Uncategorized

PicoCTF 2017 – A Thing Called A Stack #ctf #picoctf #appsec #infosec #reverseengineering

Another day, another challenge.

In today’s blog post we’re going to solve the “A Thing Called A Stack” challenge from PicoCTF.

Let’s get started.

Clicking on the challenge, we see the following:

PicoCTF_A_Thing_Called_A_Stack_1

OK, so we’re given a file, and we need to determine the difference between the value of esp at the end of the code, and the location of the saved return address.

Looking at the hints we see the following:

PicoCTF_A_Thing_Called_A_Stack_2

We’ve encountered two different questions. Where is the return address saved, and what commands actually affect the stack.

DISCLAIMER: I haven’t worked with assembly in probably 8 years. So, what did I do? Go to YouTube.

Entering – “Assembly tutorial” I found a GREAT crash course on explaining assembly.

I have linked the video here.

Opening the file (Notepad++ is great!)

We see the following:

PicoCTF_A_Thing_Called_A_Stack_3

Using the YouTube tutorial, let’s decode the assembly code.

First we’re pushing the ebp (base pointer) onto the stack.

Next, we move the esp (stack pointer) to be at the same location to the base pointer.

Next, we push edi, esi, and ebx onto the stack. Note these instructions don’t change the stack. This solves question #2 in the hints section.

Next, we add 180 (0xb4 hex) to the stack to hold local variables.

Next, we’re going to store the local variable x = 0, to address 180 + 4 = 184

Next, we’re going to store the local variable y = 1,  to address 184 + 4 = 188

Next, we’re going to store the local variable z = 2, to address 188 + 4 = 192

Next, we’re going to store the local variable a = 3, to address 192 + 4 = 196

So now the esp (stack pointer) is now at 196.

Let’s convert 196 to hexadecimal.

Doing this we get the following: 0xc4

Entering this into the challenge, we see that solved the challenge and acquired 60 points!