Welcome to ASMLevel7
==================================================
To interact with any level you will send raw bytes over stdin to this program.
To efficiently solve these problems, first run it once to see what you need
then craft, assemble, and pipe your bytes to this program.
In this level you will be working with registers. You will be asked to modify
or read from registers_use.
We will now set some values in memory dynamically before each run. On each run
the values will change. This means you will need to do some type of formulaic
operation with registers_use. We will tell you which registers_use are set beforehand
and where you should put the result. In most cases, its rax.
In this level you will be working with bit logic and operations. This will involve heavy use of
directly interacting with bits stored in a register or memory location. You will also likely
need to make use of the logic instructions in x86: and, or, not, xor.
Shifting in assembly is another interesting concept! x86 allows you to 'shift'
bits around in a register. Take for instance, rax. For the sake of this example
say rax only can store 8 bits (it normally stores 64). The value in rax is:
rax = 10001010
If we shift the value once to the left:
shl rax, 1
The new value is:
rax = 00010100
As you can see, everything shifted to the left and the highest bit fell off and
a new 0 was added to the right side. You can use this to do special things to
the bits you care about. It also has the nice side affect of doing quick multiplication,
division, and possibly modulo.
Here are the important instructions:
shl reg1, reg2 <=> Shift reg1 left by the amount in reg2
shr reg1, reg2 <=> Shift reg1 right by the amount in reg2
Note: all 'regX' can be replaced by a constant or memory location
Using only the following instructions:
mov, shr, shl
Please perform the following:
Set rax to the 5th least significant byte of rdi
i.e.
rdi = | B7 | B6 | B5 | B4 | B3 | B2 | B1 | B0 |
Set rax to the value of B4
We will now set the following in preparation for your code:
rdi = 0x8c5bf75e4e542f93
Please give me your assembly in bytes (up to 0x1000 bytes):
Solution
--------------------------------------------------------------------------------------
: mov rax, rdi
shr rax, 32
shl rax, 32
shl rax, 24
shr rax, 56
In order to solve this problem, you need to know about shifting. I need to say that I was not easy
to solve this challenge because of logical instructions.
Let me divide RDI instruction:
8c 5b f7 |5e| 4e 54 2f 93
b7 b6 b5 b4 b3 b2 b1 b0
We should consider that; so as to solve this problem we ought to make 0x00000000000|5e|
It is not easy, however, we can use shift instructions
0x400000: mov rax, rdi
0x400003: shr rax, 0x20
1. We should store RDI to RAX
mov rax, rdi
2. 8c 5b f7 |5e| 4e 54 2f 93, we can just shift to right (32 bits) 4 bytes
To understand let me give an example:
mov al, 0d0h ; AL= 11010000b
shr al, 1 ; AL= 01101000b , CF = 0
It will shift 1 byte
before : 1 1 0 1 0 0 0 0
after : 0 1 1 0 1 0 0 0 <--- 1 byte
Oke, if we understand this let me move forward.
3. 8c 5b f7 5e 4e 54 2f 93 (4 bytes) shifting to right | shr rax, 32
before: 8c 5b f7 5e 4e 54 2f 93
after : 00 00 00 00 8c 5b f7 5e
4. shl rax, 0x20, we are shifting (4 bytes) to left | shl rax, 32
before: 00 00 00 00 8c 5b f7 5e
after: 8c 5b f7 5e 00 00 00 00
5. shl rax, 24; we can just shift 3 bytes
before: 8c 5b f7 5e 00 00 00 00
after: 5e 00 00 00 00 00 00 00
Awesome! The goal was to make --> 00 00 00 00 00 00 00 5e
In order to code this we can use 54 bytes, because 54 / 8 = 7 bytes shifting to right
6. shr rax, 56; we can just shift 7 bytes to right
before: 5e 00 00 00 00 00 00 00
after: 00 00 00 00 00 00 00 5e
And we will get the result
the flag --> pwn.college{cm5Lbv4ttjiDHxd6ZCWkMql6NgK.0FMwIDLxUjNyEzW}
0 comments:
Post a Comment