Jumper

We were asked to find out where the call at 0x80484e2 jumps to. The destination is stored in register eax.

 80484df:       8b 45 f0                mov    -0x10(%ebp),%eax
 80484e2:       ff d0                   call   *%eax <--- What address does this jump to??

Look back a few lines: there is an fgets call that reads the user input, and that value is what ends up in eax. When the user input is "jump", fgets is called with a size of 4, so it stores only the first three characters and sets the last byte to 00 as the string terminator; therefore eax holds 0x006d756a, the little-endian encoding of the string "jum\0".

 80484b4:       50                      push   %eax
 80484b5:       6a 04                   push   $0x4
 80484b7:       8d 45 f0                lea    -0x10(%ebp),%eax
 80484ba:       50                      push   %eax
 80484bb:       e8 80 fe ff ff          call   8048340 <fgets@plt>

The loop that follows increments the value in eax by 5 eight times, so when it exits the loop eax has become 0x006d756a + 40 = 0x006d7592, which is the flag 0x6d7592 without the leading zeros.

 80484cc:       8b 45 f0                mov    -0x10(%ebp),%eax
 80484cf:       83 c0 05                add    $0x5,%eax
 80484d2:       89 45 f0                mov    %eax,-0x10(%ebp)
 80484d5:       83 45 f4 01             addl   $0x1,-0xc(%ebp)
 80484d9:       83 7d f4 07             cmpl   $0x7,-0xc(%ebp)
 80484dd:       7e ed                   jle    80484cc <jump+0x3d>
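The same computation carried out in Python, as an added example that is not part of the original writeup: it models what fgets leaves in the 4-byte buffer, loads it as the little-endian dword the mov instruction reads, and runs the add/addl/cmpl/jle loop. The loop counter at -0xc(%ebp) is assumed to start at 0, which matches the eight iterations described above.

```python
import struct

FGETS_SIZE = 4  # `push $0x4` before the fgets call: at most 3 characters plus the NUL


def fgets_buffer(user_input: bytes, size: int = FGETS_SIZE) -> bytes:
    """Model the 4-byte stack buffer at -0x10(%ebp) after fgets returns.

    fgets stores at most size-1 bytes, stops after a newline, and always
    appends a terminating NUL; the rest of the buffer is zero-filled here
    (assumed) so the dword load below is well defined.
    """
    data = user_input[: size - 1]
    newline = data.find(b"\n")
    if newline != -1:
        data = data[: newline + 1]
    return data + b"\x00" * (size - len(data))


def buffer_as_dword(buf: bytes) -> int:
    """The value `mov -0x10(%ebp),%eax` loads: 4 bytes, little-endian."""
    return struct.unpack("<I", buf[:4])[0]


def run_loop(value: int, step: int = 5, limit: int = 7) -> int:
    """The loop at 0x80484cc..0x80484dd: add 5, bump the counter, loop while counter <= 7."""
    counter = 0  # -0xc(%ebp); assumed to be initialised to 0 before the loop
    while True:
        value = (value + step) & 0xFFFFFFFF  # add $0x5,%eax (32-bit register wraps)
        counter += 1                          # addl $0x1,-0xc(%ebp)
        if counter > limit:                   # cmpl $0x7 / jle: fall through once counter > 7
            return value


def call_target(user_input: bytes) -> int:
    """Address that `call *%eax` at 0x80484e2 transfers control to for this input."""
    return run_loop(buffer_as_dword(fgets_buffer(user_input)))


if __name__ == "__main__":
    target = call_target(b"jump")
    print(f"input 'jump' -> eax after loop = {target:#010x}")  # 0x006d7592
```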