picoCTF - asm2 write up

source: https://play.picoctf.org/practice/challenge/16?category=3&page=1

Problem

Description
What does asm2(0xb,0x2e) return? Submit the flag as a hexadecimal value (starting with '0x'). NOTE: Your submission for this question will NOT be in the normal flag format.

asm2:
<+0>:    push   ebp
<+1>:    mov    ebp,esp
<+3>:    sub    esp,0x10
<+6>:    mov    eax,DWORD PTR [ebp+0xc]
<+9>:    mov    DWORD PTR [ebp-0x4],eax
<+12>:    mov    eax,DWORD PTR [ebp+0x8]
<+15>:    mov    DWORD PTR [ebp-0x8],eax
<+18>:    jmp    0x509 <asm2+28>
<+20>:    add    DWORD PTR [ebp-0x4],0x1
<+24>:    sub    DWORD PTR [ebp-0x8],0xffffff80
<+28>:    cmp    DWORD PTR [ebp-0x8],0x63f3
<+35>:    jle    0x501 <asm2+20>
<+37>:    mov    eax,DWORD PTR [ebp-0x4]
<+40>:    leave  
<+41>:    ret    

Solution

[ebp-0x4] is loaded from [ebp+0xc], the second argument, which is 0x2e.
[ebp-0x8] is loaded from [ebp+0x8], the first argument, which is 0xb.
After analysing the code, I found that it is actually a while loop: the jmp at <+18> goes straight to the cmp at <+28>, so the condition is tested before the first pass, and jle jumps back to <+20> as long as [ebp-0x8] <= 0x63f3.
It could be written in Java as the following code:

static int asm2(int a, int b)   // a = [ebp+0x8], b = [ebp+0xc]
{
    int c = a;                  // [ebp-0x8]
    int d = b;                  // [ebp-0x4]
    while(c <= 25587)           // cmp [ebp-0x8],0x63f3 ; jle (0x63f3 = 25587)
    {
        d++;                    // add [ebp-0x4],0x1
        c+=128;                 // sub [ebp-0x8],0xffffff80, i.e. add 0x80
    }
    return d;                   // mov eax,[ebp-0x4]
}

a = [ebp+0x8]
b = [ebp+0xc]
c = [ebp-0x8]
d = [ebp-0x4]

0xffffff80 is "-0x80" in 32-bit two's complement, because (0xffffff80 xor 0xffffffff) + 0x1 = 0x7f + 0x1 = 0x80; so sub [ebp-0x8],0xffffff80 actually adds 0x80 (128) to c.

The loop runs 200 times: after 199 iterations c = 0xb + 199*0x80 = 0x638b, which is still <= 0x63f3, and after 200 iterations c = 0x640b, which is not. So d = 0x2e + 200 = 0xf6, and the flag is "0xf6".
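As an added example (my own code, not part of the original write-up), the same loop emulated in C with the CPU's actual 32-bit semantics: the two stack slots are unsigned 32-bit values so that sub with 0xffffff80 wraps exactly as the hardware does, and the jle is modelled as a signed comparison. It also carries the two's-complement step from above through as code and cross-checks the iteration count with a closed form. Function and variable names are my own; the inputs 0xb and 0x2e are the challenge's.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulation of asm2 with x86 32-bit semantics. Slot names mirror the
   stack offsets in the disassembly; the names themselves are mine. */
uint32_t asm2(uint32_t arg_ebp_8, uint32_t arg_ebp_c)
{
    uint32_t slot_ebp_minus_4 = arg_ebp_c;  /* <+6>/<+9>:   [ebp-0x4] = [ebp+0xc] */
    uint32_t slot_ebp_minus_8 = arg_ebp_8;  /* <+12>/<+15>: [ebp-0x8] = [ebp+0x8] */

    /* <+18> jmp <+28>: the compare runs before the first loop body.
       jle is a signed compare, hence the int32_t cast. */
    while ((int32_t)slot_ebp_minus_8 <= 0x63f3) {   /* <+28> cmp / <+35> jle */
        slot_ebp_minus_4 += 1;                      /* <+20> add [ebp-0x4],0x1 */
        slot_ebp_minus_8 -= 0xffffff80u;            /* <+24> sub [ebp-0x8],0xffffff80 (wraps: +0x80) */
    }
    return slot_ebp_minus_4;                        /* <+37> mov eax,[ebp-0x4] */
}

/* Two's-complement negation as written in the solution: (x xor 0xffffffff) + 1. */
uint32_t twos_complement_negate(uint32_t x)
{
    return (x ^ 0xffffffffu) + 1u;
}

/* Closed-form iteration count to cross-check the emulation: the smallest n
   with (signed)a + 128*n > 0x63f3. 64-bit arithmetic avoids overflow for
   negative starting values. */
uint32_t iteration_count(uint32_t a)
{
    if ((int32_t)a > 0x63f3)
        return 0;
    int64_t gap = (int64_t)0x63f3 - (int64_t)(int32_t)a;
    return (uint32_t)(gap / 128) + 1;
}

int main(void)
{
    uint32_t r = asm2(0xb, 0x2e);
    printf("asm2(0xb,0x2e) = 0x%x after %u iterations\n", r, iteration_count(0xb));
    printf("0xffffff80 negated = 0x%x\n", twos_complement_negate(0xffffff80u));
    return 0;
}
```

Compile with any C99 compiler; the emulation and the closed form agree on 200 iterations, so the return value is 0x2e + 200 = 0xf6. Casting the slot to int32_t before the compare is what makes a starting value such as 0xffffffff behave like -1, the same way jle treats it.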
