picoCTF - asm2 write up
source: https://play.picoctf.org/practice/challenge/16?category=3&page=1
Problem
Description
What does asm2(0xb,0x2e) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format.
asm2:
<+0>: push ebp
<+1>: mov ebp,esp
<+3>: sub esp,0x10
<+6>: mov eax,DWORD PTR [ebp+0xc]
<+9>: mov DWORD PTR [ebp-0x4],eax
<+12>: mov eax,DWORD PTR [ebp+0x8]
<+15>: mov DWORD PTR [ebp-0x8],eax
<+18>: jmp 0x509 <asm2+28>
<+20>: add DWORD PTR [ebp-0x4],0x1
<+24>: sub DWORD PTR [ebp-0x8],0xffffff80
<+28>: cmp DWORD PTR [ebp-0x8],0x63f3
<+35>: jle 0x501 <asm2+20>
<+37>: mov eax,DWORD PTR [ebp-0x4]
<+40>: leave
<+41>: ret
Solution
[ebp-0x4] is loaded from [ebp+0xc], the second argument, which is 0x2e.
[ebp-0x8] is loaded from [ebp+0x8], the first argument, which is 0xb.
After analysing the code, I found that it is actually a while loop.
It can be written in Java as the following code:
static int asm2(int a, int b)   // a = [ebp+0x8], b = [ebp+0xc]
{
    int c = a;                  // [ebp-0x8], the loop counter
    int d = b;                  // [ebp-0x4], the value that is returned
    while (c <= 25587)          // cmp DWORD PTR [ebp-0x8],0x63f3 ; jle
    {
        d++;                    // add DWORD PTR [ebp-0x4],0x1
        c += 128;               // sub DWORD PTR [ebp-0x8],0xffffff80 (i.e. add 0x80)
    }
    return d;                   // mov eax,DWORD PTR [ebp-0x4]
}
a = [ebp+0x8]
b = [ebp+0xc]
c = [ebp-0x8]
d = [ebp-0x4]
0xffffff80 is -0x80 in 32-bit two's complement, because (0xffffff80 xor 0xffffffff) + 0x1 = 0x7f + 0x1 = 0x80; so the sub instruction actually adds 0x80 (128) to [ebp-0x8] on every iteration, and jle compares the value as a signed integer.
So, the Flag is "0xf6"
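To check the result without guessing at the two's-complement arithmetic, here is an added Python model of the loop (my own code, not part of the original write-up) that keeps every value in 32 bits, performs the `sub` with the literal immediate 0xffffff80, and treats `jle` as a signed comparison. It also computes the iteration count in closed form, which is the general case of which asm2(0xb,0x2e) is one instance.

```python
# Added example: emulate the asm2 loop with explicit 32-bit two's-complement
# semantics, so "sub [ebp-0x8],0xffffff80" and the signed "jle" behave as
# they do on the CPU rather than on Python's unbounded integers.

MASK32 = 0xFFFFFFFF

def to_signed32(v):
    """Interpret a 32-bit value as a signed integer (two's complement)."""
    v &= MASK32
    return v - 0x100000000 if v & 0x80000000 else v

def asm2(a, b):
    """Emulate asm2(a, b): a is [ebp+0x8], b is [ebp+0xc]."""
    ebp_m8 = a & MASK32   # [ebp-0x8] <- a   (loop counter)
    ebp_m4 = b & MASK32   # [ebp-0x4] <- b   (value returned in eax)
    # cmp DWORD PTR [ebp-0x8],0x63f3 ; jle  -> loop while SIGNED value <= 0x63f3
    while to_signed32(ebp_m8) <= 0x63F3:
        ebp_m4 = (ebp_m4 + 1) & MASK32            # add DWORD PTR [ebp-0x4],0x1
        ebp_m8 = (ebp_m8 - 0xFFFFFF80) & MASK32   # sub DWORD PTR [ebp-0x8],0xffffff80
    return ebp_m4                                 # mov eax,DWORD PTR [ebp-0x4]

def iterations(a, limit=0x63F3, step=0x80):
    """Closed form: how many times the loop body runs for start value a."""
    a = to_signed32(a)
    if a > limit:
        return 0
    return (limit - a) // step + 1

def asm2_closed_form(a, b):
    """Same answer as asm2() without looping: b plus the iteration count."""
    return (b + iterations(a)) & MASK32

if __name__ == "__main__":
    print(hex(to_signed32(0xFFFFFF80)))   # -0x80, so the sub is really +0x80
    print(hex(asm2(0xB, 0x2E)))           # 0xf6
    print(hex(asm2_closed_form(0xB, 0x2E)))  # 0xf6
```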