# asm1 ## Problem > What does asm1(0x610) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm1\_1\_95494d904d73b330976420bc1cd763ec. * [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Reverse%20Engineering/asm1/test.S) ## Solution 1. Let's look at the source: ``` asm1: <+0>: push ebp <+1>: mov ebp,esp <+3>: cmp DWORD PTR [ebp+0x8],0x3b9 <+10>: jg 0x50f <+12>: cmp DWORD PTR [ebp+0x8],0x1 <+16>: jne 0x507 <+18>: mov eax,DWORD PTR [ebp+0x8] <+21>: add eax,0x11 <+24>: jmp 0x526 <+26>: mov eax,DWORD PTR [ebp+0x8] <+29>: sub eax,0x11 <+32>: jmp 0x526 <+34>: cmp DWORD PTR [ebp+0x8],0x477 <+41>: jne 0x520 <+43>: mov eax,DWORD PTR [ebp+0x8] <+46>: sub eax,0x11 <+49>: jmp 0x526 <+51>: mov eax,DWORD PTR [ebp+0x8] <+54>: add eax,0x11 <+57>: pop ebp <+58>: ret ``` 2. We call `asm1(0x610)` so we are putting `0x610` into the stack. This value gets pushed into ebp and then moved into esp on lines 0 and 1. Normally ebp is used to backup esp, so if esp is changed by the code in a function, all it takes to restore esp is mov esp, ebp. Also since ebp is normally left unchanged by the code in a function, it can be used to access passed parameters or local variables without having to adjust the offsets. More info about esp and ebp: [StackOverflow answer](https://stackoverflow.com/a/21718526). ``` <+0>: push ebp <+1>: mov ebp,esp ``` 3. First Condition: ``` <+3>: cmp DWORD PTR [ebp+0x8],0x3b9 <+10>: jg 0x50f ``` Here, we are comparing (cmp) first value in the stack (which is `0x610`) to 0x3b9. The jg means "jump if greater". Since `0x610` is indeed greater than 0x3b9, we jump to the line given by this condition: line 34. 4. Second Condition: ``` <+34>: cmp DWORD PTR [ebp+0x8],0x477 <+41>: jne 0x520 ``` Here, we have another comparison, this time between the first value in the stack and `0x477`. The condition jne means "jump if not equal". Since `0x610` is not equal to `0x477`, this is true and jump to line 51. 5. Addition ``` <+51>: mov eax,DWORD PTR [ebp+0x8] <+54>: add eax,0x11 ``` Here, the value in the stack is moved to the variable that will be returned eax. We then add `0x11` to it, so now eax is equal to `0x610+0x11=0x621`. 6. Ending ``` <+57>: pop ebp <+58>: ret ``` On line 57, the stack is popped and eax is returned. Since eax is equal to `0x621`, that is our flag. ### Flag `0x621` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://picoctf2019.haydenhousen.com/reverse-engineering/asm1.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.