asm3

Author: programmeruser2

picoCTF/2019/asm3

@@ -0,0 +1,34 @@
+section .text
+extern printf
+extern exit
+global _start
+; nasm -f elf32 -o asm3.o asm3.asm
+; ld -m elf_i386 -dynamic-linker /lib/ld-linux.so.2 -o asm3 -lc asm3.o
+_start:
+    push 0xe54409d5
+    push 0xe6cf51f0
+    push 0xd2c26416 
+    call asm3
+    add esp, 12
+    push eax
+    push fmt
+    call printf
+    add esp, 8
+    push 0x00
+    call exit
+asm3:
+    push   ebp
+    mov    ebp,esp
+    xor    eax,eax
+    mov    ah,BYTE [ebp+0x9]
+    shl    ax,0x10
+    sub    al,BYTE [ebp+0xe]
+    add    ah,BYTE [ebp+0xf]
+    xor    ax,WORD [ebp+0x12]
+    nop
+    pop    ebp
+    ret
+
+section .data
+    fmt: db "0x%x", 0xa, 0x00
+

picoCTF/2019/asm3.asm

@@ -0,0 +1,21 @@
+from pwn import p32
+# Broken, use asm3.asm instead
+a1 = 0xd2c26416 
+a2 = 0xe6cf51f0 
+a3 = 0xe54409d5 
+mem = p32(a1)+p32(a2)+p32(a3)
+print(mem.hex())
+ax = 0 
+print(hex(ax))
+ax = mem[0x9-0x8]<<8
+print(hex(ax))
+ax <<= 0x10 
+print(hex(ax))
+ax = ax-(ax&0xff)+(((ax&0xff)-mem[0xe-0x8])%256)
+print(hex(ax))
+ax = ax-((ax>>8)&0xff)+(((ax>>8)&0xff)+mem[0xf-0x8])%256
+print(hex(ax))
+ax ^= mem[0x12-0x8]+mem[0x12-0x8+1]<<8
+print('final', hex(ax))
+
+