【Title】PicoCTF 2014 write-up: snippet (basic-asm)
【Description】
We found this program, snippet.txt, but we are having some trouble figuring it out. What is the value of %eax when the last instruction (the nop) runs?
Hint: you may want to convert the assembly into equivalent C code, which is easier to read!
# This file is in AT&T syntax - see http://www.imada.sdu.dk/Courses/DM18/Litteratur/IntelnATT.htm
# and http://en.wikipedia.org/wiki/X86_assembly_language#Syntax. Both GDB and objdump produce
# AT&T syntax by default.
mov $10814, %ebx
mov $2972, %eax
mov $10017, %ecx
cmp %eax, %ebx
jl L1
jmp L2
L1:
imul %eax, %ebx
add %eax, %ebx
mov %ebx, %eax
sub %ecx, %eax
jmp L3
L2:
imul %eax, %ebx
sub %eax, %ebx
mov %ebx, %eax
add %ecx, %eax
L3:
nop
【Solution】
Let's walk through the program step by step. (This walkthrough uses a different set of constants than the snippet shown above, 15329/21674/25704 instead of 10814/2972/10017; the procedure is the same for any instance of the challenge.) First the three immediates are loaded: %ebx = 15329, %eax = 21674 and %ecx = 25704. Next comes cmp %eax, %ebx. In AT&T syntax the source operand comes first and the destination second, so this computes %ebx - %eax and sets the flags; the following jl (jump if less, a signed comparison) is taken when the destination is less than the source, that is when %ebx < %eax. If it is taken, execution continues at L1; otherwise the jmp L2 right after it is executed. Here %ebx < %eax (15329 < 21674), so the program continues at the label L1. At L1, %eax and %ebx are multiplied and the low 32 bits of the product are stored in %ebx: %ebx = 15329 * 21674 = 332240746. %eax is then added to %ebx, giving %ebx = 332262420. %ebx is copied into %eax, so %eax = 332262420. Then %ecx is subtracted from %eax: %eax = 332262420 - 25704 = 332236716. Finally jmp L3 skips the L2 block and lands on the nop, where the program ends. The flag is the value of %eax at that point: 332236716. For the constants in the snippet shown above the comparison goes the other way (10814 is not less than 2972), so the L2 path runs instead: %ebx = 10814 * 2972 = 32139208, minus %eax gives 32136236, and adding %ecx after the move leaves %eax = 32146253.
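The hint suggests converting the assembly to C. The following is an added example, not code from the original write-up or from the referenced solutions: it mirrors the snippet as a C function that models the registers as 32-bit values (a signed compare for jl, only the low 32 bits of the product for imul) and evaluates it for the three sets of constants that appear on this page. The function name snippet() and the case table are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>

/* C equivalent of the snippet. Registers are modelled as 32-bit values:
 * - cmp %eax,%ebx / jl L1 tests the *signed* relation %ebx < %eax;
 * - imul %eax,%ebx keeps only the low 32 bits of the product, so the
 *   multiplication is done in uint32_t (no signed-overflow UB in C) and
 *   the result is reinterpreted as int32_t, exactly as the CPU does;
 * - add/sub likewise wrap modulo 2^32.
 * The return value is what a debugger prints as $eax at the nop. */
int32_t snippet(int32_t ebx, int32_t eax, int32_t ecx)
{
    uint32_t ubx = (uint32_t)ebx;
    uint32_t uax = (uint32_t)eax;
    uint32_t ucx = (uint32_t)ecx;

    if (ebx < eax) {            /* jl L1 taken: signed compare */
        ubx = ubx * uax;        /* imul %eax, %ebx */
        ubx = ubx + uax;        /* add  %eax, %ebx */
        uax = ubx;              /* mov  %ebx, %eax */
        uax = uax - ucx;        /* sub  %ecx, %eax */
    } else {                    /* jmp L2 */
        ubx = ubx * uax;        /* imul %eax, %ebx */
        ubx = ubx - uax;        /* sub  %eax, %ebx */
        uax = ubx;              /* mov  %ebx, %eax */
        uax = uax + ucx;        /* add  %ecx, %eax */
    }
    return (int32_t)uax;        /* L3: nop - %eax holds the answer */
}

int main(void)
{
    /* The three sets of constants that appear on this page (the
     * walkthrough, the snippet as shown, and the appendix). */
    struct { int32_t ebx, eax, ecx; } cases[] = {
        {10814, 2972, 10017},   /* snippet.txt as shown above */
        {15329, 21674, 25704},  /* constants used in the walkthrough */
        {119, 28557, 8055},     /* constants used in the appendix */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int32_t r = snippet(cases[i].ebx, cases[i].eax, cases[i].ecx);
        printf("ebx=%d eax=%d ecx=%d -> eax=%d (0x%08x)\n",
               cases[i].ebx, cases[i].eax, cases[i].ecx, r, (uint32_t)r);
    }
    return 0;
}
```

Compile with gcc -o snippet snippet.c and run it. Doing the multiplication in uint32_t is the part worth getting right: imul r32, r32 discards the high half of the product, so for larger constants the register wraps (for example %ebx = %eax = 70000 with %ecx = 0 ends with %eax = 604962704, not 4899930000), and a plain int multiplication in C would be signed overflow, which is undefined behaviour and may not reproduce what the CPU does.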
【Appendix】
There is another solution, from Vulnhub: save the code as basic.s with a few small changes (a .global main / .text header, a main: label, and an int3 just before the nop):

.global main
.text

main:

mov $119, %ebx
mov $28557, %eax
mov $8055, %ecx
cmp %eax, %ebx
jl L1
jmp L2
L1:
imul %eax, %ebx
add %eax, %ebx
mov %ebx, %eax
sub %ecx, %eax
jmp L3
L2:
imul %eax, %ebx
sub %eax, %ebx
mov %ebx, %eax
add %ecx, %eax
L3:
int3    # <--- set a breakpoint here
nop

Assemble and link it with gcc:
gcc -o basic basic.s
Run it under gdb and read %eax when the int3 trap fires (it fires just before the nop, so the value printed is the answer):
gdb ./basic -q -batch -n -ex 'r' -ex 'p $eax'
Here -q suppresses the banner, -batch makes gdb exit after the commands have run, -n skips any .gdbinit, and each -ex runs one gdb command: r runs the program until the int3 stops it, and p $eax prints the register.
?
Recently I have had a lot of work to do in English, so this article is written in English as well, to make progress faster ^_^.
By the way, a refresher on GCC (copied from the web):
Taking C as the example, here is what goes into and comes out of each stage.
Preprocessing: the input is the C source file, usually *.c, together with the header files (*.h) it includes. This stage handles the #ifdef, #include and #define directives in the source and produces an intermediate file *.i. That file is normally not kept, because it is rarely needed, but you can generate it with:
gcc -E test.c -o test.i
Compilation: the input is the intermediate file *.i, and the output is an assembly language file *.s. The corresponding gcc command is:
gcc -S test.i -o test.s
Assembly: the input assembly file *.s is turned into machine code, an object file *.o. The corresponding gcc command is:
gcc -c test.s -o test.o
Linking: finally, the object file *.o (together with any other object files and library files) is combined into an executable binary. This step can be done with, for example:
gcc test.o -o test
Do you understand the GDB command above? At first I didn't :-D If it had been me I would only have tried p eax, so there is still more to learn ~
【Reference】
https://ctf-team.vulnhub.com/picoctf-2014-basic-asm/
http://en.wikipedia.org/wiki/X86_assembly_language#Syntax
http://ehsandev.com/pico2014/reverse_engineering/basic_asm.html
https://github.com/ctfs/write-ups-2014/blob/master/pico-ctf-2014/reverse-engineering/basic-asm-60/snippet.txt