# CPUID
rbx rdx rcx
0x756e6547 0x49656e69 0x6c65746e GenuineIntel
0x68747541 0x69746e65 0x444d4163 AuthenticAMD
On first cpuid
call (maybe on second works too)
AuthenticAMD
set $rbx=0x68747541
set $rdx=0x69746e65
set $rcx=0x444d4163
# mutcher
## C
- a
return strcmp(strA, strB)
- e
strncpy(strA, strB, length)
- d
strcat(strA, strB)
- b
return strlen(strA)
- c
strcpy(strA, strB)
return strcmp(strA, strB)
strncpy(strA, strB, length)
strcat(strA, strB)
return strlen(strA)
strcpy(strA, strB)
Ans: 1-a, 2-e, 3-d, 4-b, 5-c
## Asm
- a
mov esi, offset strA
mov edi, offset strB
mov ecx, length
next:
mov al, byte ptr [esi]
sub al, byte ptr [edi]
test al, al
jnz finish
cmp byte ptr [esi], 0
je finish
inc esi
inc edi
jmp next
finish:
movsx eax, al
ret
- b
mov esi, offset strA
mov edi, offset strB
mov ecx, length
next:
mov al, byte ptr [esi]
cmp al, 0
je finish
inc esi
jmp next
finish:
sub esi, offset strA
mov eax, esi
ret
- c
mov esi, offset strA
mov edi, offset strB
mov ecx, length
next:
mov al, byte ptr [edi]
mov byte ptr [esi], al
cmp al, 0
je finish
inc esi
inc edi
jmp next
finish:
ret
- d
mov esi, offset strA
mov edi, offset strB
mov ecx, length
next:
mov al, byte ptr [esi]
cmp al, 0
je finish
inc esi
jmp next
finish:
next2:
mov al, byte ptr [edi]
mov byte ptr [esi], al
cmp al, 0
je finish2
inc esi
inc edi
jmp next2
finish2:
ret
- e
mov esi, offset strA
mov edi, offset strB
mov ecx, length
next:
test ecx, ecx
jz finish
mov al, byte ptr [edi]
mov byte ptr [esi], al
cmp al, 0
je finish
inc esi
inc edi
dec ecx
jmp next
finish:
ret
# Peta awesome
mov eax, 12345
mov ecx, 11
again:
lea ebx, [ecx * 8 + 0xf00b42]
xor eax, ebx
mov edx, ecx
and edx, 1
test edx, edx
jz lbl
rol eax, cl
jmp jumpout
lbl:
rol eax, 17
jumpout:
dec ecx
test ecx, ecx
jnz again
and eax, 0x55555555
def rol(x, n, bits=32):
return (0xffffffff & (x << n)) | ((x & (0xffffffff << (bits - n))) >> (bits - n))
a = 12345
c = 11
while True:
a ^= (c * 8 + 0xf00b42)
if c % 2 == 0:
a = rol(a, 17)
else:
a = rol(a, c) # c < 0xff
c -= 1
if c == 0:
break
a = a & 0x55555555
print(a)
## Cheating
mov esi, offset strA
mov edi, offset strB
mov ecx, length
next:
mov al, byte ptr [esi]
sub al, byte ptr [edi]
test al, al
jnz finish
cmp byte ptr [esi], 0
je finish
inc esi
inc edi
jmp next
finish:
movsx eax, al
ret
mov esi, offset strA
mov edi, offset strB
mov ecx, length
next:
mov al, byte ptr [esi]
cmp al, 0
je finish
inc esi
jmp next
finish:
sub esi, offset strA
mov eax, esi
ret
mov esi, offset strA
mov edi, offset strB
mov ecx, length
next:
mov al, byte ptr [edi]
mov byte ptr [esi], al
cmp al, 0
je finish
inc esi
inc edi
jmp next
finish:
ret
mov esi, offset strA
mov edi, offset strB
mov ecx, length
next:
mov al, byte ptr [esi]
cmp al, 0
je finish
inc esi
jmp next
finish:
next2:
mov al, byte ptr [edi]
mov byte ptr [esi], al
cmp al, 0
je finish2
inc esi
inc edi
jmp next2
finish2:
ret
mov esi, offset strA
mov edi, offset strB
mov ecx, length
next:
test ecx, ecx
jz finish
mov al, byte ptr [edi]
mov byte ptr [esi], al
cmp al, 0
je finish
inc esi
inc edi
dec ecx
jmp next
finish:
ret
mov eax, 12345
mov ecx, 11
again:
lea ebx, [ecx * 8 + 0xf00b42]
xor eax, ebx
mov edx, ecx
and edx, 1
test edx, edx
jz lbl
rol eax, cl
jmp jumpout
lbl:
rol eax, 17
jumpout:
dec ecx
test ecx, ecx
jnz again
and eax, 0x55555555
def rol(x, n, bits=32):
return (0xffffffff & (x << n)) | ((x & (0xffffffff << (bits - n))) >> (bits - n))
a = 12345
c = 11
while True:
a ^= (c * 8 + 0xf00b42)
if c % 2 == 0:
a = rol(a, 17)
else:
a = rol(a, c) # c < 0xff
c -= 1
if c == 0:
break
a = a & 0x55555555
print(a)
f.asm
:
BITS 64
global f
section .text
f:
mov eax, 12345
mov ecx, 11
again:
lea ebx, [ecx * 8 + 0xf00b42]
xor eax, ebx
mov edx, ecx
and edx, 1
test edx, edx
jz lbl
rol eax, cl
jmp jumpout
lbl:
rol eax, 17
jumpout:
dec ecx
test ecx, ecx
jnz again
and eax, 0x55555555
ret
sol.c
:
#include <stdio.h>
int f();
int main() {
printf("%d\n", f());
}
# motcher
numA dd 4.0
numB dd 8.0
numC dd 3.14
result dd 0.0
## C
- b
result = 2 * numC * numB + numA
- a
result = numA + numC * numB * numB
- c
result = (numB + numA) / numC
- e
result = sin(numB + numA) * 2 * numC
- d
result = sin(numC) * (numB + numA)
result = 2 * numC * numB + numA
result = numA + numC * numB * numB
result = (numB + numA) / numC
result = sin(numB + numA) * 2 * numC
result = sin(numC) * (numB + numA)
1-b, 2-a, 3-c, 4-e, 5-d
## Asm
- a
fld offset numC
fld offset numB
fld offset numB
fmulp
fmulp
fadd offset numA
fstp result
C B B
C (B * B)
(C * (B * B)) + A
- b
fld offset numC
fld offset numB
fld offset numB
faddp
fmulp
fadd offset numA
fstp result
C B B
C (B + B)
(C * (B + B))
(C * (B + B)) + A
- c
fld offset numC
fld offset numB
fadd offset numA
fxch
fdivp
fstp result
C B
C (B + A)
(B + A) C
(B + A) / C
- d
fld offset numC
fld offset numB
fadd offset numA
fxch
fsin
fmulp
fstp result
C B
C (B + A)
(B + A) C
(B + A) sin(C)
(B + A) * sin(C)
- e
fld offset numC
fld offset numB
fadd offset numA
fsin
fxch
fadd offset numC
fmulp
fstp result
C B
C (B + A)
C sin(B + A)
sin(B + A) C
sin(B + A) (C + C)
sin(B + A) * (C + C)
# subs
BITS 32
global _start
section .data
tet db 106, 112, 101, 107, 127, 119, 121, 102, 119, 120, 109, 120, 121, 120, 109, 115, 114, 99, 109, 119, 99, 114, 115, 120, 99, 120, 108, 105, 99, 119, 115, 112, 121, 120, 109, 115, 114, 129
nd db "all ok!\n"
section .bss
pass resb 1024
section .text
_start:
mov eax, 3
mov ebx, 0
mov ecx, pass
mov edx, 256
int 80h ; read 256 chars from stdin to pass
mov edi, 38
mov ebx, tet
mov edx, pass
ff:
mov cl, 4 ; cl = 0b100
not cl ; cl = 0b11111011
inc cl ; cl = 0b11111100
mov al, [ebx] ; al = *tet
add al, cl ; al += cl
push ebx
mov bl, [edx] ; bl = *pass
cmp al, bl
jnz fail ; if (al != bl) fail()
pop ebx
inc ebx ; tet++
inc edx ; pas++
dec edi ; edi--
test edi,edi
jnz ff ; if (edi == 0) break
mov eax, 4
mov ebx, 1
mov ecx, nd
mov edx, 7
int 80h ; write "all ok!\n"
jmp ext
fail:
pop ebx
ext:
mov eax, 1
xor ebx, ebx
int 80h ; exit 0
tet = [106, 112, 101, 107, 127, 119, 121, 102, 119, 120, 109, 120, 121, 120, 109, 115, 114, 99, 109, 119, 99, 114, 115, 120, 99, 120, 108, 105, 99, 119, 115, 112, 121, 120, 109, 115, 114, 129]
tet = [(c + 0b11111100) % 256 for c in tet]
print(''.join(map(chr, tet)))
# chain
BITS 32
global _start
section .data
dat db 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|'
flg db "All ok!",0xa
size equ 19
section .bss
passw resb 256
section .text
_start:
mov eax, 3
mov ebx, 0
mov ecx, passw
mov edx, 256
int 80h ; read(stdin, passw, 256)
mov ebp, 0
mov edi, dat
lop:
mov al, '|' ; 0x7c
mov esi, edi
repne scasb ; search '|' in dat
mov edx, edi ; *edx == '|'
sub edx, esi ; distance to first '|'
mov ecx, passw
add ecx, ebp
mov al, [ecx]
cmp al, dl
jnz fail
inc ebp
cmp ebp, size
jnz lop
mov eax, 4
mov ebx, 1
mov ecx, flg
mov edx, 8
int 80h
jmp ex
fail:
ex:
mov eax, 1
xor ebx, ebx
int 80h
dat = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|'
print(''.join(chr(len(s) + 1) for s in dat.split('|'))[:-1])
# Deadbeef
fld offset numC
fld offset numB
fld offset numB
fmulp
fmulp
fadd offset numA
fstp result
C B B
C (B * B)
(C * (B * B)) + A
fld offset numC
fld offset numB
fld offset numB
faddp
fmulp
fadd offset numA
fstp result
C B B
C (B + B)
(C * (B + B))
(C * (B + B)) + A
fld offset numC
fld offset numB
fadd offset numA
fxch
fdivp
fstp result
C B
C (B + A)
(B + A) C
(B + A) / C
fld offset numC
fld offset numB
fadd offset numA
fxch
fsin
fmulp
fstp result
C B
C (B + A)
(B + A) C
(B + A) sin(C)
(B + A) * sin(C)
fld offset numC
fld offset numB
fadd offset numA
fsin
fxch
fadd offset numC
fmulp
fstp result
C B
C (B + A)
C sin(B + A)
sin(B + A) C
sin(B + A) (C + C)
sin(B + A) * (C + C)
BITS 32
global _start
section .data
tet db 106, 112, 101, 107, 127, 119, 121, 102, 119, 120, 109, 120, 121, 120, 109, 115, 114, 99, 109, 119, 99, 114, 115, 120, 99, 120, 108, 105, 99, 119, 115, 112, 121, 120, 109, 115, 114, 129
nd db "all ok!\n"
section .bss
pass resb 1024
section .text
_start:
mov eax, 3
mov ebx, 0
mov ecx, pass
mov edx, 256
int 80h ; read 256 chars from stdin to pass
mov edi, 38
mov ebx, tet
mov edx, pass
ff:
mov cl, 4 ; cl = 0b100
not cl ; cl = 0b11111011
inc cl ; cl = 0b11111100
mov al, [ebx] ; al = *tet
add al, cl ; al += cl
push ebx
mov bl, [edx] ; bl = *pass
cmp al, bl
jnz fail ; if (al != bl) fail()
pop ebx
inc ebx ; tet++
inc edx ; pas++
dec edi ; edi--
test edi,edi
jnz ff ; if (edi == 0) break
mov eax, 4
mov ebx, 1
mov ecx, nd
mov edx, 7
int 80h ; write "all ok!\n"
jmp ext
fail:
pop ebx
ext:
mov eax, 1
xor ebx, ebx
int 80h ; exit 0
tet = [106, 112, 101, 107, 127, 119, 121, 102, 119, 120, 109, 120, 121, 120, 109, 115, 114, 99, 109, 119, 99, 114, 115, 120, 99, 120, 108, 105, 99, 119, 115, 112, 121, 120, 109, 115, 114, 129]
tet = [(c + 0b11111100) % 256 for c in tet]
print(''.join(map(chr, tet)))
BITS 32
global _start
section .data
dat db 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|'
flg db "All ok!",0xa
size equ 19
section .bss
passw resb 256
section .text
_start:
mov eax, 3
mov ebx, 0
mov ecx, passw
mov edx, 256
int 80h ; read(stdin, passw, 256)
mov ebp, 0
mov edi, dat
lop:
mov al, '|' ; 0x7c
mov esi, edi
repne scasb ; search '|' in dat
mov edx, edi ; *edx == '|'
sub edx, esi ; distance to first '|'
mov ecx, passw
add ecx, ebp
mov al, [ecx]
cmp al, dl
jnz fail
inc ebp
cmp ebp, size
jnz lop
mov eax, 4
mov ebx, 1
mov ecx, flg
mov edx, 8
int 80h
jmp ex
fail:
ex:
mov eax, 1
xor ebx, ebx
int 80h
dat = 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|'
print(''.join(chr(len(s) + 1) for s in dat.split('|'))[:-1])
def rol(x, n, bits=32):
return (0xffffffff & (x << n)) | ((x & (0xffffffff << (bits - n))) >> (bits - n))
def ror(x, n, bits=32):
return (0xffffffff & (x >> n)) | ((x & (0xffffffff >> (bits - n))) << (bits - n))
# 0x395547a2
def test(inp):
d = inp ^ 0xcafebabe
d = ror(d, 7)
d ^= 0xdeadbeef
d = rol(d, 0x15)
d ^= 0x13373389
d ^= inp
return d
# print(hex(test(0x41414141)))
for b1 in range(0x20, 0x7d + 1):
for b2 in range(0x20, 0x7d + 1):
for b3 in range(0x20, 0x7d + 1):
for b4 in range(0x20, 0x7d + 1):
inp = b1 | (b2 << 1 * 8) | (b3 << 2 * 8) | (b4 << 3 * 8)
if test(inp) == 0x395547a2:
print(chr(b1), chr(b2), chr(b3), chr(b4))
break
# for inp in range(2**32):
# if test(inp) == 0x395547a2:
# print(inp)
# break
# giga awesome
mov ebx, 32767
rdtsc
xchg ebx, eax
xor eax, ebx
xor eax, edx
shl edx, 1
imul eax, 2
lea ecx, [ebx + ebx]
xor eax, 77731337
xor eax, ecx
xor ah, 77
xor ax, 31337
xor eax, edx
# b = 32767
# d, a = rdtsc()
a = 32767 # b, a = a, b
# a ^= b
# a ^= d
# d <<= 1
a <<= 1 # a *= 2
# b <<= 1 # c = 2 * b
a ^= 77731337
# a ^= b
a ^= (77 << 8)
a ^= 31337
# a ^= d
return a
# C-ASM
1-1, 2-3, 3-4, 4-2, 5-5
# ASM0
global _start
section .text
_start:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
xor edx, edx
Metka0:
add eax, 10
add ebx, 20
sub ebx, eax
cmp eax, ebx
jl Metka5
jge Metka4
Metka1:
add ecx, ecx
add ecx, ecx
sub edx, ecx
cmp edx, eax
jz finish
jmp Metka2
Metka2:
xor ecx, edx
add edx, edx
sub edx, ecx
jmp Metka0
Metka3:
xor edx, ecx
xor edx, eax
cmp edx, eax
jne Metka1
jg Metka2
jl finish
Metka4:
mov edx, 50
mov ecx, 10
cmp eax, edx
jg Metka5
jmp Metka3
Metka5:
mov edx, 10
mov ecx, 50
jmp Metka0
finish:
a = 0
b = 0
c = 0
d = 0
while True: # Metka 0
a += 10
b += 20
b -= a
if a < b: # Metka 5
d = 10
c = 50
else: # Metka 4
d = 50
c = 10
if a > d: # Metka 5
d = 10
c = 50
else: # Metka 3
d ^= c
d ^= a
if d != a: # Metka 1
c += c
c += c
d -= c
if d == a:
break
else: # Metka 2
c ^= d
d += d
d -= c
elif d > a: # Metka 2
c ^= d
d += d
d -= c
else:
break
return d
# matcher
## C
- c
int num = 4 * 7 + 3 * 2;
- e
int num = 4 + 7 - 3 * 8;
- d
char num = 4 * 7 - 3 * 8;
- b
int num = 4 * 7 - 3 * 8;
- a
int num = 4 * 7 + 3 * 8;
int num = 4 * 7 + 3 * 2;
int num = 4 + 7 - 3 * 8;
char num = 4 * 7 - 3 * 8;
int num = 4 * 7 - 3 * 8;
int num = 4 * 7 + 3 * 8;
1-c, 2-e, 3-d, 4-b, 5-a
## Asm
- a
mov rax, offset num
mov rbx, 4
imul rbx, 7
mov dword ptr [rax], ebx
mov rbx, 3
lea rbx, [rbx * 8]
add dword ptr [rax], ebx
- b
mov rax, offset num
mov rbx, 4
imul rbx, 7
mov dword ptr [rax], ebx
mov rbx, 3
lea rbx, [rbx * 8]
sub dword ptr [rax], ebx
- c
mov rax, offset num
mov rbx, 4
imul rbx, 7
mov dword ptr [rax], ebx
mov rbx, 3
lea rbx, [rbx + rbx]
add dword ptr [rax], ebx
- d
mov rax, offset num
mov rbx, 4
imul rbx, 7
mov byte ptr [rax], bl
mov rbx, 3
lea rbx, [rbx * 8]
sub byte ptr [rax], bl
- e
mov rax, offset num
mov dword ptr [rax], 4
add dword ptr [rax], 7
mov rbx, 3
lea rbx, [rbx * 8]
sub dword ptr [rax], ebx
# mega awesome
mov rax, 0x93f3ffc2fbc7a1ce
mov rbx, 6368891006275312830
imul eax, ebx
xchg al, ah
mov ebx, ebx
lea ebx, [ebx + eax * 2]
mov ecx, eax
ror ebx, cl
xor bx, ax
and ebx, 0xffffff
mov rax, rbx
def rol(x, n, bits=32):
return (0xffffffff & (x << n)) | ((x & (0xffffffff << (bits - n))) >> (bits - n))
def ror(x, n, bits=32):
return (0xffffffff & (x >> n)) | ((x & (0xffffffff >> (bits - n))) << (bits - n))
# mov rax, 0x93f3ffc2fbc7a1ce
# mov rbx, 6368891006275312830
# imul eax, ebx
a = 0x93f3ffc2fbc7a1ce
b = 6368891006275312830
a = ((a & 0xffffffff) * (b & 0xffffffff)) & 0xffffffff
print(hex(a))
# xchg al, ah
al = a & 0xff
ah = (a & 0xff00) >> 8
a = (a & 0xffff0000) | (al << 8) | (ah)
print(hex(a))
# mov ebx, ebx
b = b & 0xffffffff
# lea ebx, [ebx + eax * 2]
b = (b + a * 2) & 0xffffffff
print(hex(b))
# mov ecx, eax
# ror ebx, cl
b = ror(b, a & 0xff)
# xor bx, ax
b = (b & 0xffff0000) | ((b & 0xffff) ^ (a & 0xffff))
# and ebx, 0xffffff
b = b & 0xffffff
# mov rax, rbx
print("Ans: ", b)
# super awesome
mov eax, 0x11223344
mov ebx, 3344556677
push eax
not eax
xor eax, ebx
mov bl, al
push ebx
shr ebx, 16
xor ebx, eax
pop eax
shr eax, 8
add eax, ebx
pop ebx
sub eax, ebx
# mov eax, 0x11223344
a = 0x11223344
# mov ebx, 3344556677
b = 3344556677
# push eax
sa = a
# not eax
a = a ^ 0xffffffff
# xor eax, ebx
a ^= b
# mov bl, al
b = (b & 0xffffff00) | (a & 0xff)
# push ebx
sb = b
# shr ebx, 16
b = (b >> 16)
# xor ebx, eax
b ^= a
# pop eax
a = sb
# shr eax, 8
a = (a >> 8)
# add eax, ebx
a += b
# pop ebx
b = sa
# sub eax, ebx
a -= b
return a & 0xffff
# xorist
mov rax, offset num
mov rbx, 4
imul rbx, 7
mov dword ptr [rax], ebx
mov rbx, 3
lea rbx, [rbx * 8]
add dword ptr [rax], ebx
mov rax, offset num
mov rbx, 4
imul rbx, 7
mov dword ptr [rax], ebx
mov rbx, 3
lea rbx, [rbx * 8]
sub dword ptr [rax], ebx
mov rax, offset num
mov rbx, 4
imul rbx, 7
mov dword ptr [rax], ebx
mov rbx, 3
lea rbx, [rbx + rbx]
add dword ptr [rax], ebx
mov rax, offset num
mov rbx, 4
imul rbx, 7
mov byte ptr [rax], bl
mov rbx, 3
lea rbx, [rbx * 8]
sub byte ptr [rax], bl
mov rax, offset num
mov dword ptr [rax], 4
add dword ptr [rax], 7
mov rbx, 3
lea rbx, [rbx * 8]
sub dword ptr [rax], ebx
mov rax, 0x93f3ffc2fbc7a1ce
mov rbx, 6368891006275312830
imul eax, ebx
xchg al, ah
mov ebx, ebx
lea ebx, [ebx + eax * 2]
mov ecx, eax
ror ebx, cl
xor bx, ax
and ebx, 0xffffff
mov rax, rbx
def rol(x, n, bits=32):
return (0xffffffff & (x << n)) | ((x & (0xffffffff << (bits - n))) >> (bits - n))
def ror(x, n, bits=32):
return (0xffffffff & (x >> n)) | ((x & (0xffffffff >> (bits - n))) << (bits - n))
# mov rax, 0x93f3ffc2fbc7a1ce
# mov rbx, 6368891006275312830
# imul eax, ebx
a = 0x93f3ffc2fbc7a1ce
b = 6368891006275312830
a = ((a & 0xffffffff) * (b & 0xffffffff)) & 0xffffffff
print(hex(a))
# xchg al, ah
al = a & 0xff
ah = (a & 0xff00) >> 8
a = (a & 0xffff0000) | (al << 8) | (ah)
print(hex(a))
# mov ebx, ebx
b = b & 0xffffffff
# lea ebx, [ebx + eax * 2]
b = (b + a * 2) & 0xffffffff
print(hex(b))
# mov ecx, eax
# ror ebx, cl
b = ror(b, a & 0xff)
# xor bx, ax
b = (b & 0xffff0000) | ((b & 0xffff) ^ (a & 0xffff))
# and ebx, 0xffffff
b = b & 0xffffff
# mov rax, rbx
print("Ans: ", b)
mov eax, 0x11223344
mov ebx, 3344556677
push eax
not eax
xor eax, ebx
mov bl, al
push ebx
shr ebx, 16
xor ebx, eax
pop eax
shr eax, 8
add eax, ebx
pop ebx
sub eax, ebx
# mov eax, 0x11223344
a = 0x11223344
# mov ebx, 3344556677
b = 3344556677
# push eax
sa = a
# not eax
a = a ^ 0xffffffff
# xor eax, ebx
a ^= b
# mov bl, al
b = (b & 0xffffff00) | (a & 0xff)
# push ebx
sb = b
# shr ebx, 16
b = (b >> 16)
# xor ebx, eax
b ^= a
# pop eax
a = sb
# shr eax, 8
a = (a >> 8)
# add eax, ebx
a += b
# pop ebx
b = sa
# sub eax, ebx
a -= b
return a & 0xffff
d = [ 0x3033e1b0,
0x6b3cb8bd,
0x3861e4b2,
0x6c67b9e1,
0x6a3db5e1,
0x6d36b1b6,
0x3832e4e1 ]
a = 0x8048085
d = [c ^ a for c in d]
return ''.join((chr((c & 0xff) >> 0 * 8) + chr((c & 0xff00) >> 8) + chr((c & 0xff0000) >> 2 * 8) + chr((c & 0xff000000) >> 3 * 8)) for c in d) + '6680'
# ASM3
BITS 32
global _start
section .text
_start:
mov eax, 10
mov ebx, eax
mul eax
mov esi, 10
mul esi
mov ecx, eax
mov eax, ebx
mov esi, 7
mul esi
add ecx, eax
add ecx, 37
a = 10
b = a
a *= a
s = 10
a *= s
c = a
a = b
s = 7
a *= s
c += a
c += 37
return c
# ASM2
mov [0xAABBCCCD], 0xDEADBEEF
mov [0xAABBCCD1], 0xCAFEBABE
mov [0xAABBCCD5], 0x12345678
mov [0xAABBCCD9], 0x9ABCDEF0
lea edi, [0xAABBCCDD]
lea esi, [0xAABBCCD9]
xor ebx, ebx
l1:
mov eax, DWORD [esi]
mov [edi], eax
sub esi, 0x4
sub edi, 0x4
add ebx, 0x4
cmp ebx, 0x10
jl l1
mem = {
0xAABBCCCD: 0xDEADBEEF,
0xAABBCCD1: 0xCAFEBABE,
0xAABBCCD5: 0x12345678,
0xAABBCCD9: 0x9ABCDEF0
}
di = 0xAABBCCDD
si = 0xAABBCCD9
b = 0
while True:
a = mem[si]
mem[di] = a
si -= 4
di -= 4
b += 4
if b >= 16:
break
print(mem[0xAABBCCD5])
# awesome
mov eax, 1337
mov ebx, 31337
add eax, ebx
mov ecx, eax
imul ebx, ecx
xor eax, ebx
a = 1337
b = 31337
a += b
c = a
b *= c
a ^= b
return a
# ASM1
xor edx, edx
mov eax, 100
mov ebx, 30
div ebx
mov eax, edx
mul edx
d = 0
a = 100
b = 30
d, a = a % b, a // b
a = d
a *= d
return a
Made with Org mode, © 2023 - ∞ iliayar