@Barakat
Last active February 9, 2020 21:03
Nullcon 2020 - returminator
; ROP-chain trace for the returminator challenge, one block per chain, as
; printed by the Python script below from the 'blob' file.
; Notation: "pop REG = V" is a pop gadget followed by the 8-byte stack slot it
; consumes; the script prints "flag" for the slot value 0x4040a0 and the raw
; number for anything below 0x400000.  "pop rax = flag / pop rdi = N /
; add rax, rdi / mov rdi, rax / movzx rdi, BYTE PTR [rdi]" therefore leaves the
; zero-extended byte flag[N] in rdi; the author uses this flag[N] notation
; inline further down.  Each block ends in "call exit@plt", and the
; "; rdi = N" trailer is the target value taken from the script's r list.
; The "; i.e." line restates the block as the constraint fed to the z3 solver
; at the end of this gist.
pop rax = flag
pop rdi = 0
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 2
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
pop rax = flag
pop rdx = 4
add rax, rdx
mov rdx, rax
movzx rdx, BYTE PTR [rdx]
xor rax, rax
add rax, rdi
add rax, rsi
add rax, rdx
pop rdi = 100
sub rax, rdi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 208
; i.e. flag[0] + flag[2] + flag[4] - 100 == 208
;
; =====================
pop rax = flag
pop rdi = 6
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 8
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
pop rax = flag
pop rdx = 10
add rax, rdx
mov rdx, rax
movzx rdx, BYTE PTR [rdx]
xor rax, rax
add rax, rdi
add rax, rsi
add rax, rdx
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 225
; i.e. flag[6] + flag[8] + flag[10] == 225
;
; =====================
pop rax = flag
pop rdi = 12
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 14
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
pop rax = flag
pop rdx = 16
add rax, rdx
mov rdx, rax
movzx rdx, BYTE PTR [rdx]
xor rax, rax
add rax, rdi
add rax, rsi
add rax, rdx
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 237
; i.e. flag[12] + flag[14] + flag[16] == 237
;
; =====================
pop rax = flag
pop rdi = 18
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 1
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
pop rax = flag
pop rdx = 30
add rax, rdx
mov rdx, rax
movzx rdx, BYTE PTR [rdx]
xor rax, rax
add rax, rdi
add rax, rsi
sub rax, rdx
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 20
; i.e. flag[18] + flag[1] - flag[30] == 20
;
; =====================
pop rax = flag
pop rdi = 3
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 22
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
pop rax = flag
pop rdx = 3
add rax, rdx
mov rdx, rax
movzx rdx, BYTE PTR [rdx]
xor rax, rax
add rax, rdi
add rax, rsi
add rax, rdx
pop rdi = 100
sub rax, rdi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 214
; i.e. flag[3] + flag[22] + flag[3] - 100 == 214
;
; =====================
pop rax = flag
pop rdi = 5
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 29
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
pop rax = flag
pop rdx = 28
add rax, rdx
mov rdx, rax
movzx rdx, BYTE PTR [rdx]
pop rax = flag
pop rcx = 7
add rax, rcx
mov rcx, rax
movzx rcx, BYTE PTR [rcx]
xor rax, rax
add rax, rdi
add rax, rsi
add rax, rdx
sub rax, rcx
pop rdi = 100
sub rax, rdi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 183
; i.e. flag[5] + flag[29] + flag[28] - flag[7] - 100 == 183
;
; =====================
pop rax = flag
pop rdi = 9
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 17
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
pop rax = flag
pop rdx = 11
add rax, rdx
mov rdx, rax
movzx rdx, BYTE PTR [rdx]
xor rax, rax
add rax, rdi
add rax, rsi
sub rax, rdx
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 79
; i.e. flag[9] + flag[17] - flag[11] == 79
;
; =====================
pop rax = flag
pop rdi = 19
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 27
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
xor rax, rax
add rax, rdi ; rdi = flag[19]
add rax, rsi ; rsi = flag[27]
mov rcx, rax ; rcx = flag[19] + flag[27]
pop rax = flag
pop rdi = 13
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 15
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
pop rax = flag
pop rdx = 20
add rax, rdx
mov rdx, rax
movzx rdx, BYTE PTR [rdx]
xor rax, rax
add rax, rdi
add rax, rsi
add rax, rdx
sub rax, rcx
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 105
; i.e. flag[13] + flag[15] + flag[20] - (flag[19] + flag[27]) == 105
;
; =====================
pop rax = flag
pop rdi = 21
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 23
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
pop rax = flag
pop rdx = 23
add rax, rdx
mov rdx, rax
movzx rdx, BYTE PTR [rdx]
xor rax, rax
add rax, rdi
add rax, rsi
add rax, rdx
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 207
; i.e. flag[21] + flag[23] + flag[23] == 207
;
; =====================
pop rax = flag
pop rdi = 25
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 26
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
xor rax, rax
add rax, rdi
add rax, rsi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 217
; i.e. flag[25] + flag[26] == 217
;
; =====================
pop rax = flag
pop rdi = 30
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 125
; i.e. flag[30] == 125
;
; =====================
pop rax = flag
pop rdi = 9
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 66
; i.e. flag[9] == 66
;
; =====================
pop rax = flag
pop rdi = 8
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 123
; i.e. flag[8] == 123
;
; =====================
pop rax = flag
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 104
; i.e. flag[0] == 104 (no offset is popped, so the byte at the flag address itself)
;
; =====================
pop rax = flag
pop rdi = 1
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 97
; i.e. flag[1] == 97
;
; =====================
pop rax = flag
pop rdi = 2
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 99
; i.e. flag[2] == 99
;
; =====================
pop rax = flag
pop rdi = 3
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 107
; i.e. flag[3] == 107
;
; =====================
pop rax = flag
pop rdi = 4
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 105
; i.e. flag[4] == 105
;
; =====================
pop rax = flag
pop rdi = 5
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 109
; i.e. flag[5] == 109
;
; =====================
pop rax = flag
pop rdi = 6
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 50
; i.e. flag[6] == 50
;
; =====================
pop rax = flag
pop rdi = 7
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 48
; i.e. flag[7] == 48
;
; =====================
pop rax = flag
pop rdi = 11
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 0
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
xor rax, rax
add rax, rdi
add rax, rsi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 202
; i.e. flag[11] + flag[0] == 202
;
; =====================
pop rax = flag
pop rdi = 29
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 111
; i.e. flag[29] == 111
;
; =====================
pop rax = flag
pop rdi = 29
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 111
; i.e. flag[29] == 111 (same constraint as the previous chain; the solver lists it once)
;
; =====================
pop rax = flag
pop rdi = 29
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 13
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
xor rax, rax
add rax, rdi
sub rax, rsi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 29
; i.e. flag[29] - flag[13] == 29
;
; =====================
pop rax = flag
pop rdi = 28
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 14
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
xor rax, rax
add rax, rdi
sub rax, rsi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 63
; i.e. flag[28] - flag[14] == 63
;
; =====================
pop rax = flag
pop rdi = 28
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 15
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
xor rax, rax
add rax, rdi
add rax, rsi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 223
; i.e. flag[28] + flag[15] == 223
;
; =====================
pop rax = flag
pop rdi = 0
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 27
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
xor rax, rax
add rax, rdi
sub rax, rsi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 36
; i.e. flag[0] - flag[27] == 36
;
; =====================
pop rax = flag
pop rdi = 23
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 24
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
xor rax, rax
add rax, rdi
sub rax, rsi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 0
; i.e. flag[23] - flag[24] == 0
;
; =====================
pop rax = flag
pop rdi = 26
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 0
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
pop rax = flag
pop rdx = 1
add rax, rdx
mov rdx, rax
movzx rdx, BYTE PTR [rdx]
xor rax, rax
add rax, rdi
add rax, rsi
sub rax, rdx
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 124
; i.e. flag[26] + flag[0] - flag[1] == 124
;
; =====================
pop rax = flag
pop rdi = 19
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
call 0x4010a0 <exit@plt>
; rdi = 100
; i.e. flag[19] == 100
;
; =====================
pop rax = flag
pop rdi = 11
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 12
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
xor rax, rax
add rax, rdi
add rax, rsi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 219
; i.e. flag[11] + flag[12] == 219
;
; =====================
pop rax = flag
pop rdi = 21
add rax, rdi
mov rdi, rax
movzx rdi, BYTE PTR [rdi]
pop rax = flag
pop rsi = 20
add rax, rsi
mov rsi, rax
movzx rsi, BYTE PTR [rsi]
xor rax, rax
add rax, rdi
sub rax, rsi
mov rdi, rax
call 0x4010a0 <exit@plt>
; rdi = 32
; i.e. flag[21] - flag[20] == 32
;
; =====================
import struct
# Byte length of each ROP chain in 'blob', in file order.  The decoder below
# reads exactly this many bytes per chain and discards the first 56 of them.
o = [
    296, 272, 272, 272, 296, 360, 272, 424, 272, 208,
    120, 120, 120, 96, 120, 120, 120, 120, 120, 120,
    120, 208, 120, 120, 208, 208, 208, 208, 208, 272,
    120, 208, 208,
]

# Target value of rdi at each chain's exit() call, parallel to `o`; emitted as
# the "; rdi = N" trailer under each decoded chain.
r = [
    208, 225, 237, 20, 214, 183, 79, 105, 207, 217,
    125, 66, 123, 104, 97, 99, 107, 105, 109, 50,
    48, 202, 111, 111, 29, 63, 223, 36, 0, 124,
    100, 219, 32,
]

# Gadget address -> disassembly text used to render each 8-byte stack slot.
# Only membership tests and lookups are performed on it, so entry order is
# cosmetic; it is kept as the author wrote it (exit first, then by register).
lookup = {
    0x4011ff: 'call 0x4010a0 <exit@plt>',
    0x4011a2: 'pop rax',
    0x40119a: 'pop rdi',
    0x4011a4: 'add rax, rdi',
    0x4011ea: 'mov rdi, rax',
    0x4011d6: 'movzx rdi, BYTE PTR [rdi]',
    0x40119c: 'pop rsi',
    0x4011a8: 'add rax, rsi',
    0x4011ee: 'mov rsi, rax',
    0x4011db: 'movzx rsi, BYTE PTR [rsi]',
    0x40119e: 'pop rdx',
    0x4011ac: 'add rax, rdx',
    0x4011f2: 'mov rdx, rax',
    0x4011e0: 'movzx rdx, BYTE PTR [rdx]',
    0x4011bd: 'xor rax, rax',
    0x4011c1: 'sub rax, rdi',
    0x4011c9: 'sub rax, rdx',
    0x4011a0: 'pop rcx',
    0x4011b0: 'add rax, rcx',
    0x4011f6: 'mov rcx, rax',
    0x4011e5: 'movzx rcx, BYTE PTR [rcx]',
    0x4011cd: 'sub rax, rcx',
    0x4011c5: 'sub rax, rsi',
}
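# Layout of one chain inside 'blob': a 56-byte prefix that is skipped, then a
# sequence of 8-byte little-endian stack slots (gadget addresses or the values
# consumed by pop gadgets), ending at the exit@plt gadget.
CHAIN_HEADER = 56
SLOT = 8
EXIT_GADGET = 0x4011ff   # 'call 0x4010a0 <exit@plt>' in `lookup`; ends a chain
FLAG_ADDR = 0x4040a0     # slot value rendered as "flag"
TEXT_BASE = 0x400000     # slot values below this are popped immediates

with open('blob', 'rb') as f:
    for i, offset in enumerate(o):
        data = f.read(offset)[CHAIN_HEADER:]
        idx = 0
        while True:
            slot = data[idx:idx + SLOT]
            if len(slot) < SLOT:
                # The chain ran out before an exit gadget was seen.  The original
                # code let struct.error escape after printing the *previous* slot
                # (a NameError on the very first slot); report the position instead.
                raise ValueError(
                    f'chain {i}: no exit@plt gadget within {len(data)} bytes '
                    f'(stopped at byte {idx})')
            # Explicit '<Q': the blob holds x86-64 stack slots, so decode them as
            # little-endian regardless of the host running this script.
            gadget = struct.unpack('<Q', slot)[0]
            if gadget < TEXT_BASE or gadget == FLAG_ADDR:
                # Immediate consumed by the preceding pop gadget; printed on the
                # same line because 'pop ...' is emitted without a newline.
                print(f' = {gadget if gadget < TEXT_BASE else "flag"}')
            elif gadget not in lookup:
                # Unknown gadget: print a debugger command for the address and
                # stop with a non-zero status so a driver notices (the original
                # exited with 0 here, indistinguishable from success).
                print('x/i 0x%016x' % gadget)
                raise SystemExit(1)
            else:
                text = lookup[gadget]
                if text.startswith('pop'):
                    print(text, end='')
                elif text.endswith(']'):
                    print(text, end='\n\n')
                else:
                    print(text)
                if gadget == EXIT_GADGET:
                    break
            idx += SLOT
        print(f'; rdi = {r[i]}\n;')
        print('; =====================')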
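from z3 import *

FLAG_LEN = 31

# One 64-bit unknown per flag byte.  Every chain reads its inputs with
# `movzx REG, BYTE PTR [REG]`, so each unknown is a zero-extended byte and is
# bounded to 0..255 below; without the bound, equations such as
# 2*flag[23] == 96 also admit 48 + 2**63, which chr() then rejects.
flag = [BitVec('flag%i' % i, 64) for i in range(FLAG_LEN)]

solver = Solver()
for v in flag:
    solver.add(ULE(v, 255))

# One constraint per chain, in trace order.  The flag[29] == 111 chain occurs
# twice in the trace and is listed once here.
# NOTE(review): the values in `r` are all below 256; if they were recovered as
# process exit statuses they are only 8 bits wide, so a chain whose sum exceeded
# 255 would have been observed modulo 256.  That wrap is not modelled here -- the
# equations are written as exact sums, as the author had them.
solver.add(flag[0] + flag[2] + flag[4] - 100 == 208)
solver.add(flag[6] + flag[8] + flag[10] == 225)
solver.add(flag[12] + flag[14] + flag[16] == 237)
solver.add(flag[18] + flag[1] - flag[30] == 20)
solver.add(flag[3] + flag[22] + flag[3] - 100 == 214)
solver.add(flag[5] + flag[29] + flag[28] - flag[7] - 100 == 183)
solver.add(flag[9] + flag[17] - flag[11] == 79)
solver.add(flag[13] + flag[15] + flag[20] - (flag[19] + flag[27]) == 105)
solver.add(flag[21] + flag[23] + flag[23] == 207)
solver.add(flag[25] + flag[26] == 217)
solver.add(flag[30] == 125)
solver.add(flag[9] == 66)
solver.add(flag[8] == 123)
solver.add(flag[0] == 104)
solver.add(flag[1] == 97)
solver.add(flag[2] == 99)
solver.add(flag[3] == 107)
solver.add(flag[4] == 105)
solver.add(flag[5] == 109)
solver.add(flag[6] == 50)
solver.add(flag[7] == 48)
solver.add(flag[11] + flag[0] == 202)
solver.add(flag[29] == 111)
solver.add(flag[29] - flag[13] == 29)
solver.add(flag[28] - flag[14] == 63)
solver.add(flag[28] + flag[15] == 223)
solver.add(flag[0] - flag[27] == 36)
solver.add(flag[23] - flag[24] == 0)
solver.add(flag[26] + flag[0] - flag[1] == 124)
solver.add(flag[19] == 100)
solver.add(flag[11] + flag[12] == 219)
solver.add(flag[21] - flag[20] == 32)

# Solver.check() returns a CheckSatResult object, which is always truthy, so the
# original `if not solver.check(): assert False` could never fire; compare
# against `sat` explicitly and fail loudly on unsat/unknown.
if solver.check() != sat:
    raise SystemExit('no flag satisfies the recovered constraints')

model = solver.model()
# model_completion=True assigns a value to any unknown the model left free
# instead of returning None, so chr() below always receives an int.
print(''.join(chr(model.eval(v, model_completion=True).as_long()) for v in flag))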