# ASM writeup - Zh3r0CTF
This is a quick writeup of the asm challenges that I encountered.
## ASM 1
> What is returned sql(10)
>
> Flag format: zh3r0{Returned_Value}
> Author: Tourpran
Reading asm is not easy, especially for beginners. Fortunately, in my arsenal was a trick I learnt from AUCTF. The basic premise is that you just get the asm compiled and let your computer do the work for you xD
```
; asm1.rev
sql(int):
push rbp
mov rbp, rsp
mov DWORD PTR [rbp-20], edi
mov eax, DWORD PTR [rbp-20]
mov edx, eax
shr edx, 31
add eax, edx
sar eax
mov DWORD PTR [rbp-4], eax
mov eax, DWORD PTR [rbp-20]
add eax, eax
mov DWORD PTR [rbp-8], eax
mov eax, DWORD PTR [rbp-4]
imul eax, DWORD PTR [rbp-8]
pop rbp
ret
```
If you know even basic of assembly you could probably patch it up to compilable assembly, but I have sadly not reached that level.
Thus, the way to proceed is to write a basic c structure program:
```cpp
#include <stdio.h>
int sql(int num) {
return num + num;
}
int main() {
printf("%d", sql(10));
return 0;
}
```
Then compile it using:
gcc -S -masm=intel -O0 test.c
that should give you a `test.s` file. Replace the assembly under .sql label.
Finally, the `test.s` file turns out to look like this:
```
.file "test.c"
.intel_syntax noprefix
.text
.globl sql
.type sql, @function
sql:
.LFB0:
.cfi_startproc
push rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
mov rbp, rsp
.cfi_def_cfa_register 6
mov DWORD PTR [rbp-20], edi
mov eax, DWORD PTR [rbp-20]
mov edx, eax
shr edx, 31
add eax, edx
sar eax
mov DWORD PTR [rbp-4], eax
mov eax, DWORD PTR [rbp-20]
add eax, eax
mov DWORD PTR [rbp-8], eax
mov eax, DWORD PTR [rbp-4]
imul eax, DWORD PTR [rbp-8]
pop rbp
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE0:
.size sql, .-sql
.section .rodata
.LC0:
.string "%d"
.text
.globl main
.type main, @function
main:
.LFB1:
.cfi_startproc
push rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
mov rbp, rsp
.cfi_def_cfa_register 6
mov edi, 10
call sql
mov esi, eax
lea rdi, .LC0[rip]
mov eax, 0
call printf@PLT
mov eax, 0
pop rbp
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE1:
.size main, .-main
.ident "GCC: (Debian 9.3.0-10) 9.3.0"
.section .note.GNU-stack,"",@progbits
```
Compile and run using:
gcc test.s
./a.out
The flag is `zh3r0{100}`
## ASM2
:::spoiler asm2.rev
```
start(int, int):
push rbp
mov rbp, rsp
sub rsp, 48
mov DWORD PTR [rbp-36], edi
mov DWORD PTR [rbp-40], esi
mov eax, DWORD PTR [rbp-36]
mov edi, eax
call f(int)
mov DWORD PTR [rbp-4], eax
mov eax, DWORD PTR [rbp-40]
mov edi, eax
call f(int)
mov DWORD PTR [rbp-8], eax
mov DWORD PTR [rbp-12], 0
mov DWORD PTR [rbp-16], 0
.L3:
cmp DWORD PTR [rbp-4], 0
jle .L2
mov edx, DWORD PTR [rbp-4]
movsx rax, edx
imul rax, rax, 1717986919
shr rax, 32
mov ecx, eax
sar ecx, 2
mov eax, edx
sar eax, 31
sub ecx, eax
mov eax, ecx
sal eax, 2
add eax, ecx
add eax, eax
mov ecx, edx
sub ecx, eax
mov esi, DWORD PTR [rbp-4]
movsx rax, esi
imul rax, rax, 1717986919
shr rax, 32
mov edx, eax
sar edx, 2
mov eax, esi
sar eax, 31
sub edx, eax
mov eax, edx
sal eax, 2
add eax, edx
add eax, eax
sub esi, eax
mov edx, esi
mov eax, ecx
imul eax, edx
add DWORD PTR [rbp-12], eax
mov eax, DWORD PTR [rbp-4]
movsx rdx, eax
imul rdx, rdx, 1717986919
shr rdx, 32
sar edx, 2
sar eax, 31
sub edx, eax
mov eax, edx
mov DWORD PTR [rbp-4], eax
jmp .L3
.L2:
cmp DWORD PTR [rbp-8], 0
jle .L4
mov edx, DWORD PTR [rbp-8]
movsx rax, edx
imul rax, rax, 1717986919
shr rax, 32
mov ecx, eax
sar ecx, 2
mov eax, edx
sar eax, 31
sub ecx, eax
mov eax, ecx
sal eax, 2
add eax, ecx
add eax, eax
mov ecx, edx
sub ecx, eax
mov esi, DWORD PTR [rbp-8]
movsx rax, esi
imul rax, rax, 1717986919
shr rax, 32
mov edx, eax
sar edx, 2
mov eax, esi
sar eax, 31
sub edx, eax
mov eax, edx
sal eax, 2
add eax, edx
add eax, eax
sub esi, eax
mov edx, esi
mov eax, ecx
imul eax, edx
add DWORD PTR [rbp-16], eax
mov eax, DWORD PTR [rbp-8]
movsx rdx, eax
imul rdx, rdx, 1717986919
shr rdx, 32
sar edx, 2
sar eax, 31
sub edx, eax
mov eax, edx
mov DWORD PTR [rbp-8], eax
jmp .L2
.L4:
mov DWORD PTR [rbp-20], 0
mov DWORD PTR [rbp-24], 1
.L8:
cmp DWORD PTR [rbp-24], 99
jg .L5
mov DWORD PTR [rbp-28], 1
.L7:
cmp DWORD PTR [rbp-28], 99
jg .L6
mov eax, DWORD PTR [rbp-12]
imul eax, DWORD PTR [rbp-24]
mov edx, eax
mov eax, DWORD PTR [rbp-16]
imul eax, DWORD PTR [rbp-28]
add eax, edx
add DWORD PTR [rbp-20], eax
add DWORD PTR [rbp-28], 1
jmp .L7
.L6:
add DWORD PTR [rbp-24], 1
jmp .L8
.L5:
mov eax, DWORD PTR [rbp-20]
leave
ret
f(int):
push rbp
mov rbp, rsp
push rbx
sub rsp, 24
mov DWORD PTR [rbp-20], edi
cmp DWORD PTR [rbp-20], 0
jne .L11
mov eax, 0
jmp .L12
.L11:
cmp DWORD PTR [rbp-20], 1
jne .L13
mov eax, 1
jmp .L12
.L13:
mov eax, DWORD PTR [rbp-20]
sub eax, 1
mov edi, eax
call f(int)
mov ebx, eax
mov eax, DWORD PTR [rbp-20]
sub eax, 2
mov edi, eax
call f(int)
add eax, ebx
.L12:
add rsp, 24
pop rbx
pop rbp
ret
```
:::
Asm2 looks a bit more harder, with two functions this time. That shouldn't be a problem for us. Writing the structure c program again:
```cpp
#include <stdio.h>
int f(int num) {
return num>>1;
}
int start(int num1, int num2) {
return f(num1) + num2;
}
int main() {
printf("%d", start(7,8));
return 0;
}
```
Compiling again using:
gcc -S -masm=intel -O0 test.c
Replacing the asm, `test.s` looks like:
:::spoiler test.s
```
.file "test.c"
.intel_syntax noprefix
.text
.globl f
.type f, @function
f:
.LFB0:
.cfi_startproc
push rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
mov rbp, rsp
.cfi_def_cfa_register 6
push rbx
sub rsp, 24
mov DWORD PTR [rbp-20], edi
cmp DWORD PTR [rbp-20], 0
jne .L11
mov eax, 0
jmp .L12
.L11:
cmp DWORD PTR [rbp-20], 1
jne .L13
mov eax, 1
jmp .L12
.L13:
mov eax, DWORD PTR [rbp-20]
sub eax, 1
mov edi, eax
call f
mov ebx, eax
mov eax, DWORD PTR [rbp-20]
sub eax, 2
mov edi, eax
call f
add eax, ebx
.L12:
add rsp, 24
pop rbx
pop rbp
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE0:
.size f, .-f
.globl start
.type start, @function
start:
.LFB1:
.cfi_startproc
push rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
mov rbp, rsp
.cfi_def_cfa_register 6
sub rsp, 48
mov DWORD PTR [rbp-36], edi
mov DWORD PTR [rbp-40], esi
mov eax, DWORD PTR [rbp-36]
mov edi, eax
call f
mov DWORD PTR [rbp-4], eax
mov eax, DWORD PTR [rbp-40]
mov edi, eax
call f
mov DWORD PTR [rbp-8], eax
mov DWORD PTR [rbp-12], 0
mov DWORD PTR [rbp-16], 0
.L3:
cmp DWORD PTR [rbp-4], 0
jle .L2
mov edx, DWORD PTR [rbp-4]
movsx rax, edx
imul rax, rax, 1717986919
shr rax, 32
mov ecx, eax
sar ecx, 2
mov eax, edx
sar eax, 31
sub ecx, eax
mov eax, ecx
sal eax, 2
add eax, ecx
add eax, eax
mov ecx, edx
sub ecx, eax
mov esi, DWORD PTR [rbp-4]
movsx rax, esi
imul rax, rax, 1717986919
shr rax, 32
mov edx, eax
sar edx, 2
mov eax, esi
sar eax, 31
sub edx, eax
mov eax, edx
sal eax, 2
add eax, edx
add eax, eax
sub esi, eax
mov edx, esi
mov eax, ecx
imul eax, edx
add DWORD PTR [rbp-12], eax
mov eax, DWORD PTR [rbp-4]
movsx rdx, eax
imul rdx, rdx, 1717986919
shr rdx, 32
sar edx, 2
sar eax, 31
sub edx, eax
mov eax, edx
mov DWORD PTR [rbp-4], eax
jmp .L3
.L2:
cmp DWORD PTR [rbp-8], 0
jle .L4
mov edx, DWORD PTR [rbp-8]
movsx rax, edx
imul rax, rax, 1717986919
shr rax, 32
mov ecx, eax
sar ecx, 2
mov eax, edx
sar eax, 31
sub ecx, eax
mov eax, ecx
sal eax, 2
add eax, ecx
add eax, eax
mov ecx, edx
sub ecx, eax
mov esi, DWORD PTR [rbp-8]
movsx rax, esi
imul rax, rax, 1717986919
shr rax, 32
mov edx, eax
sar edx, 2
mov eax, esi
sar eax, 31
sub edx, eax
mov eax, edx
sal eax, 2
add eax, edx
add eax, eax
sub esi, eax
mov edx, esi
mov eax, ecx
imul eax, edx
add DWORD PTR [rbp-16], eax
mov eax, DWORD PTR [rbp-8]
movsx rdx, eax
imul rdx, rdx, 1717986919
shr rdx, 32
sar edx, 2
sar eax, 31
sub edx, eax
mov eax, edx
mov DWORD PTR [rbp-8], eax
jmp .L2
.L4:
mov DWORD PTR [rbp-20], 0
mov DWORD PTR [rbp-24], 1
.L8:
cmp DWORD PTR [rbp-24], 99
jg .L5
mov DWORD PTR [rbp-28], 1
.L7:
cmp DWORD PTR [rbp-28], 99
jg .L6
mov eax, DWORD PTR [rbp-12]
imul eax, DWORD PTR [rbp-24]
mov edx, eax
mov eax, DWORD PTR [rbp-16]
imul eax, DWORD PTR [rbp-28]
add eax, edx
add DWORD PTR [rbp-20], eax
add DWORD PTR [rbp-28], 1
jmp .L7
.L6:
add DWORD PTR [rbp-24], 1
jmp .L8
.L5:
mov eax, DWORD PTR [rbp-20]
leave
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE1:
.size start, .-start
.section .rodata
.LC0:
.string "%d"
.text
.globl main
.type main, @function
main:
.LFB2:
.cfi_startproc
push rbp
.cfi_def_cfa_offset 16
.cfi_offset 6, -16
mov rbp, rsp
.cfi_def_cfa_register 6
mov esi, 8
mov edi, 7
call start
mov esi, eax
lea rdi, .LC0[rip]
mov eax, 0
call printf@PLT
mov eax, 0
pop rbp
.cfi_def_cfa 7, 8
ret
.cfi_endproc
.LFE2:
.size main, .-main
.ident "GCC: (Debian 9.3.0-10) 9.3.0"
.section .note.GNU-stack,"",@progbits
```
:::
Compiling and running `test.s`,
gcc test.s && ./a.out
We get the flag, `zh3r0{7350750}`
Sign in with Wallet
Connect another wallet