Welcome to ASMLevel8
==================================================
To interact with any level you will send raw bytes over stdin to this program.
To efficiently solve these problems, first run it once to see what you need
then craft, assemble, and pipe your bytes to this program.
In this level you will be working with registers. You will be asked to modify
or read from registers_use.
We will now set some values in memory dynamically before each run. On each run
the values will change. This means you will need to do some type of formulaic
operation with registers_use. We will tell you which registers_use are set beforehand
and where you should put the result. In most cases, its rax.
In this level you will be working with bit logic and operations. This will involve heavy use of
directly interacting with bits stored in a register or memory location. You will also likely
need to make use of the logic instructions in x86: and, or, not, xor.
Bitwise logic in assembly is yet another interesting concept!
x86 allows you to perform logic operation bit by bit on registers.
For the sake of this example say registers only store 8 bits.
The values in rax and rbx are:
rax = 10101010
rbx = 00110011
'If we were to perform a bitwise AND of rax and rbx using the and rax, rbx instruction'
the result would be calculated by ANDing each pair bits 1 by 1 hence why
it's called a bitwise logic. So from left to right:
1 AND 0 = 0, 0 AND 0 = 0, 1 AND 1 = 1, 0 AND 1 = 0 ...
Finally we combine the results together to get:
rax = 00100010
Here are some truth tables for reference:
AND OR XOR
A | B | X A | B | X A | B | X
---+---+--- ---+---+--- ---+---+---
0 | 0 | 0 0 | 0 | 0 0 | 0 | 0
0 | 1 | 0 0 | 1 | 1 0 | 1 | 1
1 | 0 | 0 1 | 0 | 1 1 | 0 | 1
1 | 1 | 1 1 | 1 | 1 1 | 1 | 0
Without using the following instructions:
mov, xchg
Please perform the following:
rax = rdi AND rsi
i.e. Set rax to the value of (rdi AND rsi)
We will now set the following in preparation for your code:
rdi = 0x5856eabd47a76de7
rsi = 0x823480e58837da98
Please give me your assembly in bytes (up to 0x1000 bytes):
Solution
---------------------------------------------------------------------------------------------------------------------------------
---------------- CODE ----------------
0x400000: and rsi, rdi
0x400003: lea rax, [rsi]
0x400006: int3
--------------------------------------
+--------------------------------------------------------------------------------+
| Registers |
+-------+----------------------+-------+----------------------+------------------+
| rax | 0x01120a4284201150 | rbx | 0x0000000000000000 | |
| rcx | 0x0000000000000000 | rdx | 0x0000000000000000 | |
| rsi | 0x01120a4284201150 | rdi | 0x67921ac6cd3d1ff4 | |
| rbp | 0x0000000000000000 | rsp | 0x00007fffff200000 | |
| r8 | 0x0000000000000000 | r9 | 0x0000000000000000 | |
| r10 | 0x0000000000000000 | r11 | 0x0000000000000000 | |
| r12 | 0x0000000000000000 | r13 | 0x0000000000000000 | |
| r14 | 0x0000000000000000 | r15 | 0x0000000000000000 | |
| rip | 0x0000000000400007 | | | |
+---------------------------------+-------------------------+--------------------+
| Stack location | Data (bytes) | Data (LE int) |
+---------------------------------+-------------------------+--------------------+
+---------------------------------+-------------------------+--------------------+
| Memory location | Data (bytes) | Data (LE int) |
+---------------------------------+-------------------------+--------------------+
| 0x0000000000404000 (+0x0000) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x0000000000404008 (+0x0008) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x0000000000404010 (+0x0010) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x0000000000404018 (+0x0018) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
+---------------------------------+-------------------------+--------------------+
In [22]: process = pwn.process("/challenge/run")
[x] Starting local process '/challenge/run'
[+] Starting local process '/challenge/run': pid 13716
In [23]: process.write(pwn.asm("""
...: and rsi, rdi ; RSI ^ RDI = RSI
...: lea rax, [rsi+0] RAX = RSI + 0 --> POINTER
...: int3""")) ; show the register
the flag: pwn.college{MWhT4yMOdF8VG0f3CluXY71Sz4t.0VMwIDLxUjNyEzW}
---------------------------------------------------------------------------------------------------------------------------------
Welcome to ASMLevel9
==================================================
To interact with any level you will send raw bytes over stdin to this program.
To efficiently solve these problems, first run it once to see what you need
then craft, assemble, and pipe your bytes to this program.
In this level you will be working with registers. You will be asked to modify
or read from registers_use.
We will now set some values in memory dynamically before each run. On each run
the values will change. This means you will need to do some type of formulaic
operation with registers_use. We will tell you which registers_use are set beforehand
and where you should put the result. In most cases, its rax.
In this level you will be working with bit logic and operations. This will involve heavy use of
directly interacting with bits stored in a register or memory location. You will also likely
need to make use of the logic instructions in x86: and, or, not, xor.
Using only the following instructions:
and, or, xor
Implement the following logic:
if x is even then
y = 1
else
y = 0
where:
x = rdi
y = rax
We will now set the following in preparation for your code:
rdi = 0x1ef226d6
Please give me your assembly in bytes (up to 0x1000 bytes):
Solution
-----------------------------------------------------------------------------------------
Executing your code...
---------------- CODE ----------------
0x400000: and eax, 1
0x400003: or eax, 1
0x400006: int3
--------------------------------------
+--------------------------------------------------------------------------------+
| Registers |
+-------+----------------------+-------+----------------------+------------------+
| rax | 0x0000000000000001 | rbx | 0x0000000000000000 | |
| rcx | 0x0000000000000000 | rdx | 0x0000000000000000 | |
| rsi | 0x0000000000000000 | rdi | 0x000000003143ab60 | |
| rbp | 0x0000000000000000 | rsp | 0x00007fffff200000 | |
| r8 | 0x0000000000000000 | r9 | 0x0000000000000000 | |
| r10 | 0x0000000000000000 | r11 | 0x0000000000000000 | |
| r12 | 0x0000000000000000 | r13 | 0x0000000000000000 | |
| r14 | 0x0000000000000000 | r15 | 0x0000000000000000 | |
| rip | 0x0000000000400007 | | | |
+---------------------------------+-------------------------+--------------------+
| Stack location | Data (bytes) | Data (LE int) |
+---------------------------------+-------------------------+--------------------+
+---------------------------------+-------------------------+--------------------+
| Memory location | Data (bytes) | Data (LE int) |
+---------------------------------+-------------------------+--------------------+
| 0x0000000000404000 (+0x0000) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x0000000000404008 (+0x0008) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x0000000000404010 (+0x0010) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
| 0x0000000000404018 (+0x0018) | 00 00 00 00 00 00 00 00 | 0x0000000000000000 |
+---------------------------------+-------------------------+--------------------+
1. First of all, in order to solve this challenge we need to consider that we can only use
LSB --> least significant bit
2. We can use AND instruction to make the bits zero except LSB
AND eax, 1 --> 0x0000000000000001
3. After this, you can use XOR [or] OR instruction to make a comparison
I am going to use OR instruction
OR eax, 1 --> this will give us the result.
the flag: pwn.college{oG7CCgDLdkN47j14EBmR_xye_5Z.0lMwIDLxUjNyEzW}
---------------------------------------------------------------------------------------------------------------------------------
Welcome to ASMLevel10
==================================================
To interact with any level you will send raw bytes over stdin to this program.
To efficiently solve these problems, first run it once to see what you need
then craft, assemble, and pipe your bytes to this program.
We will now set some values in memory dynamically before each run. On each run
the values will change. This means you will need to do some type of formulaic
operation with registers_use. We will tell you which registers_use are set beforehand
and where you should put the result. In most cases, its rax.
In this level you will be working with memory. This will require you to read or write
to things stored linearly in memory. If you are confused, go look at the linear
addressing module in 'ike. You may also be asked to dereference things, possibly multiple
times, to things we dynamically put in memory for your use.
Up until now you have worked with registers as the only way for storing things, essentially
variables like 'x' in math. Recall that memory can be addressed. Each address contains something
at that location, like real addresses! As an example: the address '699 S Mill Ave, Tempe, AZ 85281'
maps to the 'ASU Campus'. We would also say it points to 'ASU Campus'. We can represent this like:
['699 S Mill Ave, Tempe, AZ 85281'] = 'ASU Campus'
The address is special because it is unique. But that also does not mean other address cant point to
the same thing (as someone can have multiple houses). Memory is exactly the same! For instance,
the address in memory that your code is stored (when we take it from you) is 0x400000.
In x86 we can access the thing at a memory location, called dereferencing, like so:
mov rax, [some_address] <=> Moves the thing at 'some_address' into rax
This also works with things in registers:
mov rax, [rdi] <=> Moves the thing stored at the address of what rdi holds to rax
This works the same for writing:
mov [rax], rdi <=> Moves rdi to the address of what rax holds.
So if rax was 0xdeadbeef, then rdi would get stored at the address 0xdeadbeef:
[0xdeadbeef] = rdi
Note: memory is linear, and in x86, it goes from 0 - 0xffffffffffffffff (yes, huge).
Please perform the following:
1. Place the value stored at 0x404000 into rax
2. Increment the value stored at the address 0x404000 by 0x1337
Make sure the value in rax is the original value stored at 0x404000 and make sure
that [0x404000] now has the incremented value.
We will now set the following in preparation for your code:
[0x404000] = 0x195879
Please give me your assembly in bytes (up to 0x1000 bytes):
Solution
----------------------------------------------------------------------------------------
1. In order to solve this problem we need to consider that its 32 bit.
2. Let me store [0x404000] into rax, but be aware that its 32-bit
mov eax, dword ptr [0x404000] --> we stored [0x404000] into eax register because of 32-bit
3. If we read further; it says that we need to increment [0x404000] by 0x1337, but
0x404000 into rax should not be changed. Only 0x404000
add dword ptr [0x404000], 0x1337
0x400000: mov eax, dword ptr [0x404000]
0x400007: add dword ptr [0x404000], 0x1337
--------------------------------------
The flag: pwn.college{MaPpipn8am7oJj1e7MsmjPPg3th.01MwIDLxUjNyEzW}
0 comments:
Post a Comment