PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
  • Binary Exploitation
    • L1im1tL355
    • messy-malloc
    • OverFlow 2
    • CanaRy
    • NewOverFlow-1
    • NewOverFlow-2
    • sice_cream
    • seed-sPRiNG
    • leap-frog
    • GoT
    • rop64
    • rop32
    • Ghost_Diary
    • zero_to_hero
    • Challenge Name
    • Heap overflow
    • slippery-shellcode
    • AfterLife
    • SecondLife
    • stringzz
  • Cryptography
    • la cifra de
    • b00tl3gRSA2
    • b00tl3gRSA3
    • AES-ABC
    • john_pollard
    • b00tl3gRSA2
    • waves over lambda
  • Forensics
    • What Lies Within
    • m00nwalk
    • shark on wire 1
    • shark on wire 2
    • Glory of the Garden
    • pastaAAA
    • Investigative Reversing 0
    • Investigative Reversing 1
    • extensions
    • investigation_encoded_1
    • Investigative Reversing 2
    • investigation_encoded_2
    • Investigative Reversing 3
    • like1000
    • Investigative Reversing 4
    • WebNet0
    • B1g_Mac
    • m00nwalk 2
    • WebNet1
    • WhitePages
    • So Meta
    • c0rrupt
  • Web Exploitation
    • Java Script Kiddie 2
    • Empire1
    • Empire2
    • cereal hacker 1
    • Empire3
    • cereal hacker 2
    • Java Script Kiddie
    • JaWT Scratchpad
    • Irish-Name-Repo 1
    • Irish-Name-Repo 2
    • Irish-Name-Repo 3
  • Reverse Engineering
    • Time's Up, Again!
    • Forky
    • droids0
    • Challenge Name
    • droids1
    • droids2
    • droids3
    • reverse_cipher
    • droids4
    • B1ll_Gat35
    • Time's Up
    • Time's Up, For the Last Time!
    • asm1
    • asm2
    • asm3
    • asm4
  • Challenge Name
Powered by GitBook
On this page
  • Problem
  • Solution
  • Flag

Was this helpful?

Edit on Git
  1. Reverse Engineering

asm2

Problem

What does asm2(0x9,0x1e) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm2_2_5667a5cd5764b4356121f1d6232ac78c.

  • Source

Solution

  1. Let's look at the source:

     asm2:
     <+0>:    push   ebp
     <+1>:    mov    ebp,esp
     <+3>:    sub    esp,0x10
     <+6>:    mov    eax,DWORD PTR [ebp+0xc]
     <+9>:    mov    DWORD PTR [ebp-0x4],eax
     <+12>:    mov    eax,DWORD PTR [ebp+0x8]
     <+15>:    mov    DWORD PTR [ebp-0x8],eax
     <+18>:    jmp    0x50c <asm2+31>
     <+20>:    add    DWORD PTR [ebp-0x4],0x1
     <+24>:    add    DWORD PTR [ebp-0x8],0xa9
     <+31>:    cmp    DWORD PTR [ebp-0x8],0x47a6
     <+38>:    jle    0x501 <asm2+20>
     <+40>:    mov    eax,DWORD PTR [ebp-0x4]
     <+43>:    leave  
     <+44>:    ret

  2. We call asm2(0x9,0x1e) so we are putting 0x9 and 0x1e into the stack. After running mov ebp,esp the stack looks like this:

     +---------+
 | old ebp | <-- ebp
 +---------+
 | ret     | <-- ebp + 0x4
 +---------+
 | 0x9     | <-- ebp + 0x8
 +---------+
 | 0x1e    | <-- ebp + 0xc
 +---------+

  3. Then we run sub esp,0x10 which creates the below layout:

     +---------+
 |         | <-- ebp - 0x10 (local3)
 +---------+
 |         | <-- ebp - 0xc (local2)
 +---------+
 |         | <-- ebp - 0x8 (local1)
 +---------+
 |         | <-- ebp - 0x4 (local0)
 +---------+
 | old ebp | <-- ebp
 +---------+
 | ret     | <-- ebp + 0x4
 +---------+
 | 0x9     | <-- ebp + 0x8
 +---------+
 | 0x1e    | <-- ebp + 0xc
 +---------+

  4. Next, we put our two parameters in at ebp-0x4 and ebp-0x8:

     <+6>:    mov    eax,DWORD PTR [ebp+0xc]
 <+9>:    mov    DWORD PTR [ebp-0x4],eax
 <+12>:    mov    eax,DWORD PTR [ebp+0x8]
 <+15>:    mov    DWORD PTR [ebp-0x8],eax
 <+18>:    jmp    0x50c <asm2+31>

    Two new positions at ebp-0x4 and ebp-0x8 are created and store the values from ebp+0xc and ebp+0x8.

    This makes the stack look as follows:

     +---------+
 |         | <-- ebp - 0x10 (local3)
 +---------+
 |         | <-- ebp - 0xc (local2)
 +---------+
 | 0x9     | <-- ebp - 0x8 (local1)
 +---------+
 | 0x1e    | <-- ebp - 0x4 (local0)
 +---------+
 | old ebp | <-- ebp
 +---------+
 | ret     | <-- ebp + 0x4
 +---------+
 | 0x9     | <-- ebp + 0x8
 +---------+
 | 0x1e    | <-- ebp + 0xc
 +---------+

  5. At this point, we know that ebp-0x4 is storing 0x1e and ebp-0x8 is storing 0x9. We then take an unconditional jump to line 31.

  6. We see here that we are comparing the value stored at ebp-0x8, which is 0x9, to 0x47a6. Since the comparison is less or equal to and the condition is jle (jump less/equal), we make the jump back up to line 20.

     <+31>:    cmp    DWORD PTR [ebp-0x8],0x47a6
 <+38>:    jle    0x501 <asm2+20>

  7. At this point we can start to see a for loop type of logic occurring. After jumping to line 20, the value stored at ebp-0x4 increases by 0x1 and the value at ebp-0x8 increases by 0xa9. This continues to loop because of the jle condition until ebp-0x8 is not less or equal to 0x47a6. Finally, once the loop ends, we move the value stored at ebp-0x4 to the returned value eax. Therefore, the value at ebp-0x4 is all that matters in determining the flag, but we do need to worry about ebp-0x8 since it determines how many times to loop. So we take 0x1e and add 0x1 x times, where x can be found by solving 0x9+0xa9*x>0x47a6 to get 109. 0x1e+0x1*109 is 0x8b, which is the flag.

     <+20>:    add    DWORD PTR [ebp-0x4],0x1
 <+24>:    add    DWORD PTR [ebp-0x8],0xa9
 <+31>:    cmp    DWORD PTR [ebp-0x8],0x47a6
 <+38>:    jle    0x501 <asm2+20>
 <+40>:    mov    eax,DWORD PTR [ebp-0x4]
 <+43>:    leave  
 <+44>:    ret

Flag

0x8b

Previousasm1Nextasm3

Last updated 3 years ago

Was this helpful?