picoCTF - asm2 writeup
Description
What does asm2(0x4,0x21) return? Submit the flag as a hexadecimal value (starting with ‘0x’). NOTE: Your submission for this question will NOT be in the normal flag format.
Category: Reverse Engineering
Points: 250
Source Code
I again added my own comments:
# asm2(0x4, 0x21) --> asm2(4, 33)
asm2:
<+0>: push ebp ; set up stack frame
<+1>: mov ebp,esp
<+3>: sub esp,0x10 ; alloc local variables
var1 and var2
<+6>: mov eax,DWORD PTR [ebp+0xc] ; eax = 33
<+9>: mov DWORD PTR [ebp-0x4],eax ; var1 = 33
<+12>: mov eax,DWORD PTR [ebp+0x8] ; eax = 4
<+15>: mov DWORD PTR [ebp-0x8],eax ; var2 = 4
<+18>: jmp 0x509 <asm2+28> ; unconditional jump
<+20>: add DWORD PTR [ebp-0x4],0x1 ; var1 += 1
<+24>: add DWORD PTR [ebp-0x8],0x74 ; var2 += 116
<+28>: cmp DWORD PTR [ebp-0x8],0xfb46 ; cmp 4 with 64326
<+35>: jle 0x501 <asm2+20> ; loop condition
<+37>: mov eax,DWORD PTR [ebp-0x4] ; eax = var1
<+40>: leave ; clean up stack frame
<+41>: ret
Solution
Option 1 - Quick Math
Two local variables are created and initialized to the function parameters.
The two variables are incremented in a loop until var2 is greater than 0xfb46 (64326). var1 is incremented by 1 and var2 is incremented by 116.
Some quick math shows us that 64326 / 116 = 554. Add 1 to this for the initial loop check to get a total of 555 loop iterations.
So var1 (which was initially 33) is now 33 + (1 * 555) = 588 –> 0x24c
Option 2 - Python
I also created a Python script to fact check my math:
# flag.py
var1 = 33
var2 = 4
num = 64326
inc = 116
iters = 0
# count total number of loop iterations
while var2 < num:
iters += 1
var2 += inc
flag = var1 + iters
flag = hex(flag)
print("The flag is {}".format(flag))
Run it:
jason@lapras:~/ctf-solutions/picoctf/reverse-engineering/asm2$ python flag.py
The flag is 0x24c