first commit

2025-03-06 19:56:12 +08:00
commit 5b6db97133
47 changed files with 8549 additions and 0 deletions

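--- a/buflab/Readme.txt
+++ b/buflab/Readme.txt
@@ -0,0 +1,30 @@
+2017超级缓冲区炸弹
+使用IDA Pro反汇编、调试bufbomb.exe文件。
+你需要首先设置学号
+然后根据提示输入一串特定的十六进制字符串以便对bufbomb实现缓冲区溢出攻击。
+例如:
+2017超级缓冲区炸弹欢迎你
+============================
+你的通行密码是0X8E371DDA
+============================
+请输入攻击字符串十六进制串00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF
+鸟还活着!
+不错哦缓冲区溢出成功而且getbuf返回0X8E371DDA
+恭喜你你已经成功偷偷运行了第1只木马!
+通过第1只木马测试
+不错哦第2只木马运行了而且通行密码是正确的(0X8E371DDA
+通过第2只木马测试
+厉害第3只木马运行了而且你修改了全局变量正确global_value = 0X8E371DDA
+通过第3只木马测试
+不错哦缓冲区溢出成功而且getbuf返回0X8E371DDA
+厉害第4只木马运行了而且你修改了全局变量正确global_value = 0X8E371DDA
+通过第4只木马测试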

buflab/bufbomb.asm Normal file

@@ -0,0 +1,560 @@
bufbomb_linux elf64-x86-64
Disassembly of section .init:
0000000000001000 <_init>:
1000: f3 0f 1e fa endbr64
1004: 48 83 ec 08 sub $0x8,%rsp
1008: 48 8b 05 c1 2f 00 00 mov 0x2fc1(%rip),%rax # 3fd0 <__gmon_start__@Base>
100f: 48 85 c0 test %rax,%rax
1012: 74 02 je 1016 <_init+0x16>
1014: ff d0 call *%rax
1016: 48 83 c4 08 add $0x8,%rsp
101a: c3 ret
Disassembly of section .plt:
0000000000001020 <puts@plt-0x10>:
1020: ff 35 ca 2f 00 00 push 0x2fca(%rip) # 3ff0 <_GLOBAL_OFFSET_TABLE_+0x8>
1026: ff 25 cc 2f 00 00 jmp *0x2fcc(%rip) # 3ff8 <_GLOBAL_OFFSET_TABLE_+0x10>
102c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000001030 <puts@plt>:
1030: ff 25 ca 2f 00 00 jmp *0x2fca(%rip) # 4000 <puts@GLIBC_2.2.5>
1036: 68 00 00 00 00 push $0x0
103b: e9 e0 ff ff ff jmp 1020 <_init+0x20>
0000000000001040 <__stack_chk_fail@plt>:
1040: ff 25 c2 2f 00 00 jmp *0x2fc2(%rip) # 4008 <__stack_chk_fail@GLIBC_2.4>
1046: 68 01 00 00 00 push $0x1
104b: e9 d0 ff ff ff jmp 1020 <_init+0x20>
0000000000001050 <printf@plt>:
1050: ff 25 ba 2f 00 00 jmp *0x2fba(%rip) # 4010 <printf@GLIBC_2.2.5>
1056: 68 02 00 00 00 push $0x2
105b: e9 c0 ff ff ff jmp 1020 <_init+0x20>
0000000000001060 <getchar@plt>:
1060: ff 25 b2 2f 00 00 jmp *0x2fb2(%rip) # 4018 <getchar@GLIBC_2.2.5>
1066: 68 03 00 00 00 push $0x3
106b: e9 b0 ff ff ff jmp 1020 <_init+0x20>
0000000000001070 <atoi@plt>:
1070: ff 25 aa 2f 00 00 jmp *0x2faa(%rip) # 4020 <atoi@GLIBC_2.2.5>
1076: 68 04 00 00 00 push $0x4
107b: e9 a0 ff ff ff jmp 1020 <_init+0x20>
0000000000001080 <exit@plt>:
1080: ff 25 a2 2f 00 00 jmp *0x2fa2(%rip) # 4028 <exit@GLIBC_2.2.5>
1086: 68 05 00 00 00 push $0x5
108b: e9 90 ff ff ff jmp 1020 <_init+0x20>
0000000000001090 <__ctype_b_loc@plt>:
1090: ff 25 9a 2f 00 00 jmp *0x2f9a(%rip) # 4030 <__ctype_b_loc@GLIBC_2.3>
1096: 68 06 00 00 00 push $0x6
109b: e9 80 ff ff ff jmp 1020 <_init+0x20>
Disassembly of section .text:
00000000000010a0 <_start>:
10a0: f3 0f 1e fa endbr64
10a4: 31 ed xor %ebp,%ebp
10a6: 49 89 d1 mov %rdx,%r9
10a9: 5e pop %rsi
10aa: 48 89 e2 mov %rsp,%rdx
10ad: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
10b1: 50 push %rax
10b2: 54 push %rsp
10b3: 45 31 c0 xor %r8d,%r8d
10b6: 31 c9 xor %ecx,%ecx
10b8: 48 8d 3d 3a 05 00 00 lea 0x53a(%rip),%rdi # 15f9 <main>
10bf: ff 15 fb 2e 00 00 call *0x2efb(%rip) # 3fc0 <__libc_start_main@GLIBC_2.34>
10c5: f4 hlt
10c6: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
10cd: 00 00 00
10d0: 48 8d 3d 79 2f 00 00 lea 0x2f79(%rip),%rdi # 4050 <__TMC_END__>
10d7: 48 8d 05 72 2f 00 00 lea 0x2f72(%rip),%rax # 4050 <__TMC_END__>
10de: 48 39 f8 cmp %rdi,%rax
10e1: 74 1d je 1100 <_start+0x60>
10e3: 48 8b 05 de 2e 00 00 mov 0x2ede(%rip),%rax # 3fc8 <_ITM_deregisterTMCloneTable@Base>
10ea: 48 85 c0 test %rax,%rax
10ed: 74 11 je 1100 <_start+0x60>
10ef: ff e0 jmp *%rax
10f1: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
10f8: 00 00 00 00
10fc: 0f 1f 40 00 nopl 0x0(%rax)
1100: c3 ret
1101: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
1108: 00 00 00 00
110c: 0f 1f 40 00 nopl 0x0(%rax)
1110: 48 8d 3d 39 2f 00 00 lea 0x2f39(%rip),%rdi # 4050 <__TMC_END__>
1117: 48 8d 35 32 2f 00 00 lea 0x2f32(%rip),%rsi # 4050 <__TMC_END__>
111e: 48 29 fe sub %rdi,%rsi
1121: 48 89 f0 mov %rsi,%rax
1124: 48 c1 f8 03 sar $0x3,%rax
1128: 48 c1 ee 3f shr $0x3f,%rsi
112c: 48 01 c6 add %rax,%rsi
112f: 48 d1 fe sar $1,%rsi
1132: 74 1c je 1150 <_start+0xb0>
1134: 48 8b 05 9d 2e 00 00 mov 0x2e9d(%rip),%rax # 3fd8 <_ITM_registerTMCloneTable@Base>
113b: 48 85 c0 test %rax,%rax
113e: 74 10 je 1150 <_start+0xb0>
1140: ff e0 jmp *%rax
1142: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
1149: 00 00 00 00
114d: 0f 1f 00 nopl (%rax)
1150: c3 ret
1151: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
1158: 00 00 00 00
115c: 0f 1f 40 00 nopl 0x0(%rax)
1160: f3 0f 1e fa endbr64
1164: 80 3d e5 2e 00 00 00 cmpb $0x0,0x2ee5(%rip) # 4050 <__TMC_END__>
116b: 75 33 jne 11a0 <_start+0x100>
116d: 48 83 3d 6b 2e 00 00 cmpq $0x0,0x2e6b(%rip) # 3fe0 <__cxa_finalize@GLIBC_2.2.5>
1174: 00
1175: 55 push %rbp
1176: 48 89 e5 mov %rsp,%rbp
1179: 74 0d je 1188 <_start+0xe8>
117b: 48 8b 3d be 2e 00 00 mov 0x2ebe(%rip),%rdi # 4040 <__dso_handle>
1182: ff 15 58 2e 00 00 call *0x2e58(%rip) # 3fe0 <__cxa_finalize@GLIBC_2.2.5>
1188: e8 43 ff ff ff call 10d0 <_start+0x30>
118d: 5d pop %rbp
118e: c6 05 bb 2e 00 00 01 movb $0x1,0x2ebb(%rip) # 4050 <__TMC_END__>
1195: c3 ret
1196: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
119d: 00 00 00
11a0: c3 ret
11a1: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
11a8: 00 00 00 00
11ac: 0f 1f 40 00 nopl 0x0(%rax)
11b0: f3 0f 1e fa endbr64
11b4: e9 57 ff ff ff jmp 1110 <_start+0x70>
00000000000011b9 <GenerateRandomNumber>:
11b9: 55 push %rbp
11ba: 48 89 e5 mov %rsp,%rbp
11bd: 48 89 7d e8 mov %rdi,-0x18(%rbp)
11c1: 48 8b 05 90 2e 00 00 mov 0x2e90(%rip),%rax # 4058 <rand1_h>
11c8: 48 89 45 f8 mov %rax,-0x8(%rbp)
11cc: 48 8b 45 f8 mov -0x8(%rbp),%rax
11d0: 48 69 c0 c5 90 c6 6a imul $0x6ac690c5,%rax,%rax
11d7: 48 89 45 f8 mov %rax,-0x8(%rbp)
11db: 48 8b 55 f8 mov -0x8(%rbp),%rdx
11df: 48 8b 05 7a 2e 00 00 mov 0x2e7a(%rip),%rax # 4060 <rand1_l>
11e6: 48 01 d0 add %rdx,%rax
11e9: 48 89 45 f8 mov %rax,-0x8(%rbp)
11ed: 48 8b 45 f8 mov -0x8(%rbp),%rax
11f1: 48 89 05 60 2e 00 00 mov %rax,0x2e60(%rip) # 4058 <rand1_h>
11f8: 48 8b 45 f8 mov -0x8(%rbp),%rax
11fc: 48 c1 f8 20 sar $0x20,%rax
1200: 48 89 05 59 2e 00 00 mov %rax,0x2e59(%rip) # 4060 <rand1_l>
1207: 48 83 7d e8 00 cmpq $0x0,-0x18(%rbp)
120c: 74 1c je 122a <GenerateRandomNumber+0x71>
120e: 48 8b 05 43 2e 00 00 mov 0x2e43(%rip),%rax # 4058 <rand1_h>
1215: ba 00 00 00 00 mov $0x0,%edx
121a: 48 f7 75 e8 divq -0x18(%rbp)
121e: 48 89 d0 mov %rdx,%rax
1221: 48 89 05 40 2e 00 00 mov %rax,0x2e40(%rip) # 4068 <rand_div>
1228: eb 01 jmp 122b <GenerateRandomNumber+0x72>
122a: 90 nop
122b: 5d pop %rbp
122c: c3 ret
000000000000122d <getxs>:
122d: 55 push %rbp
122e: 48 89 e5 mov %rsp,%rbp
1231: 48 83 ec 30 sub $0x30,%rsp
1235: 48 89 7d d8 mov %rdi,-0x28(%rbp)
1239: c7 45 e8 01 00 00 00 movl $0x1,-0x18(%rbp)
1240: c7 45 ec 00 00 00 00 movl $0x0,-0x14(%rbp)
1247: 48 8b 45 d8 mov -0x28(%rbp),%rax
124b: 48 89 45 f8 mov %rax,-0x8(%rbp)
124f: e9 94 00 00 00 jmp 12e8 <getxs+0xbb>
1254: e8 37 fe ff ff call 1090 <__ctype_b_loc@plt>
1259: 48 8b 00 mov (%rax),%rax
125c: 8b 55 f4 mov -0xc(%rbp),%edx
125f: 48 63 d2 movslq %edx,%rdx
1262: 48 01 d2 add %rdx,%rdx
1265: 48 01 d0 add %rdx,%rax
1268: 0f b7 00 movzwl (%rax),%eax
126b: 0f b7 c0 movzwl %ax,%eax
126e: 25 00 10 00 00 and $0x1000,%eax
1273: 85 c0 test %eax,%eax
1275: 74 71 je 12e8 <getxs+0xbb>
1277: 83 7d f4 2f cmpl $0x2f,-0xc(%rbp)
127b: 7e 11 jle 128e <getxs+0x61>
127d: 83 7d f4 39 cmpl $0x39,-0xc(%rbp)
1281: 7f 0b jg 128e <getxs+0x61>
1283: 8b 45 f4 mov -0xc(%rbp),%eax
1286: 83 e8 30 sub $0x30,%eax
1289: 89 45 f0 mov %eax,-0x10(%rbp)
128c: eb 20 jmp 12ae <getxs+0x81>
128e: 83 7d f4 40 cmpl $0x40,-0xc(%rbp)
1292: 7e 11 jle 12a5 <getxs+0x78>
1294: 83 7d f4 46 cmpl $0x46,-0xc(%rbp)
1298: 7f 0b jg 12a5 <getxs+0x78>
129a: 8b 45 f4 mov -0xc(%rbp),%eax
129d: 83 e8 37 sub $0x37,%eax
12a0: 89 45 f0 mov %eax,-0x10(%rbp)
12a3: eb 09 jmp 12ae <getxs+0x81>
12a5: 8b 45 f4 mov -0xc(%rbp),%eax
12a8: 83 e8 57 sub $0x57,%eax
12ab: 89 45 f0 mov %eax,-0x10(%rbp)
12ae: 83 7d e8 00 cmpl $0x0,-0x18(%rbp)
12b2: 74 0f je 12c3 <getxs+0x96>
12b4: 8b 45 f0 mov -0x10(%rbp),%eax
12b7: 89 45 ec mov %eax,-0x14(%rbp)
12ba: c7 45 e8 00 00 00 00 movl $0x0,-0x18(%rbp)
12c1: eb 25 jmp 12e8 <getxs+0xbb>
12c3: 8b 45 ec mov -0x14(%rbp),%eax
12c6: c1 e0 04 shl $0x4,%eax
12c9: 89 c2 mov %eax,%edx
12cb: 8b 45 f0 mov -0x10(%rbp),%eax
12ce: 8d 0c 02 lea (%rdx,%rax,1),%ecx
12d1: 48 8b 45 f8 mov -0x8(%rbp),%rax
12d5: 48 8d 50 01 lea 0x1(%rax),%rdx
12d9: 48 89 55 f8 mov %rdx,-0x8(%rbp)
12dd: 89 ca mov %ecx,%edx
12df: 88 10 mov %dl,(%rax)
12e1: c7 45 e8 01 00 00 00 movl $0x1,-0x18(%rbp)
12e8: e8 73 fd ff ff call 1060 <getchar@plt>
12ed: 89 45 f4 mov %eax,-0xc(%rbp)
12f0: 83 7d f4 ff cmpl $0xffffffff,-0xc(%rbp)
12f4: 74 10 je 1306 <getxs+0xd9>
12f6: 83 7d f4 0a cmpl $0xa,-0xc(%rbp)
12fa: 74 0a je 1306 <getxs+0xd9>
12fc: 83 7d f4 0d cmpl $0xd,-0xc(%rbp)
1300: 0f 85 4e ff ff ff jne 1254 <getxs+0x27>
1306: 48 8b 45 f8 mov -0x8(%rbp),%rax
130a: 48 8d 50 01 lea 0x1(%rax),%rdx
130e: 48 89 55 f8 mov %rdx,-0x8(%rbp)
1312: c6 00 00 movb $0x0,(%rax)
1315: 48 8b 45 d8 mov -0x28(%rbp),%rax
1319: c9 leave
131a: c3 ret
000000000000131b <getbuf>:
131b: 55 push %rbp
131c: 48 89 e5 mov %rsp,%rbp
131f: 48 83 ec 20 sub $0x20,%rsp
1323: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
132a: 00 00
132c: 48 89 45 f8 mov %rax,-0x8(%rbp)
1330: 31 c0 xor %eax,%eax
1332: 48 8d 45 ec lea -0x14(%rbp),%rax
1336: 48 89 c7 mov %rax,%rdi
1339: e8 ef fe ff ff call 122d <getxs>
133e: b8 01 00 00 00 mov $0x1,%eax
1343: 48 8b 55 f8 mov -0x8(%rbp),%rdx
1347: 64 48 2b 14 25 28 00 sub %fs:0x28,%rdx
134e: 00 00
1350: 74 05 je 1357 <getbuf+0x3c>
1352: e8 e9 fc ff ff call 1040 <__stack_chk_fail@plt>
1357: c9 leave
1358: c3 ret
0000000000001359 <test>:
1359: 55 push %rbp
135a: 48 89 e5 mov %rsp,%rbp
135d: 48 83 ec 20 sub $0x20,%rsp
1361: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
1368: 00 00
136a: 48 89 45 f8 mov %rax,-0x8(%rbp)
136e: 31 c0 xor %eax,%eax
1370: c7 45 e8 ef be ad de movl $0xdeadbeef,-0x18(%rbp)
1377: bf 17 00 00 00 mov $0x17,%edi
137c: e8 38 fe ff ff call 11b9 <GenerateRandomNumber>
1381: 48 8b 05 e0 2c 00 00 mov 0x2ce0(%rip),%rax # 4068 <rand_div>
1388: 48 83 c0 01 add $0x1,%rax
138c: 48 8d 50 08 lea 0x8(%rax),%rdx
1390: b8 10 00 00 00 mov $0x10,%eax
1395: 48 83 e8 01 sub $0x1,%rax
1399: 48 01 d0 add %rdx,%rax
139c: b9 10 00 00 00 mov $0x10,%ecx
13a1: ba 00 00 00 00 mov $0x0,%edx
13a6: 48 f7 f1 div %rcx
13a9: 48 6b c0 10 imul $0x10,%rax,%rax
13ad: 48 29 c4 sub %rax,%rsp
13b0: 48 89 e0 mov %rsp,%rax
13b3: 48 83 c0 0f add $0xf,%rax
13b7: 48 c1 e8 04 shr $0x4,%rax
13bb: 48 c1 e0 04 shl $0x4,%rax
13bf: 48 89 45 f0 mov %rax,-0x10(%rbp)
13c3: 48 8b 45 f0 mov -0x10(%rbp),%rax
13c7: c6 00 6c movb $0x6c,(%rax)
13ca: e8 4c ff ff ff call 131b <getbuf>
13cf: 89 45 ec mov %eax,-0x14(%rbp)
13d2: 8b 45 e8 mov -0x18(%rbp),%eax
13d5: 3d ef be ad de cmp $0xdeadbeef,%eax
13da: 75 11 jne 13ed <test+0x94>
13dc: 48 8d 05 25 0c 00 00 lea 0xc25(%rip),%rax # 2008 <_IO_stdin_used+0x8>
13e3: 48 89 c7 mov %rax,%rdi
13e6: e8 45 fc ff ff call 1030 <puts@plt>
13eb: eb 0f jmp 13fc <test+0xa3>
13ed: 48 8d 05 24 0c 00 00 lea 0xc24(%rip),%rax # 2018 <_IO_stdin_used+0x18>
13f4: 48 89 c7 mov %rax,%rdi
13f7: e8 34 fc ff ff call 1030 <puts@plt>
13fc: 8b 05 46 2c 00 00 mov 0x2c46(%rip),%eax # 4048 <cookie>
1402: 39 45 ec cmp %eax,-0x14(%rbp)
1405: 75 1b jne 1422 <test+0xc9>
1407: 8b 45 ec mov -0x14(%rbp),%eax
140a: 89 c6 mov %eax,%esi
140c: 48 8d 05 3d 0c 00 00 lea 0xc3d(%rip),%rax # 2050 <_IO_stdin_used+0x50>
1413: 48 89 c7 mov %rax,%rdi
1416: b8 00 00 00 00 mov $0x0,%eax
141b: e8 30 fc ff ff call 1050 <printf@plt>
1420: eb 30 jmp 1452 <test+0xf9>
1422: 83 7d ec 01 cmpl $0x1,-0x14(%rbp)
1426: 75 11 jne 1439 <test+0xe0>
1428: 48 8d 05 61 0c 00 00 lea 0xc61(%rip),%rax # 2090 <_IO_stdin_used+0x90>
142f: 48 89 c7 mov %rax,%rdi
1432: e8 f9 fb ff ff call 1030 <puts@plt>
1437: eb 19 jmp 1452 <test+0xf9>
1439: 8b 45 ec mov -0x14(%rbp),%eax
143c: 89 c6 mov %eax,%esi
143e: 48 8d 05 83 0c 00 00 lea 0xc83(%rip),%rax # 20c8 <_IO_stdin_used+0xc8>
1445: 48 89 c7 mov %rax,%rdi
1448: b8 00 00 00 00 mov $0x0,%eax
144d: e8 fe fb ff ff call 1050 <printf@plt>
1452: 90 nop
1453: 48 8b 45 f8 mov -0x8(%rbp),%rax
1457: 64 48 2b 04 25 28 00 sub %fs:0x28,%rax
145e: 00 00
1460: 74 05 je 1467 <test+0x10e>
1462: e8 d9 fb ff ff call 1040 <__stack_chk_fail@plt>
1467: c9 leave
1468: c3 ret
0000000000001469 <Trojan1>:
1469: 55 push %rbp
146a: 48 89 e5 mov %rsp,%rbp
146d: 48 8d 05 9c 0c 00 00 lea 0xc9c(%rip),%rax # 2110 <_IO_stdin_used+0x110>
1474: 48 89 c7 mov %rax,%rdi
1477: e8 b4 fb ff ff call 1030 <puts@plt>
147c: 48 8d 05 c6 0c 00 00 lea 0xcc6(%rip),%rax # 2149 <_IO_stdin_used+0x149>
1483: 48 89 c7 mov %rax,%rdi
1486: e8 a5 fb ff ff call 1030 <puts@plt>
148b: bf 00 00 00 00 mov $0x0,%edi
1490: e8 eb fb ff ff call 1080 <exit@plt>
0000000000001495 <Trojan2>:
1495: 55 push %rbp
1496: 48 89 e5 mov %rsp,%rbp
1499: 48 83 ec 10 sub $0x10,%rsp
149d: 89 7d fc mov %edi,-0x4(%rbp)
14a0: 8b 05 a2 2b 00 00 mov 0x2ba2(%rip),%eax # 4048 <cookie>
14a6: 39 45 fc cmp %eax,-0x4(%rbp)
14a9: 75 1b jne 14c6 <Trojan2+0x31>
14ab: 8b 45 fc mov -0x4(%rbp),%eax
14ae: 89 c6 mov %eax,%esi
14b0: 48 8d 05 b1 0c 00 00 lea 0xcb1(%rip),%rax # 2168 <_IO_stdin_used+0x168>
14b7: 48 89 c7 mov %rax,%rdi
14ba: b8 00 00 00 00 mov $0x0,%eax
14bf: e8 8c fb ff ff call 1050 <printf@plt>
14c4: eb 19 jmp 14df <Trojan2+0x4a>
14c6: 8b 45 fc mov -0x4(%rbp),%eax
14c9: 89 c6 mov %eax,%esi
14cb: 48 8d 05 e6 0c 00 00 lea 0xce6(%rip),%rax # 21b8 <_IO_stdin_used+0x1b8>
14d2: 48 89 c7 mov %rax,%rdi
14d5: b8 00 00 00 00 mov $0x0,%eax
14da: e8 71 fb ff ff call 1050 <printf@plt>
14df: 8b 05 63 2b 00 00 mov 0x2b63(%rip),%eax # 4048 <cookie>
14e5: 39 45 fc cmp %eax,-0x4(%rbp)
14e8: 75 0f jne 14f9 <Trojan2+0x64>
14ea: 48 8d 05 23 0d 00 00 lea 0xd23(%rip),%rax # 2214 <_IO_stdin_used+0x214>
14f1: 48 89 c7 mov %rax,%rdi
14f4: e8 37 fb ff ff call 1030 <puts@plt>
14f9: bf 00 00 00 00 mov $0x0,%edi
14fe: e8 7d fb ff ff call 1080 <exit@plt>
0000000000001503 <Trojan3>:
1503: 55 push %rbp
1504: 48 89 e5 mov %rsp,%rbp
1507: 48 83 ec 10 sub $0x10,%rsp
150b: 89 7d fc mov %edi,-0x4(%rbp)
150e: 8b 15 5c 2b 00 00 mov 0x2b5c(%rip),%edx # 4070 <global_value>
1514: 8b 05 2e 2b 00 00 mov 0x2b2e(%rip),%eax # 4048 <cookie>
151a: 39 c2 cmp %eax,%edx
151c: 75 1e jne 153c <Trojan3+0x39>
151e: 8b 05 4c 2b 00 00 mov 0x2b4c(%rip),%eax # 4070 <global_value>
1524: 89 c6 mov %eax,%esi
1526: 48 8d 05 03 0d 00 00 lea 0xd03(%rip),%rax # 2230 <_IO_stdin_used+0x230>
152d: 48 89 c7 mov %rax,%rdi
1530: b8 00 00 00 00 mov $0x0,%eax
1535: e8 16 fb ff ff call 1050 <printf@plt>
153a: eb 1c jmp 1558 <Trojan3+0x55>
153c: 8b 05 2e 2b 00 00 mov 0x2b2e(%rip),%eax # 4070 <global_value>
1542: 89 c6 mov %eax,%esi
1544: 48 8d 05 45 0d 00 00 lea 0xd45(%rip),%rax # 2290 <_IO_stdin_used+0x290>
154b: 48 89 c7 mov %rax,%rdi
154e: b8 00 00 00 00 mov $0x0,%eax
1553: e8 f8 fa ff ff call 1050 <printf@plt>
1558: 8b 15 12 2b 00 00 mov 0x2b12(%rip),%edx # 4070 <global_value>
155e: 8b 05 e4 2a 00 00 mov 0x2ae4(%rip),%eax # 4048 <cookie>
1564: 39 c2 cmp %eax,%edx
1566: 75 0f jne 1577 <Trojan3+0x74>
1568: 48 8d 05 7e 0d 00 00 lea 0xd7e(%rip),%rax # 22ed <_IO_stdin_used+0x2ed>
156f: 48 89 c7 mov %rax,%rdi
1572: e8 b9 fa ff ff call 1030 <puts@plt>
1577: bf 00 00 00 00 mov $0x0,%edi
157c: e8 ff fa ff ff call 1080 <exit@plt>
0000000000001581 <Trojan4>:
1581: 55 push %rbp
1582: 48 89 e5 mov %rsp,%rbp
1585: 48 83 ec 10 sub $0x10,%rsp
1589: 89 7d fc mov %edi,-0x4(%rbp)
158c: 8b 15 de 2a 00 00 mov 0x2ade(%rip),%edx # 4070 <global_value>
1592: 8b 05 b0 2a 00 00 mov 0x2ab0(%rip),%eax # 4048 <cookie>
1598: 39 c2 cmp %eax,%edx
159a: 75 1e jne 15ba <Trojan4+0x39>
159c: 8b 05 ce 2a 00 00 mov 0x2ace(%rip),%eax # 4070 <global_value>
15a2: 89 c6 mov %eax,%esi
15a4: 48 8d 05 5d 0d 00 00 lea 0xd5d(%rip),%rax # 2308 <_IO_stdin_used+0x308>
15ab: 48 89 c7 mov %rax,%rdi
15ae: b8 00 00 00 00 mov $0x0,%eax
15b3: e8 98 fa ff ff call 1050 <printf@plt>
15b8: eb 1c jmp 15d6 <Trojan4+0x55>
15ba: 8b 05 b0 2a 00 00 mov 0x2ab0(%rip),%eax # 4070 <global_value>
15c0: 89 c6 mov %eax,%esi
15c2: 48 8d 05 9f 0d 00 00 lea 0xd9f(%rip),%rax # 2368 <_IO_stdin_used+0x368>
15c9: 48 89 c7 mov %rax,%rdi
15cc: b8 00 00 00 00 mov $0x0,%eax
15d1: e8 7a fa ff ff call 1050 <printf@plt>
15d6: 8b 15 94 2a 00 00 mov 0x2a94(%rip),%edx # 4070 <global_value>
15dc: 8b 05 66 2a 00 00 mov 0x2a66(%rip),%eax # 4048 <cookie>
15e2: 39 c2 cmp %eax,%edx
15e4: 75 10 jne 15f6 <Trojan4+0x75>
15e6: 48 8d 05 d2 0d 00 00 lea 0xdd2(%rip),%rax # 23bf <_IO_stdin_used+0x3bf>
15ed: 48 89 c7 mov %rax,%rdi
15f0: e8 3b fa ff ff call 1030 <puts@plt>
15f5: 90 nop
15f6: 90 nop
15f7: c9 leave
15f8: c3 ret
00000000000015f9 <main>:
15f9: 55 push %rbp
15fa: 48 89 e5 mov %rsp,%rbp
15fd: 48 83 ec 30 sub $0x30,%rsp
1601: 89 7d dc mov %edi,-0x24(%rbp)
1604: 48 89 75 d0 mov %rsi,-0x30(%rbp)
1608: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
160f: 00 00
1611: 48 89 45 f8 mov %rax,-0x8(%rbp)
1615: 31 c0 xor %eax,%eax
1617: 48 8d 05 c2 0d 00 00 lea 0xdc2(%rip),%rax # 23e0 <_IO_stdin_used+0x3e0>
161e: 48 89 c7 mov %rax,%rdi
1621: e8 0a fa ff ff call 1030 <puts@plt>
1626: 48 8d 05 dd 0d 00 00 lea 0xddd(%rip),%rax # 240a <_IO_stdin_used+0x40a>
162d: 48 89 c7 mov %rax,%rdi
1630: e8 fb f9 ff ff call 1030 <puts@plt>
1635: 83 7d dc 01 cmpl $0x1,-0x24(%rbp)
1639: 75 46 jne 1681 <main+0x88>
163b: 48 8b 45 d0 mov -0x30(%rbp),%rax
163f: 48 8b 00 mov (%rax),%rax
1642: 48 89 c6 mov %rax,%rsi
1645: 48 8d 05 dc 0d 00 00 lea 0xddc(%rip),%rax # 2428 <_IO_stdin_used+0x428>
164c: 48 89 c7 mov %rax,%rdi
164f: b8 00 00 00 00 mov $0x0,%eax
1654: e8 f7 f9 ff ff call 1050 <printf@plt>
1659: 48 8d 05 10 0e 00 00 lea 0xe10(%rip),%rax # 2470 <_IO_stdin_used+0x470>
1660: 48 89 c7 mov %rax,%rdi
1663: e8 c8 f9 ff ff call 1030 <puts@plt>
1668: 48 8d 05 59 0e 00 00 lea 0xe59(%rip),%rax # 24c8 <_IO_stdin_used+0x4c8>
166f: 48 89 c7 mov %rax,%rdi
1672: e8 b9 f9 ff ff call 1030 <puts@plt>
1677: b8 00 00 00 00 mov $0x0,%eax
167c: e9 43 01 00 00 jmp 17c4 <main+0x1cb>
1681: 48 8b 45 d0 mov -0x30(%rbp),%rax
1685: 48 83 c0 08 add $0x8,%rax
1689: 48 8b 00 mov (%rax),%rax
168c: 48 89 c6 mov %rax,%rsi
168f: 48 8d 05 7a 0e 00 00 lea 0xe7a(%rip),%rax # 2510 <_IO_stdin_used+0x510>
1696: 48 89 c7 mov %rax,%rdi
1699: b8 00 00 00 00 mov $0x0,%eax
169e: e8 ad f9 ff ff call 1050 <printf@plt>
16a3: 48 8b 45 d0 mov -0x30(%rbp),%rax
16a7: 48 83 c0 08 add $0x8,%rax
16ab: 48 8b 00 mov (%rax),%rax
16ae: 48 89 c7 mov %rax,%rdi
16b1: e8 ba f9 ff ff call 1070 <atoi@plt>
16b6: 48 98 cltq
16b8: 48 89 05 99 29 00 00 mov %rax,0x2999(%rip) # 4058 <rand1_h>
16bf: 48 c7 05 96 29 00 00 movq $0x29a,0x2996(%rip) # 4060 <rand1_l>
16c6: 9a 02 00 00
16ca: bf 00 00 00 00 mov $0x0,%edi
16cf: e8 e5 fa ff ff call 11b9 <GenerateRandomNumber>
16d4: c7 45 ec 02 00 00 00 movl $0x2,-0x14(%rbp)
16db: eb 36 jmp 1713 <main+0x11a>
16dd: 8b 45 ec mov -0x14(%rbp),%eax
16e0: 48 98 cltq
16e2: 48 8d 14 c5 00 00 00 lea 0x0(,%rax,8),%rdx
16e9: 00
16ea: 48 8b 45 d0 mov -0x30(%rbp),%rax
16ee: 48 01 d0 add %rdx,%rax
16f1: 48 8b 00 mov (%rax),%rax
16f4: 48 89 c7 mov %rax,%rdi
16f7: e8 74 f9 ff ff call 1070 <atoi@plt>
16fc: 48 98 cltq
16fe: 48 89 05 5b 29 00 00 mov %rax,0x295b(%rip) # 4060 <rand1_l>
1705: bf 00 00 00 00 mov $0x0,%edi
170a: e8 aa fa ff ff call 11b9 <GenerateRandomNumber>
170f: 83 45 ec 01 addl $0x1,-0x14(%rbp)
1713: 8b 45 ec mov -0x14(%rbp),%eax
1716: 3b 45 dc cmp -0x24(%rbp),%eax
1719: 7c c2 jl 16dd <main+0xe4>
171b: 48 8b 05 36 29 00 00 mov 0x2936(%rip),%rax # 4058 <rand1_h>
1722: 89 05 20 29 00 00 mov %eax,0x2920(%rip) # 4048 <cookie>
1728: 8b 05 1a 29 00 00 mov 0x291a(%rip),%eax # 4048 <cookie>
172e: 89 c6 mov %eax,%esi
1730: 48 8d 05 f7 0d 00 00 lea 0xdf7(%rip),%rax # 252e <_IO_stdin_used+0x52e>
1737: 48 89 c7 mov %rax,%rdi
173a: b8 00 00 00 00 mov $0x0,%eax
173f: e8 0c f9 ff ff call 1050 <printf@plt>
1744: 48 8d 05 bf 0c 00 00 lea 0xcbf(%rip),%rax # 240a <_IO_stdin_used+0x40a>
174b: 48 89 c7 mov %rax,%rdi
174e: e8 dd f8 ff ff call 1030 <puts@plt>
1753: 48 8d 05 f6 0d 00 00 lea 0xdf6(%rip),%rax # 2550 <_IO_stdin_used+0x550>
175a: 48 89 c7 mov %rax,%rdi
175d: b8 00 00 00 00 mov $0x0,%eax
1762: e8 e9 f8 ff ff call 1050 <printf@plt>
1767: bf 00 02 00 00 mov $0x200,%edi
176c: e8 48 fa ff ff call 11b9 <GenerateRandomNumber>
1771: 48 8b 05 f0 28 00 00 mov 0x28f0(%rip),%rax # 4068 <rand_div>
1778: 48 83 c0 01 add $0x1,%rax
177c: 48 8d 50 08 lea 0x8(%rax),%rdx
1780: b8 10 00 00 00 mov $0x10,%eax
1785: 48 83 e8 01 sub $0x1,%rax
1789: 48 01 d0 add %rdx,%rax
178c: b9 10 00 00 00 mov $0x10,%ecx
1791: ba 00 00 00 00 mov $0x0,%edx
1796: 48 f7 f1 div %rcx
1799: 48 6b c0 10 imul $0x10,%rax,%rax
179d: 48 29 c4 sub %rax,%rsp
17a0: 48 89 e0 mov %rsp,%rax
17a3: 48 83 c0 0f add $0xf,%rax
17a7: 48 c1 e8 04 shr $0x4,%rax
17ab: 48 c1 e0 04 shl $0x4,%rax
17af: 48 89 45 f0 mov %rax,-0x10(%rbp)
17b3: 48 8b 45 f0 mov -0x10(%rbp),%rax
17b7: c6 00 68 movb $0x68,(%rax)
17ba: e8 9a fb ff ff call 1359 <test>
17bf: b8 00 00 00 00 mov $0x0,%eax
17c4: 48 8b 55 f8 mov -0x8(%rbp),%rdx
17c8: 64 48 2b 14 25 28 00 sub %fs:0x28,%rdx
17cf: 00 00
17d1: 74 05 je 17d8 <main+0x1df>
17d3: e8 68 f8 ff ff call 1040 <__stack_chk_fail@plt>
17d8: c9 leave
17d9: c3 ret
Disassembly of section .fini:
00000000000017dc <_fini>:
17dc: f3 0f 1e fa endbr64
17e0: 48 83 ec 08 sub $0x8,%rsp
17e4: 48 83 c4 08 add $0x8,%rsp
17e8: c3 ret

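--- a/buflab/bufbomb.c
+++ b/buflab/bufbomb.c
@@ -0,0 +1,200 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#ifdef __linux__
+#define _alloca alloca
+#endif
+int getbuf(void);
+void test(void);
+int cookie=0x11223344;
+unsigned long rand1_h,rand1_l,rand_div;
+/* 产生一个0~divv-1之间的随机数同时更新随机数种子 */
+void GenerateRandomNumber(unsigned long divv)
+{
+long long x = rand1_h;
+x *= 0x6AC690C5;
+x += rand1_l;
+rand1_h = (unsigned long)x;
+rand1_l = (unsigned long)(x>>32);
+if (divv==0) return;
+rand_div = rand1_h % divv;
+}
+/* 输入16进制字符串并转换为对应的字符串以\0结束 */
+char*getxs(char*dest)
+{
+int c;
+int even =1; /* Have read even number of digits */
+int otherd =0; /* Other hex digit of pair */
+char*sp = dest;
+while ((c = getchar()) != EOF && c !='\n' && c != '\r') {
+if (isxdigit(c)) {
+int val;
+if ('0'<= c && c <='9')
+val = c -'0';
+else if ('A'<= c && c <='F')
+val = c -'A'+10;
+else
+val = c -'a'+10;
+if (even) {
+otherd = val;
+even =0;
+}
+else {
+*sp++= otherd *16+ val;
+even =1;
+}
+}
+}
+*sp++='\0';
+return dest;
+}
+/* 获取一行输入字符串 */
+int getbuf(void)
+{
+char buf[12];
+getxs(buf);
+return 1;
+}
+/* 主测试程序 */
+void test(void)
+{
+int val;
+char *localbuf;
+volatile int bird = 0xdeadbeef; //金丝雀保护机制
+GenerateRandomNumber(23);
+localbuf = (char *)_alloca(rand_div+1); //在栈上分配随机空间
+localbuf[0] = 'l';
+val = getbuf();
+/* 检测是否栈被破坏 */
+if (bird == 0xdeadbeef) {
+printf("鸟还活着!\n");
+}
+else
+printf("不妙!鸟被杀死,栈已经被你破坏了!\n");
+if (val == cookie) {
+printf("不错哦缓冲区溢出成功而且getbuf返回 0X%08X\n", val);
+}
+else if (val == 1) {
+printf("缓冲区没有溢出.....攻击失败,请重来吧\n");
+}
+else {
+printf("不对哦虽然缓冲区溢出成功但是getbuf返回 0X%08X\n", val);
+}
+}
+/* 第1只木马只需要修改返回地址即可进入 */
+void Trojan1(void)
+{
+printf("恭喜你你已经成功偷偷运行了第1只木马!\n");
+printf("通过第1只木马测试\n");
+exit(0);
+}
+/* 第2只木马不仅需要修改返回地址而且要修改栈中返回的结果 */
+void Trojan2(int val)
+{
+if (val == cookie) {
+printf("不错哦第2只木马运行了而且通行密码是正确的(0X%08X)\n", val);
+} else
+printf("需要加油虽然第2只木马运行了但是通行密码是不正确的(0X%08X)\n", val);
+if (val == cookie)
+printf("通过第2只木马测试\n");
+exit(0);
+}
+/* 第3只木马本关任务是构造特定的机器代码放置在栈内然后将返回地址置为该段特定代码的入口。此段代码负责将global_value设置为想要的cookie值 */
+/* 汇编指令程序:
+MOV EAX,cookie
+MOV global_val,EAX
+PUSH Trojan3
+RET
+0: a1 e4 c1 04 08 MOV EAX,0x804c1e4
+5: a3 ec c1 04 08 MOV 0x804c1ec,EAX
+a: 68 eb 8c 04 08 PUSH $0x8048ceb
+f: c3 RET
+*/
+int global_value = 0;
+void Trojan3(int val)
+{
+if (global_value == cookie) {
+printf("厉害第3只木马运行了而且你修改了全局变量正确global_value = 0X%08X\n", global_value);
+} else
+printf("差一点第3只木马运行了但是全局变量修改错误global_value = 0X%08X\n", global_value);
+if (global_value == cookie)
+printf("通过第3只木马测试\n");
+exit(0);
+}
+/* 第4只木马本关任务是构造特定的机器代码放置在栈内然后将返回地址置为该段特定代码的入口。此段代码负责将global_value设置为想要的cookie值需要正常返回 */
+/* 汇编指令程序:
+MOV EAX,cookie
+MOV global_val,EAX
+PUSH Trojan3
+RET
+0: a1 e4 c1 04 08 MOV EAX,0x804c1e4
+5: a3 ec c1 04 08 MOV 0x804c1ec,EAX
+a: 68 eb 8c 04 08 PUSH $0x8048ceb
+f: c3 RET
+*/
+void Trojan4(int val)
+{
+if (global_value == cookie) {
+printf("厉害第4只木马运行了而且你修改了全局变量正确global_value = 0X%08X\n", global_value);
+} else
+printf("差一点第4只木马运行了但是全局变量不对global_value = 0X%08X\n", global_value);
+if (global_value == cookie)
+printf("通过第4只木马测试\n");
+return; // 正常返回,需要修复栈
+}
+/* 主程序依据学号随机生成cookie值 */
+int main(int argc, char *argv[])
+{
+int i;
+char *MyRandomBuffer;
+printf("\t2018超级缓冲区炸弹欢迎你\n");
+printf("============================\n");
+if (argc == 1)
+{
+printf("使用方法:%s 学号后6位 [学号后6位] [学号后6位] ...\n",argv[0]);
+printf("你需要输入攻击字符串,以便种入木马,一旦出错,哇哈哈....\n");
+printf("请以十六进制形式输入攻击字符串例如00 aa bb cc等等\n");
+return 0;
+}
+printf("欢迎你前来挑战! %s \n",argv[1]);
+/*依据学号,初始化一个随机数发生器*/
+rand1_h = (unsigned long)atoi(argv[1]);
+rand1_l=0x29A;
+GenerateRandomNumber(0);
+for (i=2;i<argc;i++)
+{
+rand1_l = (unsigned long)atoi(argv[i]);
+GenerateRandomNumber(0);
+}
+cookie = (int)rand1_h;
+printf("你的通行密码是0X%08X\n",cookie);
+printf("============================\n");
+printf("请输入攻击字符串(十六进制串):");
+GenerateRandomNumber(512);
+MyRandomBuffer = (char *)_alloca(rand_div+1); //在栈上分配随机空间
+MyRandomBuffer[0] = 'h';
+test();
+return 0;
+}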
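Review bot: The Linux binary disassembled in bufbomb.asm in this same commit was built with the stack protector and as PIE (getbuf loads `%fs:0x28` and calls `__stack_chk_fail`; the image is based at 0x1000 with `endbr64` entries), so the intended overflow of `char buf[12]` through `getxs(buf)` in getbuf() is caught before the overwritten return address is ever used, and any hard-coded Trojan address shifts under ASLR — the four levels cannot be completed against that build. The required build flags are recorded nowhere in the commit; add a header comment such as `/* Build for the lab: gcc -O0 -fno-stack-protector -no-pie -z execstack -o bufbomb bufbomb.c  (canary, PIE and NX defeat the intended exploits; Trojan3/4 execute code from the stack) */`, with `-m32` if the 32-bit layout the embedded machine-code comments assume is still the target. If a 64-bit build is intended, also note that `cookie = (int)rand1_h;` truncates a 64-bit LCG state, so cookies will likely differ from the 32-bit values the Readme example shows and existing answer keys will not match. The machine-code comment above Trojan4 is a copy of the Trojan3 one (it pushes Trojan3 and uses 0x0804xxxx absolute addresses), which contradicts both the "must return normally" description and the 64-bit PIE listing; rewrite it for Trojan4 or drop it.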

buflab/bufbomb.exe Normal file

Binary file not shown.

buflab/bufbomb.txt Normal file

@@ -0,0 +1,560 @@
bufbomb_linux 文件格式 elf64-x86-64
Disassembly of section .init:
0000000000001000 <_init>:
1000: f3 0f 1e fa endbr64
1004: 48 83 ec 08 sub $0x8,%rsp
1008: 48 8b 05 c1 2f 00 00 mov 0x2fc1(%rip),%rax # 3fd0 <__gmon_start__@Base>
100f: 48 85 c0 test %rax,%rax
1012: 74 02 je 1016 <_init+0x16>
1014: ff d0 call *%rax
1016: 48 83 c4 08 add $0x8,%rsp
101a: c3 ret
Disassembly of section .plt:
0000000000001020 <puts@plt-0x10>:
1020: ff 35 ca 2f 00 00 push 0x2fca(%rip) # 3ff0 <_GLOBAL_OFFSET_TABLE_+0x8>
1026: ff 25 cc 2f 00 00 jmp *0x2fcc(%rip) # 3ff8 <_GLOBAL_OFFSET_TABLE_+0x10>
102c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000001030 <puts@plt>:
1030: ff 25 ca 2f 00 00 jmp *0x2fca(%rip) # 4000 <puts@GLIBC_2.2.5>
1036: 68 00 00 00 00 push $0x0
103b: e9 e0 ff ff ff jmp 1020 <_init+0x20>
0000000000001040 <__stack_chk_fail@plt>:
1040: ff 25 c2 2f 00 00 jmp *0x2fc2(%rip) # 4008 <__stack_chk_fail@GLIBC_2.4>
1046: 68 01 00 00 00 push $0x1
104b: e9 d0 ff ff ff jmp 1020 <_init+0x20>
0000000000001050 <printf@plt>:
1050: ff 25 ba 2f 00 00 jmp *0x2fba(%rip) # 4010 <printf@GLIBC_2.2.5>
1056: 68 02 00 00 00 push $0x2
105b: e9 c0 ff ff ff jmp 1020 <_init+0x20>
0000000000001060 <getchar@plt>:
1060: ff 25 b2 2f 00 00 jmp *0x2fb2(%rip) # 4018 <getchar@GLIBC_2.2.5>
1066: 68 03 00 00 00 push $0x3
106b: e9 b0 ff ff ff jmp 1020 <_init+0x20>
0000000000001070 <atoi@plt>:
1070: ff 25 aa 2f 00 00 jmp *0x2faa(%rip) # 4020 <atoi@GLIBC_2.2.5>
1076: 68 04 00 00 00 push $0x4
107b: e9 a0 ff ff ff jmp 1020 <_init+0x20>
0000000000001080 <exit@plt>:
1080: ff 25 a2 2f 00 00 jmp *0x2fa2(%rip) # 4028 <exit@GLIBC_2.2.5>
1086: 68 05 00 00 00 push $0x5
108b: e9 90 ff ff ff jmp 1020 <_init+0x20>
0000000000001090 <__ctype_b_loc@plt>:
1090: ff 25 9a 2f 00 00 jmp *0x2f9a(%rip) # 4030 <__ctype_b_loc@GLIBC_2.3>
1096: 68 06 00 00 00 push $0x6
109b: e9 80 ff ff ff jmp 1020 <_init+0x20>
Disassembly of section .text:
00000000000010a0 <_start>:
10a0: f3 0f 1e fa endbr64
10a4: 31 ed xor %ebp,%ebp
10a6: 49 89 d1 mov %rdx,%r9
10a9: 5e pop %rsi
10aa: 48 89 e2 mov %rsp,%rdx
10ad: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
10b1: 50 push %rax
10b2: 54 push %rsp
10b3: 45 31 c0 xor %r8d,%r8d
10b6: 31 c9 xor %ecx,%ecx
10b8: 48 8d 3d 3a 05 00 00 lea 0x53a(%rip),%rdi # 15f9 <main>
10bf: ff 15 fb 2e 00 00 call *0x2efb(%rip) # 3fc0 <__libc_start_main@GLIBC_2.34>
10c5: f4 hlt
10c6: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
10cd: 00 00 00
10d0: 48 8d 3d 79 2f 00 00 lea 0x2f79(%rip),%rdi # 4050 <__TMC_END__>
10d7: 48 8d 05 72 2f 00 00 lea 0x2f72(%rip),%rax # 4050 <__TMC_END__>
10de: 48 39 f8 cmp %rdi,%rax
10e1: 74 1d je 1100 <_start+0x60>
10e3: 48 8b 05 de 2e 00 00 mov 0x2ede(%rip),%rax # 3fc8 <_ITM_deregisterTMCloneTable@Base>
10ea: 48 85 c0 test %rax,%rax
10ed: 74 11 je 1100 <_start+0x60>
10ef: ff e0 jmp *%rax
10f1: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
10f8: 00 00 00 00
10fc: 0f 1f 40 00 nopl 0x0(%rax)
1100: c3 ret
1101: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
1108: 00 00 00 00
110c: 0f 1f 40 00 nopl 0x0(%rax)
1110: 48 8d 3d 39 2f 00 00 lea 0x2f39(%rip),%rdi # 4050 <__TMC_END__>
1117: 48 8d 35 32 2f 00 00 lea 0x2f32(%rip),%rsi # 4050 <__TMC_END__>
111e: 48 29 fe sub %rdi,%rsi
1121: 48 89 f0 mov %rsi,%rax
1124: 48 c1 f8 03 sar $0x3,%rax
1128: 48 c1 ee 3f shr $0x3f,%rsi
112c: 48 01 c6 add %rax,%rsi
112f: 48 d1 fe sar $1,%rsi
1132: 74 1c je 1150 <_start+0xb0>
1134: 48 8b 05 9d 2e 00 00 mov 0x2e9d(%rip),%rax # 3fd8 <_ITM_registerTMCloneTable@Base>
113b: 48 85 c0 test %rax,%rax
113e: 74 10 je 1150 <_start+0xb0>
1140: ff e0 jmp *%rax
1142: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
1149: 00 00 00 00
114d: 0f 1f 00 nopl (%rax)
1150: c3 ret
1151: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
1158: 00 00 00 00
115c: 0f 1f 40 00 nopl 0x0(%rax)
1160: f3 0f 1e fa endbr64
1164: 80 3d e5 2e 00 00 00 cmpb $0x0,0x2ee5(%rip) # 4050 <__TMC_END__>
116b: 75 33 jne 11a0 <_start+0x100>
116d: 48 83 3d 6b 2e 00 00 cmpq $0x0,0x2e6b(%rip) # 3fe0 <__cxa_finalize@GLIBC_2.2.5>
1174: 00
1175: 55 push %rbp
1176: 48 89 e5 mov %rsp,%rbp
1179: 74 0d je 1188 <_start+0xe8>
117b: 48 8b 3d be 2e 00 00 mov 0x2ebe(%rip),%rdi # 4040 <__dso_handle>
1182: ff 15 58 2e 00 00 call *0x2e58(%rip) # 3fe0 <__cxa_finalize@GLIBC_2.2.5>
1188: e8 43 ff ff ff call 10d0 <_start+0x30>
118d: 5d pop %rbp
118e: c6 05 bb 2e 00 00 01 movb $0x1,0x2ebb(%rip) # 4050 <__TMC_END__>
1195: c3 ret
1196: 66 2e 0f 1f 84 00 00 cs nopw 0x0(%rax,%rax,1)
119d: 00 00 00
11a0: c3 ret
11a1: 66 66 2e 0f 1f 84 00 data16 cs nopw 0x0(%rax,%rax,1)
11a8: 00 00 00 00
11ac: 0f 1f 40 00 nopl 0x0(%rax)
11b0: f3 0f 1e fa endbr64
11b4: e9 57 ff ff ff jmp 1110 <_start+0x70>
00000000000011b9 <GenerateRandomNumber>:
11b9: 55 push %rbp
11ba: 48 89 e5 mov %rsp,%rbp
11bd: 48 89 7d e8 mov %rdi,-0x18(%rbp)
11c1: 48 8b 05 90 2e 00 00 mov 0x2e90(%rip),%rax # 4058 <rand1_h>
11c8: 48 89 45 f8 mov %rax,-0x8(%rbp)
11cc: 48 8b 45 f8 mov -0x8(%rbp),%rax
11d0: 48 69 c0 c5 90 c6 6a imul $0x6ac690c5,%rax,%rax
11d7: 48 89 45 f8 mov %rax,-0x8(%rbp)
11db: 48 8b 55 f8 mov -0x8(%rbp),%rdx
11df: 48 8b 05 7a 2e 00 00 mov 0x2e7a(%rip),%rax # 4060 <rand1_l>
11e6: 48 01 d0 add %rdx,%rax
11e9: 48 89 45 f8 mov %rax,-0x8(%rbp)
11ed: 48 8b 45 f8 mov -0x8(%rbp),%rax
11f1: 48 89 05 60 2e 00 00 mov %rax,0x2e60(%rip) # 4058 <rand1_h>
11f8: 48 8b 45 f8 mov -0x8(%rbp),%rax
11fc: 48 c1 f8 20 sar $0x20,%rax
1200: 48 89 05 59 2e 00 00 mov %rax,0x2e59(%rip) # 4060 <rand1_l>
1207: 48 83 7d e8 00 cmpq $0x0,-0x18(%rbp)
120c: 74 1c je 122a <GenerateRandomNumber+0x71>
120e: 48 8b 05 43 2e 00 00 mov 0x2e43(%rip),%rax # 4058 <rand1_h>
1215: ba 00 00 00 00 mov $0x0,%edx
121a: 48 f7 75 e8 divq -0x18(%rbp)
121e: 48 89 d0 mov %rdx,%rax
1221: 48 89 05 40 2e 00 00 mov %rax,0x2e40(%rip) # 4068 <rand_div>
1228: eb 01 jmp 122b <GenerateRandomNumber+0x72>
122a: 90 nop
122b: 5d pop %rbp
122c: c3 ret
000000000000122d <getxs>:
122d: 55 push %rbp
122e: 48 89 e5 mov %rsp,%rbp
1231: 48 83 ec 30 sub $0x30,%rsp
1235: 48 89 7d d8 mov %rdi,-0x28(%rbp)
1239: c7 45 e8 01 00 00 00 movl $0x1,-0x18(%rbp)
1240: c7 45 ec 00 00 00 00 movl $0x0,-0x14(%rbp)
1247: 48 8b 45 d8 mov -0x28(%rbp),%rax
124b: 48 89 45 f8 mov %rax,-0x8(%rbp)
124f: e9 94 00 00 00 jmp 12e8 <getxs+0xbb>
1254: e8 37 fe ff ff call 1090 <__ctype_b_loc@plt>
1259: 48 8b 00 mov (%rax),%rax
125c: 8b 55 f4 mov -0xc(%rbp),%edx
125f: 48 63 d2 movslq %edx,%rdx
1262: 48 01 d2 add %rdx,%rdx
1265: 48 01 d0 add %rdx,%rax
1268: 0f b7 00 movzwl (%rax),%eax
126b: 0f b7 c0 movzwl %ax,%eax
126e: 25 00 10 00 00 and $0x1000,%eax
1273: 85 c0 test %eax,%eax
1275: 74 71 je 12e8 <getxs+0xbb>
1277: 83 7d f4 2f cmpl $0x2f,-0xc(%rbp)
127b: 7e 11 jle 128e <getxs+0x61>
127d: 83 7d f4 39 cmpl $0x39,-0xc(%rbp)
1281: 7f 0b jg 128e <getxs+0x61>
1283: 8b 45 f4 mov -0xc(%rbp),%eax
1286: 83 e8 30 sub $0x30,%eax
1289: 89 45 f0 mov %eax,-0x10(%rbp)
128c: eb 20 jmp 12ae <getxs+0x81>
128e: 83 7d f4 40 cmpl $0x40,-0xc(%rbp)
1292: 7e 11 jle 12a5 <getxs+0x78>
1294: 83 7d f4 46 cmpl $0x46,-0xc(%rbp)
1298: 7f 0b jg 12a5 <getxs+0x78>
129a: 8b 45 f4 mov -0xc(%rbp),%eax
129d: 83 e8 37 sub $0x37,%eax
12a0: 89 45 f0 mov %eax,-0x10(%rbp)
12a3: eb 09 jmp 12ae <getxs+0x81>
12a5: 8b 45 f4 mov -0xc(%rbp),%eax
12a8: 83 e8 57 sub $0x57,%eax
12ab: 89 45 f0 mov %eax,-0x10(%rbp)
12ae: 83 7d e8 00 cmpl $0x0,-0x18(%rbp)
12b2: 74 0f je 12c3 <getxs+0x96>
12b4: 8b 45 f0 mov -0x10(%rbp),%eax
12b7: 89 45 ec mov %eax,-0x14(%rbp)
12ba: c7 45 e8 00 00 00 00 movl $0x0,-0x18(%rbp)
12c1: eb 25 jmp 12e8 <getxs+0xbb>
12c3: 8b 45 ec mov -0x14(%rbp),%eax
12c6: c1 e0 04 shl $0x4,%eax
12c9: 89 c2 mov %eax,%edx
12cb: 8b 45 f0 mov -0x10(%rbp),%eax
12ce: 8d 0c 02 lea (%rdx,%rax,1),%ecx
12d1: 48 8b 45 f8 mov -0x8(%rbp),%rax
12d5: 48 8d 50 01 lea 0x1(%rax),%rdx
12d9: 48 89 55 f8 mov %rdx,-0x8(%rbp)
12dd: 89 ca mov %ecx,%edx
12df: 88 10 mov %dl,(%rax)
12e1: c7 45 e8 01 00 00 00 movl $0x1,-0x18(%rbp)
12e8: e8 73 fd ff ff call 1060 <getchar@plt>
12ed: 89 45 f4 mov %eax,-0xc(%rbp)
12f0: 83 7d f4 ff cmpl $0xffffffff,-0xc(%rbp)
12f4: 74 10 je 1306 <getxs+0xd9>
12f6: 83 7d f4 0a cmpl $0xa,-0xc(%rbp)
12fa: 74 0a je 1306 <getxs+0xd9>
12fc: 83 7d f4 0d cmpl $0xd,-0xc(%rbp)
1300: 0f 85 4e ff ff ff jne 1254 <getxs+0x27>
1306: 48 8b 45 f8 mov -0x8(%rbp),%rax
130a: 48 8d 50 01 lea 0x1(%rax),%rdx
130e: 48 89 55 f8 mov %rdx,-0x8(%rbp)
1312: c6 00 00 movb $0x0,(%rax)
1315: 48 8b 45 d8 mov -0x28(%rbp),%rax
1319: c9 leave
131a: c3 ret
000000000000131b <getbuf>:
131b: 55 push %rbp
131c: 48 89 e5 mov %rsp,%rbp
131f: 48 83 ec 20 sub $0x20,%rsp
1323: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
132a: 00 00
132c: 48 89 45 f8 mov %rax,-0x8(%rbp)
1330: 31 c0 xor %eax,%eax
1332: 48 8d 45 ec lea -0x14(%rbp),%rax
1336: 48 89 c7 mov %rax,%rdi
1339: e8 ef fe ff ff call 122d <getxs>
133e: b8 01 00 00 00 mov $0x1,%eax
1343: 48 8b 55 f8 mov -0x8(%rbp),%rdx
1347: 64 48 2b 14 25 28 00 sub %fs:0x28,%rdx
134e: 00 00
1350: 74 05 je 1357 <getbuf+0x3c>
1352: e8 e9 fc ff ff call 1040 <__stack_chk_fail@plt>
1357: c9 leave
1358: c3 ret
0000000000001359 <test>:
1359: 55 push %rbp
135a: 48 89 e5 mov %rsp,%rbp
135d: 48 83 ec 20 sub $0x20,%rsp
1361: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
1368: 00 00
136a: 48 89 45 f8 mov %rax,-0x8(%rbp)
136e: 31 c0 xor %eax,%eax
1370: c7 45 e8 ef be ad de movl $0xdeadbeef,-0x18(%rbp)
1377: bf 17 00 00 00 mov $0x17,%edi
137c: e8 38 fe ff ff call 11b9 <GenerateRandomNumber>
1381: 48 8b 05 e0 2c 00 00 mov 0x2ce0(%rip),%rax # 4068 <rand_div>
1388: 48 83 c0 01 add $0x1,%rax
138c: 48 8d 50 08 lea 0x8(%rax),%rdx
1390: b8 10 00 00 00 mov $0x10,%eax
1395: 48 83 e8 01 sub $0x1,%rax
1399: 48 01 d0 add %rdx,%rax
139c: b9 10 00 00 00 mov $0x10,%ecx
13a1: ba 00 00 00 00 mov $0x0,%edx
13a6: 48 f7 f1 div %rcx
13a9: 48 6b c0 10 imul $0x10,%rax,%rax
13ad: 48 29 c4 sub %rax,%rsp
13b0: 48 89 e0 mov %rsp,%rax
13b3: 48 83 c0 0f add $0xf,%rax
13b7: 48 c1 e8 04 shr $0x4,%rax
13bb: 48 c1 e0 04 shl $0x4,%rax
13bf: 48 89 45 f0 mov %rax,-0x10(%rbp)
13c3: 48 8b 45 f0 mov -0x10(%rbp),%rax
13c7: c6 00 6c movb $0x6c,(%rax)
13ca: e8 4c ff ff ff call 131b <getbuf>
13cf: 89 45 ec mov %eax,-0x14(%rbp)
13d2: 8b 45 e8 mov -0x18(%rbp),%eax
13d5: 3d ef be ad de cmp $0xdeadbeef,%eax
13da: 75 11 jne 13ed <test+0x94>
13dc: 48 8d 05 25 0c 00 00 lea 0xc25(%rip),%rax # 2008 <_IO_stdin_used+0x8>
13e3: 48 89 c7 mov %rax,%rdi
13e6: e8 45 fc ff ff call 1030 <puts@plt>
13eb: eb 0f jmp 13fc <test+0xa3>
13ed: 48 8d 05 24 0c 00 00 lea 0xc24(%rip),%rax # 2018 <_IO_stdin_used+0x18>
13f4: 48 89 c7 mov %rax,%rdi
13f7: e8 34 fc ff ff call 1030 <puts@plt>
13fc: 8b 05 46 2c 00 00 mov 0x2c46(%rip),%eax # 4048 <cookie>
1402: 39 45 ec cmp %eax,-0x14(%rbp)
1405: 75 1b jne 1422 <test+0xc9>
1407: 8b 45 ec mov -0x14(%rbp),%eax
140a: 89 c6 mov %eax,%esi
140c: 48 8d 05 3d 0c 00 00 lea 0xc3d(%rip),%rax # 2050 <_IO_stdin_used+0x50>
1413: 48 89 c7 mov %rax,%rdi
1416: b8 00 00 00 00 mov $0x0,%eax
141b: e8 30 fc ff ff call 1050 <printf@plt>
1420: eb 30 jmp 1452 <test+0xf9>
1422: 83 7d ec 01 cmpl $0x1,-0x14(%rbp)
1426: 75 11 jne 1439 <test+0xe0>
1428: 48 8d 05 61 0c 00 00 lea 0xc61(%rip),%rax # 2090 <_IO_stdin_used+0x90>
142f: 48 89 c7 mov %rax,%rdi
1432: e8 f9 fb ff ff call 1030 <puts@plt>
1437: eb 19 jmp 1452 <test+0xf9>
1439: 8b 45 ec mov -0x14(%rbp),%eax
143c: 89 c6 mov %eax,%esi
143e: 48 8d 05 83 0c 00 00 lea 0xc83(%rip),%rax # 20c8 <_IO_stdin_used+0xc8>
1445: 48 89 c7 mov %rax,%rdi
1448: b8 00 00 00 00 mov $0x0,%eax
144d: e8 fe fb ff ff call 1050 <printf@plt>
1452: 90 nop
1453: 48 8b 45 f8 mov -0x8(%rbp),%rax
1457: 64 48 2b 04 25 28 00 sub %fs:0x28,%rax
145e: 00 00
1460: 74 05 je 1467 <test+0x10e>
1462: e8 d9 fb ff ff call 1040 <__stack_chk_fail@plt>
1467: c9 leave
1468: c3 ret
0000000000001469 <Trojan1>:
1469: 55 push %rbp
146a: 48 89 e5 mov %rsp,%rbp
146d: 48 8d 05 9c 0c 00 00 lea 0xc9c(%rip),%rax # 2110 <_IO_stdin_used+0x110>
1474: 48 89 c7 mov %rax,%rdi
1477: e8 b4 fb ff ff call 1030 <puts@plt>
147c: 48 8d 05 c6 0c 00 00 lea 0xcc6(%rip),%rax # 2149 <_IO_stdin_used+0x149>
1483: 48 89 c7 mov %rax,%rdi
1486: e8 a5 fb ff ff call 1030 <puts@plt>
148b: bf 00 00 00 00 mov $0x0,%edi
1490: e8 eb fb ff ff call 1080 <exit@plt>
0000000000001495 <Trojan2>:
1495: 55 push %rbp
1496: 48 89 e5 mov %rsp,%rbp
1499: 48 83 ec 10 sub $0x10,%rsp
149d: 89 7d fc mov %edi,-0x4(%rbp)
14a0: 8b 05 a2 2b 00 00 mov 0x2ba2(%rip),%eax # 4048 <cookie>
14a6: 39 45 fc cmp %eax,-0x4(%rbp)
14a9: 75 1b jne 14c6 <Trojan2+0x31>
14ab: 8b 45 fc mov -0x4(%rbp),%eax
14ae: 89 c6 mov %eax,%esi
14b0: 48 8d 05 b1 0c 00 00 lea 0xcb1(%rip),%rax # 2168 <_IO_stdin_used+0x168>
14b7: 48 89 c7 mov %rax,%rdi
14ba: b8 00 00 00 00 mov $0x0,%eax
14bf: e8 8c fb ff ff call 1050 <printf@plt>
14c4: eb 19 jmp 14df <Trojan2+0x4a>
14c6: 8b 45 fc mov -0x4(%rbp),%eax
14c9: 89 c6 mov %eax,%esi
14cb: 48 8d 05 e6 0c 00 00 lea 0xce6(%rip),%rax # 21b8 <_IO_stdin_used+0x1b8>
14d2: 48 89 c7 mov %rax,%rdi
14d5: b8 00 00 00 00 mov $0x0,%eax
14da: e8 71 fb ff ff call 1050 <printf@plt>
14df: 8b 05 63 2b 00 00 mov 0x2b63(%rip),%eax # 4048 <cookie>
14e5: 39 45 fc cmp %eax,-0x4(%rbp)
14e8: 75 0f jne 14f9 <Trojan2+0x64>
14ea: 48 8d 05 23 0d 00 00 lea 0xd23(%rip),%rax # 2214 <_IO_stdin_used+0x214>
14f1: 48 89 c7 mov %rax,%rdi
14f4: e8 37 fb ff ff call 1030 <puts@plt>
14f9: bf 00 00 00 00 mov $0x0,%edi
14fe: e8 7d fb ff ff call 1080 <exit@plt>
0000000000001503 <Trojan3>:
1503: 55 push %rbp
1504: 48 89 e5 mov %rsp,%rbp
1507: 48 83 ec 10 sub $0x10,%rsp
150b: 89 7d fc mov %edi,-0x4(%rbp)
150e: 8b 15 5c 2b 00 00 mov 0x2b5c(%rip),%edx # 4070 <global_value>
1514: 8b 05 2e 2b 00 00 mov 0x2b2e(%rip),%eax # 4048 <cookie>
151a: 39 c2 cmp %eax,%edx
151c: 75 1e jne 153c <Trojan3+0x39>
151e: 8b 05 4c 2b 00 00 mov 0x2b4c(%rip),%eax # 4070 <global_value>
1524: 89 c6 mov %eax,%esi
1526: 48 8d 05 03 0d 00 00 lea 0xd03(%rip),%rax # 2230 <_IO_stdin_used+0x230>
152d: 48 89 c7 mov %rax,%rdi
1530: b8 00 00 00 00 mov $0x0,%eax
1535: e8 16 fb ff ff call 1050 <printf@plt>
153a: eb 1c jmp 1558 <Trojan3+0x55>
153c: 8b 05 2e 2b 00 00 mov 0x2b2e(%rip),%eax # 4070 <global_value>
1542: 89 c6 mov %eax,%esi
1544: 48 8d 05 45 0d 00 00 lea 0xd45(%rip),%rax # 2290 <_IO_stdin_used+0x290>
154b: 48 89 c7 mov %rax,%rdi
154e: b8 00 00 00 00 mov $0x0,%eax
1553: e8 f8 fa ff ff call 1050 <printf@plt>
1558: 8b 15 12 2b 00 00 mov 0x2b12(%rip),%edx # 4070 <global_value>
155e: 8b 05 e4 2a 00 00 mov 0x2ae4(%rip),%eax # 4048 <cookie>
1564: 39 c2 cmp %eax,%edx
1566: 75 0f jne 1577 <Trojan3+0x74>
1568: 48 8d 05 7e 0d 00 00 lea 0xd7e(%rip),%rax # 22ed <_IO_stdin_used+0x2ed>
156f: 48 89 c7 mov %rax,%rdi
1572: e8 b9 fa ff ff call 1030 <puts@plt>
1577: bf 00 00 00 00 mov $0x0,%edi
157c: e8 ff fa ff ff call 1080 <exit@plt>
0000000000001581 <Trojan4>:
1581: 55 push %rbp
1582: 48 89 e5 mov %rsp,%rbp
1585: 48 83 ec 10 sub $0x10,%rsp
1589: 89 7d fc mov %edi,-0x4(%rbp)
158c: 8b 15 de 2a 00 00 mov 0x2ade(%rip),%edx # 4070 <global_value>
1592: 8b 05 b0 2a 00 00 mov 0x2ab0(%rip),%eax # 4048 <cookie>
1598: 39 c2 cmp %eax,%edx
159a: 75 1e jne 15ba <Trojan4+0x39>
159c: 8b 05 ce 2a 00 00 mov 0x2ace(%rip),%eax # 4070 <global_value>
15a2: 89 c6 mov %eax,%esi
15a4: 48 8d 05 5d 0d 00 00 lea 0xd5d(%rip),%rax # 2308 <_IO_stdin_used+0x308>
15ab: 48 89 c7 mov %rax,%rdi
15ae: b8 00 00 00 00 mov $0x0,%eax
15b3: e8 98 fa ff ff call 1050 <printf@plt>
15b8: eb 1c jmp 15d6 <Trojan4+0x55>
15ba: 8b 05 b0 2a 00 00 mov 0x2ab0(%rip),%eax # 4070 <global_value>
15c0: 89 c6 mov %eax,%esi
15c2: 48 8d 05 9f 0d 00 00 lea 0xd9f(%rip),%rax # 2368 <_IO_stdin_used+0x368>
15c9: 48 89 c7 mov %rax,%rdi
15cc: b8 00 00 00 00 mov $0x0,%eax
15d1: e8 7a fa ff ff call 1050 <printf@plt>
15d6: 8b 15 94 2a 00 00 mov 0x2a94(%rip),%edx # 4070 <global_value>
15dc: 8b 05 66 2a 00 00 mov 0x2a66(%rip),%eax # 4048 <cookie>
15e2: 39 c2 cmp %eax,%edx
15e4: 75 10 jne 15f6 <Trojan4+0x75>
15e6: 48 8d 05 d2 0d 00 00 lea 0xdd2(%rip),%rax # 23bf <_IO_stdin_used+0x3bf>
15ed: 48 89 c7 mov %rax,%rdi
15f0: e8 3b fa ff ff call 1030 <puts@plt>
15f5: 90 nop
15f6: 90 nop
15f7: c9 leave
15f8: c3 ret
00000000000015f9 <main>:
15f9: 55 push %rbp
15fa: 48 89 e5 mov %rsp,%rbp
15fd: 48 83 ec 30 sub $0x30,%rsp
1601: 89 7d dc mov %edi,-0x24(%rbp)
1604: 48 89 75 d0 mov %rsi,-0x30(%rbp)
1608: 64 48 8b 04 25 28 00 mov %fs:0x28,%rax
160f: 00 00
1611: 48 89 45 f8 mov %rax,-0x8(%rbp)
1615: 31 c0 xor %eax,%eax
1617: 48 8d 05 c2 0d 00 00 lea 0xdc2(%rip),%rax # 23e0 <_IO_stdin_used+0x3e0>
161e: 48 89 c7 mov %rax,%rdi
1621: e8 0a fa ff ff call 1030 <puts@plt>
1626: 48 8d 05 dd 0d 00 00 lea 0xddd(%rip),%rax # 240a <_IO_stdin_used+0x40a>
162d: 48 89 c7 mov %rax,%rdi
1630: e8 fb f9 ff ff call 1030 <puts@plt>
1635: 83 7d dc 01 cmpl $0x1,-0x24(%rbp)
1639: 75 46 jne 1681 <main+0x88>
163b: 48 8b 45 d0 mov -0x30(%rbp),%rax
163f: 48 8b 00 mov (%rax),%rax
1642: 48 89 c6 mov %rax,%rsi
1645: 48 8d 05 dc 0d 00 00 lea 0xddc(%rip),%rax # 2428 <_IO_stdin_used+0x428>
164c: 48 89 c7 mov %rax,%rdi
164f: b8 00 00 00 00 mov $0x0,%eax
1654: e8 f7 f9 ff ff call 1050 <printf@plt>
1659: 48 8d 05 10 0e 00 00 lea 0xe10(%rip),%rax # 2470 <_IO_stdin_used+0x470>
1660: 48 89 c7 mov %rax,%rdi
1663: e8 c8 f9 ff ff call 1030 <puts@plt>
1668: 48 8d 05 59 0e 00 00 lea 0xe59(%rip),%rax # 24c8 <_IO_stdin_used+0x4c8>
166f: 48 89 c7 mov %rax,%rdi
1672: e8 b9 f9 ff ff call 1030 <puts@plt>
1677: b8 00 00 00 00 mov $0x0,%eax
167c: e9 43 01 00 00 jmp 17c4 <main+0x1cb>
1681: 48 8b 45 d0 mov -0x30(%rbp),%rax
1685: 48 83 c0 08 add $0x8,%rax
1689: 48 8b 00 mov (%rax),%rax
168c: 48 89 c6 mov %rax,%rsi
168f: 48 8d 05 7a 0e 00 00 lea 0xe7a(%rip),%rax # 2510 <_IO_stdin_used+0x510>
1696: 48 89 c7 mov %rax,%rdi
1699: b8 00 00 00 00 mov $0x0,%eax
169e: e8 ad f9 ff ff call 1050 <printf@plt>
16a3: 48 8b 45 d0 mov -0x30(%rbp),%rax
16a7: 48 83 c0 08 add $0x8,%rax
16ab: 48 8b 00 mov (%rax),%rax
16ae: 48 89 c7 mov %rax,%rdi
16b1: e8 ba f9 ff ff call 1070 <atoi@plt>
16b6: 48 98 cltq
16b8: 48 89 05 99 29 00 00 mov %rax,0x2999(%rip) # 4058 <rand1_h>
16bf: 48 c7 05 96 29 00 00 movq $0x29a,0x2996(%rip) # 4060 <rand1_l>
16c6: 9a 02 00 00
16ca: bf 00 00 00 00 mov $0x0,%edi
16cf: e8 e5 fa ff ff call 11b9 <GenerateRandomNumber>
16d4: c7 45 ec 02 00 00 00 movl $0x2,-0x14(%rbp)
16db: eb 36 jmp 1713 <main+0x11a>
16dd: 8b 45 ec mov -0x14(%rbp),%eax
16e0: 48 98 cltq
16e2: 48 8d 14 c5 00 00 00 lea 0x0(,%rax,8),%rdx
16e9: 00
16ea: 48 8b 45 d0 mov -0x30(%rbp),%rax
16ee: 48 01 d0 add %rdx,%rax
16f1: 48 8b 00 mov (%rax),%rax
16f4: 48 89 c7 mov %rax,%rdi
16f7: e8 74 f9 ff ff call 1070 <atoi@plt>
16fc: 48 98 cltq
16fe: 48 89 05 5b 29 00 00 mov %rax,0x295b(%rip) # 4060 <rand1_l>
1705: bf 00 00 00 00 mov $0x0,%edi
170a: e8 aa fa ff ff call 11b9 <GenerateRandomNumber>
170f: 83 45 ec 01 addl $0x1,-0x14(%rbp)
1713: 8b 45 ec mov -0x14(%rbp),%eax
1716: 3b 45 dc cmp -0x24(%rbp),%eax
1719: 7c c2 jl 16dd <main+0xe4>
171b: 48 8b 05 36 29 00 00 mov 0x2936(%rip),%rax # 4058 <rand1_h>
1722: 89 05 20 29 00 00 mov %eax,0x2920(%rip) # 4048 <cookie>
1728: 8b 05 1a 29 00 00 mov 0x291a(%rip),%eax # 4048 <cookie>
172e: 89 c6 mov %eax,%esi
1730: 48 8d 05 f7 0d 00 00 lea 0xdf7(%rip),%rax # 252e <_IO_stdin_used+0x52e>
1737: 48 89 c7 mov %rax,%rdi
173a: b8 00 00 00 00 mov $0x0,%eax
173f: e8 0c f9 ff ff call 1050 <printf@plt>
1744: 48 8d 05 bf 0c 00 00 lea 0xcbf(%rip),%rax # 240a <_IO_stdin_used+0x40a>
174b: 48 89 c7 mov %rax,%rdi
174e: e8 dd f8 ff ff call 1030 <puts@plt>
1753: 48 8d 05 f6 0d 00 00 lea 0xdf6(%rip),%rax # 2550 <_IO_stdin_used+0x550>
175a: 48 89 c7 mov %rax,%rdi
175d: b8 00 00 00 00 mov $0x0,%eax
1762: e8 e9 f8 ff ff call 1050 <printf@plt>
1767: bf 00 02 00 00 mov $0x200,%edi
176c: e8 48 fa ff ff call 11b9 <GenerateRandomNumber>
1771: 48 8b 05 f0 28 00 00 mov 0x28f0(%rip),%rax # 4068 <rand_div>
1778: 48 83 c0 01 add $0x1,%rax
177c: 48 8d 50 08 lea 0x8(%rax),%rdx
1780: b8 10 00 00 00 mov $0x10,%eax
1785: 48 83 e8 01 sub $0x1,%rax
1789: 48 01 d0 add %rdx,%rax
178c: b9 10 00 00 00 mov $0x10,%ecx
1791: ba 00 00 00 00 mov $0x0,%edx
1796: 48 f7 f1 div %rcx
1799: 48 6b c0 10 imul $0x10,%rax,%rax
179d: 48 29 c4 sub %rax,%rsp
17a0: 48 89 e0 mov %rsp,%rax
17a3: 48 83 c0 0f add $0xf,%rax
17a7: 48 c1 e8 04 shr $0x4,%rax
17ab: 48 c1 e0 04 shl $0x4,%rax
17af: 48 89 45 f0 mov %rax,-0x10(%rbp)
17b3: 48 8b 45 f0 mov -0x10(%rbp),%rax
17b7: c6 00 68 movb $0x68,(%rax)
17ba: e8 9a fb ff ff call 1359 <test>
17bf: b8 00 00 00 00 mov $0x0,%eax
17c4: 48 8b 55 f8 mov -0x8(%rbp),%rdx
17c8: 64 48 2b 14 25 28 00 sub %fs:0x28,%rdx
17cf: 00 00
17d1: 74 05 je 17d8 <main+0x1df>
17d3: e8 68 f8 ff ff call 1040 <__stack_chk_fail@plt>
17d8: c9 leave
17d9: c3 ret
Disassembly of section .fini:
00000000000017dc <_fini>:
17dc: f3 0f 1e fa endbr64
17e0: 48 83 ec 08 sub $0x8,%rsp
17e4: 48 83 c4 08 add $0x8,%rsp
17e8: c3 ret

buflab/bufbomb_linux Executable file


buflab/buflab.pdf Normal file
