diff options
-rw-r--r-- | notes | 325 |
1 files changed, 325 insertions, 0 deletions
@@ -1,2 +1,327 @@ +0x5f5e0ff doesn't cause a segfault... +but calc: Contains the main calulator function, including calling get_expr. 08048e44 get_expr: gets user input, look into this! + + + +during crash 1: + +mov DWORD PTR [edx+eax*4+0x4], ecx +$eax : 0x0 +$ecx : 0x98967f +$edx : 0xffffcb18 → 0x00000001 + + + + + +calc+56: right before get_expr +calc+113: right before parce_expr + +0x080f05e8 +0x080f05f8 + +either eax or edx + +08048e44 <get_expr>: + 8048e44: 55 push ebp + 8048e45: 89 e5 mov ebp,esp + 8048e47: 83 ec 28 sub esp,0x28 ; 40 bytes available + 8048e4a: c7 45 f4 00 00 00 00 mov DWORD PTR [ebp-0xc],0x0 ; our counter, which starts at zero + 8048e51: eb 76 jmp 8048ec9 <get_expr+0x85> ; jumps to the place that compares length to 1024 + 8048e53: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1 ; jump 2 + 8048e5a: 00 + 8048e5b: 8d 45 f3 lea eax,[ebp-0xd] ; just setting up for the read call + 8048e5e: 89 44 24 04 mov DWORD PTR [esp+0x4],eax ; just setting up for the read call + 8048e62: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0 ; just setting up for the read call + 8048e69: e8 62 58 02 00 call 806e6d0 <__libc_read> ; puts one of our input into eax + 8048e6e: 83 f8 ff cmp eax,0xffffffff ; if our read returns an error + 8048e71: 74 5e je 8048ed1 <get_expr+0x8d> ; then jump 3 + 8048e73: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd] + 8048e77: 3c 0a cmp al,0xa ; if byte is newline + 8048e79: 74 56 je 8048ed1 <get_expr+0x8d> ; then jump 3 + 8048e7b: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd] + 8048e7f: 3c 2b cmp al,0x2b ; if byte is + + 8048e81: 74 30 je 8048eb3 <get_expr+0x6f> ; then jump 4 + 8048e83: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd] + 8048e87: 3c 2d cmp al,0x2d ; if byte is - + 8048e89: 74 28 je 8048eb3 <get_expr+0x6f> ; then jump 4 + 8048e8b: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd] + 8048e8f: 3c 2a cmp al,0x2a ; if byte is * + 8048e91: 74 20 je 8048eb3 <get_expr+0x6f> ; then jump 4 + 8048e93: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd] + 8048e97: 3c 2f cmp al,0x2f ; if byte is / + 8048e99: 74 18 je 8048eb3 <get_expr+0x6f> ; then jump 4 + 8048e9b: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd] + 8048e9f: 3c 25 cmp al,0x25 ; if byte is % + 8048ea1: 74 10 je 8048eb3 <get_expr+0x6f> ; then jump 4 + 8048ea3: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd] + 8048ea7: 3c 2f cmp al,0x2f ; if byte <= / + 8048ea9: 7e 1e jle 8048ec9 <get_expr+0x85> ; then jump 1 + 8048eab: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd] + 8048eaf: 3c 39 cmp al,0x39 ; if byte > '9' (if letter) + 8048eb1: 7f 16 jg 8048ec9 <get_expr+0x85> ; then jump 1 + 8048eb3: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc] ; jump 4 + 8048eb6: 8d 50 01 lea edx,[eax+0x1] + 8048eb9: 89 55 f4 mov DWORD PTR [ebp-0xc],edx ; puts quanity into the thing + 8048ebc: 89 c2 mov edx,eax + 8048ebe: 8b 45 08 mov eax,DWORD PTR [ebp+0x8] ; this is where the amount of letters we have is + 8048ec1: 01 c2 add edx,eax ; here, edx contains the address of the string, and eax contains the length (1). + 8048ec3: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd] ; We move the input back into register eax. + 8048ec7: 88 02 mov BYTE PTR [edx],al ; this puts the actual letter in edx, which is where the string pointer was added from two instructions ago. + 8048ec9: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc] ; We move the quanity to eax, JUMP 1 + 8048ecc: 3b 45 0c cmp eax,DWORD PTR [ebp+0xc] ; and compare it with this static variable that's a value of 1024. + 8048ecf: 7c 82 jl 8048e53 <get_expr+0xf> ; if len < 1024, go to jump 2 + + 8048ed1: 8b 55 f4 mov edx,DWORD PTR [ebp-0xc] ; jump 3. This puts the quanity into edx. + 8048ed4: 8b 45 08 mov eax,DWORD PTR [ebp+0x8] ; This puts the begning of the string into eax. + 8048ed7: 01 d0 add eax,edx ; Finds the end of the string for some reason? + 8048ed9: c6 00 00 mov BYTE PTR [eax],0x0 ; We terminate it with a null pointer (this may be importaint). + 8048edc: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc] ; Move quanity back into eax. + 8048edf: c9 leave + 8048ee0: c3 ret + + +parse_expr: + +0804902a <parse_expr>: + 804902a: 55 push ebp + 804902b: 89 e5 mov ebp,esp + 804902d: 53 push ebx + 804902e: 81 ec a4 00 00 00 sub esp,0xa4 + 8049034: 8b 45 08 mov eax,DWORD PTR [ebp+0x8] + 8049037: 89 85 74 ff ff ff mov DWORD PTR [ebp-0x8c],eax + 804903d: 8b 45 0c mov eax,DWORD PTR [ebp+0xc] + 8049040: 89 85 70 ff ff ff mov DWORD PTR [ebp-0x90],eax + 8049046: 65 a1 14 00 00 00 mov eax,gs:0x14 + 804904c: 89 45 f4 mov DWORD PTR [ebp-0xc],eax + 804904f: 31 c0 xor eax,eax + 8049051: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 8049057: 89 85 78 ff ff ff mov DWORD PTR [ebp-0x88],eax + 804905d: c7 45 80 00 00 00 00 mov DWORD PTR [ebp-0x80],0x0 + 8049064: c7 44 24 04 64 00 00 mov DWORD PTR [esp+0x4],0x64 + 804906b: 00 + 804906c: 8d 45 90 lea eax,[ebp-0x70] + 804906f: 89 04 24 mov DWORD PTR [esp],eax + 8049072: e8 c9 f1 ff ff call 8048240 <.plt+0x60> + 8049077: c7 85 7c ff ff ff 00 mov DWORD PTR [ebp-0x84],0x0 + 804907e: 00 00 00 + 8049081: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84] + 8049087: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 804908d: 01 d0 add eax,edx + 804908f: 0f b6 00 movzx eax,BYTE PTR [eax] + 8049092: 0f be c0 movsx eax,al + 8049095: 83 e8 30 sub eax,0x30 + 8049098: 83 f8 09 cmp eax,0x9 + 804909b: 0f 86 83 02 00 00 jbe 8049324 <parse_expr+0x2fa> + 80490a1: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84] + 80490a7: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 80490ad: 01 d0 add eax,edx + 80490af: 89 c2 mov edx,eax + 80490b1: 8b 85 78 ff ff ff mov eax,DWORD PTR [ebp-0x88] + 80490b7: 29 c2 sub edx,eax + 80490b9: 89 d0 mov eax,edx + 80490bb: 89 45 84 mov DWORD PTR [ebp-0x7c],eax + 80490be: 8b 45 84 mov eax,DWORD PTR [ebp-0x7c] + 80490c1: 83 c0 01 add eax,0x1 + 80490c4: 89 04 24 mov DWORD PTR [esp],eax + 80490c7: e8 b4 0e 01 00 call 8059f80 <__libc_malloc> BNOTE: Allocates for memcpy call in a few instructinos + 80490cc: 89 45 88 mov DWORD PTR [ebp-0x78],eax + 80490cf: 8b 45 84 mov eax,DWORD PTR [ebp-0x7c] + 80490d2: 89 44 24 08 mov DWORD PTR [esp+0x8],eax + 80490d6: 8b 85 78 ff ff ff mov eax,DWORD PTR [ebp-0x88] + 80490dc: 89 44 24 04 mov DWORD PTR [esp+0x4],eax + 80490e0: 8b 45 88 mov eax,DWORD PTR [ebp-0x78] + 80490e3: 89 04 24 mov DWORD PTR [esp],eax + 80490e6: e8 95 45 01 00 call 805d680 <memcpy> BNOTE: 0x080f05e8 returned? + 80490eb: 8b 55 84 mov edx,DWORD PTR [ebp-0x7c] + 80490ee: 8b 45 88 mov eax,DWORD PTR [ebp-0x78] + 80490f1: 01 d0 add eax,edx + 80490f3: c6 00 00 mov BYTE PTR [eax],0x0 + 80490f6: c7 44 24 04 a8 f7 0b mov DWORD PTR [esp+0x4],0x80bf7a8 + 80490fd: 08 + 80490fe: 8b 45 88 mov eax,DWORD PTR [ebp-0x78] + 8049101: 89 04 24 mov DWORD PTR [esp],eax + 8049104: e8 97 f1 ff ff call 80482a0 <.plt+0xc0> + 8049109: 85 c0 test eax,eax + 804910b: 75 23 jne 8049130 <parse_expr+0x106> + 804910d: c7 04 24 aa f7 0b 08 mov DWORD PTR [esp],0x80bf7aa + 8049114: e8 a7 73 00 00 call 80504c0 <_IO_puts> + 8049119: a1 c0 c4 0e 08 mov eax,ds:0x80ec4c0 + 804911e: 89 04 24 mov DWORD PTR [esp],eax + 8049121: e8 5a 71 00 00 call 8050280 <_IO_fflush> + 8049126: b8 00 00 00 00 mov eax,0x0 + 804912b: e9 2f 02 00 00 jmp 804935f <parse_expr+0x335> + 8049130: 8b 45 88 mov eax,DWORD PTR [ebp-0x78] + 8049133: 89 04 24 mov DWORD PTR [esp],eax + 8049136: e8 35 54 00 00 call 804e570 <atoi> + 804913b: 89 45 8c mov DWORD PTR [ebp-0x74],eax + 804913e: 83 7d 8c 00 cmp DWORD PTR [ebp-0x74],0x0 + 8049142: 7e 20 jle 8049164 <parse_expr+0x13a> + 8049144: 8b 85 70 ff ff ff mov eax,DWORD PTR [ebp-0x90] + 804914a: 8b 00 mov eax,DWORD PTR [eax] + 804914c: 8d 48 01 lea ecx,[eax+0x1] + 804914f: 8b 95 70 ff ff ff mov edx,DWORD PTR [ebp-0x90] + 8049155: 89 0a mov DWORD PTR [edx],ecx + 8049157: 8b 95 70 ff ff ff mov edx,DWORD PTR [ebp-0x90] + 804915d: 8b 4d 8c mov ecx,DWORD PTR [ebp-0x74] + 8049160: 89 4c 82 04 mov DWORD PTR [edx+eax*4+0x4],ecx //can cause segfault + 8049164: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84] + 804916a: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 8049170: 01 d0 add eax,edx + 8049172: 0f b6 00 movzx eax,BYTE PTR [eax] + 8049175: 84 c0 test al,al + 8049177: 74 1f je 8049198 <parse_expr+0x16e> + 8049179: 8b 85 7c ff ff ff mov eax,DWORD PTR [ebp-0x84] + 804917f: 8d 50 01 lea edx,[eax+0x1] + 8049182: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 8049188: 01 d0 add eax,edx + 804918a: 0f b6 00 movzx eax,BYTE PTR [eax] + 804918d: 0f be c0 movsx eax,al + 8049190: 83 e8 30 sub eax,0x30 + 8049193: 83 f8 09 cmp eax,0x9 + 8049196: 77 28 ja 80491c0 <parse_expr+0x196> + 8049198: 8b 85 7c ff ff ff mov eax,DWORD PTR [ebp-0x84] + 804919e: 8d 50 01 lea edx,[eax+0x1] + 80491a1: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 80491a7: 01 d0 add eax,edx + 80491a9: 89 85 78 ff ff ff mov DWORD PTR [ebp-0x88],eax + 80491af: 8d 55 90 lea edx,[ebp-0x70] + 80491b2: 8b 45 80 mov eax,DWORD PTR [ebp-0x80] + 80491b5: 01 d0 add eax,edx + 80491b7: 0f b6 00 movzx eax,BYTE PTR [eax] + 80491ba: 84 c0 test al,al + 80491bc: 74 25 je 80491e3 <parse_expr+0x1b9> + 80491be: eb 43 jmp 8049203 <parse_expr+0x1d9> + 80491c0: c7 04 24 c3 f7 0b 08 mov DWORD PTR [esp],0x80bf7c3 + 80491c7: e8 f4 72 00 00 call 80504c0 <_IO_puts> + 80491cc: a1 c0 c4 0e 08 mov eax,ds:0x80ec4c0 + 80491d1: 89 04 24 mov DWORD PTR [esp],eax + 80491d4: e8 a7 70 00 00 call 8050280 <_IO_fflush> + 80491d9: b8 00 00 00 00 mov eax,0x0 + 80491de: e9 7c 01 00 00 jmp 804935f <parse_expr+0x335> + 80491e3: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84] + 80491e9: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 80491ef: 01 d0 add eax,edx + 80491f1: 0f b6 00 movzx eax,BYTE PTR [eax] + 80491f4: 8d 4d 90 lea ecx,[ebp-0x70] + 80491f7: 8b 55 80 mov edx,DWORD PTR [ebp-0x80] + 80491fa: 01 ca add edx,ecx + 80491fc: 88 02 mov BYTE PTR [edx],al + 80491fe: e9 09 01 00 00 jmp 804930c <parse_expr+0x2e2> + 8049203: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84] + 8049209: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 804920f: 01 d0 add eax,edx + 8049211: 0f b6 00 movzx eax,BYTE PTR [eax] + 8049214: 0f be c0 movsx eax,al + 8049217: 83 e8 25 sub eax,0x25 + 804921a: 83 f8 0a cmp eax,0xa + 804921d: 0f 87 c5 00 00 00 ja 80492e8 <parse_expr+0x2be> + 8049223: 8b 04 85 d8 f7 0b 08 mov eax,DWORD PTR [eax*4+0x80bf7d8] + 804922a: ff e0 jmp eax + 804922c: 8d 55 90 lea edx,[ebp-0x70] + 804922f: 8b 45 80 mov eax,DWORD PTR [ebp-0x80] + 8049232: 01 d0 add eax,edx + 8049234: 0f b6 00 movzx eax,BYTE PTR [eax] + 8049237: 0f be c0 movsx eax,al + 804923a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax + 804923e: 8b 85 70 ff ff ff mov eax,DWORD PTR [ebp-0x90] + 8049244: 89 04 24 mov DWORD PTR [esp],eax + 8049247: e8 95 fc ff ff call 8048ee1 <eval> + 804924c: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84] + 8049252: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 8049258: 01 d0 add eax,edx + 804925a: 0f b6 00 movzx eax,BYTE PTR [eax] + 804925d: 8d 4d 90 lea ecx,[ebp-0x70] + 8049260: 8b 55 80 mov edx,DWORD PTR [ebp-0x80] + 8049263: 01 ca add edx,ecx + 8049265: 88 02 mov BYTE PTR [edx],al + 8049267: e9 a0 00 00 00 jmp 804930c <parse_expr+0x2e2> + 804926c: 8d 55 90 lea edx,[ebp-0x70] + 804926f: 8b 45 80 mov eax,DWORD PTR [ebp-0x80] + 8049272: 01 d0 add eax,edx + 8049274: 0f b6 00 movzx eax,BYTE PTR [eax] + 8049277: 3c 2b cmp al,0x2b + 8049279: 74 0f je 804928a <parse_expr+0x260> + 804927b: 8d 55 90 lea edx,[ebp-0x70] + 804927e: 8b 45 80 mov eax,DWORD PTR [ebp-0x80] + 8049281: 01 d0 add eax,edx + 8049283: 0f b6 00 movzx eax,BYTE PTR [eax] + 8049286: 3c 2d cmp al,0x2d + 8049288: 75 21 jne 80492ab <parse_expr+0x281> + 804928a: 83 45 80 01 add DWORD PTR [ebp-0x80],0x1 + 804928e: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84] + 8049294: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 804929a: 01 d0 add eax,edx + 804929c: 0f b6 00 movzx eax,BYTE PTR [eax] + 804929f: 8d 4d 90 lea ecx,[ebp-0x70] + 80492a2: 8b 55 80 mov edx,DWORD PTR [ebp-0x80] + 80492a5: 01 ca add edx,ecx + 80492a7: 88 02 mov BYTE PTR [edx],al + 80492a9: eb 61 jmp 804930c <parse_expr+0x2e2> + 80492ab: 8d 55 90 lea edx,[ebp-0x70] + 80492ae: 8b 45 80 mov eax,DWORD PTR [ebp-0x80] + 80492b1: 01 d0 add eax,edx + 80492b3: 0f b6 00 movzx eax,BYTE PTR [eax] + 80492b6: 0f be c0 movsx eax,al + 80492b9: 89 44 24 04 mov DWORD PTR [esp+0x4],eax + 80492bd: 8b 85 70 ff ff ff mov eax,DWORD PTR [ebp-0x90] + 80492c3: 89 04 24 mov DWORD PTR [esp],eax + 80492c6: e8 16 fc ff ff call 8048ee1 <eval> + 80492cb: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84] + 80492d1: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 80492d7: 01 d0 add eax,edx + 80492d9: 0f b6 00 movzx eax,BYTE PTR [eax] + 80492dc: 8d 4d 90 lea ecx,[ebp-0x70] + 80492df: 8b 55 80 mov edx,DWORD PTR [ebp-0x80] + 80492e2: 01 ca add edx,ecx + 80492e4: 88 02 mov BYTE PTR [edx],al + 80492e6: eb 24 jmp 804930c <parse_expr+0x2e2> + 80492e8: 8d 55 90 lea edx,[ebp-0x70] + 80492eb: 8b 45 80 mov eax,DWORD PTR [ebp-0x80] + 80492ee: 01 d0 add eax,edx + 80492f0: 0f b6 00 movzx eax,BYTE PTR [eax] + 80492f3: 0f be c0 movsx eax,al + 80492f6: 89 44 24 04 mov DWORD PTR [esp+0x4],eax + 80492fa: 8b 85 70 ff ff ff mov eax,DWORD PTR [ebp-0x90] + 8049300: 89 04 24 mov DWORD PTR [esp],eax + 8049303: e8 d9 fb ff ff call 8048ee1 <eval> + 8049308: 83 6d 80 01 sub DWORD PTR [ebp-0x80],0x1 + 804930c: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84] + 8049312: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c] + 8049318: 01 d0 add eax,edx + 804931a: 0f b6 00 movzx eax,BYTE PTR [eax] + 804931d: 84 c0 test al,al + 804931f: 75 03 jne 8049324 <parse_expr+0x2fa> + 8049321: 90 nop + 8049322: eb 30 jmp 8049354 <parse_expr+0x32a> + 8049324: 83 85 7c ff ff ff 01 add DWORD PTR [ebp-0x84],0x1 + 804932b: e9 51 fd ff ff jmp 8049081 <parse_expr+0x57> + 8049330: 8d 55 90 lea edx,[ebp-0x70] + 8049333: 8b 45 80 mov eax,DWORD PTR [ebp-0x80] + 8049336: 01 d0 add eax,edx + 8049338: 0f b6 00 movzx eax,BYTE PTR [eax] + 804933b: 0f be c0 movsx eax,al + 804933e: 89 44 24 04 mov DWORD PTR [esp+0x4],eax + 8049342: 8b 85 70 ff ff ff mov eax,DWORD PTR [ebp-0x90] + 8049348: 89 04 24 mov DWORD PTR [esp],eax + 804934b: e8 91 fb ff ff call 8048ee1 <eval> + 8049350: 83 6d 80 01 sub DWORD PTR [ebp-0x80],0x1 + 8049354: 83 7d 80 00 cmp DWORD PTR [ebp-0x80],0x0 + 8049358: 79 d6 jns 8049330 <parse_expr+0x306> + 804935a: b8 01 00 00 00 mov eax,0x1 + 804935f: 8b 5d f4 mov ebx,DWORD PTR [ebp-0xc] + 8049362: 65 33 1d 14 00 00 00 xor ebx,DWORD PTR gs:0x14 + 8049369: 74 05 je 8049370 <parse_expr+0x346> + 804936b: e8 a0 70 02 00 call 8070410 <__stack_chk_fail> + 8049370: 81 c4 a4 00 00 00 add esp,0xa4 + 8049376: 5b pop ebx + 8049377: 5d pop ebp + 8049378: c3 ret + +Disassembly of section __libc_freeres_fn: + +Disassembly of section __libc_thread_freeres_fn: + +Disassembly of section .fini: |