{"componentChunkName":"component---src-templates-post-template-js","path":"/ctf-arm-assembly-bigginer-en","result":{"data":{"markdownRemark":{"id":"4492a191-028e-5b98-b630-3743bc27a85f","html":"
\n

This page has been machine-translated from the original page.

\n
\n

Introduction

\n

I was working on picoCTF 2021, which ran until 2021/3/31.\nI was aiming to solve all the Reversing challenges, but unfortunately fell short.

\n

Among the picoCTF 2021 Reversing problems, the “ARMssembly” series was extremely educational, so I’ll write a writeup for it here.

\n

What I Learned

\n
    \n
  1. ARM assembly mnemonics
    2. \n
  2. Key points for manually decompiling assembly code
    3. \n
\n

Approach for the ARMssembly Series

\n

The “ARMssembly” series consisted of 5 problems in total, and the approach was the same for all of them, so I’ll describe it upfront.

\n

The “ARMssembly” series could be solved with the following steps:

\n
    \n
  1. Read through the provided assembly code
    2. \n
  2. \n

    Trace the flow from the main function

    \n\n
    3. \n
  3. Solve
    4. \n
\n

Let’s start with the first problem.

\n

ARMssembly 0

\n

Problem

\n

This problem gives two variables and asks for the final output.

\n
\n

Description

\n

What integer does this program print with arguments 4112417903 and 1169092511?

\n
\n
; Challenge code\n.arch armv8-a\n.file"chall.c"\n.text\n.align2\n.globalfunc1\n.typefunc1, %function\nfunc1:\nsubsp, sp, #16\nstrw0, [sp, 12]\nstrw1, [sp, 8]\nldrw1, [sp, 12]\nldrw0, [sp, 8]\ncmpw1, w0\nbls.L2\nldrw0, [sp, 12]\nb.L3\n.L2:\nldrw0, [sp, 8]\n.L3:\naddsp, sp, 16\nret\n.sizefunc1, .-func1\n.section.rodata\n.align3\n.LC0:\n.string"Result: %ld\\n"\n.text\n.align2\n.globalmain\n.typemain, %function\nmain:\nstpx29, x30, [sp, -48]!\naddx29, sp, 0\nstrx19, [sp, 16]\nstrw0, [x29, 44]\nstrx1, [x29, 32]\nldrx0, [x29, 32]\naddx0, x0, 8\nldrx0, [x0]\nblatoi\nmovw19, w0\nldrx0, [x29, 32]\naddx0, x0, 16\nldrx0, [x0]\nblatoi\nmovw1, w0\nmovw0, w19\nblfunc1\nmovw1, w0\nadrpx0, .LC0\naddx0, x0, :lo12:.LC0\nblprintf\nmovw0, 0\nldrx19, [sp, 16]\nldpx29, x30, [sp], 48\nret\n.sizemain, .-main\n.ident"GCC: (Ubuntu/Linaro 7.5.0-3ubuntu1~18.04) 7.5.0"\n.section.note.GNU-stack,"",@progbits
\n

Reading main

\n

Let’s trace from main first.\nIt’s fairly long, but I focused on these items:

\n\n

bl stands for “Branch with Link” and can be understood as something like a CALL instruction.\nFor details, see Arm64(ARMv8) Assembly Programming (08) Branch Instructions.

\n

In short, it jumps to the address written right after bl and returns when it hits a RET instruction.

\n

Since there are two atoi calls, it’s clear that the program converts the received variables to numbers, passes them as arguments to func1, and displays the return value with printf.

\n

Verifying with C code

\n

Having read this far, let me write the reverse-engineered C code for the main function and verify my understanding.

\n

Here’s what I came up with:

\n
#include <stdio.h>\n#include <stdlib.h>\n\nunsigned int func1(unsigned int n1, unsigned int n2)\n{\n    return 0;\n}\n\nint main(char a[128], char b[128]) {\n    unsigned int n1 = atoi(a);\n    unsigned int n2 = atoi(b);\n    unsigned int ans = func1(n1, n2);\n    printf(\"%u\", ans);\n\n    return 0;\n}
\n

Compile this on a Raspberry Pi with GCC using gcc -S sample.c -o sample.lst to generate an object file.

\n

Extracting just the main function, the following assembly is generated.\nComparing with the challenge code, it’s nearly identical!

\n
main:\n.LFB7:\n      .cfi_startproc\n      stp     x29, x30, [sp, -48]!\n      .cfi_def_cfa_offset 48\n      .cfi_offset 29, -48\n      .cfi_offset 30, -40\n      mov     x29, sp\n      str     x0, [sp, 24]\n      str     x1, [sp, 16]\n      ldr     x0, [sp, 24]\n      bl      atoi\n      str     w0, [sp, 36]\n      ldr     x0, [sp, 16]\n      bl      atoi\n      str     w0, [sp, 40]\n      ldr     w1, [sp, 40]\n      ldr     w0, [sp, 36]\n      bl      func1\n      str     w0, [sp, 44]\n      ldr     w1, [sp, 44]\n      adrp    x0, .LC0\n      add     x0, x0, :lo12:.LC0\n      bl      printf\n      mov     w0, 0\n      ldp     x29, x30, [sp], 48\n      .cfi_restore 30\n      .cfi_restore 29\n      .cfi_def_cfa_offset 0\n      ret\n      .cfi_endproc
\n

Reading func1

\n

Next, let’s look at func1, which receives the two arguments.\nThis is the relevant part of the challenge code:

\n
func1:\nsubsp, sp, #16\nstrw0, [sp, 12]\nstrw1, [sp, 8]\nldrw1, [sp, 12]\nldrw0, [sp, 8]\ncmpw1, w0\nbls.L2\nldrw0, [sp, 12]\nb.L3\n.L2:\nldrw0, [sp, 8]\n.L3:\naddsp, sp, 16\nret\n.sizefunc1, .-func1\n.section.rodata\n.align3
\n

First, let’s look at the str and ldr instructions.

\n

Simply put, str is a store instruction that writes a register’s value to a specified address.\nldr is a load instruction that reads a value from a specified address into a register.

\n

[sp, 12] uses register-indirect addressing—one of the CPU’s memory addressing modes—which specifies the address obtained by adding the given offset to the stack pointer.

\n

So func1 loads the received argument values, compares them, and branches based on the result.

\n

Let’s look at the branch instruction bls.\nls stands for “lower or same (<=)“.

\n

From this, func1 can be written in C as:

\n
#include <stdio.h>\n#include <stdlib.h>\n\nunsigned int func1(unsigned int n1, unsigned int n2)\n{\n    if (n2 > n1)\n    {\n        return n1;\n    }\n    else\n    {\n        return n2;\n    }\n}
\n

I wrote bls as “lower or same (<=)”, but the jump to the branch target happens when the IF condition is not satisfied, so the C condition expression is n1 > n2.

\n

Also, function arguments are pushed onto the stack from the last one first, so the value stored in [sp, 12], which is accessed first, corresponds to the first argument (n1).

\n

Let’s generate the object file from this code:

\n
func1:\n.LFB6:\n.cfi_startproc\nsubsp, sp, #16\n.cfi_def_cfa_offset 16\nstrw0, [sp, 12]\nstrw1, [sp, 8]\nldrw1, [sp, 8]\nldrw0, [sp, 12]\ncmpw1, w0\nbls.L2\nldrw0, [sp, 12]\nb.L3\n.L2:\nldrw0, [sp, 8]\n.L3:\naddsp, sp, 16\n.cfi_def_cfa_offset 0\nret\n.cfi_endproc
\n

The assembly nearly matches the challenge code, confirming our understanding is correct.

\n

Finally, running the compiled binary with the given arguments produces the number sequence that is the FLAG.

\n

ARMssembly 1

\n

Problem

\n

This problem asks for the argument that makes the program print “win”.\nThe code is a bit longer than the first problem.

\n
\n

Description

\n

For what argument does this program print win with variables 81, 0 and 3?

\n
\n
.arch armv8-a\n.file"chall_1.c"\n.text\n.align2\n.globalfunc\n.typefunc, %function\nfunc:\nsubsp, sp, #32\nstrw0, [sp, 12]\nmovw0, 81\nstrw0, [sp, 16]\nstrwzr, [sp, 20]\nmovw0, 3\nstrw0, [sp, 24]\nldrw0, [sp, 20]\nldrw1, [sp, 16]\nlslw0, w1, w0\nstrw0, [sp, 28]\nldrw1, [sp, 28]\nldrw0, [sp, 24]\nsdivw0, w1, w0\nstrw0, [sp, 28]\nldrw1, [sp, 28]\nldrw0, [sp, 12]\nsubw0, w1, w0\nstrw0, [sp, 28]\nldrw0, [sp, 28]\naddsp, sp, 32\nret\n.sizefunc, .-func\n.section.rodata\n.align3\n.LC0:\n.string"You win!"\n.align3\n.LC1:\n.string"You Lose :("\n.text\n.align2\n.globalmain\n.typemain, %function\nmain:\nstpx29, x30, [sp, -48]!\naddx29, sp, 0\nstrw0, [x29, 28]\nstrx1, [x29, 16]\nldrx0, [x29, 16]\naddx0, x0, 8\nldrx0, [x0]\nblatoi\nstrw0, [x29, 44]\nldrw0, [x29, 44]\nblfunc\ncmpw0, 0\nbne.L4\nadrpx0, .LC0\naddx0, x0, :lo12:.LC0\nblputs\nb.L6\n.L4:\nadrpx0, .LC1\naddx0, x0, :lo12:.LC1\nblputs\n.L6:\nnop\nldpx29, x30, [sp], 48\nret\n.sizemain, .-main\n.ident"GCC: (Ubuntu/Linaro 7.5.0-3ubuntu1~18.04) 7.5.0"\n.section.note.GNU-stack,"",@progbits
\n

Reading main

\n

Let’s trace through main. Instructions introduced in previous problems are skipped.

\n

The important part in main is the last section.

\n

Just like the previous problem, it receives an argument, passes it to the func function, and then determines whether to display “win” or “lose” based on the return value compared to 0.

\n

Let me write this part out in C.

\n

bne .L4 means “not equal”.\nIn other words, if func1's return value != 0, it jumps to the address specified by .L4.

\n

Verifying with C code

\n

Having read this far, let me write the reverse-engineered C code for main and verify.

\n

Here’s what I came up with:

\n
#include <stdio.h>\n#include <stdlib.h>\n\nunsigned int func1(unsigned int n1)\n{\n    return 0;\n}\n\nint main(char a[128]) {\n    unsigned int n1 = atoi(a);\n    unsigned int ret = func1(n1);\n\n    if (ret == 0)\n    {\n        printf(\"win\");\n    }\n    else\n    {\n        printf(\"lose\");\n    }\n\n    return 0;\n}
\n

Compiling this on a Raspberry Pi with gcc -S sample.c -o sample.lst generates the following assembly for main.\nComparing with the challenge code, they match.

\n
main:\n.LFB7:\n.cfi_startproc\nstpx29, x30, [sp, -48]!\n.cfi_def_cfa_offset 48\n.cfi_offset 29, -48\n.cfi_offset 30, -40\nmovx29, sp\nstrx0, [sp, 24]\nldrx0, [sp, 24]\nblatoi\nstrw0, [sp, 40]\nldrw0, [sp, 40]\nblfunc1\nstrw0, [sp, 44]\nldrw0, [sp, 44]\ncmpw0, 0\nbne.L4\nadrpx0, .LC0\naddx0, x0, :lo12:.LC0\nblprintf\nb.L5\n.L4:\nadrpx0, .LC1\naddx0, x0, :lo12:.LC1\nblprintf\n.L5:\nmovw0, 0\nldpx29, x30, [sp], 48\n.cfi_restore 30\n.cfi_restore 29\n.cfi_def_cfa_offset 0\nret\n.cfi_endproc
\n

Reading func1

\n

Now I know the win condition: if the return value of func1 with the given argument is 0, “win” is displayed.

\n

Let’s look at func1:

\n
func:\nsubsp, sp, #32\n; 1. Store the argument in [sp, 12]\nstrw0, [sp, 12]\n\n; 2. Store 81 in [sp, 16]\nmovw0, 81\nstrw0, [sp, 16]\n\n; 3. Store 0 in [sp, 20]\nstrwzr, [sp, 20]\n\n; 4. Store 3 in [sp, 24]\nmovw0, 3\nstrw0, [sp, 24]\n\n; 5. Load [sp, 20] and [sp, 16], then left-shift\nldrw0, [sp, 20]\nldrw1, [sp, 16]\nlslw0, w1, w0\nstrw0, [sp, 28]\n\n; 6. Divide result of 5 by [sp, 24]\nldrw1, [sp, 28]\nldrw0, [sp, 24]\nsdivw0, w1, w0\nstrw0, [sp, 28]\n\n; 7. Subtract the argument passed to func1 from result of 6, then return\nldrw1, [sp, 28]\nldrw0, [sp, 12]\nsubw0, w1, w0\n\nstrw0, [sp, 28]\nldrw0, [sp, 28]\naddsp, sp, 32\nret
\n

I’ve annotated the challenge code to make the variable flow clearer.

\n
    \n
  1. Store the argument in [sp, 12]
    2. \n
  2. Store 81 in [sp, 16]
    3. \n
  3. Store 0 in [sp, 20]
    4. \n
  4. Store 3 in [sp, 24]
    5. \n
\n

Steps 1, 2, and 4 were covered earlier, so I’ll skip them.

\n

For step 3, using wzr is a zero register expression.\nThis allows storing 0 directly at the specified address without going through another register.

\n

Reference: ARM Cortex-A Series Programmer’s Guide for ARMv8-A

\n

Now let me look at the operations after the variable assignments.

\n
    \n
  1. Load [sp, 20] and [sp, 16], then left-shift
    2. \n
\n

lsl is a logical shift left instruction.\nData is shifted left by the specified amount, and vacated bits are filled with 0.

\n

Steps 6 and 7 take the result of this left shift, divide by 3, and subtract the argument.\nIn other words, the argument that makes this final expression equal to 0 is the flag.

\n

We can now solve this easily, but for completeness, let me write func1 in C too.\nWhen I compiled this, I couldn’t exactly reproduce the sdiv part for some reason, but it’s approximately correct:

\n
unsigned int func1(unsigned int n1)\n{\n    unsigned int n2 = 81;\n    unsigned int n3 = 0;\n    unsigned int n4 = 3;\n\n    int ret;\n    ret = n2 << n3;\n    ret = ret / 3;\n    ret = ret - n1;\n\n    return ret;\n}
\n

The argument that makes func1 return 0 is the number sequence that is the FLAG.

\n

Summary

\n

Carefully working through assembly code and rewriting it in C by hand was a very enjoyable experience.\nThanks to the problem authors.

\n

I may add writeups for the remaining problems later.

\n

As a side note, here are some books I recommend for studying assembly:

\n

Recommended Books

\n","fields":{"slug":"/ctf-arm-assembly-bigginer-en","tagSlugs":["/tag/ctf-en/","/tag/reversing-en/","/tag/pico-ctf-en/","/tag/english/"]},"frontmatter":{"date":"2021-10-04","description":"Learning ARM assembly through the ARMssembly series of Reversing challenges in picoCTF 2021.","tags":["CTF (en)","Reversing (en)","picoCTF (en)","English"],"title":"Learning ARM Assembly through CTF","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/ctf-arm-assembly-bigginer-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}