Post

Decompetition.io Writeups

Posted Updated
By Akshit Singh 5 min read

Baby-C

Today we are going to decompile the assembly given in the challenge baby-C of Decompetitionv2.0 :

First of All we are given blocks that have assembly language so we start form the (main:) block

image

-> Here we can easily see that the program is pushing RBP(base pointer register) and RSP(Stack pointer Register) into the Stack for the program to be able to use it.

Now we move onto (block 1) as (main:) block was not doing much for us

image

->Here we observe that RAX(Accumulator Register) is made to take the input from the user.

->Then we give it as an argument of the function “getc()” and then store it at an address 0x14 below the base pointer

->Then we are comparing the input with -1 and if that happens we will jump to the (block7) of the program

image

image

->We have made two variables flag and b as we can see that the assembly is making space on the stack and marking one as stdin variable thus two variables are declared and b is input from the user.

->Here we have added the break statement inside the if condition (b==-1) because of the statements of (block 7:) as if the value is -1 for the variable b then it will jump to (block 7).

image

->The (block 7) basically exits or returns the program by popping RBP and RSP out of the Stack.

->So we can assume that whichever block enters the (block 7) will break a loop or return the program

Now we assume that we donot have value of b equal to -1 then we will move to (block 2):

image

->In this block we are calling the function ‘__ctype_b_loc@plt.sec’ and basically checking the condition:

image

->This statement is equivalent to (isalpha==0) or it checks if the given argument character is an alphabet or not . And if the given argument is an alphabet then it will jump to (block 4)

image

Now let us assume that the address (rbp-0x15) or our input variable does’nt store the value 0 . Then it will goto (block 5), then next block:

->In this block we can easily see that the ‘toupper()’ function is being called with the argument as our input varaible and then putc is called to print it . Thus :

image

->Here if statement will check for flag=1 or not and then flag variable is set to 0

->But the last statement of the block tells us to go back to (block1) again so we can assume that a loop is going on for our whole program.

->So we are going to add a while loop in our program :

image

Now we assume that our flag variable was 0 when we decided to compare it in (block 4) then we will jump to (block 6):

image

->This is also similar to the (block 5) while it is calling ‘tolower()’ with the argument given in the (EDI) register (the 32 bit version of RDI).

->This also ends at block 1 again so this will also come in the block of our while loop

image

Here we backtrace the assembly and observe that if the character is not an alphabet then flag variable is as it is while it is set to 1 if the ‘b’ variable is an alphabet.

Thus at last our decompiled code becomes:

image

And here we receive 100% score 😊

image

baby-CPP

image

  • Above is the first block of the assembly program given that is accessing the Command-line Arguments and storing them in (rbp-0x14) and (rbp-0x20).

  • We should know that when we put Command-line Arguments then we have to input a vector having its first argument as the name of the executable file and then all the arguments we want to give.

This gives us our first statement:

image

Now we shall see the (block 1) of the assembly:

  • We compare the first argument of the Command-Line Vector := argc to 2 or we simply check if there are 2 arguments given to the command line.

  • If the arguments are not 2 then ->

image

  • The first two statements describes that “USAGE: ./grade n” has to be printed as an error output statement.

  • Also the exit() function is called with EDI equal to 2.

Thus our code becomes:

image

  • If the argument count is not 2 then we will jump to block 2 :

image

  • Here we can easily observe that the program is converting 1st index argument of the vector (argv) to an integer using ‘atoi()’ function and storing it inside a variable on the stack.

  • Then another variable on the stack is set to 1, at the 7th line of the block.

  • Also here we compare the converted number variable (num) to 0 and if it is less or equal to 0, then we move onto the next block (block 3).

image

  • This block prints the string “Don’t be so negative.” as an error output. Also it uses endl after that.

  • Then it exits the program using the argument 2 in the RDI register.

Thus our code becomes:

image

Now we move onto the next block (block 4)

  • We will move here only if num variable is not equal to 0->

image

  • In this block the program is using ‘sqrt()’ function to evaluate the sqaure root of the ‘num’ variable value and store it into the variable that I named cnt.

Thus we got our statement to add:

image

Now the next block is:

image

  • This tells us that the program compares the value stored at (rbp-8) in the stack or one of the variable with 1.

image

  • Also we can infer that this above can be said a while loop until cnt variable is more than 1 as then only it will get oht of the loop and go to block9.

Thus our code becomes:

image

  • This happens because we will see in the next block sections(block6 and block7) we can transform the calculations into the given code.

  • Now let us break out of the loop or simply say set ‘cnt’ variable to less than or equal to 1.

image

  • These instructions tell us that we will jump to block11 if ‘num’ variable is not equal to 1.

  • If not then this block will execute:

image

Making our code:

image

  • The correct if statement if fulfilled then the block10 will be executed making our code giving us the if statement.

THUS OUR FINAL CODE IS:

image

Decompetition_Writeups
decompetition.io
This post is licensed under CC BY 4.0 by the author.