PWN College CSE 466 - Assembly Crash Course


level1

/* Level 1 (GAS, AT&T syntax: source operand first, destination last).
 * Loads the constant 0x1337 into rdi. */
        .text
        movq    $0x1337, %rdi
# Assemble asm.S into an object file.
as asm.S -o asm.o
# Copy only the .text section out as raw bytes (no ELF headers).
objcopy --only-section=.text -O binary asm.o asm.bin
# Feed the raw machine code to the challenge on stdin.
cat ./asm.bin | /challenge/run

level2

/* Level 2: rdi = rdi + 0x331337 (AT&T operand order). */
        .text
        addq    $0x331337, %rdi

level3

/* Level 3: rax = rdi * rsi + rdx.
 * The product and sum are built in rdi (so rdi is overwritten), then copied
 * to rax. Only the low 64 bits of the product are kept. */
        .text
        imulq   %rsi, %rdi              /* rdi = rdi * rsi */
        addq    %rdx, %rdi              /* rdi = rdi + rdx */
        movq    %rdi, %rax              /* result in rax   */

level4

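/* Level 4: rax = rdi / rsi (unsigned).
 * divq divides the 128-bit value rdx:rax by its operand, so rdx must be
 * cleared first; otherwise the quotient depends on whatever rdx happened to
 * hold, and a large stale rdx can raise a divide error (#DE).
 * Out: rax = quotient, rdx = remainder. A zero rsi still faults. */
        .text
        movq    %rdi, %rax              /* low half of the dividend */
        xorl    %edx, %edx              /* high half of the dividend = 0 */
        divq    %rsi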

level5

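/* Level 5: rax = rdi % rsi (unsigned).
 * divq divides rdx:rax by its operand and leaves the remainder in rdx, so
 * rdx is zeroed before the divide; a stale rdx would change the result or
 * raise a divide error (#DE). A zero rsi still faults. */
        .text
        movq    %rdi, %rax              /* low half of the dividend */
        xorl    %edx, %edx              /* high half of the dividend = 0 */
        divq    %rsi
        movq    %rdx, %rax              /* remainder is the answer */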

level6

/* Level 6: copy the low byte of rdi into al and the low word of rsi into bx.
 * NOTE(review): 8- and 16-bit register writes leave the upper bits of
 * rax/rbx untouched, so rax == rdi % 256 and rbx == rsi % 65536 only if
 * those upper bits were already zero -- confirm the initial register state. */
        .text
        mov     %dil, %al               /* al = low 8 bits of rdi  */
        mov     %si, %bx                /* bx = low 16 bits of rsi */

level7

/* Level 7: rax = bits 32..39 of rdi, extracted with shifts only.
 * The left shift discards bits 40..63; the logical right shift then drops
 * bits 0..31 and zero-fills from the top. rdi is overwritten. */
        .text
        shlq    $24, %rdi               /* bits 32..39 move up to 56..63 */
        shrq    $56, %rdi               /* ...and back down to 0..7      */
        movq    %rdi, %rax

level8

/* Level 8: rax = rdi & rsi, written without any mov.
 * rax is cleared, then XORing a value into zero copies it. rsi is
 * overwritten with the AND result. */
        .text
        xorq    %rax, %rax              /* rax = 0             */
        andq    %rdi, %rsi              /* rsi = rdi & rsi     */
        xorq    %rsi, %rax              /* rax = 0 ^ rsi = rsi */

level9

/* Level 9: rax = 1 when rdi is even, 0 when it is odd.
 * Bit 0 of rdi is isolated, copied into a cleared rax, and inverted.
 * rdi is overwritten with its own low bit. */
        .text
        xorq    %rax, %rax              /* rax = 0                 */
        andq    $1, %rdi                /* rdi = rdi & 1 (parity)  */
        xorq    %rdi, %rax              /* rax = parity bit        */
        xorq    $1, %rax                /* flip it: 1 means "even" */

level10

from pwn import *
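# Assemble for 64-bit x86 and log everything sent to / received from the process.
context.arch = "amd64"
context.log_level = "debug"

# Intel-syntax snippet:
#   rax keeps the value originally stored at 0x404000;
#   the value in memory becomes original + 0x1337.
# The store is written as `qword ptr` so the size override agrees with the
# 64-bit source register rdi; a `byte ptr` override with a 64-bit register is
# a contradictory operand size.
sc = """
mov rax,[0x404000]
mov rdi,rax
add rdi,0x1337
mov qword ptr[0x404000],rdi
"""

# Start the challenge binary and hand it the assembled bytes on stdin.
p = process("/challenge/run")

p.send(asm(sc))
p.interactive()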

level11

/* Level 11 (GAS Intel syntax): read the same address at four access widths.
 * The al and bx loads leave the upper bits of rax/rbx unchanged; the ecx
 * load zero-extends into rcx. */
        mov     al,  byte ptr  [0x404000]       /* 1 byte  */
        mov     bx,  word ptr  [0x404000]       /* 2 bytes */
        mov     ecx, dword ptr [0x404000]       /* 4 bytes */
        mov     rdx, qword ptr [0x404000]       /* 8 bytes */

level12

/* Level 12: store two 64-bit constants through the pointers in rdi and rsi.
 * A store to memory accepts at most a sign-extended 32-bit immediate, so
 * each constant is staged in rax first. rax ends up holding 0xc0ffee0000. */
        mov     rax, 0xdeadbeef00001337
        mov     qword ptr [rdi], rax            /* *rdi = 0xdeadbeef00001337 */
        mov     rax, 0xc0ffee0000
        mov     qword ptr [rsi], rax            /* *rsi = 0xc0ffee0000       */

level13

/* Level 13: *rsi = rdi[0] + rdi[1], treating rdi as a pointer to two
 * consecutive qwords. Clobbers rax and rbx; the sum wraps modulo 2^64. */
        mov     rax, qword ptr [rdi]            /* first qword  */
        mov     rbx, qword ptr [rdi + 8]        /* second qword */
        add     rax, rbx
        mov     qword ptr [rsi], rax            /* store the sum */

level15

/* Level 15: replace the value on top of the stack with (value - rdi).
 * rsp is the same before and after; rax is left holding the new value. */
        pop     rax                             /* rax = old top of stack */
        sub     rax, rdi                        /* rax = rax - rdi        */
        push    rax                             /* write it back          */

level16

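/* Level 16: push the unsigned average of the four qwords at the top of the
 * stack, reading them through rsp offsets instead of popping.
 * div divides rdx:rax by its operand, so rdx is cleared first; a stale rdx
 * would corrupt the quotient or raise a divide error (#DE).
 * Clobbers rax, rbx, rdx. The sum itself wraps modulo 2^64. */
        mov     rax, qword ptr [rsp]
        add     rax, qword ptr [rsp + 8]
        add     rax, qword ptr [rsp + 16]
        add     rax, qword ptr [rsp + 24]
        mov     rbx, 4                          /* number of values */
        xor     edx, edx                        /* high half of the dividend = 0 */
        div     rbx                             /* rax = sum / 4 */
        push    rax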

level17

# Assembly source built as one newline-joined string:
#   - a relative jump over the padding ("$" is the address of the jmp itself),
#   - 0x51 single-byte nops as the padding,
#   - the landing code: pop the top of the stack into rdi, then jump to the
#     absolute address 0x403000 through rax.
# The empty list entries reproduce the blank lines of the original text.
sc = "\n".join(
    ["", "jmp $+0x53"]
    + ["nop"] * 0x51
    + ["", "pop rdi", "mov rax,0x403000", "jmp rax", ""]
)

level18

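/* Level 18: three-way branch on the dword at [rdi]; result in eax.
 *   [rdi] == 0x7f454c46 : eax = [rdi+4] + [rdi+8] + [rdi+12]
 *   [rdi] == 0x00005A4D : eax = [rdi+4] - [rdi+8] - [rdi+12]
 *   otherwise           : eax = [rdi+4] * [rdi+8] * [rdi+12]  (low 32 bits)
 * Both taken branches jump to a common exit label, which is defined at the
 * end of the snippet so the jumps resolve. The selector is compared as a
 * 32-bit value in both tests.
 * Clobbers ebx and, through mul, edx. */
        mov     eax, dword ptr [rdi]            /* selector */
        cmp     eax, 0x7f454c46
        jne     case2
        mov     eax, dword ptr [rdi + 4]
        add     eax, dword ptr [rdi + 8]
        add     eax, dword ptr [rdi + 12]
        jmp     done
case2:
        cmp     eax, 0x00005A4D
        jne     case3
        mov     eax, dword ptr [rdi + 4]
        sub     eax, dword ptr [rdi + 8]
        sub     eax, dword ptr [rdi + 12]
        jmp     done
case3:
        mov     eax, dword ptr [rdi + 4]
        mov     ebx, dword ptr [rdi + 8]
        mul     ebx                             /* edx:eax = eax * ebx */
        mov     ebx, dword ptr [rdi + 12]
        mul     ebx
done: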

level19

/* Level 19: jump-table dispatch. rsi = table of qword targets, rdi = index.
 * The index is bounds-checked before it is used to address the table:
 * indices 0..3 select their own entry, anything larger takes entry 4.
 * The compare is unsigned (ja), so an index with the top bit set is treated
 * as out of range rather than as a negative offset into memory. */
        xor     rax, rax
        cmp     rdi, 3
        ja      default_case                    /* index > 3: use the default slot */
        mov     rax, qword ptr [rsi + rdi*8]    /* in range: table[index] */
        jmp     rax
default_case:
        mov     rax, qword ptr [rsi + 4*8]      /* table[4] */
        jmp     rax

level20

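/* Level 20: rax = unsigned average of rsi qwords starting at rdi.
 * In:    rdi = address of the first qword, rsi = element count
 * Out:   rax = sum / count (0 when count is 0); rdx = remainder
 * Clobb: rbx, rdx, flags
 * A zero count is handled up front: without the guard the index would wrap
 * below zero, the loop would read far outside the buffer, and the final
 * divide would fault. rdx is cleared before div because the dividend is the
 * 128-bit pair rdx:rax. The running sum wraps modulo 2^64. */
        xor     eax, eax                        /* running sum = 0 */
        test    rsi, rsi
        jz      avg_done                        /* empty input: result stays 0 */
        mov     rbx, rsi                        /* rbx = elements left to add */
sum_loop:
        sub     rbx, 1
        add     rax, qword ptr [rdi + rbx*8]    /* walk from the last element down */
        test    rbx, rbx
        jnz     sum_loop
        xor     edx, edx                        /* high half of the dividend = 0 */
        div     rsi
avg_done: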

level21

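/* Level 21: rax = number of consecutive non-zero bytes starting at rdi.
 * In:  rdi = address of the first byte, or 0
 * Out: rax = count (0 when rdi is 0)
 * Each step tests exactly one byte. Loading a full qword for the test would
 * only stop on eight zero bytes in a row and would read up to seven bytes
 * past the terminator. */
        xor     eax, eax                        /* count = 0 */
        test    rdi, rdi
        jz      done                            /* null pointer: count stays 0 */
count_loop:
        cmp     byte ptr [rdi + rax], 0
        je      done                            /* terminator reached */
        add     rax, 1
        jmp     count_loop
done: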

level22

/* Level 22: walk the zero-terminated byte string at rdi. Every byte whose
 * value is <= 90 is passed in dil to the routine at 0x403000 and replaced in
 * place by the al that routine returns; rax counts the bytes replaced.
 * In:  rdi = string address, or 0
 * Out: rax = number of bytes replaced (0 when rdi is 0)
 * NOTE(review): rsi (cursor) and rdx (saved count) are live across the call,
 * and bl is written without rbx being saved -- confirm the routine at
 * 0x403000 leaves rsi/rdx intact and that the caller does not rely on rbx. */
        mov     rax, 0                          /* replaced-byte count */
        mov     rsi, rdi                        /* rsi = cursor */
        test    rsi, rsi
        jz      finished                        /* null pointer: nothing to do */
scan:
        mov     bl, byte ptr [rsi]
        test    bl, bl
        jz      finished                        /* terminator */
        cmp     bl, 90
        ja      advance                         /* above 90: leave the byte alone */
        mov     dil, bl                         /* argument byte */
        mov     rdx, rax                        /* park the count; rax receives the result */
        mov     rcx, 0x403000
        call    rcx
        mov     byte ptr [rsi], al              /* store the returned byte in place */
        mov     rax, rdx
        add     rax, 1
advance:
        add     rsi, 1
        jmp     scan
finished:
        ret

level23

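/* Level 23: return the most frequent byte value in a buffer.
 * In:    rdi = buffer address, rsi = size in bytes
 * Out:   rax = byte value with the highest count (lowest value wins a tie)
 * Clobb: rcx, rdx, r8, flags
 * Stack: saved rbp plus a 256-byte table of one-byte counters. The counter
 *        for byte value b lives at [rsp + b], i.e. in [rbp-0x100, rbp-1].
 *
 * The table has a fixed size of 256 entries, independent of the input size,
 * and is zeroed before use so no stale stack contents are counted. Counts
 * are compared as unsigned values, so a count above 127 is not mistaken for
 * a negative one. rbp is saved and restored, and rbx is not touched.
 * Counters are one byte wide, so a value that occurs 256 or more times wraps
 * around. */
        push    rbp
        mov     rbp, rsp
        sub     rsp, 0x100                      /* 256 one-byte counters */

        xor     eax, eax
zero_loop:
        mov     byte ptr [rsp + rax], 0         /* clear every counter */
        add     rax, 1
        cmp     rax, 0x100
        jb      zero_loop

        xor     ecx, ecx                        /* i = 0 */
count_loop:
        cmp     rcx, rsi
        jge     scan                            /* signed: size <= 0 reads nothing */
        movzx   eax, byte ptr [rdi + rcx]       /* rax = current byte, 0..255 */
        add     byte ptr [rsp + rax], 1         /* bump its counter */
        add     rcx, 1
        jmp     count_loop

scan:
        xor     eax, eax                        /* best byte so far  */
        xor     edx, edx                        /* best count so far */
        xor     ecx, ecx                        /* b = 0 */
scan_loop:
        mov     r8b, byte ptr [rsp + rcx]
        cmp     r8b, dl
        jbe     scan_next                       /* not strictly greater: keep the earlier byte */
        mov     dl, r8b
        mov     eax, ecx
scan_next:
        add     rcx, 1
        cmp     rcx, 0x100
        jb      scan_loop

        leave                                   /* release the table, restore rbp */
        ret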