< Home

As I was lacking time the last couple of weeks to focus on any of the pwnable.kr challenges, someone told me that picoCTF has much shorter challenges. So I am going to go through them and note the ones that were a bit more interesting, the first ones are quite easy.


What does asm1(0x2e0) return? Submit the flag as a hexadecimal value (starting with ‘0x’). NOTE: Your submission for this question will NOT be in the normal flag format. Source

    <+0>:   push   ebp
    <+1>:   mov    ebp,esp
    <+3>:   cmp    DWORD PTR [ebp+0x8],0x3fb
    <+10>:  jg     0x512 <asm1+37>
    <+12>:  cmp    DWORD PTR [ebp+0x8],0x280
    <+19>:  jne    0x50a <asm1+29>
    <+21>:  mov    eax,DWORD PTR [ebp+0x8]
    <+24>:  add    eax,0xa
    <+27>:  jmp    0x529 <asm1+60>
    <+29>:  mov    eax,DWORD PTR [ebp+0x8]
    <+32>:  sub    eax,0xa
    <+35>:  jmp    0x529 <asm1+60>
    <+37>:  cmp    DWORD PTR [ebp+0x8],0x559
    <+44>:  jne    0x523 <asm1+54>
    <+46>:  mov    eax,DWORD PTR [ebp+0x8]
    <+49>:  sub    eax,0xa
    <+52>:  jmp    0x529 <asm1+60>
    <+54>:  mov    eax,DWORD PTR [ebp+0x8]
    <+57>:  add    eax,0xa
    <+60>:  pop    ebp
    <+61>:  ret    

Ok, this one is just to see if you have the basic understanding of asm flows. We can take an educated guess and say that 0x2e0 is EBP+0x8. This is in line with a lot of calling conventions.

We check if our EBP+0x8 is higher than 0x3fb and if so we will go to asm1+37. But 0x2e0 isn’t greater than 0x3fb.

Our EIP moves to the next instruction and doesn’t follow the jmp. The next instruction is a check if 0x2e0 is equal to 0x280. If not (as it is the case here) it will jump to asm1+29.

At asm1+29 we move our value 0x2e0 into EAX and we subtract 0xa from it. So EAX now becomes 0x2d6. After that we do a forced jump to asm1+60 which is the epilogue of this function.

As EAX is used as a return register we can happily say that the flag is 0x2d6.

And it seems my friend was correct, these are small puzzles like you would see in the newspaper.

< Home