Challenge

What does asm2(0x4,0x2d) return?

asm2:
    <+0>:   push   ebp
    <+1>:   mov    ebp,esp
    <+3>:   sub    esp,0x10
    <+6>:   mov    eax,DWORD PTR [ebp+0xc]              ; 0x2d
    <+9>:   mov    DWORD PTR [ebp-0x4],eax              ; Store value in ebp-0x4 (0x2d)
    <+12>:  mov    eax,DWORD PTR [ebp+0x8]              ; 0x4
    <+15>:  mov    DWORD PTR [ebp-0x8],eax              ; store value in ebp-0x8 (0x4)
    <+18>:  jmp    0x50c <asm2+31>                      ; Skip next 2 lines but we can see a jle so I'm guessing... while loop
    <+20>:  add    DWORD PTR [ebp-0x4],0x1              ; while-loop: add 1 to ebp-0x4
    <+24>:  add    DWORD PTR [ebp-0x8],0xd1             ; while loop: add 0xd1 to ebp-0x8
    <+31>:  cmp    DWORD PTR [ebp-0x8],0x5fa1           ; compare ebp-0x8 to 0x5fa1
    <+38>:  jle    0x501 <asm2+20>                      ; if ebp-0x8 is less than or equal it will jump into the while loop body
    <+40>:  mov    eax,DWORD PTR [ebp-0x4]
    <+43>:  leave  
    <+44>:  ret    

Ok, if we take a guess, this will probably use one of the calling conventions where parameters are pushed onto the stack right to left, so the first argument ends up closest to the saved EBP (at EBP+0x8) and the second one just above it (at EBP+0xC):

EBP+0xC is 0x2d and EBP+0x8 is 0x4.

To solve this I just go over the function and add some comments for readability:

asm2:
    <+0>:   push   ebp
    <+1>:   mov    ebp,esp
    <+3>:   sub    esp,0x10
    <+6>:   mov    eax,DWORD PTR [ebp+0xc]              ; 0x2d into EAX
    <+9>:   mov    DWORD PTR [ebp-0x4],eax              ; Store value in ebp-0x4 (0x2d)
    <+12>:  mov    eax,DWORD PTR [ebp+0x8]              ; 0x4
    <+15>:  mov    DWORD PTR [ebp-0x8],eax              ; store value in ebp-0x8 (0x4)
    <+18>:  jmp    0x50c <asm2+31>                      ; Skip next 2 lines but we can see a jle so I'm guessing... while loop
    <+20>:  add    DWORD PTR [ebp-0x4],0x1              ; while-loop: add 1 to ebp-0x4 (0x2d original)
    <+24>:  add    DWORD PTR [ebp-0x8],0xd1             ; while loop: add 0xd1 to ebp-0x8 (0x4 original)
    <+31>:  cmp    DWORD PTR [ebp-0x8],0x5fa1           ; compare ebp-0x8 to 0x5fa1
    <+38>:  jle    0x501 <asm2+20>                      ; if ebp-0x8 is less than or equal it will jump into the while loop body
    <+40>:  mov    eax,DWORD PTR [ebp-0x4]              ; Returns ebp-0x4 in EAX as the answer
    <+43>:  leave                                       ; Restore the caller's frame
    <+44>:  ret    

Ok, so the answer is 0x2d plus the number of loop iterations needed before ebp-0x8 exceeds 0x5fa1 (the loop keeps running while it is less than or equal).

I'm not a fan of hex calculations, so let's convert them to decimal:

ebp-0x4 = 0x2d or 45

ebp-0x8 = 0x4 or 4

asm2+20 adds 0x1 or 1

asm2+24 adds 0xd1 or 209

asm2+31 compares ebp-0x8 to 0x5fa1 or 24481

The Python code to solve this little challenge:

ebp4 = 45                 # [ebp-0x4], starts at 0x2d
ebp8 = 4                  # [ebp-0x8], starts at 0x4
while ebp8 <= 24481:      # cmp [ebp-0x8],0x5fa1 / jle
    ebp8 += 209           # add [ebp-0x8],0xd1
    ebp4 += 1             # add [ebp-0x4],0x1

print(hex(ebp4))          # mov eax,[ebp-0x4]; ret

This prints 0xa3, which is the answer!
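As an added example (not part of the original write-up or the challenge files), the following Python re-implements the listing for arbitrary arguments instead of the fixed 45/4 pair. It does two things the quick script above does not: it keeps the locals as 32-bit values and treats the `jle` as the signed comparison it is, and it computes the iteration count in closed form so the loop never has to run. The function names, and the `step`/`limit` parameters defaulting to the listing's 0xd1 and 0x5fa1, are my own naming.

```python
# Added re-implementation of the asm2 listing for arbitrary arguments.
# asm2_emulated mirrors the instructions one by one; asm2_closed_form
# derives the same result arithmetically. Both return (eax, iterations).

MASK32 = 0xFFFFFFFF


def to_signed32(x):
    """Read a 32-bit pattern the way a signed compare (cmp + jle) sees it."""
    x &= MASK32
    return x - 0x100000000 if x & 0x80000000 else x


def asm2_emulated(arg1, arg2, step=0xd1, limit=0x5fa1):
    """Step through the listing: [ebp-0x8] = arg1, [ebp-0x4] = arg2."""
    local4 = arg2 & MASK32          # mov eax,[ebp+0xc]; mov [ebp-0x4],eax
    local8 = arg1 & MASK32          # mov eax,[ebp+0x8]; mov [ebp-0x8],eax
    iterations = 0
    # 'jmp asm2+31' lands on the cmp, so the condition is tested first,
    # exactly like a while loop (not do-while).
    while to_signed32(local8) <= limit:      # cmp [ebp-0x8],0x5fa1 / jle
        local4 = (local4 + 1) & MASK32       # add [ebp-0x4],0x1
        local8 = (local8 + step) & MASK32    # add [ebp-0x8],0xd1
        iterations += 1
    return local4, iterations                # mov eax,[ebp-0x4]; leave; ret


def asm2_closed_form(arg1, arg2, step=0xd1, limit=0x5fa1):
    """Smallest k with arg1 + k*step > limit, without looping.

    Valid while start + k*step stays below 2**31, which holds for this
    listing because step (0xd1) is tiny compared to the 32-bit range.
    """
    start = to_signed32(arg1)
    k = 0 if start > limit else (limit - start) // step + 1
    return (arg2 + k) & MASK32, k


if __name__ == "__main__":
    # The challenge's own arguments: asm2(0x4, 0x2d)
    eax, k = asm2_emulated(0x4, 0x2d)
    print(f"asm2(0x4, 0x2d) = {hex(eax)} after {k} iterations")
    # A first argument already above 0x5fa1: the loop body never runs
    print(asm2_emulated(0x6000, 0x10))
    # 0xFFFFFFFF is -1 as a signed value, so jle keeps the loop going;
    # an unsigned reading would (wrongly) predict zero iterations.
    print(asm2_closed_form(0xFFFFFFFF, 0))
```

The signed-compare detail is the one worth remembering when reading loops like this: `jle` tests the signed flags (SF, OF, ZF), so a large first argument that looks like a huge unsigned number is actually negative to the loop and goes through many more iterations than the decimal intuition suggests. The closed form is handy for checking a simulation result without waiting for a long loop to finish.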