1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
|
0x5f5e0ff doesn't cause a segfault...
but
calc: Contains the main calulator function, including calling get_expr.
08048e44 get_expr: gets user input, look into this!
during crash 1:
mov DWORD PTR [edx+eax*4+0x4], ecx
$eax : 0x0
$ecx : 0x98967f
$edx : 0xffffcb18 → 0x00000001
calc+56: right before get_expr
calc+113: right before parce_expr
0x080f05e8
0x080f05f8
either eax or edx
08048e44 <get_expr>:
8048e44: 55 push ebp
8048e45: 89 e5 mov ebp,esp
8048e47: 83 ec 28 sub esp,0x28 ; 40 bytes available
8048e4a: c7 45 f4 00 00 00 00 mov DWORD PTR [ebp-0xc],0x0 ; our counter, which starts at zero
8048e51: eb 76 jmp 8048ec9 <get_expr+0x85> ; jumps to the place that compares length to 1024
8048e53: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1 ; jump 2
8048e5a: 00
8048e5b: 8d 45 f3 lea eax,[ebp-0xd] ; just setting up for the read call
8048e5e: 89 44 24 04 mov DWORD PTR [esp+0x4],eax ; just setting up for the read call
8048e62: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0 ; just setting up for the read call
8048e69: e8 62 58 02 00 call 806e6d0 <__libc_read> ; puts one of our input into eax
8048e6e: 83 f8 ff cmp eax,0xffffffff ; if our read returns an error
8048e71: 74 5e je 8048ed1 <get_expr+0x8d> ; then jump 3
8048e73: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd]
8048e77: 3c 0a cmp al,0xa ; if byte is newline
8048e79: 74 56 je 8048ed1 <get_expr+0x8d> ; then jump 3
8048e7b: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd]
8048e7f: 3c 2b cmp al,0x2b ; if byte is +
8048e81: 74 30 je 8048eb3 <get_expr+0x6f> ; then jump 4
8048e83: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd]
8048e87: 3c 2d cmp al,0x2d ; if byte is -
8048e89: 74 28 je 8048eb3 <get_expr+0x6f> ; then jump 4
8048e8b: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd]
8048e8f: 3c 2a cmp al,0x2a ; if byte is *
8048e91: 74 20 je 8048eb3 <get_expr+0x6f> ; then jump 4
8048e93: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd]
8048e97: 3c 2f cmp al,0x2f ; if byte is /
8048e99: 74 18 je 8048eb3 <get_expr+0x6f> ; then jump 4
8048e9b: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd]
8048e9f: 3c 25 cmp al,0x25 ; if byte is %
8048ea1: 74 10 je 8048eb3 <get_expr+0x6f> ; then jump 4
8048ea3: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd]
8048ea7: 3c 2f cmp al,0x2f ; if byte <= /
8048ea9: 7e 1e jle 8048ec9 <get_expr+0x85> ; then jump 1
8048eab: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd]
8048eaf: 3c 39 cmp al,0x39 ; if byte > '9' (if letter)
8048eb1: 7f 16 jg 8048ec9 <get_expr+0x85> ; then jump 1
8048eb3: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc] ; jump 4
8048eb6: 8d 50 01 lea edx,[eax+0x1]
8048eb9: 89 55 f4 mov DWORD PTR [ebp-0xc],edx ; puts quanity into the thing
8048ebc: 89 c2 mov edx,eax
8048ebe: 8b 45 08 mov eax,DWORD PTR [ebp+0x8] ; this is where the amount of letters we have is
8048ec1: 01 c2 add edx,eax ; here, edx contains the address of the string, and eax contains the length (1).
8048ec3: 0f b6 45 f3 movzx eax,BYTE PTR [ebp-0xd] ; We move the input back into register eax.
8048ec7: 88 02 mov BYTE PTR [edx],al ; this puts the actual letter in edx, which is where the string pointer was added from two instructions ago.
8048ec9: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc] ; We move the quanity to eax, JUMP 1
8048ecc: 3b 45 0c cmp eax,DWORD PTR [ebp+0xc] ; and compare it with this static variable that's a value of 1024.
8048ecf: 7c 82 jl 8048e53 <get_expr+0xf> ; if len < 1024, go to jump 2
8048ed1: 8b 55 f4 mov edx,DWORD PTR [ebp-0xc] ; jump 3. This puts the quanity into edx.
8048ed4: 8b 45 08 mov eax,DWORD PTR [ebp+0x8] ; This puts the begning of the string into eax.
8048ed7: 01 d0 add eax,edx ; Finds the end of the string for some reason?
8048ed9: c6 00 00 mov BYTE PTR [eax],0x0 ; We terminate it with a null pointer (this may be importaint).
8048edc: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc] ; Move quanity back into eax.
8048edf: c9 leave
8048ee0: c3 ret
parse_expr:
0804902a <parse_expr>:
804902a: 55 push ebp
804902b: 89 e5 mov ebp,esp
804902d: 53 push ebx
804902e: 81 ec a4 00 00 00 sub esp,0xa4
8049034: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]
8049037: 89 85 74 ff ff ff mov DWORD PTR [ebp-0x8c],eax
804903d: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]
8049040: 89 85 70 ff ff ff mov DWORD PTR [ebp-0x90],eax
8049046: 65 a1 14 00 00 00 mov eax,gs:0x14
804904c: 89 45 f4 mov DWORD PTR [ebp-0xc],eax
804904f: 31 c0 xor eax,eax
8049051: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
8049057: 89 85 78 ff ff ff mov DWORD PTR [ebp-0x88],eax
804905d: c7 45 80 00 00 00 00 mov DWORD PTR [ebp-0x80],0x0
8049064: c7 44 24 04 64 00 00 mov DWORD PTR [esp+0x4],0x64
804906b: 00
804906c: 8d 45 90 lea eax,[ebp-0x70]
804906f: 89 04 24 mov DWORD PTR [esp],eax
8049072: e8 c9 f1 ff ff call 8048240 <.plt+0x60>
8049077: c7 85 7c ff ff ff 00 mov DWORD PTR [ebp-0x84],0x0
804907e: 00 00 00
8049081: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84]
8049087: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
804908d: 01 d0 add eax,edx
804908f: 0f b6 00 movzx eax,BYTE PTR [eax]
8049092: 0f be c0 movsx eax,al
8049095: 83 e8 30 sub eax,0x30
8049098: 83 f8 09 cmp eax,0x9
804909b: 0f 86 83 02 00 00 jbe 8049324 <parse_expr+0x2fa>
80490a1: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84]
80490a7: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
80490ad: 01 d0 add eax,edx
80490af: 89 c2 mov edx,eax
80490b1: 8b 85 78 ff ff ff mov eax,DWORD PTR [ebp-0x88]
80490b7: 29 c2 sub edx,eax
80490b9: 89 d0 mov eax,edx
80490bb: 89 45 84 mov DWORD PTR [ebp-0x7c],eax
80490be: 8b 45 84 mov eax,DWORD PTR [ebp-0x7c]
80490c1: 83 c0 01 add eax,0x1
80490c4: 89 04 24 mov DWORD PTR [esp],eax
80490c7: e8 b4 0e 01 00 call 8059f80 <__libc_malloc> BNOTE: Allocates for memcpy call in a few instructinos
80490cc: 89 45 88 mov DWORD PTR [ebp-0x78],eax
80490cf: 8b 45 84 mov eax,DWORD PTR [ebp-0x7c]
80490d2: 89 44 24 08 mov DWORD PTR [esp+0x8],eax
80490d6: 8b 85 78 ff ff ff mov eax,DWORD PTR [ebp-0x88]
80490dc: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
80490e0: 8b 45 88 mov eax,DWORD PTR [ebp-0x78]
80490e3: 89 04 24 mov DWORD PTR [esp],eax
80490e6: e8 95 45 01 00 call 805d680 <memcpy> BNOTE: 0x080f05e8 returned?
80490eb: 8b 55 84 mov edx,DWORD PTR [ebp-0x7c]
80490ee: 8b 45 88 mov eax,DWORD PTR [ebp-0x78]
80490f1: 01 d0 add eax,edx
80490f3: c6 00 00 mov BYTE PTR [eax],0x0
80490f6: c7 44 24 04 a8 f7 0b mov DWORD PTR [esp+0x4],0x80bf7a8
80490fd: 08
80490fe: 8b 45 88 mov eax,DWORD PTR [ebp-0x78]
8049101: 89 04 24 mov DWORD PTR [esp],eax
8049104: e8 97 f1 ff ff call 80482a0 <.plt+0xc0>
8049109: 85 c0 test eax,eax
804910b: 75 23 jne 8049130 <parse_expr+0x106>
804910d: c7 04 24 aa f7 0b 08 mov DWORD PTR [esp],0x80bf7aa
8049114: e8 a7 73 00 00 call 80504c0 <_IO_puts>
8049119: a1 c0 c4 0e 08 mov eax,ds:0x80ec4c0
804911e: 89 04 24 mov DWORD PTR [esp],eax
8049121: e8 5a 71 00 00 call 8050280 <_IO_fflush>
8049126: b8 00 00 00 00 mov eax,0x0
804912b: e9 2f 02 00 00 jmp 804935f <parse_expr+0x335>
8049130: 8b 45 88 mov eax,DWORD PTR [ebp-0x78]
8049133: 89 04 24 mov DWORD PTR [esp],eax
8049136: e8 35 54 00 00 call 804e570 <atoi>
804913b: 89 45 8c mov DWORD PTR [ebp-0x74],eax
804913e: 83 7d 8c 00 cmp DWORD PTR [ebp-0x74],0x0
8049142: 7e 20 jle 8049164 <parse_expr+0x13a>
8049144: 8b 85 70 ff ff ff mov eax,DWORD PTR [ebp-0x90]
804914a: 8b 00 mov eax,DWORD PTR [eax]
804914c: 8d 48 01 lea ecx,[eax+0x1]
804914f: 8b 95 70 ff ff ff mov edx,DWORD PTR [ebp-0x90]
8049155: 89 0a mov DWORD PTR [edx],ecx
8049157: 8b 95 70 ff ff ff mov edx,DWORD PTR [ebp-0x90]
804915d: 8b 4d 8c mov ecx,DWORD PTR [ebp-0x74]
8049160: 89 4c 82 04 mov DWORD PTR [edx+eax*4+0x4],ecx //can cause segfault
8049164: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84]
804916a: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
8049170: 01 d0 add eax,edx
8049172: 0f b6 00 movzx eax,BYTE PTR [eax]
8049175: 84 c0 test al,al
8049177: 74 1f je 8049198 <parse_expr+0x16e>
8049179: 8b 85 7c ff ff ff mov eax,DWORD PTR [ebp-0x84]
804917f: 8d 50 01 lea edx,[eax+0x1]
8049182: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
8049188: 01 d0 add eax,edx
804918a: 0f b6 00 movzx eax,BYTE PTR [eax]
804918d: 0f be c0 movsx eax,al
8049190: 83 e8 30 sub eax,0x30
8049193: 83 f8 09 cmp eax,0x9
8049196: 77 28 ja 80491c0 <parse_expr+0x196>
8049198: 8b 85 7c ff ff ff mov eax,DWORD PTR [ebp-0x84]
804919e: 8d 50 01 lea edx,[eax+0x1]
80491a1: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
80491a7: 01 d0 add eax,edx
80491a9: 89 85 78 ff ff ff mov DWORD PTR [ebp-0x88],eax
80491af: 8d 55 90 lea edx,[ebp-0x70]
80491b2: 8b 45 80 mov eax,DWORD PTR [ebp-0x80]
80491b5: 01 d0 add eax,edx
80491b7: 0f b6 00 movzx eax,BYTE PTR [eax]
80491ba: 84 c0 test al,al
80491bc: 74 25 je 80491e3 <parse_expr+0x1b9>
80491be: eb 43 jmp 8049203 <parse_expr+0x1d9>
80491c0: c7 04 24 c3 f7 0b 08 mov DWORD PTR [esp],0x80bf7c3
80491c7: e8 f4 72 00 00 call 80504c0 <_IO_puts>
80491cc: a1 c0 c4 0e 08 mov eax,ds:0x80ec4c0
80491d1: 89 04 24 mov DWORD PTR [esp],eax
80491d4: e8 a7 70 00 00 call 8050280 <_IO_fflush>
80491d9: b8 00 00 00 00 mov eax,0x0
80491de: e9 7c 01 00 00 jmp 804935f <parse_expr+0x335>
80491e3: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84]
80491e9: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
80491ef: 01 d0 add eax,edx
80491f1: 0f b6 00 movzx eax,BYTE PTR [eax]
80491f4: 8d 4d 90 lea ecx,[ebp-0x70]
80491f7: 8b 55 80 mov edx,DWORD PTR [ebp-0x80]
80491fa: 01 ca add edx,ecx
80491fc: 88 02 mov BYTE PTR [edx],al
80491fe: e9 09 01 00 00 jmp 804930c <parse_expr+0x2e2>
8049203: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84]
8049209: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
804920f: 01 d0 add eax,edx
8049211: 0f b6 00 movzx eax,BYTE PTR [eax]
8049214: 0f be c0 movsx eax,al
8049217: 83 e8 25 sub eax,0x25
804921a: 83 f8 0a cmp eax,0xa
804921d: 0f 87 c5 00 00 00 ja 80492e8 <parse_expr+0x2be>
8049223: 8b 04 85 d8 f7 0b 08 mov eax,DWORD PTR [eax*4+0x80bf7d8]
804922a: ff e0 jmp eax
804922c: 8d 55 90 lea edx,[ebp-0x70]
804922f: 8b 45 80 mov eax,DWORD PTR [ebp-0x80]
8049232: 01 d0 add eax,edx
8049234: 0f b6 00 movzx eax,BYTE PTR [eax]
8049237: 0f be c0 movsx eax,al
804923a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
804923e: 8b 85 70 ff ff ff mov eax,DWORD PTR [ebp-0x90]
8049244: 89 04 24 mov DWORD PTR [esp],eax
8049247: e8 95 fc ff ff call 8048ee1 <eval>
804924c: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84]
8049252: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
8049258: 01 d0 add eax,edx
804925a: 0f b6 00 movzx eax,BYTE PTR [eax]
804925d: 8d 4d 90 lea ecx,[ebp-0x70]
8049260: 8b 55 80 mov edx,DWORD PTR [ebp-0x80]
8049263: 01 ca add edx,ecx
8049265: 88 02 mov BYTE PTR [edx],al
8049267: e9 a0 00 00 00 jmp 804930c <parse_expr+0x2e2>
804926c: 8d 55 90 lea edx,[ebp-0x70]
804926f: 8b 45 80 mov eax,DWORD PTR [ebp-0x80]
8049272: 01 d0 add eax,edx
8049274: 0f b6 00 movzx eax,BYTE PTR [eax]
8049277: 3c 2b cmp al,0x2b
8049279: 74 0f je 804928a <parse_expr+0x260>
804927b: 8d 55 90 lea edx,[ebp-0x70]
804927e: 8b 45 80 mov eax,DWORD PTR [ebp-0x80]
8049281: 01 d0 add eax,edx
8049283: 0f b6 00 movzx eax,BYTE PTR [eax]
8049286: 3c 2d cmp al,0x2d
8049288: 75 21 jne 80492ab <parse_expr+0x281>
804928a: 83 45 80 01 add DWORD PTR [ebp-0x80],0x1
804928e: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84]
8049294: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
804929a: 01 d0 add eax,edx
804929c: 0f b6 00 movzx eax,BYTE PTR [eax]
804929f: 8d 4d 90 lea ecx,[ebp-0x70]
80492a2: 8b 55 80 mov edx,DWORD PTR [ebp-0x80]
80492a5: 01 ca add edx,ecx
80492a7: 88 02 mov BYTE PTR [edx],al
80492a9: eb 61 jmp 804930c <parse_expr+0x2e2>
80492ab: 8d 55 90 lea edx,[ebp-0x70]
80492ae: 8b 45 80 mov eax,DWORD PTR [ebp-0x80]
80492b1: 01 d0 add eax,edx
80492b3: 0f b6 00 movzx eax,BYTE PTR [eax]
80492b6: 0f be c0 movsx eax,al
80492b9: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
80492bd: 8b 85 70 ff ff ff mov eax,DWORD PTR [ebp-0x90]
80492c3: 89 04 24 mov DWORD PTR [esp],eax
80492c6: e8 16 fc ff ff call 8048ee1 <eval>
80492cb: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84]
80492d1: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
80492d7: 01 d0 add eax,edx
80492d9: 0f b6 00 movzx eax,BYTE PTR [eax]
80492dc: 8d 4d 90 lea ecx,[ebp-0x70]
80492df: 8b 55 80 mov edx,DWORD PTR [ebp-0x80]
80492e2: 01 ca add edx,ecx
80492e4: 88 02 mov BYTE PTR [edx],al
80492e6: eb 24 jmp 804930c <parse_expr+0x2e2>
80492e8: 8d 55 90 lea edx,[ebp-0x70]
80492eb: 8b 45 80 mov eax,DWORD PTR [ebp-0x80]
80492ee: 01 d0 add eax,edx
80492f0: 0f b6 00 movzx eax,BYTE PTR [eax]
80492f3: 0f be c0 movsx eax,al
80492f6: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
80492fa: 8b 85 70 ff ff ff mov eax,DWORD PTR [ebp-0x90]
8049300: 89 04 24 mov DWORD PTR [esp],eax
8049303: e8 d9 fb ff ff call 8048ee1 <eval>
8049308: 83 6d 80 01 sub DWORD PTR [ebp-0x80],0x1
804930c: 8b 95 7c ff ff ff mov edx,DWORD PTR [ebp-0x84]
8049312: 8b 85 74 ff ff ff mov eax,DWORD PTR [ebp-0x8c]
8049318: 01 d0 add eax,edx
804931a: 0f b6 00 movzx eax,BYTE PTR [eax]
804931d: 84 c0 test al,al
804931f: 75 03 jne 8049324 <parse_expr+0x2fa>
8049321: 90 nop
8049322: eb 30 jmp 8049354 <parse_expr+0x32a>
8049324: 83 85 7c ff ff ff 01 add DWORD PTR [ebp-0x84],0x1
804932b: e9 51 fd ff ff jmp 8049081 <parse_expr+0x57>
8049330: 8d 55 90 lea edx,[ebp-0x70]
8049333: 8b 45 80 mov eax,DWORD PTR [ebp-0x80]
8049336: 01 d0 add eax,edx
8049338: 0f b6 00 movzx eax,BYTE PTR [eax]
804933b: 0f be c0 movsx eax,al
804933e: 89 44 24 04 mov DWORD PTR [esp+0x4],eax
8049342: 8b 85 70 ff ff ff mov eax,DWORD PTR [ebp-0x90]
8049348: 89 04 24 mov DWORD PTR [esp],eax
804934b: e8 91 fb ff ff call 8048ee1 <eval>
8049350: 83 6d 80 01 sub DWORD PTR [ebp-0x80],0x1
8049354: 83 7d 80 00 cmp DWORD PTR [ebp-0x80],0x0
8049358: 79 d6 jns 8049330 <parse_expr+0x306>
804935a: b8 01 00 00 00 mov eax,0x1
804935f: 8b 5d f4 mov ebx,DWORD PTR [ebp-0xc]
8049362: 65 33 1d 14 00 00 00 xor ebx,DWORD PTR gs:0x14
8049369: 74 05 je 8049370 <parse_expr+0x346>
804936b: e8 a0 70 02 00 call 8070410 <__stack_chk_fail>
8049370: 81 c4 a4 00 00 00 add esp,0xa4
8049376: 5b pop ebx
8049377: 5d pop ebp
8049378: c3 ret
Disassembly of section __libc_freeres_fn:
Disassembly of section __libc_thread_freeres_fn:
Disassembly of section .fini:
|