This code is from the picoCTF 2018:

    asm3:
        push    ebp
        mov     ebp,esp
        mov     eax,0xbc
        xor     al,al
        mov     ah,BYTE PTR [ebp+0x9]
        sal     ax,0x10
        sub     al,BYTE PTR [ebp+0xc]
        add     ah,BYTE PTR [ebp+0xd]
        xor     ax,WORD PTR [ebp+0x10]
        mov     esp,ebp
        pop     ebp
        ret

I'm quite new at solving CTFs, but I'm progressing. But one thing frustrates me. At this CTF, 3 inputs were given. But by my logic, there are 4. (I'm not asking for hints for the CTF, because I've already solved it by using this as an asm function and supplying inputs.) By my logic this should work like:

    Enter 4 inputs: *User Entered 3*
    Error. 4th input not found

But in fact... it gives the right answer, not an error. From my point of view, the inputs are:

1) BYTE PTR [ebp+0x9]
2) BYTE PTR [ebp+0xc]
3) BYTE PTR [ebp+0xd]
4) WORD PTR [ebp+0x10]

If someone can... please tell me how to figure out which pointer is an input and which is not.

Raicha
  • You can't tell from this much code. The bytes at `0xc` and `0xd` might have been read in as a single word input for example. – Jester Mar 10 '19 at 17:18
  • But at the CTF in picoCTF 2018 (Assembly 3) there's only so much given. Inputs are: `asm3(0xbda42100,0xb98dd6a5,0xecded223)` – Raicha Mar 10 '19 at 17:40
  • Since all of those are dwords that means you got 12 bytes worth of input some of which are not used. `[ebp+0x9]` is the second byte of the first argument, ie. `0x21`. `[ebp+0xc]` is the first byte of the second argument, ie. `0xa5`. `[ebp+0xd]` is the second byte of the second argument, ie. `0xd6`. `[ebp+0x10]` is the low word of the third argument, ie. `0xd223`. – Jester Mar 10 '19 at 17:51
  • As I see... 0x9 = 9 ; 0xc = 12 ; 0xd=11 ; 0x10=10. These look like 4 inputs. And even their location seems to be logical. Because inputs are usually next to each other. And there it's very easy to see. 1) bp +9 2) bp + 12 3) bp +11 4) bp + 10 – Raicha Mar 10 '19 at 18:00
  • No? `0xc=12`, `0xd=13`, `0x10=16`. The dword arguments are next to each other, yes. – Jester Mar 10 '19 at 18:02
  • Honestly... I don't understand anything by this point xD – Raicha Mar 10 '19 at 18:04
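
Added example (not part of the original question or comments): a C emulation of the listing that places the three dword arguments from the comment thread in a little-endian stack frame and shows which argument, and which byte of it, each `[ebp+off]` access touches. It assumes the usual 32-bit cdecl layout (saved `ebp` at `[ebp+0]`, return address at `[ebp+4]`, first argument at `[ebp+8]`); the function names are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed cdecl frame: [ebp+0] saved ebp, [ebp+4] return address, [ebp+8] arg1, ... */
static void build_frame(uint8_t frame[20], uint32_t a1, uint32_t a2, uint32_t a3)
{
    uint32_t slots[5] = { 0, 0, a1, a2, a3 };  /* first two slots are placeholders */
    for (int i = 0; i < 5; i++)
        for (int b = 0; b < 4; b++)
            frame[4 * i + b] = (uint8_t)(slots[i] >> (8 * b));  /* little-endian */
}

static uint16_t word_at(const uint8_t *p, int off) { return (uint16_t)(p[off] | p[off + 1] << 8); }

/* Which dword argument (1-based) and which byte of it (0 = lowest) an offset hits. */
int arg_index(int off) { return (off - 8) / 4 + 1; }
int arg_byte(int off)  { return (off - 8) % 4; }

uint32_t asm3_emulated(uint32_t a1, uint32_t a2, uint32_t a3)
{
    uint8_t ebp[20];
    build_frame(ebp, a1, a2, a3);

    uint32_t eax = 0xbc;                                   /* mov eax,0xbc          */
    eax &= 0xffffff00u;                                    /* xor al,al             */
    eax = (eax & 0xffff00ffu) | ((uint32_t)ebp[0x9] << 8); /* mov ah,[ebp+0x9]      */
    uint16_t ax = (uint16_t)eax;
    ax = (uint16_t)((uint32_t)ax << 0x10);                 /* sal ax,0x10 -> ax = 0 */
    uint8_t al = (uint8_t)ax, ah = (uint8_t)(ax >> 8);
    al = (uint8_t)(al - ebp[0xc]);                         /* sub al,[ebp+0xc]      */
    ah = (uint8_t)(ah + ebp[0xd]);                         /* add ah,[ebp+0xd]      */
    ax = (uint16_t)((ah << 8) | al);
    ax ^= word_at(ebp, 0x10);                              /* xor ax,[ebp+0x10]     */
    return (eax & 0xffff0000u) | ax;                       /* upper half of eax unchanged */
}

int main(void)
{
    const int offs[] = { 0x9, 0xc, 0xd, 0x10 };
    for (int i = 0; i < 4; i++)
        printf("[ebp+0x%x] -> argument %d, byte %d\n", offs[i], arg_index(offs[i]), arg_byte(offs[i]));
    printf("asm3 = 0x%x\n", (unsigned)asm3_emulated(0xbda42100u, 0xb98dd6a5u, 0xecded223u));
    return 0;
}
```

The four memory operands fall inside only three 4-byte slots, which is why three arguments are enough.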
