# asm4

## Problem

> What will asm4("picoCTF\_376ee") return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm4\_2\_0932017a5f5efe2bc813afd0fe0603aa.

* [Source](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Reverse%20Engineering/asm4/test.S)

## Solution

1. Let's look at the source:

   ```
    asm4:
        <+0>:    push   ebp
        <+1>:    mov    ebp,esp
        <+3>:    push   ebx
        <+4>:    sub    esp,0x10
        <+7>:    mov    DWORD PTR [ebp-0x10],0x25c
        <+14>:    mov    DWORD PTR [ebp-0xc],0x0
        <+21>:    jmp    0x518 <asm4+27>
        <+23>:    add    DWORD PTR [ebp-0xc],0x1
        <+27>:    mov    edx,DWORD PTR [ebp-0xc]
        <+30>:    mov    eax,DWORD PTR [ebp+0x8]
        <+33>:    add    eax,edx
        <+35>:    movzx  eax,BYTE PTR [eax]
        <+38>:    test   al,al
        <+40>:    jne    0x514 <asm4+23>
        <+42>:    mov    DWORD PTR [ebp-0x8],0x1
        <+49>:    jmp    0x587 <asm4+138>
        <+51>:    mov    edx,DWORD PTR [ebp-0x8]
        <+54>:    mov    eax,DWORD PTR [ebp+0x8]
        <+57>:    add    eax,edx
        <+59>:    movzx  eax,BYTE PTR [eax]
        <+62>:    movsx  edx,al
        <+65>:    mov    eax,DWORD PTR [ebp-0x8]
        <+68>:    lea    ecx,[eax-0x1]
        <+71>:    mov    eax,DWORD PTR [ebp+0x8]
        <+74>:    add    eax,ecx
        <+76>:    movzx  eax,BYTE PTR [eax]
        <+79>:    movsx  eax,al
        <+82>:    sub    edx,eax
        <+84>:    mov    eax,edx
        <+86>:    mov    edx,eax
        <+88>:    mov    eax,DWORD PTR [ebp-0x10]
        <+91>:    lea    ebx,[edx+eax*1]
        <+94>:    mov    eax,DWORD PTR [ebp-0x8]
        <+97>:    lea    edx,[eax+0x1]
        <+100>:    mov    eax,DWORD PTR [ebp+0x8]
        <+103>:    add    eax,edx
        <+105>:    movzx  eax,BYTE PTR [eax]
        <+108>:    movsx  edx,al
        <+111>:    mov    ecx,DWORD PTR [ebp-0x8]
        <+114>:    mov    eax,DWORD PTR [ebp+0x8]
        <+117>:    add    eax,ecx
        <+119>:    movzx  eax,BYTE PTR [eax]
        <+122>:    movsx  eax,al
        <+125>:    sub    edx,eax
        <+127>:    mov    eax,edx
        <+129>:    add    eax,ebx
        <+131>:    mov    DWORD PTR [ebp-0x10],eax
        <+134>:    add    DWORD PTR [ebp-0x8],0x1
        <+138>:    mov    eax,DWORD PTR [ebp-0xc]
        <+141>:    sub    eax,0x1
        <+144>:    cmp    DWORD PTR [ebp-0x8],eax
        <+147>:    jl     0x530 <asm4+51>
        <+149>:    mov    eax,DWORD PTR [ebp-0x10]
        <+152>:    add    esp,0x10
        <+155>:    pop    ebx
        <+156>:    pop    ebp
        <+157>:    ret
   ```
2. Since this challenge is more complicated than challenges `asm1` and `asm2`, we will compile and run it using a different method than `asm3`.
3. We can embed the function in a C file as GCC extended inline assembly, using the following syntax ([source](https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html)):

   ```c
    #include <stdio.h>
    #include <stdlib.h>

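    /*
     * asm4 - run the challenge's asm4 routine on `in` and return its result.
     *
     * The disassembly from step 1 is transcribed as GCC extended inline
     * assembly in Intel syntax, so the file must be built with
     * `gcc -masm=intel -m32`. Changes relative to the disassembly:
     *   - the original prologue/epilogue (push/mov/pop ebp, ret) is left out,
     *     because the compiler already emits a frame for this function;
     *   - relative jumps became labels named after the original offsets;
     *   - the argument [ebp+0x8] became the %[pInput] operand. GCC expands an
     *     "m" operand to a complete memory reference, so it is used bare
     *     (no extra brackets or size prefix wrapped around it);
     *   - the routine leaves its result in eax, so the output is tied to that
     *     register with "=a" rather than letting GCC choose one ("=r");
     *   - ecx, edx and the flags are overwritten and the string is read, so
     *     they are declared clobbered. ebx is saved/restored by the push/pop
     *     pair and is deliberately not listed (32-bit PIC builds reserve it).
     *
     * The routine keeps its three variables at [ebp-0x10], [ebp-0xc] and
     * [ebp-0x8], i.e. inside the compiler's own frame, so it depends on a
     * frame pointer and on -O0 (the default of the build command in step 4);
     * do not build it with optimisation enabled.
     *
     * Algorithm, read off the disassembly: with len = strlen(in) and acc
     * starting at 0x25c, for every i in [1, len-2] add
     * (in[i] - in[i-1]) + (in[i+1] - in[i]) to acc (bytes are sign-extended
     * via movsx). For len >= 3 the sum telescopes to
     * in[len-1] + in[len-2] - in[0] - in[1]; shorter inputs return 0x25c.
     * For "picoCTF_376ee" this gives 0x25c - 0xf = 0x24d, the flag.
     *
     * in:      NUL-terminated string to process (read only).
     * returns: the 32-bit value the routine leaves in eax.
     */
    int asm4(const char* in)
    {
        int val;

        asm volatile (
            "nop;"                                   /* markers for the debugger */
            "nop;"
            "nop;"
            //"push   ebp;"                          /* prologue: emitted by gcc */
            //"mov    ebp,esp;"
            "push   ebx;"
            /* every instruction ends in ';': the literals are concatenated
             * into a single line, so a missing separator glues two
             * instructions together and the assembler rejects the result */
            "sub    esp,0x10;"
            "mov    DWORD PTR [ebp-0x10],0x25c;"     /* acc = 0x25c */
            "mov    DWORD PTR [ebp-0xc],0x0;"        /* len = 0 */
            "jmp    _asm_27;"
        "_asm_23:"
            "add    DWORD PTR [ebp-0xc],0x1;"        /* len++ */
        "_asm_27:"                                   /* while (in[len] != 0) */
            "mov    edx,DWORD PTR [ebp-0xc];"
            "mov    eax,%[pInput];"
            "add    eax,edx;"
            "movzx  eax,BYTE PTR [eax];"
            "test   al,al;"
            "jne    _asm_23;"
            "mov    DWORD PTR [ebp-0x8],0x1;"        /* i = 1 */
            "jmp    _asm_138;"
        "_asm_51:"                                   /* loop body */
            "mov    edx,DWORD PTR [ebp-0x8];"
            "mov    eax,%[pInput];"
            "add    eax,edx;"
            "movzx  eax,BYTE PTR [eax];"
            "movsx  edx,al;"                         /* edx = (signed) in[i] */
            "mov    eax,DWORD PTR [ebp-0x8];"
            "lea    ecx,[eax-0x1];"
            "mov    eax,%[pInput];"
            "add    eax,ecx;"
            "movzx  eax,BYTE PTR [eax];"
            "movsx  eax,al;"                         /* eax = (signed) in[i-1] */
            "sub    edx,eax;"
            "mov    eax,edx;"
            "mov    edx,eax;"
            "mov    eax,DWORD PTR [ebp-0x10];"
            "lea    ebx,[edx+eax*1];"                /* ebx = acc + (in[i] - in[i-1]) */
            "mov    eax,DWORD PTR [ebp-0x8];"
            "lea    edx,[eax+0x1];"
            "mov    eax,%[pInput];"
            "add    eax,edx;"
            "movzx  eax,BYTE PTR [eax];"
            "movsx  edx,al;"                         /* edx = (signed) in[i+1] */
            "mov    ecx,DWORD PTR [ebp-0x8];"
            "mov    eax,%[pInput];"
            "add    eax,ecx;"
            "movzx  eax,BYTE PTR [eax];"
            "movsx  eax,al;"                         /* eax = (signed) in[i] */
            "sub    edx,eax;"
            "mov    eax,edx;"
            "add    eax,ebx;"
            "mov    DWORD PTR [ebp-0x10],eax;"       /* acc = ebx + (in[i+1] - in[i]) */
            "add    DWORD PTR [ebp-0x8],0x1;"        /* i++ */
        "_asm_138:"                                  /* while (i < len - 1), signed compare */
            "mov    eax,DWORD PTR [ebp-0xc];"
            "sub    eax,0x1;"
            "cmp    DWORD PTR [ebp-0x8],eax;"
            "jl     _asm_51;"
            "mov    eax,DWORD PTR [ebp-0x10];"       /* result = acc */
            "add    esp,0x10;"
            "pop    ebx;"
            //"pop    ebp;"                          /* epilogue: emitted by gcc */
            //"ret    ;"
            "nop;"
            "nop;"
            "nop;"
                : "=a"(val)                          /* the routine leaves the result in eax */
                : [pInput] "m"(in)
                : "ecx", "edx", "cc", "memory"
        );

        return val;
    }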

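    /*
     * Print asm4("picoCTF_376ee") as a hexadecimal value, which is what the
     * challenge asks for. The write-up's answer is 0x24d.
     *
     * argc/argv are unused: the input is fixed by the challenge text.
     */
    int main(int argc, char** argv)
    {
        (void)argc;
        (void)argv;

        /* %x expects an unsigned argument; cast the int result explicitly */
        printf("0x%x\n", (unsigned)asm4("picoCTF_376ee"));

        return EXIT_SUCCESS;
    }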
   ```

   Note that the jumps were ported to use labels, the input parameter was renamed, and the frame setup and teardown were already handled by the compiler and were therefore commented out in the assembly. The nops were inserted to make it easier to locate the inline assembly with a debugger or disassembler. An alternative would have been to use a dedicated assembly file, as we did in `asm3`.
4. Compile by running `gcc -masm=intel -m32 solve.c -o solve`.
5. Run the compiled [solve.c](https://github.com/HHousen/PicoCTF-2019/tree/24b0981c72638c12f9a8572f81e1abbcf8de306d/Reverse%20Engineering/asm4/solve.c) program with `./solve`.

### Flag

`0x24d`


