/*
 * IDA-style decompiler pseudocode of a statically linked x86-64 binary: the
 * "1.add / 2.delete / 3.edit / 4.exit" menu program that is stepped through in
 * the pwndbg transcript further down this page.  The trailing "// rax",
 * "// [rsp+4h] [rbp-2Ch]" notes are the decompiler's register / stack-slot
 * annotations, not code.  sub_XXXXXX names are unresolved; where a meaning is
 * inferred below it is marked as an inference, not a fact.
 */

/*
 * Menu printer.  Emits the four menu entries and the "Your choice:" prompt on
 * fd 1 through the write wrapper sub_43FD00, each with an explicit byte count.
 * Only the result of the final write is returned; the first four results are
 * discarded.  No handler for "3.edit" is visible in this excerpt.
 */
unsigned __int64 sub_400AF4()
{
  sub_43FD00(1u, "1.add\n", 6uLL);
  sub_43FD00(1u, "2.delete\n", 9uLL);
  sub_43FD00(1u, "3.edit\n", 7uLL);
  sub_43FD00(1u, "4.exit\n", 7uLL);
  return sub_43FD00(1u, "Your choice:\n", 0xDuLL);
}

/*
 * write(2) wrapper: write a3 bytes from a2 to fd a1 via the raw syscall.
 *
 * dword_6CD1FC is the same flag the read wrapper sub_43FCA0 tests (the
 * transcript's `cmp dword ptr [rip + 0x28d555], 0` at 0x43fca0 resolves to
 * 0x6cd1fc).  When it is set the syscall is bracketed by sub_443160 /
 * sub_4431C0 — consistent with a libc cancellation-point enable/disable pair,
 * but not confirmed here.  A result >= 0xFFFFFFFFFFFFF001 (i.e. -4095..-1) is
 * treated as an error: its negation is stored at fs:-0x30 (presumably the
 * TLS errno slot — verify) and -1 is returned.
 *
 * NOTE(review): v5 and v6 are read before being assigned.  That is a
 * decompiler artifact of rdx being reused across the nested calls; the length
 * actually passed to sys_write on the flagged path is presumably a3, and v6
 * the syscall's return value.  Treat those two lines as unreliable pseudocode.
 */
unsigned __int64 __fastcall sub_43FD00(unsigned int a1, const char *a2, size_t a3)
{
  unsigned __int64 result; // rax
  __int64 v4; // rax
  size_t v5; // rdx
  unsigned __int64 v6; // rdx

  if ( dword_6CD1FC )
  {
    v4 = sub_443160();
    sub_4431C0(v4, a2, sys_write(a1, a2, v5));
    result = v6;
    if ( v6 < 0xFFFFFFFFFFFFF001LL )
      return result;
    goto LABEL_5;
  }
  result = sys_write(a1, a2, a3);
  if ( result >= 0xFFFFFFFFFFFFF001LL )
  {
LABEL_5:
    /* error path: store -errno-style value in TLS, report -1 to the caller */
    __writefsdword(0xFFFFFFD0, -(int)result);
    return -1LL;
  }
  return result;
}

/*
 * Helper called by sub_43FD00 after the syscall when dword_6CD1FC is set;
 * a1 is whatever sub_443160 returned.  If bit 1 of a1 is clear it atomically
 * clears bit 1 of the dword at fs:776 (0x308) and then loops on sys_futex
 * while that dword has bits 2..3 equal to 0b01.  This matches the shape of a
 * libc "restore cancellation state" routine, but that is an inference from
 * structure only.  a2 and a4 are unused in this pseudocode.
 *
 * NOTE(review): v7 is read uninitialized (`i = v7`) — decompiler artifact of
 * a register (r11) loaded outside the recovered body; the first loop test
 * presumably uses the freshly read fs:0x308 value.
 */
void __fastcall sub_4431C0(char a1, __int64 a2, u32 a3, __int64 a4, u32 *a5, u32 a6)
{
  char v7; // r11
  char i; // al
  signed __int64 v9; // rax

  if ( (a1 & 2) == 0 )
  {
    _InterlockedAnd(MK_FP(__FS__, 776LL), 0xFFFFFFFD);
    for ( i = v7; (i & 0xC) == 4; i = __readfsdword(0x308u) )
      v9 = sys_futex((u32 *)(__readfsqword(0) + 776), 128, a3, 0LL, a5, a6);
  }
}

/*
 * "add" handler (menu option 1).
 *
 * Reads up to 16 bytes of index text into the 24-byte stack buffer v3 via
 * sub_43FCA0 — the transcript shows that function issuing syscall 0 (read)
 * with rdi=0, rsi=v3, rdx=0x10 — converts it with sub_40E180 (atoi-like by
 * use; not confirmed) and rejects any value >= 5 through sub_40EF90(1).
 * Because v2 is unsigned the compare also rejects negative text such as
 * "-1" (0xFFFFFFFF >= 5), so the 5-slot table qword_6CCD60 is bounds-checked
 * on this path.  It then allocates 256 bytes with sub_41E500 (malloc-like by
 * use), reads up to 256 bytes straight into it, stores the pointer in
 * qword_6CCD60[v2] and returns the index.
 *
 * Review notes, all visible in the code below:
 *  - the read count is ignored and no NUL terminator is written into v3 or
 *    the 256-byte buffer; 16 non-NUL index bytes leave sub_40E180 parsing
 *    stale stack bytes (if it is atoi-like).
 *  - sub_41E500's result is not checked before being passed to sub_43FCA0.
 *  - the slot is overwritten unconditionally, so a previous pointer in the
 *    same index is simply dropped (leak), never freed.
 *  - sub_40EF90 is not marked __noreturn; if it is not exit()-like the store
 *    below would index past the table with the rejected v2.  Presumably it
 *    is exit(1) — confirm.
 * v4 / the final __readfsqword(0x28u) compare is the stack-protector canary;
 * sub_443600 is the mismatch path (never returns, by construction).
 */
__int64 sub_400B5F()
{
  __int64 v0; // rsi
  __int64 result; // rax
  unsigned int v2; // [rsp+4h] [rbp-2Ch]
  char v3[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v4; // [rsp+28h] [rbp-8h]

  v4 = __readfsqword(0x28u);                 /* save stack canary */
  sub_43FD00(1LL, "idx:", 4LL);
  sub_43FCA0(0LL, v3, 16LL);                 /* read(0, v3, 16); count unchecked */
  v2 = sub_40E180(v3);
  if ( v2 >= 5 )                             /* unsigned: also catches negative input */
    sub_40EF90(1LL);
  sub_43FD00(1LL, "Alright!\nwhat do you want to say\n", 33LL);
  v0 = sub_41E500(256LL);                    /* allocation result not NULL-checked */
  sub_43FCA0(0LL, v0, 256LL);                /* read(0, v0, 256); no terminator added */
  result = (int)v2;
  qword_6CCD60[v2] = v0;                     /* overwrites any existing pointer in the slot */
  if ( __readfsqword(0x28u) != v4 )
    sub_443600();
  return result;
}

/*
 * "delete" handler (menu option 2).  Parses the index exactly as sub_400B5F
 * does (same 16-byte read, same unsigned >= 5 rejection) and then passes
 * qword_6CCD60[v1] to sub_41E8A0, returning its result.
 *
 * NOTE(review): the table slot is never cleared after the call and there is
 * no check that it was populated.  If sub_41E8A0 is free() — which its
 * pairing with the 256-byte sub_41E500 allocation in "add" strongly
 * suggests, though it is not confirmed here — then deleting the same index
 * twice is a double free, and the stale pointer remains reachable through the
 * table for any later "edit" path (not shown in this excerpt): a classic
 * use-after-free setup.  The fix at source level would be
 * `qword_6CCD60[v1] = 0` after the call, plus a guard that the slot is
 * non-NULL before calling.
 * The function body continues on the next line of this page (canary-failure
 * call and return).
 */
__int64 sub_400CD5()
{
  __int64 result; // rax
  unsigned int v1; // [rsp+Ch] [rbp-24h]
  char v2[24]; // [rsp+10h] [rbp-20h] BYREF
  unsigned __int64 v3; // [rsp+28h] [rbp-8h]

  v3 = __readfsqword(0x28u);                 /* save stack canary */
  sub_43FD00(1u, "idx:", 4uLL);
  sub_43FCA0(0LL, v2, 16uLL);                /* read(0, v2, 16); count unchecked */
  v1 = sub_40E180(v2);
  if ( v1 >= 5 )
    sub_40EF90(1LL);
  result = sub_41E8A0(qword_6CCD60[v1]);     /* slot is NOT cleared afterwards */
  if ( __readfsqword(0x28u) != v3 )          /* canary check; mismatch path follows on the next page line */
sub_443600(); return result; } void __fastcall __noreturn sub_43F2F0(int a1) { unsigned __int64 v1; // rax unsigned int v2; // r9d unsigned __int64 v3; // rax int v4; // edx unsigned int v5; // r9d v3 = sys_exit_group(a1); if ( v3 > 0xFFFFFFFFFFFFF000LL ) __writefsdword(v5, -(int)v3); v1 = sys_exit(v4); if ( v1 > 0xFFFFFFFFFFFFF000LL ) __writefsdword(v2, -(int)v1); __halt(); } pwndbg> b *0x400B5F Breakpoint 1 at 0x400b5f pwndbg> b *0x400CD5 Breakpoint 2 at 0x400cd5 pwndbg> b *0x400C25 Breakpoint 3 at 0x400c25 pwndbg> run Starting program: /home/sean/桌面/pwn 1.add 2.delete 3.edit 4.exit Your choice: 1 Breakpoint 1, 0x0000000000400b5f in ?? () LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA ──────────[ REGISTERS / show-flags off / show-compact-regs off ]────────── RAX 0 RBX 0x4002c8 ◂— sub rsp, 8 RCX 0xffffffda RDX 0 RDI 0x7fffffffdfd1 ◂— 0x180000000000400a /* '\n@' */ RSI 1 R8 0 R9 0x1999999999999999 R10 0 R11 0x4a8d60 ◂— add al, byte ptr [rax] R12 0x401ab0 ◂— push r14 R13 0x401b40 ◂— push rbx R14 0 R15 0 RBP 0x7fffffffdff0 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi RSP 0x7fffffffdfb8 —▸ 0x400dc7 ◂— jmp 0x400d88 RIP 0x400b5f ◂— push rbp ───────────────────[ DISASM / x86-64 / set emulate on ]─────────────────── ► 0x400b5f push rbp 0x400b60 mov rbp, rsp RBP => 0x7fffffffdfb0 —▸ 0x7fffffffdff0 —▸ 0x6ca018 —▸ 0x43b850 ◂— ... 
0x400b63 sub rsp, 0x30 RSP => 0x7fffffffdf80 (0x7fffffffdfb0 - 0x30) 0x400b67 mov rax, qword ptr fs:[0x28] RAX, [0x6ce8a8] => 0x17d6c8de5fb13e00 0x400b70 mov qword ptr [rbp - 8], rax [0x7fffffffdfa8] <= 0x17d6c8de5fb13e00 0x400b74 xor eax, eax EAX => 0 0x400b76 mov edx, 4 EDX => 4 0x400b7b mov esi, 0x4a1617 ESI => 0x4a1617 ◂— imul esp, dword ptr [rax + rdi*2 + 0x3a], 0 /* 'idx:' */ 0x400b80 mov edi, 1 EDI => 1 0x400b85 call 0x43fd00 <0x43fd00> 0x400b8a lea rax, [rbp - 0x20] ────────────────────────────────[ STACK ]───────────────────────────────── 00:0000│ rsp 0x7fffffffdfb8 —▸ 0x400dc7 ◂— jmp 0x400d88 01:0008│-030 0x7fffffffdfc0 —▸ 0x7fffffffe128 —▸ 0x7fffffffe447 ◂— 0x65732f656d6f682f ('/home/se') 02:0010│-028 0x7fffffffdfc8 ◂— 0x100401b27 03:0018│ rdi-1 0x7fffffffdfd0 —▸ 0x400a31 ◂— call 0x46060a3c 04:0020│-018 0x7fffffffdfd8 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi 05:0028│-010 0x7fffffffdfe0 —▸ 0x401ab0 ◂— push r14 06:0030│-008 0x7fffffffdfe8 ◂— 0x17d6c8de5fb13e00 07:0038│ rbp 0x7fffffffdff0 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi ──────────────────────────────[ BACKTRACE ]─────────────────────────────── ► 0 0x400b5f None 1 0x400dc7 None 2 0x401046 None 3 0x401635 None 4 0x4008b9 None ────────────────────────────────────────────────────────────────────────── pwndbg> b *0x400885 Breakpoint 4 at 0x400885 pwndbg> run Starting program: /home/sean/桌面/pwn 1.add 2.delete 3.edit 4.exit Your choice: 1 Breakpoint 1, 0x0000000000400b5f in ?? 
() LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA ───────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────── RAX 0 RBX 0x4002c8 ◂— sub rsp, 8 RCX 0xffffffda RDX 0 RDI 0x7fffffffdfd1 ◂— 0x180000000000400a /* '\n@' */ RSI 1 R8 0 R9 0x1999999999999999 R10 0 R11 0x4a8d60 ◂— add al, byte ptr [rax] R12 0x401ab0 ◂— push r14 R13 0x401b40 ◂— push rbx R14 0 R15 0 RBP 0x7fffffffdff0 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi RSP 0x7fffffffdfb8 —▸ 0x400dc7 ◂— jmp 0x400d88 RIP 0x400b5f ◂— push rbp ────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────── ► 0x400b5f push rbp 0x400b60 mov rbp, rsp RBP => 0x7fffffffdfb0 —▸ 0x7fffffffdff0 —▸ 0x6ca018 —▸ 0x43b850 ◂— ... 0x400b63 sub rsp, 0x30 RSP => 0x7fffffffdf80 (0x7fffffffdfb0 - 0x30) 0x400b67 mov rax, qword ptr fs:[0x28] RAX, [0x6ce8a8] => 0xa7a5031cbcadb00 0x400b70 mov qword ptr [rbp - 8], rax [0x7fffffffdfa8] <= 0xa7a5031cbcadb00 0x400b74 xor eax, eax EAX => 0 0x400b76 mov edx, 4 EDX => 4 0x400b7b mov esi, 0x4a1617 ESI => 0x4a1617 ◂— imul esp, dword ptr [rax + rdi*2 + 0x3a], 0 /* 'idx:' */ 0x400b80 mov edi, 1 EDI => 1 0x400b85 call 0x43fd00 <0x43fd00> 0x400b8a lea rax, [rbp - 0x20] ─────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffdfb8 —▸ 0x400dc7 ◂— jmp 0x400d88 01:0008│-030 0x7fffffffdfc0 —▸ 0x7fffffffe128 —▸ 0x7fffffffe447 ◂— 0x65732f656d6f682f ('/home/se') 02:0010│-028 0x7fffffffdfc8 ◂— 0x100401b27 03:0018│ rdi-1 0x7fffffffdfd0 —▸ 0x400a31 ◂— call 0x46060a3c 04:0020│-018 0x7fffffffdfd8 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi 05:0028│-010 0x7fffffffdfe0 —▸ 0x401ab0 ◂— push r14 06:0030│-008 0x7fffffffdfe8 ◂— 0xa7a5031cbcadb00 07:0038│ rbp 0x7fffffffdff0 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi ───────────────────────────────────────────────────────────[ BACKTRACE 
]──────────────────────────────────────────────────────────── ► 0 0x400b5f None 1 0x400dc7 None 2 0x401046 None 3 0x401635 None 4 0x4008b9 None ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── pwndbg> c Continuing. idx:si Alright! what do you want to say finish 1.add 2.delete 3.edit 4.exit Your choice: info reg rax [Inferior 1 (process 5079) exited normally] pwndbg> b *0x43FCA0 Breakpoint 5 at 0x43fca0 pwndbg> run Starting program: /home/sean/桌面/pwn 1.add 2.delete 3.edit 4.exit Your choice: Breakpoint 5, 0x000000000043fca0 in ?? () LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA ───────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────── RAX 0x7fffffffdfd0 —▸ 0x4002c8 ◂— sub rsp, 8 RBX 0x4002c8 ◂— sub rsp, 8 RCX 0x43fd10 ◂— cmp rax, -0xfff RDX 0x10 RDI 0 RSI 0x7fffffffdfd0 —▸ 0x4002c8 ◂— sub rsp, 8 R8 0 R9 0x6ce880 ◂— 0x6ce880 R10 0x44309a ◂— cmp rax, -0xfff R11 0x246 R12 0x401ab0 ◂— push r14 R13 0x401b40 ◂— push rbx R14 0 R15 0 RBP 0x7fffffffdff0 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi RSP 0x7fffffffdfb8 —▸ 0x400da8 ◂— lea rax, [rbp - 0x20] RIP 0x43fca0 ◂— cmp dword ptr [rip + 0x28d555], 0 ────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────── ► 0x43fca0 cmp dword ptr [rip + 0x28d555], 0 0 - 0 EFLAGS => 0x246 [ cf PF af ZF sf IF df of ] 0x43fca7 jne 0x43fcbd <0x43fcbd> 0x43fca9 mov eax, 0 EAX => 0 0x43fcae syscall 0x43fcb0 cmp rax, -0xfff 0x43fcb6 jae 0x444df0 <0x444df0> 0x43fcbc ret 0x43fcbd sub rsp, 8 0x43fcc1 call 0x443160 <0x443160> 0x43fcc6 mov qword ptr [rsp], rax 0x43fcca mov eax, 0 EAX => 0 ─────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffdfb8 —▸ 0x400da8 ◂— lea rax, [rbp - 0x20] 01:0008│-030 0x7fffffffdfc0 —▸ 
0x7fffffffe128 —▸ 0x7fffffffe447 ◂— 0x65732f656d6f682f ('/home/se') 02:0010│-028 0x7fffffffdfc8 —▸ 0x401b27 ◂— add rbx, 1 03:0018│ rax rsi 0x7fffffffdfd0 —▸ 0x4002c8 ◂— sub rsp, 8 04:0020│-018 0x7fffffffdfd8 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi 05:0028│-010 0x7fffffffdfe0 —▸ 0x401ab0 ◂— push r14 06:0030│-008 0x7fffffffdfe8 ◂— 0x54c60defd160e000 07:0038│ rbp 0x7fffffffdff0 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi ───────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────── ► 0 0x43fca0 None 1 0x400da8 None 2 0x401046 None 3 0x401635 None 4 0x4008b9 None ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── pwndbg> c Continuing. info registers rdi rsi rdx [Inferior 1 (process 5129) exited normally] pwndbg> di rsi rdx Ambiguous command "di rsi rdx": diff, directory, dis, disa, disable, disasm, disassemble, disconnect, display, distance. pwndbg> info registers rdi rsi rdx The program has no registers now. pwndbg> run Starting program: /home/sean/桌面/pwn 1.add 2.delete 3.edit 4.exit Your choice: Breakpoint 5, 0x000000000043fca0 in ?? 
() LEGEND: STACK | HEAP | CODE | DATA | WX | RODATA ───────────────────────────────────────[ REGISTERS / show-flags off / show-compact-regs off ]─────────────────────────────────────── RAX 0x7fffffffdfd0 —▸ 0x4002c8 ◂— sub rsp, 8 RBX 0x4002c8 ◂— sub rsp, 8 RCX 0x43fd10 ◂— cmp rax, -0xfff RDX 0x10 RDI 0 RSI 0x7fffffffdfd0 —▸ 0x4002c8 ◂— sub rsp, 8 R8 0 R9 0x6ce880 ◂— 0x6ce880 R10 0x44309a ◂— cmp rax, -0xfff R11 0x246 R12 0x401ab0 ◂— push r14 R13 0x401b40 ◂— push rbx R14 0 R15 0 RBP 0x7fffffffdff0 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi RSP 0x7fffffffdfb8 —▸ 0x400da8 ◂— lea rax, [rbp - 0x20] RIP 0x43fca0 ◂— cmp dword ptr [rip + 0x28d555], 0 ────────────────────────────────────────────────[ DISASM / x86-64 / set emulate on ]──────────────────────────────────────────────── ► 0x43fca0 cmp dword ptr [rip + 0x28d555], 0 0 - 0 EFLAGS => 0x246 [ cf PF af ZF sf IF df of ] 0x43fca7 jne 0x43fcbd <0x43fcbd> 0x43fca9 mov eax, 0 EAX => 0 0x43fcae syscall 0x43fcb0 cmp rax, -0xfff 0x43fcb6 jae 0x444df0 <0x444df0> 0x43fcbc ret 0x43fcbd sub rsp, 8 0x43fcc1 call 0x443160 <0x443160> 0x43fcc6 mov qword ptr [rsp], rax 0x43fcca mov eax, 0 EAX => 0 ─────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────── 00:0000│ rsp 0x7fffffffdfb8 —▸ 0x400da8 ◂— lea rax, [rbp - 0x20] 01:0008│-030 0x7fffffffdfc0 —▸ 0x7fffffffe128 —▸ 0x7fffffffe447 ◂— 0x65732f656d6f682f ('/home/se') 02:0010│-028 0x7fffffffdfc8 —▸ 0x401b27 ◂— add rbx, 1 03:0018│ rax rsi 0x7fffffffdfd0 —▸ 0x4002c8 ◂— sub rsp, 8 04:0020│-018 0x7fffffffdfd8 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi 05:0028│-010 0x7fffffffdfe0 —▸ 0x401ab0 ◂— push r14 06:0030│-008 0x7fffffffdfe8 ◂— 0xe4508f0c2ac6dc00 07:0038│ rbp 0x7fffffffdff0 —▸ 0x6ca018 —▸ 0x43b850 ◂— mov rcx, rsi ───────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────── ► 0 0x43fca0 None 1 0x400da8 None 2 0x401046 None 3 0x401635 None 4 0x4008b9 
None ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── pwndbg> info registers rdi rsi rdx rdi 0x0 0 rsi 0x7fffffffdfd0 140737488347088 rdx 0x10 16 pwndbg> x/16bx $rsi 0x7fffffffdfd0: 0xc8 0x02 0x40 0x00 0x00 0x00 0x00 0x00 0x7fffffffdfd8: 0x18 0xa0 0x6c 0x00 0x00 0x00 0x00 0x00