Tags: x86 assembly 

**Description**

> The final boss!
>
> Time to pull together your knowledge of Bash, Python, and stupidly-low-level assembly!!
>
> This time you have to write some assembly that we're going to run.. You'll see the output of your code through VNC for 60 seconds.
>
> Objective: Print the flag.
>
> What to know:
>
> Strings need to be alternating between the character you want to print and '0x1f'.
>
> To print a string you need to write those alternating bytes to the frame buffer (starting at 0x00b8000...just do it). Increment your pointer to move through this buffer.
>
> If you're having difficulty figuring out where the flag is stored in memory, this code snippet might help you out:
>
> ```asm
> get_ip:
> call next_line
> next_line:
> pop rax
> ret
> ```
>
> That'll put the address of `pop rax` into rax.
>
> Call serves as an alias for `push rip` (the instruction pointer - where we are in code) followed by `jmp _____` where whatever is next to the call fills in the blank.
>
> And in case this comes up, you shouldn't need to know where you are loaded in memory if you use that above snippet...
>
> Happy Reversing!!
>
> `nc rev.chal.csaw.io 9004`
>
> - Elyk
>
> Edit (09/16 1:13 AM) - Uploaded new files. No change in challenge difficulty or progression, simply streamlining the build process.

**Files provided**

- [`Makefile`](https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/files/x86-3-Makefile)
- [`part-3-server.py`](https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/files/x86-3-part-3-server.py)
- [`tacOS-base.bin`](https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/files/x86-3-tacOS-base.bin)

**Solution**

From the `part-3-server.py` script we can see what happens on connection – we provide a hexdump of our assembled code, it gets linked with the previous stages and executed, and we watch the output over VNC. What is most important, however, is that the flag is appended directly after our code.

So we simply need to read the flag from just after our own code in memory (its location is relative to the `rip` register, hence the snippet in the description) and write it to the screen. `0x000b8000` is a special location in memory – it is mapped directly to the text-mode display in protected mode. Character values go in the even bytes, and background / foreground colour attributes go in the odd bytes.

```asm
bits 32

part3:
mov esi, 0x000b8000 ; text-mode video memory
call get_ip ; ebx = address of `pop ebx` inside get_ip; the flag follows our code
mov edx, 512 ; copy 512 characters
._mov_loop:
cmp edx, 0
jz .end ; jump to .end if done
sub edx, 1
mov ecx, [ebx] ; read a character from memory
mov byte [esi], cl ; even byte: the character
add esi, 1
mov byte [esi], 0x1F ; odd byte: attribute, white-on-blue text
add esi, 1
add ebx, 1
jmp ._mov_loop
.end:
jmp .end ; infinite loop to keep the VNC running

get_ip:
call next_line ; pushes the address of next_line, i.e. of `pop ebx`
next_line:
pop ebx
ret
```
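As an added illustration, not part of the original writeup, the following Python model covers the two mechanisms the solution relies on: the call/pop trick from the description and the alternating character/attribute layout of the text buffer. The opcode bytes are hand-assembled; the load address, the stand-in bytes for the `part3` loop and the flag are constructed placeholders.

```python
ATTR_WHITE_ON_BLUE = 0x1F  # attribute byte the solution writes in every odd slot

# Hand-assembled get_ip: `call next_line` (E8 + rel32 of 0), `pop ebx` (5B), `ret` (C3).
GET_IP = bytes([0xE8, 0x00, 0x00, 0x00, 0x00, 0x5B, 0xC3])


def run_get_ip(load_base: int, get_ip_offset: int) -> int:
    """Model what `call get_ip` leaves in ebx.

    `call` pushes the address of the following instruction and jumps, so the inner
    `call next_line` pushes load_base + get_ip_offset + 5, the address of `pop ebx`,
    and `pop ebx` retrieves it. The value tracks the load address automatically.
    """
    stack = []
    ip = load_base + get_ip_offset   # execution arrives at get_ip
    stack.append(ip + 5)             # call next_line: push the return address ...
    ip += 5                          # ... and jump (rel32 == 0, so just fall through)
    return stack.pop()               # pop ebx


def render_text_buffer(memory: bytes, start: int, count: int,
                       attr: int = ATTR_WHITE_ON_BLUE) -> bytes:
    """Copy `count` bytes from memory[start:] into a text-mode buffer the way the
    ._mov_loop does: character in the even byte, attribute in the odd byte."""
    out = bytearray()
    for i in range(count):
        out.append(memory[start + i] if start + i < len(memory) else 0)
        out.append(attr)
    return bytes(out)


def decode_text_buffer(fb: bytes) -> str:
    """What the VNC viewer shows: every even byte is a character, odd bytes are colour."""
    return bytes(fb[0::2]).decode("latin-1")


def simulate(load_base: int = 0x00100000, flag: bytes = b"flag{constructed_placeholder}"):
    """Link a stand-in for our code with the flag appended (as the server does),
    run get_ip, then dump from ebx onwards as the solution loop would."""
    part3_stub = b"\x90" * 16             # constructed stand-in for the part3 loop bytes
    memory = part3_stub + GET_IP + flag   # the flag sits right after our code
    ebx = run_get_ip(load_base, len(part3_stub))
    screen = decode_text_buffer(render_text_buffer(memory, ebx - load_base, 64))
    return ebx, screen


if __name__ == "__main__":
    ebx, screen = simulate()
    # The first two characters are the `pop ebx; ret` opcodes themselves, then the flag.
    print(hex(ebx), repr(screen.rstrip("\x00")))
```

The model shows why the real solution prints two junk characters before the flag: `ebx` points at the `pop ebx` opcode, so the copy loop starts two bytes before the appended flag.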

`flag{S4l1y_Se11S_tacOShell_c0d3_bY_tHe_Se4_Sh0re}`

Original writeup (https://github.com/Aurel300/empirectf/blob/master/writeups/2018-09-14-CSAW-CTF-Quals/README.md#200-reversing--a-tour-of-x86---part-3).