Here is the object dump of my bomb program:
bufbomb: file format elf32-i386
Disassembly of section .init:
# _init: ELF initialisation stub (toolchain-generated, not program logic).
# It calls __gmon_start__ only when the word at -4(%ebx) is non-zero, then
# runs frame_dummy and __do_global_ctors_aux.
080486c8 <_init>:
80486c8: 55 push %ebp
80486c9: 89 e5 mov %esp,%ebp
80486cb: 53 push %ebx
80486cc: 83 ec 04 sub $0x4,%esp
# call to the very next instruction: pushes 0x80486d4 so it can be popped
# into %ebx as a position reference
80486cf: e8 00 00 00 00 call 80486d4 <_init+0xc>
80486d4: 5b pop %ebx
# %ebx = 0x80486d4 + 0x1a14
80486d5: 81 c3 14 1a 00 00 add $0x1a14,%ebx
80486db: 8b 93 fc ff ff ff mov 0xfffffffc(%ebx),%edx
80486e1: 85 d2 test %edx,%edx
80486e3: 74 05 je 80486ea <_init+0x22>
80486e5: e8 5e 00 00 00 call 8048748 <__gmon_start__@plt>
80486ea: e8 41 02 00 00 call 8048930 <frame_dummy>
80486ef: e8 ac 0d 00 00 call 80494a0 <__do_global_ctors_aux>
80486f4: 58 pop %eax
80486f5: 5b pop %ebx
80486f6: c9 leave
80486f7: c3 ret
Disassembly of section .plt:
# .plt: one three-instruction stub per imported library function. Each stub
# jumps through its own slot in the table starting at 0x804a0f4; the push/jmp
# pair behind it goes to the common entry at 80486f8. objdump prints that
# target as <_init+0x30> only because it has no symbol of its own.
# NOTE(review): presumably standard lazy binding - the pushed constant would
# be the relocation offset for the dynamic linker; the listing does not show
# the resolver itself.
# Review note: the import list shows where to look first. strcpy and sprintf
# take no destination length, system hands a string to the shell, and tempnam
# picks a file name before the file is opened; their call sites are the ones
# to audit.
080486f8 <sprintf@plt-0x10>:
80486f8: ff 35 ec a0 04 08 pushl 0x804a0ec
80486fe: ff 25 f0 a0 04 08 jmp *0x804a0f0
8048704: 00 00 add %al,(%eax)
...
# sprintf: unbounded formatted write into a caller-supplied buffer
08048708 <sprintf@plt>:
8048708: ff 25 f4 a0 04 08 jmp *0x804a0f4
804870e: 68 00 00 00 00 push $0x0
8048713: e9 e0 ff ff ff jmp 80486f8 <_init+0x30>
08048718 <srand@plt>:
8048718: ff 25 f8 a0 04 08 jmp *0x804a0f8
804871e: 68 08 00 00 00 push $0x8
8048723: e9 d0 ff ff ff jmp 80486f8 <_init+0x30>
08048728 <random@plt>:
8048728: ff 25 fc a0 04 08 jmp *0x804a0fc
804872e: 68 10 00 00 00 push $0x10
8048733: e9 c0 ff ff ff jmp 80486f8 <_init+0x30>
08048738 <signal@plt>:
8048738: ff 25 00 a1 04 08 jmp *0x804a100
804873e: 68 18 00 00 00 push $0x18
8048743: e9 b0 ff ff ff jmp 80486f8 <_init+0x30>
08048748 <__gmon_start__@plt>:
8048748: ff 25 04 a1 04 08 jmp *0x804a104
804874e: 68 20 00 00 00 push $0x20
8048753: e9 a0 ff ff ff jmp 80486f8 <_init+0x30>
08048758 <calloc@plt>:
8048758: ff 25 08 a1 04 08 jmp *0x804a108
804875e: 68 28 00 00 00 push $0x28
8048763: e9 90 ff ff ff jmp 80486f8 <_init+0x30>
# system: runs its argument through the shell
08048768 <system@plt>:
8048768: ff 25 0c a1 04 08 jmp *0x804a10c
804876e: 68 30 00 00 00 push $0x30
8048773: e9 80 ff ff ff jmp 80486f8 <_init+0x30>
08048778 <memset@plt>:
8048778: ff 25 10 a1 04 08 jmp *0x804a110
804877e: 68 38 00 00 00 push $0x38
8048783: e9 70 ff ff ff jmp 80486f8 <_init+0x30>
08048788 <__libc_start_main@plt>:
8048788: ff 25 14 a1 04 08 jmp *0x804a114
804878e: 68 40 00 00 00 push $0x40
8048793: e9 60 ff ff ff jmp 80486f8 <_init+0x30>
08048798 <_IO_getc@plt>:
8048798: ff 25 18 a1 04 08 jmp *0x804a118
804879e: 68 48 00 00 00 push $0x48
80487a3: e9 50 ff ff ff jmp 80486f8 <_init+0x30>
080487a8 <__ctype_b_loc@plt>:
80487a8: ff 25 1c a1 04 08 jmp *0x804a11c
80487ae: 68 50 00 00 00 push $0x50
80487b3: e9 40 ff ff ff jmp 80486f8 <_init+0x30>
080487b8 <fclose@plt>:
80487b8: ff 25 20 a1 04 08 jmp *0x804a120
80487be: 68 58 00 00 00 push $0x58
80487c3: e9 30 ff ff ff jmp 80486f8 <_init+0x30>
080487c8 <getopt@plt>:
80487c8: ff 25 24 a1 04 08 jmp *0x804a124
80487ce: 68 60 00 00 00 push $0x60
80487d3: e9 20 ff ff ff jmp 80486f8 <_init+0x30>
080487d8 <fopen@plt>:
80487d8: ff 25 28 a1 04 08 jmp *0x804a128
80487de: 68 68 00 00 00 push $0x68
80487e3: e9 10 ff ff ff jmp 80486f8 <_init+0x30>
080487e8 <alarm@plt>:
80487e8: ff 25 2c a1 04 08 jmp *0x804a12c
80487ee: 68 70 00 00 00 push $0x70
80487f3: e9 00 ff ff ff jmp 80486f8 <_init+0x30>
# strcpy: copies until the source NUL, with no destination length
080487f8 <strcpy@plt>:
80487f8: ff 25 30 a1 04 08 jmp *0x804a130
80487fe: 68 78 00 00 00 push $0x78
8048803: e9 f0 fe ff ff jmp 80486f8 <_init+0x30>
08048808 <printf@plt>:
8048808: ff 25 34 a1 04 08 jmp *0x804a134
804880e: 68 80 00 00 00 push $0x80
8048813: e9 e0 fe ff ff jmp 80486f8 <_init+0x30>
08048818 <srandom@plt>:
8048818: ff 25 38 a1 04 08 jmp *0x804a138
804881e: 68 88 00 00 00 push $0x88
8048823: e9 d0 fe ff ff jmp 80486f8 <_init+0x30>
08048828 <fwrite@plt>:
8048828: ff 25 3c a1 04 08 jmp *0x804a13c
804882e: 68 90 00 00 00 push $0x90
8048833: e9 c0 fe ff ff jmp 80486f8 <_init+0x30>
08048838 <fprintf@plt>:
8048838: ff 25 40 a1 04 08 jmp *0x804a140
804883e: 68 98 00 00 00 push $0x98
8048843: e9 b0 fe ff ff jmp 80486f8 <_init+0x30>
08048848 <remove@plt>:
8048848: ff 25 44 a1 04 08 jmp *0x804a144
804884e: 68 a0 00 00 00 push $0xa0
8048853: e9 a0 fe ff ff jmp 80486f8 <_init+0x30>
08048858 <cuserid@plt>:
8048858: ff 25 48 a1 04 08 jmp *0x804a148
804885e: 68 a8 00 00 00 push $0xa8
8048863: e9 90 fe ff ff jmp 80486f8 <_init+0x30>
08048868 <fputc@plt>:
8048868: ff 25 4c a1 04 08 jmp *0x804a14c
804886e: 68 b0 00 00 00 push $0xb0
8048873: e9 80 fe ff ff jmp 80486f8 <_init+0x30>
08048878 <puts@plt>:
8048878: ff 25 50 a1 04 08 jmp *0x804a150
804887e: 68 b8 00 00 00 push $0xb8
8048883: e9 70 fe ff ff jmp 80486f8 <_init+0x30>
08048888 <rand@plt>:
8048888: ff 25 54 a1 04 08 jmp *0x804a154
804888e: 68 c0 00 00 00 push $0xc0
8048893: e9 60 fe ff ff jmp 80486f8 <_init+0x30>
# tempnam: returns a name only; the file is created later by the caller
08048898 <tempnam@plt>:
8048898: ff 25 58 a1 04 08 jmp *0x804a158
804889e: 68 c8 00 00 00 push $0xc8
80488a3: e9 50 fe ff ff jmp 80486f8 <_init+0x30>
080488a8 <__strdup@plt>:
80488a8: ff 25 5c a1 04 08 jmp *0x804a15c
80488ae: 68 d0 00 00 00 push $0xd0
80488b3: e9 40 fe ff ff jmp 80486f8 <_init+0x30>
080488b8 <exit@plt>:
80488b8: ff 25 60 a1 04 08 jmp *0x804a160
80488be: 68 d8 00 00 00 push $0xd8
80488c3: e9 30 fe ff ff jmp 80486f8 <_init+0x30>
Disassembly of section .text:
# _start: process entry point (toolchain-generated). Aligns the stack to 16
# bytes and calls __libc_start_main with 0x8049100 (the address of <main>
# in this listing) as its first argument.
080488d0 <_start>:
80488d0: 31 ed xor %ebp,%ebp
# %esi = word on top of the stack at entry, %ecx = address just above it
# NOTE(review): presumably argc and argv - confirm against the ABI
80488d2: 5e pop %esi
80488d3: 89 e1 mov %esp,%ecx
80488d5: 83 e4 f0 and $0xfffffff0,%esp
80488d8: 50 push %eax
80488d9: 54 push %esp
80488da: 52 push %edx
# NOTE(review): 0x8049430 / 0x8049440 are presumably the fini/init routines;
# neither address is inside the visible listing
80488db: 68 30 94 04 08 push $0x8049430
80488e0: 68 40 94 04 08 push $0x8049440
80488e5: 51 push %ecx
80488e6: 56 push %esi
80488e7: 68 00 91 04 08 push $0x8049100
80488ec: e8 97 fe ff ff call 8048788 <__libc_start_main@plt>
# only reached if __libc_start_main returns
80488f1: f4 hlt
80488f2: 90 nop
80488f3: 90 nop
80488f4: 90 nop
80488f5: 90 nop
80488f6: 90 nop
80488f7: 90 nop
80488f8: 90 nop
80488f9: 90 nop
80488fa: 90 nop
80488fb: 90 nop
80488fc: 90 nop
80488fd: 90 nop
80488fe: 90 nop
80488ff: 90 nop
# __do_global_dtors_aux: toolchain-generated teardown helper. Guarded by the
# byte flag at 0x804a1a8 so it runs once: walks the pointer list whose cursor
# lives at 0x804a16c, calling each entry until a null one, then sets the flag.
08048900 <__do_global_dtors_aux>:
8048900: 55 push %ebp
8048901: 89 e5 mov %esp,%ebp
8048903: 83 ec 08 sub $0x8,%esp
8048906: 80 3d a8 a1 04 08 00 cmpb $0x0,0x804a1a8
804890d: 74 0c je 804891b <__do_global_dtors_aux+0x1
b>
804890f: eb 1c jmp 804892d <__do_global_dtors_aux+0x2
d>
# loop body: advance the stored cursor, then call the entry just read
8048911: 83 c0 04 add $0x4,%eax
8048914: a3 6c a1 04 08 mov %eax,0x804a16c
8048919: ff d2 call *%edx
804891b: a1 6c a1 04 08 mov 0x804a16c,%eax
8048920: 8b 10 mov (%eax),%edx
8048922: 85 d2 test %edx,%edx
8048924: 75 eb jne 8048911 <__do_global_dtors_aux+0x1
1>
8048926: c6 05 a8 a1 04 08 01 movb $0x1,0x804a1a8
804892d: c9 leave
804892e: c3 ret
804892f: 90 nop
# frame_dummy: toolchain-generated start-up helper. In this build the
# function pointer is the constant 0, so the test at 8048944 always takes the
# branch and the indirect call at 804894f is never executed.
08048930 <frame_dummy>:
8048930: 55 push %ebp
8048931: 89 e5 mov %esp,%ebp
8048933: 83 ec 08 sub $0x8,%esp
8048936: a1 10 a0 04 08 mov 0x804a010,%eax
804893b: 85 c0 test %eax,%eax
804893d: 74 12 je 8048951 <frame_dummy+0x21>
804893f: b8 00 00 00 00 mov $0x0,%eax
8048944: 85 c0 test %eax,%eax
8048946: 74 09 je 8048951 <frame_dummy+0x21>
8048948: c7 04 24 10 a0 04 08 movl $0x804a010,(%esp)
804894f: ff d0 call *%eax
8048951: c9 leave
8048952: c3 ret
8048953: 90 nop
8048954: 90 nop
8048955: 90 nop
8048956: 90 nop
8048957: 90 nop
8048958: 90 nop
8048959: 90 nop
804895a: 90 nop
804895b: 90 nop
804895c: 90 nop
804895d: 90 nop
804895e: 90 nop
804895f: 90 nop
# save_char: append one input byte to a text log as two table-looked-up
# characters followed by a space.
# In:    %eax = the byte (passed in a register, not on the stack)
# State: counter at 0x804a1e0, log buffer at 0x804a200 (3 bytes per entry),
#        16-entry lookup table at 0x8049a88
# NOTE(review): the table is presumably the hex digits - its contents are not
# in the listing.
# Unlike the input routine that calls it, this function is bounded: it does
# nothing once the counter exceeds 0x3ff, so at most 0x400 entries are logged.
08048960 <save_char>:
8048960: 8b 0d e0 a1 04 08 mov 0x804a1e0,%ecx
8048966: 55 push %ebp
8048967: 89 e5 mov %esp,%ebp
8048969: 53 push %ebx
804896a: 89 c3 mov %eax,%ebx
# bounds check on the log index (signed compare)
804896c: 81 f9 ff 03 00 00 cmp $0x3ff,%ecx
8048972: 7f 37 jg 80489ab <save_char+0x4b>
# high nibble -> table character
8048974: c0 f8 04 sar $0x4,%al
8048977: 83 e0 0f and $0xf,%eax
804897a: 0f b6 80 88 9a 04 08 movzbl 0x8049a88(%eax),%eax
# %edx = 3 * index: byte offset of this entry in the log
8048981: 8d 14 49 lea (%ecx,%ecx,2),%edx
# third byte of the entry is a space (0x20)
8048984: c6 82 02 a2 04 08 20 movb $0x20,0x804a202(%edx)
804898b: 88 82 00 a2 04 08 mov %al,0x804a200(%edx)
# low nibble -> table character
8048991: 89 d8 mov %ebx,%eax
8048993: 83 e0 0f and $0xf,%eax
8048996: 0f b6 80 88 9a 04 08 movzbl 0x8049a88(%eax),%eax
804899d: 88 82 01 a2 04 08 mov %al,0x804a201(%edx)
# counter = index + 1
80489a3: 8d 41 01 lea 0x1(%ecx),%eax
80489a6: a3 e0 a1 04 08 mov %eax,0x804a1e0
80489ab: 5b pop %ebx
80489ac: 5d pop %ebp
80489ad: c3 ret
80489ae: 66 90 xchg %ax,%ax
# entry_check(level): records its single stack argument in the global at
# 0x804a174. validate() later compares its own argument with this value.
080489b0 <entry_check>:
80489b0: 55 push %ebp
80489b1: 89 e5 mov %esp,%ebp
80489b3: 8b 45 08 mov 0x8(%ebp),%eax
80489b6: 5d pop %ebp
80489b7: a3 74 a1 04 08 mov %eax,0x804a174
80489bc: c3 ret
80489bd: 8d 76 00 lea 0x0(%esi),%esi
# illegalhandler: installed by main for signal 4. Prints the strings at
# 0x80494f0 and 0x8049864, then exit(0); it never returns to the faulting code.
# Review note: puts and exit are not async-signal-safe; a handler restricted
# to write() and _exit() would avoid re-entering stdio from signal context.
080489c0 <illegalhandler>:
80489c0: 55 push %ebp
80489c1: 89 e5 mov %esp,%ebp
80489c3: 83 ec 08 sub $0x8,%esp
80489c6: c7 04 24 f0 94 04 08 movl $0x80494f0,(%esp)
80489cd: e8 a6 fe ff ff call 8048878 <puts@plt>
80489d2: c7 04 24 64 98 04 08 movl $0x8049864,(%esp)
80489d9: e8 9a fe ff ff call 8048878 <puts@plt>
80489de: c7 04 24 00 00 00 00 movl $0x0,(%esp)
80489e5: e8 ce fe ff ff call 80488b8 <exit@plt>
80489ea: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
# alarmhandler: installed by main for signal 14. Prints the format at
# 0x804951c with the value of the global at 0x804a178 (the same global main
# passes to alarm()), prints the string at 0x8049864, then exit(0).
# Review note: printf, puts and exit are not async-signal-safe.
080489f0 <alarmhandler>:
80489f0: 55 push %ebp
80489f1: 89 e5 mov %esp,%ebp
80489f3: 83 ec 08 sub $0x8,%esp
80489f6: a1 78 a1 04 08 mov 0x804a178,%eax
80489fb: c7 04 24 1c 95 04 08 movl $0x804951c,(%esp)
8048a02: 89 44 24 04 mov %eax,0x4(%esp)
8048a06: e8 fd fd ff ff call 8048808 <printf@plt>
8048a0b: c7 04 24 64 98 04 08 movl $0x8049864,(%esp)
8048a12: e8 61 fe ff ff call 8048878 <puts@plt>
8048a17: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048a1e: e8 95 fe ff ff call 80488b8 <exit@plt>
8048a23: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8048a29: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
# seghandler: installed by main for signal 11. Prints the strings at
# 0x8049550 and 0x8049864, then exit(0), so a memory fault ends the run with a
# message instead of a core dump.
# Review note: puts and exit are not async-signal-safe, and after a fault the
# stack this handler runs on may itself be corrupted.
08048a30 <seghandler>:
8048a30: 55 push %ebp
8048a31: 89 e5 mov %esp,%ebp
8048a33: 83 ec 08 sub $0x8,%esp
8048a36: c7 04 24 50 95 04 08 movl $0x8049550,(%esp)
8048a3d: e8 36 fe ff ff call 8048878 <puts@plt>
8048a42: c7 04 24 64 98 04 08 movl $0x8049864,(%esp)
8048a49: e8 2a fe ff ff call 8048878 <puts@plt>
8048a4e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048a55: e8 5e fe ff ff call 80488b8 <exit@plt>
8048a5a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
# bushandler: installed by main for signal 7. Prints the strings at
# 0x8049578 and 0x8049864, then exit(0).
# Review note: puts and exit are not async-signal-safe.
08048a60 <bushandler>:
8048a60: 55 push %ebp
8048a61: 89 e5 mov %esp,%ebp
8048a63: 83 ec 08 sub $0x8,%esp
8048a66: c7 04 24 78 95 04 08 movl $0x8049578,(%esp)
8048a6d: e8 06 fe ff ff call 8048878 <puts@plt>
8048a72: c7 04 24 64 98 04 08 movl $0x8049864,(%esp)
8048a79: e8 fa fd ff ff call 8048878 <puts@plt>
8048a7e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048a85: e8 2e fe ff ff call 80488b8 <exit@plt>
8048a8a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
# usage: print the help text and exit(0).
# In: %eax = value substituted into the format at 0x8049598 (register
#     argument; main loads it from the first argv entry before each call).
# Does not return.
08048a90 <usage>:
8048a90: 55 push %ebp
8048a91: 89 e5 mov %esp,%ebp
8048a93: 83 ec 08 sub $0x8,%esp
8048a96: 89 44 24 04 mov %eax,0x4(%esp)
8048a9a: c7 04 24 98 95 04 08 movl $0x8049598,(%esp)
8048aa1: e8 62 fd ff ff call 8048808 <printf@plt>
8048aa6: c7 04 24 7a 98 04 08 movl $0x804987a,(%esp)
8048aad: e8 c6 fd ff ff call 8048878 <puts@plt>
8048ab2: c7 04 24 98 98 04 08 movl $0x8049898,(%esp)
8048ab9: e8 ba fd ff ff call 8048878 <puts@plt>
8048abe: c7 04 24 bc 95 04 08 movl $0x80495bc,(%esp)
8048ac5: e8 ae fd ff ff call 8048878 <puts@plt>
8048aca: c7 04 24 e4 95 04 08 movl $0x80495e4,(%esp)
8048ad1: e8 a2 fd ff ff call 8048878 <puts@plt>
8048ad6: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048add: e8 d6 fd ff ff call 80488b8 <exit@plt>
8048ae2: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
8048ae9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
# validate(level): checks that a level was reached legitimately and, when
# submission is enabled, writes a report to a temporary file and hands it to
# a shell command.
# In:     0x8(%ebp) = level (0..4)
# Reads:  0x804a1d0 (id string set by main), 0x804a174 (level recorded by
#         entry_check), 0x804a17c[level] (per-level countdown), 0x804a1d4 and
#         0x804a170 (option flags set by main), 0x804a1cc (cookie)
# Locals: -0x120(%ebp) temp file name, -0x115(%ebp) 256-byte command buffer,
#         -0x15(%ebp) user-name buffer, -0xc..-0x4(%ebp) saved ebx/esi/edi
# Review notes for the reporting path (details at each call site):
#   tempnam + fopen is a check-then-use sequence; mkstemp creates and opens
#   the file in one step. strcpy and sprintf write to stack buffers with no
#   length; snprintf / a bounded copy would cap them. system() passes the
#   built string to the shell; fork + exec with an argument vector avoids
#   shell interpretation.
08048af0 <validate>:
8048af0: 55 push %ebp
8048af1: 89 e5 mov %esp,%ebp
8048af3: 81 ec 48 01 00 00 sub $0x148,%esp
8048af9: 8b 0d d0 a1 04 08 mov 0x804a1d0,%ecx
8048aff: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
8048b02: 8b 5d 08 mov 0x8(%ebp),%ebx
8048b05: 89 75 f8 mov %esi,0xfffffff8(%ebp)
8048b08: 89 7d fc mov %edi,0xfffffffc(%ebp)
# no id string set -> message at 0x8049608 and return
8048b0b: 85 c9 test %ecx,%ecx
8048b0d: 0f 84 d8 01 00 00 je 8048ceb <validate+0x1fb>
# level must be <= 4 (unsigned compare, so negative values are rejected too)
8048b13: 83 fb 04 cmp $0x4,%ebx
8048b16: 77 58 ja 8048b70 <validate+0x80>
# level must equal the value entry_check() stored
8048b18: 3b 1d 74 a1 04 08 cmp 0x804a174,%ebx
8048b1e: 74 20 je 8048b40 <validate+0x50>
8048b20: c7 04 24 5c 96 04 08 movl $0x804965c,(%esp)
8048b27: e8 4c fd ff ff call 8048878 <puts@plt>
8048b2c: 8d 74 26 00 lea 0x0(%esi),%esi
# common exit: restore callee-saved registers from the frame and return
8048b30: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
8048b33: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
8048b36: 8b 7d fc mov 0xfffffffc(%ebp),%edi
8048b39: 89 ec mov %ebp,%esp
8048b3b: 5d pop %ebp
8048b3c: c3 ret
8048b3d: 8d 76 00 lea 0x0(%esi),%esi
# level accepted: mark success (0x804a1d8 = 1) and decrement the per-level
# counter; only when it reaches <= 0 does the reporting path run
8048b40: 8b 04 9d 7c a1 04 08 mov 0x804a17c(,%ebx,4),%eax
8048b47: c7 05 d8 a1 04 08 01 movl $0x1,0x804a1d8
8048b4e: 00 00 00
8048b51: 83 e8 01 sub $0x1,%eax
8048b54: 85 c0 test %eax,%eax
8048b56: 89 04 9d 7c a1 04 08 mov %eax,0x804a17c(,%ebx,4)
8048b5d: 7e 21 jle 8048b80 <validate+0x90>
8048b5f: c7 04 24 af 98 04 08 movl $0x80498af,(%esp)
8048b66: e8 0d fd ff ff call 8048878 <puts@plt>
8048b6b: eb c3 jmp 8048b30 <validate+0x40>
8048b6d: 8d 76 00 lea 0x0(%esi),%esi
8048b70: c7 04 24 34 96 04 08 movl $0x8049634,(%esp)
8048b77: e8 fc fc ff ff call 8048878 <puts@plt>
8048b7c: eb b2 jmp 8048b30 <validate+0x40>
8048b7e: 66 90 xchg %ax,%ax
# flag 0x804a1d4 set -> short message, no report
8048b80: 8b 15 d4 a1 04 08 mov 0x804a1d4,%edx
8048b86: 85 d2 test %edx,%edx
8048b88: 0f 85 7f 01 00 00 jne 8048d0d <validate+0x21d>
# flag 0x804a170 clear -> message at 0x804975c, no report
8048b8e: a1 70 a1 04 08 mov 0x804a170,%eax
8048b93: 85 c0 test %eax,%eax
8048b95: 0f 84 61 01 00 00 je 8048cfc <validate+0x20c>
# tempnam(NULL, prefix at 0x80498c0): returns a name only. The file is
# created by the fopen below, so another process can claim the name first.
8048b9b: c7 44 24 04 c0 98 04 movl $0x80498c0,0x4(%esp)
8048ba2: 08
8048ba3: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048baa: e8 e9 fc ff ff call 8048898 <tempnam@plt>
8048baf: c7 44 24 04 c7 98 04 movl $0x80498c7,0x4(%esp)
8048bb6: 08
8048bb7: 89 85 e0 fe ff ff mov %eax,0xfffffee0(%ebp)
8048bbd: 89 04 24 mov %eax,(%esp)
8048bc0: e8 13 fc ff ff call 80487d8 <fopen@plt>
# fopen failure -> printf(0x8049698), exit(1)
8048bc5: 85 c0 test %eax,%eax
8048bc7: 89 c6 mov %eax,%esi
8048bc9: 0f 84 76 01 00 00 je 8048d45 <validate+0x255>
# fwrite(0x80498c9, 1, 0x1b, fp) then fputc('\n', fp): fixed header line
8048bcf: 89 44 24 0c mov %eax,0xc(%esp)
8048bd3: c7 44 24 08 1b 00 00 movl $0x1b,0x8(%esp)
8048bda: 00
8048bdb: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048be2: 00
8048be3: c7 04 24 c9 98 04 08 movl $0x80498c9,(%esp)
8048bea: e8 39 fc ff ff call 8048828 <fwrite@plt>
8048bef: 89 74 24 04 mov %esi,0x4(%esp)
8048bf3: c7 04 24 0a 00 00 00 movl $0xa,(%esp)
8048bfa: e8 69 fc ff ff call 8048868 <fputc@plt>
# cuserid(NULL); a null result takes the fallback at 8048d2c
8048bff: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048c06: e8 4d fc ff ff call 8048858 <cuserid@plt>
8048c0b: 85 c0 test %eax,%eax
8048c0d: 0f 84 19 01 00 00 je 8048d2c <validate+0x23c>
# strcpy(-0x15(%ebp), name): the destination starts 9 bytes below the saved
# %ebx slot at -0xc(%ebp) and the copy has no length limit, so it is safe
# only while the returned name (with its NUL) fits in those 9 bytes.
8048c13: 8d 7d eb lea 0xffffffeb(%ebp),%edi
8048c16: 89 44 24 04 mov %eax,0x4(%esp)
8048c1a: 89 3c 24 mov %edi,(%esp)
8048c1d: e8 d6 fb ff ff call 80487f8 <strcpy@plt>
# fprintf(fp, 0x80498e5, user_name)
8048c22: 89 7c 24 08 mov %edi,0x8(%esp)
8048c26: c7 44 24 04 e5 98 04 movl $0x80498e5,0x4(%esp)
8048c2d: 08
8048c2e: 89 34 24 mov %esi,(%esp)
8048c31: e8 02 fc ff ff call 8048838 <fprintf@plt>
# fprintf(fp, 0x80496cc, 0x31063, id, level, cookie, 0x804a200, 0)
# 0x804a200 is the log buffer filled by save_char, i.e. the input is echoed
# into the report. %ebx is reused for the command buffer after level is stored.
8048c36: a1 cc a1 04 08 mov 0x804a1cc,%eax
8048c3b: 89 5c 24 10 mov %ebx,0x10(%esp)
8048c3f: 8d 9d eb fe ff ff lea 0xfffffeeb(%ebp),%ebx
8048c45: c7 44 24 1c 00 00 00 movl $0x0,0x1c(%esp)
8048c4c: 00
8048c4d: c7 44 24 18 00 a2 04 movl $0x804a200,0x18(%esp)
8048c54: 08
8048c55: 89 44 24 14 mov %eax,0x14(%esp)
8048c59: a1 d0 a1 04 08 mov 0x804a1d0,%eax
8048c5e: c7 44 24 08 63 10 03 movl $0x31063,0x8(%esp)
8048c65: 00
8048c66: c7 44 24 04 cc 96 04 movl $0x80496cc,0x4(%esp)
8048c6d: 08
8048c6e: 89 34 24 mov %esi,(%esp)
8048c71: 89 44 24 0c mov %eax,0xc(%esp)
8048c75: e8 be fb ff ff call 8048838 <fprintf@plt>
8048c7a: 89 34 24 mov %esi,(%esp)
8048c7d: e8 36 fb ff ff call 80487b8 <fclose@plt>
# sprintf(cmd, 0x804991d, tmpname, 0x8049906, 0x8049901, 0x80498f3)
# cmd is the 256 bytes from -0x115(%ebp) up to the user-name buffer; sprintf
# does not know that size, so the bound rests on the strings' lengths alone.
8048c82: 8b 85 e0 fe ff ff mov 0xfffffee0(%ebp),%eax
8048c88: c7 44 24 14 f3 98 04 movl $0x80498f3,0x14(%esp)
8048c8f: 08
8048c90: c7 44 24 10 01 99 04 movl $0x8049901,0x10(%esp)
8048c97: 08
8048c98: c7 44 24 0c 06 99 04 movl $0x8049906,0xc(%esp)
8048c9f: 08
8048ca0: 89 44 24 08 mov %eax,0x8(%esp)
8048ca4: c7 44 24 04 1d 99 04 movl $0x804991d,0x4(%esp)
8048cab: 08
8048cac: 89 1c 24 mov %ebx,(%esp)
8048caf: e8 54 fa ff ff call 8048708 <sprintf@plt>
# system(cmd): the formatted string, including the temp file name, is
# interpreted by the shell
8048cb4: 89 1c 24 mov %ebx,(%esp)
8048cb7: e8 ac fa ff ff call 8048768 <system@plt>
# non-zero status -> message at 0x804971c; zero -> two success messages
8048cbc: 85 c0 test %eax,%eax
8048cbe: 75 5e jne 8048d1e <validate+0x22e>
8048cc0: c7 04 24 30 99 04 08 movl $0x8049930,(%esp)
8048cc7: e8 ac fb ff ff call 8048878 <puts@plt>
8048ccc: c7 04 24 ec 96 04 08 movl $0x80496ec,(%esp)
8048cd3: e8 a0 fb ff ff call 8048878 <puts@plt>
# remove(tmpname) on both the success and the failure path
8048cd8: 8b 85 e0 fe ff ff mov 0xfffffee0(%ebp),%eax
8048cde: 89 04 24 mov %eax,(%esp)
8048ce1: e8 62 fb ff ff call 8048848 <remove@plt>
8048ce6: e9 45 fe ff ff jmp 8048b30 <validate+0x40>
8048ceb: c7 04 24 08 96 04 08 movl $0x8049608,(%esp)
8048cf2: e8 81 fb ff ff call 8048878 <puts@plt>
8048cf7: e9 34 fe ff ff jmp 8048b30 <validate+0x40>
8048cfc: c7 04 24 5c 97 04 08 movl $0x804975c,(%esp)
8048d03: e8 70 fb ff ff call 8048878 <puts@plt>
8048d08: e9 23 fe ff ff jmp 8048b30 <validate+0x40>
8048d0d: c7 04 24 ba 98 04 08 movl $0x80498ba,(%esp)
8048d14: e8 5f fb ff ff call 8048878 <puts@plt>
8048d19: e9 12 fe ff ff jmp 8048b30 <validate+0x40>
8048d1e: c7 04 24 1c 97 04 08 movl $0x804971c,(%esp)
8048d25: e8 4e fb ff ff call 8048878 <puts@plt>
8048d2a: eb ac jmp 8048cd8 <validate+0x1e8>
# cuserid fallback: store the 7 bytes "nobody\0" directly into the
# user-name buffer (0x6f626f6e = "nobo", 0x7964 = "dy", then NUL)
8048d2c: 8d 7d eb lea 0xffffffeb(%ebp),%edi
8048d2f: c7 45 eb 6e 6f 62 6f movl $0x6f626f6e,0xffffffeb(%eb
p)
8048d36: 66 c7 45 ef 64 79 movw $0x7964,0xffffffef(%ebp)
8048d3c: c6 45 f1 00 movb $0x0,0xfffffff1(%ebp)
8048d40: e9 dd fe ff ff jmp 8048c22 <validate+0x132>
8048d45: c7 04 24 98 96 04 08 movl $0x8049698,(%esp)
8048d4c: e8 b7 fa ff ff call 8048808 <printf@plt>
8048d51: c7 04 24 01 00 00 00 movl $0x1,(%esp)
8048d58: e8 5b fb ff ff call 80488b8 <exit@plt>
8048d5d: 8d 76 00 lea 0x0(%esi),%esi
# bang: level-2 target. Records level 2 via entry_check, then compares the
# global at 0x804a1dc with the cookie at 0x804a1cc. On a match it prints the
# format at 0x80497a8 and calls validate(2); otherwise it prints the format at
# 0x804993a. Both paths end in exit(0), so the function never returns.
08048d60 <bang>:
8048d60: 55 push %ebp
8048d61: 89 e5 mov %esp,%ebp
8048d63: 83 ec 08 sub $0x8,%esp
8048d66: c7 04 24 02 00 00 00 movl $0x2,(%esp)
8048d6d: e8 3e fc ff ff call 80489b0 <entry_check>
8048d72: a1 dc a1 04 08 mov 0x804a1dc,%eax
8048d77: 3b 05 cc a1 04 08 cmp 0x804a1cc,%eax
8048d7d: 74 21 je 8048da0 <bang+0x40>
# mismatch: report the value seen
8048d7f: 89 44 24 04 mov %eax,0x4(%esp)
8048d83: c7 04 24 3a 99 04 08 movl $0x804993a,(%esp)
8048d8a: e8 79 fa ff ff call 8048808 <printf@plt>
8048d8f: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048d96: e8 1d fb ff ff call 80488b8 <exit@plt>
8048d9b: 90 nop
8048d9c: 8d 74 26 00 lea 0x0(%esi),%esi
# match: report, validate, then join the exit(0) path
8048da0: 89 44 24 04 mov %eax,0x4(%esp)
8048da4: c7 04 24 a8 97 04 08 movl $0x80497a8,(%esp)
8048dab: e8 58 fa ff ff call 8048808 <printf@plt>
8048db0: c7 04 24 02 00 00 00 movl $0x2,(%esp)
8048db7: e8 34 fd ff ff call 8048af0 <validate>
8048dbc: eb d1 jmp 8048d8f <bang+0x2f>
8048dbe: 66 90 xchg %ax,%ax
# fizz(val): level-1 target. Records level 1 via entry_check, then compares
# its stack argument with the cookie at 0x804a1cc. On a match it prints the
# format at 0x8049958 and calls validate(1); otherwise it prints the format at
# 0x80497d0. Both paths end in exit(0), so the function never returns.
08048dc0 <fizz>:
8048dc0: 55 push %ebp
8048dc1: 89 e5 mov %esp,%ebp
8048dc3: 53 push %ebx
8048dc4: 83 ec 14 sub $0x14,%esp
# %ebx = val, kept in a callee-saved register across entry_check
8048dc7: 8b 5d 08 mov 0x8(%ebp),%ebx
8048dca: c7 04 24 01 00 00 00 movl $0x1,(%esp)
8048dd1: e8 da fb ff ff call 80489b0 <entry_check>
8048dd6: 3b 1d cc a1 04 08 cmp 0x804a1cc,%ebx
8048ddc: 74 22 je 8048e00 <fizz+0x40>
8048dde: 89 5c 24 04 mov %ebx,0x4(%esp)
8048de2: c7 04 24 d0 97 04 08 movl $0x80497d0,(%esp)
8048de9: e8 1a fa ff ff call 8048808 <printf@plt>
8048dee: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048df5: e8 be fa ff ff call 80488b8 <exit@plt>
8048dfa: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8048e00: 89 5c 24 04 mov %ebx,0x4(%esp)
8048e04: c7 04 24 58 99 04 08 movl $0x8049958,(%esp)
8048e0b: e8 f8 f9 ff ff call 8048808 <printf@plt>
8048e10: c7 04 24 01 00 00 00 movl $0x1,(%esp)
8048e17: e8 d4 fc ff ff call 8048af0 <validate>
8048e1c: eb d0 jmp 8048dee <fizz+0x2e>
8048e1e: 66 90 xchg %ax,%ax
# smoke: level-0 target. Records level 0 via entry_check, prints the string
# at 0x8049976, calls validate(0) and ends in exit(0); it never returns.
08048e20 <smoke>:
8048e20: 55 push %ebp
8048e21: 89 e5 mov %esp,%ebp
8048e23: 83 ec 08 sub $0x8,%esp
8048e26: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048e2d: e8 7e fb ff ff call 80489b0 <entry_check>
8048e32: c7 04 24 76 99 04 08 movl $0x8049976,(%esp)
8048e39: e8 3a fa ff ff call 8048878 <puts@plt>
8048e3e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048e45: e8 a6 fc ff ff call 8048af0 <validate>
8048e4a: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048e51: e8 62 fa ff ff call 80488b8 <exit@plt>
8048e56: 8d 76 00 lea 0x0(%esi),%esi
8048e59: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
# Gets(dest): read one line from the stream at 0x804a1c0 into dest, stopping
# at '\n' or EOF, NUL-terminate it and return dest.
# In:     0x8(%ebp) = dest
# Modes:  flag at 0x804a1c8 == 0 -> bytes are stored as read
#         flag != 0 -> input is text; pairs of hex digits are combined into
#         one stored byte and every other character is skipped
# Side effects: resets the log counter at 0x804a1e0, logs each stored byte
#         through save_char, and NUL-terminates the log at 0x804a200.
# Review note: the function takes no destination length and never checks one,
# so the number of bytes written is decided entirely by the input. Every
# caller's buffer size is unenforced; a length parameter checked before each
# store (as fgets does) is the fix.
08048e60 <Gets>:
8048e60: 55 push %ebp
8048e61: 89 e5 mov %esp,%ebp
8048e63: 57 push %edi
8048e64: 56 push %esi
8048e65: 53 push %ebx
8048e66: 83 ec 0c sub $0xc,%esp
8048e69: 8b 1d c8 a1 04 08 mov 0x804a1c8,%ebx
8048e6f: c7 05 e0 a1 04 08 00 movl $0x0,0x804a1e0
8048e76: 00 00 00
# %esi = write cursor into dest
8048e79: 8b 75 08 mov 0x8(%ebp),%esi
8048e7c: 85 db test %ebx,%ebx
8048e7e: 74 72 je 8048ef2 <Gets+0x92>
# --- hex mode: %edi = 1 while waiting for the first digit of a pair,
#     -0x10(%ebp) holds the first digit's value
8048e80: bf 01 00 00 00 mov $0x1,%edi
8048e85: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp)
8048e8c: 8d 74 26 00 lea 0x0(%esi),%esi
8048e90: a1 c0 a1 04 08 mov 0x804a1c0,%eax
8048e95: 89 04 24 mov %eax,(%esp)
8048e98: e8 fb f8 ff ff call 8048798 <_IO_getc@plt>
# EOF (-1) or newline ends the line
8048e9d: 83 f8 ff cmp $0xffffffff,%eax
8048ea0: 89 c3 mov %eax,%ebx
8048ea2: 74 60 je 8048f04 <Gets+0xa4>
8048ea4: 83 f8 0a cmp $0xa,%eax
8048ea7: 74 5b je 8048f04 <Gets+0xa4>
# character-class test through the ctype table; characters without the bit
# are skipped. NOTE(review): the bit tested is consistent with isxdigit() -
# confirm against the libc headers.
8048ea9: e8 fa f8 ff ff call 80487a8 <__ctype_b_loc@plt>
8048eae: 8b 00 mov (%eax),%eax
8048eb0: f6 44 58 01 10 testb $0x10,0x1(%eax,%ebx,2)
8048eb5: 74 d9 je 8048e90 <Gets+0x30>
# digit value in %edx: c-'0' if that is <= 9, else c-'A'+10 if c-'A' <= 5,
# else c-'a'+10
8048eb7: 8d 43 d0 lea 0xffffffd0(%ebx),%eax
8048eba: 83 f8 09 cmp $0x9,%eax
8048ebd: 89 c2 mov %eax,%edx
8048ebf: 76 0f jbe 8048ed0 <Gets+0x70>
8048ec1: 8d 43 bf lea 0xffffffbf(%ebx),%eax
8048ec4: 83 f8 05 cmp $0x5,%eax
8048ec7: 8d 53 c9 lea 0xffffffc9(%ebx),%edx
8048eca: 76 04 jbe 8048ed0 <Gets+0x70>
8048ecc: 8d 53 a9 lea 0xffffffa9(%ebx),%edx
8048ecf: 90 nop
# first digit of a pair: remember it; second digit: go combine at 8048f20
8048ed0: 85 ff test %edi,%edi
8048ed2: 74 4c je 8048f20 <Gets+0xc0>
8048ed4: 31 ff xor %edi,%edi
8048ed6: 89 55 f0 mov %edx,0xfffffff0(%ebp)
8048ed9: eb b5 jmp 8048e90 <Gets+0x30>
8048edb: 90 nop
8048edc: 8d 74 26 00 lea 0x0(%esi),%esi
# --- raw mode loop: store the byte, advance, log it. No bound on %esi.
8048ee0: 83 f8 0a cmp $0xa,%eax
8048ee3: 74 1f je 8048f04 <Gets+0xa4>
8048ee5: 88 06 mov %al,(%esi)
8048ee7: 0f be c0 movsbl %al,%eax
8048eea: 83 c6 01 add $0x1,%esi
8048eed: e8 6e fa ff ff call 8048960 <save_char>
8048ef2: a1 c0 a1 04 08 mov 0x804a1c0,%eax
8048ef7: 89 04 24 mov %eax,(%esp)
8048efa: e8 99 f8 ff ff call 8048798 <_IO_getc@plt>
8048eff: 83 f8 ff cmp $0xffffffff,%eax
8048f02: 75 dc jne 8048ee0 <Gets+0x80>
# --- end of line: terminate dest and the log (log offset = 3 * counter)
8048f04: c6 06 00 movb $0x0,(%esi)
8048f07: a1 e0 a1 04 08 mov 0x804a1e0,%eax
8048f0c: c6 84 40 00 a2 04 08 movb $0x0,0x804a200(%eax,%eax,2
)
8048f13: 00
8048f14: 8b 45 08 mov 0x8(%ebp),%eax
8048f17: 83 c4 0c add $0xc,%esp
8048f1a: 5b pop %ebx
8048f1b: 5e pop %esi
8048f1c: 5f pop %edi
8048f1d: 5d pop %ebp
8048f1e: c3 ret
8048f1f: 90 nop
# --- hex mode, second digit: byte = (first << 4) + second; store, advance,
#     log, and expect a first digit again. No bound on %esi here either.
8048f20: 8b 45 f0 mov 0xfffffff0(%ebp),%eax
8048f23: bf 01 00 00 00 mov $0x1,%edi
8048f28: c1 e0 04 shl $0x4,%eax
8048f2b: 8d 04 02 lea (%edx,%eax,1),%eax
8048f2e: 88 06 mov %al,(%esi)
8048f30: 0f be c0 movsbl %al,%eax
8048f33: 83 c6 01 add $0x1,%esi
8048f36: e8 25 fa ff ff call 8048960 <save_char>
8048f3b: e9 50 ff ff ff jmp 8048e90 <Gets+0x30>
# getbufn: reads a line into a local buffer that starts 0x200 bytes below the
# saved frame pointer, then returns 1.
# Review note: Gets receives only the buffer address, so the 0x200-byte size
# is not enforced; the prologue and epilogue show no stack-protector check.
# Passing the size to a bounded reader and building with stack protection
# are the mitigations.
08048f40 <getbufn>:
8048f40: 55 push %ebp
8048f41: 89 e5 mov %esp,%ebp
8048f43: 81 ec 08 02 00 00 sub $0x208,%esp
# buf = -0x200(%ebp)
8048f49: 8d 85 00 fe ff ff lea 0xfffffe00(%ebp),%eax
8048f4f: 89 04 24 mov %eax,(%esp)
8048f52: e8 09 ff ff ff call 8048e60 <Gets>
8048f57: b8 01 00 00 00 mov $0x1,%eax
8048f5c: c9 leave
8048f5d: c3 ret
8048f5e: 66 90 xchg %ax,%ax
# testn: driver for level 4. Plants the constant 0xdeadbeef in a local,
# records level 4, calls getbufn and then checks two things: that the local
# is still 0xdeadbeef (else message at 0x80497f0) and whether getbufn's
# return value equals the cookie at 0x804a1cc (validate(4) on a match).
# Review note: the sentinel is an ordinary local with a fixed, known value,
# checked only after the callee has returned. It reports damage to this
# frame; it is not a substitute for a compiler-generated random canary
# checked in the callee's own epilogue.
08048f60 <testn>:
8048f60: 55 push %ebp
8048f61: 89 e5 mov %esp,%ebp
8048f63: 83 ec 18 sub $0x18,%esp
8048f66: c7 45 fc ef be ad de movl $0xdeadbeef,0xfffffffc(%eb
p)
8048f6d: c7 04 24 04 00 00 00 movl $0x4,(%esp)
8048f74: e8 37 fa ff ff call 80489b0 <entry_check>
8048f79: e8 c2 ff ff ff call 8048f40 <getbufn>
# %edx = getbufn's return value, %eax = sentinel as it is now
8048f7e: 89 c2 mov %eax,%edx
8048f80: 8b 45 fc mov 0xfffffffc(%ebp),%eax
8048f83: 3d ef be ad de cmp $0xdeadbeef,%eax
8048f88: 74 0e je 8048f98 <testn+0x38>
# sentinel changed
8048f8a: c7 04 24 f0 97 04 08 movl $0x80497f0,(%esp)
8048f91: e8 e2 f8 ff ff call 8048878 <puts@plt>
8048f96: c9 leave
8048f97: c3 ret
8048f98: 3b 15 cc a1 04 08 cmp 0x804a1cc,%edx
8048f9e: 74 12 je 8048fb2 <testn+0x52>
# return value differs from the cookie
8048fa0: 89 54 24 04 mov %edx,0x4(%esp)
8048fa4: c7 04 24 91 99 04 08 movl $0x8049991,(%esp)
8048fab: e8 58 f8 ff ff call 8048808 <printf@plt>
8048fb0: c9 leave
8048fb1: c3 ret
# return value equals the cookie
8048fb2: 89 54 24 04 mov %edx,0x4(%esp)
8048fb6: c7 04 24 1c 98 04 08 movl $0x804981c,(%esp)
8048fbd: e8 46 f8 ff ff call 8048808 <printf@plt>
8048fc2: c7 04 24 04 00 00 00 movl $0x4,(%esp)
8048fc9: e8 22 fb ff ff call 8048af0 <validate>
8048fce: c9 leave
8048fcf: c3 ret
# getbuf: reads a line into a local buffer that starts 0xc bytes below the
# saved frame pointer, then returns 1.
# Review note: this is the classic unbounded-read defect. Gets receives only
# the buffer address, so input longer than the buffer is written over the
# rest of the frame, and the prologue and epilogue show no stack-protector
# check that would detect it before the return. Mitigations: a bounded
# reader that takes the buffer size, compiler stack protection, and a
# non-executable stack.
08048fd0 <getbuf>:
8048fd0: 55 push %ebp
8048fd1: 89 e5 mov %esp,%ebp
8048fd3: 83 ec 18 sub $0x18,%esp
# buf = -0xc(%ebp)
8048fd6: 8d 45 f4 lea 0xfffffff4(%ebp),%eax
8048fd9: 89 04 24 mov %eax,(%esp)
8048fdc: e8 7f fe ff ff call 8048e60 <Gets>
8048fe1: b8 01 00 00 00 mov $0x1,%eax
8048fe6: c9 leave
8048fe7: c3 ret
8048fe8: 90 nop
8048fe9: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
# test: driver for level 3. Plants the constant 0xdeadbeef in a local,
# records level 3, calls getbuf and then checks two things: that the local is
# still 0xdeadbeef (else message at 0x80497f0) and whether getbuf's return
# value equals the cookie at 0x804a1cc (validate(3) on a match).
# Review note: the sentinel is an ordinary local with a fixed, known value,
# checked only after the callee has returned; it is not a substitute for a
# compiler-generated random canary checked in the callee's own epilogue.
08048ff0 <test>:
8048ff0: 55 push %ebp
8048ff1: 89 e5 mov %esp,%ebp
8048ff3: 83 ec 18 sub $0x18,%esp
8048ff6: c7 45 fc ef be ad de movl $0xdeadbeef,0xfffffffc(%eb
p)
8048ffd: c7 04 24 03 00 00 00 movl $0x3,(%esp)
8049004: e8 a7 f9 ff ff call 80489b0 <entry_check>
8049009: e8 c2 ff ff ff call 8048fd0 <getbuf>
# %edx = getbuf's return value, %eax = sentinel as it is now
804900e: 89 c2 mov %eax,%edx
8049010: 8b 45 fc mov 0xfffffffc(%ebp),%eax
8049013: 3d ef be ad de cmp $0xdeadbeef,%eax
8049018: 74 0e je 8049028 <test+0x38>
# sentinel changed
804901a: c7 04 24 f0 97 04 08 movl $0x80497f0,(%esp)
8049021: e8 52 f8 ff ff call 8048878 <puts@plt>
8049026: c9 leave
8049027: c3 ret
8049028: 3b 15 cc a1 04 08 cmp 0x804a1cc,%edx
804902e: 74 12 je 8049042 <test+0x52>
# return value differs from the cookie
8049030: 89 54 24 04 mov %edx,0x4(%esp)
8049034: c7 04 24 ca 99 04 08 movl $0x80499ca,(%esp)
804903b: e8 c8 f7 ff ff call 8048808 <printf@plt>
8049040: c9 leave
8049041: c3 ret
# return value equals the cookie
8049042: 89 54 24 04 mov %edx,0x4(%esp)
8049046: c7 04 24 ad 99 04 08 movl $0x80499ad,(%esp)
804904d: e8 b6 f7 ff ff call 8048808 <printf@plt>
8049052: c7 04 24 03 00 00 00 movl $0x3,(%esp)
8049059: e8 92 fa ff ff call 8048af0 <validate>
804905e: c9 leave
804905f: c3 ret
# launch: reserve a variable amount of stack, fill it, prompt, and run one
# attempt.
# In:  %eax = mode (non-zero -> testn, zero -> test), kept in %ebx
#      %edx = extra offset supplied by main
# The reserved size is %edx plus bits 3..13 of a frame address, rounded for
# alignment; the region is filled with byte 0xf4 (the byte this listing
# decodes as hlt in _start).
# NOTE(review): presumably this exists to control where the callee's frame
# lands - the listing shows the arithmetic but not the intent.
# After the attempt, prints the string at 0x8049864 when the success flag at
# 0x804a1d8 is still 0.
08049060 <launch>:
8049060: 55 push %ebp
8049061: 89 e5 mov %esp,%ebp
8049063: 53 push %ebx
8049064: 89 c3 mov %eax,%ebx
# %eax = (ebp - 0x44) & 0x3ff8; %edx += that
8049066: 8d 45 bc lea 0xffffffbc(%ebp),%eax
8049069: 83 ec 54 sub $0x54,%esp
804906c: 25 f8 3f 00 00 and $0x3ff8,%eax
8049071: 01 c2 add %eax,%edx
# variable-size stack reservation: esp -= (edx + 0x1e) & ~0xf
8049073: 8d 42 1e lea 0x1e(%edx),%eax
8049076: 83 e0 f0 and $0xfffffff0,%eax
8049079: 29 c4 sub %eax,%esp
# memset(16-byte-aligned start of the region, 0xf4, edx)
804907b: 8d 44 24 1b lea 0x1b(%esp),%eax
804907f: 83 e0 f0 and $0xfffffff0,%eax
8049082: 89 54 24 08 mov %edx,0x8(%esp)
8049086: c7 44 24 04 f4 00 00 movl $0xf4,0x4(%esp)
804908d: 00
804908e: 89 04 24 mov %eax,(%esp)
8049091: e8 e2 f6 ff ff call 8048778 <memset@plt>
# prompt unless the flag at 0x804a1c4 is set; the text depends on the
# hex-input flag at 0x804a1c8
8049096: a1 c4 a1 04 08 mov 0x804a1c4,%eax
804909b: 85 c0 test %eax,%eax
804909d: 75 15 jne 80490b4 <launch+0x54>
804909f: a1 c8 a1 04 08 mov 0x804a1c8,%eax
80490a4: 85 c0 test %eax,%eax
80490a6: 74 40 je 80490e8 <launch+0x88>
80490a8: c7 04 24 e5 99 04 08 movl $0x80499e5,(%esp)
80490af: e8 54 f7 ff ff call 8048808 <printf@plt>
# dispatch on the mode saved in %ebx
80490b4: 85 db test %ebx,%ebx
80490b6: 74 29 je 80490e1 <launch+0x81>
80490b8: e8 a3 fe ff ff call 8048f60 <testn>
# success flag still 0 -> print the string at 0x8049864
80490bd: a1 d8 a1 04 08 mov 0x804a1d8,%eax
80490c2: 85 c0 test %eax,%eax
80490c4: 75 16 jne 80490dc <launch+0x7c>
80490c6: c7 04 24 64 98 04 08 movl $0x8049864,(%esp)
80490cd: e8 a6 f7 ff ff call 8048878 <puts@plt>
80490d2: c7 05 d8 a1 04 08 00 movl $0x0,0x804a1d8
80490d9: 00 00 00
80490dc: 8b 5d fc mov 0xfffffffc(%ebp),%ebx
80490df: c9 leave
80490e0: c3 ret
80490e1: e8 0a ff ff ff call 8048ff0 <test>
80490e6: eb d5 jmp 80490bd <launch+0x5d>
80490e8: c7 04 24 f6 99 04 08 movl $0x80499f6,(%esp)
80490ef: e8 14 f7 ff ff call 8048808 <printf@plt>
80490f4: eb be jmp 80490b4 <launch+0x54>
80490f6: 8d 76 00 lea 0x0(%esi),%esi
80490f9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
# main: install signal handlers, parse options, derive per-run stack offsets
# from the cookie, and call launch once per attempt.
# Locals: -0x14(%ebp) attempt count (default 1), -0x18(%ebp) mode passed to
#         launch (default 0), -0x1c(%ebp) base offset
# Globals written: 0x804a1c0 input stream, 0x804a1c8 hex-input flag,
#         0x804a1d0 id string, 0x804a1cc cookie, 0x804a170 / 0x804a1c4 /
#         0x804a1d4 / 0x804a178 option flags and alarm value
# The option letters cannot be read from this listing: dispatch goes through
# the jump table at 0x8049a3c, which is data and is not shown.
# Review notes: the calloc result is used without a NULL check, and the
# offsets come from random() seeded with the cookie, so they are reproducible
# for a given id rather than unpredictable.
08049100 <main>:
8049100: 8d 4c 24 04 lea 0x4(%esp),%ecx
8049104: 83 e4 f0 and $0xfffffff0,%esp
8049107: ff 71 fc pushl 0xfffffffc(%ecx)
804910a: 55 push %ebp
804910b: 89 e5 mov %esp,%ebp
804910d: 57 push %edi
804910e: 56 push %esi
804910f: 53 push %ebx
8049110: 51 push %ecx
8049111: 83 ec 18 sub $0x18,%esp
# %esi = argc, %ebx = argv
8049114: 8b 31 mov (%ecx),%esi
8049116: 8b 59 04 mov 0x4(%ecx),%ebx
# signal(11, seghandler)
8049119: c7 44 24 04 30 8a 04 movl $0x8048a30,0x4(%esp)
8049120: 08
8049121: c7 04 24 0b 00 00 00 movl $0xb,(%esp)
8049128: e8 0b f6 ff ff call 8048738 <signal@plt>
# signal(7, bushandler)
804912d: c7 44 24 04 60 8a 04 movl $0x8048a60,0x4(%esp)
8049134: 08
8049135: c7 04 24 07 00 00 00 movl $0x7,(%esp)
804913c: e8 f7 f5 ff ff call 8048738 <signal@plt>
# signal(14, alarmhandler)
8049141: c7 44 24 04 f0 89 04 movl $0x80489f0,0x4(%esp)
8049148: 08
8049149: c7 04 24 0e 00 00 00 movl $0xe,(%esp)
8049150: e8 e3 f5 ff ff call 8048738 <signal@plt>
# signal(4, illegalhandler)
8049155: c7 44 24 04 c0 89 04 movl $0x80489c0,0x4(%esp)
804915c: 08
804915d: c7 04 24 04 00 00 00 movl $0x4,(%esp)
8049164: e8 cf f5 ff ff call 8048738 <signal@plt>
# default input stream = the pointer stored at 0x804a1a0
# NOTE(review): presumably stdin - confirm from the symbol table
8049169: a1 a0 a1 04 08 mov 0x804a1a0,%eax
804916e: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp)
8049175: c7 45 ec 01 00 00 00 movl $0x1,0xffffffec(%ebp)
804917c: a3 c0 a1 04 08 mov %eax,0x804a1c0
# --- option loop: getopt(argc, argv, option string at 0x8049a32)
8049181: c7 44 24 08 32 9a 04 movl $0x8049a32,0x8(%esp)
8049188: 08
8049189: 89 5c 24 04 mov %ebx,0x4(%esp)
804918d: 89 34 24 mov %esi,(%esp)
8049190: e8 33 f6 ff ff call 80487c8 <getopt@plt>
# low byte 0xff (-1) = no more options
8049195: 3c ff cmp $0xff,%al
8049197: 0f 84 09 01 00 00 je 80492a6 <main+0x1a6>
# range check before the table jump: only (option - 0x66) <= 0x12 is
# dispatched; anything else goes to usage()
804919d: 83 e8 66 sub $0x66,%eax
80491a0: 3c 12 cmp $0x12,%al
80491a2: 76 0c jbe 80491b0 <main+0xb0>
80491a4: 8b 03 mov (%ebx),%eax
80491a6: e8 e5 f8 ff ff call 8048a90 <usage>
80491ab: eb d4 jmp 8049181 <main+0x81>
80491ad: 8d 76 00 lea 0x0(%esi),%esi
80491b0: 0f b6 c0 movzbl %al,%eax
80491b3: ff 24 85 3c 9a 04 08 jmp *0x8049a3c(,%eax,4)
# case: enable hex-input mode for Gets
80491ba: c7 05 c8 a1 04 08 01 movl $0x1,0x804a1c8
80491c1: 00 00 00
80491c4: eb bb jmp 8049181 <main+0x81>
# case: id = strdup(string at 0x804a1a4); print it; cookie = gencookie(id);
# print it. NOTE(review): 0x804a1a4 is presumably optarg - confirm.
80491c6: a1 a4 a1 04 08 mov 0x804a1a4,%eax
80491cb: 89 04 24 mov %eax,(%esp)
80491ce: e8 d5 f6 ff ff call 80488a8 <__strdup@plt>
80491d3: a3 d0 a1 04 08 mov %eax,0x804a1d0
80491d8: 89 44 24 04 mov %eax,0x4(%esp)
80491dc: c7 04 24 03 9a 04 08 movl $0x8049a03,(%esp)
80491e3: e8 20 f6 ff ff call 8048808 <printf@plt>
80491e8: a1 d0 a1 04 08 mov 0x804a1d0,%eax
80491ed: 89 04 24 mov %eax,(%esp)
80491f0: e8 fb 01 00 00 call 80493f0 <gencookie>
80491f5: a3 cc a1 04 08 mov %eax,0x804a1cc
80491fa: 89 44 24 04 mov %eax,0x4(%esp)
80491fe: c7 04 24 0d 9a 04 08 movl $0x8049a0d,(%esp)
8049205: e8 fe f5 ff ff call 8048808 <printf@plt>
804920a: e9 72 ff ff ff jmp 8049181 <main+0x81>
# case: set 0x804a170 (validate only reports when this is non-zero)
804920f: c7 05 70 a1 04 08 01 movl $0x1,0x804a170
8049216: 00 00 00
8049219: e9 63 ff ff ff jmp 8049181 <main+0x81>
# case: set 0x804a1c4 (launch skips its prompt)
804921e: c7 05 c4 a1 04 08 01 movl $0x1,0x804a1c4
8049225: 00 00 00
8049228: e9 54 ff ff ff jmp 8049181 <main+0x81>
# case: mode = 1 (launch calls testn) and attempt count = 5
804922d: c7 45 e8 01 00 00 00 movl $0x1,0xffffffe8(%ebp)
8049234: c7 45 ec 05 00 00 00 movl $0x5,0xffffffec(%ebp)
804923b: e9 41 ff ff ff jmp 8049181 <main+0x81>
# case: set 0x804a1d4, 0x804a1c4 and the alarm value 0x804a178 to 1
8049240: c7 05 d4 a1 04 08 01 movl $0x1,0x804a1d4
8049247: 00 00 00
804924a: c7 05 c4 a1 04 08 01 movl $0x1,0x804a1c4
8049251: 00 00 00
8049254: c7 05 78 a1 04 08 01 movl $0x1,0x804a178
804925b: 00 00 00
804925e: e9 1e ff ff ff jmp 8049181 <main+0x81>
# case: input stream = fopen(string at 0x804a1a4, mode at 0x8049a1b);
# on failure print the name and call usage()
8049263: c7 44 24 04 1b 9a 04 movl $0x8049a1b,0x4(%esp)
804926a: 08
804926b: a1 a4 a1 04 08 mov 0x804a1a4,%eax
8049270: 89 04 24 mov %eax,(%esp)
8049273: e8 60 f5 ff ff call 80487d8 <fopen@plt>
8049278: 85 c0 test %eax,%eax
804927a: a3 c0 a1 04 08 mov %eax,0x804a1c0
804927f: 0f 85 fc fe ff ff jne 8049181 <main+0x81>
8049285: a1 a4 a1 04 08 mov 0x804a1a4,%eax
804928a: c7 04 24 1d 9a 04 08 movl $0x8049a1d,(%esp)
8049291: 89 44 24 04 mov %eax,0x4(%esp)
8049295: e8 6e f5 ff ff call 8048808 <printf@plt>
804929a: 8b 03 mov (%ebx),%eax
804929c: e8 ef f7 ff ff call 8048a90 <usage>
80492a1: e9 db fe ff ff jmp 8049181 <main+0x81>
# --- options done: an id is mandatory (else message + usage at 804936c)
80492a6: a1 d0 a1 04 08 mov 0x804a1d0,%eax
80492ab: 85 c0 test %eax,%eax
80492ad: 0f 84 b9 00 00 00 je 804936c <main+0x26c>
# srandom(cookie); base offset = random() & 0xff8
80492b3: a1 cc a1 04 08 mov 0x804a1cc,%eax
80492b8: 89 04 24 mov %eax,(%esp)
80492bb: e8 58 f5 ff ff call 8048818 <srandom@plt>
80492c0: e8 63 f4 ff ff call 8048728 <random@plt>
80492c5: 25 f8 0f 00 00 and $0xff8,%eax
80492ca: 89 45 e4 mov %eax,0xffffffe4(%ebp)
# offsets = calloc(count, 4); the result is stored and indexed below without
# a NULL check
80492cd: c7 44 24 04 04 00 00 movl $0x4,0x4(%esp)
80492d4: 00
80492d5: 8b 45 ec mov 0xffffffec(%ebp),%eax
80492d8: 89 04 24 mov %eax,(%esp)
80492db: e8 78 f4 ff ff call 8048758 <calloc@plt>
80492e0: 89 c6 mov %eax,%esi
# when count > 2: offsets[0 .. count-3] = random() & 0x38
80492e2: 8b 45 ec mov 0xffffffec(%ebp),%eax
80492e5: 83 e8 02 sub $0x2,%eax
80492e8: 85 c0 test %eax,%eax
80492ea: 7e 1e jle 804930a <main+0x20a>
80492ec: 8b 45 ec mov 0xffffffec(%ebp),%eax
80492ef: bb 01 00 00 00 mov $0x1,%ebx
80492f4: 8d 78 ff lea 0xffffffff(%eax),%edi
80492f7: e8 2c f4 ff ff call 8048728 <random@plt>
80492fc: 83 e0 38 and $0x38,%eax
80492ff: 89 44 9e fc mov %eax,0xfffffffc(%esi,%ebx,
4)
8049303: 83 c3 01 add $0x1,%ebx
8049306: 39 fb cmp %edi,%ebx
8049308: 75 ed jne 80492f7 <main+0x1f7>
# when count > 1: offsets[count-2] = 0x38; always: offsets[count-1] = 0
804930a: 83 7d ec 01 cmpl $0x1,0xffffffec(%ebp)
804930e: 7e 54 jle 8049364 <main+0x264>
8049310: 8b 45 ec mov 0xffffffec(%ebp),%eax
8049313: c1 e0 02 shl $0x2,%eax
8049316: c7 44 30 f8 38 00 00 movl $0x38,0xfffffff8(%eax,%esi
,1)
804931d: 00
804931e: c7 44 30 fc 00 00 00 movl $0x0,0xfffffffc(%eax,%esi,
1)
8049325: 00
# alarm(value at 0x804a178)
8049326: a1 78 a1 04 08 mov 0x804a178,%eax
804932b: 89 04 24 mov %eax,(%esp)
804932e: e8 b5 f4 ff ff call 80487e8 <alarm@plt>
# --- attempt loop: for i in 0..count-1: launch(mode, base + offsets[i]),
#     arguments passed in %eax and %edx
8049333: 8b 45 ec mov 0xffffffec(%ebp),%eax
8049336: 85 c0 test %eax,%eax
8049338: 7e 1c jle 8049356 <main+0x256>
804933a: 31 db xor %ebx,%ebx
804933c: 8d 74 26 00 lea 0x0(%esi),%esi
8049340: 8b 55 e4 mov 0xffffffe4(%ebp),%edx
8049343: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
8049346: 03 14 9e add (%esi,%ebx,4),%edx
8049349: 83 c3 01 add $0x1,%ebx
804934c: e8 0f fd ff ff call 8049060 <launch>
8049351: 3b 5d ec cmp 0xffffffec(%ebp),%ebx
8049354: 75 ea jne 8049340 <main+0x240>
# return 0
8049356: 83 c4 18 add $0x18,%esp
8049359: 31 c0 xor %eax,%eax
804935b: 59 pop %ecx
804935c: 5b pop %ebx
804935d: 5e pop %esi
804935e: 5f pop %edi
804935f: 5d pop %ebp
8049360: 8d 61 fc lea 0xfffffffc(%ecx),%esp
8049363: c3 ret
8049364: 8b 45 ec mov 0xffffffec(%ebp),%eax
8049367: c1 e0 02 shl $0x2,%eax
804936a: eb b2 jmp 804931e <main+0x21e>
# missing id: message at 0x804983c, then usage(), which exits
804936c: c7 04 24 3c 98 04 08 movl $0x804983c,(%esp)
8049373: e8 00 f5 ff ff call 8048878 <puts@plt>
8049378: 8b 03 mov (%ebx),%eax
804937a: e8 11 f7 ff ff call 8048a90 <usage>
804937f: e9 2f ff ff ff jmp 80492b3 <main+0x1b3>
8049384: 90 nop
8049385: 90 nop
8049386: 90 nop
8049387: 90 nop
8049388: 90 nop
8049389: 90 nop
804938a: 90 nop
804938b: 90 nop
804938c: 90 nop
804938d: 90 nop
804938e: 90 nop
804938f: 90 nop
08049390 <hash>:
# hash: fold a NUL-terminated byte string into a 32-bit value.
# C equivalent of the visible code: h = 0; for each byte c before the NUL: h = h * 0x67 + (signed char)c.
# In:  0x8(%ebp) = pointer to the string (cdecl stack argument).
# Out: %eax = accumulated value (0 for an empty string).
# Uses %ecx as the cursor and %edx as the current byte; no callee-saved register besides %ebp is touched.
8049390: 55 push %ebp
8049391: 31 c0 xor %eax,%eax  # h = 0
8049393: 89 e5 mov %esp,%ebp
8049395: 8b 4d 08 mov 0x8(%ebp),%ecx  # ecx = string pointer
8049398: 0f b6 11 movzbl (%ecx),%edx  # edx = first byte
804939b: 84 d2 test %dl,%dl
804939d: 74 15 je 80493b4 <hash+0x24>  # empty string: return 0
804939f: 90 nop
80493a0: 6b c0 67 imul $0x67,%eax,%eax  # h *= 103 (wraps modulo 2^32)
80493a3: 0f be d2 movsbl %dl,%edx  # byte is sign-extended before the add
80493a6: 8d 04 02 lea (%edx,%eax,1),%eax  # h += c
80493a9: 0f b6 51 01 movzbl 0x1(%ecx),%edx  # fetch the next byte
80493ad: 83 c1 01 add $0x1,%ecx
80493b0: 84 d2 test %dl,%dl
80493b2: 75 ec jne 80493a0 <hash+0x10>  # loop until the NUL terminator
80493b4: 5d pop %ebp
80493b5: c3 ret
80493b6: 8d 76 00 lea 0x0(%esi),%esi
80493b9: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
080493c0 <check>:
# check: accept or reject a 32-bit candidate value.
# In:  0x8(%ebp) = candidate value.
# Out: %eax = 1 when the top four bits are non-zero AND none of the four bytes equals 0x0a
#      (the ASCII newline byte); %eax = 0 otherwise.
# Uses %ecx as the shift count (0, 8, 16, 24) and %edx as the candidate.
80493c0: 55 push %ebp
80493c1: 89 e5 mov %esp,%ebp
80493c3: 8b 55 08 mov 0x8(%ebp),%edx
80493c6: 89 d0 mov %edx,%eax
80493c8: c1 e8 1c shr $0x1c,%eax  # isolate bits 31..28
80493cb: 85 c0 test %eax,%eax
80493cd: 74 19 je 80493e8 <check+0x28>  # top nibble is zero: reject
80493cf: 31 c9 xor %ecx,%ecx  # shift = 0
80493d1: 89 d0 mov %edx,%eax
80493d3: d3 e8 shr %cl,%eax  # bring the next byte into %al
80493d5: 3c 0a cmp $0xa,%al
80493d7: 74 0f je 80493e8 <check+0x28>  # a byte equals 0x0a: reject
80493d9: 83 c1 08 add $0x8,%ecx
80493dc: 83 f9 20 cmp $0x20,%ecx
80493df: 75 f0 jne 80493d1 <check+0x11>  # repeat for all four bytes
80493e1: 5d pop %ebp
80493e2: b8 01 00 00 00 mov $0x1,%eax  # accepted
80493e7: c3 ret
80493e8: 5d pop %ebp
80493e9: 31 c0 xor %eax,%eax  # rejected
80493eb: c3 ret
80493ec: 8d 74 26 00 lea 0x0(%esi),%esi
080493f0 <gencookie>:
# gencookie: derive a 32-bit value from a string.
# Visible flow: srand(hash(s)); do { v = rand(); } while (check(v) == 0); return v;
# In:  0x8(%ebp) = pointer to the string passed on to hash.
# Out: %eax = first rand() result that check accepts.
# The result depends only on the string and the libc rand() sequence, so the same input yields the same value.
# %ebx (callee-saved) keeps the candidate alive across the call to check.
80493f0: 55 push %ebp
80493f1: 89 e5 mov %esp,%ebp
80493f3: 53 push %ebx
80493f4: 83 ec 04 sub $0x4,%esp  # one outgoing-argument slot
80493f7: 8b 45 08 mov 0x8(%ebp),%eax
80493fa: 89 04 24 mov %eax,(%esp)
80493fd: e8 8e ff ff ff call 8049390 <hash>
8049402: 89 04 24 mov %eax,(%esp)  # the hash result becomes the seed
8049405: e8 0e f3 ff ff call 8048718 <srand@plt>
804940a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi  # no-op filler before the loop head
8049410: e8 73 f4 ff ff call 8048888 <rand@plt>
8049415: 89 c3 mov %eax,%ebx  # keep the candidate
8049417: 89 04 24 mov %eax,(%esp)
804941a: e8 a1 ff ff ff call 80493c0 <check>
804941f: 85 c0 test %eax,%eax
8049421: 74 ed je 8049410 <gencookie+0x20>  # rejected: draw another value
8049423: 89 d8 mov %ebx,%eax  # return the accepted candidate
8049425: 83 c4 04 add $0x4,%esp
8049428: 5b pop %ebx
8049429: 5d pop %ebp
804942a: c3 ret
804942b: 90 nop
804942c: 90 nop
804942d: 90 nop
804942e: 90 nop
804942f: 90 nop
08049430 <__libc_csu_fini>:
# __libc_csu_fini: empty function in this binary; it builds a frame, tears it down and returns.
8049430: 55 push %ebp
8049431: 89 e5 mov %esp,%ebp
8049433: 5d pop %ebp
8049434: c3 ret
8049435: 8d 74 26 00 lea 0x0(%esi),%esi
8049439: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08049440 <__libc_csu_init>:
# __libc_csu_init: start-up helper that calls _init and then walks a table of function pointers.
# In:  0x8(%ebp), 0xc(%ebp), 0x10(%ebp) = three stack arguments, forwarded unchanged to every table entry.
# Saves and restores %edi, %esi, %ebx (callee-saved).
# NOTE(review): %ebx + 0xc9d is presumably the GOT base used for PC-relative addressing — confirm
# against the section headers.
8049440: 55 push %ebp
8049441: 89 e5 mov %esp,%ebp
8049443: 57 push %edi
8049444: 56 push %esi
8049445: 53 push %ebx
8049446: e8 4f 00 00 00 call 804949a <__i686.get_pc_thunk.bx>  # ebx = address of the next instruction
804944b: 81 c3 9d 0c 00 00 add $0xc9d,%ebx
8049451: 83 ec 0c sub $0xc,%esp  # room for three outgoing arguments
8049454: e8 6f f2 ff ff call 80486c8 <_init>
8049459: 8d bb 18 ff ff ff lea 0xffffff18(%ebx),%edi  # table end
804945f: 8d 83 18 ff ff ff lea 0xffffff18(%ebx),%eax  # table start (same displacement as the end here)
8049465: 29 c7 sub %eax,%edi
8049467: c1 ff 02 sar $0x2,%edi  # entry count = byte length / 4
804946a: 85 ff test %edi,%edi
804946c: 74 24 je 8049492 <__libc_csu_init+0x52>  # empty table: skip the loop
804946e: 31 f6 xor %esi,%esi  # index = 0
8049470: 8b 45 10 mov 0x10(%ebp),%eax
8049473: 89 44 24 08 mov %eax,0x8(%esp)
8049477: 8b 45 0c mov 0xc(%ebp),%eax
804947a: 89 44 24 04 mov %eax,0x4(%esp)
804947e: 8b 45 08 mov 0x8(%ebp),%eax
8049481: 89 04 24 mov %eax,(%esp)
8049484: ff 94 b3 18 ff ff ff call *0xffffff18(%ebx,%esi,4)  # indirect call through table[index]
804948b: 83 c6 01 add $0x1,%esi
804948e: 39 f7 cmp %esi,%edi
8049490: 75 de jne 8049470 <__libc_csu_init+0x30>
8049492: 83 c4 0c add $0xc,%esp
8049495: 5b pop %ebx
8049496: 5e pop %esi
8049497: 5f pop %edi
8049498: 5d pop %ebp
8049499: c3 ret
0804949a <__i686.get_pc_thunk.bx>:
# __i686.get_pc_thunk.bx: copy the caller's return address (top of stack) into %ebx and return,
# giving the caller the address of the instruction that follows its call.
# Out: %ebx = return address. No other register is written.
804949a: 8b 1c 24 mov (%esp),%ebx
804949d: c3 ret
804949e: 90 nop
804949f: 90 nop
080494a0 <__do_global_ctors_aux>:
# __do_global_ctors_aux: call each entry of a function-pointer table, walking downward in memory
# from 0x804a000 until an entry equal to 0xffffffff is read.
# NOTE(review): the table is presumably the constructor list ending at 0x804a000 — confirm against
# the section headers.
# %ebx (callee-saved) holds the negative byte offset of the current entry.
80494a0: 55 push %ebp
80494a1: 89 e5 mov %esp,%ebp
80494a3: 53 push %ebx
80494a4: 83 ec 04 sub $0x4,%esp
80494a7: a1 00 a0 04 08 mov 0x804a000,%eax  # first entry
80494ac: 83 f8 ff cmp $0xffffffff,%eax
# Sentinel found immediately: nothing to call.
80494af: 74 12 je 80494c3 <__do_global_ctors_aux+0x2
3>
80494b1: 31 db xor %ebx,%ebx  # offset = 0
80494b3: ff d0 call *%eax  # indirect call through the current entry
80494b5: 8b 83 fc 9f 04 08 mov 0x8049ffc(%ebx),%eax  # load the entry 4 bytes below the previous one
80494bb: 83 eb 04 sub $0x4,%ebx
80494be: 83 f8 ff cmp $0xffffffff,%eax
# Keep going until the 0xffffffff sentinel is read.
80494c1: 75 f0 jne 80494b3 <__do_global_ctors_aux+0x1
3>
80494c3: 83 c4 04 add $0x4,%esp
80494c6: 5b pop %ebx
80494c7: 5d pop %ebp
80494c8: c3 ret
80494c9: 90 nop
80494ca: 90 nop
80494cb: 90 nop
Disassembly of section .fini:
080494cc <_fini>:
# _fini: termination stub in the .fini section; it calls __do_global_dtors_aux and returns.
# The call/pop pair at 80494d3/80494d8 loads the current instruction address into %ebx.
# NOTE(review): %ebx + 0xc10 is presumably the GOT base — confirm against the section headers.
80494cc: 55 push %ebp
80494cd: 89 e5 mov %esp,%ebp
80494cf: 53 push %ebx
80494d0: 83 ec 04 sub $0x4,%esp
80494d3: e8 00 00 00 00 call 80494d8 <_fini+0xc>  # pushes the address of the next instruction
80494d8: 5b pop %ebx  # ebx = 0x80494d8
80494d9: 81 c3 10 0c 00 00 add $0xc10,%ebx
80494df: e8 1c f4 ff ff call 8048900 <__do_global_dtors_aux>
80494e4: 59 pop %ecx  # discards the 4-byte slot reserved by the sub above
80494e5: 5b pop %ebx
80494e6: c9 leave
80494e7: c3 ret
Our preceding attacks have all caused the program to jump to the code for some other function, which
then causes the program to exit. As a result, it was acceptable to use exploit strings that corrupt the stack,
overwriting the saved value of register %ebp and the return pointer.
The most sophisticated form of buffer overflow attack causes the program to execute some exploit code
that patches up the stack and makes the program return to the original calling function (test in this case).
The calling function is oblivious to the attack. This style of attack is tricky, though, since you must: 1) get
machine code onto the stack, 2) set the return pointer to the start of this code, and 3) undo the corruptions
made to the stack state.
Your job for this level is to <<supply an exploit string that will cause getbuf to return your cookie back to
test, rather than the value 1>>. You can see in the code for test that this will cause the program to go
Boom!. Your exploit code should set your cookie as the return value, restore any corrupted state, push
the correct return location on the stack, and execute a ret instruction to really return to test.
Some Advice:
• In order to overwrite the return pointer, you must also overwrite the saved value of %ebp. However, it
is important that this value is correctly restored before you return to test. You can do this by either
1) making sure that your exploit string contains the correct value of the saved %ebp in the correct
position, so that it never gets corrupted, or 2) restoring the correct value as part of your exploit code.
You'll see that the code for test has some explicit tests to check for a corrupted stack.
• You can use GDB to get the information you need to construct your exploit string. Set a breakpoint
within getbuf and run to this breakpoint. Determine parameters such as the saved return address
and the saved value of %ebp.
• Again, let tools such as GCC and OBJDUMP do all of the work of generating a byte encoding of the
instructions.
• Keep in mind that your exploit string depends on your machine, your compiler, and even your team's
cookie. Do all of your work on a Fish machine, and make sure you include the proper team name on
the command line to BUFBOMB.
Once you complete this level, pause to reflect on what you have accomplished. You caused a program to
execute machine code of your own design. You have done so in a sufficiently stealthy way that the program did not realize that anything was amiss.
Hey Infinity, Want to tackle this one with me today? I have till 3:00 PM PST to get this in so any help would be awesome!!!!