easyctf-2017/self-modifier/second.asm

121 lines
1.8 KiB
NASM
Raw Normal View History

format binary
use32
include 'std.inc'
; On entrance to each shellcode segment the ebx register will be a vtable of std funcs
; printf
; puts
; scanf
; sin
; cos
; tan
; asin
; acos
; atan
; malloc
; free
; esi contains the base address of the shellcode segment
; edi contains the address of the part of the flag that this segment fills
; edx contains the number of the block
push edi
lea ecx, [esi+pattern_text]
push ecx
lea eax, [ebx + 0x4]
mov eax, dword [eax]
call dword [eax]
pop ebp
mov ecx, 0
printLoop:
push ecx
call adv_fib
push eax
lea ecx, [esi + format_text]
mov eax, dword [ebx]
push ecx
call dword [eax]
pop ecx
pop ebp
pop ecx
inc ecx
cmp ecx, 6
jnz printLoop
lea ecx, [esi+empty_text]
lea eax, [ebx + 0x4]
mov eax, dword [eax]
push ecx
call dword [eax]
pop ebp
lea ecx, [esi+inputVal]
push ecx
lea eax, [ebx + 8]
mov eax, dword [eax]
lea ecx, [esi+unsignFmt]
push ecx
call dword [eax]
add esp, 8
mov ecx, dword [esi+inputVal]
pop edi
; 433695873 is the answer
; (struct.unpack('<I', b'_ok_')[0] ^ 0x19d9ac81)
; This part of the flag is _ok_ ^ the 35th value in the pattern.
xor ecx, 0x46b2c3de
mov dword [edi], ecx
push edi
lea ecx, [esi+pray_text]
mov eax, dword [ebx]
push ecx
call dword [eax]
pop ecx
pop edi
mov dword [esi+inputVal], 0
ret
pattern_text db 'What is the 35th number (index 34) in the following sequence?', 0
format_text db '%d ', 0
; ecx = arg
adv_fib:
cmp ecx, 2
jg do_more
mov eax, 1
ret
unsignFmt db '%u', 0
inputVal dd 0
do_more:
push edx
dec ecx
push ecx
call adv_fib
pop ecx
push eax
dec ecx
push ecx
call adv_fib
pop ecx
push eax
dec ecx
call adv_fib
pop edx
add eax, edx
pop edx
add eax, edx
pop edx
ret
empty_text db 0
pray_text db 'Hope you got it right! Result: [%s]', ENDL, 0
resv_stuff 512-$