0x080484fd <+0>: push ebp
0x080484fe <+1>: mov ebp,esp
0x08048500 <+3>: push ebx
0x08048501 <+4>: and esp,0xfffffff0
0x08048504 <+7>: sub esp,0x30
0x08048507 <+10>: mov DWORD PTR [esp+0x18],0x206469
0x0804850f <+18>: mov eax,DWORD PTR [ebp+0x10]
0x08048512 <+21>: mov DWORD PTR [esp+0x24],eax
0x08048516 <+25>: jmp 0x804854d <main+80>
0x08048518 <+27>: mov eax,DWORD PTR [esp+0x24]
0x0804851c <+31>: mov eax,DWORD PTR [eax]
0x0804851e <+33>: mov DWORD PTR [esp],eax
0x08048521 <+36>: call 0x80483c0 <strlen@plt>
0x08048526 <+41>: mov DWORD PTR [esp+0x28],eax
0x0804852a <+45>: mov edx,DWORD PTR [esp+0x28]
0x0804852e <+49>: mov eax,DWORD PTR [esp+0x24]
0x08048532 <+53>: mov eax,DWORD PTR [eax]
0x08048534 <+55>: mov DWORD PTR [esp+0x8],edx
0x08048538 <+59>: mov DWORD PTR [esp+0x4],0x0
0x08048540 <+67>: mov DWORD PTR [esp],eax
0x08048543 <+70>: call 0x80483e0 <memset@plt>
0x08048548 <+75>: add DWORD PTR [esp+0x24],0x4
0x0804854d <+80>: mov eax,DWORD PTR [esp+0x24]
0x08048551 <+84>: mov eax,DWORD PTR [eax]
0x08048553 <+86>: test eax,eax
0x08048555 <+88>: jne 0x8048518 <main+27>
0x08048557 <+90>: mov eax,DWORD PTR [ebp+0xc]
0x0804855a <+93>: add eax,0x20
0x0804855d <+96>: mov eax,DWORD PTR [eax]
0x0804855f <+98>: test eax,eax
0x08048561 <+100>: je 0x804860a <main+269>
0x08048567 <+106>: mov eax,DWORD PTR [ebp+0xc]
0x0804856a <+109>: add eax,0x20
0x0804856d <+112>: mov eax,DWORD PTR [eax]
0x0804856f <+114>: mov DWORD PTR [esp+0x4],eax
0x08048573 <+118>: lea eax,[esp+0x18]
0x08048577 <+122>: mov DWORD PTR [esp],eax
0x0804857a <+125>: call 0x8048390 <strcat@plt>
0x0804857f <+130>: mov DWORD PTR [esp+0x20],0x0
0x08048587 <+138>: jmp 0x80485dd <main+224>
0x08048589 <+140>: call 0x80483f0 <__ctype_b_loc@plt>
0x0804858e <+145>: mov eax,DWORD PTR [eax]
0x08048590 <+147>: mov edx,DWORD PTR [esp+0x20]
0x08048594 <+151>: lea ecx,[esp+0x18]
0x08048598 <+155>: add edx,ecx
0x0804859a <+157>: movzx edx,BYTE PTR [edx]
0x0804859d <+160>: movsx edx,dl
0x080485a0 <+163>: add edx,edx
0x080485a2 <+165>: add eax,edx
0x080485a4 <+167>: movzx eax,WORD PTR [eax]
0x080485a7 <+170>: movzx eax,ax
0x080485aa <+173>: mov DWORD PTR [esp+0x2c],eax
0x080485ae <+177>: mov eax,DWORD PTR [esp+0x2c]
0x080485b2 <+181>: and eax,0x8
0x080485b5 <+184>: test eax,eax
0x080485b7 <+186>: jne 0x80485d8 <main+219>
0x080485b9 <+188>: mov eax,DWORD PTR [esp+0x20]
0x080485bd <+192>: lea edx,[esp+0x18]
0x080485c1 <+196>: add eax,edx
0x080485c3 <+198>: movzx eax,BYTE PTR [eax]
0x080485c6 <+201>: cmp al,0x20
0x080485c8 <+203>: je 0x80485d8 <main+219>
0x080485ca <+205>: mov DWORD PTR [esp+0x1c],0x1
0x080485d2 <+213>: mov eax,DWORD PTR [esp+0x1c]
0x080485d6 <+217>: jmp 0x8048616 <main+281>
0x080485d8 <+219>: add DWORD PTR [esp+0x20],0x1
0x080485dd <+224>: mov ebx,DWORD PTR [esp+0x20]
0x080485e1 <+228>: mov eax,DWORD PTR [ebp+0xc]
0x080485e4 <+231>: add eax,0x20
0x080485e7 <+234>: mov eax,DWORD PTR [eax]
0x080485e9 <+236>: mov DWORD PTR [esp],eax
0x080485ec <+239>: call 0x80483c0 <strlen@plt>
0x080485f1 <+244>: add eax,0x3
0x080485f4 <+247>: cmp ebx,eax
0x080485f6 <+249>: jb 0x8048589 <main+140>
0x080485f8 <+251>: lea eax,[esp+0x18]
0x080485fc <+255>: mov DWORD PTR [esp],eax
0x080485ff <+258>: call 0x80483a0 <system@plt>
0x08048604 <+263>: mov DWORD PTR [esp+0x1c],eax
0x08048608 <+267>: jmp 0x8048612 <main+277>
0x0804860a <+269>: mov DWORD PTR [esp+0x1c],0x0
0x08048612 <+277>: mov eax,DWORD PTR [esp+0x1c]
0x08048616 <+281>: mov ebx,DWORD PTR [ebp-0x4]
0x08048619 <+284>: leave
0x0804861a <+285>: ret
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
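/*
 * Hand decompilation of the main() disassembly above (x86, Intel syntax).
 * Stack slots are given as offsets from esp after the `sub esp,0x30`.
 *
 * What the binary does, in order:
 *   1. zeroes every environment string in place (the pointers in env are
 *      left intact, only the bytes they point at are wiped);
 *   2. if argv[32] is non-NULL, appends it to the "id " buffer, returns 1 as
 *      soon as any byte of the result is neither alphanumeric nor a space,
 *      and otherwise passes the buffer to system();
 *   3. returns system()'s status, 1 on rejection, or 0 when argv[32] is NULL.
 *
 * Returns: the value held in [esp+0x1c], as described above.
 *
 * Two things the binary never does, which a reader should keep in mind:
 * argc is not compared with 32 before argv[32] is read, and strcat() writes
 * into a 4-byte local ("id " plus its NUL) with no length check, so a long
 * argument runs into the neighbouring locals at esp+0x1c and above.
 */
int main(int argc, char *argv[], char *env[])
{
    char v1[] = "id ";   /* [esp+0x18], initialised from the constant 0x206469 */
    char **v2 = env;     /* [esp+0x24], walks the environment block */
    int v3;              /* [esp+0x28], strlen() of the current env string */
    int v4;              /* [esp+0x20], index into v1 */
    int v5;              /* [esp+0x2c], ctype table entry for v1[v4] */
    int v6;              /* [esp+0x1c], return value */
    /* argv itself is read straight from [ebp+0xc]; no extra local is needed. */

    (void)argc;   /* never consulted by the binary (see header comment) */

    /* main+27..main+88: wipe every environment string in place. */
    while (*v2 != NULL) {
        v3 = strlen(*v2);
        memset(*v2, 0, v3);
        v2++;
    }

    /* main+90..main+100: NULL check on argv[0x20]. */
    if (argv[0x20] != NULL) {
        strcat(v1, argv[0x20]);   /* main+106..main+125: unbounded append */

        /*
         * main+140..main+249: scan "id " + argv[0x20], i.e. strlen+3 bytes
         * (the jb at main+249 stops before the terminating NUL). The table
         * index is a sign-extended char (movzx/movsx at main+157/160). The
         * bit tested, 8, matches glibc's _ISalnum on little-endian, so the
         * check behaves like isalnum() — confirm against the target ctype.h.
         * A byte that is neither alphanumeric nor a space returns 1 at once
         * (main+205..217 jumps straight to the epilogue).
         */
        for (v4 = 0; v4 < strlen(argv[0x20]) + 3; v4++) {
            v5 = (*__ctype_b_loc())[(signed char)v1[v4]];
            if (!(v5 & 8) && v1[v4] != ' ') {
                v6 = 1;
                return v6;
            }
        }

        /* main+251..main+263: hand the buffer to the shell. */
        v6 = system(v1);
    } else {
        v6 = 0;   /* main+269 */
    }

    return v6;   /* main+277..main+285 */
}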
연습하면서 한 거라 다소 정확하지 않을 수 있습니다.