PicoCTF Writeup – asm1
# Information:
CTF Name: PicoCTF
CTF Challenge: asm1
Challenge Category: Reverse Engineering
Challenge Points: 200
PicoCTF 2019.
# Challenge Description:
What does asm1(0x8be) return? Submit the flag as a hexadecimal value (starting with ‘0x’). NOTE: Your submission for this question will NOT be in the normal flag format. Source
Hint: assembly conditions
# Writeup
Assembly, oh assembly, such a lovely hard language to understand. Well, sorry for this weird moment.
Well, this challenge presents us with an assembly code snippet. The file name is test.S and below you can see the code snippet:
asm1:
<+0> : push ebp
<+1> : mov ebp,esp
<+3> : cmp DWORD PTR [ebp+0x8],0x71c
<+10>: jg 0x512 <asm1+37>
<+12>: cmp DWORD PTR [ebp+0x8],0x6cf
<+19>: jne 0x50a <asm1+29>
<+21>: mov eax,DWORD PTR [ebp+0x8]
<+24>: add eax,0x3
<+27>: jmp 0x529 <asm1+60>
<+29>: mov eax,DWORD PTR [ebp+0x8]
<+32>: sub eax,0x3
<+35>: jmp 0x529 <asm1+60>
<+37>: cmp DWORD PTR [ebp+0x8],0x8be
<+44>: jne 0x523 <asm1+54>
<+46>: mov eax,DWORD PTR [ebp+0x8]
<+49>: sub eax,0x3
<+52>: jmp 0x529 <asm1+60>
<+54>: mov eax,DWORD PTR [ebp+0x8]
<+57>: add eax,0x3
<+60>: pop ebp
<+61>: ret
As I said this is assembly code, and I know a little assembly but not enough, so I used the link in the hint to learn a little bit more. After reading a little bit about assembly and having a better understanding of how it works I decided to try my luck and see if I could read the program flow and understand what it does.
To understand the program I decided to go line by line.
<+0>: push ebp
<+1>: mov ebp,esp
We know that the asm1(0x8be) is being put into the stack. This happens due to these two first lines. The first line pushes asm1(0x8be) into ebp and then this value is moved into esp.
After these two instructions, we have the 0x8be located at ebp+0x8. The current stack state is as such: …
Distance to ebp | Address | Notes |
---|---|---|
0x8 | 0x8be | which is equal to saying: ebp+0x8 |
0x4 | esp | which is equal to saying: ebp+0x4 |
0x0 | ebp |
Knowing this helps us a lot. Now the next two instructions:
<+3>: cmp DWORD PTR [ebp+0x8],0x71c
<+10>: jg 0x512 <asm1+37>
In these instructions what we have is a comparison, if ebp+0x8, which as we know is 0x8be is greater than 0x71c, we jump to the line asm1+37. In this case, it is true so we jump to:
<+37>: cmp DWORD PTR [ebp+0x8],0x8be
<+44>: jne 0x523 <asm1+54>
Here we have another comparison, and in this case, if 0x8be is not equal to 0x8be then we jump to asm1+54. Because they are equal we continue to the next line, line +46:
<+46>: mov eax,DWORD PTR [ebp+0x8]
<+49>: sub eax,0x3
<+52>: jmp 0x529 <asm1+60>
Now, we have a mov in line +46. What it does is it moves the contents of ebp+0x8m which are 0x8be to eax register. In the next line, line +49 it is performed a subtraction, as such: 0x8be-0x3 = 0x8bb. In line +52 we simply perform a jump to asm1+60:
<+60>: pop ebp
<+61>: ret
In these two lines, we simply pop ebp from the stack and return.
Now that we followed the program line by line we can say what it returns. It returns the contents of eax, which are:
The image source can be found here.
Thank you very much for reading!
Cheers,
MRegra