Pwnable.kr - leg


Challenge description:

Daddy told me I should study arm. But I prefer to study my leg!

#include <stdio.h>
#include <fcntl.h>

int key1(){
	asm("mov r3, pc\n");
}

int key2(){
	asm(
	"push	{r6}\n"
	"add	r6, pc, $1\n"
	"bx	r6\n"
	".code   16\n"
	"mov	r3, pc\n"
	"add	r3, $0x4\n"
	"push	{r3}\n"
	"pop	{pc}\n"
	".code	32\n"
	"pop	{r6}\n"
	);
}

int key3(){
	asm("mov r3, lr\n");
}

int main(){
	int key=0;
	printf("Daddy has very strong arm! : ");
	scanf("%d", &key);
	if( (key1()+key2()+key3()) == key ){
		printf("Congratz!\n");
		int fd = open("flag", O_RDONLY);
		char buf[100];
		int r = read(fd, buf, 100);
		write(0, buf, r);
	}
	else{
		printf("I have strong leg :P\n");
	}
	return 0;
}

This is a simple ARM challenge. The program compares the input key with the sum of the return values of three functions. We are also given the assembly of the code, because the result of the sum depends on the value of the pc register. I will only show the parts of the assembly needed to get the right key.

Here is the important part of main assembly:

   0x00008d68 <+44>:	bl	0x8cd4 <key1>
   0x00008d6c <+48>:	mov	r4, r0		; result of key1
   0x00008d70 <+52>:	bl	0x8cf0 <key2>
   0x00008d74 <+56>:	mov	r3, r0		; result of key2
   0x00008d78 <+60>:	add	r4, r4, r3
   0x00008d7c <+64>:	bl	0x8d20 <key3>
   0x00008d80 <+68>:	mov	r3, r0		; result of key3
   0x00008d84 <+72>:	add	r2, r4, r3

key1():

   0x00008cdc <+8>:	mov	r3, pc
   0x00008ce0 <+12>:	mov	r0, r3
   0x00008ce4 <+16>:	sub	sp, r11, #0

The result is stored in r3. Its value is $pc, which in ARM state reads as the address of the current instruction + 8 (that is, next_instruction + 4): 0x00008ce4.

key2():

   0x00008d04 <+20>:	mov	r3, pc
   0x00008d06 <+22>:	adds	r3, #4
   0x00008d08 <+24>:	push	{r3}

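The result is stored in r3. Its value is $pc + 4. This code runs in Thumb state (after the bx r6 switch), where instructions are 2 bytes wide and $pc reads as the address of the current instruction + 4, which is 0x00008d08, so r3 ends up as 0x00008d0c.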

key3():

   0x00008d28 <+8>:	mov	r3, lr
   0x00008d2c <+12>:	mov	r0, r3

The result is stored in r3. Its value is $lr, the return address set by the bl in main: 0x00008d80.

The result of the sum is 0x00008ce4 + 0x00008d0c + 0x00008d80 = 108400.
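The pc and lr arithmetic from the three sections above can be recomputed directly from the disassembly lines; the following is an added example, not part of the original write-up or the challenge. It assumes the instruction width (4 bytes for ARM, 2 for Thumb) can be inferred from the address spacing of the listed lines, which holds for these snippets, and the helper names are hypothetical.

```python
import re

# Disassembly lines copied from the write-up above (gdb format).
MAIN = """0x00008d7c <+64>: bl   0x8d20 <key3>
0x00008d80 <+68>: mov  r3, r0"""
KEY1 = """0x00008cdc <+8>:  mov  r3, pc
0x00008ce0 <+12>: mov  r0, r3"""
KEY2 = """0x00008d04 <+20>: mov  r3, pc
0x00008d06 <+22>: adds r3, #4
0x00008d08 <+24>: push {r3}"""
KEY3 = """0x00008d28 <+8>:  mov  r3, lr
0x00008d2c <+12>: mov  r0, r3"""

LINE = re.compile(r"0x([0-9a-f]+) <\+\d+>:\s+(\w+)\s+(.*?)\s*(?:;.*)?$")

def parse(listing):
    """[(address, mnemonic, operands)] from gdb-style disassembly lines."""
    return [(int(m[1], 16), m[2], m[3])
            for m in map(LINE.search, listing.splitlines()) if m]

def run(listing, lr=None):
    """Follow r3 through the listing and return its final value."""
    insns, r3 = parse(listing), None
    for i, (addr, op, args) in enumerate(insns):
        if (op, args) == ("mov", "r3, pc"):
            # pc reads two instructions ahead: +8 in ARM, +4 in Thumb.
            r3 = addr + 2 * (insns[i + 1][0] - addr)
        elif (op, args) == ("mov", "r3, lr"):
            r3 = lr
        elif op in ("add", "adds") and args.startswith("r3, #"):
            r3 += int(args.split("#")[1], 0)
    return r3

def return_address(main_listing, callee):
    """lr after an ARM-state `bl callee`: address of the bl plus 4."""
    for addr, op, args in parse(main_listing):
        if op == "bl" and args.endswith(f"<{callee}>"):
            return addr + 4
    raise ValueError(f"no bl to {callee} in listing")

def solve():
    keys = [run(KEY1), run(KEY2), run(KEY3, return_address(MAIN, "key3"))]
    return keys, sum(keys)

if __name__ == "__main__":
    print(*map(hex, solve()[0]), solve()[1])
```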

Solution:

$ ./leg 
Daddy has very strong arm! : 108400
Congratz!
My daddy has a lot of ARMv5te muscle!

Flag: My daddy has a lot of ARMv5te muscle!