
100 Reps

PicoCTF: Intro to Assembly Code

Intro to Assembly Code

Bit-O-Asm-1

Task: Can you figure out what is in the eax register?

This is the assembly code. I had no idea how to read it.


<+0>:     endbr64 
<+4>:     push   rbp
<+5>:     mov    rbp,rsp
<+8>:     mov    DWORD PTR [rbp-0x4],edi
<+11>:    mov    QWORD PTR [rbp-0x10],rsi
<+15>:    mov    eax,0x30
<+20>:    pop    rbp
<+21>:    ret
There is a lot going on here. The <+N> on the left is not a line number but the byte offset of each instruction from the start of the function (main), which is why the numbers are not consecutive: instructions have different encoded lengths.
The words push, mov, pop and ret are the mnemonics (opcodes). They name the action the instruction performs.
The items to the right of each mnemonic are its operands, the arguments it acts on. This listing uses Intel syntax, so the destination operand comes first and the source second.

At offset <+15>, mov eax,0x30 moves the immediate value 0x30 into the eax register, and nothing after it changes eax before ret.
The number is hexadecimal, so 0x30 = 3 x 16 + 0 = 48.
Flag is picoCTF{48}

This exercise taught me how to read assembly code and see how numbers are moved into registers.

Bit-O-Asm-2


Task: Can you figure out what is in the eax register?

<+0>:     endbr64 
<+4>:     push   rbp
<+5>:     mov    rbp,rsp
<+8>:     mov    DWORD PTR [rbp-0x14],edi
<+11>:    mov    QWORD PTR [rbp-0x20],rsi
<+15>:    mov    DWORD PTR [rbp-0x4],0x9fe1a
<+22>:    mov    eax,DWORD PTR [rbp-0x4]
<+25>:    pop    rbp
<+26>:    ret

Building on the last exercise, I learned that DWORD PTR [rbp-0x4] is a 4-byte (double word) memory operand at address rbp-0x4, i.e. a local variable in main's stack frame.
Looking back, that stack slot was initialised at <+15> with the value 0x9fe1a. Then at <+22> the same value was copied from the slot into the eax register.

Using a hex to decimal converter, 0x9fe1a = 654874, so the flag is picoCTF{654874}

Bit-O-Asm-3


<+0>:     endbr64 
<+4>:     push   rbp
<+5>:     mov    rbp,rsp
<+8>:     mov    DWORD PTR [rbp-0x14],edi
<+11>:    mov    QWORD PTR [rbp-0x20],rsi
<+15>:    mov    DWORD PTR [rbp-0xc],0x9fe1a
<+22>:    mov    DWORD PTR [rbp-0x8],0x4
<+29>:    mov    eax,DWORD PTR [rbp-0xc]
<+32>:    imul   eax,DWORD PTR [rbp-0x8]
<+36>:    add    eax,0x1f5
<+41>:    mov    DWORD PTR [rbp-0x4],eax
<+44>:    mov    eax,DWORD PTR [rbp-0x4]
<+47>:    pop    rbp
<+48>:    ret
This one introduces the multiply (imul) and add instructions. Again we backtrack: at <+29> eax is loaded from rbp-0xc, which holds 0x9fe1a. Then imul at <+32> multiplies eax by the value at rbp-0x8 (0x4), and add at <+36> adds 0x1f5 to eax.

The instructions at <+41> and <+44> do not change the result. They store eax into rbp-0x4 and then load the same slot straight back into eax, which is just the unoptimised compiler writing a local variable and returning it.

I used an online hex calculator to do the arithmetic in hex without converting to decimal first: 0x9fe1a * 0x4 = 0x27f868, and 0x27f868 + 0x1f5 = 0x27fa5d = 2619997. Because eax is a 32-bit register, imul and add would wrap at 32 bits, but this product is small enough that no truncation happens. picoCTF{2619997}

Bit-O-Asm-4


<+0>:     endbr64 
<+4>:     push   rbp
<+5>:     mov    rbp,rsp
<+8>:     mov    DWORD PTR [rbp-0x14],edi
<+11>:    mov    QWORD PTR [rbp-0x20],rsi
<+15>:    mov    DWORD PTR [rbp-0x4],0x9fe1a
<+22>:    cmp    DWORD PTR [rbp-0x4],0x2710
<+29>:    jle    0x55555555514e <main+37>
<+31>:    sub    DWORD PTR [rbp-0x4],0x65
<+35>:    jmp    0x555555555152 <main+41>
<+37>:    add    DWORD PTR [rbp-0x4],0x65
<+41>:    mov    eax,DWORD PTR [rbp-0x4]
<+44>:    pop    rbp
<+45>:    ret
This exercise teaches how branching works in assembly. cmp subtracts its second operand from its first and keeps only the resulting flags, which the conditional jump that follows reads. That jump can be jump if less or equal (jle), jump if greater or equal (jge), jump if equal (je) and so on. Full list here: http://unixwiz.net/techtips/x86-jumps.html

Following the code: at <+15> the value 0x9fe1a is stored (mov, not added) into the local variable at rbp-0x4. At <+22> that value is compared against 0x2710. Without doing any conversions, we can see that 0x9fe1a is bigger than 0x2710 because it has more hex digits. That shortcut is safe here because both values are positive and fit in a signed 32-bit dword; jle is a signed comparison, so a dword with the top bit set (0x80000000 and above) would count as negative and take the jump despite having more digits.

So the jle at <+29> is not taken, the sub at <+31> subtracts 0x65 from rbp-0x4, and the jmp at <+35> skips over the add at <+37> to <+41>, which copies rbp-0x4 into eax.

0x9fe1a - 0x65 = 0x9FDB5 = 654773, so the flag is picoCTF{654773}
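To check the hand tracing of all four listings mechanically, here is an added example, not code from picoCTF or from the original post: a small Python interpreter for exactly the instruction subset these listings use (mov, add, sub, imul, cmp, jle, jmp, push, pop, ret, endbr64), driven by the Bit-O-Asm-4 listing copied from above. The names Cpu, parse_listing and eax_at_ret are mine, and the initial register state is an assumption (gcc's main() receives argc in edi and argv in rsi; the rbp/rsp stack addresses are made up); it does not affect the results because none of the listings read those values back. The interpreter handles the details the hand trace glossed over: operand widths (DWORD vs QWORD), 32-bit truncation of imul/add/sub, and the fact that jle is a signed comparison.

```python
# Tiny interpreter for the gdb listings above. Added example, not picoCTF's or the
# post author's code; the start state (argc in edi, argv in rsi, rbp/rsp) is assumed.
import re

MASK = {32: 0xFFFFFFFF, 64: 0xFFFFFFFFFFFFFFFF}
REG32 = {"eax", "edi", "esi", "ecx", "edx"}  # 32-bit register names seen in listings
INSTR_RE = re.compile(r"^\s*<\+(\d+)>:\s*(\w+)\s*(.*?)\s*$")
MEM_RE = re.compile(r"^(DWORD|QWORD) PTR \[(\w+)([+-]0x[0-9a-f]+)?\]$")
TARGET_RE = re.compile(r"<\w+\+(\d+)>")  # jump target such as <main+37>
ALU = {"mov": lambda a, b: b, "add": lambda a, b: a + b, "sub": lambda a, b: a - b,
       "imul": lambda a, b: a * b, "cmp": None}  # cmp only records flags

# Bit-O-Asm-4 listing copied from above; the other three are run the same way.
ASM4 = """
<+0>:     endbr64
<+4>:     push   rbp
<+5>:     mov    rbp,rsp
<+8>:     mov    DWORD PTR [rbp-0x14],edi
<+11>:    mov    QWORD PTR [rbp-0x20],rsi
<+15>:    mov    DWORD PTR [rbp-0x4],0x9fe1a
<+22>:    cmp    DWORD PTR [rbp-0x4],0x2710
<+29>:    jle    0x55555555514e <main+37>
<+31>:    sub    DWORD PTR [rbp-0x4],0x65
<+35>:    jmp    0x555555555152 <main+41>
<+37>:    add    DWORD PTR [rbp-0x4],0x65
<+41>:    mov    eax,DWORD PTR [rbp-0x4]
<+44>:    pop    rbp
<+45>:    ret
"""

def to_signed(v, bits):
    v &= MASK[bits]
    return v - (1 << bits) if v >> (bits - 1) else v  # two's-complement view

def parse_listing(text):
    """gdb 'disassemble' text -> [(offset, mnemonic, [operands])]."""
    instrs = []
    for line in text.strip().splitlines():
        m = INSTR_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        ops = [o.strip() for o in m.group(3).split(",")] if m.group(3) else []
        instrs.append((int(m.group(1)), m.group(2), ops))
    return instrs

class Cpu:
    def __init__(self, argc=1, argv=0x7FFFFFFFE000):
        self.regs = {"rbp": 0x7FFFFFFFD000, "rsp": 0x7FFFFFFFD000,
                     "edi": argc, "rsi": argv, "eax": 0}
        self.mem, self.flags = {}, None  # flags: (lhs, rhs, bits) of the last cmp
    def loc(self, op):  # operand -> (store, key, width in bits); None for an immediate
        m = MEM_RE.match(op)
        if m:  # DWORD/QWORD PTR [reg-disp]: the key is the computed address
            addr = self.regs[m.group(2)] + int(m.group(3) or "0", 16)
            return self.mem, addr, 32 if m.group(1) == "DWORD" else 64
        return (self.regs, op, 32 if op in REG32 else 64) if op in self.regs else None
    def read(self, op, bits):
        where = self.loc(op)
        if where is None:  # immediate: takes the width of its destination
            return int(op, 0) & MASK[bits]
        store, key, bits = where
        return store.get(key, 0) & MASK[bits]
    def write(self, op, value):
        store, key, bits = self.loc(op)
        store[key] = value & MASK[bits]  # truncate like the real register or slot
    def run(self, instrs):
        index, pc = {off: i for i, (off, _, _) in enumerate(instrs)}, 0
        while True:
            _, mnem, ops = instrs[pc]
            pc += 1
            if mnem == "ret":
                return self.regs["eax"]
            if mnem == "push":
                self.regs["rsp"] -= 8
                self.mem[self.regs["rsp"]] = self.regs[ops[0]]
            elif mnem == "pop":
                self.regs[ops[0]] = self.mem.get(self.regs["rsp"], 0)
                self.regs["rsp"] += 8
            elif mnem in ("jmp", "jle"):
                taken = mnem == "jmp"
                if not taken:
                    lhs, rhs, bits = self.flags  # recorded by the preceding cmp
                    taken = to_signed(lhs, bits) <= to_signed(rhs, bits)  # signed!
                if taken:
                    pc = index[int(TARGET_RE.search(ops[0]).group(1))]
            elif mnem in ALU:
                bits = self.loc(ops[0])[2]
                dst, src = self.read(ops[0], bits), self.read(ops[1], bits)
                if mnem == "cmp":
                    self.flags = (dst, src, bits)
                else:
                    self.write(ops[0], ALU[mnem](dst, src))
            elif mnem != "endbr64":  # endbr64 is a CET landing pad with no effect here
                raise NotImplementedError(mnem)

def eax_at_ret(listing, **start):
    return Cpu(**start).run(parse_listing(listing))

if __name__ == "__main__":
    print(eax_at_ret(ASM4))  # 654773
```

Running it prints 654773 for Bit-O-Asm-4; the other three listings can be pasted into eax_at_ret the same way and give 48, 654874 and 2619997. Replacing 0x9fe1a in the listing with a small value such as 0x10 makes the jle branch taken (result 0x10 + 0x65 = 0x75), and replacing it with 0xffffffff, which is -1 as a signed dword, also takes the jle and then wraps the add at 32 bits, which is why "more digits means bigger" only holds while the value is positive.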
