Tags: reverse_engineering indepth 

Rating:

# ARMssembly 2

Category: Reverse Engineering

AUTHOR: DYLAN MCGUIRE

**Disclaimer! I do not own any of the challenge files!**

## Description
```
What integer does this program print with argument 2403814618? File: chall_2.S
Flag format: picoCTF{XXXXXXXX} -> (hex, lowercase, no 0x, and 32 bits. ex. 5614267 would be picoCTF{0055aabb})
```

## Function analysis

If you've read my previous ARMssembly writeups, you know the drill. It's time to delv deep into the functions.
```
func1:
sub sp, sp, #32
str w0, [sp, 12]
str wzr, [sp, 24]
str wzr, [sp, 28]
b .L2
.L3:
+-->ldr w0, [sp, 24]
| add w0, w0, 3
| str w0, [sp, 24]
| ldr w0, [sp, 28]
| add w0, w0, 1
| str w0, [sp, 28]
.L2:
| ldr w1, [sp, 28]
| ldr w0, [sp, 12]
| cmp w1, w0
+---bcc .L3
ldr w0, [sp, 24]
add sp, sp, 32
ret
.size func1, .-func1
.section .rodata
.align 3
```
These are the most important functions for us. And I added an `r2` style loop indicator for myself. Time for `.func1`.

### .func1
```
func1:
sub sp, sp, #32
str w0, [sp, 12]
str wzr, [sp, 24]
str wzr, [sp, 28]
b .L2
```
By now, this should be obvious to you. But we see one peculiar register. `wzr` is a special register, and it holds the value `0`. This allows us to quickly store a 0.
```
stack + 12 = 2403814618
stack + 24 = 0
stack + 28 = 0
```
And finally just `branch` (jmp in x86) to `.L2`!

### .L2
```
.L2:
ldr w1, [sp, 28]
ldr w0, [sp, 12]
cmp w1, w0
bcc .L3
ldr w0, [sp, 24]
add sp, sp, 32
ret
.size func1, .-func1
.section .rodata
.align 3
```
Now `load 0 into w1` and `load 2403814618 into w0` and compare them. (Which is just a `sub` without storing the value) And most importantly `bcc` branch if the carry flag is set (it is set when w1 < w0)! This is our loop! We could maybe imagine it like this:
```py
while w1 >= w0:
L3()
```
After the loop ends `load a value from stack + 24 into w0`. Return.

### .L3
```
.L3:
ldr w0, [sp, 24]
add w0, w0, 3
str w0, [sp, 24]
ldr w0, [sp, 28]
add w0, w0, 1
str w0, [sp, 28]
```
This is what happens every loop, `Load the value from stack + 24 into w0` and add 3 to it. `Store this value in stack + 24`. Next `load the value from stack + 28 into w0` and add 1 to it. `Store this value in stack + 28`. And we will do this, until `stack + 28 > stack + 12`.

## Solving it

So what do we actually need to do? Well think about it... we just want to loop. But can we do this without looping? `2403814618` loops is quite a lot.... How about we just calculate `2403814618 * 3`, since we know that 3 will be added everytime and this is what will be printed. What is the result? `7211443854` Great! Just turn into hex and... Well not so fast. It needs to be a 32bit number, here's how we convert:
```py
>>> result = int(hex(7211443854),16) & 0xffffffff
>>> f'{result:08x}'
'add5e68e'
>>>
```
There we go! Wrapped it in `picoCTF{add5e68e}` and done.

Original writeup (https://github.com/xnomas/PicoCTF-2021-Writeups/tree/main/ARMssembly-2).