[0x00001120]> aaa
[x] Analyze all flags starting with sym. and entry0 (aa)
[x] Analyze function calls (aac)
[x] Analyze len bytes of instructions for references (aar)
[x] Finding and parsing C++ vtables (avrr)
[x] Type matching analysis for all functions (aaft)
[x] Propagate noreturn information (aanr)
[x] Use -AA or aaaa to perform additional experimental analysis.
[0x00001120]> afl
0x00001120 1 47 entry0
0x000010b0 1 11 sym.imp.puts
0x000010c0 1 11 sym.imp.__stack_chk_fail
0x000010d0 1 11 sym.imp.strchr
0x000010e0 1 11 sym.imp.printf
0x000010f0 1 11 sym.imp.read
0x00001100 1 11 sym.imp.memcmp
0x00001110 1 11 sym.imp.fflush
0x000022b9 11 1037 main
0x00001200 5 137 -> 60 entry.init0
0x000011c0 5 57 -> 54 entry.fini0
0x000010a0 1 11 fcn.000010a0
0x00001150 4 41 -> 34 fcn.00001150
0x000015b3 1 3334 fcn.000015b3
0x0000125c 12 395 fcn.0000125c
0x00001209 1 83 fcn.00001209
0x000013e7 12 460 fcn.000013e7
0x00001000 3 27 fcn.00001000
[0x00001120]> pdf @main
; DATA XREF from entry0 @ 0x1141
; ---------------------------------------------------------------------------
; main (radare2 disassembly, x86-64, Intel syntax)
;
; Prints "Input : ", reads up to 0x100 bytes from fd 0 into the 256-byte stack
; buffer at rbp-0x110 (r2 labels it "buf"), replaces the first '\n' with NUL,
; then loops n = 0..8. Each iteration passes the 3 input bytes at buf + 3*n
; through fcn.00001209 / fcn.0000125c / fcn.000013e7 using the context at
; rbp-0x210 ("s1"), and memcmp()s the 16 bytes at s1+0x58 against entry n of
; the 9 x 16-byte table built from the movabs constants (rbp-0x1a0..rbp-0x111).
; A mismatch prints "Wrong!" and returns 1; nine matches NUL-terminate the
; input at buf[27], print it as the flag and return 0.
;
; Review notes:
;  - "size_t n" (rbp-0x21c) is only ever accessed as a dword loop counter; the
;    name and type come from r2's type matching, not from the code.
;  - The three fcn.* bodies are not shown. The three-call shape and a 16-byte
;    result at context+0x58 are consistent with an init/update/final 128-bit
;    hash (MD5-like layout) - unconfirmed, verify against those functions.
;  - read() is asked for the full 0x100 bytes and its return value is never
;    checked, so nothing here guarantees a NUL inside buf before strchr() and
;    the later %s print; the 8 bytes at rbp-0x10 are not written in this
;    function. A bounded search (memchr with the byte count) would avoid that.
;  - Each table entry covers only 3 input bytes, so the strength of the check
;    is bounded by the chunk size, not by the 16-byte digest length.
; ---------------------------------------------------------------------------
┌ 1037: int main (int argc, char **argv, char **envp);
│ ; var size_t n @ rbp-0x21c
│ ; var char *var_218h @ rbp-0x218
│ ; var void *s1 @ rbp-0x210
│ ; var int64_t var_1a0h @ rbp-0x1a0
│ ; var int64_t var_198h @ rbp-0x198
│ ; var int64_t var_190h @ rbp-0x190
│ ; var int64_t var_188h @ rbp-0x188
│ ; var int64_t var_180h @ rbp-0x180
│ ; var int64_t var_178h @ rbp-0x178
│ ; var int64_t var_170h @ rbp-0x170
│ ; var int64_t var_168h @ rbp-0x168
│ ; var int64_t var_160h @ rbp-0x160
│ ; var int64_t var_158h @ rbp-0x158
│ ; var int64_t var_150h @ rbp-0x150
│ ; var int64_t var_148h @ rbp-0x148
│ ; var int64_t var_140h @ rbp-0x140
│ ; var int64_t var_138h @ rbp-0x138
│ ; var int64_t var_130h @ rbp-0x130
│ ; var int64_t var_128h @ rbp-0x128
│ ; var int64_t var_120h @ rbp-0x120
│ ; var int64_t var_118h @ rbp-0x118
│ ; var char *buf @ rbp-0x110
│ ; var int64_t var_108h @ rbp-0x108
│ ; var int64_t var_100h @ rbp-0x100
│ ; var int64_t var_f8h @ rbp-0xf8
│ ; var int64_t var_f0h @ rbp-0xf0
│ ; var int64_t var_e8h @ rbp-0xe8
│ ; var int64_t var_e0h @ rbp-0xe0
│ ; var int64_t var_d8h @ rbp-0xd8
│ ; var int64_t var_d0h @ rbp-0xd0
│ ; var int64_t var_c8h @ rbp-0xc8
│ ; var int64_t var_c0h @ rbp-0xc0
│ ; var int64_t var_b8h @ rbp-0xb8
│ ; var int64_t var_b0h @ rbp-0xb0
│ ; var int64_t var_a8h @ rbp-0xa8
│ ; var int64_t var_a0h @ rbp-0xa0
│ ; var int64_t var_98h @ rbp-0x98
│ ; var int64_t var_90h @ rbp-0x90
│ ; var int64_t var_88h @ rbp-0x88
│ ; var int64_t var_80h @ rbp-0x80
│ ; var int64_t var_78h @ rbp-0x78
│ ; var int64_t var_70h @ rbp-0x70
│ ; var int64_t var_68h @ rbp-0x68
│ ; var int64_t var_60h @ rbp-0x60
│ ; var int64_t var_58h @ rbp-0x58
│ ; var int64_t var_50h @ rbp-0x50
│ ; var int64_t var_48h @ rbp-0x48
│ ; var int64_t var_40h @ rbp-0x40
│ ; var int64_t var_38h @ rbp-0x38
│ ; var int64_t var_30h @ rbp-0x30
│ ; var int64_t var_28h @ rbp-0x28
│ ; var int64_t var_20h @ rbp-0x20
│ ; var int64_t var_18h @ rbp-0x18
│ ; var int64_t var_8h @ rbp-0x8
│ 0x000022b9 f30f1efa endbr64
│ 0x000022bd 55 push rbp
│ 0x000022be 4889e5 mov rbp, rsp
│ 0x000022c1 4881ec200200. sub rsp, 0x220 ; 0x220-byte frame: context, expected table, input buffer
│ 0x000022c8 64488b042528. mov rax, qword fs:[0x28] ; load stack-protector canary
│ 0x000022d1 488945f8 mov qword [var_8h], rax ; saved canary, re-checked at 0x26b4
│ 0x000022d5 31c0 xor eax, eax
│ 0x000022d7 48b82bd06839. movabs rax, 0xfe5d3a093968d02b ; expected-value table starts: 18 qwords = 9 entries x 16 bytes
│ 0x000022e1 48baae2e86c2. movabs rdx, 0xba0aa367c2862eae
│ 0x000022eb 48898560feff. mov qword [var_1a0h], rax ; table[0], low qword
│ 0x000022f2 48899568feff. mov qword [var_198h], rdx ; table[0], high qword
│ 0x000022f9 48b84f60269e. movabs rax, 0x8bea2ada9e26604f
│ 0x00002303 48ba2452cf6d. movabs rdx, 0x2e6f41c96dcf5224
│ 0x0000230d 48898570feff. mov qword [var_190h], rax
│ 0x00002314 48899578feff. mov qword [var_188h], rdx
│ 0x0000231b 48b8f3759b94. movabs rax, 0x7fd91bd2949b75f3
│ 0x00002325 48baa6f37260. movabs rdx, 0x5b1ed8e6072f3a6
│ 0x0000232f 48898580feff. mov qword [var_180h], rax
│ 0x00002336 48899588feff. mov qword [var_178h], rdx
│ 0x0000233d 48b8117688d4. movabs rax, 0xc94045c6d4887611
│ 0x00002347 48ba954db9f6. movabs rdx, 0x9d43df6df6b94d95
│ 0x00002351 48898590feff. mov qword [var_170h], rax
│ 0x00002358 48899598feff. mov qword [var_168h], rdx
│ 0x0000235f 48b8808dc08a. movabs rax, 0xb9a8a83c8ac08d80
│ 0x00002369 48ba64845176. movabs rdx, 0x6d78e80376518464
│ 0x00002373 488985a0feff. mov qword [var_160h], rax
│ 0x0000237a 488995a8feff. mov qword [var_158h], rdx
│ 0x00002381 48b8d0c22320. movabs rax, 0xe81a20f2023c2d0
│ 0x0000238b 48ba86f1899d. movabs rdx, 0x2e41eae69d89f186
│ 0x00002395 488985b0feff. mov qword [var_150h], rax
│ 0x0000239c 488995b8feff. mov qword [var_148h], rdx
│ 0x000023a3 48b8fde5a3d2. movabs rax, 0x425c831dd2a3e5fd
│ 0x000023ad 48baec0041dc. movabs rdx, 0x82788dbbdc4100ec
│ 0x000023b7 488985c0feff. mov qword [var_140h], rax
│ 0x000023be 488995c8feff. mov qword [var_138h], rdx
│ 0x000023c5 48b820dd0139. movabs rax, 0x6d0fee8d3901dd20
│ 0x000023cf 48ba83d7e541. movabs rdx, 0xebe82a0a41e5d783
│ 0x000023d9 488985d0feff. mov qword [var_130h], rax
│ 0x000023e0 488995d8feff. mov qword [var_128h], rdx
│ 0x000023e7 48b806e5724b. movabs rax, 0x2afa26414b72e506
│ 0x000023f1 48ba4d111dc2. movabs rdx, 0xd1848e9c21d114d
│ 0x000023fb 488985e0feff. mov qword [var_120h], rax
│ 0x00002402 488995e8feff. mov qword [var_118h], rdx ; table[8], high qword: end of table (rbp-0x111)
│ 0x00002409 48c785f0feff. mov qword [buf], 0 ; zero the input buffer: 32 qword stores, rbp-0x110..rbp-0x11
│ 0x00002414 48c785f8feff. mov qword [var_108h], 0
│ 0x0000241f 48c78500ffff. mov qword [var_100h], 0
│ 0x0000242a 48c78508ffff. mov qword [var_f8h], 0
│ 0x00002435 48c78510ffff. mov qword [var_f0h], 0
│ 0x00002440 48c78518ffff. mov qword [var_e8h], 0
│ 0x0000244b 48c78520ffff. mov qword [var_e0h], 0
│ 0x00002456 48c78528ffff. mov qword [var_d8h], 0
│ 0x00002461 48c78530ffff. mov qword [var_d0h], 0
│ 0x0000246c 48c78538ffff. mov qword [var_c8h], 0
│ 0x00002477 48c78540ffff. mov qword [var_c0h], 0
│ 0x00002482 48c78548ffff. mov qword [var_b8h], 0
│ 0x0000248d 48c78550ffff. mov qword [var_b0h], 0
│ 0x00002498 48c78558ffff. mov qword [var_a8h], 0
│ 0x000024a3 48c78560ffff. mov qword [var_a0h], 0
│ 0x000024ae 48c78568ffff. mov qword [var_98h], 0
│ 0x000024b9 48c78570ffff. mov qword [var_90h], 0
│ 0x000024c4 48c78578ffff. mov qword [var_88h], 0
│ 0x000024cf 48c745800000. mov qword [var_80h], 0
│ 0x000024d7 48c745880000. mov qword [var_78h], 0
│ 0x000024df 48c745900000. mov qword [var_70h], 0
│ 0x000024e7 48c745980000. mov qword [var_68h], 0
│ 0x000024ef 48c745a00000. mov qword [var_60h], 0
│ 0x000024f7 48c745a80000. mov qword [var_58h], 0
│ 0x000024ff 48c745b00000. mov qword [var_50h], 0
│ 0x00002507 48c745b80000. mov qword [var_48h], 0
│ 0x0000250f 48c745c00000. mov qword [var_40h], 0
│ 0x00002517 48c745c80000. mov qword [var_38h], 0
│ 0x0000251f 48c745d00000. mov qword [var_30h], 0
│ 0x00002527 48c745d80000. mov qword [var_28h], 0
│ 0x0000252f 48c745e00000. mov qword [var_20h], 0
│ 0x00002537 48c745e80000. mov qword [var_18h], 0 ; last qword of the 0x100-byte buffer
│ 0x0000253f 488d3dc60a00. lea rdi, str.Input_:_ ; 0x300c ; "Input : " ; const char *format
│ 0x00002546 b800000000 mov eax, 0 ; al = 0: no vector-register args for the variadic call
│ 0x0000254b e890ebffff call sym.imp.printf ; int printf(const char *format)
│ 0x00002550 488b05092b00. mov rax, qword [obj.stdout] ; [0x5060:8]=0
│ 0x00002557 4889c7 mov rdi, rax ; FILE *stream
│ 0x0000255a e8b1ebffff call sym.imp.fflush ; int fflush(FILE *stream) ; prompt is flushed before the read
│ 0x0000255f 488d85f0feff. lea rax, [buf]
│ 0x00002566 ba00010000 mov edx, 0x100 ; size_t nbyte ; equals the whole buffer, so a full read leaves no NUL inside buf
│ 0x0000256b 4889c6 mov rsi, rax ; void *buf
│ 0x0000256e bf00000000 mov edi, 0 ; int fildes ; fd 0
│ 0x00002573 b800000000 mov eax, 0
│ 0x00002578 e873ebffff call sym.imp.read ; ssize_t read(int fildes, void *buf, size_t nbyte) ; return value (count or error) is discarded
│ 0x0000257d 488d85f0feff. lea rax, [buf]
│ 0x00002584 be0a000000 mov esi, 0xa ; int c ; '\n'
│ 0x00002589 4889c7 mov rdi, rax ; const char *s
│ 0x0000258c e83febffff call sym.imp.strchr ; char *strchr(const char *s, int c) ; unbounded search: relies on a NUL in or after buf
│ 0x00002591 488985e8fdff. mov qword [var_218h], rax ; var_218h = pointer to the newline, or NULL
│ 0x00002598 4883bde8fdff. cmp qword [var_218h], 0
│ ┌─< 0x000025a0 740a je 0x25ac ; no newline found: leave input as is
│ │ 0x000025a2 488b85e8fdff. mov rax, qword [var_218h]
│ │ 0x000025a9 c60000 mov byte [rax], 0 ; replace the newline with NUL
│ │ ; CODE XREF from main @ 0x25a0
│ └─> 0x000025ac c785e4fdffff. mov dword [n], 0 ; loop counter n = 0 (32-bit access)
│ ┌─< 0x000025b6 e9b0000000 jmp 0x266b ; enter loop at its condition
│ │ ; CODE XREF from main @ 0x2674
│ ┌──> 0x000025bb 488d85f0fdff. lea rax, [s1] ; context block at rbp-0x210
│ ╎│ 0x000025c2 4889c7 mov rdi, rax ; int64_t arg1
│ ╎│ 0x000025c5 b800000000 mov eax, 0
│ ╎│ 0x000025ca e83aecffff call fcn.00001209 ; presumably (re)initialises the context - body not shown
│ ╎│ 0x000025cf be03000000 mov esi, 3 ; chunk length = 3 bytes
│ ╎│ 0x000025d4 b803000000 mov eax, 3
│ ╎│ 0x000025d9 0faf85e4fdff. imul eax, dword [n] ; eax = 3 * n
│ ╎│ 0x000025e0 488d95f0feff. lea rdx, [buf]
│ ╎│ 0x000025e7 4898 cdqe
│ ╎│ 0x000025e9 488d0c02 lea rcx, [rdx + rax] ; rcx = &buf[3*n]
│ ╎│ 0x000025ed 488d85f0fdff. lea rax, [s1]
│ ╎│ 0x000025f4 89f2 mov edx, esi ; int64_t arg3
│ ╎│ 0x000025f6 4889ce mov rsi, rcx ; int64_t arg2
│ ╎│ 0x000025f9 4889c7 mov rdi, rax ; int64_t arg1
│ ╎│ 0x000025fc b800000000 mov eax, 0
│ ╎│ 0x00002601 e856ecffff call fcn.0000125c ; called as (ctx, &buf[3*n], 3); presumably an update step - body not shown
│ ╎│ 0x00002606 488d85f0fdff. lea rax, [s1]
│ ╎│ 0x0000260d 4889c7 mov rdi, rax ; int64_t arg1
│ ╎│ 0x00002610 b800000000 mov eax, 0
│ ╎│ 0x00002615 e8cdedffff call fcn.000013e7 ; presumably finalises the result - body not shown
│ ╎│ 0x0000261a 488d8560feff. lea rax, [var_1a0h] ; base of the expected-value table
│ ╎│ 0x00002621 8b95e4fdffff mov edx, dword [n]
│ ╎│ 0x00002627 4863d2 movsxd rdx, edx
│ ╎│ 0x0000262a 48c1e204 shl rdx, 4 ; rdx = n * 16 (entry size)
│ ╎│ 0x0000262e 488d0c10 lea rcx, [rax + rdx] ; rcx = &table[n]
│ ╎│ 0x00002632 488d85f0fdff. lea rax, [s1]
│ ╎│ 0x00002639 4883c058 add rax, 0x58 ; 16-byte result is read from context + 0x58
│ ╎│ 0x0000263d ba10000000 mov edx, 0x10 ; size_t n
│ ╎│ 0x00002642 4889ce mov rsi, rcx ; const void *s2
│ ╎│ 0x00002645 4889c7 mov rdi, rax ; const void *s1
│ ╎│ 0x00002648 e8b3eaffff call sym.imp.memcmp ; int memcmp(const void *s1, const void *s2, size_t n)
│ ╎│ 0x0000264d 85c0 test eax, eax
│ ┌───< 0x0000264f 7413 je 0x2664 ; equal: go on to the next chunk
│ │╎│ 0x00002651 488d3dbd0900. lea rdi, str.Wrong_ ; 0x3015 ; "Wrong!" ; const char *s
│ │╎│ 0x00002658 e853eaffff call sym.imp.puts ; int puts(const char *s)
│ │╎│ 0x0000265d b801000000 mov eax, 1 ; return value 1 on the first mismatch
│ ┌────< 0x00002662 eb4c jmp 0x26b0
│ ││╎│ ; CODE XREF from main @ 0x264f
│ │└───> 0x00002664 8385e4fdffff. add dword [n], 1
│ │ ╎│ ; CODE XREF from main @ 0x25b6
│ │ ╎└─> 0x0000266b 8b85e4fdffff mov eax, dword [n]
│ │ ╎ 0x00002671 83f808 cmp eax, 8
│ │ └──< 0x00002674 0f8641ffffff jbe 0x25bb ; unsigned n <= 8: nine iterations in total
│ │ 0x0000267a b803000000 mov eax, 3
│ │ 0x0000267f 0faf85e4fdff. imul eax, dword [n] ; n == 9 on this path, so eax = 27
│ │ 0x00002686 4898 cdqe
│ │ 0x00002688 c68405f0feff. mov byte [rbp + rax - 0x110], 0 ; buf[27] = 0: cut the string after the 27 checked bytes
│ │ 0x00002690 488d85f0feff. lea rax, [buf]
│ │ 0x00002697 4889c6 mov rsi, rax
│ │ 0x0000269a 488d3d7b0900. lea rdi, str.Correct__Flag_is__s_n ; 0x301c ; "Correct! Flag is %s\n" ; const char *format
│ │ 0x000026a1 b800000000 mov eax, 0
│ │ 0x000026a6 e835eaffff call sym.imp.printf ; int printf(const char *format) ; constant format string, input passed only as the %s argument
│ │ ; DATA XREF from main @ +0x41d
│ │ 0x000026ab b800000000 mov eax, 0 ; return value 0 on success
│ │ ; CODE XREF from main @ 0x2662
│ └────> 0x000026b0 488b4df8 mov rcx, qword [var_8h] ; reload the saved canary
│ 0x000026b4 6448330c2528. xor rcx, qword fs:[0x28] ; zero only if the canary is unchanged
│ ┌─< 0x000026bd 7405 je 0x26c4
│ │ 0x000026bf e8fce9ffff call sym.imp.__stack_chk_fail ; canary mismatch path
│ │ ; CODE XREF from main @ 0x26bd
│ └─> 0x000026c4 c9 leave
└ 0x000026c5 c3 ret