486a8: b8 00 00 00 00 mov eax,0x0
80486ad: 8b 4d d4 mov ecx,DWORD PTR [ebp-0x2c]
80486b0: 89 d7 mov edi,edx
80486b2: f2 ae repnz scas al,BYTE PTR es:[edi]
80486b4: 89 c8 mov eax,ecx
80486b6: f7 d0 not eax
80486b8: 83 e8 01 sub eax,0x1
80486bb: 89 45 dc mov DWORD PTR [ebp-0x24],eax
80486be: c7 45 d8 00 00 00 00 mov DWORD PTR [ebp-0x28],0x0
80486c5: eb 1e jmp 80486e5 <decrypt+0x85>
80486c7: 8d 45 e3 lea eax,[ebp-0x1d]
80486ca: 03 45 d8 add eax,DWORD PTR [ebp-0x28]
80486cd: 0f b6 00 movzx eax,BYTE PTR [eax]
80486d0: 89 c2 mov edx,eax
80486d2: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
80486d5: 31 d0 xor eax,edx
80486d7: 89 c2 mov edx,eax
80486d9: 8d 45 e3 lea eax,[ebp-0x1d]
80486dc: 03 45 d8 add eax,DWORD PTR [ebp-0x28]
80486df: 88 10 mov BYTE PTR [eax],dl
80486e1: 83 45 d8 01 add DWORD PTR [ebp-0x28],0x1
80486e5: 8b 45 d8 mov eax,DWORD PTR [ebp-0x28]
80486e8: 3b 45 dc cmp eax,DWORD PTR [ebp-0x24]
80486eb: 72 da jb 80486c7 <decrypt+0x67>
80486ed: 8d 45 e3 lea eax,[ebp-0x1d]
80486f0: 89 c2 mov edx,eax
80486f2: b8 c3 89 04 08 mov eax,0x80489c3
80486f7: b9 11 00 00 00 mov ecx,0x11
80486fc: 89 d6 mov esi,edx
80486fe: 89 c7 mov edi,eax
8048700: f3 a6 repz cmps BYTE PTR ds:[esi],BYTE PTR es:[edi]
8048702: 0f 97 c2 seta dl
8048705: 0f 92 c0 setb al
8048708: 89 d1 mov ecx,edx
804870a: 28 c1 sub cl,al
804870c: 89 c8 mov eax,ecx
804870e: 0f be c0 movsx eax,al
8048711: 85 c0 test eax,eax
8048713: 75 0e jne 8048723 <decrypt+0xc3>
8048715: c7 04 24 d4 89 04 08 mov DWORD PTR [esp],0x80489d4
804871c: e8 bf fd ff ff call 80484e0 <system@plt>
8048721: eb 0c jmp 804872f <decrypt+0xcf>
8048723: c7 04 24 dc 89 04 08 mov DWORD PTR [esp],0x80489dc
804872a: e8 a1 fd ff ff call 80484d0 <puts@plt>
804872f: 8b 75 f4 mov esi,DWORD PTR [ebp-0xc]
8048732: 65 33 35 14 00 00 00 xor esi,DWORD PTR gs:0x14
8048739: 74 05 je 8048740 <decrypt+0xe0>
804873b: e8 80 fd ff ff call 80484c0 <__stack_chk_fail@plt>
8048740: 83 c4 40 add esp,0x40
8048743: 5e pop esi
8048744: 5f pop edi
8048745: 5d pop ebp
8048746: c3 ret
8048660 - 8048671 Prepare the stack and allocate 64 bytes for the stack. Load 20 into [ebp-0xc] aka canary and clears eax.8048673 - 804863f declates cipher1 in [ebp-0x1d] with 0x757c7d51, cipher2 in [ebp-0x19] with 0x67667360,cipher3 in [ebp-0x15] with 0x7b66737e,cipher4 in [ebp-0x11] with 0x33617c7d, cipher5 in [ebp-0xd] with 0.8048693 - 804869b I have no idea why they want to pop eax like that, so cant provide any context here yet… (im guessing stack canary?)804869c - 80486c5 cipher1 has been loaded into eax and 0xffffffff has been written to [ebp-0x2c] aka clear_mask.80486a6 - 80486b2 evaluate string length of cipher180486b4 - 80486b8 store the value at eax and flip the polarity, since the result of the strlen was negative (direction flag), and then subtract 180486bb - 80486c5Move the length into [ebp-0x24] aka cipherlen and zero into [ebp-0x28] aka count, jump to 80486e5, which seems to be a loop checker80486c7 - 80486e1 Load cipher1s address into eax and add the value of count. Derefrence the resultant address and write that result to edx. Load argument 1 (init_addr) into eax and xor it with edx, or our cipher1addr + count. -> xor_res. cipher1[count] = xor_res. count += 180486e5 - 80486eb if count < cipherlen jump to 80486c78048700 - 8048740 Comapres cipher1 with the string Congratulations! using strncmp(cipher1, "Congratulations!", 17). if its the same, system("/bin/sh"), else puts("Invalid Password") and return while checking for stack overflow.
level04
main
80486c8: 55 push ebp
80486c9: 89 e5 mov ebp,esp
80486cb: 57 push edi
80486cc: 53 push ebx
80486cd: 83 e4 f0 and esp,0xfffffff0
80486d0: 81 ec b0 00 00 00 sub esp,0xb0
80486d6: e8 75 fe ff ff call 8048550 <fork@plt>
80486db: 89 84 24 ac 00 00 00 mov DWORD PTR [esp+0xac],eax
80486e2: 8d 5c 24 20 lea ebx,[esp+0x20]
80486e6: b8 00 00 00 00 mov eax,0x0
80486eb: ba 20 00 00 00 mov edx,0x20
80486f0: 89 df mov edi,ebx
80486f2: 89 d1 mov ecx,edx
80486f4: f3 ab rep stos DWORD PTR es:[edi],eax
80486f6: c7 84 24 a8 00 00 00 mov DWORD PTR [esp+0xa8],0x0
80486fd: 00 00 00 00
8048701: c7 44 24 1c 00 00 00 mov DWORD PTR [esp+0x1c],0x0
8048708: 00
8048709: 83 bc 24 ac 00 00 00 cmp DWORD PTR [esp+0xac],0x0
8048710: 00
8048711: 75 56 jne 8048769 <main+0xa1>
8048713: c7 44 24 04 01 00 00 mov DWORD PTR [esp+0x4],0x1
804871a: 00
804871b: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1
8048722: e8 19 fe ff ff call 8048540 <prctl@plt>
8048727: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0
804872e: 00
804872f: c7 44 24 08 00 00 00 mov DWORD PTR [esp+0x8],0x0
8048736: 00
8048737: c7 44 24 04 00 00 00 mov DWORD PTR [esp+0x4],0x0
804873e: 00
804873f: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0
8048746: e8 25 fe ff ff call 8048570 <ptrace@plt>
804874b: c7 04 24 03 89 04 08 mov DWORD PTR [esp],0x8048903
8048752: e8 a9 fd ff ff call 8048500 <puts@plt>
8048757: 8d 44 24 20 lea eax,[esp+0x20]
804875b: 89 04 24 mov DWORD PTR [esp],eax
804875e: e8 4d fd ff ff call 80484b0 <gets@plt>
8048763: e9 b2 00 00 00 jmp 804881a <main+0x152>
8048768: 90 nop
8048769: 8d 44 24 1c lea eax,[esp+0x1c]
804876d: 89 04 24 mov DWORD PTR [esp],eax
8048770: e8 7b fd ff ff call 80484f0 <wait@plt>
8048775: 8b 44 24 1c mov eax,DWORD PTR [esp+0x1c]
8048779: 89 84 24 a0 00 00 00 mov DWORD PTR [esp+0xa0],eax
8048780: 8b 84 24 a0 00 00 00 mov eax,DWORD PTR [esp+0xa0]
8048787: 83 e0 7f and eax,0x7f
804878a: 85 c0 test eax,eax
804878c: 74 1e je 80487ac <main+0xe4>
804878e: 8b 44 24 1c mov eax,DWORD PTR [esp+0x1c]
8048792: 89 84 24 a4 00 00 00 mov DWORD PTR [esp+0xa4],eax
8048799: 8b 84 24 a4 00 00 00 mov eax,DWORD PTR [esp+0xa4]
80487a0: 83 e0 7f and eax,0x7f
80487a3: 83 c0 01 add eax,0x1
80487a6: d0 f8 sar al,1
80487a8: 84 c0 test al,al
80487aa: 7e 0e jle 80487ba <main+0xf2>
80487ac: c7 04 24 1d 89 04 08 mov DWORD PTR [esp],0x804891d
80487b3: e8 48 fd ff ff call 8048500 <puts@plt>
80487b8: eb 60 jmp 804881a <main+0x152>
80487ba: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0
80487c1: 00
80487c2: c7 44 24 08 2c 00 00 mov DWORD PTR [esp+0x8],0x2c
80487c9: 00
80487ca: 8b 84 24 ac 00 00 00 mov eax,DWORD PTR [esp+0xac]
80487d1: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
80487d5: c7 04 24 03 00 00 00 mov DWORD PTR [esp],0x3
80487dc: e8 8f fd ff ff call 8048570 <ptrace@plt>
80487e1: 89 84 24 a8 00 00 00 mov DWORD PTR [esp+0xa8],eax
80487e8: 83 bc 24 a8 00 00 00 cmp DWORD PTR [esp+0xa8],0xb
80487ef: 0b
80487f0: 0f 85 72 ff ff ff jne 8048768 <main+0xa0>
80487f6: c7 04 24 31 89 04 08 mov DWORD PTR [esp],0x8048931
80487fd: e8 fe fc ff ff call 8048500 <puts@plt>
8048802: c7 44 24 04 09 00 00 mov DWORD PTR [esp+0x4],0x9
8048809: 00
804880a: 8b 84 24 ac 00 00 00 mov eax,DWORD PTR [esp+0xac]
8048811: 89 04 24 mov DWORD PTR [esp],eax
8048814: e8 07 fd ff ff call 8048520 <kill@plt>
8048819: 90 nop
804881a: b8 00 00 00 00 mov eax,0x0
804881f: 8d 65 f8 lea esp,[ebp-0x8]
8048822: 5b pop ebx
8048823: 5f pop edi
8048824: 5d pop ebp
8048825: c3 ret
8048826: 90 nop
80486c8 - 80486d6 Sets up stack, does stack alignment and allocates 176 bytes on the stack80486d6 - 80486f4 Calls fork() and stores the return value on [esp+0xac] aka pid. Loads a buffer at [esp+0x20] aka child_input and call memset(child_input, 0, 32)80486f6 - 8048711 Write 0 to [esp+0xa8] aka ptrace_res and [esp+0x1c] aka wait_status. Check if pid == 0. If not, jump to 80487698048713 - 80487aa This is the child fork. Call prctl(1, 1) prctl man, which according to the header, is prctl(PR_SET_PDEATHSIG, SIGHUP). This will make the child receive a SIGHUP signal if the parent dies. Call ptrace(0, 0, 0, 0), which can be translated to ptrace(PTRACE_TRACEME, 0, 0, 0). What it does is that it allows the parent to inspect the childs program behaviour. puts(".Give me some shellcode, k") is called, a buffer is loaded at [esp+0x20] aka child_input and gets(child_input) is called. Once gets finished, the program returns.8048769 - 8048824 Call wait(&wait_status), write wait_status into a temp variable and and 127 or according to the header for wait WIFEXITED(wait_status). If its true, jump to 80487ac. Else, check WIFSIGNALED(wait_status). If its not true, jump to 80487ba.80487ac - 80487b8 Call puts("child is exiting") and return.80487ba - 8048824 Call ptrace(3, pid, 44, 0) which corresponds to ptrace(PTRACE_PEEKUSER, pid, 44, NULL); and write the return value to ptrace_res. Compare it with 11. If its not equal, return. Else, puts("no exec() for you") and kill(pid, 9) and return. Judging by the output, it seems like the ptrace is looking for an exec() call by the child before killing it.
level05
main
08048444 <main>:
8048444: 55 push ebp
8048445: 89 e5 mov ebp,esp
8048447: 57 push edi
8048448: 53 push ebx
8048449: 83 e4 f0 and esp,0xfffffff0
804844c: 81 ec 90 00 00 00 sub esp,0x90
8048452: c7 84 24 8c 00 00 00 mov DWORD PTR [esp+0x8c],0x0
8048459: 00 00 00 00
804845d: a1 f0 97 04 08 mov eax,ds:0x80497f0
8048462: 89 44 24 08 mov DWORD PTR [esp+0x8],eax
8048466: c7 44 24 04 64 00 00 mov DWORD PTR [esp+0x4],0x64
804846d: 00
804846e: 8d 44 24 28 lea eax,[esp+0x28]
8048472: 89 04 24 mov DWORD PTR [esp],eax
8048475: e8 d6 fe ff ff call 8048350 <fgets@plt>
804847a: c7 84 24 8c 00 00 00 mov DWORD PTR [esp+0x8c],0x0
8048481: 00 00 00 00
8048485: eb 4c jmp 80484d3 <main+0x8f>
8048487: 8d 44 24 28 lea eax,[esp+0x28]
804848b: 03 84 24 8c 00 00 00 add eax,DWORD PTR [esp+0x8c]
8048492: 0f b6 00 movzx eax,BYTE PTR [eax]
8048495: 3c 40 cmp al,0x40
8048497: 7e 32 jle 80484cb <main+0x87>
8048499: 8d 44 24 28 lea eax,[esp+0x28]
804849d: 03 84 24 8c 00 00 00 add eax,DWORD PTR [esp+0x8c]
80484a4: 0f b6 00 movzx eax,BYTE PTR [eax]
80484a7: 3c 5a cmp al,0x5a
80484a9: 7f 20 jg 80484cb <main+0x87>
80484ab: 8d 44 24 28 lea eax,[esp+0x28]
80484af: 03 84 24 8c 00 00 00 add eax,DWORD PTR [esp+0x8c]
80484b6: 0f b6 00 movzx eax,BYTE PTR [eax]
80484b9: 89 c2 mov edx,eax
80484bb: 83 f2 20 xor edx,0x20
80484be: 8d 44 24 28 lea eax,[esp+0x28]
80484c2: 03 84 24 8c 00 00 00 add eax,DWORD PTR [esp+0x8c]
80484c9: 88 10 mov BYTE PTR [eax],dl
80484cb: 83 84 24 8c 00 00 00 add DWORD PTR [esp+0x8c],0x1
80484d2: 01
80484d3: 8b 9c 24 8c 00 00 00 mov ebx,DWORD PTR [esp+0x8c]
80484da: 8d 44 24 28 lea eax,[esp+0x28]
80484de: c7 44 24 1c ff ff ff mov DWORD PTR [esp+0x1c],0xffffffff
80484e5: ff
80484e6: 89 c2 mov edx,eax
80484e8: b8 00 00 00 00 mov eax,0x0
80484ed: 8b 4c 24 1c mov ecx,DWORD PTR [esp+0x1c]
80484f1: 89 d7 mov edi,edx
80484f3: f2 ae repnz scas al,BYTE PTR es:[edi]
80484f5: 89 c8 mov eax,ecx
80484f7: f7 d0 not eax
80484f9: 83 e8 01 sub eax,0x1
80484fc: 39 c3 cmp ebx,eax
80484fe: 72 87 jb 8048487 <main+0x43>
8048500: 8d 44 24 28 lea eax,[esp+0x28]
8048504: 89 04 24 mov DWORD PTR [esp],eax
8048507: e8 34 fe ff ff call 8048340 <printf@plt>
804850c: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0
8048513: e8 58 fe ff ff call 8048370 <exit@plt>
8048518: 90 nop
8048444 - 804844c Prep stack and stack alignment, allocates 144 bytes for the stack.8048452 - 80484a9 Write 0 to a variable called count at [esp+0x8c]. Load a buffer from [esp+0x28] aka inputbuf, call fgets(inputbuf, 100, stdin). Write 0 to count again and then jump to 80484d3 (I dont know why its so abrupt, loop maybe?), load address inputbuf to a tmp variable and increment the address by count. Derefrence the inputbuf and compare it with 64 and 90. If its less or equals than 64 or more than 90 (not capital alphabet), jump to 80484cb.80484ab - 8048513 Load address of inputbuf and increment by count. Derefrence the index at inputbuf and xor 32 the element. inputbuf[count] = xorred_res and increment count. while strlen(inputbuf) is more than count, jump back to 8048487. When the loop exits, printf(inputbuf) and exit(0)
level06
main
8048879: 55 push ebp
804887a: 89 e5 mov ebp,esp
804887c: 83 e4 f0 and esp,0xfffffff0
804887f: 83 ec 50 sub esp,0x50
8048882: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
8048885: 89 44 24 1c mov DWORD PTR [esp+0x1c],eax
8048889: 65 a1 14 00 00 00 mov eax,gs:0x14
804888f: 89 44 24 4c mov DWORD PTR [esp+0x4c],eax
8048893: 31 c0 xor eax,eax
8048895: 50 push eax
8048896: 31 c0 xor eax,eax
8048898: 74 03 je 804889d <main+0x24>
804889a: 83 c4 04 add esp,0x4
804889d: 58 pop eax
804889e: c7 04 24 d4 8a 04 08 mov DWORD PTR [esp],0x8048ad4
80488a5: e8 e6 fc ff ff call 8048590 <puts@plt>
80488aa: c7 04 24 f8 8a 04 08 mov DWORD PTR [esp],0x8048af8
80488b1: e8 da fc ff ff call 8048590 <puts@plt>
80488b6: c7 04 24 d4 8a 04 08 mov DWORD PTR [esp],0x8048ad4
80488bd: e8 ce fc ff ff call 8048590 <puts@plt>
80488c2: b8 08 8b 04 08 mov eax,0x8048b08
80488c7: 89 04 24 mov DWORD PTR [esp],eax
80488ca: e8 41 fc ff ff call 8048510 <printf@plt>
80488cf: a1 60 a0 04 08 mov eax,ds:0x804a060
80488d4: 89 44 24 08 mov DWORD PTR [esp+0x8],eax
80488d8: c7 44 24 04 20 00 00 mov DWORD PTR [esp+0x4],0x20
80488df: 00
80488e0: 8d 44 24 2c lea eax,[esp+0x2c]
80488e4: 89 04 24 mov DWORD PTR [esp],eax
80488e7: e8 64 fc ff ff call 8048550 <fgets@plt>
80488ec: c7 04 24 d4 8a 04 08 mov DWORD PTR [esp],0x8048ad4
80488f3: e8 98 fc ff ff call 8048590 <puts@plt>
80488f8: c7 04 24 1c 8b 04 08 mov DWORD PTR [esp],0x8048b1c
80488ff: e8 8c fc ff ff call 8048590 <puts@plt>
8048904: c7 04 24 d4 8a 04 08 mov DWORD PTR [esp],0x8048ad4
804890b: e8 80 fc ff ff call 8048590 <puts@plt>
8048910: b8 40 8b 04 08 mov eax,0x8048b40
8048915: 89 04 24 mov DWORD PTR [esp],eax
8048918: e8 f3 fb ff ff call 8048510 <printf@plt>
804891d: b8 60 8a 04 08 mov eax,0x8048a60
8048922: 8d 54 24 28 lea edx,[esp+0x28]
8048926: 89 54 24 04 mov DWORD PTR [esp+0x4],edx
804892a: 89 04 24 mov DWORD PTR [esp],eax
804892d: e8 ae fc ff ff call 80485e0 <__isoc99_scanf@plt>
8048932: 8b 44 24 28 mov eax,DWORD PTR [esp+0x28]
8048936: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
804893a: 8d 44 24 2c lea eax,[esp+0x2c]
804893e: 89 04 24 mov DWORD PTR [esp],eax
8048941: e8 02 fe ff ff call 8048748 <auth>
8048946: 85 c0 test eax,eax
8048948: 75 1f jne 8048969 <main+0xf0>
804894a: c7 04 24 52 8b 04 08 mov DWORD PTR [esp],0x8048b52
8048951: e8 3a fc ff ff call 8048590 <puts@plt>
8048956: c7 04 24 61 8b 04 08 mov DWORD PTR [esp],0x8048b61
804895d: e8 3e fc ff ff call 80485a0 <system@plt>
8048962: b8 00 00 00 00 mov eax,0x0
8048967: eb 05 jmp 804896e <main+0xf5>
8048969: b8 01 00 00 00 mov eax,0x1
804896e: 8b 54 24 4c mov edx,DWORD PTR [esp+0x4c]
8048972: 65 33 15 14 00 00 00 xor edx,DWORD PTR gs:0x14
8048979: 74 05 je 8048980 <main+0x107>
804897b: e8 00 fc ff ff call 8048580 <__stack_chk_fail@plt>
8048980: c9 leave
8048981: c3 ret
8048982: 90 nop
8048879 - 804887f Set up stack frame, stack alignment and allocates 80 bytes for the stack8048882 - 8048898 Load argv into [esp+0x1c] aka argv and 20 into [esp+0x4c] aka canary. and save canary ^ canary in memory, aka canary_xor. canary ^ canary again, and if its true, jump to 804889d804889a - 80488ca Idk why they want to shrink the stack by 4 and pop the result to eax, I assume its for stack canary. Call these in order :
80488cf - 8048918 Load a buffer to [esp+0x2c] aka logininput and call fgets(logininput, 32, stdin) and calls these in order:
804891d - 804897b Load an unsigned int in [esp+0x28] aka serial_input. Call scanf("%u", &serialinput);. After that, call auth(logininput, serialinput). If the return value is not equal zero, check the stack overflow and return. If it is, system("/bin/sh")
auth
8048748: 55 push ebp
8048749: 89 e5 mov ebp,esp
804874b: 83 ec 28 sub esp,0x28
804874e: c7 44 24 04 63 8a 04 mov DWORD PTR [esp+0x4],0x8048a63
8048755: 08
8048756: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048759: 89 04 24 mov DWORD PTR [esp],eax
804875c: e8 bf fd ff ff call 8048520 <strcspn@plt>
8048761: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048764: c6 00 00 mov BYTE PTR [eax],0x0
8048767: c7 44 24 04 20 00 00 mov DWORD PTR [esp+0x4],0x20
804876e: 00
804876f: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048772: 89 04 24 mov DWORD PTR [esp],eax
8048775: e8 56 fe ff ff call 80485d0 <strnlen@plt>
804877a: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
804877d: 50 push eax
804877e: 31 c0 xor eax,eax
8048780: 74 03 je 8048785 <auth+0x3d>
8048782: 83 c4 04 add esp,0x4
8048785: 58 pop eax
8048786: 83 7d f4 05 cmp DWORD PTR [ebp-0xc],0x5
804878a: 7f 0a jg 8048796 <auth+0x4e>
804878c: b8 01 00 00 00 mov eax,0x1
8048791: e9 e1 00 00 00 jmp 8048877 <auth+0x12f>
8048796: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0
804879d: 00
804879e: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1
80487a5: 00
80487a6: c7 44 24 04 00 00 00 mov DWORD PTR [esp+0x4],0x0
80487ad: 00
80487ae: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0
80487b5: e8 36 fe ff ff call 80485f0 <ptrace@plt>
80487ba: 83 f8 ff cmp eax,0xffffffff
80487bd: 75 2e jne 80487ed <auth+0xa5>
80487bf: c7 04 24 68 8a 04 08 mov DWORD PTR [esp],0x8048a68
80487c6: e8 c5 fd ff ff call 8048590 <puts@plt>
80487cb: c7 04 24 8c 8a 04 08 mov DWORD PTR [esp],0x8048a8c
80487d2: e8 b9 fd ff ff call 8048590 <puts@plt>
80487d7: c7 04 24 b0 8a 04 08 mov DWORD PTR [esp],0x8048ab0
80487de: e8 ad fd ff ff call 8048590 <puts@plt>
80487e3: b8 01 00 00 00 mov eax,0x1
80487e8: e9 8a 00 00 00 jmp 8048877 <auth+0x12f>
80487ed: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
80487f0: 83 c0 03 add eax,0x3
80487f3: 0f b6 00 movzx eax,BYTE PTR [eax]
80487f6: 0f be c0 movsx eax,al
80487f9: 35 37 13 00 00 xor eax,0x1337
80487fe: 05 ed ed 5e 00 add eax,0x5eeded
8048803: 89 45 f0 mov DWORD PTR [ebp-0x10],eax
8048806: c7 45 ec 00 00 00 00 mov DWORD PTR [ebp-0x14],0x0
804880d: eb 4c jmp 804885b <auth+0x113>
804880f: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
8048812: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048815: 0f b6 00 movzx eax,BYTE PTR [eax]
8048818: 3c 1f cmp al,0x1f
804881a: 7f 07 jg 8048823 <auth+0xdb>
804881c: b8 01 00 00 00 mov eax,0x1
8048821: eb 54 jmp 8048877 <auth+0x12f>
8048823: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
8048826: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048829: 0f b6 00 movzx eax,BYTE PTR [eax]
804882c: 0f be c0 movsx eax,al
804882f: 89 c1 mov ecx,eax
8048831: 33 4d f0 xor ecx,DWORD PTR [ebp-0x10]
8048834: ba 2b 3b 23 88 mov edx,0x88233b2b
8048839: 89 c8 mov eax,ecx
804883b: f7 e2 mul edx
804883d: 89 c8 mov eax,ecx
804883f: 29 d0 sub eax,edx
8048841: d1 e8 shr eax,1
8048843: 01 d0 add eax,edx
8048845: c1 e8 0a shr eax,0xa
8048848: 69 c0 39 05 00 00 imul eax,eax,0x539
804884e: 89 ca mov edx,ecx
8048850: 29 c2 sub edx,eax
8048852: 89 d0 mov eax,edx
8048854: 01 45 f0 add DWORD PTR [ebp-0x10],eax
8048857: 83 45 ec 01 add DWORD PTR [ebp-0x14],0x1
804885b: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
804885e: 3b 45 f4 cmp eax,DWORD PTR [ebp-0xc]
8048861: 7c ac jl 804880f <auth+0xc7>
8048863: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
8048866: 3b 45 f0 cmp eax,DWORD PTR [ebp-0x10]
8048869: 74 07 je 8048872 <auth+0x12a>
804886b: b8 01 00 00 00 mov eax,0x1
8048870: eb 05 jmp 8048877 <auth+0x12f>
8048872: b8 00 00 00 00 mov eax,0x0
8048877: c9 leave
8048878: c3 ret
8048748: 55 push ebp
8048749: 89 e5 mov ebp,esp
804874b: 83 ec 28 sub esp,0x28
804874e: c7 44 24 04 63 8a 04 mov DWORD PTR [esp+0x4],0x8048a63
8048755: 08
8048756: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048759: 89 04 24 mov DWORD PTR [esp],eax
804875c: e8 bf fd ff ff call 8048520 <strcspn@plt>
8048761: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048764: c6 00 00 mov BYTE PTR [eax],0x0
8048767: c7 44 24 04 20 00 00 mov DWORD PTR [esp+0x4],0x20
804876e: 00
804876f: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8048772: 89 04 24 mov DWORD PTR [esp],eax
8048775: e8 56 fe ff ff call 80485d0 <strnlen@plt>
804877a: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
804877d: 50 push eax
804877e: 31 c0 xor eax,eax
8048780: 74 03 je 8048785 <auth+0x3d>
8048782: 83 c4 04 add esp,0x4
8048785: 58 pop eax
8048786: 83 7d f4 05 cmp DWORD PTR [ebp-0xc],0x5
804878a: 7f 0a jg 8048796 <auth+0x4e>
804878c: b8 01 00 00 00 mov eax,0x1
8048791: e9 e1 00 00 00 jmp 8048877 <auth+0x12f>
8048796: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0
804879d: 00
804879e: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1
80487a5: 00
80487a6: c7 44 24 04 00 00 00 mov DWORD PTR [esp+0x4],0x0
80487ad: 00
80487ae: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0
80487b5: e8 36 fe ff ff call 80485f0 <ptrace@plt>
80487ba: 83 f8 ff cmp eax,0xffffffff
80487bd: 75 2e jne 80487ed <auth+0xa5>
80487bf: c7 04 24 68 8a 04 08 mov DWORD PTR [esp],0x8048a68
80487c6: e8 c5 fd ff ff call 8048590 <puts@plt>
80487cb: c7 04 24 8c 8a 04 08 mov DWORD PTR [esp],0x8048a8c
80487d2: e8 b9 fd ff ff call 8048590 <puts@plt>
80487d7: c7 04 24 b0 8a 04 08 mov DWORD PTR [esp],0x8048ab0
80487de: e8 ad fd ff ff call 8048590 <puts@plt>
80487e3: b8 01 00 00 00 mov eax,0x1
80487e8: e9 8a 00 00 00 jmp 8048877 <auth+0x12f>
80487ed: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
80487f0: 83 c0 03 add eax,0x3
80487f3: 0f b6 00 movzx eax,BYTE PTR [eax]
80487f6: 0f be c0 movsx eax,al
80487f9: 35 37 13 00 00 xor eax,0x1337
80487fe: 05 ed ed 5e 00 add eax,0x5eeded
8048803: 89 45 f0 mov DWORD PTR [ebp-0x10],eax
8048806: c7 45 ec 00 00 00 00 mov DWORD PTR [ebp-0x14],0x0
804880d: eb 4c jmp 804885b <auth+0x113>
804880f: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
8048812: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048815: 0f b6 00 movzx eax,BYTE PTR [eax]
8048818: 3c 1f cmp al,0x1f
804881a: 7f 07 jg 8048823 <auth+0xdb>
804881c: b8 01 00 00 00 mov eax,0x1
8048821: eb 54 jmp 8048877 <auth+0x12f>
8048823: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
8048826: 03 45 08 add eax,DWORD PTR [ebp+0x8]
8048829: 0f b6 00 movzx eax,BYTE PTR [eax]
804882c: 0f be c0 movsx eax,al
804882f: 89 c1 mov ecx,eax
8048831: 33 4d f0 xor ecx,DWORD PTR [ebp-0x10]
8048834: ba 2b 3b 23 88 mov edx,0x88233b2b
8048839: 89 c8 mov eax,ecx
804883b: f7 e2 mul edx
804883d: 89 c8 mov eax,ecx
804883f: 29 d0 sub eax,edx
8048841: d1 e8 shr eax,1
8048843: 01 d0 add eax,edx
8048845: c1 e8 0a shr eax,0xa
8048848: 69 c0 39 05 00 00 imul eax,eax,0x539
804884e: 89 ca mov edx,ecx
8048850: 29 c2 sub edx,eax
8048852: 89 d0 mov eax,edx
8048854: 01 45 f0 add DWORD PTR [ebp-0x10],eax
8048857: 83 45 ec 01 add DWORD PTR [ebp-0x14],0x1
804885b: 8b 45 ec mov eax,DWORD PTR [ebp-0x14]
804885e: 3b 45 f4 cmp eax,DWORD PTR [ebp-0xc]
8048861: 7c ac jl 804880f <auth+0xc7>
8048863: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
8048866: 3b 45 f0 cmp eax,DWORD PTR [ebp-0x10]
8048869: 74 07 je 8048872 <auth+0x12a>
804886b: b8 01 00 00 00 mov eax,0x1
8048870: eb 05 jmp 8048877 <auth+0x12f>
8048872: b8 00 00 00 00 mov eax,0x0
8048877: c9 leave
8048878: c3 ret
8048748 - 804875c Set up stack and allocate 40 bytes for stack, load logininput to [epb+0x8] and call strcspn(logininput, "\n")8048761 - 804877a Replace the character "\n" with a nullbyte for logininput. Call strnlen(logininput, 32), save the result in a variable at [ebp-0xc] aka loginlen804877d - 80487b5 Do some weird canary shit until 8048785, where it checks if loginlen is greater than 5. If it is, jump to 8048796. If not, junp to 8048877 which returns. Calls ptrace(0, 0, 1, 0), can be translated to ptrace(PTRACE_TRACEME, 0, 1, 0) which means allow parent to trace me.80487bd - 80487e8 If the return value of the ptrace is -1, run the following in order:
80487ed - 8048818 Store logininput[3] in a temp variable and XOR it with 0x1337 (4919) and add 0x5eeded (6221293). The result is stored in [ebp-0x10] aka enc_logininput and 0 is stored in [ebp-0x14] aka count. Jump to 804885b (loop check). Derefrence logininput[count] and compares it with 31. If is less or equal than, return 1.8048823 - 8048861 logininput[count] is loaded into ecx and it is XOR'd against enc_logininput to eax. 0x88233b2b which is loaded into edx, and we are multiplying 0x88233b2b * **logininput[count]** and shifting the result by 1 to the right. It add back logininput[count] and shifts right by 10. It then multiplies 1337 and stores the value in eax. After that, enc_logininput -= logininput[count] and move enc_logininput to eax. enc_logininput + logininput[count] and increments count, compares count with login length.8048863 - 8048877 Compare serialinput with the enc_logininput If its equal, return 0, else return 1
level07
main
This section sets up the stack frame and does stack alignment. Also allocates 464 bytes on the stack.
This section takes in argv and writes it to [esp+0x1c] aka argv, also writes envp in [esp+0x18] aka envp, writes 20 in [esp+0x1cc] aka num1 and sets up the canary mechanism
Declares 6 variables on the stack, [esp+0x1b4] aka op_ret, [esp+0x1b8] aka user_cmd, [esp+0x1bc] aka var3, [esp+0x1c0] aka var4, [esp+0x1c4] aka var5, [esp+0x1c8] aka var7, all of them have value 0 inside them. var3 to var7 may be part of the same array.
Load a buffer from [esp+0x24] aka meat and call memset(meat, 0, 100) and jump to 80487ea (looks like a loop).
Load argv from argv and calls strlen on it after defref strlen(*argv) and call memset(*argv, 0, <strlen res>). Increment the address of argv by 4 (next argument) and compare it with 0. If its not equal, loop back to 80487a7, essentially repeating this until argv is fully cleared.
Do the same thing for envp.
Call these in order :-
Once the fgets returns, find the newline character in the string and replace it with a nullbyte using .
Comapre user_cmd with "store" using strncmp(user_cmd, "store", 5). If its not equal, jump to 80488f8, which should check next command. If it is, call store_number(meat) and place the return value at op_ret, go back to the loop start by jumping to 8048965
Do the same thing to read, strncmp(user_cmd, "read", 4) and call read_number(meat) , saving the output at op_ret and jumping to 8048965
Do the same thing to "quit", strncmp(user_cmd, "quit", 4) and jump to 80489cf, which checks for canary and returns.
Check for empty op_ret If it is empty or 0, jump to 8048989 which calls
printf(" Completed %s command successfully\n", user_cmd), clears all vars and goes back to loop. If the loop exits, check canary and return.
If op_ret is non zero, call printf("Failed to do %s command\n", user_cmd)
read_number
Sets up stack and allocates 40 bytes on the stack. Clears out [ebp-0xc] aka num_input and calls printf("Index: ") and then calls get_unum(), and stores the value in num_input. The number is then shifted left by 2 and added by the first argument in [ebp+0x8] aka meat. meat is then derefrenced and put to edx and calls printf("Number at data[%u] is %u, ", num_input, meat). Returns 0
store_number
Sets up stack and allocates 40 bytes on the stack. Clears up [ebp-0x10] aka num_input and [ebp-0xc] aka idx_input. Call printf("Number: ") and then call get_unum(), which assigns the return value to num_input Do the same for idx_input, with the print being printf("Index: "). The pseudocode for 8048671 - 8048686 is like so.
If the condition is true jump to 8048697 which calls
and return 1
The pseudocode for 804868a - 8048690 is like so
If its not true, jump to 80486c2 which does meat[idx_input] = num_input;
and return 0. jump to 8048697 if its not.
get_unum
Setup stack and allocate 40 bytes for the stack, declare a variable at [ebp-0xc] aka res, call fflush(stdout) and then scanf("%u", &res). Call clear_stdin() and return res
clear_stdin
Setup stack and allocate 24 bytes for the stack, declare a variable at [ebp-0x9] aka curr, jump to 80485d1 (loop start), calls getchar() and stores ret value at curr. Compare curr with '\n' and -1. Return of they are either equal. jump back to 80485d0 if they are not (infinite loop)
HackMD
