@hgarrereyn
Created December 22, 2019 16:54
Annotated disassembly for Change VM - justCTF 2019
# _start: print the banner and prompt, read the candidate password into the
# buffer at 2048, and branch on how many bytes were read.
# Encoding visible in this listing: 4 bytes per instruction, opcode first,
# 16-bit little-endian immediates (`28 00` decodes as 40). Jump targets look
# like offsets from the 0x2000 code base: 80 == 0x50 matches _correct_len at
# [2050].
# NOTE(review): setkey presumably re-keys how the following instructions are
# decoded (its 16-bit immediate is shown doubled, `D2 04` -> 4D204D2); the
# opcode's semantics are not shown here - confirm against the VM itself.
_start:
[2000] :: 01 01 00 00 :: ld r1, 0 # r1 = offset of the banner text
[2004] :: 01 02 28 00 :: ld r2, 40 # r2 = banner length
[2008] :: 0C 01 02 00 :: write(buf=r1, n=r2) # banner (hello!)
[200C] :: 01 01 28 00 :: ld r1, 40 # prompt text follows the banner
[2010] :: 01 02 03 00 :: ld r2, 3
[2014] :: 0C 01 02 00 :: write(buf=r1, n=r2) # prompt (>>)
[2018] :: 0E 00 D2 04 :: setkey 4D204D2
[201C] :: 01 04 00 08 :: ld r4, 2048 # r4 = input buffer address
[2020] :: 01 05 2F 00 :: ld r5, 47 # flag len: number of bytes _loop checks
[2024] :: 0E 00 61 1E :: setkey 1E611E61
[2028] :: 01 0A 32 00 :: ld r10, 50 # r10 = read size limit
[202C] :: 01 0B 30 00 :: ld r11, 48 # r11 = byte count required below
[2030] :: 0B 04 0A 00 :: read(buf=r4, n=r10) # read into 2048 (50 bytes)
[2034] :: 0E 00 03 D9 :: setkey D903D903
[2038] :: 01 03 50 00 :: ld r3, 80 # 0x2050 = _correct_len
# r0 presumably holds the byte count returned by read - TODO confirm.
# 48 is one more than the 47 checked bytes; presumably a trailing newline.
[203C] :: 0F 00 0B 03 :: jeq [r3], (r0 == r11) # 48 bytes
# Fall-through: wrong length, report failure and stop.
[2040] :: 01 01 3B 00 :: ld r1, 59
[2044] :: 01 02 13 00 :: ld r2, 19
[2048] :: 0C 01 02 00 :: write(buf=r1, n=r2) # Wrong password :(
[204C] :: 0D 00 00 00 :: exit
# _correct_len: reached when the length test in _start passes. Prints a
# status message, writes a zero byte after the input, then sets up the
# pointers and accumulator used by _loop.
_correct_len:
[2050] :: 0E 00 29 09 :: setkey 9290929
[2054] :: 01 01 2C 00 :: ld r1, 44
[2058] :: 01 02 0F 00 :: ld r2, 15
[205C] :: 0C 01 02 00 :: write(buf=r1, n=r2) # Lets'check...
# r3 = r4 + r0 = 2048 + r0. If r0 is still the read count (assumes write
# leaves r0 untouched - TODO confirm) this is 2048 + 48, inside the 50-byte
# read window.
[2060] :: 03 03 04 00 :: add r3, r4, r0
[2064] :: 01 06 00 00 :: ld r6, 0
[2068] :: 08 03 06 00 :: sb r6 -> (r3) # store a zero byte at r3 (terminator, presumably)
[206C] :: 0E 00 9A 02 :: setkey 29A029A
[2070] :: 01 06 00 00 :: ld r6, 0 # r6 = loop index i
[2074] :: 01 07 4E 01 :: ld r7, 334 # hidden: first constant table
[2078] :: 01 08 E7 01 :: ld r8, 487 # second constant table
# 8192 == 0x2000, the address of _start in this listing, so the third byte
# stream appears to be the program's own leading code bytes. Whether memory
# holds them encoded or decoded at this point is not visible here.
[207C] :: 01 09 00 20 :: ld r9, 8192
[2080] :: 01 0C 00 00 :: ld r12, 0 # r12 = running sum of mismatch terms
[2084] :: 01 01 00 00 :: ld r1, 0
[2088] :: 01 02 00 00 :: ld r2, 0
[208C] :: 01 0B 00 08 :: ld r11, 2048 # user input (r11 is reused as the input pointer)
[2090] :: 0E 00 1D 23 :: setkey 231D231D
# _loop: for each index i (r6) from 0 while i < r5, compute
#   [r11] ^ [r7] ^ [r8] ^ [r9] ^ i
# and add it to r12; all four pointers advance by one per iteration. The
# verdict is one r12 == 0 test after the loop, with no per-byte early exit.
# NOTE(review): if lb zero-extends (not shown here), every term is 0..255 and
# the total cannot exceed 47 * 255 = 11985, so r12 is zero only when every
# term is zero. The sum is then a byte-wise equality test against values
# stored alongside the program - obfuscation rather than secrecy.
_loop:
[2094] :: 07 01 0B 00 :: lb r1 <- (r11) # r1 = input byte
[2098] :: 07 02 07 00 :: lb r2 <- (r7)
[209C] :: 04 01 01 02 :: xor r1, r1, r2 # [r7] ^ [r11]
[20A0] :: 07 02 08 00 :: lb r2 <- (r8)
[20A4] :: 04 01 01 02 :: xor r1, r1, r2 # [r7] ^ [r11] ^ [r8]
[20A8] :: 07 02 09 00 :: lb r2 <- (r9)
[20AC] :: 04 01 01 02 :: xor r1, r1, r2 # [r7] ^ [r11] ^ [r8] ^ [r9]
[20B0] :: 04 01 01 06 :: xor r1, r1, r6 # ... ^ i (r6 is the loop index)
[20B4] :: 03 0C 0C 01 :: add r12, r12, r1 # accumulate the term into r12
[20B8] :: 01 0E 01 00 :: ld r14, 1 # increment pointers
[20BC] :: 03 06 06 0E :: add r6, r6, r14 # len
[20C0] :: 03 07 07 0E :: add r7, r7, r14
[20C4] :: 03 08 08 0E :: add r8, r8, r14
[20C8] :: 03 09 09 0E :: add r9, r9, r14
[20CC] :: 03 0B 0B 0E :: add r11, r11, r14
[20D0] :: 01 0F 94 00 :: ld r15, 148 # 0x2094 = _loop
[20D4] :: 06 06 05 0F :: jlt [r15], (r6 < r5) # repeat while i < r5
[20D8] :: 0E 00 28 03 :: setkey 3280328
[20DC] :: 01 00 F8 00 :: ld r0, 248 # 0x20f8 = _good_pass
[20E0] :: 01 01 00 00 :: ld r1, 0
[20E4] :: 0F 0C 01 00 :: jeq [r0], (r12 == r1) # r12 needs to be zero
# Fall-through: non-zero sum, report failure and stop.
[20E8] :: 01 01 3B 00 :: ld r1, 59
[20EC] :: 01 02 13 00 :: ld r2, 19
[20F0] :: 0C 01 02 00 :: write(buf=r1, n=r2) # Wrong password :(
[20F4] :: 0D 00 00 00 :: exit
# _good_pass: jump target of the r12 == 0 test at [20E4]; prints the 33-byte
# success message stored at offset 536 and exits.
_good_pass:
[20F8] :: 01 01 18 02 :: ld r1, 536 # r1 = offset of the success text
[20FC] :: 01 02 21 00 :: ld r2, 33 # r2 = message length
[2100] :: 0C 01 02 00 :: write(buf=r1, n=r2) # Good password. Congratulations!
[2104] :: 0D 00 00 00 :: exit