Another quick picoCTF challenge. This one was an easy challenge on reading and understanding x86 assembly. Let's take a look.
```asm
.global main
main:
    mov $XXXXXXX, %eax
    mov $0, %ebx
    mov $0x8, %ecx
loop:
    test %eax, %eax
    jz fin
    add %ecx, %ebx
    dec %eax
    jmp loop
fin:
    cmp $0xdc98, %ebx
    je good
    mov $0, %eax
    jmp end
good:
    mov $1, %eax
end:
    ret
```
So our goal is to get to the "good" block, where eax is set to 1 (the success return value); the unknown we have to find is the immediate XXXXXXX loaded into eax in main. To get there, we look at the fin block: we jump to good only if ebx equals 0xdc98. Now look at main. We initialize ebx to 0 and ecx to 8. In the loop, we test eax and jump to fin if eax is 0. If it's not 0, we add ecx (which is 8) to ebx, decrement eax by 1, and go back to the top of the loop. So ebx ends up as 8 times the starting value of eax. In pseudocode:
```c
eax = ??
ebx = 0
ecx = 8
while (eax != 0) {
    eax--;
    ebx += ecx;
}
if (ebx == 0xdc98)
    victory!
else
    failure!
```
So how many times does the loop have to run to get ebx to 0xdc98? Each iteration adds 8, and the loop runs once per unit of eax, so we need eax = 0xdc98 / 8 = 0x1b93 (56472 / 8 = 7059, with no remainder, so the division is exact), which is our flag!
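To check the answer without a debugger, here is a small emulation of the loop plus a solver for the general case of an arbitrary target and step. This is an added example, not part of the original writeup; the function names `run` and `solve` are my own, and the registers are treated as 32-bit unsigned values so that `dec` on 0 wraps the way the hardware would.

```python
# Added example: emulate the picoCTF loop and solve for the unknown eax.
# Not from the original writeup; function names are this example's own.

TARGET = 0xDC98     # immediate compared against ebx in the fin block
STEP = 0x8          # ecx, added to ebx on every iteration
MASK = 0xFFFFFFFF   # 32-bit registers wrap on overflow


def run(eax: int, target: int = TARGET, step: int = STEP) -> int:
    """Emulate main() instruction by instruction; return 1 (good) or 0 (end)."""
    eax &= MASK          # mov $XXXXXXX, %eax
    ebx = 0              # mov $0, %ebx
    ecx = step & MASK    # mov $0x8, %ecx
    while eax != 0:      # test %eax, %eax / jz fin
        ebx = (ebx + ecx) & MASK   # add %ecx, %ebx
        eax = (eax - 1) & MASK     # dec %eax
    # fin: cmp $target, %ebx / je good
    return 1 if ebx == target else 0


def solve(target: int = TARGET, step: int = STEP):
    """Return the smallest non-negative eax that makes run() return 1, or None.

    ebx only ever takes the values 0, step, 2*step, ... (ignoring 32-bit
    wraparound, which would need more than 2**29 iterations), so the target
    must be an exact multiple of step for a small solution to exist.
    """
    if step == 0:
        # ebx never changes; the only winnable target is 0, with eax = 0
        return 0 if target == 0 else None
    if target % step != 0:
        return None
    eax = target // step
    # Cross-check the arithmetic against the emulation before trusting it.
    if run(eax, target, step) != 1:
        return None
    return eax


if __name__ == "__main__":
    answer = solve()
    print(f"eax = {answer:#x} ({answer} iterations), run() -> {run(answer)}")
```

`run(0x1b93)` returns 1 and `run(0x1b92)` returns 0, matching the hand calculation; `solve(0xdc99)` returns `None` because 0xdc99 is not a multiple of 8, which is the check that tells you whether a "divide the target by the step" answer is valid for a variant of this challenge.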