Skip to content

Latest commit

 

History

History
182 lines (155 loc) · 9.76 KB

File metadata and controls

182 lines (155 loc) · 9.76 KB

Disassembly

Here's a deeper look into main().

(gdb) disas main
Dump of assembler code for function main:

   0x0804885a <+0>:	push   %ebp
   0x0804885b <+1>:	mov    %esp,%ebp
   
   0x0804885d <+3>:	and    $0xfffffff0,%esp                         ; align the stack on 16 bytes
   0x08048860 <+6>:	sub    $0x20,%esp                               ; allocates 32 bytes on stack for local variables
   0x08048863 <+9>:	push   %eax
   0x08048864 <+10>:	xor    %eax,%eax                                ; sets eax to zero (the most efficient way)
   0x08048866 <+12>:	je     0x804886b <main+17>
   0x08048868 <+14>:	add    $0x4,%esp                                ; 4 bytes... size of an int?
   0x0804886b <+17>:	pop    %eax
   
   0x0804886c <+18>:	movl   $0x0,(%esp)                              ; load value of 0
   0x08048873 <+25>:	call   0x80484b0 <time@plt>                     ; time(0)
   
   0x08048878 <+30>:	mov    %eax,(%esp)
   0x0804887b <+33>:	call   0x8048500 <srand@plt>                    ; srand(time(0))
   
   0x08048880 <+38>:	movl   $0x8048a48,(%esp)
   0x08048887 <+45>:	call   0x80484d0 <puts@plt>                     ; puts("***********************************");
   0x0804888c <+50>:	movl   $0x8048a6c,(%esp)
   0x08048893 <+57>:	call   0x80484d0 <puts@plt>                     ; puts("*\t\tlevel03\t\t**");
   0x08048898 <+62>:	movl   $0x8048a48,(%esp)
   0x0804889f <+69>:	call   0x80484d0 <puts@plt>                     ; puts("***********************************");
   0x080488a4 <+74>:	mov    $0x8048a7b,%eax
   0x080488a9 <+79>:	mov    %eax,(%esp)                              ; set argument 1, esp: "Password:"
   0x080488ac <+82>:	call   0x8048480 <printf@plt>                   ; printf("Password:");
   
   0x080488b1 <+87>:	mov    $0x8048a85,%eax                          ; %d
   0x080488b6 <+92>:	lea    0x1c(%esp),%edx                          ; input
   0x080488ba <+96>:	mov    %edx,0x4(%esp)                           ; set argument 2, esp+4: input
   0x080488be <+100>:	mov    %eax,(%esp)                              ; set argument 1, esp: %d
   0x080488c1 <+103>:	call   0x8048530 <__isoc99_scanf@plt>
   
   0x080488c6 <+108>:	mov    0x1c(%esp),%eax                          ; return of scanf: input
   0x080488ca <+112>:	movl   $0x1337d00d,0x4(%esp)                    ; set argument 2, esp+4: value 322424845
   0x080488d2 <+120>:	mov    %eax,(%esp)                              ; set argument 1, esp: input
   0x080488d5 <+123>:	call   0x8048747 <test>                         ; test(input, 322424845);
   0x080488da <+128>:	mov    $0x0,%eax
   
   0x080488df <+133>:	leave
   0x080488e0 <+134>:	ret

Here's a deeper look into test().

(gdb) disas test
Dump of assembler code for function test:
   0x08048747 <+0>:	push   %ebp
   0x08048748 <+1>:	mov    %esp,%ebp
   0x0804874a <+3>:	sub    $0x28,%esp                                  ; allocates 40 bytes on stack for local variables
   
   0x0804874d <+6>:	mov    0x8(%ebp),%eax                              ; ebp+8, DWORD PTR
   0x08048750 <+9>:	mov    0xc(%ebp),%edx                              ; ebp+0xc, DWORD PTR
   0x08048753 <+12>:	mov    %edx,%ecx
   0x08048755 <+14>:	sub    %eax,%ecx                                   ; 322424845 - input
   0x08048757 <+16>:	mov    %ecx,%eax
   0x08048759 <+18>:	mov    %eax,-0xc(%ebp)                             ; key = 322424845 - input
   0x0804875c <+21>:	cmpl   $0x15,-0xc(%ebp)                            ; if key > 21
   0x08048760 <+25>:	ja     0x804884a <test+259>                        ; jump if above
   
   0x08048766 <+31>:	mov    -0xc(%ebp),%eax
   0x08048769 <+34>:	shl    $0x2,%eax                                   ; shift
   0x0804876c <+37>:	add    $0x80489f0,%eax
   0x08048771 <+42>:	mov    (%eax),%eax
   0x08048773 <+44>:	jmp    *%eax
   0x08048775 <+46>:	mov    -0xc(%ebp),%eax
   0x08048778 <+49>:	mov    %eax,(%esp)
   0x0804877b <+52>:	call   0x8048660 <decrypt>                         ; decrypt(key)
   0x08048780 <+57>:	jmp    0x8048858 <test+273>
   0x08048785 <+62>:	mov    -0xc(%ebp),%eax
   0x08048788 <+65>:	mov    %eax,(%esp)
   0x0804878b <+68>:	call   0x8048660 <decrypt>
   0x08048790 <+73>:	jmp    0x8048858 <test+273>
[...]
   0x0804884a <+259>:	call   0x8048520 <rand@plt>                     ; rand()
   0x0804884f <+264>:	mov    %eax,(%esp)
   0x08048852 <+267>:	call   0x8048660 <decrypt>                      ; decrypt(rand())
   
   0x08048857 <+272>:	nop
   0x08048858 <+273>:	leave
   0x08048859 <+274>:	ret

Here's a deeper look into decrypt().

(gdb) disas decrypt
Dump of assembler code for function decrypt:

   0x08048660 <+0>:	push   %ebp
   0x08048661 <+1>:	mov    %esp,%ebp
   
   0x08048663 <+3>:	push   %edi
   0x08048664 <+4>:	push   %esi
   0x08048665 <+5>:	sub    $0x40,%esp                                  ; allocates 64 bytes on stack for local variables
   
   0x08048668 <+8>:	mov    %gs:0x14,%eax                               ; read 4 bytes into eax from memory at address gs:0x14
   0x0804866e <+14>:	mov    %eax,-0xc(%ebp)                             ; local variable esp-0xc
   0x08048671 <+17>:	xor    %eax,%eax                                   ; sets eax to zero (the most efficient way)
   
   0x08048673 <+19>:	movl   $0x757c7d51,-0x1d(%ebp)                     ; "Q}|u`sfg~sf{}|a". <- crypt
   0x0804867a <+26>:	movl   $0x67667360,-0x19(%ebp)                     ; "`sfg~sf{}|a"
   0x08048681 <+33>:	movl   $0x7b66737e,-0x15(%ebp)                     ; "~sf{}|a"
   0x08048688 <+40>:	movl   $0x33617c7d,-0x11(%ebp)                     ;  "}|a"
   0x0804868f <+47>:	movb   $0x0,-0xd(%ebp)                             ; "\0"
   0x08048693 <+51>:	push   %eax
   
   0x08048694 <+52>:	xor    %eax,%eax                                   ; sets eax to zero
   0x08048696 <+54>:	je     0x804869b <decrypt+59>
   
   0x08048698 <+56>:	add    $0x4,%esp                                   ; add 4 empty bytes "" to esp ?
   0x0804869b <+59>:	pop    %eax
   0x0804869c <+60>:	lea    -0x1d(%ebp),%eax                            ; load crypt into eax
   0x0804869f <+63>:	movl   $0xffffffff,-0x2c(%ebp)                     ; alignment?
   0x080486a6 <+70>:	mov    %eax,%edx                                   ; load 0xffffffff into edx
   0x080486a8 <+72>:	mov    $0x0,%eax
   0x080486ad <+77>:	mov    -0x2c(%ebp),%ecx                            ; load 0xffffffff into ecx
   0x080486b0 <+80>:	mov    %edx,%edi                                   ; load crypt into edi
   0x080486b2 <+82>:	repnz scas %es:(%edi),%al                          ; strlen(crypt)
   0x080486b4 <+84>:	mov    %ecx,%eax
   0x080486b6 <+86>:	not    %eax
   0x080486b8 <+88>:	sub    $0x1,%eax
   0x080486bb <+91>:	mov    %eax,-0x24(%ebp)                            ; size_t len = strlen(crypt)
   0x080486be <+94>:	movl   $0x0,-0x28(%ebp)                            ; int i = 0
   0x080486c5 <+101>:	jmp    0x80486e5 <decrypt+133>
   
   0x080486c7 <+103>:	lea    -0x1d(%ebp),%eax                         ; crypt
   0x080486ca <+106>:	add    -0x28(%ebp),%eax                         ; 32 bytes? index?
   0x080486cd <+109>:	movzbl (%eax),%eax                              ; return crypt[i]
   0x080486d0 <+112>:	mov    %eax,%edx
   
   0x080486d2 <+114>:	mov    0x8(%ebp),%eax                           ; input?
   0x080486d5 <+117>:	xor    %edx,%eax
   0x080486d7 <+119>:	mov    %eax,%edx
   0x080486d9 <+121>:	lea    -0x1d(%ebp),%eax
   0x080486dc <+124>:	add    -0x28(%ebp),%eax
   0x080486df <+127>:	mov    %dl,(%eax)                               ; crypt[i] = crypt[i] ^ value; //// need to edit this after reconstruct binary
   0x080486e1 <+129>:	addl   $0x1,-0x28(%ebp)
   0x080486e5 <+133>:	mov    -0x28(%ebp),%eax
   0x080486e8 <+136>:	cmp    -0x24(%ebp),%eax                         ; while i (ebp-0x28) < len (ebp-0x24)
   0x080486eb <+139>:	jb     0x80486c7 <decrypt+103>
   
   0x080486ed <+141>:	lea    -0x1d(%ebp),%eax                            ; buf
   0x080486f0 <+144>:	mov    %eax,%edx
   0x080486f2 <+146>:	mov    $0x80489c3,%eax                             ; "Congratulations!"
   0x080486f7 <+151>:	mov    $0x11,%ecx                                  ; value of 17
   0x080486fc <+156>:	mov    %edx,%esi
   0x080486fe <+158>:	mov    %eax,%edi
   0x08048700 <+160>:	repz cmpsb %es:(%edi),%ds:(%esi)                   ; strncmp - loops comparing values in ES:EDI and DS:ESI, continues until ECX is zero or a mismatching byte is found
   0x08048702 <+162>:	seta   %dl                                         ; sets DL if previous comparison results in >
   0x08048705 <+165>:	setb   %al                                         ; sets AL if previous comparison results in <
   0x08048708 <+168>:	mov    %edx,%ecx
   0x0804870a <+170>:	sub    %al,%cl
   0x0804870c <+172>:	mov    %ecx,%eax
   0x0804870e <+174>:	movsbl %al,%eax
   0x08048711 <+177>:	test   %eax,%eax                                   ; if (strncmp(crypt, "Congratulations",17) == 0)
   0x08048713 <+179>:	jne    0x8048723 <decrypt+195>
   
   0x08048715 <+181>:	movl   $0x80489d4,(%esp)                           ; "/bin/sh"
   0x0804871c <+188>:	call   0x80484e0 <system@plt>                      ; system("/bin/sh")
   
   0x08048721 <+193>:	jmp    0x804872f <decrypt+207>
   
   0x08048723 <+195>:	movl   $0x80489dc,(%esp)
   0x0804872a <+202>:	call   0x80484d0 <puts@plt>                        ; puts("\nInvalid Password")
   
   0x0804872f <+207>:	mov    -0xc(%ebp),%esi
   0x08048732 <+210>:	xor    %gs:0x14,%esi
   0x08048739 <+217>:	je     0x8048740 <decrypt+224>
   0x0804873b <+219>:	call   0x80484c0 <__stack_chk_fail@plt>
   0x08048740 <+224>:	add    $0x40,%esp
   0x08048743 <+227>:	pop    %esi
   0x08048744 <+228>:	pop    %edi
   0x08048745 <+229>:	pop    %ebp
   0x08048746 <+230>:	ret