Solution
In a manner similar to the previous exercise, we take a close look at the objdump disassembly of the binary, produced with the objdump -D -M intel link2 command, focusing specifically on the helper() function:
0000012b <helper>:
(...)
137: 83 7d 08 2a cmp dword ptr [ebp + 8], 42
13b: 75 0d jne 0x14a <helper+0x1f>
13d: 80 7d f4 58 cmp byte ptr [ebp - 12], 88
141: 75 07 jne 0x14a <helper+0x1f>
143: e8 b8 fe ff ff call 0x0 <get_flag>
The first cmp instruction at 0x137 compares the value at [ebp + 8] with 42. This implies that the first argument passed to the helper() function is expected to be 42. The second cmp instruction at 0x13d compares the value at [ebp - 12] with 88. Since it is comparing a single byte (byte ptr), we can infer that this corresponds to a char argument. Although [ebp - 12] appears to be a local variable, looking a little earlier in the function shows where its value comes from:
131: 8b 45 0c mov eax, dword ptr [ebp + 12]
134: 88 45 f4 mov byte ptr [ebp - 12], al
The value at [ebp + 12], which corresponds to the second argument passed to the helper() function, is moved into the eax register. The lower byte of eax, al, is the char we are interested in; it is then stored into the local variable at [ebp - 12].
If both comparisons succeed, the get_flag() function is called. Hence, we can infer that we need to call the helper() function with the two arguments above: the integer 42 and the char 'X', which is 88 in decimal.
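As an added illustration (not the challenge's own source code), the following C reconstruction of helper() mirrors the instruction sequence above under the 32-bit cdecl frame layout it implies: [ebp + 8] is the first argument, [ebp + 12] the second. The get_flag() body and the reaches_get_flag() wrapper are constructed stand-ins for this example. It also shows a detail the disassembly implies but the write-up does not spell out: because only al is stored to the local and compared, any second argument whose low byte is 0x58 passes the check, not just the value 88 itself.

```c
#include <stdint.h>
#include <stdio.h>

/* Counts how often get_flag() was reached (constructed stand-in for the
 * real get_flag(), which would print the flag). */
static int flag_calls;

static void get_flag(void)
{
    flag_calls++;
}

/* Reconstruction of the instructions at 0x131-0x143:
 *   mov  eax, dword ptr [ebp + 12]   ; load second argument as a full dword
 *   mov  byte ptr [ebp - 12], al     ; keep only its low byte in a local
 *   cmp  dword ptr [ebp + 8], 42     ; first argument == 42 ?
 *   jne  skip
 *   cmp  byte ptr [ebp - 12], 88     ; local byte == 88 ('X') ?
 *   jne  skip
 *   call get_flag
 */
static void helper(int32_t arg1, int32_t arg2)
{
    uint8_t local_byte = (uint8_t)arg2; /* mov byte ptr [ebp - 12], al */

    if (arg1 != 42)                     /* cmp dword ptr [ebp + 8], 42 ; jne */
        return;
    if (local_byte != 88)               /* cmp byte ptr [ebp - 12], 88 ; jne */
        return;
    get_flag();                         /* call get_flag */
}

/* Returns 1 if calling helper(arg1, arg2) reaches get_flag(), else 0. */
int reaches_get_flag(int32_t arg1, int32_t arg2)
{
    int before = flag_calls;
    helper(arg1, arg2);
    return flag_calls > before;
}

int main(void)
{
    printf("helper(42, 'X')   -> %d\n", reaches_get_flag(42, 'X'));
    /* Low byte is still 0x58, so the byte compare passes too. */
    printf("helper(42, 0x158) -> %d\n", reaches_get_flag(42, 0x158));
    printf("helper(44, 'X')   -> %d\n", reaches_get_flag(44, 'X'));
    return 0;
}
```

The third call shows why the first argument must be exactly 42: the dword compare at 0x137 has no such truncation, so 44 (or any other value) takes the jne branch before get_flag() is reached.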