@tcmal
Created October 5, 2021 15:29
MIPS pwnme
# mips stack pwnme by tcmal
# contrived & kinda easy :)
# to feed input to the program's stdin under MARS, use the command line:
# $ echo -e "payload" | mars-mips sm pwnme.asm
.data
# NUL-terminated strings printed with syscall 4 (print string, address in $a0)
prompt: .asciiz "Enter a name: "
length: .asciiz "Your name is this long: "
# only printed by the `unreachable` block, which normal control flow never reaches
congrats: .asciiz "You did it!"
.text
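main: # get the name length
# Entry point: prompt for a name, print its length, exit.
# Uses $t0 to hold the length across the prefix print instead of spilling
# $v0 to the stack; nothing in between calls out, so the temp survives.
jal prompt_name_length
move $t0, $v0
# print length prefix (syscall 4: print string at $a0)
li $v0, 4
la $a0, length
syscall
# print length (syscall 1: print integer in $a0);
# `li` rather than `la` for the immediate, matching the rest of the file
move $a0, $t0
li $v0, 1
syscall
# exit (syscall 10)
li $v0, 10
syscall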
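unreachable: # not reached by the normal control flow above (main exits first)
# you did it!
la $a0, congrats
li $v0, 4
syscall
# terminate here: without an exit this would fall through into
# prompt_name_length, prompt again and then jump through a stale $ra
li $v0, 10
syscall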
prompt_name_length: # print prompt
# int prompt_name_length(void) -> $v0 = character count returned by get_name
# Non-leaf: saves $ra across the call to get_name and passes get_name's $v0
# back unchanged. Clobbers $a0, $a1, $t1-$t4, $v0 (via get_name).
la $a0, prompt
li $v0, 4
syscall
# push ra to stack
# NOTE(review): this saved $ra occupies the word directly above the 16-byte
# frame get_name allocates, i.e. get_name's input buffer ends exactly where
# the return address is stored. The value restored below is only trustworthy
# if get_name bounds its read to its buffer size.
addi $sp, $sp, -4
sw $ra, ($sp)
# call get_name (result in $v0)
jal get_name
# pop ra back from stack
lw $ra, ($sp)
addi $sp, $sp, 4
jr $ra
get_name: # 16 bytes on the stack
# int get_name(void) -> $v0 = number of characters before '\n', capped at 16
# Reads a line into a 16-byte stack buffer (MARS syscall 8), then counts it.
# Leaf: no calls, $ra untouched. Clobbers $a0, $a1, $t1-$t4, $v0.
addi $sp, $sp, -16
# read string
add $a0, $sp, 0
# NOTE(review): syscall 8 stores up to $a1-1 characters plus a NUL, so a limit
# of 21 permits 21 bytes into this 16-byte frame; the excess lands in the word
# above the frame, which holds the caller's saved $ra. The limit should match
# the buffer: `li $a1, 16`.
li $a1, 21
li $v0, 8
syscall
# count characters
add $t1, $sp, 0 # t1 = location of character
lbu $t2, ($t1) # t2 = character
li $v0, 0 # v0 = character count
loop: # get next char
# invariant: $v0 = characters counted so far, $t1 = &buf[$v0], $t2 = buf[$v0]
beq $t2, 0xa, after_loop # \n, done counting
# exit if length >= 16
# (caps the count; the loop does not stop at a NUL, so input without a
# newline is counted up to the cap, and when the 16th byte is not '\n' the
# lbu below reads one byte past the buffer — that byte is only compared)
li $t4, 16
sge $t3, $v0, $t4
bne $t3, $zero, after_loop
# add to count
addi $v0, $v0, 1
# advance character
addi $t1, $t1, 1
lbu $t2, ($t1)
j loop
after_loop:
# restore stack
addi $sp, $sp, 16
# return
jr $ra