pwntools-level-2.2

Sangharsha

Objective:

This level requires you to write an assembly code snippet to meet the following condition to bypass the check, and use the asm API from pwntools to compile the assembly code and complete the challenge. The condition for this challenge is:

Calculate a specific formula (refer to the `trace` method of the `ASMChallenge` class)

In short, we have to write raw assembly that computes that equation from the values already sitting in the registers and leaves the result in rax.

Core Code:

def trace(self):
    self.start()
    return (self.rax == self.init_rax % self.init_rbx + self.init_rcx - self.init_rsi)

What’s happening:

  • it checks

      rax == (init_rax % init_rbx) + init_rcx - init_rsi
    
  • If that is TRUE, we get the flag.

  • The operands are randomized at run time, so the assembly cannot hardcode them; it has to read them from the registers the challenge sets up:

      init_rax = random.randint(0, 0x100000000)
      init_rbx = random.randint(0, 0x100000000)
      init_rcx = random.randint(0, 0x100000000)
      init_rsi = random.randint(0, 0x100000000)
    

    Solution:

    An unsigned division gives us rax % rbx (x86 leaves the remainder in rdx), and the rest is one add and one sub:

      xor     rdx, rdx        ; Zero rdx 
      div     rbx             ; rax = rax / rbx, rdx = rax % rbx
      mov     rax, rdx        ; move (mod) to rax
      add     rax, rcx        ; + rcx
      sub     rax, rsi        ; - rsi
    

    Crafting this took some time; here is what each instruction does:

  • xor rdx, rdx → Zero out RDX, because div takes its 128-bit dividend from rdx:rax. If rdx held leftover data the dividend would be wrong, and a quotient that does not fit in 64 bits would fault.

  • div rbx → Unsigned division: (rdx:rax) / rbx

    • → Quotient → rax

    • → Remainder → rdx

  • mov rax, rdx → Pull the remainder for the modulo operation.

  • add rax, rcx → +rcx

  • sub rax, rsi → -rsi

Then rax holds the exact value the challenge expects. One edge case: init_rbx is drawn from randint(0, 0x100000000), so it can be 0, and div by zero raises a divide error that kills the process. That draw is rare enough that simply rerunning the exploit is the fix.
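Before sending bytes at the real binary it is worth checking the snippet offline. The following is an added example, not part of the original post or the challenge code: a tiny Python model of the five instructions (64-bit registers, unsigned div over rdx:rax, the #DE fault on a zero divisor), fuzzed against the trace() formula with the same randint range the challenge uses. It assumes the checker compares rax as an unsigned 64-bit value, so the formula is reduced mod 2^64 for the cases where init_rcx - init_rsi drives the result negative.

```python
"""Offline emulation of the level's five-instruction solution.

Added example, not from the original post. It models just enough of
x86-64 to run the snippet: 64-bit registers, unsigned DIV with the
RDX:RAX dividend, and the #DE fault raised on a zero divisor.
"""
import random

MASK64 = (1 << 64) - 1


class DivideError(Exception):
    """Stands in for the CPU's #DE fault (divisor 0 or quotient > 64 bits)."""


def run_solution(regs):
    """Execute xor rdx,rdx / div rbx / mov rax,rdx / add rax,rcx / sub rax,rsi.

    `regs` maps register names to unsigned 64-bit values; returns the final
    register file. All arithmetic wraps at 64 bits like the hardware does.
    """
    r = dict(regs)
    r["rdx"] = 0                                  # xor rdx, rdx
    if r["rbx"] == 0:                             # div rbx: #DE on a zero divisor
        raise DivideError("div by zero")
    dividend = (r["rdx"] << 64) | r["rax"]        # 128-bit RDX:RAX
    quot, rem = divmod(dividend, r["rbx"])
    if quot > MASK64:                             # #DE if the quotient overflows RAX
        raise DivideError("quotient overflow")
    r["rax"], r["rdx"] = quot, rem                # quotient -> rax, remainder -> rdx
    r["rax"] = r["rdx"]                           # mov rax, rdx
    r["rax"] = (r["rax"] + r["rcx"]) & MASK64     # add rax, rcx
    r["rax"] = (r["rax"] - r["rsi"]) & MASK64     # sub rax, rsi
    return r


def expected(init):
    """The trace() formula, reduced mod 2^64 so a negative Python result lines
    up with the wrapped register value (assumption: the checker compares rax
    as unsigned 64-bit)."""
    return (init["rax"] % init["rbx"] + init["rcx"] - init["rsi"]) & MASK64


def random_init(rng):
    """Constructed register file using the same range as the challenge."""
    return {name: rng.randint(0, 0x100000000) for name in ("rax", "rbx", "rcx", "rsi")}


def fuzz(trials=10_000, seed=0):
    """Check the snippet against the formula on random register files.

    Returns (passed, div_by_zero); div_by_zero counts the draws where
    init_rbx came out 0, which the real challenge would also crash on.
    """
    rng = random.Random(seed)
    passed = div_by_zero = 0
    for _ in range(trials):
        init = random_init(rng)
        try:
            final = run_solution(init)
        except DivideError:
            div_by_zero += 1
            continue
        assert final["rax"] == expected(init), init
        passed += 1
    return passed, div_by_zero


if __name__ == "__main__":
    print(fuzz())
```

The emulator is deliberately strict about the #DE conditions so that a snippet which forgets the xor rdx, rdx shows up as a fault here instead of as a silent crash against the real binary.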

from pwn import *

# Target is a 64-bit Linux binary; debug logging shows every byte sent/received.
context(arch="amd64", os="linux", log_level="debug")

def print_lines(io):
    # Drain the process output (including the flag) until it exits.
    while True:
        try:
            line = io.recvline()
            success(line.decode())
        except EOFError:
            break

p = process("/challenge/pwntools-tutorials-level2.2")

# Assemble the snippet into raw machine code for the arch set in context().
payload = asm("""
    xor     rdx, rdx
    div     rbx
    mov     rax, rdx
    add     rax, rcx
    sub     rax, rsi
""")

# The challenge expects raw bytes (no newline) after this prompt.
p.sendafter(b"Please give me your assembly in bytes", payload)
print_lines(p)

Flag:
