attachment:as.s of CTF/Writeup/SECCON 2014 Quals Online Winter/Advanced RISC Machine


Attachment 'as.s'


   1 passcheck-arm:     file format elf32-littlearm
   2 
   3 
   4 Disassembly of section .text:
   5 
   6 00004000 <.text>:
   7     4000:	e59fd008 	ldr	sp, [pc, #8]	; 0x4010 // sp = 0x1ffff000 (literal word at 0x4010): initial stack pointer
   8     4004:	eb0000c2 	bl	0x4314 // main()
   9     4008:	eb00001a 	bl	0x4078 // exit wrapper, with whatever main left in r0
  10     400c:	e1a00000 	nop			; (mov r0, r0)
  11     4010:	1ffff000 	svcne	0x00fff000 // data word (the initial sp), not code: objdump just decodes it as an instruction
  12     4014:	ef0000ff 	svc	0x000000ff // syscall stub: r0 = call number, r1..r3 = arguments (convention inferred from the wrappers below -- confirm against the challenge runtime, this is not the Linux EABI r7 convention)
  13     4018:	e1a0f00e 	mov	pc, lr // return to caller
  14     // exit(status): call number 1 with r1 = status ("exit" is the author's reading; the runtime's call table is not on this page)
  15     401c:	e92d4000 	stmfd	sp!, {lr}
  16     4020:	e1a01000 	mov	r1, r0 // r1 = status
  17     4024:	e3a00001 	mov	r0, #1 // r0 = call number 1
  18     4028:	ebfffff9 	bl	0x4014 // syscall stub
  19     402c:	e8bd8000 	ldmfd	sp!, {pc} // only reached if the call returns
  20 // read(fd, buf, count): call number 3; the arguments are shifted up one register so that r1 = fd, r2 = buf, r3 = count
  21     4030:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
  22     4034:	e1a0c000 	mov	ip, r0 // ip = fd
  23     4038:	e1a0e001 	mov	lr, r1 // lr = buf (lr is free here: it was saved by the push)
  24     403c:	e1a03002 	mov	r3, r2 // r3 = count
  25     4040:	e3a00003 	mov	r0, #3 // r0 = call number 3 ("read" per the author's labelling)
  26     4044:	e1a0100c 	mov	r1, ip // r1 = fd
  27     4048:	e1a0200e 	mov	r2, lr // r2 = buf
  28     404c:	ebfffff0 	bl	0x4014 // syscall stub
  29     4050:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4) // r0 is whatever the stub left there; no caller on this page checks it
  30 
  31 // write(fd, buf, count): call number 4 -- "prints a string (probably)" in the author's words; same argument shift as 0x4030
  32 // func_4054
  33     4054:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
  34     4058:	e1a0c000 	mov	ip, r0 // r12 = r0 (fd)
  35     405c:	e1a0e001 	mov	lr, r1 // lr = r1 (buf)
  36     4060:	e1a03002 	mov	r3, r2 // r3 = r2 (count)
  37     4064:	e3a00004 	mov	r0, #4 // r0 = call number 4
  38     4068:	e1a0100c 	mov	r1, ip // r1 = r12 (fd)
  39     406c:	e1a0200e 	mov	r2, lr // r2 = lr (buf)
  40     4070:	ebffffe7 	bl	0x4014 // syscall stub
  41     4074:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
  42     // exit wrapper: forwards r0 (status) to 0x401c; called from main (0x4320) and from the entry stub (0x4008)
  43     4078:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
  44     407c:	ebffffe6 	bl	0x401c // exit(r0)
  45     4080:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
  46 
  47 // func_4084(strlen): size_t strlen(const char *s) -- returns r0 = index of the first NUL byte; no bound, it walks memory until a NUL is found
  48     4084:	e1a02000 	mov	r2, r0 // r2 = s
  49     4088:	e3a00000 	mov	r0, #0 // r0 = i = 0
  50     408c:	e7d23000 	ldrb	r3, [r2, r0] // r3 = s[0]
  51     4090:	e1530000 	cmp	r3, r0      // s[0] == 0 ?  (r0 is 0 at this point)
  52     4094:	01a0f00e 	moveq	pc, lr    // return 0 for the empty string
  53     4098:	e2800001 	add	r0, r0, #1  // i++
  54     409c:	e7d23000 	ldrb	r3, [r2, r0] // r3 = s[i]
  55     40a0:	e3530000 	cmp	r3, #0
  56     40a4:	1afffffb 	bne	0x4098 // loop while s[i] != 0
  57     40a8:	e1a0f00e 	mov	pc, lr // return i
  58 
  59 
  60     40ac:	e1a02000 	mov	r2, r0 // char *strcpy(char *dst /* r0 */, const char *src /* r1 */): r2 keeps the original dst for the return value; nothing on this page calls it
  61     40b0:	e5d13000 	ldrb	r3, [r1] // r3 = *src
  62     40b4:	e3530000 	cmp	r3, #0
  63     40b8:	0a000004 	beq	0x40d0 // empty source: only write the terminator
  64     40bc:	e5d13000 	ldrb	r3, [r1] // r3 = *src
  65     40c0:	e4c03001 	strb	r3, [r0], #1 // *dst++ = r3
  66     40c4:	e5f13001 	ldrb	r3, [r1, #1]! // r3 = *++src
  67     40c8:	e3530000 	cmp	r3, #0
  68     40cc:	1afffffa 	bne	0x40bc // loop until the source NUL (no destination bound)
  69     40d0:	e3a03000 	mov	r3, #0
  70     40d4:	e5c03000 	strb	r3, [r0] // *dst = 0
  71     40d8:	e1a00002 	mov	r0, r2 // return the original dst
  72     40dc:	e1a0f00e 	mov	pc, lr
  73 
  74 // func_40e0 compare: int compare(const char *s1 /* r0 */, const char *s2 /* r1 */, int len /* r2 */) -- returns 0 on "match", 1 on mismatch
  75 int compare(char *s1, char *s2, int len) {
  76   if(*s1 == 0 && *s2 == 0) return 0;
  77   while(len-- && len >= 0) { // NOTE(review): the asm at 0x40fc-0x4104 is `while (--len != -1)`: a negative len (the caller at 0x4144 passes -1) is never stopped by the count
  78     if(*s1++ != *s2++)return 1;
  79     if(*s1==0||*s2==0)break; // NOTE(review): the asm (0x4120-0x4134) keeps looping while *s1 != 0 OR *s2 != 0, i.e. it breaks only when BOTH are NUL
  80   }
  81   return 0; // at most `len` bytes are compared: any s1 that begins with the first `len` bytes of s2 returns 0
  82 }
  83     40e0:	e1a0c002 	mov	ip, r2 ; ip = len
  84     40e4:	e5d03000 	ldrb	r3, [r0] ; r3 = *s1
  85     40e8:	e3530000 	cmp	r3, #0
  86     40ec:	1a000002 	bne	0x40fc
  87     40f0:	e5d13000 	ldrb	r3, [r1] // r3 = *s2
  88     40f4:	e3530000 	cmp	r3, #0
  89     40f8:	0a00000e 	beq	0x4138 // both strings empty: return 0
  90     40fc:	e24cc001 	sub	ip, ip, #1 // --len
  91     4100:	e37c0001 	cmn	ip, #1 // len == -1 ?
  92     4104:	0a00000b 	beq	0x4138 // count exhausted: return 0 (treated as a match)
  93     4108:	e4d02001 	ldrb	r2, [r0], #1 // r2 = *s1++
  94     410c:	e4d13001 	ldrb	r3, [r1], #1 // r3 = *s2++
  95     4110:	e1520003 	cmp	r2, r3
  96     4114:	0a000001 	beq	0x4120
  97     4118:	e3a00001 	mov	r0, #1 // mismatch: return 1
  98     411c:	e1a0f00e 	mov	pc, lr
  99     4120:	e5d03000 	ldrb	r3, [r0] // r3 = *s1 (after the increment)
 100     4124:	e3530000 	cmp	r3, #0
 101     4128:	1afffff3 	bne	0x40fc // s1 not finished: keep going
 102     412c:	e5d13000 	ldrb	r3, [r1] // r3 = *s2
 103     4130:	e3530000 	cmp	r3, #0
 104     4134:	1afffff0 	bne	0x40fc // s2 not finished: keep going
 105     4138:	e3a00000 	mov	r0, #0 // both ended together, or count exhausted: return 0
 106     413c:	e1a0f00e 	mov	pc, lr
 107     //
 108 
 109     4140:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!) // compare(s1, s2, -1): with len = -1 the count check at 0x4100 never fires, so this compares until a mismatch or until both strings end (strcmp-like, 0/1 result); nothing on this page calls it
 110     4144:	e3e02000 	mvn	r2, #0 // r2 = -1
 111     4148:	ebffffe4 	bl	0x40e0 // compare
 112     414c:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
 113 
 114 
 115     4150:	e2403061 	sub	r3, r0, #97	; 0x61 // toupper(c): r3 = c - 'a'
 116     4154:	e3530019 	cmp	r3, #25 // unsigned range check: is c in 'a'..'z' ?
 117     4158:	92400020 	subls	r0, r0, #32 // if so, r0 = c - 0x20; anything else is returned unchanged. Nothing on this page calls it
 118     415c:	e1a0f00e 	mov	pc, lr
 119 
 120 char getchar(int fd) {
 121   char buf;
 122   read(fd, &buf, 1); // NOTE(review): the read result is discarded (0x4170-0x4174): on EOF or a failed read, whatever byte sits at sp+3 is returned unchecked
 123   return buf;
 124 }
 125     4160:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
 126     4164:	e24dd004 	sub	sp, sp, #4 // 4-byte local; the char lives at sp+3
 127     4168:	e28d1003 	add	r1, sp, #3 // r1 = &buf
 128     416c:	e3a02001 	mov	r2, #1 // count = 1
 129     4170:	ebffffae 	bl	0x4030 // read(fd, &buf, 1) -- r0 (fd) passes through unchanged
 130     4174:	e5dd0003 	ldrb	r0, [sp, #3] // return buf (zero-extended byte), without looking at the read result
 131     4178:	e28dd004 	add	sp, sp, #4
 132     417c:	e8bd8000 	ldmfd	sp!, {pc}
 133  
 134  int putchar2(int fd, char c) {
 135    // body per the asm below: write(fd, &c, 1); return 0;   (the write result is ignored)
 136  }
 137     4180:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
 138     4184:	e24dd004 	sub	sp, sp, #4 // 4-byte local for c
 139     4188:	e28d3004 	add	r3, sp, #4
 140     418c:	e5631001 	strb	r1, [r3, #-1]! // r3 = sp+3; *r3 = c
 141     4190:	e1a01003 	mov	r1, r3 // r1 = &c
 142     4194:	e3a02001 	mov	r2, #1 // count = 1
 143     4198:	ebffffad 	bl	0x4054 // write(fd, &c, 1) -- r0 (fd) passes through unchanged
 144     419c:	e3a00000 	mov	r0, #0 // return 0 regardless of the write result
 145     41a0:	e28dd004 	add	sp, sp, #4
 146     41a4:	e8bd8000 	ldmfd	sp!, {pc}
 147 
 148 // getchar(0);
 149 void readchar2() { // NOTE(review): the char from getchar(0) is left in r0, so the return type is really char, not void
 150   return getchar(0);
 151 }
 152     41a8:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
 153     41ac:	e3a00000 	mov	r0, #0 // fd = 0 (stdin)
 154     41b0:	ebffffea 	bl	0x4160 // getchar(0); nothing on this page calls this wrapper
 155     41b4:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
 156 
 157 // putchar(c) = putchar2(1, c)
 158 int putchar(char s) {
 159   // "you can work out the body, right?" -- per the asm below: return putchar2(1, s);
 160 
 161 }
 162     41b8:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
 163     41bc:	e1a01000 	mov	r1, r0 // r1 = c
 164     41c0:	e3a00001 	mov	r0, #1 // fd = 1 (stdout)
 165     41c4:	ebffffed 	bl	0x4180 // putchar2(1, c); nothing on this page calls this wrapper
 166     41c8:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
 167 
 168 
 169 // filter_enter: maps CR (13) to LF (10); everything else passes through. This is why a bare '\r' also terminates the input loop at 0x41e8
 170 char filter_enter(char s) {
 171   if(s == 13) s = 10;
 172   return s;
 173 }
 174     41cc:	e350000d 	cmp	r0, #13
 175     41d0:	03a0000a 	moveq	r0, #10 // '\r' -> '\n'
 176     41d4:	e1a0f00e 	mov	pc, lr
 177 // readchar(fd): getchar(fd) followed by filter_enter() on its result (r0 chains straight through both calls)
 178 char readchar(int fd) {
 179   return filter_enter(getchar(fd));
 180 }
 181     41d8:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
 182     41dc:	ebffffdf 	bl	0x4160 // getchar(fd)
 183     41e0:	ebfffff9 	bl	0x41cc // filter_enter(r0)
 184     41e4:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
 185 
 186 
 187 // func_41e8 input -- reads bytes into s until a '\n' (after the CR->LF mapping) has been stored; there is no length limit, the size of s is never consulted
 188 int input2(int fd, char *s) {
 189   int i = 0; // NOTE(review): shadowed by the loop's own `i` below; the asm has a single counter (r4)
 190   for(int i = 0; ; i++) {
 191     s[i] = readchar(fd);
 192     if(s[i] == '\n') {
 193       s[i] = 0; // NOTE(review): per the asm (0x4204-0x4218) the '\n' stays in s[i], the NUL goes to s[i+1], and the return value is i+1
 194       break;
 195     }
 196   }
 197   return i;
 198 } 
 199     41e8:	e92d4070 	push	{r4, r5, r6, lr}
 200     41ec:	e1a06000 	mov	r6, r0 // r6 = fd
 201     41f0:	e1a05001 	mov	r5, r1 // r5 = s
 202     41f4:	e3a04000 	mov	r4, #0 // r4 = i = 0
 203     41f8:	e1a00006 	mov	r0, r6 // fd
 204     41fc:	ebfffff5 	bl	0x41d8 // readchar(fd)
 205     4200:	e20000ff 	and	r0, r0, #255	; 0xff // keep the low byte
 206     4204:	e7c40005 	strb	r0, [r4, r5] // s[i] = c -- unconditional store, i is never compared against a bound
 207     4208:	e2844001 	add	r4, r4, #1 // i++
 208     420c:	e350000a 	cmp	r0, #10
 209     4210:	1afffff8 	bne	0x41f8 // loop until a '\n' has been stored; a stream that never yields '\n' keeps writing past the end of s
 210     4214:	e3a03000 	mov	r3, #0
 211     4218:	e7c53004 	strb	r3, [r5, r4] // s[i] = 0, one past the stored '\n'
 212     421c:	e1a00004 	mov	r0, r4 // return i (byte count including the '\n')
 213     4220:	e8bd8070 	pop	{r4, r5, r6, pc}
 214 
 215 int func_4224(arg1, arg2)
 216 void print2(int fd, char *s) { // NOTE(review): strlen(s) is returned in r0 (0x424c), so the return type is int, not void
 217   write(fd, s, strlen(s));
 218   return strlen(s); // strlen is computed once (kept in r6) and reused
 219 }
 220     4224:	e92d4070 	push	{r4, r5, r6, lr}
 221     4228:	e1a04000 	mov	r4, r0 // r4 = fd
 222     422c:	e1a05001 	mov	r5, r1 // r5 = s
 223     4230:	e1a00001 	mov	r0, r1 // strlen(s)
 224     4234:	ebffff92 	bl	0x4084
 225     4238:	e1a06000 	mov	r6, r0 // r6 = len
 226     423c:	e1a00004 	mov	r0, r4 // fd
 227     4240:	e1a01005 	mov	r1, r5 // s
 228     4244:	e1a02006 	mov	r2, r6 // write(fd, s, len)
 229     4248:	ebffff81 	bl	0x4054
 230     424c:	e1a00006 	mov	r0, r6 // return len (the write result is ignored)
 231     4250:	e8bd8070 	pop	{r4, r5, r6, pc}
 232 
 233 // func_4254(arg1): readline(s) = input2(0, s) -- inherits input2's unbounded write into s
 234 int readline(char *s) {
 235   return input2(0, s); // stdin
 236 }
 237     4254:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
 238     4258:	e1a01000 	mov	r1, r0 // r1 = s
 239     425c:	e3a00000 	mov	r0, #0 // fd = 0 (stdin)
 240     4260:	ebffffe0 	bl	0x41e8 // input2(0, s)
 241     4264:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
 242 
 243 // func_4268 print: print(s) = print2(1, s); returns strlen(s)
 244 int print(char *s) {
 245   return print2(1, s); // stdout
 246 }
 247     4268:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
 248     426c:	e1a01000 	mov	r1, r0 // r1 = s
 249     4270:	e3a00001 	mov	r0, #1 // r0 = 1 // STDOUT
 250     4274:	ebffffea 	bl	0x4224 // print2(1, s)
 251     4278:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
 252     //return
 253 
 254 char *password = "holiday"; // the pointer to the password is read from 0x1fff0000 (literal at 0x42b4); the string contents are the author's claim and are not visible in this listing
 255 // check_paswsord
 256 // !important
 257 int check_password() {
 258   // frame: 8 registers pushed = 32 bytes; buf (r5 = fp - 28) starts at the saved-r1 slot, so only 28 bytes separate it from the saved lr at fp
 259   // pushed r1,r2,r3,r4,r5,r6,fp,lr
 260   char buf[32]; // r1 - fp   // NOTE(review): readline()/input2() has no length limit, so 28 or more characters before the newline reach the saved lr (return address) and the saved registers in between
 261   readline(buf);
 262   return compare(buf, password, strlen(password)); // with pop r1-r6, fp, lr   // only strlen(password) bytes are compared, so any input that begins with the password matches; the '\n' input2 leaves in buf is beyond the compared prefix
 263 }
 264 
 265     427c:	e1a0c00d 	mov	ip, sp // ip = sp on entry
 266     4280:	e92d487e 	push	{r1, r2, r3, r4, r5, r6, fp, lr} // sp -= 32 (8 regs x 4 bytes); the saved lr lands at old sp - 4
 267     4284:	e24cb004 	sub	fp, ip, #4 // fp = address of the saved lr
 268     4288:	e24b501c 	sub	r5, fp, #28 // r5 = buf = fp - 28 = the new sp (saved-r1 slot)
 269     428c:	e1a00005 	mov	r0, r5 // buf
 270     4290:	ebffffef 	bl	0x4254 // readline(buf) -- "probably input" in the author's words; unbounded, see 0x41e8
 271     4294:	e59f4018 	ldr	r4, [pc, #24]	; 0x42b4 // r4 = 0x1fff0000 (literal word below)
 272     4298:	e5940000 	ldr	r0, [r4] // r0 = *(0x1fff0000) = password pointer (a word in RAM below the initial sp 0x1ffff000)
 273     429c:	ebffff78 	bl	0x4084 // strlen(password)
 274     42a0:	e1a02000 	mov	r2, r0 // r2 = len = strlen(password)
 275     42a4:	e1a00005 	mov	r0, r5 // r0 = buf
 276     42a8:	e5941000 	ldr	r1, [r4] // r1 = the password pointer again (same word as at 0x4298 -- this is NOT a size)
 277     42ac:	ebffff8b 	bl	0x40e0 // compare(buf, password, len): 0 = match, 1 = mismatch
 278     42b0:	e8bd887e 	pop	{r1, r2, r3, r4, r5, r6, fp, pc} // restores whatever readline left in the frame, including the return address
 279     42b4:	1fff0000 	svcne	0x00ff0000 // data word (address of the password pointer), not code
 280 
 281 // 42b8:puts -- print(s), then print(the string at 0x4334, "\n" per the author); returns 0
 282 int puts(char *s) {
 283   print(s);
 284   print("\n");
 285   return 0;
 286 }
 287     42b8:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!)
 288     42bc:	ebffffe9 	bl	0x4268 // print(s)
 289     42c0:	e59f0008 	ldr	r0, [pc, #8]	; 0x42d0 // r0 = *(0x42d0) = 0x4334
 290     42c4:	ebffffe7 	bl	0x4268 // print('\n')
 291     42c8:	e3a00000 	mov	r0, #0 // return 0
 292     42cc:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
 293     42d0:	00004334 	andeq	r4, r0, r4, lsr r3 // data word (string pointer), not code
 294 
 295 // func_42d4 run(): prompt, check_password(), then one of two messages
 296 int run() {
 297   // sp - 4
 298   print("Input password: ");
 299   if(check_password()) { // NOTE(review): check_password() returns compare()'s result, which is 0 on match -- the asm takes the beq path (0x42ec, string at 0x434c) on success and the bne path (0x42f8, string at 0x4360) on failure, so this condition reads inverted; the message strings themselves are not in this listing
 300     puts("OK. Read flag.txt"); 
 301   }else{
 302     puts("Invalid password");
 303   }
 304   return 0;
 305 }
 306     42d4:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!) // -8
 307     42d8:	e59f0028 	ldr	r0, [pc, #40]	; 0x4308 "Input: password: " // r0 = *(0x4308) = 0x4338 (prompt string pointer)
 308     42dc:	ebffffe1 	bl	0x4268 // print(prompt)
 309     42e0:	ebffffe5 	bl	0x427c // check_password()
 310     42e4:	e3500000 	cmp	r0, #0 
 311     42e8:	1a000002 	bne	0x42f8 // nonzero = compare() reported a mismatch
 312     42ec:	e59f0018 	ldr	r0, [pc, #24]	; 0x430c // r0 = *(0x430c) = 0x4344 is NOT what is loaded: the word at 0x430c is 0x434c (match path message)
 313     42f0:	ebfffff0 	bl	0x42b8 // puts
 314     42f4:	ea000001 	b	0x4300
 315     42f8:	e59f0010 	ldr	r0, [pc, #16]	; 0x4310 // r0 = *(0x4310) = 0x4360 (mismatch path message)
 316     42fc:	ebffffed 	bl	0x42b8 // puts
 317     4300:	e3a00000 	mov	r0, #0 // return 0
 318     4304:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
 319     4308:	00004338 	andeq	r4, r0, r8, lsr r3 // data words (string pointers), not code
 320     430c:	0000434c 	andeq	r4, r0, ip, asr #6
 321     4310:	00004360 	andeq	r4, r0, r0, ror #6
 322 
 323 // func_4314 main(): run(); exit(0); -- the trailing return 0 is only reached if the exit call returns
 324 int main() {
 325   // sp - 4
 326   run();
 327   exit(0);
 328   return 0;
 329 }
 330     4314:	e52de004 	push	{lr}		; (str lr, [sp, #-4]!) // sp = -4
 331     4318:	ebffffed 	bl	0x42d4 // run() (0x42d4)
 332     431c:	e3a00000 	mov	r0, #0 // status 0
 333     4320:	ebffff54 	bl	0x4078 // exit(0)
 334     4324:	e3a00000 	mov	r0, #0 // return 0 (only if exit returned)
 335     4328:	e49df004 	pop	{pc}		; (ldr pc, [sp], #4)
