PicoCTF-2019 Writeup
  • HHousen PicoCTF-2019 Writeup
asm3


Last updated 4 years ago


Problem

What does asm3(0xc4bd37e3,0xf516e15e,0xeea4f333) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm3_4_c89016e12b8f3cac92a2e637c03f6139.

Solution

  1. Let's look at the source:

     asm3:
         <+0>:    push   ebp
         <+1>:    mov    ebp,esp
         <+3>:    xor    eax,eax
         <+5>:    mov    ah,BYTE PTR [ebp+0x9]
         <+8>:    shl    ax,0x10
         <+12>:    sub    al,BYTE PTR [ebp+0xd]
         <+15>:    add    ah,BYTE PTR [ebp+0xe]
         <+18>:    xor    ax,WORD PTR [ebp+0x10]
         <+22>:    nop
         <+23>:    pop    ebp
         <+24>:    ret
  2. Since this challenge is more complicated than the previous asm* challenges, we will compile and run it.

  3. We modify the source like so, adding the assembler directives and removing the offset labels:

     .intel_syntax noprefix
     .global asm3
    
     asm3:
         push   ebp
         mov    ebp,esp
         xor    eax,eax
         mov    ah,BYTE PTR [ebp+0x9]
         shl    ax,0x10
         sub    al,BYTE PTR [ebp+0xd]
         add    ah,BYTE PTR [ebp+0xe]
         xor    ax,WORD PTR [ebp+0x10]
         nop
         pop    ebp
         ret
  4. We also create a C program, solve.c, that calls the function:

     #include <stdio.h>
    
     int asm3(int, int, int);
    
     int main(int argc, char* argv[])
     {
         printf("0x%x\n", asm3(0xc4bd37e3,0xf516e15e,0xeea4f333));
         return 0;
     }
  5. Compile:

     $ gcc -masm=intel -m32 -c test_modified.S -o test_modified.o
     $ gcc -m32 -c solve.c -o solve.o
     $ gcc -m32 test_modified.o solve.o -o solve
  6. Run ./solve to get the flag.
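
The same value can be traced by hand without a 32-bit toolchain. The C program below is an added example, not part of the original writeup: it emulates each instruction of asm3 on the al/ah/ax sub-registers, reading argument bytes from their little-endian stack positions. The names asm3_emulated and stack_byte are chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Byte at [ebp+off]: the cdecl arguments sit at ebp+0x8, ebp+0xc and
   ebp+0x10, each stored little-endian. */
static uint8_t stack_byte(const uint32_t args[3], unsigned off)
{
    unsigned rel = off - 0x8;
    return (uint8_t)(args[rel / 4] >> (8 * (rel % 4)));
}

/* asm3_emulated is a name chosen for this example, not from the challenge. */
uint32_t asm3_emulated(uint32_t a, uint32_t b, uint32_t c)
{
    const uint32_t args[3] = { a, b, c };
    uint8_t al = 0, ah = 0;                     /* xor eax,eax */
    uint16_t ax, word;

    ah = stack_byte(args, 0x9);                 /* mov ah,BYTE PTR [ebp+0x9] */

    ax = (uint16_t)((uint32_t)((ah << 8) | al) << 16);  /* shl ax,0x10 */
    ah = (uint8_t)(ax >> 8);                    /* a 16-bit register shifted */
    al = (uint8_t)ax;                           /* left by 16 becomes zero  */

    al = (uint8_t)(al - stack_byte(args, 0xd)); /* sub al,BYTE PTR [ebp+0xd] */
    ah = (uint8_t)(ah + stack_byte(args, 0xe)); /* add ah,BYTE PTR [ebp+0xe] */

    word = (uint16_t)(stack_byte(args, 0x10) | (stack_byte(args, 0x11) << 8));
    ax = (uint16_t)(((ah << 8) | al) ^ word);   /* xor ax,WORD PTR [ebp+0x10] */

    return ax;                                  /* upper half of eax stays 0 */
}

int main(void)
{
    printf("0x%x\n", asm3_emulated(0xc4bd37e3u, 0xf516e15eu, 0xeea4f333u));
    return 0;
}
```

The byte loaded into ah from the first argument is discarded by the 16-bit shift, so only bytes 1 and 2 of the second argument and the low word of the third affect the result.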

Flag

0xe52c

Source
test.S
test_modified.S
solve.c