PicoCTF 2017 – Programmers Assemble #reverseengineering #assembly #infosec

Another day, another hacking challenge.

In today’s challenge we’re going to focus on a reverse engineering exercise.

Clicking on the exercise we see the following:

programmers_assemble_challenge_hints

Downloading the file and opening it in WordPad we see:

assembly_screenshot

 

Assembly… eeekk!

Let’s break it down – line by line.

eax = ???

ebx = 0

ecx = 8

for the line test %eax, %eax we’re testing to see if the zero flag of the %eax register is equal to zero

When eax is zero then we jump to the fin label, and compare ebx to see if it’s 46992.

So what do we need to set eax so ebx will be 46991? What happens if we divide 46992/8? Could this possibly give us the value of eax? Dividing 46991/8 = 5,874 decimal = 0x16F2.

You may be wondering, why would you divide 46992 by 8?

Looking at the assembly we know that when eax is not zero, we add 8 to the ebx register, and decrement eax by one and jump back to the loop label. We know if we set eax to 0x16F2 or 5,874 decimal then when eax equal 0 the program will jump to the fin label and the ebx register will be 0xb6790 or 46991 decimal. Once the comparison happens the program will jump again to the good label which will assign the eax register to 1.

To put this in a computer language it will be:

eax = 5874;

ebx = 0;

ecx = 8;

if(eax ==0) {

if(ebx == 46991) {

eax = 1;

} else {

eax = 0;

}

else {

ebx = ebx + ecx;

}

eax–;

Moral of the story assembly is the bare bones of ALL programming languages. No matter what language you use it can be broken down into assembly.

Entering 0x16F2 into the text box we acquired 75 points!

Advertisements

PicoCTF 2017 – A Thing Called A Stack #ctf #picoctf #appsec #infosec #reverseengineering

Another day, another challenge.

In today’s blog post we’re going to solve the “A Thing Called A Stack” challenge from PicoCTF.

Let’s get started.

Clicking on the challenge, we see the following:

PicoCTF_A_Thing_Called_A_Stack_1

OK, so we’re given a file, and we need to determine the difference between the value of esp at the end of the code, and the location of the saved return address.

Looking at the hints we see the following:

PicoCTF_A_Thing_Called_A_Stack_2

We’ve encountered two different questions. Where is the return address saved, and what commands actually affect the stack.

DISCLAIMER: I haven’t worked with assembly in probably 8 years. So, what did I do? Go to YouTube.

Entering – “Assembly tutorial” I found a GREAT crash course on explaining assembly.

I have linked the video here.

Opening the file (Notepad++ is great!)

We see the following:

PicoCTF_A_Thing_Called_A_Stack_3

Using the YouTube tutorial, let’s decode the assembly code.

First we’re pushing the ebp (base pointer) onto the stack.

Next, we move the esp (stack pointer) to be at the same location to the base pointer.

Next, we push edi, esi, and ebx onto the stack. Note these instructions don’t change the stack. This solves question #2 in the hints section.

Next, we add 180 (0xb4 hex) to the stack to hold local variables.

Next, we’re going to store the local variable x = 0, to address 180 + 4 = 184

Next, we’re going to store the local variable y = 1,  to address 184 + 4 = 188

Next, we’re going to store the local variable z = 2, to address 188 + 4 = 192

Next, we’re going to store the local variable a = 3, to address 192 + 4 = 196

So now the esp (stack pointer) is now at 196.

Let’s convert 196 to hexadecimal.

Doing this we get the following: 0xc4

Entering this into the challenge, we see that solved the challenge and acquired 60 points!