PicoCTF - ARMssembly 0

Source code

:::spoiler ARM assembly code

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60

.arch armv8-a .file "chall.c" .text .align 2 .global func1 .type func1, %function func1: sub sp, sp, #16 str w0, [sp, 12] str w1, [sp, 8] ldr w1, [sp, 12] ldr w0, [sp, 8] cmp w1, w0 bls .L2 ldr w0, [sp, 12] b .L3 .L2: ldr w0, [sp, 8] .L3: add sp, sp, 16 ret .size func1, .-func1 .section .rodata .align 3 .LC0: .string "Result: %ld\n" .text .align 2 .global main .type main, %function main: stp x29, x30, [sp, -48]! add x29, sp, 0 str x19, [sp, 16] str w0, [x29, 44] str x1, [x29, 32] ldr x0, [x29, 32] add x0, x0, 8 ldr x0, [x0] bl atoi mov w19, w0 ldr x0, [x29, 32] add x0, x0, 16 ldr x0, [x0] bl atoi mov w1, w0 mov w0, w19 bl func1 mov w1, w0 adrp x0, .LC0 add x0, x0, :lo12:.LC0 bl printf mov w0, 0 ldr x19, [sp, 16] ldp x29, x30, [sp], 48 ret .size main, .-main .ident "GCC: (Ubuntu/Linaro 7.5.0-3ubuntu1~18.04) 7.5.0" .section .note.GNU-stack,"",@progbits

:::

Recon

這一題是ARM架構的組語，真的懶得看，想說可以先compile完之後用IDA看一下psudo code，但search半天都找不到如何compile，compile完的東西還不能執行，要瘋了，所幸最後有找到repo的相關資料¹

Exploit

1 2 3 4

$ sudo apt install gcc-aarch64-linux-gnu -y $ sudo apt install binutils-aarch64-linux-gnu -y $ aarch64-linux-gnu-as -o a.o [the name of your source file] $ aarch64-linux-gnu-gcc -static -o [the name of the executable] a.o

再用IDA反編譯就完事了

Reference

1. Running ARMv8 via Linux Command Line ↩