b01lers CTF 2022 Write-up (Reverse Engineering)

Hi everyone! This post covers the reverse engineering challenges from b01lers CTF 2022, which was held on 23/4 – 24/4. The two write-ups in this post are on challenges that require us to write x64 assembly code answering the question posed at each level. Let’s get started!

1. extreme_64

Can you program in x86_64 assembly? Pass each level to get the flag.
Note: separate each instruction by a semicolon
nc ctf.b01lers.com 9301

Author: novafacing
Difficulty: Easy

Solution

kali@kali~$ nc ctf.b01lers.com 9301
Warning: _curses.error: setupterm: could not find terminfo database

Terminal features will not be available.  Consider setting TERM variable to your current terminal name (or xterm).
Enter a level password or press enter if you don't have one:
>>> 
================================= LEVEL 0x000 ==================================
Set rdi to 0x1337 using only one instruction.
>>> mov rdi, 0x1337
--> 
Success! Level password is: code{very_1337}

================================= LEVEL 0x001 ==================================
Add rdi to rsi and store the result in rax using two or less instructions.
>>> mov rax, rdi; add rax, rsi
--> 
Success! Level password is: code{math_time}

================================= LEVEL 0x002 ==================================
Translate the following C-Like pseudocode to x86_64 assembly:

================================================================================
0001: if (rax == 0x1000) {
0002:     rsi = 0x10;
0003: }
================================================================================

>>> cmp rax, 0x1000; jne outside; mov rsi, 0x10; outside: nop
--> 
Success! Level password is: code{control_flow_is_the_best}

================================= LEVEL 0x003 ==================================
Translate the following C-Like pseudocode to x86_64 assembly:

================================================================================
0001: if (rax == 0x1000) {
0002:     rsi = 0x10;
0003: } else if (rax == 0x3000) {
0004:     rsi = 0x20;
0005: }
================================================================================

>>> cmp rax, 0x1000; jne secondcmp; mov rsi, 0x10; secondcmp: cmp rax, 0x3000; jne endit; mov rsi, 0x20; endit: nop
--> 
Success! Level password is: code{we_c4n_d0_th1s_all_d4y}

================================= LEVEL 0x004 ==================================
Translate the following C-Like pseudocode to x86_64 assembly:

================================================================================
0001: while (rax > 0x0) {
0002:     rsi += rax;
0003:     rax--;
0004: }
================================================================================

>>> theloop: cmp rax, 0x0; jle exitloop; add rsi, rax; dec rax; jmp theloop; exitloop: nop
--> 
Success! Level password is: code{l00p_the_l00p}

You have completed all levels! Here's the flag: bctf{c3rt1f13d_asm_pr0gr4mmer!!}
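The server only tries one register state per level, so it is worth checking an answer against its pseudocode for several starting values before submitting. The following Python interpreter is an added example, not the challenge's checker and not the author's code: it executes the same semicolon-separated instruction strings the levels accept, for the register-only subset used in the answers above (the `LEVEL2`, `LEVEL3` and `LEVEL4` constants are the submitted answers verbatim; `cmp` is simplified to a signed difference, so overflow is not modelled).

```python
"""Constructed example (not the challenge's own checker): a tiny interpreter
for the register-only x86-64 subset used in the extreme_64 answers.

It executes the same semicolon-separated text the server accepts, so the
level 0x002-0x004 answers can be checked against their pseudocode for
several starting register values rather than the one the server tries.
Only the instructions that appear in the write-up are implemented.
"""
import re

REGS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp")
MASK = (1 << 64) - 1

# Answers exactly as submitted in the write-up.
LEVEL2 = "cmp rax, 0x1000; jne outside; mov rsi, 0x10; outside: nop"
LEVEL3 = ("cmp rax, 0x1000; jne secondcmp; mov rsi, 0x10; "
          "secondcmp: cmp rax, 0x3000; jne endit; mov rsi, 0x20; endit: nop")
LEVEL4 = ("theloop: cmp rax, 0x0; jle exitloop; add rsi, rax; dec rax; "
          "jmp theloop; exitloop: nop")


def to_signed(v: int) -> int:
    """Interpret a 64-bit value as two's-complement signed."""
    v &= MASK
    return v - (1 << 64) if v >> 63 else v


def parse(program: str):
    """Turn 'lbl: insn a, b; insn' into ([(mnemonic, [args])], {label: index})."""
    ops, labels = [], {}
    for chunk in (c.strip() for c in program.split(";")):
        m = re.match(r"(\w+):\s*(.*)$", chunk)
        if m:  # a label names the next instruction slot
            labels[m.group(1)] = len(ops)
            chunk = m.group(2).strip()
        if chunk:
            mnemonic, _, rest = chunk.partition(" ")
            args = [a.strip() for a in rest.split(",")] if rest else []
            ops.append((mnemonic.lower(), args))
    return ops, labels


def run(program: str, init=None, max_steps: int = 100_000) -> dict:
    """Execute program from an initial register file and return the final one."""
    regs = {r: 0 for r in REGS}
    regs.update(init or {})
    ops, labels = parse(program)
    last_cmp = 0     # signed result of the last cmp, standing in for ZF/SF (no OF)
    pc = steps = 0

    def value(operand: str) -> int:
        return regs[operand] if operand in regs else int(operand, 0) & MASK

    while pc < len(ops):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; probably an infinite loop")
        mnemonic, a = ops[pc]
        pc += 1
        if mnemonic == "nop":
            continue
        if mnemonic == "mov":
            regs[a[0]] = value(a[1])
        elif mnemonic == "add":
            regs[a[0]] = (regs[a[0]] + value(a[1])) & MASK
        elif mnemonic == "sub":
            regs[a[0]] = (regs[a[0]] - value(a[1])) & MASK
        elif mnemonic == "inc":
            regs[a[0]] = (regs[a[0]] + 1) & MASK
        elif mnemonic == "dec":
            regs[a[0]] = (regs[a[0]] - 1) & MASK
        elif mnemonic == "lea":   # only the [base+index] form from part 2
            base, index = re.fullmatch(r"\[(\w+)\+(\w+)\]", a[1]).groups()
            regs[a[0]] = (regs[base] + regs[index]) & MASK
        elif mnemonic == "cmp":   # simplified: signed difference, overflow ignored
            last_cmp = to_signed(value(a[0]) - value(a[1]))
        elif mnemonic == "jmp":
            pc = labels[a[0]]
        elif mnemonic in ("je", "jne", "jl", "jle", "jg", "jge"):
            taken = {"je": last_cmp == 0, "jne": last_cmp != 0,
                     "jl": last_cmp < 0, "jle": last_cmp <= 0,
                     "jg": last_cmp > 0, "jge": last_cmp >= 0}[mnemonic]
            if taken:
                pc = labels[a[0]]
        else:
            raise ValueError(f"unsupported instruction: {mnemonic}")
    return regs


def check_level4(rax: int, rsi: int = 0) -> bool:
    """Compare the level 0x004 answer with its pseudocode for rax >= 0:
    rsi gains rax + (rax-1) + ... + 1 and rax finishes at 0."""
    if rax < 0:
        raise ValueError("this check models non-negative rax only")
    regs = run(LEVEL4, {"rax": rax, "rsi": rsi})
    expected_rsi = (rsi + sum(range(1, rax + 1))) & MASK
    return regs["rsi"] == expected_rsi and regs["rax"] == 0


if __name__ == "__main__":
    print(hex(run(LEVEL3, {"rax": 0x3000})["rsi"]))
    print(all(check_level4(n) for n in range(0, 50)))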

2. extreme_64_part_2

Can you program in x86_64 assembly? Pass each level to get the flag.
Note: separate each instruction by a semicolon
nc ctf.b01lers.com 9302

Solution

For level 0x001, note that the string has to be pushed onto the stack in reverse order: the final byte “n” first, then the remaining eight bytes “hackerma”, which as a little-endian immediate read “amrekcah” (0x616d72656b636168). See this reference.

kali@kali~$ nc ctf.b01lers.com 9302
Warning: _curses.error: setupterm: could not find terminfo database

Terminal features will not be available.  Consider setting TERM variable to your current terminal name (or xterm).
Enter a level password or press enter if you don't have one:
>>> 
================================= LEVEL 0x000 ==================================
Add rdi to rsi and store the result in rax using only one instruction.
>>> lea rax, [rsi+rdi]
--> 
Success! Level password is: code{some_instructions_have_many_uses}

================================= LEVEL 0x001 ==================================
Print the string 'hackerman' to stdout.
>>> mov rdx, 9; mov rsi, 0x00006e; push rsi; mov rsi, 0x616d72656b636168; push rsi; mov rsi, rsp; lea rsi, [rsp]; mov rax, 1; mov rdi, rax; syscall
--> 
[=]     (fd = 0x1, buf = 0x11feff0, count = 0x9)
Success! Level password is: code{asm_c4n_d0_anything_java_can_do}

================================= LEVEL 0x002 ==================================
Register rsi contains a pointer to the flag, but the flag has been encoded by
XOR-ing each byte with 0x82. Decode it and print it out to complete the
challenge! Hint: the flag is 32 characters long...
>>> xor rax, rax; theloop: cmp rax, 0x20; jge printflag; lea rdx, [rsi+rax]; xor byte ptr [rdx], 0x82; inc rax; jmp theloop; printflag: mov rdx, 0x20; mov rax, 1; mov rdi, rax; syscall
--> 
[=]     (fd = 0x1, buf = 0x10000000, count = 0x20)
stdout: b'bctf{c0ngrats_y0u_are_a_pr0!!!!}'
Failed! Reason: 
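The byte-order reasoning behind level 0x001 (why 0x6e is pushed before 0x616d72656b636168) and the byte-wise XOR loop of level 0x002 can both be checked offline. The Python below is an added example, not the write-up's or the challenge's own code: `push_immediates` derives the immediates for any short string, `stack_after_pushes` simulates the pushes and shows that rsp ends up pointing at the string's first byte, and `decode_in_place` mirrors the level 0x002 loop instruction by instruction. `STACK_TOP` is a constructed address and the encoded buffer is constructed by XOR-ing the flag from the transcript with 0x82.

```python
"""Constructed example for extreme_64_part_2 (not the write-up's or the
challenge's own code): the byte-order reasoning behind levels 0x001 and
0x002, checked in Python.

Level 0x001: the two immediates pushed before the write syscall.
Level 0x002: the byte-wise XOR loop that decodes the flag in place.
"""
import struct

STACK_TOP = 0x7FFF_FFFF_F000   # constructed address; only the layout matters
XOR_KEY = 0x82                 # from the level 0x002 prompt
FLAG_LEN = 0x20                # "the flag is 32 characters long"


def push_immediates(s: str) -> list:
    """Return the 64-bit immediates to push, in push order, so that after
    the pushes rsp points at the first byte of s.

    The stack grows downward, so the string's last 8-byte chunk must be
    pushed first and its first chunk last.  Each chunk is read little-endian,
    which is why "hackerma" becomes 0x616d72656b636168 (the hex digits read
    "amrekcah").  A short final chunk is zero-padded, which is harmless
    because the write count in rdx limits what gets printed.
    """
    data = s.encode()
    chunks = [data[i:i + 8] for i in range(0, len(data), 8)]
    return [int.from_bytes(c.ljust(8, b"\0"), "little") for c in reversed(chunks)]


def stack_after_pushes(immediates: list, rsp: int = STACK_TOP):
    """Simulate `push imm` for each value; return (rsp, bytes from rsp upward)."""
    mem = {}
    for imm in immediates:
        rsp -= 8                               # push decrements rsp first...
        for i, b in enumerate(struct.pack("<Q", imm)):
            mem[rsp + i] = b                   # ...then stores little-endian
    return rsp, bytes(mem[a] for a in sorted(mem))


def decode_in_place(buf: bytearray, key: int = XOR_KEY, n: int = FLAG_LEN) -> bytearray:
    """Mirror of the level 0x002 loop: rax runs 0..n-1 and each byte at
    [rsi+rax] is XORed with key; the same buffer is then written out."""
    rax = 0
    while rax < n:                 # cmp rax, 0x20 ; jge printflag
        buf[rax] ^= key            # lea rdx, [rsi+rax] ; xor byte ptr [rdx], 0x82
        rax += 1                   # inc rax ; jmp theloop
    return buf


if __name__ == "__main__":
    imms = push_immediates("hackerman")
    print([hex(v) for v in imms])
    rsp, image = stack_after_pushes(imms)
    print(image[:9])
    # Constructed encoded buffer: the transcript's flag XORed with 0x82.
    encoded = bytearray(b ^ XOR_KEY for b in b"bctf{c0ngrats_y0u_are_a_pr0!!!!}")
    print(bytes(decode_in_place(encoded)))
```

Two details of the level 0x001 answer are worth noting while reading the simulation: `mov rsi, rsp` and `lea rsi, [rsp]` both load the address of the string into rsi, so either one alone is enough, and `mov rdi, rax` after `mov rax, 1` reuses the write syscall number as the stdout file descriptor, which works only because both happen to be 1.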

I hope this article has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
