So I have a program where I ask the user to input an entry, which it compares to the value “zoidberg.” If it isn’t zoidberg, then it tells the user that the entry is incorrect. I didn’t write it, but I was given it and told to find the exploit and fix it.
First off, I want to confirm (or deny, if they are wrong) two things. I haven’t done asm programming in a hot minute, so I’m not sure if these assumptions are right.
My assumptions:
The memory address where the user’s entry is: [esp+410h+var_410]?
The memory address where the entry zoidberg is stored is: [esp+410h+var_40C]?
I really have no idea if that is a temporary location or its final location. I’m so confused.
Also, the test call compares eax to itself; could that be the exploit that needs to be fixed?
; Attributes: bp-based frame
public main
main proc near
var_410= dword ptr -410h ; [esp+0]: first outgoing argument slot
var_40C= dword ptr -40Ch ; [esp+4]: second outgoing argument slot
var_400= dword ptr -400h ; [esp+10h]: 0x400-byte local buffer, the top of the frame is at [esp+410h]
push ebp
mov ebp, esp
and esp, 0FFFFFFF0h ; 16-byte align esp (0..12 bytes of padding may sit between the buffer and the saved ebp)
sub esp, 410h ; char *
mov [esp+410h+var_410], offset anEntry ; "enter an entry to continue:"
call _puts
lea eax, [esp+410h+var_400] ; eax = address of the local buffer
mov [esp+410h+var_410], eax
call _gets ; gets(buffer): no length bound at all
mov [esp+410h+var_40C], offset aZoidberg ; "zoidberg"
lea eax, [esp+410h+var_400]
mov [esp+410h+var_410], eax
call _strcmp ; strcmp(buffer, "zoidberg")
test eax, eax ; sets ZF if eax == 0, i.e. the strings matched
jnz short loc_804846E
mov [esp+410h+var_410], offset aNeedAnEntry?Wh ; "need an entry? why not zoidberg?"
call _puts
jmp short loc_804847A
loc_804846E: ; "your entry is bad, and you should feel"...
mov [esp+410h+var_410], offset aYourEntryIsBa
call _puts
loc_804847A:
mov eax, 0
leave
retn
main endp
The addresses like [esp+410h+var_410] are local variables.
The lines with “offset” mostly load their values with the addresses of the strings.
Probably var_400 is the buffer for the text to read.
The problem is a buffer overflow, as usual; work out what happens if you enter a really long line into gets.
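To make the answer concrete, here is an added C example (not code from the original question or from the binary under discussion) that models the frame the listing sets up and shows what an oversized gets() line overwrites, next to a bounded replacement for the read. The sizes come from the listing (sub esp, 410h; buffer at var_400, so 0x400 bytes up to the top of the frame); the alignment padding between the buffer and the saved ebp, which is 0..12 bytes depending on the caller's esp, is assumed to be 0, and the saved ebp and return address values are placeholders, not addresses from the binary. The test eax,eax after strcmp is just a zero check on the result, so it is not the bug; the missing bound on gets() is.

```c
#define _POSIX_C_SOURCE 200809L       /* fmemopen(), to feed constructed input */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 0x400              /* var_400 to the frame top: 1024 bytes */

/* Model of main()'s frame from var_400 upward: gets() buffer, saved ebp, return
 * address. The 0..12 bytes of padding `and esp, 0FFFFFFF0h` can leave before the saved ebp is assumed 0. */
struct frame {
    char     entry[ENTRY_SIZE];
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

/* What gets() does with a line: copy up to the newline with no bound, then a
 * NUL. Modelled as a memcpy over the frame bytes, stopping at the frame edge
 * so it stays deterministic; the real call keeps writing past it. */
size_t simulate_gets(struct frame *fr, const char *line)
{
    size_t len = strcspn(line, "\n");
    if (len > sizeof *fr)
        len = sizeof *fr;
    memcpy((unsigned char *)fr, line, len);
    if (len < sizeof *fr)
        ((unsigned char *)fr)[len] = '\0';   /* the terminating NUL lands here too */
    return len;
}

/* Return address left in the model frame after a line of line_len 'A's;
 * 0x11111111 / 0x22222222 are placeholders, not addresses from the binary (x86 is little-endian). */
uint32_t ret_addr_after_line(size_t line_len)
{
    struct frame fr = { {0}, 0x11111111u, 0x22222222u };
    char line[sizeof fr + 2];
    if (line_len > sizeof fr)
        line_len = sizeof fr;
    memset(line, 'A', line_len);
    line[line_len] = '\n'; line[line_len + 1] = '\0';
    simulate_gets(&fr, line);
    return fr.ret_addr;
}

/* The fix: fgets() bounded by the buffer size, then a check that the whole line
 * fit. Returns 1 for a complete line (newline stripped), 0 on EOF with nothing
 * read, -1 for a line longer than cap-1; the overlong remainder is drained. */
int read_entry(char *dst, size_t cap, FILE *in)
{
    if (cap < 2 || fgets(dst, (int)cap, in) == NULL)
        return 0;
    size_t len = strcspn(dst, "\n");
    if (dst[len] == '\n') { dst[len] = '\0'; return 1; }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 1;                     /* line ended exactly at the limit or at EOF */
    while (c != EOF && c != '\n')
        c = fgetc(in);                /* discard what did not fit */
    return -1;
}

/* Fixed main() body over any stream: 1 = "zoidberg", 0 = other entry, -1 = no
 * line or line too long. The listing's second message is truncated, so a short
 * placeholder is printed for it. */
int check_stream(FILE *in)
{
    char entry[ENTRY_SIZE];
    int r = read_entry(entry, sizeof entry, in);
    if (r != 1) { puts(r < 0 ? "entry too long" : "no entry"); return -1; }
    int ok = strcmp(entry, "zoidberg") == 0;   /* the test eax,eax decision */
    puts(ok ? "need an entry? why not zoidberg?" : "your entry is bad");
    return ok;
}

/* Run check_stream() `which` times over a constructed stream of fill_len 'A's,
 * a newline, then "zoidberg\n", and return the last result. */
int fixed_result(size_t fill_len, int which)
{
    char *text = malloc(fill_len + 11);
    int result = -1;
    memset(text, 'A', fill_len);
    memcpy(text + fill_len, "\nzoidberg\n", 11);
    FILE *f = fmemopen(text, fill_len + 10, "r");
    for (int i = 0; i < which; i++)
        result = check_stream(f);
    fclose(f);
    free(text);
    return result;
}

int main(void)
{
    printf("ret addr after a 1032-byte line: 0x%08x\n", (unsigned)ret_addr_after_line(ENTRY_SIZE + 8));
    printf("bounded read of a 2000-byte line: %d, next line: %d\n", fixed_result(2000, 1), fixed_result(2000, 2));
    return 0;
}
```

A 1027-byte line leaves the return address alone, a 1028-byte line already clobbers its low byte through the terminating NUL that gets() appends, and a 1032-byte line replaces it entirely; add the real padding (0..12 bytes) to those lengths for the actual frame. The bounded version reports an overlong line instead of writing past the buffer and drains the rest so the next read starts on a fresh line.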