asm4

Problem

What will asm4("picoCTF_376ee") return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format. Source located in the directory at /problems/asm4_2_0932017a5f5efe2bc813afd0fe0603aa.

• Source

Solution

1. Let's look at the source:

   Copy

    asm4:
        <+0>:    push   ebp
        <+1>:    mov    ebp,esp
        <+3>:    push   ebx
        <+4>:    sub    esp,0x10
        <+7>:    mov    DWORD PTR [ebp-0x10],0x25c
        <+14>:    mov    DWORD PTR [ebp-0xc],0x0
        <+21>:    jmp    0x518 <asm4+27>
        <+23>:    add    DWORD PTR [ebp-0xc],0x1
        <+27>:    mov    edx,DWORD PTR [ebp-0xc]
        <+30>:    mov    eax,DWORD PTR [ebp+0x8]
        <+33>:    add    eax,edx
        <+35>:    movzx  eax,BYTE PTR [eax]
        <+38>:    test   al,al
        <+40>:    jne    0x514 <asm4+23>
        <+42>:    mov    DWORD PTR [ebp-0x8],0x1
        <+49>:    jmp    0x587 <asm4+138>
        <+51>:    mov    edx,DWORD PTR [ebp-0x8]
        <+54>:    mov    eax,DWORD PTR [ebp+0x8]
        <+57>:    add    eax,edx
        <+59>:    movzx  eax,BYTE PTR [eax]
        <+62>:    movsx  edx,al
        <+65>:    mov    eax,DWORD PTR [ebp-0x8]
        <+68>:    lea    ecx,[eax-0x1]
        <+71>:    mov    eax,DWORD PTR [ebp+0x8]
        <+74>:    add    eax,ecx
        <+76>:    movzx  eax,BYTE PTR [eax]
        <+79>:    movsx  eax,al
        <+82>:    sub    edx,eax
        <+84>:    mov    eax,edx
        <+86>:    mov    edx,eax
        <+88>:    mov    eax,DWORD PTR [ebp-0x10]
        <+91>:    lea    ebx,[edx+eax*1]
        <+94>:    mov    eax,DWORD PTR [ebp-0x8]
        <+97>:    lea    edx,[eax+0x1]
        <+100>:    mov    eax,DWORD PTR [ebp+0x8]
        <+103>:    add    eax,edx
        <+105>:    movzx  eax,BYTE PTR [eax]
        <+108>:    movsx  edx,al
        <+111>:    mov    ecx,DWORD PTR [ebp-0x8]
        <+114>:    mov    eax,DWORD PTR [ebp+0x8]
        <+117>:    add    eax,ecx
        <+119>:    movzx  eax,BYTE PTR [eax]
        <+122>:    movsx  eax,al
        <+125>:    sub    edx,eax
        <+127>:    mov    eax,edx
        <+129>:    add    eax,ebx
        <+131>:    mov    DWORD PTR [ebp-0x10],eax
        <+134>:    add    DWORD PTR [ebp-0x8],0x1
        <+138>:    mov    eax,DWORD PTR [ebp-0xc]
        <+141>:    sub    eax,0x1
        <+144>:    cmp    DWORD PTR [ebp-0x8],eax
        <+147>:    jl     0x530 <asm4+51>
        <+149>:    mov    eax,DWORD PTR [ebp-0x10]
        <+152>:    add    esp,0x10
        <+155>:    pop    ebx
        <+156>:    pop    ebp
        <+157>:    ret

2. Since this challenge is more complicated than challenges asm1 and asm2, we will compile and run it using a different method than asm3.

3. We can compile the function into a C file using the following syntax (source):

   Copy

    #include <stdio.h>
    #include <stdlib.h>
   
    int asm4(char* in)
    {
        int val;
   
        asm (
            "nop;"
            "nop;"
            "nop;"
            //"push   ebp;"
            //"mov    ebp,esp;"
            "push   ebx;"
            "sub    esp,0x10"
            "mov    DWORD PTR [ebp-0x10],0x25c"
            "mov    DWORD PTR [ebp-0xc],0x0"
            "jmp    _asm_27;"
        "_asm_23:"
            "add    DWORD PTR [ebp-0xc],0x1;"
        "_asm_27:"
            "mov    edx,DWORD PTR [ebp-0xc];"
            "mov    eax,DWORD PTR [%[pInput]];"
            "add    eax,edx;"
            "movzx  eax,BYTE PTR [eax];"
            "test   al,al;"
            "jne    _asm_23;"
            "mov    DWORD PTR [ebp-0x8],0x1;"
            "jmp    _asm_138;"
        "_asm_51:"
            "mov    edx,DWORD PTR [ebp-0x8];"
            "mov    eax,DWORD PTR [%[pInput]];"
            "add    eax,edx;"
            "movzx  eax,BYTE PTR [eax];"
            "movsx  edx,al;"
            "mov    eax,DWORD PTR [ebp-0x8];"
            "lea    ecx,[eax-0x1];"
            "mov    eax,DWORD PTR [%[pInput]];"
            "add    eax,ecx;"
            "movzx  eax,BYTE PTR [eax];"
            "movsx  eax,al;"
            "sub    edx,eax;"
            "mov    eax,edx;"
            "mov    edx,eax;"
            "mov    eax,DWORD PTR [ebp-0x10];"
            "lea    ebx,[edx+eax*1];"
            "mov    eax,DWORD PTR [ebp-0x8];"
            "lea    edx,[eax+0x1];"
            "mov    eax,DWORD PTR [%[pInput]];"
            "add    eax,edx;"
            "movzx  eax,BYTE PTR [eax];"
            "movsx  edx,al;"
            "mov    ecx,DWORD PTR [ebp-0x8];"
            "mov    eax,DWORD PTR [%[pInput]];"
            "add    eax,ecx;"
            "movzx  eax,BYTE PTR [eax];"
            "movsx  eax,al;"
            "sub    edx,eax;"
            "mov    eax,edx;"
            "add    eax,ebx;"
            "mov    DWORD PTR [ebp-0x10],eax;"
            "add    DWORD PTR [ebp-0x8],0x1;"
        "_asm_138:"
            "mov    eax,DWORD PTR [ebp-0xc];"
            "sub    eax,0x1;"
            "cmp    DWORD PTR [ebp-0x8],eax;"
            "jl     _asm_51;"
            "mov    eax,DWORD PTR [ebp-0x10];"
            "add    esp,0x10;"
            "pop    ebx;"
            //"pop    ebp;"
            //"ret    ;"
            "nop;"
            "nop;"
            "nop;"
                :"=r"(val)
                : [pInput] "m"(in)
        );
   
        return val;
    }
   
    int main(int argc, char** argv)
    {
        printf("0x%x\n", asm4("picoCTF_376ee"));
   
        return 0;
    }

   Note that jumps were ported to use labels, the input parameter was renamed and the frame setup and teardown were already taken care of by the compiler and therefore commented out in the assembly. The nops were inserted in order to make it easier to locate the inline assembly with a debugger or disassembler. An alternative was to use a dedicated assembly file as we did in asm3.

4. Compile by running gcc -masm=intel -m32 solve.c -o solve.

5. Run the solve.c file with ./solve

Flag

0x24d