As I was lacking time the last couple of weeks to focus on any of the pwnable.kr challenges, someone told me that picoCTF has much shorter challenges. So I am going to go through them and note the ones that were a bit more interesting, the first ones are quite easy.
What does asm1(0x2e0) return? Submit the flag as a hexadecimal value (starting with ‘0x’). NOTE: Your submission for this question will NOT be in the normal flag format. Source
asm1:
<+0>: push ebp
<+1>: mov ebp,esp
<+3>: cmp DWORD PTR [ebp+0x8],0x3fb
<+10>: jg 0x512 <asm1+37>
<+12>: cmp DWORD PTR [ebp+0x8],0x280
<+19>: jne 0x50a <asm1+29>
<+21>: mov eax,DWORD PTR [ebp+0x8]
<+24>: add eax,0xa
<+27>: jmp 0x529 <asm1+60>
<+29>: mov eax,DWORD PTR [ebp+0x8]
<+32>: sub eax,0xa
<+35>: jmp 0x529 <asm1+60>
<+37>: cmp DWORD PTR [ebp+0x8],0x559
<+44>: jne 0x523 <asm1+54>
<+46>: mov eax,DWORD PTR [ebp+0x8]
<+49>: sub eax,0xa
<+52>: jmp 0x529 <asm1+60>
<+54>: mov eax,DWORD PTR [ebp+0x8]
<+57>: add eax,0xa
<+60>: pop ebp
<+61>: ret
Ok, this one is just to see if you have a basic understanding of asm control flow. We can take an educated guess and say that 0x2e0 is the value at EBP+0x8: after the `push ebp; mov ebp,esp` prologue, the 32-bit cdecl calling convention (and most other x86 conventions) places the first argument at [ebp+0x8], right above the saved EBP and the return address.

We check whether our EBP+0x8 is greater than 0x3fb and, if so, jump to asm1+37. Note that jg is a signed comparison (ja would be the unsigned one), so the argument is treated as a signed 32-bit integer. But 0x2e0 isn't greater than 0x3fb, so the jump is not taken.

Our EIP moves to the next instruction instead. That one checks whether 0x2e0 is equal to 0x280. If not (as is the case here) it jumps to asm1+29.

At asm1+29 we move our value 0x2e0 into EAX and subtract 0xa from it, so EAX now becomes 0x2d6. After that we take an unconditional jump to asm1+60, which is the epilogue of this function.

As EAX is the return register in this convention, we can happily say that the flag is 0x2d6.
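To check the trace above, here is the listing rewritten as C. This is an added example, not code from the challenge or the original post; the function name `asm1` and the offset comments mirror the disassembly, and the `walk` helper (my own addition) records which branch each input takes so all four paths of the function can be exercised, not just the 0x2e0 one.

```c
#include <stdint.h>
#include <stdio.h>

/* C rendering of the asm1 listing. The argument is the DWORD at
 * [ebp+0x8] (the single cdecl parameter); the value left in eax is
 * the return value. int32_t matters: jg is a signed comparison. */
int32_t asm1(int32_t arg)
{
    /* <+3>/<+10>: cmp arg,0x3fb ; jg asm1+37 */
    if (arg > 0x3fb) {
        /* <+37>/<+44>: cmp arg,0x559 ; jne asm1+54 */
        if (arg != 0x559)
            return arg + 0xa;   /* <+54>..<+57>: mov eax,arg ; add eax,0xa */
        return arg - 0xa;       /* <+46>..<+49>: mov eax,arg ; sub eax,0xa */
    }
    /* <+12>/<+19>: cmp arg,0x280 ; jne asm1+29 */
    if (arg != 0x280)
        return arg - 0xa;       /* <+29>..<+32>: mov eax,arg ; sub eax,0xa */
    return arg + 0xa;           /* <+21>..<+24>: mov eax,arg ; add eax,0xa */
}

/* Hypothetical helper: returns the asm1 offset of the basic block that
 * computes the result for this input, so a caller can confirm which
 * path the disassembly takes without single-stepping in a debugger. */
int walk(int32_t arg)
{
    if (arg > 0x3fb)
        return arg != 0x559 ? 54 : 46;
    return arg != 0x280 ? 29 : 21;
}

int main(void)
{
    /* Constructed inputs: the challenge value plus one for each branch. */
    int32_t inputs[] = { 0x2e0, 0x280, 0x559, 0x600, -1 };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int32_t in = inputs[i];
        printf("asm1(0x%x) takes block asm1+%d and returns 0x%x\n",
               (unsigned)in, walk(in), (unsigned)asm1(in));
    }
    return 0;
}
```

For 0x2e0 the program reports block asm1+29 and 0x2d6, matching the hand trace. The -1 input is there only to show the signed compare: -1 is not greater than 0x3fb as a signed value, so it falls into the subtract branch rather than the "large value" one, which is the kind of detail that trips people up when jg and ja are confused.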
And it seems my friend was correct, these are small puzzles like you would see in the newspaper.