ARMssembly 4

Challenge information

Points: 170
Tags: picoCTF 2021, Reverse Engineering
Author: DYLAN MCGUIRE

Description:
What integer does this program print with argument 2907278761? 

File: chall_4.S 

Flag format: picoCTF{XXXXXXXX} -> (hex, lowercase, no 0x, and 32 bits. ex. 5614267 would be picoCTF{0055aabb})

Hints:
1. Switching things up

Challenge link: https://play.picoctf.org/practice/challenge/183

Solutions

As in the previous challenges, we compile the assembly code and then emulate the program to find out what the answer is.

First we need to install a cross compiler to compile on a non-ARM machine such as Intel x64. We do that with sudo apt install binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu.

Then we assemble and link:

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Reverse_Engineering/ARMssembly_4]
└─$ aarch64-linux-gnu-as -o chall_4.o chall_4.S                           

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Reverse_Engineering/ARMssembly_4]
└─$ aarch64-linux-gnu-gcc -static -o chall_4 chall_4.o

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Reverse_Engineering/ARMssembly_4]
└─$ file chall_4
chall_4: ELF 64-bit LSB executable, ARM aarch64, version 1 (GNU/Linux), statically linked, BuildID[sha1]=dd6c8b64674faca69b26b7018cb23f3085e7fcb9, for GNU/Linux 3.7.0, not stripped

Next, we need QEMU to emulate the execution environment. We install it with sudo apt install qemu-user qemu-user-static.

Then we can just run the program. In one of the previous challenges I had to reboot my machine before the emulation worked.

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Reverse_Engineering/ARMssembly_4]
└─$ ./chall_4 2907278761                              
Result: 2907278876

To convert the result to hexadecimal, we can use an interactive Python session:

┌──(kali㉿kali)-[/mnt/…/picoCTF/picoCTF_2021/Reverse_Engineering/ARMssembly_4]
└─$ python
Python 3.11.4 (main, Jun  7 2023, 10:13:09) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> hex(2907278876)
'0xad498e1c'
>>> exit()

Then all we need is to create the flag according to the instructions.
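The steps above can be collected into one script. This is an added example, not part of the original write-up: the function names and the solve.sh file name are assumptions. It calls qemu-aarch64 explicitly, because running ./chall_4 directly only works when a binfmt_misc handler for AArch64 is registered, and it zero-pads the result to 8 hex digits as the flag format requires, which hex() alone does not do for smaller results.

```shell
#!/usr/bin/env bash
# Added example: assemble, link, emulate and format the flag in one pass.
# Usage (assumed file name): ./solve.sh chall_4.S 2907278761

# Format an integer as the flag body: truncated to 32 bits, lowercase hex,
# zero-padded to 8 digits, no 0x prefix.
to_flag() {
    printf 'picoCTF{%08x}\n' "$(( $1 & 0xffffffff ))"
}

# Extract the number from the program's "Result: N" output line.
parse_result() {
    sed -n 's/^Result: \(-\{0,1\}[0-9][0-9]*\)$/\1/p'
}

solve() {
    local src=$1 arg=$2 tool workdir out
    # Fail early if the cross toolchain or the user-mode emulator is missing.
    for tool in aarch64-linux-gnu-as aarch64-linux-gnu-gcc qemu-aarch64; do
        command -v "$tool" >/dev/null || { echo "missing: $tool" >&2; return 1; }
    done
    workdir=$(mktemp -d) || return 1
    # Invoke the emulator by name instead of relying on a binfmt_misc handler.
    aarch64-linux-gnu-as -o "$workdir/chall.o" "$src" &&
        aarch64-linux-gnu-gcc -static -o "$workdir/chall" "$workdir/chall.o" &&
        out=$(qemu-aarch64 "$workdir/chall" "$arg" | parse_result)
    rm -rf "$workdir"
    [ -n "$out" ] || { echo "no Result line in output" >&2; return 1; }
    to_flag "$out"
}

# Run only when called with a source file and an argument.
if [ "$#" -eq 2 ]; then solve "$@"; fi
```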

For additional information, please see the references below.

References