easyctf-2017/self-modifier/first.asm
format binary
use32
include 'std.inc'
; On entrance to each shellcode segment ebx points to a table of dword entries, one per
; function in the list below, in this order (printf at [ebx], puts at [ebx+4], scanf at
; [ebx+8], ...). Each entry is the address of a slot that holds the function's address,
; hence the double indirection used for every call: mov eax,[ebx+4*i] / call dword [eax]
; printf
; puts
; scanf
; sin
; cos
; tan
; asin
; acos
; atan
; malloc
; free
; esi contains the base address of the shellcode segment
; edi contains the address of the part of the flag that this segment fills
; edx contains the number of the block
; start -- one 512-byte segment of the self-modifier challenge (FASM, flat binary,
; 32-bit cdecl: every argument goes on the stack, FP results come back in ST(0)).
; Prompts for a float x, evaluates a*sin(b*atan(c*cos(x))) through the libm
; entries of the ebx table and bit-compares the single-precision result with
; final_val. On a match the raw input bits XORed with a constant are written to
; the flag slot at [edi]; on a mismatch esp is deliberately shifted by one byte
; so the epilogue and retn consume a garbled frame instead of returning cleanly.
; In:    ebx = function table (see file header), esi = segment base,
;        edi = flag-chunk slot, edx = block number (only saved and restored)
; Out:   dword [edi] = flag chunk (meaningful only on the correct-input path);
;        temp_val in the segment is zeroed again before returning
; Clobb: eax, ecx, xmm0, xmm1, x87 stack, flags; ebp is overwritten by the
;        `pop ebp` in the epilogue (see the note there)
start:
push edx
push edi
push esi                        ; saved copy, re-read after the arithmetic below
mov eax, dword [ebx]            ; eax -> printf slot
lea ecx, [esi + base_txt]       ; prompt; contains no '%', so using it as a format string is safe
push ecx
call dword [eax]                ; printf(base_txt)
add esp, 4
xor eax, eax
push eax                        ; 4-byte slot for scanf's %f result, pre-zeroed
mov eax, esp
push eax                        ; &slot
lea eax, [ebx + 8]
mov eax, dword [eax]            ; eax -> scanf slot
lea ecx, [esi+scanf_txt]
push ecx
call dword [eax]                ; scanf("%f", &slot); return value ignored, so on a
                                ; parse failure the slot simply keeps its 0
add esp, 8                      ; drop format + &slot; the result slot is now on top
; input float is now on top of the stack
pop eax
mov dword [esi+temp_val], eax   ; keep the raw IEEE-754 bits inside the segment (so the
                                ; blob must be mapped writable as well as executable)
sub esp, 8                      ; 8-byte slot for one double argument
cvtss2sd xmm0, dword [esi+temp_val]
movsd qword [esp], xmm0
; call cos
lea eax, [ebx + 0x10]
mov eax, dword [eax]
call dword [eax]                ; cos(x); result in ST(0), argument slot still ours
fstp qword [esp]                ; overwrite the argument slot with the result
movsd xmm0, qword [esp]
add esp, 8
cvtss2sd xmm1, dword [esi+c_val]
mulsd xmm0, xmm1                ; c*cos(x)
push ebp
push ebp                        ; two junk pushes = a fresh 8-byte argument slot
movsd qword [esp], xmm0
; call atan
lea eax, [ebx + 0x20]
mov eax, dword [eax]
call dword [eax]                ; atan(c*cos(x))
fstp qword [esp]
movsd xmm0, qword [esp]
pop eax                         ; release the slot; both pops are plain discards
cvtss2sd xmm1, dword [esi+b_val]
pop ecx
mulsd xmm0, xmm1                ; b*atan(...)
push esp
push ebp                        ; junk pushes again: another 8-byte slot
movsd qword [esp], xmm0
; call sin
lea eax, [ebx + 0xc]
mov eax, dword [eax]
call dword [eax]                ; sin(b*atan(...))
fstp qword [esp]
cvtss2sd xmm1, dword [esi+a_val]
movsd xmm0, qword [esp]
mulsd xmm0, xmm1                ; a*sin(...)
movsd qword [esp], xmm0
cvtsd2ss xmm0, qword [esp]      ; narrow to single precision for the comparison
pop eax                         ; discard the low dword of the slot
movss dword [esp], xmm0         ; overwrite the remaining dword with the float bits
pop eax                         ; eax = result bits
pop esi
push esi                        ; peek: reload esi from the saved copy (esi is never
                                ; modified above, so this is belt-and-braces)
; NOTE(review): exact bit compare of a float derived from double libm results.
; A last-ulp difference between libm builds would reject a correct input here;
; left as is because the challenge may depend on these exact bits.
cmp eax, dword [esi+final_val]
jnz trash
lea ecx, [esi+right_txt]
jmp past_trash
trash:
lea ecx, [esi+wrong_txt]
; Make this so it crashes badly: a one-byte esp shift means every following
; pop (ebp/esi/edi/edx) and the final retn read a byte-shifted frame, so the
; segment is expected to fault or jump to garbage rather than return cleanly.
inc esp
past_trash:
push ecx
lea eax, [ebx + 0x4]
mov eax, dword [eax]
call dword [eax]                ; puts(ecx)
; NOTE(review): this pop only discards the puts argument, but it lands in ebp,
; which this segment never saved -- the caller's ebp is clobbered. `add esp, 4`
; would discard the slot without touching a callee-saved register; keep the
; pop only if the loader is known not to rely on ebp across this call.
pop ebp
pop esi
pop edi
pop edx
mov eax, dword [esi+temp_val]   ; raw input bits (0x3fab396d for 1.33769)
; 0x336a687b = little endian of '{hj3'
; 0x336a687b ^ 0x3fab396d (bits of the correct input 1.33769) = 0x0cc15116,
; the constant below; XORing the input bits with it yields '{hj3' exactly when
; the input was the expected value (any other input gives garbage).
xor eax, 0xcc15116
mov dword [edi], eax            ; write this segment's flag chunk
xor eax, eax
mov dword [esi+temp_val], eax   ; scrub the stored input from the segment
retn
; Per-segment data, always addressed as [esi + label]. The numeric constants
; are IEEE-754 single precision (decoded values in the comments); the strings
; are interleaved with them, presumably to make static extraction noisier.
b_val dd 0x4039999a             ; 2.9f
base_txt db 'Please enter the best number, round to 6 significant figures.', ENDL, 0
a_val dd 0x40d00000             ; 6.5f
scanf_txt db '%f', 0            ; fixed-width conversion, no buffer to overflow
final_val dd 0xc092e6a0         ; ~ -4.5906f, expected bits of a*sin(b*atan(c*cos(x)))
right_txt db 'You got it!', 0
c_val dd 0xbf99999a             ; -1.2f
wrong_txt db 'You dumb.', 0
temp_val dd 0                   ; raw input bits, written at runtime and zeroed before retn
resv_stuff 512-$                ; pad the segment to 512 bytes; resv_stuff is not a FASM
                                ; builtin, presumably a macro from std.inc -- verify