Assemble Writeup

By
Gincy Mol A G
Published on
20 Sep 2020
DOMECTF2020

The challenge provides a zip file containing 3 files: assem.c, assem.s and out.txt. The function charasm is in assem.s:

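        .intel_syntax noprefix

        .global charasm

        charasm:
            push    ebp
            mov     ebp,esp
            mov     ax,DWORD PTR [ebp+0x8]    # first argument
            mov     bx,DWORD PTR [ebp+0xc]    # second argument
            mov     bx, ax                    # second argument overwritten with the first
            mov     ax, bx                    # return value = first argument
            mov     esp,ebp
            pop     ebp
            ret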
    

This function returns its first parameter.

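        #include <stdio.h>
        #include <stdlib.h>

        #define size 1000
        int i;
        int len;
        char str[6];

        int charasm(int,int);
        int readFlag(char f[], char string[]);

        int main(int argc, char* argv[]){
            char string[size];
            int a;    /* never initialised in the challenge source; the loop relies on it starting at 0 */
            readFlag("flag.txt",string);
            while(a<41){
                if(a%2 == 1){
                    /* odd index: ~ acts on the char promoted to int, so %x prints ffffffXX */
                    printf("%x", ~(string[a]));
                    a+=1;
                }
                else{
                    /* even index: charasm returns its first argument, so the byte is printed unchanged */
                    printf("%x", charasm(string[a],string[a+1]));
                    a+=1;
                }
            }
        }

        /* Reads the whole file f into string and returns the number of bytes read. */
        int readFlag(char f[], char string[]){
            FILE *fptr;
            char c;
            int i = 0;

            if ((fptr=fopen(f, "r")) == NULL){
                printf("Error: can not open file %s\n", f);
                exit(1);
            }

            while ((c = fgetc(fptr)) != EOF)
                string[i++] = c;

            string[i] = '\0';

            return i;
        }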
    

This C program reads the flag string and prints it in hexadecimal: a NOT operation is performed on the bytes at odd positions, and the bytes at even positions are written unchanged (since the charasm function returns the first parameter of its input).

out.txt contains:

        64ffffff906dffffff9a63ffffff8b66ffffff8457ffffffad35ffffff8b34ffffff9d4affffffaa49ffffffb749ffffff9564ffffff937affffffc651ffffff8b58ffffffc748ffffffb067ffffffb565ffffffb636ffffff9875ffffffb255ffffffb37d
    

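So, to reverse the encoding, the NOT operation should be performed again on the values at odd positions (the ffffffXX groups), keeping only the low byte; the values at even positions are left as they are. The resulting hexadecimal values, when converted into ASCII, give the output: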

domectf{WR5t4bJUIHIjdlz9QtX8HOgJeI6guMUL}

And that’s our flag!
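The decoding step described above, written out as an added Python example (it is not part of the original writeup or the challenge files). The function names are made up here, and it assumes every flag byte is printable ASCII, so even positions print as two hex digits and odd positions as ffffff followed by two.

```python
# Added example: reverses the output format produced by assem.c.
# Assumption: flag bytes are printable ASCII (0x20-0x7e), so printf("%x")
# emits 2 hex digits at even indexes and 8 (ffffffXX) at odd indexes.

# Contents of out.txt as quoted in the writeup, split only for line length.
OUT_TXT = (
    "64ffffff906dffffff9a63ffffff8b66ffffff8457ffffffad35ffffff8b34ffffff9d"
    "4affffffaa49ffffffb749ffffff9564ffffff937affffffc651ffffff8b58ffffffc7"
    "48ffffffb067ffffffb565ffffffb636ffffff9875ffffffb255ffffffb37d"
)


def encode(flag: str) -> str:
    """Mirror of the loop in assem.c, used to check the decoder round-trips."""
    out = []
    for index, ch in enumerate(flag):
        value = ord(ch)
        if index % 2 == 1:
            # ~ on an int printed with %x shows the 32-bit two's complement
            value = ~value & 0xFFFFFFFF
        out.append(format(value, "x"))
    return "".join(out)


def decode(hexdump: str) -> str:
    """Walk the dump token by token: 2 hex digits, then 8, then 2, ..."""
    chars = []
    pos = 0
    index = 0
    while pos < len(hexdump):
        width = 8 if index % 2 == 1 else 2
        token = hexdump[pos:pos + width]
        if len(token) != width:
            raise ValueError(f"truncated token at offset {pos}")
        value = int(token, 16)
        if index % 2 == 1:
            if value >> 8 != 0xFFFFFF:
                raise ValueError(f"expected ffffffXX at offset {pos}: {token}")
            value = ~value & 0xFF  # undo the NOT, keep the low byte
        if not 0x20 <= value <= 0x7E:
            raise ValueError(f"non-printable byte at offset {pos}: {token}")
        chars.append(chr(value))
        pos += width
        index += 1
    return "".join(chars)


if __name__ == "__main__":
    print(decode(OUT_TXT))
```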

Written by
Gincy Mol A G
AI Engineer