asm4
Problem
What will asm4("picoCTF_376ee") return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm4_2_0932017a5f5efe2bc813afd0fe0603aa.
Solution
Let's look at the source:
; asm4: 32-bit x86 routine, Intel syntax, shown as a disassembly listing with <+offset> markers.
; Stack slots used below:
;   [ebp+0x8]  - the single argument, used as the base address of a byte string
;   [ebp-0x10] - running accumulator, seeded with 0x25c
;   [ebp-0xc]  - index of the first zero byte (the string length)
;   [ebp-0x8]  - loop index i of the second loop
; Net effect: acc = 0x25c; for (i = 1; i < len - 1; i++) acc += (s[i]-s[i-1]) + (s[i+1]-s[i]);
; the function returns acc in eax.
asm4:
<+0>: push ebp                              ; standard prologue: save caller's frame pointer
<+1>: mov ebp,esp
<+3>: push ebx                              ; ebx is used as scratch below, so it is saved
<+4>: sub esp,0x10                          ; reserve 16 bytes for the three locals
<+7>: mov DWORD PTR [ebp-0x10],0x25c        ; acc = 0x25c
<+14>: mov DWORD PTR [ebp-0xc],0x0          ; len = 0
<+21>: jmp 0x518 <asm4+27>                  ; enter the first loop at its test
<+23>: add DWORD PTR [ebp-0xc],0x1          ; len++
<+27>: mov edx,DWORD PTR [ebp-0xc]
<+30>: mov eax,DWORD PTR [ebp+0x8]
<+33>: add eax,edx                          ; eax = &s[len]
<+35>: movzx eax,BYTE PTR [eax]
<+38>: test al,al
<+40>: jne 0x514 <asm4+23>                  ; keep scanning until the zero terminator
<+42>: mov DWORD PTR [ebp-0x8],0x1          ; i = 1
<+49>: jmp 0x587 <asm4+138>                 ; enter the second loop at its test
<+51>: mov edx,DWORD PTR [ebp-0x8]
<+54>: mov eax,DWORD PTR [ebp+0x8]
<+57>: add eax,edx
<+59>: movzx eax,BYTE PTR [eax]
<+62>: movsx edx,al                         ; edx = s[i], sign-extended
<+65>: mov eax,DWORD PTR [ebp-0x8]
<+68>: lea ecx,[eax-0x1]                    ; ecx = i - 1
<+71>: mov eax,DWORD PTR [ebp+0x8]
<+74>: add eax,ecx
<+76>: movzx eax,BYTE PTR [eax]
<+79>: movsx eax,al                         ; eax = s[i-1], sign-extended
<+82>: sub edx,eax                          ; edx = s[i] - s[i-1]
<+84>: mov eax,edx
<+86>: mov edx,eax                          ; redundant copy, value unchanged
<+88>: mov eax,DWORD PTR [ebp-0x10]
<+91>: lea ebx,[edx+eax*1]                  ; ebx = acc + (s[i] - s[i-1])
<+94>: mov eax,DWORD PTR [ebp-0x8]
<+97>: lea edx,[eax+0x1]                    ; edx = i + 1
<+100>: mov eax,DWORD PTR [ebp+0x8]
<+103>: add eax,edx
<+105>: movzx eax,BYTE PTR [eax]
<+108>: movsx edx,al                        ; edx = s[i+1], sign-extended
<+111>: mov ecx,DWORD PTR [ebp-0x8]
<+114>: mov eax,DWORD PTR [ebp+0x8]
<+117>: add eax,ecx
<+119>: movzx eax,BYTE PTR [eax]
<+122>: movsx eax,al                        ; eax = s[i], sign-extended
<+125>: sub edx,eax                         ; edx = s[i+1] - s[i]
<+127>: mov eax,edx
<+129>: add eax,ebx                         ; eax = acc + (s[i]-s[i-1]) + (s[i+1]-s[i])
<+131>: mov DWORD PTR [ebp-0x10],eax        ; acc = eax
<+134>: add DWORD PTR [ebp-0x8],0x1         ; i++
<+138>: mov eax,DWORD PTR [ebp-0xc]
<+141>: sub eax,0x1                         ; eax = len - 1
<+144>: cmp DWORD PTR [ebp-0x8],eax
<+147>: jl 0x530 <asm4+51>                  ; signed compare: loop while i < len - 1
<+149>: mov eax,DWORD PTR [ebp-0x10]        ; return value = acc
<+152>: add esp,0x10                        ; epilogue: release locals, restore ebx and ebp
<+155>: pop ebx
<+156>: pop ebp
<+157>: ret
Since this challenge is more complicated than challenges asm1 and asm2, we will compile and run it, using a different method than in asm3. We can embed the function in a C file as inline assembly, using the following syntax (source):
#include <stdio.h> #include <stdlib.h> int asm4(char* in) { int val; asm ( "nop;" "nop;" "nop;" //"push ebp;" //"mov ebp,esp;" "push ebx;" "sub esp,0x10" "mov DWORD PTR [ebp-0x10],0x25c" "mov DWORD PTR [ebp-0xc],0x0" "jmp _asm_27;" "_asm_23:" "add DWORD PTR [ebp-0xc],0x1;" "_asm_27:" "mov edx,DWORD PTR [ebp-0xc];" "mov eax,DWORD PTR [%[pInput]];" "add eax,edx;" "movzx eax,BYTE PTR [eax];" "test al,al;" "jne _asm_23;" "mov DWORD PTR [ebp-0x8],0x1;" "jmp _asm_138;" "_asm_51:" "mov edx,DWORD PTR [ebp-0x8];" "mov eax,DWORD PTR [%[pInput]];" "add eax,edx;" "movzx eax,BYTE PTR [eax];" "movsx edx,al;" "mov eax,DWORD PTR [ebp-0x8];" "lea ecx,[eax-0x1];" "mov eax,DWORD PTR [%[pInput]];" "add eax,ecx;" "movzx eax,BYTE PTR [eax];" "movsx eax,al;" "sub edx,eax;" "mov eax,edx;" "mov edx,eax;" "mov eax,DWORD PTR [ebp-0x10];" "lea ebx,[edx+eax*1];" "mov eax,DWORD PTR [ebp-0x8];" "lea edx,[eax+0x1];" "mov eax,DWORD PTR [%[pInput]];" "add eax,edx;" "movzx eax,BYTE PTR [eax];" "movsx edx,al;" "mov ecx,DWORD PTR [ebp-0x8];" "mov eax,DWORD PTR [%[pInput]];" "add eax,ecx;" "movzx eax,BYTE PTR [eax];" "movsx eax,al;" "sub edx,eax;" "mov eax,edx;" "add eax,ebx;" "mov DWORD PTR [ebp-0x10],eax;" "add DWORD PTR [ebp-0x8],0x1;" "_asm_138:" "mov eax,DWORD PTR [ebp-0xc];" "sub eax,0x1;" "cmp DWORD PTR [ebp-0x8],eax;" "jl _asm_51;" "mov eax,DWORD PTR [ebp-0x10];" "add esp,0x10;" "pop ebx;" //"pop ebp;" //"ret ;" "nop;" "nop;" "nop;" :"=r"(val) : [pInput] "m"(in) ); return val; } int main(int argc, char** argv) { printf("0x%x\n", asm4("picoCTF_376ee")); return 0; }
Note that the jumps were ported to use labels, the input parameter was renamed, and the frame setup and teardown are already taken care of by the compiler and were therefore commented out in the assembly. The nops were inserted to make it easier to locate the inline assembly with a debugger or disassembler. An alternative would be to use a dedicated assembly file, as we did in asm3.
Compile by running the following command (on a 64-bit host, -m32 needs the 32-bit compiler and libc support installed):
gcc -masm=intel -m32 solve.c -o solve
Then run the resulting solve binary with
./solve
Flag
0x24d